Exclusive: Almost 200 e-commerce websites vulnerable to shopping cart flaw

By Opeyemi Adebiyi -
A vulnerability in open source shopping cart software osCommerce has affected almost 200 websites that have been listed and posted online.
A source informed SC Magazine of the Pastebin list of 198 websites, which they said were fairly small e-commerce sites and vulnerable to the osCommerce flaw and could be subject to attack soon.
SC Magazine showed the list to a number of industry experts. Andrew Barratt, partner at PTP Consulting, confirmed that all of the websites have the same vulnerability and said it appears that the examples given allow the password file to be stolen, or access to be granted to their database information including connection strings and passwords.
Michael Jordon, information security consultant at Context Information Security, said that the osCommerce bug affects the ‘extras' directory bug that may let remote users view files on the target system and according to securitytracker.com this was originally reported on in April 2006.
Jordon said: “So all the websites have not patched their version of osCommerce. The vulnerability allows for any file on the system to be read which could easily lead to a full compromise of the server, for example if they read a database backup file it would contain all the details in the app including usernames and passwords, but they would have to know the exact path.”
Asked if he was familiar with osCommerce, Jordon said he was not, but he found out that it is used by small-scale online shops and hosting providers who may provide it for people to use.
“The vulnerable websites would most likely be ones where they were set up a few years ago and have been working, so nothing has been changed. It is not really osCommerce's fault if they provide the necessary fix for people but they have not applied it,” he said.
Showing the list of websites to a penetration tester, he confirmed to SC Magazine that the osCommerce shopping cart appears to be vulnerable and it looked like a simple local file inclusion.
He pointed to a link that he said contains the PHP source code and the database connector passwords.
“If the database is available from the internet, then it's game over,” he said.
“I guess the list of sites have been found using a Google Dork. This looks related to a similar bug in categories.php in the same app that was disclosed in 2009.”
Asked if all of the 198 sites use the osCommerce shopping cart, he said it appears so, as the syntax of the URI is identical in all cases.
He said: “The various websites all appear to be small e-commerce sites, which may explain the use of an open source commerce platform. I don't think anything particularly clever has been done here; the Pastebin user has probably found them on a Google Dork that relates to an old vulnerability, and realised it applies to other .php scripts on the same platform.
“The listed websites need to patch urgently and change all database connector credentials and then check that no credit card, personal data or passwords were in clear text in the database.”
OsCommerce was informed of the issue. A spokesperson for osCommerce denied that the ‘extras/' directory is part of the installation, but that some users copied this directory manually to their servers.
“We noticed this and deleted the offending PHP files in the directory five years ago,” they said.
The list has also been passed on to the Information Commissioner's Office. An ICO spokesperson said: “This incident highlights the need for all website operators to make sure their systems are secure and the importance of performing regular maintenance checks.”
Update – OScommerce has issued a statement stating that the ‘extras' directory is not part of the installation, but is included in the osCommerce Online Merchant download packages. It said that this is added to assist existing users in upgrading their sites through various PHP and Perl scripts that had to be manually copied to the server.
It said: “These scripts are no longer relevant to the newer releases and were removed from the download package five years ago for the v2.2 Release Candidate 1 release.
“Due to an insecure directory listing implementation, the scripts could have allowed any file on the server to be read, including configuration files and database backups, if the location of the file is known. As some of our earlier users have left this directory on their servers, we'd like to remind them to remove the ‘extras' directory entirely.”


Comments

Post a Comment

Kindly Comment your views and share this post...

Popular posts from this blog

Two married couples who switch partners every night open up about their relationship

By Opeyemi Adebiyi -
Image
  Two married couples who live and raise their families together and swap partners have opened up about life as a foursome. Alysia and Tyler Rogers are married and were already parents to two children, now ages 7 and 8, when they embarked on a romantic relationship with married friends Sean and Taya Hartless. The two couples, originally from the US, moved in together as a polyamorous foursome in 2020 and the following year, Alysia and Taya delivered babies seven months apart. Neither woman knows who biologically fathered the kids, with Alysia maintaining they will help the children discover that down the road if they ever want to. We wanted to do everything we could to make sure that everybody feels like an equal parent, Taya told Today.com. At this point, finding out their genetics would change nothing. The family of eight now live in Lebanon and have amassed a huge social media following with their big family. We didn't intend to fall in love, but here we are! the quad, who have
Read more

Police arrest Nigerian pharmacy student for drug smuggling in India, recover 15.56grams of heroin.

By Opeyemi Adebiyi -
Image
The anti-narcotics cell of Panchkula in Haryana, India have arrested a Nigerian student for allegedly supplying heroin to drug peddlers.   The 29-year-old Nigerian national identified as Nwosu Echezoma, alias Amaica, was arrested on Sunday, February 12, 2023.  Heroin weighing 15.56 gm was also recovered from the accused, who is pursuing BPharma from a college in Mullana, Ambala, said police His arrest came on the disclosure of Surajpal Singh, alias Robin, 34, a resident of Zirakpur, who was caught with 8.78 gm heroin near Amartex showroom on February 9, 2023.  Singh was booked under the Narcotic Drugs and Psychotropic Substances Act and taken on two-day police remand. During interrogation, he revealed the source of the drugs, leading to Nwosu?s arrest. "The Nigerian national used to source drugs from Delhi and supplied them in and around Ambala. A court sent him to two-day police remand. He will be questioned further to reveal his network, Police source said.
Read more

How You Can Extend Your Mobile Phone Battery Life.

By Opeyemi Adebiyi -
Image
  Mobile phone battery life depends on a variety of factors. A line of best fit or regression model will help predict when a mobile phone’s battery will run out of charge. The time the phone is off and used are also factors to consider when calculating battery life. Many people find that their phones last about 18-24 months if they charge them every two days. But, for many people, this number is not sufficient. This means that it may not be realistic to expect the phone to last that long. A good way to extend the life of your mobile phone’s battery is to turn off the features you don’t use often. The more things you do with your phone, the more battery it will use. When the battery gets low, turn off unnecessary features and apps to save the battery. You can also try changing the interval at which the phone updates. But this can cause other problems. Try these tips and make sure that your phone has enough battery life to last you until your next recharge. The battery life of a mobile p
Read more