Security Notice : osCMax 2.0.4 Released



michael_s
11-09-2009, 05:05 PM
A new blog entry has been added:

Security Notice : osCMax 2.0.4 Released


A serious security vulnerability has been discovered in osCMax v2.0.3 and all prior versions. It is important that you follow the below instructions carefully to secure your site. Failure to do so could result in your site being breached by attack.

The following files must be removed from your site's administrative panel folder:

/admin/file_manager.php
/admin/define_language.php

Removing these files will close this vulnerability.

osCMax v2.0.4 has been posted to osCMax.com and the vulnerability has been patched. The security fix has also been added in SVN. It is recommended that all osCMax site owners remove these files immediately.

Visit the above link to download the new release. Feel free to post your comments, questions, problems or thoughts regarding this project here.

This thread will serve as the official discussion thread for this project.

user123
11-09-2009, 06:38 PM
Hi Michael,

Do we just need to remove those 2 files or do we have to install 2.04 as well? In the upgrade folder, I see 2 files - upgrade.php and sql file. Do we use this to upgrade from 2.03 to 2.04? It would be great if you can tell us how to update the site for newbies like me.

Thanks for the update.

Jay

michael_s
11-09-2009, 06:51 PM
Just delete the two files from your admin panel. That is all you need to do. No downloads needed.

user123
11-09-2009, 06:55 PM
Cool! That's easy :)

vallys
11-09-2009, 11:06 PM
Thanks for useful info!

pgmarshall
11-10-2009, 12:12 AM
Michael,

Is this a temporary fix? I.e. are we looking at replacing the file manager?

Define Languages - I never use anyway - but I do use the File Manager quite a lot! Especially when helping other people with their sites ... saves having to ask for FTP details which they never have ...

Since the File Manager is stand alone could we not rename it to a complete random name? Which coupled with the rename of the Admin folder make it reasonably secure again?

Do you have any more details of the security hole?

Regards,

GedC
11-10-2009, 12:18 AM
Thanks Michael - on the ball as usual.

One question - removing the 2 files from the admin folder also removes the functionality from the admin->tools section right? Is the functionality replaced in 2.0.4 (from a quick look, I don't see either file in there)?

define languages isn't that big a problem for me but some clients use file manager.

Thanks for your help.
Ged

pgmarshall
11-10-2009, 01:01 AM
GedC,

Yes - removing the files will remove the functionality ...

As per my previous post - I find the File Manager very useful - as an interim measure I have renamed the file something complicated using numbers and upper and lower cases.

If you want to do the same then -
1) Rename the file_manager.php something else, e.g. s4feRn4mE.php
2) open admin/filenames.php and change the define for FILE_MANAGER
3) rename the language file in admin/includes/languages/<your language>/s4feRn4mE.php.

Assuming you have also renamed your Admin folder then the potential hacker needs to be able to find 2 random string names by chance ... unless someone can tell me more about the security hole ...


Perhaps, the osCMax installer should be updated to generate a random name for the ADMIN folder and file_manager.php at setup and store these in the relevant places within the configure, filenames, language files?

Regards,

GedC
11-10-2009, 03:20 AM
pgmarshall,

Excellent advice - thank you. I will make those changes immediately (I hadn't thought of renaming the ADMIN folder but will do so).

Do you think it might be worthwhile applying the same logic to some (or all) of the other key files to really lock down any potential holes? It would appear to make sense, given the open source nature of oscmax/oscommerce.

In fact this has spurred me into the idea of reworking the admin interface completely and customizing it for individual clients........ no rest for the wicked, as they say :D.

Thanks again

GedC

Nimitz_1061
11-10-2009, 04:30 AM
These files have been known to be security risks in the basic osCommerce for quite some time. Both had some reworking before being re-included in CRE Loaded. I would presume similar work had been done on the osCMax versions. This would tend to indicate an entirely new risk has been found which is not covered by the admin access system despite recent patches. This makes the details quite important in regards to the question of whether these files are safe in other distributions or any installations at all.

I can understand that Michael would not want to disclose such details in open forum (or blog) - is there a closed forum here for identified developers in which confidential discussion may take place during the early phases of security response?? If not, I do provide one in the oscommerceuniversity.com forums.

ridexbuilder
11-10-2009, 07:45 AM
Welcome to the party Nimitz (a frequent/respected member of the CRE community).
There is a 'developers' forum here. :-) Perhaps Michael will shed some light on it.

MindTwist
11-10-2009, 09:41 AM
I find strange that noone has asked this... But, if you have passworded the admin folder with htaccess, shouldn't those two files be kinda safe from anyone, unless they first get to break the htaccess level password?

ridexbuilder
11-10-2009, 09:45 AM
I find strange that noone has asked this... But, if you have passworded the admin folder with htaccess, shouldn't those two files be kinda safe from anyone, unless they first get to break the htaccess level password?

TBH, It's the very 1st thing that occurred to me but I guess not everyone implements directory protection, so at least the vulnerability is gone 'out-of-the-box'.

:popcorn:

[Let's face it - if they break into .htaccess protection, except for a crappy password, then you have other major issues ;)]

MindTwist
11-10-2009, 10:11 AM
[Let's face it - if they break into .htaccess protection, except for a crappy password, then you have other major issues ;)]

That's what I was wondering... If they manage to find out my htaccess password, then I would have a lot more to worry. And unless they get past it, I do not think anyone would be able to do anything with those two files, no matter if they are buggy or not.

michael_s
11-10-2009, 02:07 PM
Because of how many unsecured sites are out there, and the large amount of people that run stores without updating, I am not going to publicly discuss the specifics of the vulnerability.

It is not a new issue, and the hole that allows access to the file manager was closed in v2.0.3, so osCMax v2.0.3 and v2.1 were already patched against the known problem that allowed unprivileged access to the file manager.

The reason for this update is the file manager itself, and that is about all I am going to say about it. When it is fixed, it will be returned to the package. In its present form, it is simply too risky to have it present. Additional measures must be added to the file itself to keep it from being so easily misused.



That's what I was wondering... If they manage to find out my htaccess password, then I would have a lot more to worry. And unless they get past it, I do not think anyone would be able to do anything with those two files, no matter if they are buggy or not.

This is actually at the heart of the problem. While it should be standard practice to use .htaccess, if you don't, there should not be fatal repercussions.

MindTwist
11-10-2009, 02:12 PM
This is actually at the heart of the problem. While it should be standard practice to use .htaccess, if you don't, there should not be fatal repercussions.

Good to know, so if we have the admin folder secured via htaccess, we should be safe? (those files will still be bugged, I know, but they won't be accessible to the public)

Thanks Michael!

Nimitz_1061
11-11-2009, 05:33 AM
Good to know, so if we have the admin folder secured via htaccess, we should be safe? (those files will still be bugged, I know, but they won't be accessible to the public)

Thanks Michael!

Not necessarily.

The security provided by the htpasswd system may or may not be transmitted securely. The most common implementations are generally NOT secure in transmission. That the password is exchanged in the clear compounds the issue. Basically, htpasswd usage is a thin reed on which to base your security, particularly when you rely on the control panel for implementation.


David

Cameron
12-18-2009, 08:08 AM
You need to add something so the top of my osCMax can say v2.0.4 instead of this lousy v2.0.3

GraGra
12-23-2009, 04:02 AM
It may be related to this or something else, but my OscMax web site has been sending spam to customers from the on line database for the last 2 days.
I have fixed this bug, and removed some suspicious files, changed the ftp and database password for the web site, but the spam is still coming. What should I do next? I can post the code from the suspicious files if this helps.

pgmarshall
12-23-2009, 04:12 AM
If your site is sending unsolicited emails then you have been hacked.

Please read the Wiki on what to do next. (http://wiki.oscdox.com/setting_up_security)

Regards,

GraGra
12-23-2009, 04:17 AM
Thanks for this. I will let you know how I go. Regards.

rosarystuff
12-29-2009, 08:16 AM
Hi,

I'm very confused so I need to try and clarify something. First a little background: someone is using my site to send spam email to all of my customers.

I found one fix here: r169 - oscmax2 - Project Hosting on Google Code (http://code.google.com/p/oscmax2/source/detail?r=169)

and then this one about deleting the 2 files. My version is osCMax v2.0.2.

I'm just unsure of which solution is needed to do to fix my problem and get my site up and running again. As you can tell, I don't have much computer background and haven't had any luck finding anyone in my area to help me.

So...... can you please guide me a little here? I'm so lost!! :confused:

Thank you,

Phyllis

michael_s
12-29-2009, 08:32 AM
r169 should fix you up. Then make sure to change your admin folder location and limit access to the new admin location with .htaccess:
http://wiki.oscdox.com/setting_up_security

rosarystuff
12-30-2009, 09:48 AM
Thank you sooooooooooooo much Michael!!! :D

I'll start working on the items on that other security page right away. I may have some questions though. Some of the instructions are a little vague.

Take care,
Phyllis :)

pgmarshall
12-30-2009, 10:26 AM
rosarystuff,

If you let me know which bits are unclear I will try and write some more detailed instructions for you.

Regards,

GraGra
12-30-2009, 03:54 PM
Thanks Michael and pgmarshall. I have followed your advice and the problems seem to have stopped. Your big brains are appreciated!

rosarystuff
12-31-2009, 10:21 AM
Hi Michael,


Well, for example editing the admin file. We are to change the name from admin to something else (as below).

Open admin/includes/configure.php
Edit these lines:
define('DIR_WS_ADMIN', '/admin/');
define('DIR_WS_HTTPS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', '/home/mystore.com/www/public/admin/');

The more obscure the name the better - try to use numbers and letters.

But is it really that simple? I thought the word admin was sprinkled throughout the entire store code. Wouldn't we have to change that word everywhere it appears as well? Or am I completely off base. :)

Also, if someone is looking for our admin section, and we choose a name that is completely different or that has letters or numbers in it, wouldn't that be a red flag for them to check that file because it's so much different than the others?

Am I making this more complicated than it needs to be? I'm just worried after what I just went through with hackers, so I want to make sure I do it right.

I also don't understand how to change the admin htaccess to my ip address.

I guess that's a good place to start. :)

Thanks for the help again.

michael_s
12-31-2009, 04:14 PM
But is it really that simple? I thought the word admin was sprinkled throughout the entire store code. Wouldn't we have to change that word everywhere it appears as well? Or am I completely off base.

You are completely off base. It really is as simple as changing the folder name and then editing the configure.php file to match the new folder name.


Also, if someone is looking for our admin section, and we choose a name that is completely different or that has letters or numbers in it, wouldn't that be a red flag for them to check that file because it's so much different than the others?

No. If they have no idea what the name of the folder is, it will be very difficult to find. The longer and more random the name, the less and less likely it will get found (especially by the automated bots used to hack sites these days). It would be far more risky to keep it set to admin.


Am I making this more complicated than it needs to be?

Yes.


I also don't understand how to change the admin htaccess to my ip address.

Let me google that for you (http://lmgtfy.com/?q=.htaccess+limit+by+ip)
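As an added example (not code from osCMax or from anyone in this thread), the steps michael_s gives above as a POSIX shell script: rename the admin folder, repoint the DIR_WS_ADMIN, DIR_WS_HTTPS_ADMIN and DIR_FS_ADMIN defines in configure.php, and write an .htaccess that limits the new folder to one IP and requires a login. The store root, IP address and htpasswd path are placeholders; SSLRequireSSL is included to address Nimitz_1061's point that Basic-auth passwords otherwise travel in the clear.

```shell
#!/bin/sh
# Added example, not osCMax project code: rename the admin folder, repoint the
# DIR_*_ADMIN defines quoted in the thread, and lock the folder with .htaccess.
# Store root, IP address and htpasswd path are placeholders.
set -eu

# Random folder name of letters and digits, e.g. "a7Kq2zP9xL3m".
random_admin_name() { LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 12; }

# Move admin/ to its new name and rewrite every define whose name ends in _ADMIN.
rename_admin_dir() {
  mv "$1/admin" "$1/$2"
  cfg=$1/$2/includes/configure.php
  sed "/_ADMIN'/ s#/admin/#/$2/#" "$cfg" >"$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Number of '/admin/' strings left in a file; 0 means the rename is complete.
admin_refs_remaining() { grep -c '/admin/' "$1" || true; }

# SSLRequireSSL is checked before the Basic-auth challenge, so the password is
# never requested over plain HTTP. Apache 2.2 access syntax; needs mod_ssl loaded.
write_admin_htaccess() {
  cat >"$1/.htaccess" <<EOF
SSLRequireSSL
Order Deny,Allow
Deny from all
Allow from $2
AuthType Basic
AuthName "Store administration"
AuthUserFile $3
Require valid-user
EOF
}

# Throwaway store tree whose configure.php is constructed from the lines quoted
# in the thread; prints the store root.
make_sample_store() {
  root=$(mktemp -d) && mkdir -p "$root/admin/includes"
  cat >"$root/admin/includes/configure.php" <<'EOF'
<?php
define('DIR_WS_ADMIN', '/admin/');
define('DIR_WS_HTTPS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', '/home/mystore.com/www/public/admin/');
EOF
  echo "$root"
}
ROOT=$(make_sample_store); NAME=$(random_admin_name)
rename_admin_dir "$ROOT" "$NAME"
write_admin_htaccess "$ROOT/$NAME" 203.0.113.7 /home/mystore.com/.htpasswd
echo "admin is now $ROOT/$NAME; stale /admin/ refs: $(admin_refs_remaining "$ROOT/$NAME/includes/configure.php")"
```

Run it against a copy of the store first and check that the printed count of stale references is 0 before pointing the live site at the new folder.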

pgmarshall
01-01-2010, 07:05 AM
Love the Let Me Google That For You! Will be using that from now on!!

Anyway - reason for post - Wiki Updated (http://wiki.oscdox.com/restrict_ip_access)

Regards,

rosarystuff
01-01-2010, 08:46 AM
Thanks for the help. I'm so glad it's easier than I thought (I have a habit of making some things more difficult). LOL. :)

Let me fiddle with it a bit and see what else comes up. Thanks again.

Oh, and by the way. I don't quite understand the google comment, but if it's a joke at my expense, at least you guys got a good laugh!! You've got to take those when they come. LOL

Take care,

Phyllis :)

pgmarshall
01-01-2010, 09:34 AM
Rosarystuff,

Did you click the link at the end of Michael's post - the one marked "Let me Google that for you"?

That was all I was referring to!

Regards,

rosarystuff
01-01-2010, 09:54 AM
Not yet, but I'll get there. :) No worries. :)

rosarystuff
01-01-2010, 12:27 PM
I'm sorry pgmarshall. My Bad. I should have looked more closely. :) OOPS!!

Although, how do you guys know what info you find on google is correct and which is not? I've googled for info before only to end up with slightly incorrect advice. I'm just not sure how to tell the difference between who knows what they are talking about and who may not have the experience to know for sure.

Take care,

rosarystuff ;)

michael_s
01-01-2010, 12:47 PM
Although, how do you guys know what info you find on google is correct and which is not?

Trial and error until you start retaining some of the stuff you test. Then you start making comparisons of what you find to what you already know.

This is not rocket science and doing it wrong is not going to get anyone killed, so go ahead and get messy with some trial and error to see what works and what doesn't.

That is the best way to learn and to test if what you found on google is correct. It also gives you a good solid reason to make backups regularly :)

pvdesign
01-01-2010, 04:08 PM
Hi michael_s.......

I too had the issue with getting spam through the email of a client who had oscommerce setup....

Did as you suggested and removed the two files and got nothing for a few days but now seem to be getting them back again....
removed these files from the system
/admin/file_manager.php
/admin/define_language.php

your help is appreciated......


Paul

michael_s
01-01-2010, 04:17 PM
You missed the previous security patch (2.0.3). Do that one too:

http://www.oscmax.com/forums/oscmax-v2-announcements/19351-oscmax-v2-0-3-security-update-released.html

http://www.oscmax.com/forums/announcement-discussions/20984-security-notice-oscmax-2-0-4-released.html#post51384