Attack on open-source web app keeps growing
8 mil poisoned pages, thanks to osCommerce users
An attack targeting sites running unpatched versions of the osCommerce web application kept growing virally this week, more than three weeks after a security firm warned it was being used to install malware on the computers of unsuspecting users.
When researchers from Armorize first spotted the exploit on July 24, they estimated it had injected malicious links into about 91,000 webpages. By early last week, The Reg reported it had taken hold of almost 5 million pages. At time of writing, Google searches here and here suggested that the number exceeded 8.3 million.
Armorize said attackers are exploiting three separate vulnerabilities in the open source store-management application, including one that was discovered last month. Harold Ponce de Leon, the lead developer of osCommerce, said there's only one vulnerability that's being exploited, but he admitted that no one on his team has spoken to anyone at Armorize to reconcile the difference of opinion.
"It is devastating not only to see the damage the attack has inflicted to online stores, but also to customers who are getting affected with old IE6 browser exploits," he wrote in an email.
He said a fix has been available since November's release of osCommerce Online Merchant v2.3. The steadily climbing number of infected webpages suggests that a large percentage of osCommerce websites can't be bothered to install it. And that means people visiting those ecommerce websites are being unnecessarily exposed to attacks. ®
it's not that they can't be bothered...
oscommerce (at least up until 2.2 MS2) had become such a mess with customisations and plugins and mods necessary to get plugin x to work with plugin y that we decided to drop it around 2 years ago and switch to drupal. trying to manage all the changes from one version to the next and all the breaks in the plugins that the upgrade would cause was a regular nightmare..
I've seen v3 is looking much more interesting and more modular etc but after that trama won't be going back there in a hurry !!
Are you sure it's all the fault of the person running the shop?
It's far more likely that most of these websites were built by someone other than the shop owner. Whoever owns the shop would then be completely unaware of what software it's using, so they won't be receiving patch emails.
Given that there's no auto-update for server side stuff, I would guess this is mostly the fault of freelance web developers not caring about past jobs.
"a large percentage of osCommerce websites can't be bothered to install it"
Clearly the author of this article has never used osCommerce.
The way you apply patches, mods and customisations to osCommerce is to merge the actual PHP source code and it very quickly becomes a nightmare. Even if you are fastidious in delimiting changes in comments, it is still a huge diff-merge task to take on an upgrade and one that is beyond a majority of users.
I remember spending days trying to reconcile two osCommerce sites developed for my (now ex) wife that had been developed by the same web "designer" but at different times and based on different versions of osCommerce and it was insane; the differences between them were enormous and trying to make a unified version with the only differences being the visual customisation proved impossible.
Having said that, 'Rich 2' is probably right as well.