A list of more than a hundred online small businesses running vulnerable components of the osCommerce shopping cart software has been published online.
The vulnerable sites could have their database passwords stolen, granting attackers access.
Each contained a directory named extras, which had been identified as insecure in 2006 and removed from later osCommerce releases.
It was introduced in the osCommerce Online Merchant download, which assisted users in upgrading the PHP and Perl scripts on their sites.
An insecure directory listing implementation meant those scripts allowed any file on the server to be read, including configuration files and database backups, if the location of the file was known.
The company said the scripts were not relevant to current releases and that users should remove them.
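Because the insecure extras scripts read arbitrary files once the path was known, a site operator who has removed the directory can still check web server logs for requests that tried to use it. The following Python script is an added example written for this article, not osCommerce code: it parses Apache combined-format access log lines (constructed here; the script and file names in them are hypothetical) and flags requests to the extras directory, path traversal sequences, and requests naming configuration or backup files.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-log lines (not real traffic); the script and
# file names inside the requests are hypothetical placeholders.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jul/2011:12:00:01 +0000] "GET /catalog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2011:12:00:05 +0000] "GET /extras/upgrade.php?file=../../includes/configure.php HTTP/1.1" 200 2048 "-" "curl/7.21.0"
203.0.113.5 - - [10/Jul/2011:12:00:09 +0000] "GET /extras/%252e%252e/backup/db_backup.sql HTTP/1.1" 404 310 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Jul/2011:12:00:12 +0000] "GET /catalog/product_info.php?products_id=42 HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
"""

# Apache combined log format: client, identity, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A '..' segment followed by a separator is the classic traversal marker.
TRAVERSAL = re.compile(r'\.\.[/\\]')
# Files an attacker reading arbitrary files would typically go after.
SENSITIVE = re.compile(r'configure\.php|\.(?:sql|bak)\b|/etc/passwd', re.I)


def classify(line):
    """Return a finding dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Decode twice so double-encoded traversal (%252e%252e) is seen as '..'.
    decoded = unquote(unquote(m.group('target')))
    path, _, query = decoded.partition('?')
    reasons = []
    if '/extras/' in path.lower():
        reasons.append('request to removed osCommerce extras directory')
    if TRAVERSAL.search(path) or TRAVERSAL.search(query):
        reasons.append('path traversal sequence')
    if SENSITIVE.search(decoded):
        reasons.append('names a configuration or backup file')
    return {'ip': m.group('ip'), 'status': int(m.group('status')),
            'target': decoded, 'reasons': reasons}


def scan(lines):
    """Return only the findings that have at least one reason attached."""
    return [f for f in map(classify, lines) if f and f['reasons']]


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f['ip'], f['status'], f['target'], '|', '; '.join(f['reasons']))
```

A 200 status on a flagged request means the server served the file; a 404 still shows the site was probed and should be cross-checked against the database credential rotation Jordon recommends.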
Many websites in the list were duplicates and three of the sites were Australian companies.
Context Information Security consultant Michael Jordon said the local file inclusion vulnerability allowed "for any file on the system to be read which could easily lead to a full compromise of the server" if for example attackers had found a data backup file.
“If the database is available from the internet, then it's game over,” he said.
He said the discovery of the vulnerability was not "particularly clever" and was likely found through Google search queries.
“The listed websites need to patch urgently and change all database connector credentials and then check that no credit card, personal data or passwords were in clear text in the database.”
This article originally appeared at scmagazineuk.com