[Security] osCommerce admin fix


Monday, July 19th, 2010 - Security

As stated in a previous post regarding the insecurities in osCommerce, we have applied a fix to all osCommerce scripts installed on our server and password protected the admin directories for these scripts.

If you had already password protected your admin directory yourself, then no changes were made to your script.

This fix only applied to users who did not have their admin directory password protected.

If you need access to your now password protected admin directory, then you will need to submit a support ticket and be sure to include either your account username and password or the last four digits of the credit card number that is used to pay for your account. We will have to be able to verify account ownership before we can give information out concerning your osCommerce admin directory.

Scott


[Security] osCommerce Security Fix


Monday, July 12th, 2010 - Security

Update July 19, 2010 1:15PM CDT – We have applied the fix to the osCommerce admin directories. For more information see our updated post.

As we stated in a previous post, lately we have had some security concerns regarding osCommerce scripts, and the osCommerce developers apparently do not want to fix their security holes. Instead they have published a workaround. This workaround involves password protecting the admin directory, which contains the administrative area used to make changes to your shopping catalog with your osCommerce script. This is a far cry from actually fixing the security issue, but it is better than nothing.

This essentially means that osCommerce administrative users will have to log in twice in order to access the administrative side of their osCommerce script: once for the Apache based directory protection and once for the osCommerce login. This is a less than ideal solution, but again it is the only solution that osCommerce is presenting.

It should be noted – We will be password protecting these admin directories ourselves in the next few days if you have not already password protected the area yourself. We will be using random passwords, which will essentially lock you out of the administrative portion of your osCommerce install. This is meant to protect you and your website from hacking. If you want to remain in control of your osCommerce administrative area, then you should password protect your osCommerce admin directory yourself with a username and password that you know. Instructions for doing so are given below. If your admin directory is already password protected when we go through and perform our check, then we will not re-protect it or change its password. If you find yourself locked out because we password protected this directory, then you will need to open a support ticket with your account login credentials so that we can verify your account ownership.
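The check described above (is the admin directory of each osCommerce install already behind Apache directory protection?) can be scripted. This is an added example, not the host's own tooling: it assumes the stock osCommerce layout, with includes/configure.php beside the admin directory, and treats the admin directory as protected only when its .htaccess both sets AuthType Basic and a Require rule.

```python
#!/usr/bin/env python3
"""Audit osCommerce installs under a web root for unprotected admin directories.

Added example, not the host's own tooling. It assumes the stock osCommerce
layout (<catalog>/includes/configure.php beside <catalog>/admin/) and counts
the admin directory as protected only if its .htaccess enables Basic auth.
"""
import os
import re

# An osCommerce catalog is recognised by configure.php defining HTTP_SERVER.
CATALOG_MARKER = re.compile(r"define\s*\(\s*['\"]HTTP_SERVER['\"]")
AUTH_DIRECTIVE = re.compile(r"^\s*AuthType\s+Basic\b", re.I | re.M)
REQUIRE_DIRECTIVE = re.compile(r"^\s*Require\s+\S", re.I | re.M)

def htaccess_enables_basic_auth(text):
    """True if the .htaccess text both sets AuthType Basic and a Require rule."""
    return bool(AUTH_DIRECTIVE.search(text) and REQUIRE_DIRECTIVE.search(text))

def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None  # missing or unreadable: treat as absent

def is_oscommerce_catalog(path):
    conf = _read(os.path.join(path, "includes", "configure.php"))
    return conf is not None and bool(CATALOG_MARKER.search(conf))

def audit(web_root):
    """Return {catalog_path: protected} for every osCommerce install found."""
    results = {}
    for dirpath, dirnames, _ in os.walk(web_root):
        if "admin" in dirnames and is_oscommerce_catalog(dirpath):
            htaccess = _read(os.path.join(dirpath, "admin", ".htaccess"))
            results[dirpath] = htaccess is not None and htaccess_enables_basic_auth(htaccess)
            dirnames.remove("admin")  # no need to descend into the admin tree
    return results

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for catalog, protected in sorted(audit(root).items()):
        print("OK      " if protected else "EXPOSED ", os.path.join(catalog, "admin"))
```

Run it against a web root such as /home/user/public_html; an install whose admin directory has been renamed will not be picked up, since the script looks for a directory literally named admin.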

To password protect your osCommerce admin directory, you will first need to log into your cPanel:

http://www.yourdomain.com/cpanel

Once you have logged in, find the section labeled Security and click the link labeled Password Protect Directories.

This will bring up a dialog box asking which directory you want to start from. Select the option for Web Root.

Now navigate your way into the directory containing your osCommerce admin directory. Click the folder icon beside the directory name to navigate into that directory. For example, if your osCommerce catalog is located in the directory:

/home/user/public_html/catalog

Then you would click on the folder beside the directory name catalog to navigate inside the catalog directory. It is important that you don’t navigate into the admin directory, you just want to navigate into the directory containing the admin directory.

Once you have done this, click on the admin directory name (not the folder icon).

This will take you to a page where you can turn on Directory Protection for that directory. This is a two part system. First you have to enable directory protection on this directory and then secondly you have to assign a username and password to access the directory under directory protection.

The first part is enabling directory protection. Complete the top part, under Security Settings, and click Save. This will enable directory protection for this directory, but it does not assign a username and password to the area. Click on the link Go Back to go back to the previous page.

Now you will want to add a username and password to access this area.

You can use whatever you want for a Username and Password. I do recommend making the username and password something unique and not the same as your osCommerce administrative area username and password.

When you have this filled out click on Add/modify authorized user.

Now navigate to your osCommerce admin area, as you normally would. You should get a browser dialog box asking you for the username and password to access the Authorized Area. This is the username and password you just created with Directory Protection. You will then be presented with your osCommerce administrative login page, where you enter your osCommerce administrative username and password.
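Behind the cPanel steps above, Directory Protection writes an Apache .htaccess in the admin directory and a password file outside the web root. The following script is an added example, not from the original post or from cPanel: it generates that pair for a constructed sample layout (the password file path, realm name and user are assumptions) and verifies a login against the stored entry, using the {SHA} scheme that htpasswd -s produces because it needs only the standard library.

```python
#!/usr/bin/env python3
"""Generate and verify the Apache Basic-auth files behind cPanel's
Directory Protection, for an osCommerce admin directory.

Added example, not from the original post or cPanel. The paths, realm
name and sample user are constructed; the {SHA} scheme (htpasswd -s) is
used because it needs only the standard library and mod_auth_basic still
accepts it. Use bcrypt (htpasswd -B) where the tool is available.
"""
import base64
import hashlib
import hmac

# Constructed sample layout: catalog under public_html, admin beneath it.
PASSWD_FILE = "/home/user/.htpasswds/public_html/catalog/admin/passwd"
REALM = "Authorized Area"  # the realm shown in the browser's login dialog

def sha1_htpasswd_entry(user, password):
    """Build one .htpasswd line: user:{SHA}base64(SHA-1(password))."""
    if ":" in user:
        raise ValueError("username may not contain ':'")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

def htaccess_for(passwd_file, realm):
    """Return the .htaccess directives that require a login for the directory."""
    return "\n".join([
        "AuthType Basic",
        f'AuthName "{realm}"',
        f"AuthUserFile {passwd_file}",
        "Require valid-user",
        "",
    ])

def check_password(htpasswd_line, user, password):
    """Verify a login against one {SHA} .htpasswd line, comparing in constant time."""
    stored_user, _, stored_hash = htpasswd_line.partition(":")
    if stored_user != user or not stored_hash.startswith("{SHA}"):
        return False
    expected = sha1_htpasswd_entry(user, password).partition(":")[2]
    return hmac.compare_digest(stored_hash, expected)

if __name__ == "__main__":
    entry = sha1_htpasswd_entry("shopadmin", "correct horse")
    print(htaccess_for(PASSWD_FILE, REALM))
    print(entry)
    print(check_password(entry, "shopadmin", "correct horse"))
```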

Scott


[Security] OSCommerce Exploits


Wednesday, July 7th, 2010 - Security

Lately we have been seeing a lot of account compromises that have tied back to outdated and poorly coded OSCommerce scripts.

Before going any further, it should be noted that OSCommerce is not among our most favorite web applications. The project started out well and with good intentions, but it now goes through long periods of abandonment, where the developers do not actively develop the software and keep the code up-to-date. This results in security holes being discovered in the application, and the OSCommerce developers take their pleasant time to resolve the issue.

An example of this is the current exploit we are seeing a lot of. This security hole was first discovered in January 2009, and now in July 2010 the OSCommerce developers still have not issued an update to the OSCommerce package to fix this security hole. They have released information on a workaround, but this is a far cry from actually fixing the security hole, and only the individuals that actively browse the OSCommerce community forums know about this.

So with all of that being said, if your shopping cart is important to you and your website and you are using OSCommerce, then I would highly recommend finding or moving to another shopping cart application. Unfortunately, I can’t recommend anything that makes migrating from OSCommerce to another product very easy. But since the OSCommerce developers appear to have no regard for security holes in their products, continuing to use OSCommerce may result in your account being compromised and your catalog information being hacked into.

We have heard good things about Mal’s Ecommerce remote hosting solution:

http://www.mals-e.com

This takes your shopping cart application out from under your webhosting account with us and your catalog is hosted on the Mal’s Ecommerce servers. This way you do not have to worry or concern yourself with keeping the shopping cart application up-to-date since this is all handled on the Mal’s Ecommerce servers. This may not be a viable solution for some users.

I have gone through our servers and looked for OSCommerce installs. We have found that only 52% of the OSCommerce scripts that are installed on our servers by our clients are in use. This means 48% of those OSCommerce installs are abandoned for one reason or another. This represents a significant portion of the OSCommerce installs on our server that are just sitting there with no apparent purpose and perfect targets for hackers and malicious users to compromise. We will be disabling these abandoned OSCommerce installs in the near future.

For the other 52% of the OSCommerce installs that are in use, we will need to make arrangements to secure those installs. We will write to the affected users with suggestions on how to secure them.

The purpose of this action is to take a proactive approach and prevent future account compromises due to these insecurities.

If you have questions or wish to inquire further regarding this, please open a support ticket.

Scott