Security Notice : osCMax 2.0.4 Released

[michael_s]

A new blog entry has been added:

Security Notice : osCMax 2.0.4 Released

Quote:

A serious security vulnerability has been discovered in osCMax v2.0.3
and all prior versions. It is important that you follow the below
instructions carefully to secure your site. Failure to do so could
result in your site being breached by attack.<br><br>The following files must be removed from your site's administrative panel folder:<br><br>/admin/<b>file_manager.php</b><br>/admin/<b>define_language.php</b><br><br>Removing these files will close this vulnerability.<br><br>osCMax
v2.0.4 has been posted to osCMax.com and the vulnerability has been
patched. The security fix has also been added in SVN. It is recommended
that all osCMax site owners remove these files immediately. <br>

Visit the above link to download the new release. Feel free to post your comments, questions, problems or thoughts regarding this project here.

This thread will serve as the official discussion thread for this project.

[user123]

Hi Michael,

Do we just need to remove those 2 files or do we have to install 2.04 as well? In the upgrade folder, I see 2 files - upgrade.php and sql file. Do we use this to upgrade from 2.03 to 2.04? It would be great if you can tell us how to update the site for newbies like me.

Thanks for the update.

Jay

[michael_s]

Just delete the two files from your admin panel. That is all you need to do. No downloads needed.

[user123]

Cool! That's easy

[vallys]

Thanks for useful info!

[pgmarshall]

Michael,

Is this a temporary fix? Ie. Are we looking at replacing the file manager?

Define Languages - I never use anyway - but I do use the File Manager quite a lot! Especially when helping other people with their sites ... saves having to ask for FTP details which they never have ...

Since the File Manager is stand alone could we not rename it to a complete random name? Which coupled with the rename of the Admin folder make it reasonably secure again?

Do you have any more details of the security hole?

Regards,

[GedC]

Thanks Michael - on the ball as usual.

One question - removing the 2 files from the admin folder also removes the functionality from the admin->tools section right? Is the functionality replaced in 2.0.4 (from a quick look, I don't see either file in there)?

define languages isn't that big a problem for me but some clients use file manager.

Thanks for your help.
Ged

[pgmarshall]

GedC,

Yes - removing the files will remove the functionality ...

As per my previous post - I find the File Manager very useful - as an interim measure I have renamed the file something complicated using numbers and upper and lower cases.

If you want to do the same then -
1) Rename the file_manager.php something else eg. s4feRn4mE.php
2) open admin/filenames.php and change the define for FILE_MANAGER
3) rename the language file in admin/includes/languages/<your language>/s4feRn4mE.php.

Assuming you have also renamed your Admin folder then the potential hacker needs to be able to find 2 random string names by chance ... unless someone can tell me more about the security hole ...

Quote:

Perhaps, the osCMax installer should be updated to generate a random name for the ADMIN folder and file_manager.php at setup and store these in the relevant places within the configure, filenames, language files?

Regards,

[GedC]

pgmarshall,

Excellent advice - thank you. I will make those changes immediately (I hadn't thought of renaming the ADMIN folder but will do so).

Do you think it might be worthwhile applying the same logic to some (or all) of the other key files to really lock down any potential holes? It would appear to make sense, given the open source nature of oscmax/oscommerce.

In fact this has spurred me into the idea of reworking the admin interface completely and customizing it for individual clients........ no rest for the wicked, as they say .

Thanks again

GedC

[Nimitz_1061]

These files have been known to be security risks in the basic osCommerce for quite some time. Both had some reworking before being re-included in CRE Loaded. I would presume similar work had been done on the osCMax versions. This would tend to indicate an entirely new risk has been found which is not covered by the admin access system despite recent patches. This makes the details quite important in regards to the question of whether these files are safe in other distributions or any installations at all.

I can understand that Michael would not want to disclose such details in open forum (or blog) - is there a closed forum here for identified developers in which confidential discussion may take place during the early phases of security response?? If not, I do provide one in the oscommerceuniversity.com forums.