Today I noticed an unusual program listening on one of the web servers that I managed. Upon investigating, I found out that the attacker was able to gain access through a program called cpCommerce that one of our customers had installed.
I was able to pretty quickly identify the security hole and hacked up the PHP code so that it wouldn’t work again. I then downloaded the latest release of this program and took a look at it to see if the bug had been fixed…and it hadn’t.
So, I headed over to their site to submit a bug report. Although, since it’s a security problem, I didn’t want to post all of the detail publicly so that it could be exploited further. After a little bit of fighting with their forum software, I was able to send the developer all of the details, and he has since posted a patch for the program.
I’m not familiar with the program, but it doesn’t look like the patch is just a hack-job either. It looks like it was fixed correctly in a way that would possibly prevent other similar scripts in the program from having the same problem.
http://cpcommerce.cpradio.org/forums/index.php/topic,3430.0.html
Nice job Brandon, it’s always nice to see people contributing back to the open source community! Did the developer use your patch or create his own?
My patch was just a quick regular expression check on the abused variable. The author’s patch was more in-depth. It made sure the script wasn’t called directly (it was meant to be included as part of a whole page). It also looks like the variable was initialized correctly, so an attempt to pass the variable in using register_globals would no longer work.
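The two defenses described in the reply, a direct-access guard on the included script and explicit initialization of the variable, as an added illustration that is not cpCommerce's code or the author's patch; the file names, the `IN_SITE` constant and the `$page_id` variable are assumptions for the example.

```php
<?php
// Added example, not cpCommerce's code. File names, the IN_SITE constant
// and $page_id are assumptions chosen for illustration.

// ---- index.php: the page that is meant to be requested directly ----

// Marker that only the real entry page sets, before any include happens.
define('IN_SITE', true);

// Initialize the variable ourselves from the request and validate it.
// With register_globals = On, PHP would otherwise pre-populate $page_id
// from the query string; assigning it here means the injected value is
// never used as-is.
$page_id = isset($_GET['page_id']) ? $_GET['page_id'] : '';
if (!preg_match('/^[0-9]{1,6}$/', $page_id)) {
    $page_id = '';   // anything that is not a short numeric id is discarded
}

include 'includes/page.php';

// ---- includes/page.php: meant only to be included, never called directly ----

// Direct-access guard: a request for /includes/page.php never passes
// through index.php, so the marker is missing and the script stops here
// before any variable is touched.
if (!defined('IN_SITE')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access not permitted.');
}

// From this point $page_id is guaranteed to have been set by index.php
// from a validated source, regardless of the register_globals setting.
if ($page_id === '') {
    echo 'No page selected.';
} else {
    echo 'Rendering page ', htmlspecialchars($page_id, ENT_QUOTES, 'UTF-8');
}
```

Both parts are shown in one listing for readability; in a deployment they are two files, and the guard must sit at the top of every script that is only ever included.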