Friday, August 5, 2011

Millions of online stores running osCommerce may have been hacked

As we know, it has never been easier to set up shop online: dozens of free solutions can be found on the internet, ready to install on almost any server. The problem begins when you stop updating the system, which leaves it exposed to security flaws that later releases have already corrected. That is what happened recently with osCommerce.

According to an analysis on the Armorize blog, at least 3 million stores running older versions of osCommerce (an open-source system for building online stores) may have been attacked through at least three known vulnerabilities in version 2.2 of the system. These vulnerabilities let attackers reach the store's administration interface and inject malicious code into the page layout, consisting of an IFRAME and a block of JavaScript.
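If you are not sure whether a store you run or host has been hit, the symptom described above (an IFRAME and a script block added to the page layout) can be checked for directly. The following detector is an added example and is not code from the original post or from the osCommerce project; it uses only the Python standard library and flags IFRAMEs that are hidden or squeezed to 1x1 pixels, script blocks built from eval/unescape/fromCharCode, and scripts loaded from hosts you have not explicitly allowed. The sample page and the hostname `malicious.example` in it are constructed for illustration, not real indicators.

```python
"""Detect injected hidden IFRAMEs and obfuscated loader scripts in store pages.

Added example, not code from the original post or from the osCommerce project.
It looks for the symptoms the post describes: an IFRAME hidden via CSS or
reduced to 1x1 pixels, script blocks built with eval/unescape/fromCharCode,
and scripts pulled from hosts that are not on an allowlist. The sample
templates at the bottom are constructed; the hostnames are placeholders.
"""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
STYLE_DIM = re.compile(r"(?:width|height)\s*:\s*(\d+)", re.I)
# Constructs typical of obfuscated drive-by loaders; store templates rarely need them.
OBFUSCATED = re.compile(r"\b(?:eval|unescape)\s*\(|String\.fromCharCode", re.I)


def _dim(value):
    """Leading integer of a width/height value such as '0' or '1px'; None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class InjectionScanner(HTMLParser):
    """Collect (kind, detail) findings while parsing one HTML or PHP template."""

    def __init__(self, allowed_hosts=()):
        super().__init__()
        self.allowed_hosts = set(allowed_hosts)
        self.findings = []
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}  # valueless attrs (e.g. hidden) -> ""
        if tag == "iframe":
            self._check_iframe(attrs)
        elif tag == "script":
            self._in_script, self._script = True, []
            src = attrs.get("src", "")
            host = urlsplit(src).hostname  # None for relative paths such as /includes/x.js
            if host and host not in self.allowed_hosts:
                self.findings.append(("external-script", src))

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script)
            if OBFUSCATED.search(body):
                self.findings.append(("obfuscated-script", body[:80]))

    def _check_iframe(self, attrs):
        style = attrs.get("style", "")
        dims = [_dim(attrs.get("width")), _dim(attrs.get("height"))]
        dims += [int(d) for d in STYLE_DIM.findall(style)]
        hidden = ("hidden" in attrs or HIDDEN_CSS.search(style)
                  or any(d is not None and d <= 1 for d in dims))
        if hidden:
            self.findings.append(("hidden-iframe", attrs.get("src", "")))


def scan_html(html, allowed_hosts=()):
    """Return a list of (kind, detail) findings for one page or template."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_tree(root, allowed_hosts=(), exts=(".php", ".html", ".htm")):
    """Scan every template under root (e.g. the store's catalog/ directory)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read(), allowed_hosts)
                if hits:
                    report[path] = hits
    return report


# Constructed sample: a footer template with an injected 1x1 IFRAME and an
# obfuscated loader appended after the legitimate content.
INFECTED_FOOTER = """<div id="footer">Copyright 2011 Example Store</div>
<script src="/catalog/includes/general.js"></script>
<iframe src="http://malicious.example/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'));</script>
"""

CLEAN_FOOTER = """<div id="footer">Copyright 2011 Example Store</div>
<script src="/catalog/includes/general.js"></script>
"""

if __name__ == "__main__":
    for label, page in (("infected", INFECTED_FOOTER), ("clean", CLEAN_FOOTER)):
        print(label, scan_html(page))
```

Run `scan_tree("/path/to/catalog")` against the store's web root and review each hit by hand: legitimate widgets (analytics, payment badges) load external scripts too, so put their hosts in `allowed_hosts` rather than ignoring the `external-script` findings wholesale. A clean scan only tells you the templates are clean now; it says nothing about whether the administration interface is still reachable by the attacker, which is what the update below addresses.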

What is alarming is the speed with which the attacks multiplied. From almost 90,000 URLs that Google was showing when the attack was first discovered, the number skyrocketed to more than 3.8 million a week later. It is worth noting that Google sometimes returns several URLs from the same store, but it is still a very high number.

As always, the maxim that every good sysadmin knows by heart applies: nothing will help if you install a system and leave its default settings in place (such as default passwords and the default admin path), and even less if you do not apply security updates.

If you maintain an online store using osCommerce, download the latest version from the project site, which includes all the security fixes to date. If your online store is maintained by your hosting provider or a third party, make sure they are running the latest version available. And, by the way, keep doing so from now on.