eCommerce News & Resources by oscommerceuniversity.com

The osCMax project recently released an updated version of osCMax which removes the File Manager and Define Languages tools due to unspecified security concerns.

Details can be found in the osCMax forums – http://www.oscmax.com/forums/announcement-discussions/20984-security-notice-oscmax-2-0-4-released.html and in the osCMax Blog – http://www.oscmax.com/node/341

Few details are available but this flaw may also affect CRE Loaded and other osCommerce derivatives…

Once more the Evil Over Lords Imperial Storm Troopers (AKA Chain Reaction Ecommerce)  strikes a blow for Open Source excellence at their customers expense.  How you might ask?  As well you should.  The answer does yeild a certain amount of amusement, if one’s sense of humer partakes of a certain twisted bent.

This morning, CRE Loaded store users began drawing to my attention the sudden onset of error messages from Internet Explorer whenever an Admin page was rendered.  The error noted that some of the page content was subject to a security certificate flaw.  On examination of the pages, we found the expected suspect.  Once more Chain Reaction has used its 175,000 users as alarm clocks to remind them to renew a security certificate.  This is, I believe, at 3 years running.  Is this now company tradition?  Rumors abound of a pool for next years renewal date..

Security Certificate Expired.

In the meantime, if you have better things to do with your time than call CRE support to remind them of a job they should already have done (and who doesn’t), or you’re one of those clued in people who know better than to simply click “accept this content” whenever you encounter this error (and we sincerely hope you are – bad habit!), you might want to join us in the Open Source University Forums to find out how to remove the offending links from YOUR CRE Loaded cart.

A server administrator I know referred me to this post on file upload security : http://www.uno-code.com/?q=node/93 this morning. An interesting article, rather well written, and pretty informative. It is obviously targeted at people who are hosting sites on their own server though, so I thought I would take a look at how these recommendations stand up to a shared hosting environment and comment on them from the point of view of a software developer. My tone may wax a bit sarcastic from time to time – this is nothing to do with the author of the original article. I’d like to give some credit to the author, but they really don’t have any ID on their site. No info on the website, no info on the website referred to in the whois information. So, thanks go out to “The Artist Known as Admin AT uno-code.com” , (aka “The Artist”). Whoever they are.

The article centers around 10 things that can be done to achieve file upload security on your Apache based server. Those ten things are:

1. Don’t allow uploads
2. Check MIME type server-side
3. Use mod_security to validate file uploads via a approver script
4. Use suhosin. Suhosin (was/is ?) the hardened-php project
5. Don’t upload to a web accessible directory
6. Pay attention to permissions.
7. Don’t serve certain file types if you need to have a web accessible upload directory.
8. Make sure your /tmp directory is not executable
9. Chroot your Apache environment
10. Use safe_mode and open_basedir

You would think this is a fairly useful list, and perhaps it is. The author addressed each of these issues with a paragraph or so of comments. I’ll summarize those below, and offer discussion..

Don’t Allow Uploads

The Artist apologizes for restating the obvious, and notes that if you disallow file uploads on the entire server, you don’t have to worry about them. Good advice as far as it goes, just not always practical on an eCommerce Server. In any case, the conditions under which a server or server account are rented often do not allow the system administrator a choice here. More on this later.

Check MIME type server-side

Excellent advice. The Artist follows with some practical tips on how to do so, part of what makes the article well worth reading. It is well worth repeating that the mime-types passed during content negotiation may be spoofed and that these should be checked server-side before accepting the file into permanent file storage. The techniques using PEAR’s fileinfo package and GD’s exif_imagetype() should certainly be helpful – provided they are available.

Use mod_security to validate file uploads via a approver script

OK – not a bad idea. But – how? Not so much from a technical standpoint, as from a protocol perspective. File uploads are generally enabled because the site owner needs that feature, and needs certain file types. Should the System Administrator blindly stop an upload without communicating the issue to the site owner?? I don’t think so. The fact is, file validation on uploads is a shared responsibility. Either the system administrator or the application programmer should be providing a service which can be used to assure that validation is done. This is a significant need in shared server space, because simply blocking the upload steps on the tenants rights to access their property – ie, their rented server space. Subjecting all uploads to scanning is a good idea, but this also should not be done without interaction with the site owner. Emailing them on discovery of malicious content upload would be good – and if you can use mod_security or other techniques to tie the content to its source so much the better. In short – don’t do so blindly and capriciously without regard to the site owners need to be aware of events taking place on their site.

Use suhosin. Suhosin (was/is ?) the hardened-php project. Well, maybe. My own experience running PHP software on Suhosin is that it may be hardened, but it requires due diligence in site setup and/or application development for a reasonable level of confidence in application performance to be reached. My experience with PHP development in general tells me that it would be a very good idea not to urn any business software on Suhosin that wasn’t developed on it. (Which by the way – I highly recommend.). So – I don’t disagree with the recommendation, but I think as a flat policy statement it may be better offered to PHP developers than the general public. It leaves the question – why is Suhosin not a standard part of PHP ?

