From owner-freebsd-questions@FreeBSD.ORG Wed Dec 8 00:30:42 2010
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7383F1065670 for ; Wed, 8 Dec 2010 00:30:42 +0000 (UTC) (envelope-from freebsd-questions@herveybayaustralia.com.au)
Received: from mail.unitedinsong.com.au (mail.unitedinsong.com.au [150.101.178.33]) by mx1.freebsd.org (Postfix) with ESMTP id 25A008FC0A for ; Wed, 8 Dec 2010 00:30:41 +0000 (UTC)
Received: from laptop1.herveybayaustralia.com.au (laptop1.herveybayaustralia.com.au [192.168.0.193]) by mail.unitedinsong.com.au (Postfix) with ESMTP id 259165C21 for ; Wed, 8 Dec 2010 10:35:28 +1000 (EST)
Message-ID: <4CFED0D4.3090108@herveybayaustralia.com.au>
Date: Wed, 08 Dec 2010 10:27:00 +1000
From: Da Rock
User-Agent: Mozilla/5.0 (X11; U; FreeBSD amd64; en-US; rv:1.9.1.15) Gecko/20101119 Thunderbird/3.0.10 ThunderBrowse/3.3.4
MIME-Version: 1.0
To: freebsd-questions@freebsd.org
References: <3374599093-437630056@intranet.com.mx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: Shopping cart other than OSCommerce?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Wed, 08 Dec 2010 00:30:42 -0000

On 12/08/10 07:01, Chuck Swiger wrote:
> On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote:
>
>> With a provider where I had a dedicated server, not running FreeBSD, the entire server was hacked and before leaving them, the tech support people said that the hacking was because of a problem with some libraries under PHP AND OSCOMMERCE. They never could prove that but I left them since the entire server was hacked, not information stolen but ONLY that all web pages (.html, .php) were changed, all under different domains and account jailed (?) using CPANEL. Anyway. I am not sure how sensible is osCommerce to that since I know it is very popular but I would like to test something else.
>>
> 30 seconds with a Google search suggests that osCommerce has unpatched security vulnerabilities which do lead to compromise of admin and arbitrary PHP code execution:
>
> http://secunia.com/advisories/product/1308/
>
> "Affected By 7 Secunia advisories
> 44 Vulnerabilities
>
> Unpatched 29% (2 of 7 Secunia advisories)
>
> Most Critical Unpatched
> The most severe unpatched Secunia advisory affecting osCommerce 2.x, with all vendor patches applied, is rated Highly critical."
>
> http://secunia.com/advisories/33446/
>
> "1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create additional administrator accounts by tricking an administrative user into visiting a malicious web site.
>
> 2) An error in the authentication mechanism can be exploited to bypass authentication checks and gain access to the administrative interface in the "admin/" folder.
>
> Successful exploitation allows to upload and execute arbitrary PHP code e.g. via the file_manager.php script."
>
> In other words, your former site's tech support people were likely right-- the site was almost certainly hacked because of osCommerce. Find something else, preferably something which is not based upon PHP.
>
> Regards,
>

One to point out the obvious, and two to clarify your view here: why not PHP? PHP was the scripting used, but if used poorly it will create a security risk in the web app. That means that the vulnerability is the coder's problem, not PHP itself.

God knows how many references there are to what not to do for security reasons on the PHP site. Vulnerabilities due to bad coding are not the fault of the language used, otherwise we wouldn't be using C, C++, etc. I ask because I'm coding web apps in PHP myself, and I'm curious to know if my view is in error...
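The two weaknesses the quoted Secunia text describes, a state-changing admin action that accepts any HTTP request without a validity check and an admin interface reachable without an authentication check, are coding defects rather than properties of PHP, which is the point the reply above is making. The following is an added example written for this page; it is not code from the thread, from osCommerce or from the advisory. It puts a minimal "add administrator" handler in its weak form beside a hardened one that demands an authenticated admin session, the POST method and a per-session anti-CSRF token compared in constant time. All names (`$session`, `$request`, `addAdminVulnerable`, `addAdminHardened`, `issueCsrfToken`) are hypothetical, and the session and request arrays are constructed inline so the script runs from the PHP CLI without a web server.

```php
<?php
// Added example, not from the mailing-list thread, osCommerce or Secunia.
// Function and variable names are hypothetical; no framework is assumed.
// Session and request data are plain arrays so this runs offline under php-cli.

declare(strict_types=1);

// Weak pattern: any request carrying the expected fields is acted on. A page
// the admin is lured to can submit this form from the admin's own browser, and
// because the browser attaches the session cookie the request is honoured.
function addAdminVulnerable(array $session, array $request, array &$admins): bool
{
    if (!isset($request['username'], $request['password'])) {
        return false;
    }
    $admins[$request['username']] = password_hash($request['password'], PASSWORD_DEFAULT);
    return true;
}

// Issue one unguessable token per session and keep it server-side; the
// legitimate form renders it as a hidden field.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hardened pattern: the state change requires (a) a logged-in admin session,
// (b) the POST method, and (c) a token equal to the one stored in the session.
function addAdminHardened(array $session, array $request, string $method, array &$admins): bool
{
    if (($session['is_admin'] ?? false) !== true) {
        return false; // authentication check runs before anything else
    }
    if ($method !== 'POST') {
        return false; // a GET must never change state
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = (string) ($request['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false; // missing or forged token: the request did not come from our form
    }
    if (!isset($request['username'], $request['password']) || $request['username'] === '') {
        return false;
    }
    $admins[$request['username']] = password_hash($request['password'], PASSWORD_DEFAULT);
    return true;
}

// Constructed demonstration data (not real accounts).
$admins  = ['root' => password_hash('example-only', PASSWORD_DEFAULT)];
$session = ['is_admin' => true];          // the admin is logged in
$token   = issueCsrfToken($session);       // token the real form would carry

// A cross-site request: rides on the admin's session but carries no token.
$forged = ['username' => 'forged-account', 'password' => 'x'];
echo 'weak handler, forged request:      ', addAdminVulnerable($session, $forged, $admins) ? 'ACCEPTED' : 'rejected', PHP_EOL;
echo 'hardened handler, forged request:  ', addAdminHardened($session, $forged, 'POST', $admins) ? 'ACCEPTED' : 'rejected', PHP_EOL;

// The same fields submitted through the legitimate form, token included.
$legit = $forged + ['csrf_token' => $token];
echo 'hardened handler, genuine request: ', addAdminHardened($session, $legit, 'POST', $admins) ? 'ACCEPTED' : 'rejected', PHP_EOL;

// An unauthenticated visitor presenting a token: stopped by the auth check.
echo 'hardened handler, no admin session:', addAdminHardened([], $legit, 'POST', $admins) ? 'ACCEPTED' : 'rejected', PHP_EOL;
```

Run it with `php example.php`. The weak handler creates the account on the forged request while the hardened one rejects it and accepts only the submission that carries the session's token; the last call shows the authentication check refusing a token-bearing request that has no admin session behind it. Checking the token with `hash_equals()` rather than `==` keeps the comparison constant-time, and tying the token to the server-side session rather than to a cookie alone is what stops a third-party page from supplying a matching value.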