
Thread: Security issue found! cross domain login as a customer

  1. #1
    wesfll123
    Guest


    Security issue found! cross domain login as a customer

    So I was working on a fix to my login issue, which I posted on osCommerce, with the session id in the URL not allowing customers to login. See more here...

    Today, with fresh eyes, I went through the login.php action process code to log in as a customer... to my surprise, if I know where the website's admin folder is... either the obvious /admin, or I received an invoice from the company with the referrer using the admin folder... I can log into a customer account from a totally different domain on a different server. It's almost scary easy... example below.

    I'm using admin for the sake of not showing you my admin folder, haha.

    I made a test.php file in a folder off the root called 'admin'... the call is:

    Code:
    <form action="https://www.targetdomaintologin.com/login.php" method="POST" target="_blank">
      <input type="hidden" name="email_address" value="[email protected]">
      <input type="hidden" name="action" value="process">
      <input type="hidden" name="phoneorder" value="order">
      <input type="hidden" name="admin" value="admin/">
      <input type="image" src="includes/languages/english/images/buttons/button_login.gif" alt="Login as customer" title=" Login as customer ">
    </form>
    I run that on a server (ANY SERVER) and, shockingly... I'm logged in...

    I understand that someone would need to guess the email, but there isn't any reason a script couldn't be executed on a list of emails to find valid ones.

    So I went ahead and patched it with another variable, a hidden one hard-coded into your admin near... I guess we could compare customer ids too, or this string.

    customers.php line 1532?
    find....
    Code:
    <input type="hidden" name="phoneorder" value="order">
    add this right after (you could use the junk value below, or compare customer_ids; that way you know it's a good request):
    Code:
    <input type="hidden" name="hardcodedsecurityvalue" value="jn*&H*&H*&H*&[email protected]@UNDI">
    and in login.php...

    Code:
    if (isset($_POST['action'])) {
      // Guard every lookup so a request missing a field does not raise an undefined-index notice
      $referrer       = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
      $admin_dir      = isset($_POST['admin']) ? $_POST['admin'] : '';
      $security_value = isset($_POST['hardcodedsecurityvalue']) ? $_POST['hardcodedsecurityvalue'] : '';
      // We should have the admin folder name in the $_POST vars
      // NO GOOD NEED MORE SECURITY!  if (strpos($referrer, $_POST['admin']) !== false) {
      // The request must also carry the hidden value hard-coded into admin/customers.php;
      // an empty $admin_dir is rejected up front because strpos() refuses an empty needle
      if ($admin_dir !== '' && strpos($referrer, $admin_dir) !== false
          && $security_value === 'jn*&H*&H*&H*&[email protected]@UNDI') {
        $checked = 'pass';
      } else {
        $checked = 'fail';
      }
    }
    This worked for me... let me know if you have any issues... I know I could define a security value constant, but I went with the quick way.

    I don't know if this has been fixed or not; this was osCmax 2.5.4, I believe.
    Last edited by wesfll123; 05-13-2015 at 09:33 AM.
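An added example, not code from the thread or from osCmax, showing how the check in login.php can stop depending on two things the requester controls: the Referer header and a fixed string that is identical in every request. Instead, the admin side signs the customer address and an expiry time with a server-side secret (hash_hmac), and login.php verifies the result with a constant-time comparison (hash_equals, PHP 5.6 or later). The constant ADMIN_LOGIN_TOKEN_SECRET, the hidden field name login_token, and both function names are assumptions for this example and do not exist in osCmax.

```php
<?php
// Added example, not osCmax code. Replaces the Referer + fixed-string test in
// login.php with an HMAC-signed, expiring token issued by the admin side.
// ADMIN_LOGIN_TOKEN_SECRET, login_token and the two function names are
// assumptions for this example.

// Assumed to live in admin/includes/configure.php (never in the catalog's
// configure.php): a long random value, e.g. from bin2hex(random_bytes(32)).
define('ADMIN_LOGIN_TOKEN_SECRET', 'replace-with-a-long-random-value');

// ---- admin side: where customers.php builds the "Login as customer" form ----

/**
 * Token for one customer address, valid for $ttl_seconds.
 * Format: "<unix expiry>.<hex HMAC-SHA256 over expiry|email>".
 * Nothing in the token needs to stay secret; only ADMIN_LOGIN_TOKEN_SECRET does.
 */
function build_login_as_customer_token($email_address, $ttl_seconds = 120) {
    $expires = time() + $ttl_seconds;
    $mac = hash_hmac('sha256', $expires . '|' . $email_address, ADMIN_LOGIN_TOKEN_SECRET);
    return $expires . '.' . $mac;
}

// The hidden field that replaces name="admin" value="admin/" in the admin form
// ($email_address being the customer the admin is about to log in as):
//   <input type="hidden" name="login_token"
//          value="<?php echo htmlspecialchars(build_login_as_customer_token($email_address)); ?>">

// ---- catalog side: login.php, action=process branch ----

/**
 * 'pass' only if the token is well-formed, not yet expired, and its HMAC
 * matches the submitted email address. hash_equals() compares in constant
 * time, so a forger learns nothing from response timing.
 */
function verify_login_as_customer_token($email_address, $token, $now = null) {
    if ($now === null) {
        $now = time();
    }
    $parts = explode('.', (string) $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0]) || strlen($parts[1]) !== 64) {
        return 'fail';   // wrong shape, e.g. a plain folder name such as "admin/"
    }
    if ((int) $parts[0] < $now) {
        return 'fail';   // expired: the admin has to open the customer page again
    }
    $expected = hash_hmac('sha256', $parts[0] . '|' . $email_address, ADMIN_LOGIN_TOKEN_SECRET);
    return hash_equals($expected, $parts[1]) ? 'pass' : 'fail';
}

// In login.php this replaces the strpos($referrer, $_POST['admin']) check:
if (isset($_POST['action']) && $_POST['action'] === 'process') {
    $email = isset($_POST['email_address']) ? $_POST['email_address'] : '';
    $token = isset($_POST['login_token']) ? $_POST['login_token'] : '';
    $checked = verify_login_as_customer_token($email, $token);
}

// Self-check from the command line with constructed values (php thisfile.php).
if (PHP_SAPI === 'cli') {
    $email = 'customer@example.com';   // constructed address
    $good  = build_login_as_customer_token($email);
    var_dump(verify_login_as_customer_token($email, $good));                // genuine token
    var_dump(verify_login_as_customer_token('other@example.com', $good));   // token issued for another address
    var_dump(verify_login_as_customer_token($email, $good, time() + 3600)); // same token, checked after its TTL
    var_dump(verify_login_as_customer_token($email, 'admin/'));             // the kind of value the forged form sends
}
```

A form hosted on another server can no longer produce a valid login_token without the secret, and a token copied out of a real admin request stops verifying once the TTL has passed. The token identifies the customer but not the admin who requested it; including the admin's session id in the HMAC input and in the hidden field would also stop replay within the TTL window.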

  2. #2
    pgmarshall
    osCMax Development Team

    Re: Security issue found! cross domain login as a customer

    I can't seem to replicate this issue, but... an additional secret code should be implemented in the code.

    Could you add this to the bugtracker?

  3. #3
    wesfll123
    Guest


    Re: Security issue found! cross domain login as a customer

    Sorry I really don't know how to go about that.

  4. #4
    JRR
    Active Member

    Re: Security issue found! cross domain login as a customer

    Long ago I read somewhere that the Admin directory/folder needs to be password protected to avoid attacks such as the one you outline. So I have had a separate name and password required to even access the renamed Admin directory, prior to the osCmax Admin login procedure, for many years.

    A quick search turned up this warning from 2009 (search terms used: protect admin account access oscommerce) which addresses this potential vulnerability and proposes the same solutions I recommend, namely renaming the Admin directory AND password protecting the admin directory using the hosting service's Control Panel. This may be the report that I saw; however, I certainly am well aware that the osCommerce/osCmax admin directory is easily vulnerable to attack if not well protected.
    I'm always interested to see if there are further vulnerabilities that need to be addressed, so thanks for the reminder on this one!

  5. #5
    ridexbuilder
    osCMax Development Team

    Re: Security issue found! cross domain login as a customer

    I've been an advocate of htaccess control over the admin directory ever since being involved in ecommerce software. Interesting to see the osC implementation of this, but I prefer a two-tier approach: "generic" htaccess login, followed by user-specific admin access.

