osCommerce 2.2 RC2a bug

[ENGLISH]

Dear Customers,

we have noticed that osCommerce version 2.2 RC2a has a bug that spammers are abusing to send out spam through http://<site name>.com/admin/mail.php/login.php?action=send_email_to_user (appending a second script name after mail.php makes the admin login check believe it is serving login.php). To fix this problem, please patch the file admin/includes/application_top.php as follows:

34 34 require(DIR_WS_FUNCTIONS . ‘compatibility.php’);
35 35
36 36 // set php_self in the local scope
37 $PHP_SELF = (isset($HTTP_SERVER_VARS[‘PHP_SELF’]) ? $HTTP_SERVER_VARS[‘PHP_SELF’] : $HTTP_SERVER_VARS[‘SCRIPT_NAME’]);
37 + $PHP_SELF = $_SERVER[‘PHP_SELF’];
38 38
39 39 // Used in the “Backup Manager” to compress backups
40 40 define(‘LOCAL_EXE_GZIP’, ‘/usr/bin/gzip’);
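Review bot: the new line 37 still derives $PHP_SELF from $_SERVER['PHP_SELF'], which, like the old $HTTP_SERVER_VARS['PHP_SELF'], includes any PATH_INFO appended after the script name, so on its own this line does not change which basename the later checks see; the bypass is closed only by the line 137 and line 216 changes that read $_SERVER['SCRIPT_FILENAME'] instead. Since $PHP_SELF stays defined and request-influenced after this patch, it is worth grepping the rest of admin/ for any remaining basename($PHP_SELF) comparisons.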
134 134
135 135 // include the language translations
136 136 require(DIR_WS_LANGUAGES . $language . ‘.php’);
137 $current_page = basename($PHP_SELF);
137 + $current_page = basename($_SERVER[‘SCRIPT_FILENAME’]);
138 138 if (file_exists(DIR_WS_LANGUAGES . $language . ‘/’ . $current_page)) {
139 139 include(DIR_WS_LANGUAGES . $language . ‘/’ . $current_page);
140 140 }
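Review bot: switching line 137 to basename($_SERVER['SCRIPT_FILENAME']) is the right fix here, because SCRIPT_FILENAME is the filesystem path of the script actually executed and never carries PATH_INFO, so a request for mail.php/login.php now resolves $current_page to mail.php. One caveat worth documenting: under some CGI/FastCGI configurations SCRIPT_FILENAME can point at the PHP binary rather than the script, so the patched value should be verified on each hosting setup (for example by logging $current_page once after deployment) rather than assumed to work everywhere.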
213 213 }
214 214
215 215 // BOF: MOD – Admin w/access levels
216 if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN && basename($PHP_SELF) != FILENAME_FORBIDDEN) {
216 + if (basename($_SERVER[‘SCRIPT_FILENAME’]) != FILENAME_LOGIN && basename($_SERVER[‘SCRIPT_FILENAME’]) != FILENAME_PASSWORD_FORGOTTEN && basename($_SERVER[‘SCRIPT_FILENAME’]) != FILENAME_FORBIDDEN) {
217 217 tep_admin_check_login();
218 218 }
219 219 // EOF: MOD – Admin w/access levels
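Review bot: line 216 repeats basename($_SERVER['SCRIPT_FILENAME']) three times in one condition; with the line 137 change applied (and assuming line 137 runs unconditionally), $current_page already holds exactly that value, so the condition can become `if (!in_array($current_page, array(FILENAME_LOGIN, FILENAME_PASSWORD_FORGOTTEN, FILENAME_FORBIDDEN))) {`, which reads more easily and keeps a single definition of the current-page value. Note also that this remains a list of pages exempted from tep_admin_check_login(), so any new public admin page must be added here; a comment saying so would help maintainers.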

Source of patch:
http://code.google.com/p/oscmax2/source/detail?r=169

For further information and security updates regarding osCommerce:
http://www.oscmax.com/forums/oscmax-v1-7-discussion/20994-spam-through-admin-mail-php-login-php-action-send_email_to_user.html

As a general workaround we suggest password-protecting the admin folder using either .htaccess+.htpasswd, your control panel (Plesk, Confixx etc.) or an equivalent solution. Alternatively, rename the admin folder to something difficult to guess (e.g. “n3WaDm1N”) so that automated scanners cannot find the vulnerable URL.
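As an added illustration (not part of the original notice or of the oscmax patch), the following Python script shows why a request such as /admin/mail.php/login.php passes the unpatched login check and fails the patched one, and scans constructed access-log lines for the same PATH_INFO pattern under the admin folder; login.php, password_forgotten.php and forbidden.php are assumed values for FILENAME_LOGIN, FILENAME_PASSWORD_FORGOTTEN and FILENAME_FORBIDDEN.

```python
import re
from urllib.parse import urlsplit

# Assumed values of the osCommerce admin constants FILENAME_LOGIN,
# FILENAME_PASSWORD_FORGOTTEN and FILENAME_FORBIDDEN (pages served without a login).
PUBLIC_ADMIN_PAGES = ("login.php", "password_forgotten.php", "forbidden.php")

# Constructed Apache-style access-log lines (not taken from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2010:13:55:36 +0000] "GET /admin/login.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Oct/2010:13:55:40 +0000] "POST /admin/mail.php/login.php?action=send_email_to_user HTTP/1.1" 200 1024
198.51.100.9 - - [10/Oct/2010:13:56:01 +0000] "GET /admin/categories.php?cPath=1 HTTP/1.1" 200 2048
203.0.113.7 - - [10/Oct/2010:13:56:02 +0000] "GET /admin/orders.php/password_forgotten.php HTTP/1.1" 200 900
"""
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def split_script_and_path_info(url_path):
    """Split a URL path as PHP does: the executing script (what SCRIPT_FILENAME names)
    and the trailing PATH_INFO that PHP_SELF keeps: '/a/mail.php/login.php' -> ('/a/mail.php', '/login.php')."""
    m = re.match(r"^(?P<script>.*?\.php)(?P<info>/.*)?$", url_path)
    if not m:
        return url_path, ""
    return m.group("script"), m.group("info") or ""

def old_check_skips_login(url_path):
    """Unpatched line 216: basename($PHP_SELF), and PHP_SELF includes PATH_INFO."""
    return url_path.rsplit("/", 1)[-1] in PUBLIC_ADMIN_PAGES

def new_check_skips_login(url_path):
    """Patched line 216: basename($_SERVER['SCRIPT_FILENAME']) ignores PATH_INFO."""
    script, _ = split_script_and_path_info(url_path)
    return script.rsplit("/", 1)[-1] in PUBLIC_ADMIN_PAGES

def find_login_bypass_requests(log_text, admin_prefix="/admin/"):
    """Return (script, path_info) for admin requests that the unpatched check
    would have served without a login but the patched check stops."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = urlsplit(m.group("target")).path
        if not path.startswith(admin_prefix):
            continue
        script, info = split_script_and_path_info(path)
        if info and old_check_skips_login(path) and not new_check_skips_login(path):
            hits.append((script, info))
    return hits
```

Running find_login_bypass_requests over your real admin access log is a quick way to see whether the pattern was already being exercised before the patch went in.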

[ITALIAN]

Dear Customers,

a report has brought to our attention a security problem in osCommerce version 2.2 RC2a that is already being abused by spammers to send spam using the URL http://<site name>.it/admin/mail.php/login.php?action=send_email_to_user. To fix the problem, modify the file admin/includes/application_top.php using the same patch shown in the English section above.


Patch reference:
http://code.google.com/p/oscmax2/source/detail?r=169

For further information on osCommerce security we recommend:
http://www.oscmax.com/forums/oscmax-v1-7-discussion/20994-spam-through-admin-mail-php-login-php-action-send_email_to_user.html

As a general workaround we suggest password-protecting the admin folder using .htaccess+.htpasswd, a control panel (Plesk, Confixx etc.) or some other equivalent method. Alternatively, the “admin” folder can be renamed, preferably to a name that is difficult to guess (e.g. “n3WaDm1N”), so as to avoid automated scans by hackers.
