On 12/08/10 07:01, Chuck Swiger wrote:
On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote:
With a provider where I had a dedicated server, not running FreeBsd , the
entire server was hacked and before leaving them, the tech support people said
that the hacking was because of a problem with some libraries under PHP AND
OSCOMMERCE. They never could prove that but I leave them since the entire
server was hacked, not information stolen but ONLY that$ all web pages (.html,
.php) pages where changed, all under different domains and account jailed (?)
using CPANEL. Anyway. I am not sure how sensible is OSCCOmmerce to that since I
know it is very popular but I would like to test something else.
30 seconds with a Google search suggests that osCommerce has unpatched security
vulnerabilities which do lead to compromise of admin and arbitrary PHP code
execution:
http://secunia.com/advisories/product/1308/
"Affected By 7 Secunia advisories
44 Vulnerabilities
Unpatched 29% (2 of 7 Secunia advisories)
Most Critical Unpatched
The most severe unpatched Secunia advisory affecting osCommerce 2.x, with all vendor
patches applied, is rated Highly critical."
http://secunia.com/advisories/33446/
"1) The application allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be exploited
to e.g. create additional administrator accounts by tricking an administrative user
into visiting a malicious web site.
2) An error in the authentication mechanism can be exploited to bypass authentication
checks and gain access to the administrative interface in the "admin/" folder.
Successful exploitation allows to upload and execute arbitrary PHP code e.g. via the
file_manager.php script."
In other words, your former site's tech support people were likely right-- the
site was almost certainly hacked because of osCommerce. Find something else,
preferably something which is not based upon PHP.
Regards,
One to point out the obvious, and two to clarify your view here: why not
php? Php was the scripting used, but if used poorly will create a
security risk in the web app. That means that the vulnerability is the
coder's problem; not php itself. God knows how many references there are
to what not to do for security reasons on the php site.
Vulnerabilities due to bad coding is not the fault of the language used,
otherwise we wouldn't be using c, c++, etc.
I ask because I'm coding web apps in php myself, and I'm curious to know
if my view is in error...
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
