Results 1 to 6 of 6

Thread: security info left in cache file

  1. #1
    Active Member
    security info left in cache file


    Join Date
    Jan 2009
    Posts
    212
    Total Contributions For

    jmelson     $ 50.00
    Rep Power
    11


    Default security info left in cache file

    OK, a bit of a long story, I got up one morning and found 150 credit card transactions for $0.10 and $0.12 so I went to my credit card processor (authorize.net) and found 1300+ attempts, most of them denied, but 152 of them still in the authorize hold. I called Authorize.net, and they had me turn on velocity filtering, a minimum transaction amount, and change my transaction key.

    I'm REALLY sure this was NOT done through the store software, as it would have run up a large number of GET and POST requests on the web server, and I did not see that.
    So, somehow, somebody must have gotten my merchant account # or my API credentials on Authorize.net

    I have a daily program that checks for any updated files on the system.
    It found, when I changed my transaction key in osCmax, that a new file was generated:
    ~/osc2.5/catalog/cache/cachefile.inc.php

    this file has cleartext of all my Authorize.net API credentials and my Fedex API credentials! It also has at least a portion of my USPS and PayPal credentials.
    It seems a bit of a bug to have all this info in a persistent file under the catalog tree. Now, I have a .htaccess file that keeps this whole directory /catalog/cache
    non-readable from the web server, but this still seems like a dangerous thing to leave around. Is there any reason this file is even created? Why is it in the catalog tree instead of the renamed "admin" section? Shouldn't this file at least be deleted after the update is performed into the database? This is an osCmax 2.5 RC1 system.

    Thanks,

    Jon

  2. #2
    osCMax Development Team

    security info left in cache file

    ridexbuilder's Avatar
    Join Date
    Jul 2008
    Location
    Haggisland
    Posts
    4,098
    Total Contributions For

    ridexbuilder     $ 15.00
    Rep Power
    95


    Default Re: security info left in cache file

    The reason for its' existence is to dramatically reduce lookups on the database, for configuration items. Personally, I haven't delved into the code, nor the cache file contents.
    Your observations do seem to be a bit alarming though.

    Developers resource at bitbucket
    *** *** ***
    oscmax.co.uk / ejsolutions.co.uk
    Hosting plans with installation, configuration, contributions, support and maintenance.
    *** FREE osCmax hosting available ***
    oscmaxtemplates.com

  3. #3
    Active Member
    security info left in cache file


    Join Date
    Jan 2009
    Posts
    212
    Total Contributions For

    jmelson     $ 50.00
    Rep Power
    11


    Default Re: security info left in cache file

    I have set up my system so that the admin directory tree cannot be accessed at all from outside the local network, with the directory settings in the web server configuration.
    So, having such a file in the admin tree would be less worrying. Since it is a php file and in the catalog tree, it seems like hackers would be able to execute this file and maybe obtain info like API credentials from it. (I'm not much of a php hacker, so I really don't even know how to test this.)

    Thanks,

    Jon

  4. #4
    osCMax Development Team

    security info left in cache file

    ridexbuilder's Avatar
    Join Date
    Jul 2008
    Location
    Haggisland
    Posts
    4,098
    Total Contributions For

    ridexbuilder     $ 15.00
    Rep Power
    95


    Arrow Re: security info left in cache file

    In a properly setup webserver, the supplied as standard .htaccess file should offer protection.
    Code:
    <FilesMatch "\.(ser|php|cache|htaccess)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>
    Resulting in a 403 Forbidden page.


    (I got a forum notification, for the 1st time in years! )

    Developers resource at bitbucket
    *** *** ***
    oscmax.co.uk / ejsolutions.co.uk
    Hosting plans with installation, configuration, contributions, support and maintenance.
    *** FREE osCmax hosting available ***
    oscmaxtemplates.com

  5. #5
    Active Member
    security info left in cache file


    Join Date
    Jan 2009
    Posts
    212
    Total Contributions For

    jmelson     $ 50.00
    Rep Power
    11


    Default Re: security info left in cache file

    Right, I have this, but it allows outsiders to access the admin login page. I don't want them to even be able to see any part of the admin section, so I have the web server set up to not allow any part of the admin directory tree to be accessed outside my local net. When traveling, I have to set up a tunnel so I appear to be coming from inside to access the admin section.

    Thanks,

    Jon

  6. #6
    osCMax Development Team

    security info left in cache file

    ridexbuilder's Avatar
    Join Date
    Jul 2008
    Location
    Haggisland
    Posts
    4,098
    Total Contributions For

    ridexbuilder     $ 15.00
    Rep Power
    95


    Default Re: security info left in cache file

    I usually secure the admin directory with the simple .htaccess password method.

    Developers resource at bitbucket
    *** *** ***
    oscmax.co.uk / ejsolutions.co.uk
    Hosting plans with installation, configuration, contributions, support and maintenance.
    *** FREE osCmax hosting available ***
    oscmaxtemplates.com

Similar Threads

  1. Cache Configurations into file
    By michael_s in forum New osCommerce Contributions
    Replies: 0
    Last Post: 05-22-2009, 09:52 PM
  2. Cache Configurations into file
    By michael_s in forum New osCommerce Contributions
    Replies: 0
    Last Post: 05-22-2009, 06:54 PM
  3. Cache Configurations into file
    By michael_s in forum New osCommerce Contributions
    Replies: 0
    Last Post: 05-21-2009, 06:00 PM
  4. Cache Configurations into file
    By michael_s in forum New osCommerce Contributions
    Replies: 0
    Last Post: 05-17-2009, 07:50 PM
  5. Replies: 5
    Last Post: 04-24-2009, 08:02 PM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •