Serious osCommerce vulnerability exposed
Posted by: Dave on Nov 19, 2009
A very serious vulnerability in osCommerce was brought to our attention on November 13th. The vulnerability allows an attacker to bypass the authentication mechanism and gain access to the admin pages.
I have held off on blogging about this until now as I did not feel it was appropriate. It was a difficult decision to make: on the one hand I want to inform those running osCommerce so they can secure their systems, but by blogging about the issue I am also highlighting it to potential attackers.
I would like to discuss the vulnerability and how it works, but we'll leave that for another time. For those of you running osCommerce, you can find information about the vulnerability on the osCommerce forums and also on the powersellers forum.
There are a number of suggested solutions and patches, but based on my research the simplest thing to do is to protect the admin directory using .htaccess-based authentication.
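As an added illustration (not taken from this post or from the osCommerce project), here is what such an `.htaccess` file for the `admin/` directory can look like. The path `/var/www/private/.htpasswd` and the realm name are assumptions. The point is that the login is enforced by Apache before any osCommerce PHP code runs, so a bypass in the application's own authentication cannot reach these pages, and that the password file sits outside the document root.

```apache
# .htaccess placed in the osCommerce admin/ directory.
# Added example; the AuthUserFile path and realm name are assumptions.

# HTTP Basic authentication, checked by Apache before the request reaches
# any PHP script in this directory.
AuthType Basic
AuthName "osCommerce administration"
# Keep the password file outside the web root so it can never be served.
# Create it with:  htpasswd -c /var/www/private/.htpasswd adminuser
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# Basic auth transmits the password base64-encoded, not encrypted, on every
# request, so refuse plain-HTTP access to the admin area (requires mod_ssl
# and an HTTPS virtual host for the shop).
SSLRequireSSL
```

For the file to take effect the directory's `AllowOverride` setting in the main Apache configuration must include `AuthConfig` (and `Options` is not needed). A quick check is to request the admin URL in a browser or with `curl -I` and confirm the server answers `401 Authorization Required` before any osCommerce page is rendered; if the admin login page appears instead, the `.htaccess` is being ignored.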
Dave
written by Robert, November 30, 2009
Hi Dave,
Thanks for the fix. I have set .htpasswd on the admin folder of my sole osCommerce site. Just as you posted, someone had started sending spam from my admin account (I was informed by a past customer).
written by web design tipperary, December 01, 2009
Many off-the-shelf PHP applications are riddled with security problems, especially if care is not taken to set correct file permissions on the server. Also, on a PHP site any admin/system directories should be blocked with an htaccess file. The problem here and similar problems have been documented in a number of popular PHP apps, including Joomla, Magento and WordPress.
