[ENGLISH]
Dear Customers,
we have noticed that osCommerce version 2.2 RC2a has a bug that is being abused by spammers to send out spam through URLs of the form http://<site name>.com/admin/mail.php/login.php?action=send_email_to_user (the extra login.php path segment after mail.php lets the request pass the admin login check). To fix this problem, please patch the file admin/includes/application_top.php according to the following table:
34 | 34 | require(DIR_WS_FUNCTIONS . ‘compatibility.php’); | |
---|---|---|---|
35 | 35 | ||
36 | 36 | // set php_self in the local scope | |
37 | – | $PHP_SELF = (isset($HTTP_SERVER_VARS[‘PHP_SELF’]) ? $HTTP_SERVER_VARS[‘PHP_SELF’] : $HTTP_SERVER_VARS[‘SCRIPT_NAME’]); | |
37 | + | $PHP_SELF = $_SERVER[‘PHP_SELF’]; | |
38 | 38 | ||
39 | 39 | // Used in the “Backup Manager” to compress backups | |
40 | 40 | define(‘LOCAL_EXE_GZIP’, ‘/usr/bin/gzip’); | |
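Review bot: assigning $_SERVER['PHP_SELF'] directly at line 37 does not by itself remove the bypass, because PHP_SELF still carries any client-appended PATH_INFO (for the request in this notice it is /admin/mail.php/login.php, so basename() still yields login.php); this line only modernises the superglobal access, and the actual fix is the switch to SCRIPT_FILENAME in the later hunks. Any other admin code that keeps deriving the page name from $PHP_SELF stays affected, so the rest of the admin tree should be grepped for remaining basename($PHP_SELF) uses. If the removed isset()/SCRIPT_NAME fallback was there for hosts where PHP_SELF is unset, consider keeping a guard, e.g. `$PHP_SELF = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME'];`.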
… | |||
134 | 134 | ||
135 | 135 | // include the language translations | |
136 | 136 | require(DIR_WS_LANGUAGES . $language . ‘.php’); | |
137 | – | $current_page = basename($PHP_SELF); | |
137 | + | $current_page = basename($_SERVER[‘SCRIPT_FILENAME’]); | |
138 | 138 | if (file_exists(DIR_WS_LANGUAGES . $language . ‘/’ . $current_page)) { | |
139 | 139 | include(DIR_WS_LANGUAGES . $language . ‘/’ . $current_page); | |
140 | 140 | } | |
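Review bot: basename($_SERVER['SCRIPT_FILENAME']) at line 137 is the right source here, since SCRIPT_FILENAME is the filesystem path of the script PHP actually executes and never includes client-supplied PATH_INFO, so $current_page becomes mail.php for the request in this notice instead of login.php. One caveat worth documenting: under some CGI/FastCGI configurations SCRIPT_FILENAME can point at the PHP binary rather than the script, so the patch should be verified on the hosting setup it is applied to; $_SERVER['SCRIPT_NAME'], which also excludes PATH_INFO, is an alternative if that is a concern. The file_exists()/include() on lines 138-139 now load the language file named after the real script, which is the intended behaviour.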
… | |||
213 | 213 | } | |
214 | 214 | ||
215 | 215 | // BOF: MOD – Admin w/access levels | |
216 | – | if (basename($PHP_SELF) != FILENAME_LOGIN && basename($PHP_SELF) != FILENAME_PASSWORD_FORGOTTEN && basename($PHP_SELF) != FILENAME_FORBIDDEN) { | |
216 | + | if (basename($_SERVER[‘SCRIPT_FILENAME’]) != FILENAME_LOGIN && basename($_SERVER[‘SCRIPT_FILENAME’]) != FILENAME_PASSWORD_FORGOTTEN && basename($_SERVER[‘SCRIPT_FILENAME’]) != FILENAME_FORBIDDEN) { | |
217 | 217 | tep_admin_check_login(); | |
218 | 218 | } | |
219 | 219 | // EOF: MOD – Admin w/access levels |
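Review bot: the condition on line 216 evaluates basename($_SERVER['SCRIPT_FILENAME']) three times; $current_page already holds that value from line 137 of this same file, so reusing it (`if ($current_page != FILENAME_LOGIN && $current_page != FILENAME_PASSWORD_FORGOTTEN && $current_page != FILENAME_FORBIDDEN) {`) keeps the two places in sync and avoids a third spelling of the page-name logic. Functionally this is the hunk that closes the hole: before the patch basename($PHP_SELF) was login.php for /admin/mail.php/login.php and tep_admin_check_login() was skipped, whereas the executing script's filename is mail.php and the login check now runs. It would help maintainers to note in the comment block that this is an allow-list of pages exempt from authentication, so any new unauthenticated admin page has to be added here explicitly.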
Source of patch:
http://code.google.com/p/oscmax2/source/detail?r=169
For further information and security updates regarding osCommerce:
http://www.oscmax.com/forums/oscmax-v1-7-discussion/20994-spam-through-admin-mail-php-login-php-action-send_email_to_user.html
As a general workaround we suggest password-protecting the admin folder using either .htaccess+.htpasswd, your control panel (Plesk, Confixx etc.) or an equivalent solution. The alternative is to rename the admin folder to something difficult to guess (e.g. “n3WaDm1N”) so that no automatic scanning for the vulnerability is possible.
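The following is an added example, not part of this notice or of osCommerce: it reproduces the pre-patch and patched page-name checks from admin/includes/application_top.php against a constructed $_SERVER array for the request named above, and adds a simple request-path filter a site owner can run over access logs. The document root, constant values and log paths are assumptions.

```php
<?php
// Added example (not osCommerce code): pre-patch vs. patched admin page check
// for GET /admin/mail.php/login.php?action=send_email_to_user, plus a log filter.
define('FILENAME_LOGIN', 'login.php');
define('FILENAME_PASSWORD_FORGOTTEN', 'password_forgotten.php');
define('FILENAME_FORBIDDEN', 'forbidden.php');

// Constructed $_SERVER values. When the web server accepts PATH_INFO, mail.php
// is the executing script and /login.php is passed as PATH_INFO, which PHP
// appends to PHP_SELF but not to SCRIPT_NAME or SCRIPT_FILENAME.
$server = array(
    'PHP_SELF'        => '/admin/mail.php/login.php',
    'SCRIPT_NAME'     => '/admin/mail.php',
    'SCRIPT_FILENAME' => '/var/www/shop/admin/mail.php',   // assumed docroot
    'PATH_INFO'       => '/login.php',
);

// Shared allow-list: pages that may be served without an admin session.
function is_public_admin_page($page) {
    return $page == FILENAME_LOGIN
        || $page == FILENAME_PASSWORD_FORGOTTEN
        || $page == FILENAME_FORBIDDEN;
}

// osCommerce 2.2 RC2a behaviour: the page name comes from PHP_SELF, so the
// trailing PATH_INFO segment decides whether tep_admin_check_login() runs.
function login_required_before_patch(array $server) {
    return !is_public_admin_page(basename($server['PHP_SELF']));
}

// Patched behaviour: the page name comes from the script that really executes.
function login_required_after_patch(array $server) {
    return !is_public_admin_page(basename($server['SCRIPT_FILENAME']));
}

// Defender side: flag admin requests whose path continues past a .php script,
// i.e. a PATH_INFO segment such as mail.php/login.php. The folder name is an
// assumption; adjust it if the admin directory has been renamed.
function is_pathinfo_admin_request($request_path) {
    return preg_match('~^/admin/[^/?]+\.php/[^?]+~i', $request_path) === 1;
}

echo 'login required before patch: ', var_export(login_required_before_patch($server), true), "\n";
echo 'login required after patch:  ', var_export(login_required_after_patch($server), true), "\n";

// Constructed access-log request paths; only the second matches the pattern.
foreach (array('/admin/login.php', '/admin/mail.php/login.php?action=send_email_to_user') as $path) {
    echo $path, ' => ', (is_pathinfo_admin_request($path) ? 'SUSPICIOUS' : 'ok'), "\n";
}
```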
[ITALIAN]
Dear Customers,
a report has brought to our attention a security problem in osCommerce version 2.2 RC2a that is already being abused by spammers to send spam through URLs of the form http://<site name>.it/admin/mail.php/login.php?action=send_email_to_user. To fix the problem, modify the file admin/includes/application_top.php using the patch table shown in the English section above.
Patch reference:
http://code.google.com/p/oscmax2/source/detail?r=169
For further information on osCommerce security we recommend:
http://www.oscmax.com/forums/oscmax-v1-7-discussion/20994-spam-through-admin-mail-php-login-php-action-send_email_to_user.html
As a general workaround we suggest password-protecting the admin folder using .htaccess+.htpasswd, a control panel (Plesk, Confixx etc.) or another equivalent method. Alternatively, the “admin” folder can be renamed, preferably to a name that is difficult to guess (e.g. “n3WaDm1N”), so as to avoid automated scanning by attackers.