Shopping cart other than OSCommerce?

Tue Dec 7 21:01:20 UTC 2010

On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote:
> With a provider where I had a dedicated server, not running FreeBsd , the entire server was hacked and before leaving them, the tech support people said that the hacking was because of a problem with some libraries under PHP AND OSCOMMERCE. They never could prove that but I leave them since the entire server was hacked, not information stolen but ONLY that$ all  web pages (.html, .php) pages where changed, all under different domains  and account jailed (?) using CPANEL. Anyway. I am not sure how sensible is OSCCOmmerce to that since I know it is very popular but I would like to test something else.

30 seconds with a Google search suggests that osCommerce has unpatched security vulnerabilities which do lead to compromise of admin and arbitrary PHP code execution:

  http://secunia.com/advisories/product/1308/

"Affected By	 7 Secunia advisories
                44 Vulnerabilities

Unpatched	 29% (2 of 7 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting osCommerce 2.x, with all vendor patches applied, is rated Highly critical."

  http://secunia.com/advisories/33446/

"1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create additional administrator accounts by tricking an administrative user into visiting a malicious web site.

2) An error in the authentication mechanism can be exploited to bypass authentication checks and gain access to the administrative interface in the "admin/" folder.

Successful exploitation allows to upload and execute arbitrary PHP code e.g. via the file_manager.php script."

In other words, your former site's tech support people were likely right-- the site was almost certainly hacked because of osCommerce.  Find something else, preferably something which is not based upon PHP.

Regards,
-- 
-Chuck