Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Security warning CS-Cart version 1.3.5-SP4 Rate Topic   - - - - -

 
  • Spiral
  • BANNED
  • Banned
  • Join Date: 02-Aug 09
  • 133 posts

Posted 05 January 2010 - 10:00 PM #41

I just think its a bit irresponsible to openly talk about security holes and get the community in an uproar

I don't think he needs to post them here, but I think he should tell CS-Cart about them so they may help the community and maybe release a patch/hot-fix.

Good Point! However I am not the one who opened this discussion! ;)

(Anyone who doesn't think so, I suggest you read the first few posts a bit closer)

Anyway though, you are absolutely correct on both counts (quoted above) and yes that is precisely why I don't post technical exploit details in forum communities!

Again for those who apparently keep missing this, back to the basics ----

The topic of discussion is an email someone received from their hosting provider's automated scanning program to let them know that their CS-Cart was outdated and listed on a "vulnerable" list in one or more of the online security threat databases that the collected version information is checked against ... that's it!

IF version = old
AND version = has security alert in 3rd party database
THEN you get email

(Not really that hard of a concept to follow! -- good grief people!)

As a side footnote (and ignoring I also wrote the host's security checking program), I mentioned that "yes", working directly in the security field, I too personally have seen a very large amount of attacks against a lot of sites running the very same version of CS-Cart and those attacks are indeed increasing and "yes" I have found and successfully duplicated what they are exploiting specifically but I am sure as to hell not going to post those details publicly but that is apparently where everyone's brain falls out ...

I have already told everyone that it is NOT totally necessary to upgrade but everyone seems to have missed that point as well, probably from the generic scanning alert telling the original poster to "consider upgrading" and everyone still obsessed with that apparently --- also ignoring the fact that the message on such a security checking program has to be generic as such given that this program checks the status of several hundred different web applications.

As I also said previously, I would be glad to assist anyone that needs help closing those security holes and pass that same information on to their web hosts assuming they haven't already been told the same already anyway (as the first thing I do is alert everyone in my contact list on new security discoveries) and chances are even if they are not on my list already, your host might even be monitoring the same databases that I do! Never the less, you're covered irregardless!

As I have already said several times now and this too seems to be missed entirely --- this is just one of hundreds of security issues like this with many, many programs out there each and every week!

In the grand scheme of things, the security issues with CS-Cart 1.3.5 is not really that significant!

 
  • Noman
  • Senior Member
  • Members
  • Join Date: 29-Oct 07
  • 526 posts

Posted 05 January 2010 - 11:41 PM #42

Spiral,

No offence dude, but still nothing from you so, I will just ignore any result of your security scanning and hundreds of words regarding 1.3.5 SP4.

Make some effort and read your lines below and stop changing words to make things softer. Empty statements...

What you just described is the automatic default alert message generated from one of my own security scanning applications...

Incidentally, CS-Cart 1.3.5-SP4 is one that does indeed have a number of unresolved security vulnerabilities ...

...upgrading would be a good move

I have personally witnessed, at different web hosts, over 50 sites hijacked and all used as spam servers for no other reason than they each were running CS-Cart 1.3.5-SP4 ...

Another 27, also running the same version, got their customer credit card data or other information stolen as well by injected code modifications...

and there is a URL reference in the major public security advisory databases...
I have personally seen a large number of sites on CS 1.3.5 SP4 hacked...

YES, 1.3.5 SP4 does indeed have some very major security problems ...

1.3.5 sp4 in and of itself but you will need to make a number of modifications to deal with several poorly written code areas that are now being activity exploited heavily ...

I have observed how this has been exploited has either to be utilize the CS-Cart program as a spam distribution relays...

I have also located all the areas of code that are currently being exploited by hackers ...


I saw Elvis...
I'm Number 1, so why try harder?

CIA wannabe or having doubts and need some answers?
Spy Gadgets and CCTV Equipment

 
  • Triplets
  • Senior Member
  • Members
  • Join Date: 23-Sep 08
  • 1176 posts

Posted 05 January 2010 - 11:50 PM #43

Without any meat behind these automated emails, I have told all my clients to ignore them.

 
  • gabrieluk
  • Senior Member
  • Members
  • Join Date: 21-Jul 09
  • 133 posts

Posted 06 January 2010 - 12:17 AM #44

Spiral,

No offence dude, but still nothing from you so, I will just ignore any result of your security scanning and hundreds of words regarding 1.3.5 SP4.

Make some effort and read your lines below and stop changing words to make things softer. Empty statements...

What you just described is the automatic default alert message generated from one of my own security scanning applications...

Incidentally, CS-Cart 1.3.5-SP4 is one that does indeed have a number of unresolved security vulnerabilities ...

...upgrading would be a good move

I have personally witnessed, at different web hosts, over 50 sites hijacked and all used as spam servers for no other reason than they each were running CS-Cart 1.3.5-SP4 ...

Another 27, also running the same version, got their customer credit card data or other information stolen as well by injected code modifications...

and there is a URL reference in the major public security advisory databases...
I have personally seen a large number of sites on CS 1.3.5 SP4 hacked...

YES, 1.3.5 SP4 does indeed have some very major security problems ...

1.3.5 sp4 in and of itself but you will need to make a number of modifications to deal with several poorly written code areas that are now being activity exploited heavily ...

I have observed how this has been exploited has either to be utilize the CS-Cart program as a spam distribution relays...

I have also located all the areas of code that are currently being exploited by hackers ...


I saw Elvis...

Spiral could be a good politic,SPIRAL FOR PRESIDENT!!!!!!!(he knows how to adapt sentences...)HURAYYYYYYYY!!!!!!!!!!!!!!!!!!
(sorry guys ,the pressure is getting into my nerves....let's break the ice...)
:mad: :( :) :D
Number 1

 
  • Struck
  • Teetering on Genious
  • Members
  • Join Date: 07-Mar 09
  • 2502 posts

Posted 06 January 2010 - 12:23 AM #45

I am not running 1.3.x and have only been viewing this thread for personal entertainment purposes. :P

However, has anyone contacted CS-Cart directly to determine if they feel it has vulnerabilites and if so, to determine if they will continue to provide security patches for this older version?
Cooking with Gas on Version 4.1.2 (But proceeding with caution....)

 
  • Spiral
  • BANNED
  • Banned
  • Join Date: 02-Aug 09
  • 133 posts

Posted 06 January 2010 - 12:34 AM #46

Without any meat behind these automated emails, I have told all my clients to ignore them.

Then you have told your clients incorrectly ....

Actually there is very serious "meat" behind them as you put it ;)

The security concerns are in fact very real and alerts don't go out unless two conditions are at least met bare bones minimum:

1. User's software is outdated ....

2. User's software version is listed in public security databases as vulnerable ...

Optionally, if patch reference is located in #2 searching above from each database check then that information is included automatically in the alert email else a generic alert is sent out telling you that you outdated and make a note that you should probably upgrade.

So the correct response is not "ignore such emails" but rather tell your clients to "ask more questions" ...

If you get an email like that, you do indeed have an issue to be concerned about and you should not "ignore" that issue but the solution may be as simple as a patch already released, a few code modifications, or an upgrade to a new version and you'll need to determine which is appropriate in your situation.

Now regarding the CS-Cart 1.3.5-SP4 issue, here is a few basic log snips a web hosting provider provided to me to post here in this thread on the condition that the last octet is redacted and I make no mention of their customer's web address where the log data was collected. This should give you all a little better idea and some visualization more as to just exactly the types of things I have been observing and what I have been seeing elsewhere is all very much like what you see below:
221.2.172.xxx - - [05/Jan/2010:12:50:35 -0600] "GET /core/sessions.php?phpinfo(??CSCART)@:&PHP3211&mail() HTTP/1.0" 200 169 "-" "-"
185.126.106.xxx - - [05/Jan/2010:14:02:42 -0600] "GET /?system=if[1.3.5-SP4??afave23jttphpinfo()"  HTTP/1.0" 200 41584 "-" "Wget/1.12 (linux-gnu)"
216.129.118.xxx - - [05/Jan/2010:14:09:18 -0600] "HEAD /?135sp4afdfja;klfjafjefafjfafjafljkafljfjfjafjfjfjmail()" HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6"
128.195.4.xxx - - [04/Jan/2010:19:13:56 -0600] "GET /?version HTTP/1.1" 400 226 "-" "-"
128.195.4.xxx - - [04/Jan/2010:19:13:57 -0600] "GET /?cmd=(if CSCART_VERSION=='1.5.3-SP4'AFATE#Q) HTTP/1.1" 400 226 "-" "-"
221.115.8.xxx - - [05/Jan/2010:02:28:24 -0600] "GET /core/sessions.php?phpinfo()@:&PHP3211&mail() HTTP/1.1" 200 169 "-" "CSCART VERSION OF GREAT TO FIX"
221.2.172.xxx - - [05/Jan/2010:12:50:35 -0600] "GET /core/sessions.php?phpinfo(??CSCART)@:&PHP3211&mail() HTTP/1.0" 200 169 "-" "-"
217.46.19.xxx - - [05/Jan/2010:01:39:01 -0600] "GET /core/sessions.php?phpinfo()@:&PHP3211&mail() HTTP/1.1" 200 169 "-" "msnbot/2.0b (+http://suck.nsm.com/msnbot.htm
 
