A vulnerability in the open source shopping cart software osCommerce affects almost 200 websites, a list of which has been posted online.
A source informed SC Magazine of a Pastebin list of 198 websites, which they said were fairly small e-commerce sites vulnerable to the osCommerce flaw and could come under attack soon.
SC Magazine showed the list to a number of industry experts. Andrew Barratt, partner at PTP Consulting, confirmed that all of the websites have the same vulnerability and said it appears that the examples given allow the password file to be stolen, or access to be granted to database information including connection strings and passwords.
Michael Jordon, information security consultant at Context Information Security, said that the osCommerce bug is the ‘extras’ directory bug that may let remote users view files on the target system, and that, according to securitytracker.com, it was originally reported in April 2006.
Jordon said: “So all the websites have not patched their version of osCommerce. The vulnerability allows for any file on the system to be read which could easily lead to a full compromise of the server, for example if they read a database backup file it would contain all the details in the app including usernames and passwords, but they would have to know the exact path.”
Asked if he was familiar with osCommerce, Jordon said he was not, but he found out that it is used by small-scale online shops and hosting providers who may provide it for people to use.
“The vulnerable websites would most likely be ones where they were set up a few years ago and have been working, so nothing has been changed. It is not really osCommerce's fault if they provide the necessary fix for people but they have not applied it,” he said.
A penetration tester who was shown the list of websites confirmed to SC Magazine that the osCommerce shopping cart appears to be vulnerable and that it looked like a simple local file inclusion.
He pointed to a link that he said contains the PHP source code and the database connector passwords.
“If the database is available from the internet, then it's game over,” he said.
“I guess the list of sites has been found using a Google Dork. This looks related to a similar bug in categories.php in the same app that was disclosed in 2009.”
Asked if all of the 198 sites use the osCommerce shopping cart, he said it appears so, as the syntax of the URI is identical in all cases.
He said: “The various websites all appear to be small e-commerce sites, which may explain the use of an open source commerce platform. I don't think anything particularly clever has been done here; the Pastebin user has probably found them on a Google Dork that relates to an old vulnerability, and realised it applies to other .php scripts on the same platform.
“The listed websites need to patch urgently and change all database connector credentials and then check that no credit card, personal data or passwords were in clear text in the database.”
osCommerce was informed of the issue. A spokesperson for osCommerce denied that the ‘extras/’ directory is part of the installation, saying that some users had copied this directory manually to their servers.
“We noticed this and deleted the offending PHP files in the directory five years ago,” they said.
The list has also been passed on to the Information Commissioner's Office. An ICO spokesperson said: “This incident highlights the need for all website operators to make sure their systems are secure and the importance of performing regular maintenance checks.”
Update – osCommerce has issued a statement saying that the ‘extras’ directory is not part of the installation but is included in the osCommerce Online Merchant download packages. It said that this was added to assist existing users in upgrading their sites through various PHP and Perl scripts that had to be manually copied to the server.
It said: “These scripts are no longer relevant to the newer releases and were removed from the download package five years ago for the v2.2 Release Candidate 1 release.
“Due to an insecure directory listing implementation, the scripts could have allowed any file on the server to be read, including configuration files and database backups, if the location of the file is known. As some of our earlier users have left this directory on their servers, we'd like to remind them to remove the ‘extras’ directory entirely.”
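For operators who want to act on the vendor's remediation advice, the following Python script is an added illustration written for this article; it is not SC Magazine's or osCommerce's code. It does two things the statement above implies a site owner should do: scan access logs for requests against an ‘extras/’ directory (flagging those whose parameters point at files outside the script directory, the pattern the statement describes) and check that no directory named ‘extras’ remains under the document root. It assumes the common Apache/nginx combined log format and that the legacy scripts lived under a path segment called ‘extras/’; the script name (example.php), the parameter name and the file names in the sample log are placeholders, as the article does not name the affected scripts.

```python
"""Scan access logs for requests to an osCommerce 'extras/' directory and
verify the directory has been removed. Added illustration, not vendor code."""
import os
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log lines (combined log format). IPs, script, parameter
# and file names are placeholders, not entries from the Pastebin list.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2011:10:01:02 +0000] "GET /catalog/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2011:10:01:09 +0000] "GET /catalog/extras/ HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2011:10:02:15 +0000] "GET /catalog/extras/example.php?file=../../db_backup.sql HTTP/1.1" 200 40960 "-" "curl/7.21"
198.51.100.9 - - [10/Jan/2011:10:02:16 +0000] "GET /catalog/extras/example.php?file=%2e%2e%2f%2e%2e%2fconfig.bak HTTP/1.1" 200 1337 "-" "curl/7.21"
198.51.100.23 - - [10/Jan/2011:10:05:40 +0000] "GET /catalog/extras/example.php?file=/var/backups/shop.sql HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2011:10:06:01 +0000] "GET /catalog/extras_faq.html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Jan/2011:10:07:30 +0000] "GET /catalog/extras/example.php?file=readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# '..' as a complete path component, with either slash style.
TRAVERSAL_RE = re.compile(r'(^|[/\\])\.\.([/\\]|$)')
# A value that is an absolute POSIX path or a Windows drive path.
ABSOLUTE_RE = re.compile(r'^(/|[A-Za-z]:[\\/])')


def classify_target(target: str):
    """Return 'high', 'medium' or None for one request target (path + query).

    'high': a query value points outside the script directory (traversal or an
    absolute path), i.e. the file-read pattern described in the statement.
    'medium': any other hit on extras/, which should not exist at all.
    """
    parts = urlsplit(target)
    path = unquote(unquote(parts.path))          # decode twice: catches %252e
    if "/extras/" not in path and not path.endswith("/extras"):
        return None
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = unquote(value)                   # parse_qsl decoded once already
        if TRAVERSAL_RE.search(value) or ABSOLUTE_RE.match(value):
            return "high"
    return "medium"


def scan_log(text: str):
    """Parse access-log text and return one finding per extras/-related request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                             # not combined format; skip, don't guess
        severity = classify_target(m["target"])
        if severity is None:
            continue
        findings.append({
            "ip": m["ip"], "time": m["ts"], "target": m["target"],
            "status": int(m["status"]), "severity": severity,
        })
    return findings


def summarize(findings):
    """Counts per severity, plus source addresses of high-severity requests the
    server answered with 200 (the read most likely succeeded: rotate the
    database credentials and review the data, as the article advises)."""
    counts = {"high": 0, "medium": 0}
    served_from = set()
    for f in findings:
        counts[f["severity"]] += 1
        if f["severity"] == "high" and f["status"] == 200:
            served_from.add(f["ip"])
    return counts, sorted(served_from)


def extras_dirs(docroot: str):
    """Return every directory named 'extras' under docroot. The vendor's advice
    is to remove it entirely, so the expected result on a fixed site is []."""
    hits = []
    for root, dirs, _files in os.walk(docroot):
        hits.extend(os.path.join(root, d) for d in dirs if d == "extras")
    return sorted(hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["severity"].upper(), f["ip"], f["status"], f["target"])
    print(summarize(found))
    print("extras directories under /var/www:", extras_dirs("/var/www"))
```

Run it against a real log by passing the file contents to scan_log and the web root to extras_dirs; a request to extras_faq.html is deliberately not flagged, since only the extras/ path segment itself matters. Status 404 on a high-severity request means the directory was already gone when the request arrived, which is why summarize only lists addresses behind requests answered with 200.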