Interesting that, besides big CMS like Joomla or WordPress, OpenCart and PrestaShop are also the "target".
The "goal" of this is to redirect traffic, steal credit cards and other sensitive information, hijack resources to mine for cryptocurrencies, or even serve unwanted ads. [quoted]
The script tries to find the folder ../system/config/ and then places a new file inside it, which acts as a "bridge".
BEFORE that, it tries to chmod (change the permissions of) the file index.php in the root to 0644.
Important to say here that your webshop should have the correct permissions (usually 0644 for files, 0755 for folders; some hosters use other permissions, so if they differ, ask them before you change files and folders "like an idiot" to 0666 or 0777 (as seen in this forum!)).
Read the full article here
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
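An added example (not from the post, the article, or OpenCart itself) that checks for the two things the post describes: file and folder modes that deviate from the 0644/0755 defaults (including 0666/0777 "fixes"), and files that have appeared under system/config/ since a known-clean baseline manifest was recorded. It assumes a POSIX shell with find, sort and comm; the baseline manifest format and the demo tree are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenCart. Reports (never
# changes) the problems the post describes. Assumptions: files should be 0644
# and folders 0755 (ask your hoster if theirs differ); the web root contains
# system/config/; a baseline manifest of that folder was recorded from a clean
# install (one relative path per line).

# Every path under $1 that is world-writable or deviates from 0644/0755,
# one finding per line.
audit_opencart_perms() {
    root="$1"
    # -perm -002: any path with the "other write" bit set (0666, 0777, ...)
    find "$root" -perm -002 | sed 's/^/WORLD-WRITABLE: /'
    # -perm 0644 / 0755 match an exact mode; "!" reports everything else
    find "$root" -type f ! -perm 0644 | sed 's/^/FILE-NOT-0644: /'
    find "$root" -type d ! -perm 0755 | sed 's/^/DIR-NOT-0755: /'
}

# Files present under $1/system/config/ that the baseline manifest $2 does not
# list. A dropped "bridge" file shows up here whatever it is called.
audit_config_dir() {
    root="$1"; baseline="$2"
    cur=$(mktemp); base=$(mktemp)
    ( cd "$root" && find system/config -type f ) | sort > "$cur"
    sort "$baseline" > "$base"
    comm -23 "$cur" "$base" | sed 's/^/NOT-IN-BASELINE: /'
    rm -f "$cur" "$base"
}

# Demo on a constructed throwaway tree; point the two functions at your real
# web root and manifest instead.
demo() {
    umask 022
    root=$(mktemp -d); chmod 0755 "$root"
    mkdir -p "$root/system/config"
    touch "$root/index.php" "$root/system/config/catalog.php"
    printf 'system/config/catalog.php\n' > "$root/baseline.txt"
    chmod 0777 "$root/index.php"             # the 0777 "fix" the post warns against
    touch "$root/system/config/bridge.txt"   # constructed stand-in for a dropped file
    audit_opencart_perms "$root"
    audit_config_dir "$root" "$root/baseline.txt"
    rm -rf "$root"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Record the baseline manifest right after a clean install or update (`cd /path/to/webroot && find system/config -type f > baseline.txt`) and keep it outside the web root.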
Ok, so how does it do this?
What settings would make an OpenCart site vulnerable?
UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk
OpenCart itself is secure.
But not anymore if, for example, other instances of WordPress with old code and a not-updated system are hosted on the same server.
Or other scripts which are insecure - and script kiddies will find them!
e.g. there was a thread here not long ago about Adminer.
Another security hole is to give away FTP and/or backend access data to unknown people.
Let them work, get no changelog back.
And after the work is done, the access (backend and/or FTP) is not deleted.
More, nobody checks afterwards what such "developers" have used (tools) or what they have changed inside the scripts.
I have also seen manually added backdoors here.
What I have also seen: clients hand out backend access data to everyone and all.
But no FTP access data .. because their argument is that it is not secure to give that to an unknown person.
Funny fact is that exactly those stores have the FTP data stored in the store configuration - readable (and therefore usable afterwards).
Another story is "self maintained" servers.
And no clue what to do there.
Webstore owners are no technicians!
They don't have to be.
But they should know who they can trust.
OpenCart itself is secure.
But are the people working with it secure?
OpenCart itself is secure. [quoted]
But are the people working with it secure? [quoted]
This should be used as OpenCart's sub-title.
Dedication and passion go to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
If you're going to leave outdated files on your server for any reason, at least move them to the folder above public_html or change the file permissions to 000 so they can't be modified.
Opencart Hosting Plans, Domain Registration, Microsoft and Google Email and More
Visit our website for great deals and most importantly, fast and friendly support - www.evolvewebhost.com
But not anymore, if for example other instances of WordPress with old code and not updated system are hosted on the same Server. [quoted]
Well, I never understood why some obviously add non-related 'Code' to an Onlineshop Site, regardless of what Software-Brand it might be. It's contrary to any Security Concept, especially when it comes to Code like WordPress and/or other popular Tools.
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
So this is only an issue if someone already has access to the filesystem?
In that case I'm not really sure how this is news?
Got a link?
The News?
1. OpenCart (besides Joomla, Prestashop) is mentioned - and affected!
2. Stealing customer data (credit card, bank, etc.) is not new, but a serious action
3. It cannot be written often enough: webstore owners, admins, staff (everybody who has access to the backend and server) must be aware of such risks
News?
Not really .. "business as usual" ..
Good for us (you, me and serious developers), bad for Storeowners.
So this is only an issue if someone already has access to the filesystem? [quoted]
Don't know, read the article - but I guess so.
Otherwise such scripts cannot be placed on a server.
.. but wait .. there is another option: getting extensions, templates, themes, etc. from unserious sites (because commercial extensions there are free ..) can lead to a security hole!
Not only one, but finally: one is enough!
A guy by the name of Krasimir Konov, whose job is "Sucuri's Malware Analyst who joined the company in 2014", writes a blog in which he recommends people to use the Sucuri WordPress Plugin that costs $199.99 per year, sold by the company he works for, and you don't really see the problem???
I'm sure Krasimir is a good guy, but are you familiar with the phrase "Conflict of interest"...
Oh, and just to make it a bit easier for you, the plugin does say:
Sucuri WordPress Plugin Compatibility [quoted]
Keep in mind that the Sucuri Security plugin requires WordPress version 3.6 or higher, and administrative privileges for installation. [quoted]
Do you think that would/could be wrong??
Sometimes, people try to sell bridges...
Over 95% of all computer problems can be traced back to the interface between the keyboard and the chair...
And another second ..
Nobody in the Article there said anything about Wordpress.
Nobody in the Article said something about any plugin.
Fine when you read more than it's written in the article, but irrelevant here.
I really don't know what your problem is?!
This company, those writers are nothing to me; I don't need them and never will need them in future.
So what do you want to tell me, us?
Your answer sounds like those people saying "Covid19" is nothing .. only another type of influenza.
Jesus Christ, man...
OSWorX wrote: ↑Fri Oct 09, 2020 11:13 am
And another second ..
Nobody in the Article there said anything about Wordpress.
Nobody in the Article said something about any plugin.
Fine when you read more than it's written in the article, but irrelevant here.
I really don't know what your problem is?!
This company, those writers are nothing to me; I don't need them and never will need them in future.
So what do you want to tell me, us?
Your answer sounds like those people saying "Covid19" is nothing .. only another type of influenza.
YOU posted the link to the article in your first post!! Did you read the entire article???
I don't have a problem reading an English article to the end, where the link for the purchase of the plugin is provided..
I don't have a problem in seeing that the article is just an articulated way of advertising their plugins..
Maybe, I'm not the one with the problem here..
Here, this is the link you posted in your first post, but this time just read it to the end and then click on the link provided there...
Read the full article here
I have read the full article, but why should I click on a link that leads me to a plugin I do not need?
Burt65 wrote: ↑Fri Oct 09, 2020 2:57 pm
YOU posted the link to the article in your first post!! Did you read the entire article???
I don't have a problem reading an English article to the end, where the link for the purchase of the plugin is provided..
I don't have a problem in seeing that the article is just an articulated way of advertising their plugins..
.. but this time just read it to the end and then click on the link provided there...
If you do that, it's your fault.
And that they want to sell their services, why not - I do not get anything from them.
Moreover, services like that (as so many others) are calculating with the "stupidity" of too many users.
But this is their (the users') own fault.
If website owners would keep an "eye" on their own security, not editing server settings they don't know what they are for, not installing extensions from insecure sites, they would not need services like them.
As said, not everybody can be a server admin, technician or developer; better they sell their goods and leave that business to the professionals.
The "Web" would be more secure ..
p.s.: this article and their website is like this here: OpenCart Blog (basically no difference).
Everybody wants to sell everything .. that's why most of the people are here ..
You should have clicked on the link so as to have an actual understanding of what the author was aiming at, and more importantly, his targeted audience.. people that use WP, not people that simply use OpenCart. That's why both myself and Paul didn't see this as "news". It definitely doesn't need to be in the announcements, unless you are getting a share of the profit for advertising the plugin on Sucuri's behalf!
Again, it is not a service, it is an unnecessary plugin that will set you back $199.99 per year!
Oh I see, so now you are explaining to me what a blog is, after I just pointed out to you that it wasn't "news" but just an advertisement blog...
OSWorX wrote: ↑Fri Oct 09, 2020 4:52 pm
p.s.: this article and their website is like this here: OpenCart Blog (basically no difference).
Everybody wants to sell everything .. that's why most of the people are here ..
You are a funny man.. full of contradictions, but funny