Welcome to the party Nimitz (a frequent/respected member of the CRE community).
There is a 'developers' forum here. Perhaps Michael will shed some light on it.
Hosting plans with installation, configuration, contributions, support and maintenance.
I find strange that no one has asked this... But, if you have passworded the admin folder with htaccess, shouldn't those two files be kinda safe from anyone, unless they first get to break the htaccess level password?
TBH, it's the very 1st thing that occurred to me but I guess not everyone implements directory protection, so at least the vulnerability is gone 'out-of-the-box'.
[Let's face it - if they break into .htaccess protection, except for a crappy password, then you have other major issues]
Because of how many unsecured sites are out there, and the large amount of people that run stores without updating, I am not going to publicly discuss the specifics of the vulnerability.
It is not a new issue, and the hole that allows access to the file manager was closed in v2.0.3, so osCMax v2.0.3 and v2.1 were already patched against the known problem that allowed unprivileged access to the file manager.
The reason for this update is the file manager itself, and that is about all I am going to say about it. When it is fixed, it will be returned to the package. In its present form, it is simply too risky to have it present. Additional measures must be added to the file itself to keep it from being so easily misused.
This is actually at the heart of the problem. While it should be standard practice to use .htaccess, if you don't, there should not be fatal repercussions.
Michael Sasek
osCMax Developer
osCmax installation service - Have our professionals install osCmax on your server - same day service!
osCmax 2.0 User Manual - the must have beginners guide to osCmax v2.0
Stay Up To Date with everything osCMax:
Free osCMax Newsletters - Security notices, New Releases, osCMax News
osCMax on Twitter - Up to the minute info as it happens. Know it first.
osCmax Documentation
Not necessarily.
The security provided by the htpasswd system may or may not be transmitted securely. The most common implementations are generally NOT secure in transmission. That the password is exchanged in the clear compounds the issue. Basically, htpasswd usage is a thin reed on which to base your security, particularly when you rely on the control panel for implementation.
David
--------------
Nondenominational osCommerce education: http://www.oscommerceuniversity.com/school/
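David's point above is that .htaccess/.htpasswd protection produces HTTP Basic authentication, and Basic credentials are only base64-encoded, so without TLS they are readable by anyone on the network path. The following is an added example (not code from this thread or from osCMax) that audits a request for that condition: it parses the headers, decodes a Basic Authorization header, and flags the credentials as cleartext when the request was observed over plain HTTP. The sample request, the hostname shop.example and the username/password in it are constructed for the demonstration.

```python
"""Audit whether HTTP Basic credentials cross the wire readably.

Added example for this discussion; it is not osCMax code. All sample
values below are constructed.
"""
import base64
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: what a browser sends after filling in an .htaccess
# password prompt. "YWRtaW46Y29ycmVjdC1ob3JzZQ==" is just base64 of
# "admin:correct-horse"; there is no encryption in the Authorization header.
SAMPLE_REQUEST = (
    "GET /admin/ HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Authorization: Basic YWRtaW46Y29ycmVjdC1ob3JzZQ==\r\n"
    "\r\n"
)


@dataclass
class Finding:
    transport: str            # "http" or "https": how the request was observed
    username: Optional[str]   # user named in the credentials, if any
    cleartext: bool           # True when anyone on the path can read the password
    note: str


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def decode_basic(header_value: str) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic <token>' header, or None if not Basic."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:                                # RFC 7617 requires the colon
        return None
    return user, password


def audit_request(raw: str, transport: str) -> Finding:
    """Classify the credential exposure of one request seen over the given transport."""
    _, headers = parse_headers(raw)
    auth = headers.get("authorization")
    if auth is None:
        return Finding(transport, None, False, "no credentials in request")
    creds = decode_basic(auth)
    if creds is None:
        return Finding(transport, None, False, "non-Basic or malformed Authorization header")
    user, _password = creds
    if transport != "https":
        return Finding(transport, user, True,
                       "Basic credentials are only base64; readable in transit")
    return Finding(transport, user, False, "Basic credentials protected by TLS in transit")


if __name__ == "__main__":
    for transport in ("http", "https"):
        print(transport, audit_request(SAMPLE_REQUEST, transport))
```

Running it shows the same request flagged as cleartext over http and as protected over https, which is the whole argument: the htpasswd file on disk may hold a hashed password, but the browser still sends the plain password on every request to the protected directory. The practical mitigation is to serve the admin directory only over TLS (for Apache with mod_ssl, the `SSLRequireSSL` directive inside the admin `<Directory>` block, or a redirect to https), and to keep an in-application login check on the admin scripts themselves so that, as Michael says above, skipping .htaccess is not fatal.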
You need to add something so the top of my osCMax can say v2.0.4 instead of this lousy v2.0.3
It may be related to this or something else, but my osCMax web site has been sending spam to customers from the online database for the last 2 days.
I have fixed this bug, and removed some suspicious files, changed the ftp and database password for the web site, but the spam is still coming. What should I do next? I can post the code from the suspicious files if this helps.
If your site is sending unsolicited emails then you have been hacked.
Please read the Wiki on what to do next.
Regards,
pgmarshall
_______________________________