Re: Critical Security Vulnerability In Cs-Cart And Multi-Vendor 2.x.x To 4.1.2

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 956 posts

Posted 08 June 2014 - 11:08 AM #221

EZ Admin Helper looks very handy. At this stage I am not sure whether I will re-install 3.0.6 or upgrade to 4.1.4 or beyond. It appears that there are different versions of the Helper.
Sorry, sort of off topic but related as regards general security.

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11320 posts

Posted 08 June 2014 - 09:37 PM #222

Everything/anything is vastly different between V3/V4 from an addon developer's perspective. Cs-cart did us no favors.

EZ Merchant Solutions: Custom (USA based) B2B Development, Consulting, Development and Special Projects (get a quote here).
Commercial addons, payment methods and modifications to meet your business and operations needs.


 
  • snorocket
  • Forum Janitor
  • Members
  • Join Date: 15-Mar 06
  • 2519 posts

Posted 09 June 2014 - 06:51 AM #223

After installing some monitoring apps we've picked up on 200+ attempts at accessing files related to the FCKeditor; the access logs look like:

/admin/fckeditor/editor/filemanager/upload/test.html
/admin/FCKeditor/editor/filemanager/connectors/uploadtest.html
/FCKeditor/editor/filemanager/connectors/test.html
/system/fckeditor/editor/filemanager/browser/default/connectors/test.html
/FCKeditor/_samples/asp/sample01.asp
/admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx

A google search brings up this vulnerability in the FCKeditor, guess it's time to wipe this out too before it's too late - Sno
SNOROCKET.COM, Now Accepting PRE-ORDERS:
Customer Service (Helpdesk) Addon for CS-Cart v4.3.1
Quote and Invoicing Addon for CS-Cart v4.3.1
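Added example (not from this thread or from CS-Cart): a small Python scanner that parses access-log lines in the usual "combined" format, flags requests for FCKeditor/CKEditor file-manager paths like the ones quoted in the post above, counts them per source IP, and separates out the probes that got something other than a 404, since those are the only ones that show the path actually exists on the server. The sample log lines, the IPs (RFC 5737 documentation ranges), the timestamps and the probe-path patterns are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Apache/nginx "combined" format). The IPs are
# documentation addresses and the timestamps are made up; the paths follow the
# ones quoted in the post above plus two ordinary requests for contrast.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2014:06:41:02 +0000] "GET /admin/fckeditor/editor/filemanager/upload/test.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2014:06:41:03 +0000] "GET /admin/FCKeditor/editor/filemanager/connectors/uploadtest.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2014:06:41:03 +0000] "GET /FCKeditor/editor/filemanager/connectors/test.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2014:06:41:04 +0000] "GET /system/fckeditor/editor/filemanager/browser/default/connectors/test.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2014:06:41:05 +0000] "GET /FCKeditor/_samples/asp/sample01.asp HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2014:06:41:06 +0000] "POST /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Jun/2014:06:41:07 +0000] "GET /js/ckeditor/samples/index.html HTTP/1.1" 200 3871 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2014:06:42:00 +0000] "GET /js/ckeditor/ckeditor.js HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Jun/2014:06:42:09 +0000] "GET /sitemap.xml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Path fragments typical of scanners hunting for the (F)CKeditor file-manager
# connectors and sample pages. Case-insensitive because the probes mix case.
# These patterns are an assumption for the example, not an official signature.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'/fckeditor/',
    r'/ckeditor/(.*/)?(filemanager|connectors|samples)/',
    r'/filemanager/(upload|connectors|browser)/',
    r'/_samples/',
)]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def is_probe(path):
    """True when the request path looks like an editor/file-manager probe."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def scan(log_text):
    """Return (probe count per source IP, list of matched entries)."""
    per_ip = Counter()
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_probe(entry["path"]):
            per_ip[entry["ip"]] += 1
            hits.append(entry)
    return per_ip, hits


def served_probes(hits):
    """Probes that did NOT get a 404: the path exists, which is what matters."""
    return [h for h in hits if h["status"] != 404]


def noisy_sources(per_ip, threshold=5):
    """Source IPs with at least `threshold` probes (candidates for a block rule)."""
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    per_ip, hits = scan(SAMPLE_LOG)
    for ip in noisy_sources(per_ip):
        print(f"{ip}: {per_ip[ip]} probe requests")
    for h in served_probes(hits):
        print(f"WARNING: {h['ip']} got HTTP {h['status']} for {h['path']}")
```

To run it against a real server, replace SAMPLE_LOG with the contents of the access log; the interesting output is the WARNING lines, because a scanner that only ever gets 404s is the background noise tbirnseth describes, while a 200 or 403 on a connector or samples path means that directory is really deployed and should be reviewed or removed.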

 
  • clips
  • Aged Resident Loon
  • Members
  • Join Date: 14-Jan 07
  • 1650 posts

Posted 09 June 2014 - 08:14 PM #224

After installing some monitoring apps we've picked up on 200+ attempts at accessing files related to the FCKeditor; the access logs look like:

/admin/fckeditor/editor/filemanager/upload/test.html
/admin/FCKeditor/editor/filemanager/connectors/uploadtest.html
/FCKeditor/editor/filemanager/connectors/test.html
/system/fckeditor/editor/filemanager/browser/default/connectors/test.html
/FCKeditor/_samples/asp/sample01.asp
/admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx

A google search brings up this vulnerability in the FCKeditor, guess it's time to wipe this out too before it's too late - Sno

What did you figure out about this Sno? Did you remove fckeditor? Can we remove it? Our site is averaging 30+ so-called users hitting the sitemap every minute or two right now with something that comes from dpc6935160062.direcpc.com. The IP shows up as 27.159.238.37 and it is trying to find not just the fckeditor but the ckeditor.
Regards,
Jim

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11320 posts

Posted 09 June 2014 - 08:33 PM #225

Those are not valid cs-cart paths. So was this editor added?
If you're just seeing activity for someone trying to see if they can exploit via some path name on the site, this happens every day and all the time. It just never yields anything useful since they always get a 404.

Sorry, but this is not related to the attack related to this thread.
Might be more useful if a new thread related to this editor were started.
Anyone with this issue would probably not look in this thread for descriptions/answers.



 
  • clips
  • Aged Resident Loon
  • Members
  • Join Date: 14-Jan 07
  • 1650 posts

Posted 09 June 2014 - 10:05 PM #226

Those are not valid cs-cart paths. So was this editor added?
If you're just seeing activity for someone trying to see if they can exploit via some path name on the site, this happens every day and all the time. It just never yields anything useful since they always get a 404.

The fckeditor is just the predecessor to the ckeditor that comes stock in CS-Cart. We show someone trying to find both on our site. Blocking the previous IP we showed did not do anything.

Sorry, but this is not related to the attack related to this thread.
Might be more useful if a new thread related to this editor were started.
Anyone with this issue would probably not look in this thread for descriptions/answers.

It may not be related to "this" attack, but sadly I still don't think anyone has quite made it clear that they know everything that was in this attack. There still seems to be a lot of guessing and speculation. Since they already found a couple of holes, who knows what else they know.

I did make a post in this feed that no one responded to and I guess may have nothing to do with this particular vulnerability so I will re-post elsewhere as it is probably buried, but it still seems like either a bug or a security risk at the least.
Regards,
Jim

 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 956 posts

Posted 09 June 2014 - 10:38 PM #227

Very sorry to butt in but I just got this ( I hope it's not attack related ).
Fatal error: Class 'mysqli' not found in /home/jameshou/public_html/core/db/mysqli.php on line 25

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11320 posts

Posted 09 June 2014 - 11:36 PM #228

You'll see requests to your site every day for invalid URLs from people trying to find holes. Just look for 404 in your logs.
Who's going to read through 12 pages of messages about a security issue, and who could find a new one embedded in the middle of it all?

Just think it would be a lot clearer to take each issue (the signature of what's happening on a site) and create a new thread for it with an applicable title. Then 3 months from now when we need to find out about attacks related to fckeditor it's easier to find the information. But I'm not a forum cop so just suggesting what I think would make things more digestible.



 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11320 posts

Posted 09 June 2014 - 11:38 PM #229

@termalert - need more context on what you were doing at the time. But given you're not saying your site died and stayed dead, I would think this is a transient error. But it could mean that you were trying to access your site in a manner that it did not initialize properly (by design).



 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 956 posts

Posted 09 June 2014 - 11:47 PM #230

Came good within 1/2 hour. Apparently it may have had something to do with my web host disabling eaccelerator on my server (to get rid of huge cache bloating).
One thing I did notice was a double file in core > db > mysql.php (1 x 4.91 meg, 1 x 4.43 meg), same creation time. Weird (or normal?).

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11320 posts

Posted 10 June 2014 - 12:54 AM #231

What is a "double file"? Can't have 2 filenames that are the same.



 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 956 posts

Posted 10 June 2014 - 01:10 AM #232

Here they are. The only reason I am posting is because it MAY be related to current security scare.
aarrgghhh ! they are not identical. My eyesight needs repairing. I didn't notice the 'i'.

Attachment: DOUBLEFILE.jpg


 
  • gabbo
  • Junior Member
  • Trial users
  • Join Date: 04-May 11
  • 92 posts

Posted 10 June 2014 - 03:00 AM #233

Here they are. The only reason I am posting is because it MAY be related to current security scare.
aarrgghhh ! they are not identical. My eyesight needs repairing. I didn't notice the 'i'.


They are not the same: mysql and mysqli (improved).

 
  • milezone
  • Member
  • Members
  • Join Date: 23-Mar 10
  • 162 posts

Posted 12 June 2014 - 12:54 PM #234

Too bad cs-cart does not warn people about the other issue; we had to find this out with help from another user here. Shame, shame, cs-cart, you knew about this and failed to tell people?

 
  • Magpie Don
  • Senior Member
  • Members
  • Join Date: 01-Apr 09
  • 814 posts

Posted 12 June 2014 - 06:23 PM #235

Too bad cs-cart does not warn people about the other issue; we had to find this out with help from another user here. Shame, shame, cs-cart, you knew about this and failed to tell people?

What "other issue"? Did I miss something?
Termalert's security issue is not an exploit.
Snorocket's security issue is a fishing expedition for FCKeditor - which is a piece of obsolete software that is not included with CS-Cart. Was there something else I missed?
If you are referring to the actual exploit that this thread is about, then you should know that CS-Cart sent out an urgent email message to all their licensed account holders that provided instructions on how to mitigate the exploit BEFORE it actually went off (in the majority of cases). If you didn't get the email message, then you must not have a license, or your contact information is out of date - and that's not CS-Cart's fault.

CS-Cart Ultimate ver 4.3.5


 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11320 posts

Posted 12 June 2014 - 06:51 PM #236

@magpie - Most merchants have no clue as to what the original attack was or how it worked. Additionally, once a scare is in place, any abnormality can appear to now be a hack. I believe @milezone has other issues going on in his store that may in fact be from some other attack.

The advice I usually give is to NEVER combine applications in one document root. If you're going to have a WP site, do it in a sub-domain in a separate directory structure. If you have to have it within your store structure, then ensure that ownership/permissions are appropriate for your hosting environment AND that you keep current with any updates from that other software. WP is notorious for enabling malware to enter a system. Once in, it's very difficult to get rid of and it's certainly not cheap to do so.

Cs-cart is not simple software. It is priced to attract customers who don't have deep pockets. Unfortunately, those same customers have no idea of how to secure their site or how to ensure that their customer data is secure. And most are not willing to spend the money to do so. This is one of the greatest challenges for small merchants and where a SaaS based cart will reap huge rewards for merchants, but they need to expect pretty standard functionality to be supported in SaaS.



 
  • Magpie Don
  • Senior Member
  • Members
  • Join Date: 01-Apr 09
  • 814 posts

Posted 12 June 2014 - 07:19 PM #237

Thanks for being a "voice of reason" Tony!



 
  • spinball
  • Junior Member
  • Members
  • Join Date: 12-Jan 10
  • 23 posts

Posted 12 June 2014 - 09:03 PM #238

We have removed the vulnerable files on 5/27. We are still getting customer credit cards hacked. I ran a scan for the referenced files to see if they were elsewhere on the server and nothing came up. Anyone finding anything else we should be looking for?

 
  • tbirnseth
  • CS Cart Expert
  • Authorized Reseller
  • Join Date: 08-Nov 08
  • 11320 posts

Posted 12 June 2014 - 09:17 PM #239

If you removed the vulnerability on 5/27, you were 2 days too late. The data was probably already taken and the resulting frauds are now taking place off your site but with your customer data.

Verify that your init.php file ends in:

For V2:

    // init content search
    fn_init_search();
    ?>

For V3:

    // Run INIT
    fn_init($_REQUEST);
    ?>

And for V4:

    // Run INIT
    fn_init($_REQUEST);

If it ends in anything else then you may have an issue.

Update: Found it was different for V2 so updated the post.
Note that all V4 php files should NOT end in a closing '?>' for DSI compliance.

Edited by tbirnseth, 12 June 2014 - 09:59 PM.

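Added example, not from this thread or from CS-Cart: a Python check that automates the verification tbirnseth describes above. It encodes the three expected endings of init.php he quotes, looks for the one nearest the end of the file, and reports every line that follows it, so appended code (a second `<?php` block, an include, anything after the closing tag) is surfaced instead of relying on a visual inspection. The sample file contents, the "HYPOTHETICAL_APPENDED.php" line and the command-line usage are constructed for the example.

```python
import sys

# Expected final lines of init.php per major version, as quoted in the post
# above. Comparison ignores surrounding whitespace and trailing blank lines.
EXPECTED_TAILS = {
    "v2": ["// init content search", "fn_init_search();", "?>"],
    "v3": ["// Run INIT", "fn_init($_REQUEST);", "?>"],
    "v4": ["// Run INIT", "fn_init($_REQUEST);"],
}

# Constructed sample files (not real CS-Cart sources): a clean V3 tail, the
# same file with a hypothetical line appended after the closing tag, and
# clean V4/V2 variants.
CLEAN_V3 = (
    "<?php\n"
    "require_once 'config.php';\n"
    "\n"
    "// Run INIT\n"
    "fn_init($_REQUEST);\n"
    "?>\n"
)
TAMPERED_V3 = CLEAN_V3 + "<?php @include 'HYPOTHETICAL_APPENDED.php'; ?>\n"
CLEAN_V4 = CLEAN_V3.replace("?>\n", "")
CLEAN_V2 = "<?php\n// init content search\nfn_init_search();\n?>\n\n"


def normalised_lines(text):
    """Split into lines with trailing whitespace removed; drop trailing blank lines."""
    lines = [ln.rstrip() for ln in text.splitlines()]
    while lines and not lines[-1]:
        lines.pop()
    return lines


def check_init(text):
    """Return (matched_version, trailing_lines).

    matched_version is the key of the expected tail found closest to the end of
    the file (None if no known tail occurs at all); trailing_lines is everything
    after that tail, so a clean file gives an empty list and anything appended
    (an include, an eval, a second <?php block) shows up here.
    """
    lines = normalised_lines(text)
    stripped = [ln.strip() for ln in lines]
    best = None
    for version, tail in EXPECTED_TAILS.items():
        n = len(tail)
        for start in range(len(stripped) - n, -1, -1):  # search from the end
            if stripped[start:start + n] == tail:
                trailing = lines[start + n:]
                if best is None or len(trailing) < len(best[1]):
                    best = (version, trailing)
                break
    if best is None:
        return None, lines[-5:]  # unrecognised ending: show the last lines
    return best


if __name__ == "__main__":
    # Usage: python check_init.py /path/to/init.php (defaults to the tampered sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else TAMPERED_V3
    version, trailing = check_init(text)
    if version is None:
        print("init.php does not end with any known tail; last lines:", trailing)
        sys.exit(1)
    if trailing:
        print(f"init.php matches the {version} tail but has {len(trailing)} extra line(s) after it:")
        for ln in trailing:
            print("   ", ln)
        sys.exit(1)
    print(f"init.php ends with the expected {version} tail")
```

Compare the reported version with the one you actually run: a V4 init.php that still ends in `?>` is reported as a clean "v3" match, which is exactly the closing-tag situation the note above says V4 files should not have. The check only looks at the end of the file, so it complements, rather than replaces, a full comparison of the installed tree against a pristine copy of the same CS-Cart version.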


 
  • termalert
  • Senior Member
  • Members
  • Join Date: 14-Jan 09
  • 956 posts

Posted 13 June 2014 - 06:44 AM #240

Verified for V3.0.6...whew !!