Date: Tue, 07 Dec 2010 13:01:02 -0800 From: Chuck Swiger <cswiger@mac.com> To: Jorge Biquez <jbiquez@intranet.com.mx> Cc: Free BSD Questions list <freebsd-questions@freebsd.org> Subject: Re: Shopping cart other than OSCommerce? Message-ID: <DB1524B8-BBC3-446C-A72A-59E981DD29B3@mac.com> In-Reply-To: <3374599093-437630056@intranet.com.mx> References: <3374599093-437630056@intranet.com.mx>
next in thread | previous in thread | raw e-mail | index | archive | help
On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote: > With a provider where I had a dedicated server, not running FreeBsd , the entire server was hacked and before leaving them, the tech support people said that the hacking was because of a problem with some libraries under PHP AND OSCOMMERCE. They never could prove that but I leave them since the entire server was hacked, not information stolen but ONLY that$ all web pages (.html, .php) pages where changed, all under different domains and account jailed (?) using CPANEL. Anyway. I am not sure how sensible is OSCCOmmerce to that since I know it is very popular but I would like to test something else. 30 seconds with a Google search suggests that osCommerce has unpatched security vulnerabilities which do lead to compromise of admin and arbitrary PHP code execution: http://secunia.com/advisories/product/1308/ "Affected By 7 Secunia advisories 44 Vulnerabilities Unpatched 29% (2 of 7 Secunia advisories) Most Critical Unpatched The most severe unpatched Secunia advisory affecting osCommerce 2.x, with all vendor patches applied, is rated Highly critical." http://secunia.com/advisories/33446/ "1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create additional administrator accounts by tricking an administrative user into visiting a malicious web site. 2) An error in the authentication mechanism can be exploited to bypass authentication checks and gain access to the administrative interface in the "admin/" folder. Successful exploitation allows to upload and execute arbitrary PHP code e.g. via the file_manager.php script." In other words, your former site's tech support people were likely right-- the site was almost certainly hacked because of osCommerce. Find something else, preferably something which is not based upon PHP. Regards, -- -Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?DB1524B8-BBC3-446C-A72A-59E981DD29B3>