osCommerce security hole


manfred
11-18-2009, 02:21 PM
Reference: http://aota.net/forums/showthread.php?t=25216

Do you scan for the security hole or for osC installations? A customer of mine has an osC installation, but I did a lot of .htaccess tweaks to improve security. The problem is that I cannot install a lot of plugins because there are many Austria-specific tweaks.

Kevin
11-18-2009, 02:25 PM
In this case we scanned the servers for OSC installations.

Specifically we looked for files named "*/admin/includes/application_top.php" that contained the string "PROJECT_VERSION".

We are still determining if the problem is more widespread than that.

manfred
11-18-2009, 02:30 PM
I had a short look at the posted osC forum links. It looks like two files in the admin folder are vulnerable. To secure these files, I have added file protection with .htaccess for both. It would be interesting to know whether this protection is enough.

Manfred

manfred
11-18-2009, 03:18 PM
Maybe this is a security improvement.

.htaccess in folder /www/ :

Options +FollowSymLinks

RewriteEngine On

RewriteCond %{QUERY_STRING} ^(.*)http://(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)https://(.*) [OR]
RewriteCond %{QUERY_STRING} ^(.*)ftp://(.*) [OR]
RewriteCond %{HTTP_USER_AGENT} ^libwww [OR]

# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Return 403 Forbidden for every blocked request ([F] sends the 403 immediately; no redirect to the homepage happens)
RewriteRule ^(.*)$ index.php [F,L]


.htaccess in folder /www/shop/admin :
(in addition to the password protection for the folder and the code from osCommerce)

### file_manager.php
AuthUserFile /big/dom/xDOMAIN/.sys_opr_dir/CNC_Protect/.passwd
AuthName Protected_Area
AuthType Basic
<Files "file_manager.php">
require user USERNAME
</Files>

### define_language.php
AuthUserFile /big/dom/xDOMAIN/.sys_opr_dir/CNC_Protect/.passwd
AuthName Protected_Area
AuthType Basic
<Files "define_language.php">
require user USERNAME
</Files>
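As an added illustration, not code from this thread, the following Python re-implements the RewriteCond chain posted above and reports which of a few constructed query strings and user agents it would hand to the 403 rule. mod_rewrite matches RewriteCond patterns unanchored, exactly as re.search does, so the ^(.*) prefixes add nothing, and %{QUERY_STRING} is the raw, still percent-encoded string, which is why the script rule also lists %3C and %3E. Because every condition but the last carries [OR], the rule fires as soon as any single condition matches. The function names and the sample inputs (including the config=http://BADSITE.TLD/harmful.txt string Manfred asks about later in the thread) are constructed for this example.

```python
import re

# (pattern, subject, case-insensitive) in the order they appear in the posted .htaccess.
# mod_rewrite uses PCRE; these patterns behave identically under Python's re.
REWRITE_CONDS = [
    (r"^(.*)http://(.*)", "query", False),
    (r"^(.*)https://(.*)", "query", False),
    (r"^(.*)ftp://(.*)", "query", False),
    (r"^libwww", "ua", False),                        # %{HTTP_USER_AGENT}
    (r"base64_encode.*\(.*\)", "query", False),
    (r"(\<|%3C).*script.*(\>|%3E)", "query", True),   # [NC]
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", "query", False),
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", "query", False),
]


def matching_conds(query_string, user_agent=""):
    """Return the patterns that match the raw query string / user agent.

    RewriteCond matching is unanchored (re.search), and the chain above is
    OR-joined, so a non-empty result means the RewriteRule would fire.
    """
    hits = []
    for pattern, subject_name, nocase in REWRITE_CONDS:
        subject = query_string if subject_name == "query" else user_agent
        flags = re.IGNORECASE if nocase else 0
        if re.search(pattern, subject, flags):
            hits.append(pattern)
    return hits


def is_blocked(query_string, user_agent=""):
    """True when the posted ruleset would answer 403 Forbidden."""
    return bool(matching_conds(query_string, user_agent))


# Constructed sample requests: (query string, user agent)
SAMPLES = [
    ("config=http://BADSITE.TLD/harmful.txt", "Mozilla/5.0"),   # remote URL in a parameter
    ("cPath=22&products_id=31", "Mozilla/5.0"),                 # ordinary shop browsing
    ("", "libwww-perl/5.805"),                                   # scripted client, empty query
    ("keywords=%3CSCRIPT%3Etest", "Mozilla/5.0"),               # encoded tag, caught by [NC]
    ("GLOBALS[x]=1", "Mozilla/5.0"),                            # register_globals style tampering
]

if __name__ == "__main__":
    for qs, ua in SAMPLES:
        verdict = "403" if is_blocked(qs, ua) else "pass"
        print(f"{verdict:4} qs={qs!r} ua={ua!r} via {matching_conds(qs, ua)}")
```

The ruleset only inspects the query string and the user agent, so it says nothing about request bodies; a POST that carries its payload in the body, which is what the later posts describe, passes these conditions untouched. That is why the per-file Basic-auth block is the part of this post that actually closes the door.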

Terra
11-18-2009, 07:40 PM
Manfred, unfortunately that question is only something that the osCommerce developers can adequately respond to...

We are between a rock and a hard place with 3rd party scripts and cannot comment on security fixes outside of what the script developers recommend... It is a slippery slope of liability issues... :(

manfred
11-19-2009, 03:30 AM
Ok, that sounds logical :)

Can you provide more information about how they are hacking the osC installations? Is this something like a code injection?

Terra
11-19-2009, 11:57 AM
Yes, it is a code injection attack that uses the OSC filemanager.php as a vehicle for the attack...

What makes this particularly nasty is that filemanager.php is exploited and in turn is directed to create a new file within your account that can contain anything the attacker wants... Most likely, this will be a remote shell and will give them pretty much full file access to your account as their script runs with your user/group credentials... IOW, they have created a way to access your account that bypasses password authorizations...

manfred
11-19-2009, 12:41 PM
Thank you Terra for the explanation! It sounds so simple, but it is so destructive. Is there something which can be found in the log files, for example a special log entry, so that we can search our logs for whether someone tried to gain access to our packages? Is it enough to search for something like "file_manager.php?config=http://BADSITE.TLD/harmful.txt"?

Terra
11-19-2009, 01:36 PM
You would be looking for POST entries that contain:
admin/file_manager.php/login.php?action=save
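
An added example, not from this thread: a small Python scanner that applies Terra's indicator to Apache combined-format access-log lines, flagging POST requests whose path ends in admin/file_manager.php/login.php and whose query string carries action=save. The log lines are constructed for this example, and the function names are my own; the only assumption about the server is the stock Apache "combined" LogFormat, which records the full request line including the query string.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Indicator from the thread: POST to admin/file_manager.php/login.php?action=save
SUSPECT_PATH = "admin/file_manager.php/login.php"


def parse_line(line):
    """Split one access-log line into named fields, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_file_manager_write(entry):
    """True for a POST whose path ends in the suspect path and whose query has action=save."""
    if entry is None or entry["method"] != "POST":
        return False
    url = urlsplit(entry["target"])
    if not url.path.endswith(SUSPECT_PATH):
        return False
    return parse_qs(url.query).get("action") == ["save"]


def find_suspect_requests(lines):
    """Return (ip, timestamp, target, status) for every line matching the indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if is_file_manager_write(entry):
            hits.append((entry["ip"], entry["ts"], entry["target"], entry["status"]))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Nov/2009:13:02:11 +0100] "POST /shop/admin/file_manager.php/login.php?action=save HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '198.51.100.4 - - [18/Nov/2009:13:05:40 +0100] "GET /shop/product_info.php?products_id=31 HTTP/1.1" 200 8122 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2009:13:02:15 +0100] "GET /shop/admin/file_manager.php?action=read HTTP/1.1" 200 4012 "-" "Mozilla/4.0"',
    '192.0.2.9 - - [18/Nov/2009:14:10:02 +0100] "POST /shop/admin/file_manager.php/login.php?action=save HTTP/1.1" 401 381 "-" "libwww-perl/5.805"',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print("suspect:", hit)
```

Do not filter on status 200: with the Basic-auth <Files> block from Manfred's post in place, Apache logs the same attempt with a 401, as in the last sample line, and that entry still tells you that someone was probing the path. Any genuine hit should be followed by a check of the account for files with a modification time near the request timestamp.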

manfred
11-19-2009, 02:27 PM
Thank you very much!