Full Version: [ALERT] Exploit for common WYSIWYG
osCommerce Community Support Forums > osCommerce Online Merchant v2.x > Tips and Tricks
infinifire
A lot of the contributions still in use that provide some sort of WYSIWYG editor to the admin and/or frontend users use an app called HTMLAREA with a wide open security flaw. It rather depends on how you secure your admin, or if you're adding a WYSIWYG to the front end, but inside the HTMLAREA there is a PHP file called files.php that allows read/write/delete of files and folders anywhere that the PHP user (typically the apache user account) has access to. Common directories for this are catalog/images/ among others. If you have HTMLAREA and files/folders that are chmod 777, or if your PHP runs under the same account that owns the files/folders, you are vulnerable to this exploit!!!

The means of fixing this exploit are dependent upon your setup. If you only have admin HTMLAREA and you use a solid .htaccess scheme then you may be fine. If you're using HTMLAREA in admin and using the multiadmin contrib for multiple admin logins, or any other code-based authentication, you are probably open!

I do know that a lot of still-used contributions use this HTMLAREA but am unable to really do a complete listing for you guys. Basically, if you have a WYSIWYG editor (graphical editor) for any portion of your site, look for a directory called htmlarea on your site; inside it is a popups/files.php, and this is the culprit. One solution that keeps out a certain type of hack is to limit the filetypes it accepts and writes, but this still leaves you open to malicious damage such as removal of files/folders.
magicmycote
QUOTE
you use a solid .htaccess scheme

such as?
Jack_mcs
This has been around for a few years now so I would think the contribution for this has the updated code, but maybe not. To test if your site is vulnerable, go to http://(Site url)/admin/htmlarea/popups/lister.php. If you don't see a login screen, you have a security hole.

Jack
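As an added check, not from the thread or from the osCommerce project, this POSIX shell script audits a local osCommerce tree for the conditions infinifire and Jack describe: the HTMLArea file-manager scripts (files.php, lister.php), an admin directory with no .htaccess file, and world-writable (777-style) directories. It assumes the editor sits under an admin directory as in Jack's URL and that the install root is passed as the first argument.

```shell
#!/bin/sh
# Added audit script (not from the thread). Reports the HTMLArea file-manager
# scripts and the conditions that make them dangerous; returns 0 when nothing
# risky is found and 1 otherwise, so it can be used from cron or a deploy check.
audit_htmlarea() {
    root="$1"
    risky=0

    # 1. The file-manager scripts that ship inside htmlarea/popups/.
    scripts=$(find "$root" -type f -path '*/htmlarea/popups/*' \
                \( -name files.php -o -name lister.php \) 2>/dev/null)
    if [ -n "$scripts" ]; then
        risky=1
        printf '%s\n' "$scripts" | while IFS= read -r s; do
            echo "FOUND file manager script: $s"
            # popups -> htmlarea -> admin: the directory that should be protected.
            admin_dir=$(dirname "$(dirname "$(dirname "$s")")")
            if [ ! -f "$admin_dir/.htaccess" ]; then
                echo "  no .htaccess in $admin_dir (only a PHP login protects it)"
            fi
        done
    fi

    # 2. World-writable directories (777 included): anything the PHP user can
    #    write to is reachable through the file manager.
    ww=$(find "$root" -type d -perm -0002 2>/dev/null)
    if [ -n "$ww" ]; then
        risky=1
        printf '%s\n' "$ww" | sed 's/^/world-writable directory: /'
    fi

    return "$risky"
}

# Stand-alone usage: audit_htmlarea.sh /path/to/catalog
if [ -n "$1" ]; then
    audit_htmlarea "$1"
fi
```

It cannot tell whether PHP runs as the file owner (the thread's other risk condition), so a clean run only means the file manager is absent or behind .htaccess and nothing is world-writable.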
magicmycote
using fck here
Misery_Kitty
I get a file not found error... am I safe??
Jack_mcs
QUOTE (Misery_Kitty @ Feb 6 2008, 10:24 AM)
I get a file not found error... am I safe??

QUOTE
If you don't see a login screen, you have a security hole.


Jack
Vger
The HTML Area, if you use it, is in the admin folder, so provided that you have that secured via .htaccess and don't just rely on an osCommerce login add-on it should be secure.

With regard to folders and files with permissions of 777 being vulnerable to exploitation - well "Yes"! What else would they be?

Vger
Jack_mcs
QUOTE (Vger @ Feb 6 2008, 01:29 PM)
The HTML Area, if you use it, is in the admin folder, so provided that you have that secured via .htaccess and don't just rely on an osCommerce login add-on it should be secure.
There was a security hole found a while back that allowed access to the files even if the admin was protected. It was found in CRE shops but applies to any one using that editor. I'm pretty sure an update was applied to the contribution here but it's been so long I don't recall.

Jack
Misery_Kitty
I read what you said Jack.... I just meant, if the file isn't there, how can someone access it? Maybe I'm looking at it wrong...

Sorry for being a noob at it all... and asking so many questions that may seem obvious to experienced ppl. Questions like... how can I fix the problem?
Jack_mcs
QUOTE (Misery_Kitty @ Feb 7 2008, 05:52 AM)
I read what you said Jack.... I just meant, if the file isn't there, how can someone access it? Maybe I'm looking at it wrong...

Sorry for being a noob at it all... and asking so many questions that may seem obvious to experienced ppl. Questions like... how can I fix the problem?

No need to apologize - we've all been there. Are you sure you have htmlarea installed?

Jack
Misery_Kitty
Well, I have that file (I'm using a templated version and that file came with it) but I haven't installed any contributions like that...
Jack_mcs
If you have it installed, there will be a directory in admin named htmlarea. If you don't have that, don't worry about it.

Jack
Misery_Kitty
Ohh ok... no, I don't have a directory titled that... thanks for the clarification to the noob's questions.