
Thread: Security Notice : osCMax 2.0.4 Released

  1. #1
    michael_s (osCMax Developer)

    Security Notice : osCMax 2.0.4 Released

    A new blog entry has been added: Security Notice : osCMax 2.0.4 Released (blog entry 341)

    A serious security vulnerability has been discovered in osCMax v2.0.3
    and all prior versions. It is important that you follow the below
    instructions carefully to secure your site. Failure to do so could
    result in your site being breached by attack.

    The following files must be removed from your site's administrative panel folder:

    /admin/file_manager.php
    /admin/define_language.php

    Removing these files will close this vulnerability.

    osCMax v2.0.4 has been posted to osCMax.com and the vulnerability has been
    patched. The security fix has also been added in SVN. It is recommended
    that all osCMax site owners remove these files immediately.

    Visit the above link to download the new release. Feel free to post your comments, questions, problems or thoughts regarding this project here.

    This thread will serve as the official discussion thread for this project.
    Michael Sasek

    osCmax 2.5.4 is now available via auto-installation using Softaculous!

    Stay Up To Date with everything osCMax:
    osCmax on Twitter - Up to the minute info as it happens. Know it first.

    osCmax Documentation

  2. #2
    user123
    Guest


    Default Re: Security Notice : osCMax 2.0.4 Released

    Hi Michael,

    Do we just need to remove those 2 files or do we have to install 2.04 as well? In the upgrade folder, I see 2 files - upgrade.php and sql file. Do we use this to upgrade from 2.03 to 2.04? It would be great if you can tell us how to update the site for newbies like me.

    Thanks for the update.

    Jay

  3. #3
    michael_s (osCMax Developer)

    Re: Security Notice : osCMax 2.0.4 Released

    Just delete the two files from your admin panel. That is all you need to do. No downloads needed.
    Michael Sasek


  4. #4
    user123
    Guest


    Default Re: Security Notice : osCMax 2.0.4 Released

    Cool! That's easy

  5. #5
    vallys
    Guest


    Default Re: Security Notice : osCMax 2.0.4 Released

    Thanks for useful info!

  6. #6
    pgmarshall (osCMax Development Team)

    Re: Security Notice : osCMax 2.0.4 Released

    Michael,

    Is this a temporary fix? I.e. are we looking at replacing the file manager?

    Define Languages - I never use anyway - but I do use the File Manager quite a lot! Especially when helping other people with their sites ... saves having to ask for FTP details which they never have ...

    Since the File Manager is stand-alone, could we not rename it to a completely random name, which, coupled with the rename of the Admin folder, would make it reasonably secure again?

    Do you have any more details of the security hole?

    Regards,
    pgmarshall
    _______________________________

  7. #7
    GedC
    Guest


    Default Re: Security Notice : osCMax 2.0.4 Released

    Thanks Michael - on the ball as usual.

    One question - removing the 2 files from the admin folder also removes the functionality from the admin->tools section right? Is the functionality replaced in 2.0.4 (from a quick look, I don't see either file in there)?

    define languages isn't that big a problem for me but some clients use file manager.

    Thanks for your help.
    Ged

  8. #8
    pgmarshall (osCMax Development Team)

    Re: Security Notice : osCMax 2.0.4 Released

    GedC,

    Yes - removing the files will remove the functionality ...

    As per my previous post - I find the File Manager very useful - as an interim measure I have renamed the file to something complicated using numbers and upper and lower cases.

    If you want to do the same then -
    1) Rename file_manager.php to something else, e.g. s4feRn4mE.php
    2) Open admin/filenames.php and change the define for FILE_MANAGER
    3) Rename the language file in admin/includes/languages/<your language>/ to s4feRn4mE.php

    Assuming you have also renamed your Admin folder then the potential hacker needs to be able to find 2 random string names by chance ... unless someone can tell me more about the security hole ...

    Perhaps the osCMax installer should be updated to generate a random name for the ADMIN folder and file_manager.php at setup and store these in the relevant places within the configure, filenames, language files?

    Regards,
    pgmarshall
    _______________________________
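The three-step rename above, scripted as an added example (not osCMax project code or pgmarshall's own script), together with a check that reports whether the two files named in the security notice are still present in an admin directory. It assumes the stock admin layout and a define named *FILE_MANAGER in admin/filenames.php (FILENAME_FILE_MANAGER, as in osCommerce); make_sample_admin builds a constructed tree purely for trying it out.

```shell
#!/bin/sh
# Added example (not osCMax project code): scripts the three-step interim
# rename from the post above and audits whether the two files named in the
# security notice are still present. Assumptions: the stock admin layout and
# a define named *FILE_MANAGER in admin/filenames.php (FILENAME_FILE_MANAGER
# in osCommerce); make_sample_admin builds a constructed tree for testing.

# Exit 0 when neither file_manager.php nor define_language.php exists in the
# admin dir, 1 otherwise; each file still present is reported on stdout.
oscmax_admin_is_clean() {
    found=0
    for f in file_manager.php define_language.php; do
        if [ -e "$1/$f" ]; then echo "present: $1/$f"; found=1; fi
    done
    return $found
}

# Random mixed-case alphanumeric name (default 16 chars) for the rename.
random_name() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-16}"
}

# Steps 1-3 of the post: move file_manager.php to NEW.php, point the
# FILE_MANAGER define at it, and move the matching language file.
# Usage: oscmax_rename_file_manager ADMIN_DIR LANGUAGE [NEW]; prints NEW.php.
oscmax_rename_file_manager() {
    admin="$1"; lang="$2"; new="${3:-$(random_name 16)}"
    [ -f "$admin/file_manager.php" ] || { echo "no file_manager.php in $admin" >&2; return 1; }
    mv "$admin/file_manager.php" "$admin/$new.php"
    mv "$admin/includes/languages/$lang/file_manager.php" \
       "$admin/includes/languages/$lang/$new.php"
    # Rewrite only the file-manager define; every other define is untouched.
    sed "s/\(define('[A-Z_]*FILE_MANAGER', *'\)file_manager\.php'/\1$new.php'/" \
        "$admin/filenames.php" > "$admin/filenames.php.tmp" \
        && mv "$admin/filenames.php.tmp" "$admin/filenames.php"
    echo "$new.php"
}

# Constructed stand-in for a stock admin tree (test input only, not real osCMax).
make_sample_admin() {
    mkdir -p "$1/includes/languages/english"
    printf '<?php\n' > "$1/file_manager.php"
    printf '<?php\n' > "$1/define_language.php"
    printf '<?php\n' > "$1/includes/languages/english/file_manager.php"
    printf "<?php\ndefine('FILENAME_FILE_MANAGER', 'file_manager.php');\n" > "$1/filenames.php"
    printf "define('FILENAME_ORDERS', 'orders.php');\n" >> "$1/filenames.php"
}
```

Renaming only hides file_manager.php; the notice's own fix is removal, so run oscmax_admin_is_clean afterwards to confirm that at least define_language.php is gone and to see exactly which of the two files a site still carries.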

  9. #9
    GedC
    Guest


    Default Re: Security Notice : osCMax 2.0.4 Released

    pgmarshall,

    Excellent advice - thank you. I will make those changes immediately (I hadn't thought of renaming the ADMIN folder but will do so).

    Do you think it might be worthwhile applying the same logic to some (or all) of the other key files to really lock down any potential holes? It would appear to make sense, given the open source nature of oscmax/oscommerce.

    In fact this has spurred me into the idea of reworking the admin interface completely and customizing it for individual clients ... no rest for the wicked, as they say.

    Thanks again

    GedC

  10. #10
    Nimitz_1061
    Guest


    Default Re: Security Notice : osCMax 2.0.4 Released

    These files have been known to be security risks in the basic osCommerce for quite some time. Both had some reworking before being re-included in CRE Loaded. I would presume similar work had been done on the osCMax versions. This would tend to indicate an entirely new risk has been found which is not covered by the admin access system despite recent patches. This makes the details quite important in regards to the question of whether these files are safe in other distributions or any installations at all.

    I can understand that Michael would not want to disclose such details in open forum (or blog) - is there a closed forum here for identified developers in which confidential discussion may take place during the early phases of security response?? If not, I do provide one in the oscommerceuniversity.com forums.
