Securing osCommerce 2.2 and 2.3

osCommerce continues to be one of the most exploited pieces of web software. Back in October we wrote about the need to secure osCommerce to prevent these exploitations. Since then we have seen a lot of bad information on securing osCommerce against these exploitations as well as questions on securing osCommerce 2.3, which was released in November, so we have put together additional information on securing osCommerce 2.2 and 2.3.

osCommerce 2.2

There are several vulnerabilities in osCommerce 2.2 that are being exploited. The simplest and most effective method to protect against the exploitation of these vulnerabilities is to rename and password protect the admin directory. Doing this is also recommended by osCommerce.

Renaming the admin directory requires changing the name of the directory and changing the DIR_WS_ADMIN and DIR_FS_ADMIN lines in the /includes/configure.php file located in admin directory with the new admin directory name in place of admin.

The easiest way to turn enable password protection is using the HTACCESS from osC admin menu add-on (this is add-on has also been integrated into osCommerce 2.3) following these steps:

  1. Install the add-on, make sure to install the files located in the admin folder in the add-on to the renamed admin directory.
  2. Login into the admin area.
  3. In the left hand menu, click on Administrators link in the Configuration section.
  4. Click edit.
  5. Enter your current password in the New Password field and select Protect With htaccess/htpasswd.

You can find information on extra security measures you can take in the osCommerce forum thread How to secure your osCommerce 2.2 site.

For existing osCommerce 2.2 based websites that do not already have these protections in placed it is likely that the website has already been hacked. Many of these hacks only involve placing a backdoor script, which allows the hacker to run commands from and access files on the website. With the backdoor script in place they can come back later and use the website for malicious purposes. Other hacks involve using the website for spam, malware, or other malicious purposes.

The best way to insure that any code added by hacker has been removed is to revert to a clean backup of the website. Because osCommerce have been being hacked for so long it is unlikely that a backup that was made of the website from the last year or two would be clean at this point. If you have a copy of the website that was never placed on the website you could use that, you would need to add any new files you created since then, such as images.

Another method to clean the website is to remove the malicious code and files that the hackers have added. Malicious code is often added to the index.php and /includes/header.php. Backdoor scripts can be placed throughout the website; our Basic Backdoor Script Finder will find some of the most popular ones. You can also look for any .php files in the images folder and for files that begin goog1e located in the root directory of the osCommerce installation as the will be backdoor scripts.

osCommerce 2.3

osCommerce 2.3 included fixes for the vulnerabilities in osCommerce 2.2  and at this point there are no known vulnerabilities in 2.3.1 (there was an incorrect advisory that claimed there was one), so it would be safe to run the software without additional protection, but it is still recommend rename and password the admin directory.

It is possible to rename the admin directory during the installation of osCommerce 2.3. If the admin directory was not renamed during the installation it can be done by changing the name of the directory and updating the DIR_WS_ADMIN and DIR_FS_ADMIN lines in the /includes/configure.php file located in admin directory with the new admin directory name in place of admin.

Password protection is integrated into osCommerce 2.3, it can be turned on following these steps:

  1. Login into the admin area.
  2. In the left hand menu, click on the Administrators link in the Configuration section.
  3. Click edit.
  4. Enter your current password in the New Password field and select Protect With htaccess/htpasswd.

You can find information on extra security measures you can take in the osCommerce forum thread How to secure your osCommerce 2.2 site (most of the information applies to 2.3 as well as 2.2).

osCommerce 2.3 also includes a number of security enhancements. The Portable PHP hashing framework has been added to more securely hash passwords, this software is also used in WordPress. A customer session token has been added “to forms to protect against Cross-Site Request Forgeries (CSRF)”. A new section of the admin, Security Directory Permissions, displays the current write permission of the various osCommerce directories and what the recommend permissions are. A built-in version checker allows for checking if a new version of osCommerce has been released.