Don’t upload to a web accessible directory. Oh please. Good idea on some servers, and totally irrelevant on others. Depending on the server setup, this just could allow any malicious program escaping validation and scanning free entry into other parts of the server. Do this if and only if your server administrator specifically advises you to, and provides a specific location to which the uploads may be routed. Administrators should make this part of their server setup routine, and include the information in welcome emails.

Pay attention to permissions definitely a good idea – and for system administrators I would add pay attention to ownership as well. Part of the reason for my position on the last suggestion offered.

Don’t serve certain file types if you need to have a web accessible upload directory. Good advice. What file types? Many merchants have little to no clue. This is a place where closer collaboration between hosts and hosts and their clients could really pay off for security – especially when combined with some creative account configuration and construction techniques. For hosts to collect intended usage information and issue focused security advisories could be very helpful to all concerned.

Make sure your /tmp directory is not executable. Not bad advice at all. Here is another for use in a shared hosting ecommerce environment – make sure your users can create their own space in the /tmp directory separate from any other users space, provide such separate space up front or advise the use of database stored sessions. Why? Session identifiers are generally pseudo random in nature – but the key portion of that description is “Pseudo”. The total number of times I have seen an exchange of confidential customer information occur because of shared /tmp directory space is quite small in terms of the total number of annual transactions which occured on the servers obverved – but are in double digits, which was quite enough for the people involved. If a host wants to lease server space to ecommerce sites, they should be aware of this and offer guidance to the best solution for their server configuration up front.

Chroot your Apache environment – great advice anytime, I think.

Use safe_mode and open_basedir – way off_base. Sorry Artist – but safe_mode is going away in PHP 6, or hadn’t you heard? Every server administrator should be aware of this change – nor is it a bad thing. It may be a mode, but it is not safe nor does it assure code safety any more than turning Register Globals off. During the time safe_mode was available it diverted attention from other secure programming techniques by interfering substantially with access to normal programming techniques. No security tool provided by a mere application development language can substitute for a secure implementation of basic services including email, shell, FTP and web servers and the close attention to file ownership, and permissions advised above. Offer tutorials in the secure use of the services you make available as part of your business. Orient your customers as to security policy, then enforce it. Most of them will thank you, and those that won’t need to be elsewhere.

by David Graham.

Wow.

I’ve now finished generating the screen captures for installations
of CRE Loaded 6.2 B2B, osC Max 2.0.0 rc3.01, and osCommerce 2.2 rc1.

Zen Cart is coming up, but already some interesting differences can
be seen. Each distribution starts to show its varying emphasis
right away.

The osC Max installer bears a very close resemblence to the old
osCommerce 2.2 MS2 installer. Not surprising, as the osC Max
project emphasizes its position as a preinstaller of contributions
which makes no effort to innovate on its own. osC Max installs and
generates bug fixes, but improvements are the province of the
osCommerce projects developers and contributors.

The CRE Loaded installers bears some resemblence to its descendents
as well, at least in the essential steps. It has a clean rebranded
look, though a bit aged in appearance when compared to the
osCommerce 2.2 rc1 installer. The added features definitely stand
out. This installer easily has the most comprehensive checks for
server compatibility and file and directory permissions. It also
shows a level of maturity greater than either of the other
installers where security features are involved. Password echoing
is held to a minimum for example, and the CRE installer retains the
seemingly redundant but definitely helpful capability to use
separate database users for installation and store
operations.

The osCommerce 2.2 rc1 installer is a substantial back port of the
osCommerce 3.0 Alpha installer. While the implementation is
definitely both prettier and flashier than its 2.2 MS2 predecessor,
it falls short in some respects. Particularly, I could not fathom
why AJAX techniques were used for some status reports. The rapid
updates were too quick for the human eye, and the advance to the
next page left me wondering just what had been reported on. Not
good.

However, the rc1 installer does show some promise. It does include
a few server compatibility checks on the front page. These are
likely sufficient given a development targeted at the lowest common
denominator in server setup. There were no file or permission
checks present. This could be problematical, and indeed, I noticed
immediately after completing the installation that the backup tool
was non-functional due to the lack of an admin/backups
directory.

On the promising side though, this was the shortest installation
procedure of the three. The instructions were clear, if not quite
complete, and the direction in which development is proceeding is
quite satisfying. The osCommerce project definitely is nowhere near being out of the game.

I’m definitely looking forward to seeing the direction taken by Zen
Cart, the outspoken fork which seeks to dominate them all..