)"
221.115.8.xxx - - [05/Jan/2010:02:28:24 -0600] "GET /core/sessions.php?phpinfo()@:&PHP3211&mail() HTTP/1.1" 200 169 "-" "CSCART VERSION OF GREAT TO FIX"
222.249.35.xxx - - [05/Jan/2010:02:30:04 -0600] "GET /core/sessions.php?phpinfo()@:&PHP3211&mail() HTTP/1.1" 200 169 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
222.249.35.xxx - - [05/Jan/2010:03:33:48 -0600] "GET /core/sessions.php?phpinfo()@:&PHP3211&mail() HTTP/1.0" 200 169 "-" "Mozilla/5.0 (compatible; Yaahoo! Slirp; http://hlep.yahoo.com/help/us/ysearch/slirp
 
)"

And my personal favorite (look at web browser string closely):
221.35.185.xxx - - [04/Jan/2010:23:20:24 -0600] "GET /index.php?target=??phpinfo() HTTP/1.1" 200 6609 "-" "msnrbot/2.0b (+http://GOOGLEBOOT
 
)"
(Just for the record, the CS-Cart 1.3.5 site under attack above was not compromised according to the host supplying the log data but this at least provided for a very good illustration of what is being observed in increasing frequency. Much thanks for providing that and also for allowing me to post your log details.)

I would also show you the PHP code that is the underlying reasons why some sites are getting hit with these particular request strings but that could do more harm than good so don't even bother asking.

Most attempts are unsuccessful and many don't even target the correct web sites but I have also seen a number of sites attacked in exactly the same manner which were not so lucky and of those, the bulk of the compromises were primarily used to send spam and a few of them were used to steal customer order data.


--------------

Note to the moron script kiddies out there:

The full command strings have been truncated and the detailed variable information including the information to pull of this exploit successfully has been removed.

PS: To the actual hackers, maybe you should try learning about something called a spell checker!


 
  • Noman
  • Senior Member
  • Members
  • Join Date: 29-Oct 07
  • 526 posts

Posted 06 January 2010 - 12:52 AM #47

Well, I can provide anyone with 2 pages of the same stuff after each weekend.

"Trying" doesn't mean "successfully hacked"

As you said, none of the "CS websites" (?) were hacked. So, where's the issue with the code?
I'm Number 1, so why try harder?

CIA wannabe or having doubts and need some answers?
Spy Gadgets and CCTV Equipment

 
  • gabrieluk
  • Senior Member
  • Members
  • Join Date: 21-Jul 09
  • 133 posts

Posted 06 January 2010 - 02:38 AM #48

In the grand scheme of things, the security issues with CS-Cart 1.3.5 is not really that significant!

Hi Spiral,
I tought i like the things you said ,but nowwwww it's too much.
This is NOT what you told me in another thread!!!!!WTF
Who has brains now?hun?you?
Number 1

 
  • snorocket
  • Forum Janitor
  • Members
  • Join Date: 15-Mar 06
  • 2519 posts

Posted 06 January 2010 - 03:14 AM #49

this thread looks and smells like a turd spiraling down the toilet...
SNOROCKET.COM, Now Accepting PRE-ORDERS:
Customer Service (Helpdesk) Addon for CS-Cart v4.3.1
Quote and Invoicing Addon for CS-Cart v4.3.1

 
  • moka
  • Senior Member
  • Members
  • Join Date: 09-Feb 08
  • 634 posts

Posted 06 January 2010 - 03:29 AM #50

Ok, I'm calling a time out on everyone!! (ok, sorry, mom of 3 here...)

