Praise from...

Craig L. Grantham
BRILLIANT! STUPENDOUS! AWESOME! PERFECT!!! You know Frank – I'm still amazed at how well we communicate intricate details on Web site building with nothing more than e-mail...you're a great communicator!

Craig L. Grantham, Founder
Kneeriders.com.
Preventing osCommerce Admin exploits PDF Print E-mail
Tips & Tricks

Preventing osCommerce Admin exploitsThough osCommerce is a popular online-commerce application with wide community support, it's not perfect. Occasionally vulnerabilities are exposed and exploited. The fall of 2009 saw new exploits in the Admin area where hackers gained access to certain administration screens simply by knowing the file names of the screens.

One such exploit allowed hackers to gain access to osCommerce's Mass Mail tool and send spam to every email address in the database's "customers" table. It turns out that by adding an admin-page file name to the login URL, a hacker could see and use that page. In the case of Mass Mail, all a hacker had to do was append the login URL in his browser by changing http://www.yoursite.com/admin/login.php to http://www.yoursite.com/login.php/mail.php. He could then see and abuse the Mass Mail page to send spam.

To fix this, osCommerce site owners and managers should take the following steps:

  1. Change the name of the "admin" directory to anything else.

  2. Once that's done, two values in the Admin config file has to be updated accordingly. In the file /admin/includes/configure.php change the reference to the "admin" directory to its new name in the the following two constants:

    define('DIR_WS_ADMIN', '/admin/');
    define('DIR_FS_ADMIN', '/server/path/to/your/osCommerce/installation/admin/');

  3. Next you'll want to password protect the "admin" directory via .htaccess. (Search the web for "htaccess password protection" for step by step instrucions. Many topics exist.)

  4. In the file /admin/includes/application_top.php find the following code:

    if (!tep_session_is_registered('admin')) {
    $redirect = false;

    Just before this code add the following hacker-test for URL requests containing more than one ".php":

    $hacker_test = strtolower($_SERVER['PHP_SELF']);
    if ((substr_count($hacker_test,'.php')) > 1) {
    tep_redirect(tep_href_link(FILENAME_LOGIN));
    }

  5. It's also recommended that you disable the files /admin/define_languages.php and /admin/file_manager.php.

For additional info on this exploit, visit the thread Serious Hole Found in osCommerce at the osCommerce forums.

Frank Nilsen

January, 2010

< Prev   Next >