Date: Wed, 08 Dec 2010 10:27:00 +1000 From: Da Rock <freebsd-questions@herveybayaustralia.com.au> To: freebsd-questions@freebsd.org Subject: Re: Shopping cart other than OSCommerce? Message-ID: <4CFED0D4.3090108@herveybayaustralia.com.au> In-Reply-To: <DB1524B8-BBC3-446C-A72A-59E981DD29B3@mac.com> References: <3374599093-437630056@intranet.com.mx> <DB1524B8-BBC3-446C-A72A-59E981DD29B3@mac.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 12/08/10 07:01, Chuck Swiger wrote: > On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote: > >> With a provider where I had a dedicated server, not running FreeBsd , the entire server was hacked and before leaving them, the tech support people said that the hacking was because of a problem with some libraries under PHP AND OSCOMMERCE. They never could prove that but I leave them since the entire server was hacked, not information stolen but ONLY that$ all web pages (.html, .php) pages where changed, all under different domains and account jailed (?) using CPANEL. Anyway. I am not sure how sensible is OSCCOmmerce to that since I know it is very popular but I would like to test something else. >> > 30 seconds with a Google search suggests that osCommerce has unpatched security vulnerabilities which do lead to compromise of admin and arbitrary PHP code execution: > > http://secunia.com/advisories/product/1308/ > > "Affected By 7 Secunia advisories > 44 Vulnerabilities > > Unpatched 29% (2 of 7 Secunia advisories) > > Most Critical Unpatched > The most severe unpatched Secunia advisory affecting osCommerce 2.x, with all vendor patches applied, is rated Highly critical." > > http://secunia.com/advisories/33446/ > > "1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create additional administrator accounts by tricking an administrative user into visiting a malicious web site. > > 2) An error in the authentication mechanism can be exploited to bypass authentication checks and gain access to the administrative interface in the "admin/" folder. > > Successful exploitation allows to upload and execute arbitrary PHP code e.g. via the file_manager.php script." > > In other words, your former site's tech support people were likely right-- the site was almost certainly hacked because of osCommerce. Find something else, preferably something which is not based upon PHP. > > Regards, > One to point out the obvious, and two to clarify your view here: why not php? Php was the scripting used, but if used poorly will create a security risk in the web app. That means that the vulnerability is the coder's problem; not php itself. God knows how many references there are to what not to do for security reasons on the php site. Vulnerabilities due to bad coding is not the fault of the language used, otherwise we wouldn't be using c, c++, etc. I ask because I'm coding web apps in php myself, and I'm curious to know if my view is in error...
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4CFED0D4.3090108>