The thread is definitely going down the toilet.

Spiral, I understand your frustration with us from the standpoint that you seem to know a whole heck of a lot more than everyone, but a little patience goes a long way (this is the teacher in me dealing 90 middle schoolers a day). However, name calling and implying that we are brainless does not help.

The frustrations on our part comes from the fact that we don't understand, which leads to more insults. The problem is we are being told 2 different things. In one post we got:

In the grand scheme of things, the security issues with CS-Cart 1.3.5 is not really that significant!
/


but we also have from another post

YES, 1.3.5 SP4 does indeed have some very major security problems


So yes, when we don't understand and we get conflicting messages. We are scared. A lot of us feel that we are d*mned if we do and d*mned if we don't upgrade.

All I know is the longer this thread goes on with the confusion and insults about security issues, google will eat up this content rich thread and make our sites even more vulnerable to those that wish to search for vulnerable programs!

 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 896 posts

Posted 06 January 2010 - 03:57 AM #51

Moka,

Don't worry there are no super serious problems or Spiral would have contacted CS cart by now.

I have also taught middle school (emotionally handicapped kids in my case) and I have lots of patience but Spiral posts in a vague and confusing way which is not the mark of a genius instead it shows that he does not have anything of substance to say.

I say this not to berate Spiral but so that we do not take the blame for not being rocket scientists - we are all hard working concerned shop owners not idiots as Spiral seems to enjoy suggesting.

My positive win/win solution still holds:

Let Spiral contact CS cart and if they agree with him that he is a genius and make a security update I will make a donation to the United Nations childrens fund.

You are a teacher will you join me in pledging say $5?

On a side note:

Dealing with middle school kids is way harder than this shopping cart issue.

I base my statement on the fact that High school kids are at least trying to be cool, and Elementary kids are young enough that they can be controlled with a look and a serious voice.

Middle schoolers are neither here nor there - very, very hard work. I appreciate all school teachers - keep up the good work, thank you!.

Version 4.9.2


 
  • clips
  • Aged Resident Loon
  • Members
  • Join Date: 14-Jan 07
  • 1650 posts

Posted 06 January 2010 - 04:10 AM #52

I too am enjoying this thread. It is making me dive in a little deaper to make sure all of our sites (and our customers information) are as secure as possible.
Regards,
Jim

 
  • moka
  • Senior Member
  • Members
  • Join Date: 09-Feb 08
  • 634 posts

Posted 06 January 2010 - 05:18 AM #53

Let Spiral contact CS cart and if they agree with him that he is a genius and make a security update I will make a donation to the United Nations childrens fund.

You are a teacher will you join me in pledging say $5?

On a side note:

Dealing with middle school kids is way harder than this shopping cart issue.

I base my statement on the fact that High school kids are at least trying to be cool, and Elementary kids are young enough that they can be controlled with a look and a serious voice.

Middle schoolers are neither here nor there - very, very hard work. I appreciate all school teachers - keep up the good work, thank you!.


I'll throw in another $100! Let's get this thing fixed... I don't have the time or guts to upgrade until this summer.

Middle schoolers are a lot of work, but they keep me laughing, which makes it sooo worth it! :P Technically, I really could quit my day job with my store, but I would miss the kids too much!

 
  • Lee Li Pop
  • Senior Member
  • Members
  • Join Date: 07-Mar 08
  • 941 posts

Posted 06 January 2010 - 06:59 AM #54

Hello All,

The question is this:

What sites are hacked?

We need some evidence before the controversy took over.


Lee Li Pop
.
If All Else Fails, Read The Instruction Manual! Knowledge Base 2.x + CS-Cart Instruction Manual

Hosted at Pair.com since 2000. Zero hacking attempts during first 11 years... And counting!

 
  • Lee Li Pop
  • Senior Member
  • Members
  • Join Date: 07-Mar 08
  • 941 posts

Posted 06 January 2010 - 07:51 AM #55

Hello Spiral,

2. User's software version is listed in public security databases as vulnerable ...


You're absolutely right. But, why don't add that every CS-Cart's vulnerabilities, listed in this website, are patched from vendor?

http://secunia.com/a...t[]=0&where[]=0

Example with CS-Cart 1.x:

http://secunia.com/advisories/31686/

Example with CS-Cart 2.x:

http://secunia.com/advisories/36112/

Play with everyone's fear is a dangerous game...



