The Register® — Biting the hand that feeds IT

Feeds

Attack on open-source web app keeps growing

8 mil poisoned pages, thanks to osCommerce users

Customer Success Testimonial: Recovery is Everything

An attack targeting sites running unpatched versions of the osCommerce web application kept growing virally this week, more than three weeks after a security firm warned it was being used to install malware on the computers of unsuspecting users.

When researchers from Armorize first spotted the exploit on July 24, they estimated it had injected malicious links into about 91,000 webpages. By early last week, The Reg reported it had taken hold of almost 5 million pages. At time of writing, Google searches here and here suggested that the number exceeded 8.3 million.

Armorize said attackers are exploiting three separate vulnerabilities in the open source store-management application, including one that was discovered last month. Harold Ponce de Leon, the lead developer of osCommerce, said there's only one vulnerability that's being exploited, but he admitted that no one on his team has spoken to anyone at Armorize to reconcile the difference of opinion.

"It is devastating not only to see the damage the attack has inflicted to online stores, but also to customers who are getting affected with old IE6 browser exploits," he wrote in an email.

He said a fix has been available since November's release of osCommerce Online Merchant v2.3. The steadily climbing number of infected webpages suggests that a large percentage of osCommerce websites can't be bothered to install it. And that means people visiting those ecommerce websites are being unnecessarily exposed to attacks. ®

Ensure Ease of Recovery with Asigra’s Agentless Software

it's not that they can't be bothered...

oscommerce (at least up until 2.2 MS2) had become such a mess with customisations and plugins and mods necessary to get plugin x to work with plugin y that we decided to drop it around 2 years ago and switch to drupal. trying to manage all the changes from one version to the next and all the breaks in the plugins that the upgrade would cause was a regular nightmare..

I've seen v3 is looking much more interesting and more modular etc but after that trama won't be going back there in a hurry !!

4
0

Are you sure it's all the fault of the person running the shop?

It's far more likely that most of these websites were built by someone other than the shop owner. Whoever owns the shop would then be completely unaware of what software it's using, so they won't be receiving patch emails.

Given that there's no auto-update for server side stuff, I would guess this is mostly the fault of freelance web developers not caring about past jobs.

3
0

"a large percentage of osCommerce websites can't be bothered to install it"

Clearly the author of this article has never used osCommerce.

The way you apply patches, mods and customisations to osCommerce is to merge the actual PHP source code and it very quickly becomes a nightmare. Even if you are fastidious in delimiting changes in comments, it is still a huge diff-merge task to take on an upgrade and one that is beyond a majority of users.

I remember spending days trying to reconcile two osCommerce sites developed for my (now ex) wife that had been developed by the same web "designer" but at different times and based on different versions of osCommerce and it was insane; the differences between them were enormous and trying to make a unified version with the only differences being the visual customisation proved impossible.

Having said that, 'Rich 2' is probably right as well.

3
0

More from The Register

 breaking news
NSA PRISM snoop-gate: Won't someone think of the children, wails Apple
10,000 things probed, mostly about missing kids, Alzheimer patients, we're told
 breaking news
NSA PRISM-gate: Relax, GCHQ spooks 'keep us safe', says Cameron
Whatever they are up to, it's all above board, we're told
PRISM snitch claims NSA hacked Chinese targets since 2009
Snowden suddenly looks safer in Hong Kong after revelations
 breaking news
US chief spook: Look, we only want to spy on 6.66 BEELLLION of you
Americans assured they are not in the NSA's sights
Speech-to-text drives motorists to distraction
Will talking to you mean I crash into that car up ahead, Siri?
DHS warns of vulns in hospital medical equipment
Has your doctor's anasthesia machine been hacked?
 breaking news
'BadNews is malware' says outfit that found it
Google says code harmless but Lookout says code base is evolving
Panda-peddlers cuffed for chess gambling gambit
More porridge on the menu for Chinese coders after second offence
 breaking news
Yes, maybe we should keep hackers in the clink for YEARS, mulls EU
Watch out black hats, they just might throw away the key
Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats