Interspire Forum
#1, 11-18-2011, 04:09 PM
VPO (Interspire Customer; Join Date: Feb 2011; Posts: 26)

Malicious Code Injection, ISC 6.1.1

We got an e-mail this week from someone who received a security warning upon going to one of the pages in our site. Checking with our host, they found that there was some sort of encoded injection on that page. Taking that code and searching for how many files were injected, we got a list of 155 files.

The attack targeted the master template files for the shopping cart. Our host has suggested that we update to the cart's most recent version (not possible) and check the forums to see if there's a security patch. Does anyone know whether such a thing is available, or anyone else have the problem?
#2, 11-18-2011, 06:57 PM
Scott Smithwick (Interspire Staff, Customer Service; Join Date: Jul 2008; Location: Austin; Posts: 169)

Quote (originally posted by VPO):
We got an e-mail this week from someone who received a security warning upon going to one of the pages in our site. Checking with our host, they found that there was some sort of encoded injection on that page. Taking that code and searching for how many files were injected, we got a list of 155 files.

The attack targeted the master template files for the shopping cart. Our host has suggested that we update to the cart's most recent version (not possible) and check the forums to see if there's a security patch. Does anyone know whether such a thing is available, or anyone else have the problem?
Security patches are included with each update released. You can check this log to see if your error was already corrected:
https://www.interspire.com/forum/showthread.php?t=18540

You would need to renew your support to access the latest version.
__________________

Scott Smithwick
Interspire Manager
Toll-Free: 1 800 939 5570
US: 1 512 758 7618

"Web Software Inspired by You"
http://www.interspire.com/
#3, 11-18-2011, 07:18 PM
VPO (Interspire Customer; Join Date: Feb 2011; Posts: 26)

Thanks for your reply, Scott. I looked at the change logs but I didn't see anything there, unless I missed it.

In any event, I have a hard time with the idea that I would need to purchase an (expensive) year of additional support to acquire a security patch or bug fix, when there's otherwise no reason - like significant upgrades/improvements to the cart - to re-up the support.

It looks to me like most of what's been done since 6.1.1. has been tweaks and bug fixes. I honestly don't know why security patches fixes wouldn't be made available to customers for free - they're corrections to a product someone has already paid for. I always thought the cost of re-upping with ISC was very high, but at least there were relatively significant new releases available during the year that could give your cart new functionality. Fixes and patches are an entirely different matter and should be handled differently, in my opinion.
#4, 11-19-2011, 06:23 AM
SeanPaul89 (Junior Member; Join Date: Nov 2011; Posts: 4)

This sounds very alarming to me since I keep getting this. What should I do?
#5, 11-19-2011, 12:58 PM
websnail (Interspire Customer; Join Date: Jul 2008; Posts: 1,548)

EDIT: Sorry... I PM'd someone else and got mixed up...

VPO... Could you please send me a PM with the information regarding the injection and files affected so I can check into this please.
__________________
ShoppingCartCommunity - Community Forum, Mods, Hacks, Add-ons & a growing KB (was InterspireD)
SnailSolutions Mod Shop - for Royal Mail Adv, Max Chars, Currency Converters, etc...
Web Mollusc appreciation fund (Paypal: info [at] websnail.net)

#6, 11-19-2011, 03:22 PM
VPO (Interspire Customer; Join Date: Feb 2011; Posts: 26)

SeanPaul - not sure what you mean that you "keep getting this." You keep having incidents of malicious code injections?

Websnail - sent you info in 2 PM's. Can also send you a text list of affected files if you want.
#7, 11-19-2011, 03:42 PM
websnail (Interspire Customer; Join Date: Jul 2008; Posts: 1,548)

Quote (originally posted by VPO):
Websnail - sent you info in 2 PM's. Can also send you a text list of affected files if you want.
Thanks for the information...

I did some digging in the changelog to 6.1.6 and can't find any mention of any exploit since version 6.0.11, and that doesn't explain what was changed.

As I mentioned in my PM reply, it's more likely that the code was injected as part of insecure FTP or file/folder permissions, so it's worth reviewing the problem with your host and asking if they have any suggestions. mod_security is a big help in fending off these kinds of attacks as well, though.


Worth noting that the code you forwarded to me was complicit in a WordPress exploit that used an SQL injection to attack some plugins. Whether that indicates there's an SQL injection exploit somewhere in the Interspire code is hard to say, but somehow I doubt we'll get a reply on this.
__________________
ShoppingCartCommunity - Community Forum, Mods, Hacks, Add-ons & a growing KB (was InterspireD)
SnailSolutions Mod Shop - for Royal Mail Adv, Max Chars, Currency Converters, etc...
Web Mollusc appreciation fund (Paypal: info [at] websnail.net)

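The two defensive steps the thread describes are (a) taking the injected snippet and searching the whole install for every file that carries it, as in post #1, and (b) checking whether loose file/folder permissions could have let the code be written in the first place, as post #7 suggests. The following Python script is an added example written for this thread, not code from Interspire, websnail or the original poster. It does not use the actual payload from the thread (which is not shown); the INJECTION_PATTERNS regexes are constructed generic indicators of encoded injections, and the miniature store tree it builds in a temporary directory (template names, a `%%Panel.Header%%` placeholder, an `includes/footer.php`) is constructed sample data.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed indicators of an encoded injection in template/PHP/JS files.
# These are generic examples; the thread does not show the real payload.
INJECTION_PATTERNS = [
    re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    re.compile(r"<script[^>]*>\s*eval\s*\(\s*(?:unescape|String\.fromCharCode)\s*\("),
]

# Only files of these types are scanned; adjust to the install being audited.
TEMPLATE_SUFFIXES = {".html", ".tpl", ".php", ".js"}


def find_injected(root):
    """Walk `root` and return sorted relative paths of template-type files that
    contain any INJECTION_PATTERNS (the 'how many files were injected' step)."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TEMPLATE_SUFFIXES:
            continue
        text = path.read_text(errors="replace")
        if any(p.search(text) for p in INJECTION_PATTERNS):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def world_writable(root):
    """Return sorted relative paths under `root` (root itself as '.') whose mode
    grants write to 'other' (o+w): the loose permissions post #7 suspects."""
    root = Path(root)
    loose = []
    for path in [root, *root.rglob("*")]:
        if path.stat().st_mode & stat.S_IWOTH:
            loose.append(path.relative_to(root).as_posix() or ".")
    return sorted(loose)


def build_sample_store(base):
    """Create a constructed miniature store: clean and injected templates plus
    one deliberately world-writable template directory. Modes are set
    explicitly so the result does not depend on the process umask."""
    base = Path(base)
    tpl = base / "templates" / "__master"
    tpl.mkdir(parents=True)
    inc = base / "includes"
    inc.mkdir()
    files = {
        tpl / "default.html": "<html><body>%%Panel.Header%%</body></html>\n",
        tpl / "checkout.html": '<html><body><script>eval(unescape("%3Cscript%3E..."))'
                               "</script></body></html>\n",
        inc / "footer.php": '<?php eval(base64_decode("ZWNobyAx")); ?>\n',
        base / "readme.txt": "eval(base64_decode( is only mentioned in prose here\n",
    }
    for path, body in files.items():
        path.write_text(body)
        os.chmod(path, 0o644)
    for d in (base / "templates", inc):
        os.chmod(d, 0o755)
    os.chmod(tpl, 0o777)  # the loose directory the audit should flag
    return base


def audit(root):
    """Combine both checks into one report."""
    return {"injected": find_injected(root), "world_writable": world_writable(root)}


def run_demo():
    """Build the constructed store in a temp dir, audit it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        return audit(tmp)


if __name__ == "__main__":
    report = run_demo()
    print("Injected templates:   ", report["injected"])
    print("World-writable paths: ", report["world_writable"])
```

Run against a real install, `audit("/path/to/store")` lists the files to restore from a known-clean copy and the directories whose permissions should be tightened; the `readme.txt` case shows why the scan is limited to executable template types, so a mention of the pattern in documentation is not reported as a hit.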
#8, 11-19-2011, 09:29 PM
cupargarden (Interspire Customer; Join Date: Nov 2009; Posts: 549)

I'm afraid this isn't the only insecure area of the software. Whilst Interspire are currently blackmailing me, in effect, into paying for a support contract JUST to update the license, I don't want, need or will ever have a purpose for future versions of Interspire, ever. I'll hold this post for a few days; if there is no favourable response from Interspire, I'll post EVERYTHING right here. This is not a threat, but a promise.
#9, 11-21-2011, 12:36 PM
websnail (Interspire Customer; Join Date: Jul 2008; Posts: 1,548)

Can I just repeat my request for those aware of whatever this/these exploit(s) are to please contact me either by PM or via support (at) Snailsolutions co.[uk] so I can review the information and do some research with a view to providing a fix that does not require:

a) public dispersal of an exploit that seriously damages those who are still using the software.

b) the payment of a ransom or similar just to obtain said fix.


As much as anything else I want to verify whether there is a cause for concern or not and if it is, find a solution so I can get some sleep over the coming weeks/months.

Thank you in advance.
__________________
ShoppingCartCommunity - Community Forum, Mods, Hacks, Add-ons & a growing KB (was InterspireD)
SnailSolutions Mod Shop - for Royal Mail Adv, Max Chars, Currency Converters, etc...
Web Mollusc appreciation fund (Paypal: info [at] websnail.net)
#10, 12-21-2011, 04:13 PM
Kurtd (Interspire Customer; Join Date: Jan 2009; Location: USA; Posts: 767)

It looks like they released 6.1.8 and the only change was security fixes?? I wonder how serious the security holes are in 6.1.1? https://www.interspire.com/forum/showthread.php?t=18847
__________________
Vote for Preorder \ Backorder Functionality
http://ideas.interspire.com/pages/sh...-functionality

Vote for better shipping calculations, multiple boxes, etc.
http://ideas.interspire.com/pages/35...oxes?ref=title