Jump to content

CUBECART IS A JOKE


Recommended Posts

I would like to add something which may be of interest - please know I am am not au fait with web servers so I cannot elaborate!

We recently had an issue with images being exploited by hackers in one of my OScommerce shops - setting the image permissions was not enough, nor was passwording the directory - it was because REGISTER_GLOBALS was turned on. We had to implement a workaround to make sure that REGISTER_GLOBALS was turned off, and the problem was apparently cured.

Hope that helps!

<edited because Isaid safe mode instead of register_globals - told you I wasn't much good at this!)

Link to post
Share on other sites

I would like to add something which may be of interest - please know I am am not au fait with web servers so I cannot elaborate!

We recently had an issue with images being exploited by hackers in one of my OScommerce shops - setting the image permissions was not enough, nor was passwording the directory - it was because REGISTER_GLOBALS was turned on. We had to implement a workaround to make sure that REGISTER_GLOBALS was turned off, and the problem was apparently cured.

Hope that helps!

<edited because Isaid safe mode instead of register_globals - told you I wasn't much good at this!)

Setting register_globals to OFF is absolutely critical. Leaving it ON allows for so many more possibilities for hacking any script. CubeCart is a well-written program that works fine with it off, so I can't imagine any reason not to do so.

Link to post
Share on other sites
Guest taj

I would like to add something which may be of interest - please know I am am not au fait with web servers so I cannot elaborate!

We recently had an issue with images being exploited by hackers in one of my OScommerce shops - setting the image permissions was not enough, nor was passwording the directory - it was because REGISTER_GLOBALS was turned on. We had to implement a workaround to make sure that REGISTER_GLOBALS was turned off, and the problem was apparently cured.

Hope that helps!

<edited because Isaid safe mode instead of register_globals - told you I wasn't much good at this!)

Setting register_globals to OFF is absolutely critical. Leaving it ON allows for so many more possibilities for hacking any script. CubeCart is a well-written program that works fine with it off, so I can't imagine any reason not to do so.

Yep - mine is off and it works fine - I've just seen a mod which requires register_globals on - maybe the person has installed something like that.

Link to post
Share on other sites

If there's a mod for CubeCart or a program out there which REQUIRES register_globals to be on, RUN AWAY!!!!! RUN AWAY FAST!!!!!

Seriously, anybody offering up any kind of commercial or even semi-commercial software that still uses/needs register_globals likely doesn't know what they're doing.

If there's a CubeCart mod that needs it, please PM me with the info on it. I want to talk to the writer and help them understand what they're doing wrong.

:rolleyes:

Link to post
Share on other sites

I have had the same problem,first they added a e-bay spoof site to images file,my hosting company netfirms found it shut down my site till Iremoved it,then again I was checking my files found another one in main directory in plain site. changed passwords,htacess admin images etc,but netfirms won't allow you to shut off register global? is there away of doing it myself or a work around? :w00t:

Link to post
Share on other sites

I have had the same problem,first they added a e-bay spoof site to images file,my hosting company netfirms found it shut down my site till Iremoved it,then again I was checking my files found another one in main directory in plain site. changed passwords,htacess admin images etc,but netfirms won't allow you to shut off register global? is there away of doing it myself or a work around? :wacko:

It depends on your hosting setup, but usually yes. if you are on an Apache server you can usually add PHP directives to your .htaccess file. So in this case you would add:

php_flag register_globals 0

The advantage of doing it this way is that it then applies to all subdirectories of your web directory as well.

The other way is to add a php.ini file to your web directory, but not all hosts allow you to do that either. Some people have had trouble making this method work for all subdirectories and have had to put a php.ini file in every subdirectory as well. I haven't tried this method myself (since I am on Apache servers), so I can't say for sure why that would be or how to avoid it.

One detail of using local php.ini files that often seems to be overlooked is that you can't just add the settings that you want to change in this file. The php.ini file must contain ALL of your PHP settings (including the ones you want to leave as they are). If you don't set everything in this file then the values you've left blank revert to their defaults (not the host's defaults - the base PHP defaults).

Here's a guide for how to make your own local php.ini files.

You can find out more about register_globals here.

Link to post
Share on other sites
  • 2 weeks later...
Guest jjardine

i have to agree with him as my site was taken down because paypal said i was sending email and had a fake paypal site gathering peoples info. after 3 days they removed the email and url spoof from my cube cart. and if you dont believe me i can send you my whole cube cart folder and you can scan it with a virus scanner and you will see its in the includes folder. and they did it via an injection

Link to post
Share on other sites

i have to agree with him as my site was taken down because paypal said i was sending email and had a fake paypal site gathering peoples info. after 3 days they removed the email and url spoof from my cube cart. and if you dont believe me i can send you my whole cube cart folder and you can scan it with a virus scanner and you will see its in the includes folder. and they did it via an injection

Were you running an updated version of CubeCart or an old version? Did you set register_globals to off? When you say "they did it via an injection" do you mean an SQL injection (dunno how that could cause this) or by "injecting" offsite code into the query string (which would mean that both your CC was not updated and register_globals was on)?

Link to post
Share on other sites
Guest jjardine

not sure about the globals. is it auto off or do i gotta turn off. but i do know thet somehow they got a webadmin.php in the includes folder and was able to access my whole file dir. i only noticed as i went into my last visitors and someone was accessing that webadmin.php file and called my host and they told me i was hacked.

i have been hacked twice through CC. and both times i was fully updated off the site. any ideas. right no i am consideing changing to another cart. but i know CC quite well.

i was doing a search and some websited told me it was an ordersucess exploit?

Link to post
Share on other sites

not sure about the globals. is it auto off or do i gotta turn off. but i do know thet somehow they got a webadmin.php in the includes folder and was able to access my whole file dir. i only noticed as i went into my last visitors and someone was accessing that webadmin.php file and called my host and they told me i was hacked.

i have been hacked twice through CC. and both times i was fully updated off the site. any ideas. right no i am consideing changing to another cart. but i know CC quite well.

i was doing a search and some websited told me it was an ordersucess exploit?

I believe that the exploit that you're refering to was patched in 3.0.7. It also would only work if you had left register_globals set to ON. Turning this to OFF alone is a huge step in protecting any script from hacking (see my post above for links and info about how to set this).

This was a serious hack (and it could have allowed hackers to write code to your site), but it was patched back in December or January. If you run any eCommerce program on your site you absolutely must keep up-to-date on security alerts and patches. That's not to say it's your fault you got hacked, but this is the unfortunate reality of doing business on the internet (no matter what program you use).

I think that in the future CubeCart should refuse to take orders unless register_globals is set to off (it's just too huge of a security risk to leave it on).

Link to post
Share on other sites
Guest jjardine

thanks zap, i think i will give it another shot. and hope for the best.

and again thanks for the help. you can check out my page when i install CC again www.minibikeplanet.com

Link to post
Share on other sites
Guest
This topic is now closed to further replies.
×
×
  • Create New...