Attack on open-source web app keeps growing

An attack targeting sites running unpatched versions of the osCommerce web application kept growing virally this week, more than three weeks after a security firm warned it was being used to install malware on the computers of unsuspecting users. When researchers from Armorize first spotted the exploit on July 24, they …

COMMENTS

This topic is closed for new posts.
  1. Onid
    Unhappy

    it's not that they can't be bothered...

    oscommerce (at least up until 2.2 MS2) had become such a mess with customisations and plugins and mods necessary to get plugin x to work with plugin y that we decided to drop it around 2 years ago and switch to drupal. trying to manage all the changes from one version to the next and all the breaks in the plugins that the upgrade would cause was a regular nightmare..

    I've seen v3 is looking much more interesting and more modular etc but after that trauma won't be going back there in a hurry !!

    1. Rich 2 Silver badge
      FAIL

      Yes ....and no....

      I used to run an OSC site, and it took me the best part of 2 years to get it "just right". OK, I'm quite slow :-) ...but one thing I did learn was that a lot of people running OSC really do not give a shit about security - especially that of their users and customers. OSC was also to blame in this respect - it's why I wrote the "register globals" mod for 2.2 so that you no longer had to run it with PHP's "register globals" option enabled, which even back then was a blindingly obvious, huge, and very well known security hole. I think my mod got used quite a bit by others - I'm not sure.

      The OP is right though - in order to get a site working half-decently, you had (still have?) to install a dozen mods and patches, each of which was of unknown quality and quite often written in an insecure way. I ended up re-writing big lumps of it for myself - it's probably why it took me two years to get it working!

      But back to my original point, a lot of people running OSC sites really do not give a gnat's bits for security. I lost count of the number of times I posed and read questions regarding security issues and it seemed that most people were interested in was whether the site stayed up long enough to get someone's order in; what the hell if it was full of bugs and security problems? You can probably still find loads of posts asking about storing credit card numbers on the site's server. Apart from almost certainly being against the T&Cs of the bank providing the merchant account (they generally demand demonstrably rigorous security systems to be in place before you do this sort of thing, and yes, I know this is a bit pot-kettle as far as banks are concerned, but still), this sort of thing is just bloody irresponsible. And if you pointed this out, you would get a response (if you got one at all) of "so? Who cares?".

      I think this is in part why Zen Cart started up - by a bunch of OSC people who got fed up with the OSC way of doing things.

      I know OSC has probably moved on a lot since I used it, but I bet the attitude and ethos has not. If I ever set up another e-commerce site, I shall be looking elsewhere.
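Rich 2 mentions the "register globals" hole. The following is an added illustration, not osCommerce code and not Rich 2's mod: it shows the classic bug class that PHP's `register_globals` option enables (a request parameter silently becoming a script variable that was never initialised) next to the explicit-input pattern that removes the need for the option. Function and parameter names are hypothetical; `extract()` is used only to simulate what `register_globals` did automatically.

```php
<?php
// Added example; not from the article, osCommerce or any commenter.
// Demonstrates why register_globals was a security hole and how to write
// request handling that does not depend on it. Names are hypothetical.

// --- Pattern that breaks under register_globals -----------------------------
// With register_globals=On, PHP created $authorized from a ?authorized=1
// query parameter before the script ran. Because $authorized is only ever
// *assigned* on success and never initialised, a request that carries the
// parameter and no password at all passes the check.
function vulnerable_is_admin(array $request, string $expected_password): bool
{
    // Simulate register_globals: every request key becomes a local variable.
    // EXTR_SKIP keeps $request and $expected_password themselves from being
    // overwritten so the simulation stays focused on the uninitialised flag.
    extract($request, EXTR_SKIP);
    if (isset($password) && $password === $expected_password) {
        $authorized = true;
    }
    return !empty($authorized);   // $authorized may have come straight from the request
}

// --- Hardened pattern (what a "no register_globals" fix looks like) ---------
// Every variable is initialised by the script, input is read explicitly from
// the request array, and the comparison is constant-time.
function safe_is_admin(array $request, string $expected_password): bool
{
    $authorized = false;                                        // always initialised
    $password   = isset($request['password']) ? (string) $request['password'] : '';
    if ($password !== '' && hash_equals($expected_password, $password)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample requests (not real traffic).
$forged = ['authorized' => '1'];          // no password, just the flag name
$honest = ['password'   => 's3cret'];

var_dump(vulnerable_is_admin($forged, 's3cret'));   // the flag alone is enough here
var_dump(safe_is_admin($forged, 's3cret'));         // flag is ignored
var_dump(safe_is_admin($honest, 's3cret'));         // real password still works
```

Run with `php example.php`. The vulnerable function returns true for the forged request because the request supplied `$authorized` before the script ever looked at the password; the hardened version returns false for it and true only when the password matches. The same rule, initialise everything and read input only from `$_GET`/`$_POST`/`$_COOKIE`, is what let a PHP application of that era run with `register_globals` off.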

  2. Anonymous Coward
    Devil

    Now guess why...

    Maybe nobody cared to update their osC install because after installing a few mods to it updating it becomes an effin' nightmare?

  3. Will Godfrey Silver badge
    Unhappy

    Hmmm

    While I appreciate the difficulty and time costs of performing the upgrades (or getting out altogether), to do nothing when you KNOW there is a problem is irresponsible in the extreme, and puts your customers (who have no way of knowing about this) at risk.

  4. g e
    FAIL

    Wouldn't consider using it

    Given that the last bug I knew of in OsC was that you could guess URLs in the admin area and not have to be logged in as admin to load them (or something like that).

    Fail 101

    1. Onid
      Stop

      Drove me up the wall as well

      So I ended up modifying the admin pages and moved them to a different url so instead of having http://website.com/admin/

      would then have http://admin.website.com/ - and restricted it through apache so that only our IP could access it through certificate based authentication as the in-built auth mechanism was a joke. Needed a lot of changes to get it working though... Additionally a different process would always run the admin page as a different user on the server. I even started experimenting with not having the admin pages on the server at all and just having the admin pages running on a local copy of apache that would connect to ssh... in the end I figured this isn't worth the trouble and decided to dump it as the mods were just getting too extensive.

      I do recall running every vulnerability scanner against it after any code change and I wouldn't store credit card data inside it at all .. in fact we re-directed to the payment provider so that we wouldn't handle it at all as wasn't convinced at all at the mess going on inside....

      This changed and we now handle cc's directly with ubercart as there is much more significant testing and resilience apparent in this.

      A mate was asking me to help him with an oscommerce installation he was starting up and I just said to him... stop - and run as far away from osc as you can hehe..

  5. heyrick Silver badge

    What are those Google links looking for?

    On my Android, tapping the link briefly passes by https://encrypted.google.com/ before redirecting to the Google main page. The link itself is a mess of complicated parameters, hard to figure out what it is actually asking (using a post-it note app ;) ).

  6. Aaron Guilmette
    Coat

    Compliance

    So how many merchants does that make who aren't PCI compliant? Be taking my online shopping elsewhere.

    Mine's the one with the updated bits....

    1. Solomon Grundy
      FAIL

      Really?

      Very few of the small shops that are the foundation of most economies are PCI compliant. Even fewer know what PCI is (a joke) but you buy from them all the time. One online article and you're going to take your business elsewhere?

      Companies pay their monies for card processing and card readers and that's fair. They purchased a product and they pay big recurring fees for service - they are offering YOU the ability to use plastic; because YOU think you are too good for cash. If a random person purchases something they expect big consumer protections but those same people fail to realize the businesses that make the world go round are people too. There is a HUGE disconnect in the world that thinks just because someone is selling something they are making big money. Most small businesses are happy just to make good on their employees' pay checks. They aren't making lots of money because they "own a business". You go on ahead with your updated bits and do your part to fuck up the economy even more.

    2. James Woods

      hahaha

      PCI compliance was created by the card industry. The same industry that has always been responsible for making sure your credit card transactions are safe.

      Common sense takes more steps to increase security than a PCI questionnaire.

      If PCI compliance worked why do the big guys that surely conform to the measure always seem to be having the large break ins?

      Another win for the bankers since at the end of the day if someone uses your card without your permission and it can easily be proved you should be off the hook. But not always:)

  7. Gilgamesh
    FAIL

    1998 called, they want their exploit back

    Let me guess, SQL injection?

    Hooray, let's trust what the browser tells the PHP script! Better still - let's pass in unescaped to the database as a superuser account.

    Morons. Anyone who gets hacked like this in the 21st deserves all they get.

    1. Anonymous Coward
      FAIL

      You guessed wrong

      You might want to read up on the problem before making comments, a 2 second read would show the problem had nothing to do with SQL injection

  8. AbortRetryFail

    "a large percentage of osCommerce websites can't be bothered to install it"

    Clearly the author of this article has never used osCommerce.

    The way you apply patches, mods and customisations to osCommerce is to merge the actual PHP source code and it very quickly becomes a nightmare. Even if you are fastidious in delimiting changes in comments, it is still a huge diff-merge task to take on an upgrade and one that is beyond a majority of users.

    I remember spending days trying to reconcile two osCommerce sites developed for my (now ex) wife that had been developed by the same web "designer" but at different times and based on different versions of osCommerce and it was insane; the differences between them were enormous and trying to make a unified version with the only differences being the visual customisation proved impossible.

    Having said that, 'Rich 2' is probably right as well.

    1. Onid
      Happy

      That's bad...

      so the trouble with osc was so bad you ended up divorcing your wife over it???

      I can sympathise ... we were nearly there arguing over it... We run a small craft website which since moving to drupal has been a dream in contrast to osc (though I seem to encounter some osc thinking in the forums ... heh)

      Yes I agree with Rich 2 also that a lot of the posts I encountered on the osc forums beggared belief and all the shoulder shrugging just drove me up the wall....

      Code merging versions ... arghhh.. you're bringing back nightmares I used to have.... arggghh...

  9. Anonymous Coward
    FAIL

    Users Are Lazy

    I have been running Oscommerce stores since the early "The Exchange Project" days and I think given how long the code has been around the low number of high-risk security issues has been pretty impressive. I am currently running around 18 Oscommerce stores and none have been infected, when this was announced last year I added just 3 lines from the documentation at

    http://www.oscommerce.info/confluence/display/OSCOM23/%28A%29+%28SEC%29+Administration+Tool+Log-In+Update

    For a heavily modified store this took about 2 minutes.

    Unfortunately open-source doesn't protect against general laziness on behalf of store owners, it's hardly the fault of the Oscommerce project which has provided a fix for over 10 months, which has been heavily discussed in the forums and I think I even got an email newsletter when 2.3 was released asking me to upgrade if people don't do it. They have also added in 2.3 the ability for store owners to be notified of new releases when they are available so personally I think they have tried to get people to upgrade.

    I am now running 2.3.1 and looking at upgrading to 3.0 when it's released sometime in the next 2 years ;-)

  10. Godwhacker
    Stop

    Are you sure it's all the fault of the person running the shop?

    It's far more likely that most of these websites were built by someone other than the shop owner. Whoever owns the shop would then be completely unaware of what software it's using, so they won't be receiving patch emails.

    Given that there's no auto-update for server side stuff, I would guess this is mostly the fault of freelance web developers not caring about past jobs.

    1. Steve Knox
      Megaphone

      Positive.

      It doesn't matter who developed the site, if you own it but don't take the basic responsibility of at least knowing someone who knows how to maintain it properly, it's your fault when your site compromises your customers.

    2. Anonymous Coward
      FAIL

      re: Are you sure it's all the fault

      That really depends on how you define "running the shop", doesn't it?

    3. James Woods

      or

      shop owners not wanting to pay for a plan to continue management of what was installed.

  11. Anonymous Coward
    Joke

    Harold Ponce de Leon

    Is he the ponce of Leon?

  12. Anonymous Coward
    Anonymous Coward

    Magento?

    Viart?

  13. Nigel Hamlin

    User safety

    I'm sort of surprised no-one's mentioned this, but what's the best way for anyone shopping online to find out which commerce software a website is using and, if it's OSC, whether or not it's infected? At least, if this information were known and 'out there', potential customers would be empowered to put pressure on the store to get their act together and thus start to tackle this problem.

    Speculation about who's caused this problem or why it's happened is all very well, but won't in itself get the problem sorted!