Lee Li Pop
.
If All Else Fails, Read The Instruction Manual! Knowledge Base 2.x + CS-Cart Instruction Manual

Hosted at Pair.com since 2000. Zero hacking attempts during first 11 years... And counting!

 
  • gabrieluk
  • Senior Member
  • Members
  • Join Date: 21-Jul 09
  • 133 posts

Posted 06 January 2010 - 09:33 AM #56

I'm feed up,this is(hopefully) my last post in this thread.Cs cart sp4 is a good'n old GOLDEN PIECE OF CODE.I think i have brains,and it's not for coincidence that many people here stick with the past(especially brainless developers like me....).
Conclusion:
The FALSE ALARM is nothing more than A MARKETING STRATEGY TO PERSUADE PEOPLE TO SIGN UP WITH A "SAFE" HOST PROVIDER.
Is all i got to say....(but i think all the brainless people got that anyway!!!)
Number 1

 
  • Noman
  • Senior Member
  • Members
  • Join Date: 29-Oct 07
  • 526 posts

Posted 06 January 2010 - 10:39 AM #57

Let's end it and stop wasting this nice white space here.

Spiral is actually doing harm to hard working CS guys writing all those false statements. Simple as that. As a new potential customer of CS, I would run away and ask for a refund after reading his comments about CS Cart, poorly written code and security issues, which won't be resolved if any found in 1.3.5.

Also, he's wasting people's time contributing to this thread. After hundreds of words - we have still nothing.

Some people may be under impression with him as a security specialist. Let me tell you, if he is one, then he is the very unprofessional one. Full stop here.

And now, I will be happy to challenge him. I will offer him 100 bucks for hacking my 1.3.5 with SP4, with no extra security settings except for what is provided with CS.
Someone has offered another 100$ and other gentleman extra 5$. This makes 205$ for a few minutes of work. Are you up for the challenge SPIRAL? All I’m asking for is to inject your nickname to one of the pages we have or extract customers’ details.


If successful, I won’t ask for any details, if not, people will show you your place.
My URL will be send to you by PM when you’re ready. You will have 24h.
I'm Number 1, so why try harder?

CIA wannabe or having doubts and need some answers?
Spy Gadgets and CCTV Equipment

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 947 posts

Posted 06 January 2010 - 11:09 AM #58

Why isn't there some security updating system for CS-Cart similar to that offered by Microsoft for their operating systems ??

Probably a lot easier to suggest than impliment.

 
  • roban
  • Senior Member
  • Moderators
  • Join Date: 23-Oct 06
  • 1132 posts

Posted 06 January 2010 - 11:21 AM #59

this thread looks and smells like a turd spiraling down the toilet...


Amen Bro! I totally agree.

 
  • Lee Li Pop
  • Senior Member
  • Members
  • Join Date: 07-Mar 08
  • 941 posts

Posted 06 January 2010 - 12:38 PM #60

Hello Noman,

Spiral is actually doing harm to hard working CS guys writing all those false statements. Simple as that. As a new potential customer of CS, I would run away and ask for a refund after reading his comments about CS Cart, poorly written code and security issues, which won't be resolved if any found in 1.3.5.


You're 100% right... Unfortunatly. :(

Reader who is looking for a safe shopping cart, powerful and easy to manage, CS-Cart is for you.

CS-Cart is it Safe?

Definitely YES.

Why write this?

Look for yourself the number of complaints coming from thousands of CS-Cart users regarding the safety of CS-Cart: None!

Shouting "Fire!" is easy. Giving evidence is a little more complicated.

Spiral far has written us some fine words about some alleged hacked websites, but he didn't bring us yet not any formal proof.

Shouting "Fire!" for the sole benefit of the company whom hires him is discourteous.

Especially if his allegations are not substantiated by evidence.

CS-Cart is the best shopping cart on the place. Easy, Powerfull and Safe.


Lee Li Pop
.
If All Else Fails, Read The Instruction Manual! Knowledge Base 2.x + CS-Cart Instruction Manual

Hosted at Pair.com since 2000. Zero hacking attempts during first 11 years... And counting!