OsCommerce / ZenCart Security
If you have an online store, website security is certainly one of the keys to its success. If your store is insecure then problems are bound to happen. Customers will complain that once they purchase something, their credit cards are used in other parts of the world without their authorization… The worst comes when your payment processor finds out about these problems…
Anyway, don’t get scared; our aim is to talk more about website security. Unfortunately, OsCommerce and ZenCart don’t have much in common with website security. They are built on a platform started almost 10 years ago. New versions come slowly and security vulnerabilities stay open for months. Practically every web store built on OsCommerce / ZenCart is compromised unless the owner has taken additional measures to protect it.
If you wonder whether your store is among the compromised, download the images folder. Sort the files by extension and look for files with a .php, .pl or .cgi extension. If you have such a file there, it is 100% certain your store is compromised. Those files could be named anything from something simple like fr.php to googleadasd323asdad.php. Sometimes they contain some authentic OsCommerce code, other times they are pure backdoors. In any case, you should delete them asap.
Beyond that, it is recommended that you migrate your web store to a newer and more secure e-commerce platform such as Magento. The migration might not be easy, especially if your store is large. Still, it will be worth it in the long term and is the best option for your website security.
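The check described above, as an added example that is not code from the original post or from OsCommerce / ZenCart: a small PHP command-line script that walks the images folder and reports every file with a script extension. It also goes a step further than the extension check and flags files of any extension that contain a PHP open tag, since a "logo.gif" that is really PHP is as bad as fr.php. The directory path is an assumption; pass your store's images path as the first argument, then inspect the reported files before deleting them.

```php
<?php
// Added example, not code from the original post or from OsCommerce / ZenCart.
// Walks an images directory and reports files that should never be there:
// files with a script extension, and files of any extension that contain a PHP
// open tag. The directory is an assumption; pass your store's images path as $argv[1].

function scan_images_dir(string $dir): array
{
    // Extensions the post names (.php, .pl, .cgi) plus the other PHP-handled ones.
    $scriptExt = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'pl', 'cgi'];
    $findings  = [];

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());

        if (in_array($ext, $scriptExt, true)) {
            $findings[] = [$path, "script extension .$ext"];
            continue;
        }
        // Only the first 64 KiB is read; PHP tags planted in image headers or
        // EXIF comments sit at the very start of the file.
        $head = @file_get_contents($path, false, null, 0, 65536);
        if ($head !== false && preg_match('/<\?php|<\?=/i', $head)) {
            $findings[] = [$path, 'PHP open tag inside a non-script file'];
        }
    }
    return $findings;
}

$dir = $argv[1] ?? 'images';
if (!is_dir($dir)) {
    fwrite(STDERR, "no such directory: $dir\n");
    exit(1);
}
$found = scan_images_dir($dir);
foreach ($found as [$path, $why]) {
    echo "SUSPECT: $path ($why)\n";
}
echo count($found) . " suspicious file(s) under $dir\n";
```

Run it as `php scan_images.php /path/to/images` on a copy of the folder you downloaded. The script only reports; deleting is left to you so that a file containing authentic OsCommerce code can be compared against a clean install first.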
Internet Explorer Is Insecure
I don’t use Internet Explorer because it does not run on Linux in the first place. However, I don’t agree when I hear that Internet Explorer is insecure. Yes, if you use Internet Explorer 6 and you haven’t updated your Windows for years, then the first site with a virus will compromise your PC.
But as a whole, Internet Explorer is just as secure as any other browser. Of course, take into consideration that it is the most popular browser and naturally all exploits target it. Thus if you just don’t use it, most exploits won’t affect your browser. This is not always true though, because more advanced exploits check your browser’s user agent and send you the applicable exploit. Smart, isn’t it?
Furthermore, there is much that can be done to secure Internet Explorer further. For example, disable Java, JavaScript, Flash and so on… Anything that is not needed by the sites you visit should be disabled, or you could whitelist just those sites. Also, don’t store any passwords in it because they can be easily stolen.
So as a whole, Internet Explorer is not insecure, but it is harder to keep it secure compared to less popular browsers.
Secure Web Hosting
Website security depends greatly (but not entirely) on the web hosting. Web hosting services differ, and first we will review the most popular and affordable kind, shared web hosting. When choosing your provider look for these:
1. The web server (Apache) must work in a chrooted environment. This means that users can’t see each other’s processes and files. If someone is able to read your files, your security is compromised. This condition is not met by 90% of the providers.
2. Make sure that PHP is the latest stable branch and that allow_url_include and register_globals are turned off. Running older PHP versions and configuration mistakes like the previous ones seriously degrade your website security.
3. Make sure there is adept technical support. Usually advanced support services are paid for additionally, but if you need them once per year that shouldn’t be a problem. The problem will be if you need them and they are not there.
4. There are many additional things like brute force protection, IDS/IPS, special kernels and so on which might also help, but don’t be swayed by them alone. The three above are the most important features to look for in order to ensure your website security.
Kaspersky Rescue Disk
As previously mentioned, many websites are compromised because the webmasters’ computers are infected with a computer virus. Thus, it is essential for website security to keep your local computer clean of viruses.
There are many antivirus products, but we will review Kaspersky Rescue Disk because:
1. It is free of charge
2. It does not depend on the Windows operating system. Instead it runs on a bootable Linux. Have you asked yourself how good an antivirus program is if your Windows is so compromised that it cannot run anything?
3. There will be no locked files, no protected files and so on… That’s where viruses usually love to hide.
4. It is very reliable and up to date. You have the option to update the live CD as long as you have a working network.
Once you are convinced that Kaspersky Rescue Disk suits your current needs, follow these steps:
1. Download and burn the CD. Check for a current link on the official site.
2. Boot the live CD in graphical mode and choose your language.
You can pick the text mode boot option if your PC is low on resources. However, it is a bit less pleasant to work without a GUI and takes many more actions.
3. Update the virus signatures – that’s a must in any case.
4. Finally, start the scan and prepare yourself for a shock. The last time I ran it for a friend of mine (yes, she was a girl), it showed more than 80 threats.
When a threat is found it will ask you what to do. In most cases it is safe to delete the file, but if you have any doubt that it is a system file, check it on the net to be certain (and don’t trust only the name of the file).
Once you go through all of the above, you may consider your local PC safer than before. That’s one of the many things on which website security relies.
Posted in General
Is It Safe To Use Free Website Templates
The answer is, as usual – it depends. And in this case it depends mostly on the provider of the template. If it is a well-known company, you would probably just give it a link from the footer of your site.
However, some less known sources release templates / themes with 2 problems:
1. Copyrighted images – even if the releaser of the template has the right to use an image, you may NOT have that right. Then you will go to Getty Images Hell.
2. Very often there is hidden code in the sources of the template. Usually it is eval(gzinflate(base64_decode(‘asdasd’))) or just base64_decode(). The problem is that most people don’t see what is in this code, and very often it turns out to include content from other sites. This is a huge risk because you never know what is going to be included in your site today. If you see such source, try the tools below to decode it:
http://www.tareeinternet.com/scripts/decrypt.php – eval gzinflate base64_decode PHP Decoder
http://www.tools4noobs.com/online_php_functions/base64_decode/ – base 64 decode
Thus don’t use third party free website templates unless you understand all of their source and you can make sure the images have proper copyrights.
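If you would rather not paste a template’s code into a third party site, the same decoding can be done locally. The following is an added example, not code from the original post or from the decoder sites linked above: it peels eval(gzinflate(base64_decode('...'))) and eval(base64_decode('...')) layers off a template one at a time and then reports which URLs and code-loading functions the innermost code reaches for, so you can judge the template without ever running the hidden code. The footer snippet it analyses is constructed inside the script, and the URL in it is a placeholder.

```php
<?php
// Added example, not code from the original post or from the decoder sites linked above.
// Unwraps eval(gzinflate(base64_decode('...'))) and eval(base64_decode('...')) layers
// from template source and reports what the innermost code does. The sample footer
// below is constructed here; example.invalid is a placeholder host.

// Peel one eval() layer at a time; returns every decoded layer, outermost first.
function unwrap_layers(string $source, int $maxLayers = 10): array
{
    $layers = [];
    $re = '/eval\s*\(\s*(gzinflate\s*\(\s*)?base64_decode\s*\(\s*[\'"]([A-Za-z0-9+\/=]+)[\'"]\s*\)/';
    for ($i = 0; $i < $maxLayers; $i++) {
        if (!preg_match($re, $source, $m)) {
            break;
        }
        $decoded = base64_decode($m[2], true);      // strict: stop on anything that is not base64
        if ($decoded === false) {
            break;
        }
        if ($m[1] !== '') {                          // the gzinflate( wrapper was present
            $decoded = @gzinflate($decoded);
            if ($decoded === false) {
                break;
            }
        }
        $layers[] = $decoded;
        $source   = $decoded;                        // the decoded code may itself be wrapped
    }
    return $layers;
}

// Things hidden template code typically does: fetch remote content or load more code.
function suspicious_calls(string $code): array
{
    $found = ['urls' => [], 'functions' => []];
    if (preg_match_all('#https?://[^\s\'"()]+#i', $code, $m)) {
        $found['urls'] = $m[0];
    }
    foreach (['include', 'require', 'file_get_contents', 'curl_exec', 'fsockopen', 'eval'] as $fn) {
        if (preg_match('/\b' . $fn . '\s*\(/', $code)) {
            $found['functions'][] = $fn;
        }
    }
    return $found;
}

// Constructed sample: a footer that hides a remote fetch behind two layers of encoding.
$hidden   = "echo file_get_contents('http://example.invalid/footer-links.txt');";
$inner    = "eval(gzinflate(base64_decode('" . base64_encode(gzdeflate($hidden)) . "')));";
$template = "<div id=\"footer\">\n<?php eval(base64_decode('" . base64_encode($inner) . "')); ?>\n</div>";

$layers = unwrap_layers($template);
foreach ($layers as $n => $code) {
    echo 'layer ' . ($n + 1) . ': ' . $code . "\n";
}
if ($layers !== []) {
    print_r(suspicious_calls(end($layers)));
}
```

For a real template, replace $template with file_get_contents() of the suspicious file. The decoded layers are only printed, never passed to eval(), which is the whole point: you read what the template would have executed on your site.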
Posted in General
PHP Encryption
It’s a myth that PHP encryption will make your PHP code and site more secure. Furthermore, it’s absolutely useless if you plan to hide any of your sensitive data.
No matter how you encrypt your code (IonCube, Zend, SourceGuardian…), there is a very simple way to find out what is written in the file, in 2 steps:
1. Create a new php file and include the encrypted file in it.
2. Print all defined variables, functions, classes and so on.
Here is a sample code; encrypted.php is the encrypted file:
<?php
include('encrypted.php');
//First, we will print the hyper secret functions:
$functions = get_defined_functions();
print_r($functions);
//Next, let's print all the variables. Usually that's where passwords are :)
$variables = get_defined_vars();
print_r($variables);
?>
Similarly, you can use get_defined_constants() and get_declared_classes() to find the defined constants and classes…
Thus, if you’d like to hide any sensitive data or protect your code think of something else and don’t rely on encryption.
SSL And Website Security
Is SSL helpful to website security? From a scientific point of view – not much. No, because it does not help in protecting your site from hackers. If there is a vulnerability on your site, it will be exploited with or without SSL.
The only real benefit is that if your web traffic is sniffed (common on wireless networks), sensitive data (passwords, credit card details) is a bit more protected.
Besides the scientific point of view, there is also a practical point of view. Most sites are hacked by script kiddies who use popular scripts. Most of these tools don’t work with SSL by default, and they might miss you provided you configure your site to work only over SSL.
Generally, SSL is highly recommended for any e-commerce site because a lot of sensitive data is transmitted. It is of little use for an ordinary site, though. Still, sometimes it might be worth a few more $$ to give extra protection to your site.
Posted in Security Myths
PHP and Register Globals
Generally, Register Globals in PHP is a useful feature. Its great benefit is that variables can be easily changed. However, this is a disaster for website security.
Let’s take a look at an example. You have a script called register_globals.php which has to run Linux shell commands:
<?php
echo exec($command);
?>
With register_globals turned on, you can define this variable $command easily, even through a URL like this:
http://website-security.info/register_globals.php?command=whoami
And if you can define it, attackers usually can define it too. That’s where the big problem comes…
Generally, no decent site should run with register_globals turned on. It’s just like leaving your house with the door open in a bad neighborhood, which is what the World Wide Web is in fact.
The catch is that it is possible to define variables externally and still leave your site unsafe even with register_globals turned off. Here is an example:
<?php
echo exec($_GET['command']);
?>
With the above, even with register_globals turned off, the attacker can hack your site in exactly the same way as before.
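Both versions above fail for the same reason: the command text itself comes from the request. The following is an added example, not code from the original post, showing the same register_globals.php idea written so that the request can only choose one of a few fixed commands by name. The command names and commands are illustrative assumptions.

```php
<?php
// Added example, not code from the original post. The request only picks a key from a
// fixed table; the command string never comes from the client, so neither register_globals
// nor $_GET can change what exec() runs. The table entries are illustrative assumptions.

$allowedCommands = [
    'whoami' => 'whoami',
    'uptime' => 'uptime',
    'disk'   => 'df -h /',
];

// ?command[]=x would arrive as an array, so check the type before using it as a key.
$choice = $_GET['command'] ?? '';
if (!is_string($choice) || !isset($allowedCommands[$choice])) {
    http_response_code(400);
    exit('unknown command');
}

// If a command ever needs a user-supplied argument, validate it against a strict pattern
// first and pass it through escapeshellarg(); never concatenate raw input into the string.
$output = [];
exec($allowedCommands[$choice], $output, $status);

header('Content-Type: text/plain; charset=UTF-8');
echo "exit status: $status\n";
echo implode("\n", $output), "\n";
```

Note that a script cannot switch register_globals off for itself: the setting is per-directory, so it belongs in php.ini or, for mod_php hosts that allow it, in a `php_flag register_globals off` line in .htaccess. The whitelist above protects you either way.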
Posted in PHP Security
Web Security Advices
In this article we will describe a few pieces of web security advice for a safer web site. They tend to be basic, easy and reliable.
1. Never show information about the web application you are using. Remove all ‘Powered by’ footers and “generator” meta tags. This will ensure that your site doesn’t appear in search engines for searches like ‘Powered by XYZ’ – the first thing all script kiddies do when a new exploit for XYZ appears.
2. Change your URL scheme and use rewrite rules. With rewrite rules you could easily make a PHP script look like an ASP script. WordPress is very powerful in this respect and gives great freedom through its Permalinks feature. Along with that, it is a good idea to make all error pages look the same so that the attacker can’t be sure whether he has stumbled upon a Forbidden or a Not Found page.
3. Ensure IP-based protection for the administrative area. You can restrict access to the admin area of almost all popular web applications. The simplest solution is to use Apache Deny / Allow rules in a .htaccess file:
Order Deny,Allow
Deny from all
Allow from your_ip_address
If you use WordPress you should place such a file in your wp-admin directory. For Joomla you should place it in the administrator directory.
The above protection will, on one hand, protect you from attacks against scripts in the admin area. On the other hand, it ensures that even if an attacker knows your admin password he cannot log in to the admin area unless he has the same IP address as yours.
4. Unless a web visitor has been authorized / logged in, require him to fill in a captcha for any input (search, feedback, login forms).
5. The usual recommendations – always keep your scripts up-to-date and use as few third party extensions as possible.
If you follow the above web security advice, you will never have problems with web security.
Site Hacked Through Exploited Windows
You may not know it, but very often sites are hacked because of exploited Windows PCs. Worms get the passwords from the FTP client, download all index.php files, add malicious code to them and then upload the files back.
Needless to say, it is almost always Windows PCs that are exploited. You can never say it too often, but Windows is insecure and unsecurable.
Still, I don’t think the problem is so much with Windows. It’s just that it is too popular and all exploits are made for it. If you go with the mainstream, you are always vulnerable. I still remember when one Fedora repository got hacked and a funny sshd update appeared – welcome to the botnet.
So if you want to stay secure, just stay away from any mainstream software. Use little known distributions, preferably Linux… Zenwalk is one of my favorites, for example. Don’t trust popular browsers for most of your browsing either. It’s also a good idea to apply frequent updates, but not too often (especially if you run Fedora), because fresh updates are not always well-tested and may crash your system.
So when your site has been hacked, the first thing to check is whether your local PC is safe and secure. After that, check the FTP logs and see whether there are downloads followed shortly by uploads of the same files, usually index.php files.
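The FTP log check at the end can be automated. The following is an added example, not code from the original post: it reads transfer records in the classic xferlog layout written by wu-ftpd and proftpd and flags every file that was downloaded and then uploaded again within a short window, which is exactly the trace the worms described above leave behind. The log lines in the script are constructed for the example; point it at your own server's xferlog instead.

```php
<?php
// Added example, not code from the original post. Reads xferlog-style FTP transfer
// records and flags a download followed by a re-upload of the same path within a short
// window. The sample lines below are constructed; pass a real xferlog path as $argv[1].

// Parse one xferlog line (wu-ftpd/proftpd layout) into the fields we need, or null.
function parse_xferlog_line(string $line): ?array
{
    $f = preg_split('/\s+/', trim($line));
    // 0-4 date, 5 transfer time, 6 remote host, 7 size, 8 path, 9 type,
    // 10 special action, 11 direction: i = upload to the server, o = download from it.
    if (count($f) < 12) {
        return null;
    }
    $when = DateTime::createFromFormat('D M j H:i:s Y', implode(' ', array_slice($f, 0, 5)));
    if ($when === false) {
        return null;
    }
    return ['ts' => $when->getTimestamp(), 'host' => $f[6], 'path' => $f[8], 'dir' => $f[11]];
}

// Report every upload of a path that was downloaded at most $window seconds earlier.
function find_download_then_upload(array $lines, int $window = 3600): array
{
    $downloads = [];   // path => list of download timestamps seen so far
    $hits      = [];
    foreach ($lines as $line) {
        $e = parse_xferlog_line($line);
        if ($e === null) {
            continue;
        }
        if ($e['dir'] === 'o') {
            $downloads[$e['path']][] = $e['ts'];
        } elseif ($e['dir'] === 'i') {
            foreach ($downloads[$e['path']] ?? [] as $t) {
                $gap = $e['ts'] - $t;
                if ($gap >= 0 && $gap <= $window) {
                    $hits[] = ['path' => $e['path'], 'host' => $e['host'], 'gap' => $gap];
                    break;
                }
            }
        }
    }
    return $hits;
}

// Constructed sample log: two index.php files fetched and pushed back within half a minute,
// then an unrelated image upload the next day that must not be reported.
$sampleLog = <<<'LOG'
Mon Jan 15 10:02:11 2024 1 198.51.100.7 2048 /home/shop/public_html/index.php b _ o r shop ftp 0 * c
Mon Jan 15 10:02:40 2024 1 198.51.100.7 2311 /home/shop/public_html/index.php b _ i r shop ftp 0 * c
Mon Jan 15 10:03:02 2024 1 198.51.100.7 1800 /home/shop/public_html/catalog/index.php b _ o r shop ftp 0 * c
Mon Jan 15 10:03:29 2024 1 198.51.100.7 2063 /home/shop/public_html/catalog/index.php b _ i r shop ftp 0 * c
Tue Jan 16 09:15:00 2024 3 203.0.113.9 512000 /home/shop/public_html/images/logo.png b _ i r shop ftp 0 * c
LOG;

$lines = $argc > 1 ? file($argv[1], FILE_IGNORE_NEW_LINES) : explode("\n", $sampleLog);
foreach (find_download_then_upload($lines) as $hit) {
    printf("%s re-uploaded %ds after download from %s\n", $hit['path'], $hit['gap'], $hit['host']);
}
```

On the constructed sample both index.php files are reported with gaps of under a minute and the logo upload is not. A worm works through the whole account quickly, so in a real log the tell-tale sign is many such pairs from one remote host in a few minutes; the host column then tells you which machine (usually the webmaster's own PC) holds the stolen password.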
Posted in General