Post by ASTRA Security Suite » Wed Sep 16, 2020 1:54 am

We've been tracing this pattern over the last couple of weeks where hackers send an email to store owners with screenshots of their database. And then they offer to disclose the vulnerability (with a detailed report) in exchange for money, of course.

After dealing with a few such cases, we realized there seemed to be a pattern/common traits among the compromised stores. The two common patterns found:

  • Pre order module installed
  • Journal theme

Technical details:

The hackers are exploiting the older versions of the PreOrder extension that had no validation implemented for the public function GetPreorderedProduct($product_id). This caused SQLi issues for the sites.

More details right here: https://www.getastra.com/blog/911/plugi ... ase-hacked (included the email hackers send)


On further inspection, turns out an older version of the Pre order module was the culprit. Version we've seen surface a couple of times was 2.9.3. We tried to check if the vulnerability exists in the latest version, thankfully it doesn't :)

Fix:
  • Update the PreOrder module by iSenselabs to the latest version. It's always good to use the latest versions regardless :)
  • Update Journal to the latest version.
  • For Astra Security users, SQLi is prevented by default. Always good to use a firewall :)

Cheers and stay safe!

- Shikhil

Spreading happiness while securing OpenCart websites with Astra Security Suite

Real-time protection against Credit Card Hack, SQLi, XSS, Malware, Bad Bots & 100+ cyber threats.
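Added illustration of the bug class described in the post above (not the PreOrder extension's code, which is not shown in this thread): a lookup that builds SQL from an unvalidated product ID next to a validated, parameterized version. The function names, table and columns, and the PDO/SQLite stand-in for OpenCart's database layer are assumptions made for the example.

```php
<?php
// Constructed stand-in for the shop database (in-memory SQLite, not OpenCart's DB class).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE preorder (product_id INTEGER, customer_email TEXT)');
$db->exec("INSERT INTO preorder VALUES (42, 'a@example.test'), (43, 'b@example.test')");

// Unvalidated pattern: the request value becomes part of the SQL text itself.
function getPreorderedProductUnsafe(PDO $db, $product_id): array
{
    $sql = 'SELECT * FROM preorder WHERE product_id = ' . $product_id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: accept only a positive integer, then bind it as a parameter.
function getPreorderedProductSafe(PDO $db, $product_id): array
{
    $id = filter_var($product_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT * FROM preorder WHERE product_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed tampered request value: a textbook tautology appended to a valid ID.
$tampered = '42 OR 1=1';

// The unsafe lookup returns every row in the table; the safe one returns none.
printf("unsafe, tampered input: %d rows\n", count(getPreorderedProductUnsafe($db, $tampered)));
printf("safe, tampered input:   %d rows\n", count(getPreorderedProductSafe($db, $tampered)));
printf("safe, valid input:      %d rows\n", count(getPreorderedProductSafe($db, '42')));
```

OpenCart core models conventionally cast numeric IDs with (int) and pass strings through $this->db->escape(); an extension method that skips both has the same exposure as the unsafe function here.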



Post by EvolveWebHosting » Mon Sep 21, 2020 2:37 am

Great catch of this! You guys do a great job of protecting websites.

Take a close look at our domain pricing. It's cheaper than most of the 'big name' registrars.
Detailed guide on how to install Opencart



Post by JNeuhoff » Mon Sep 21, 2020 6:16 pm

Update Journal to the latest version.
Or better, use a proper web theme instead of the Journal extension; the latter doesn't comply with OpenCart standards and will therefore be of a higher security risk, with unnecessary core engine file modifications.

Override Engine * Integrated VQMod * Unused Images Manager * Instant Option Price Calculator * Number Option * Google Rich Snippets * Google Tag Manager * Export/Import Tool * SpamBot Buster * Survey Plus




Post by OSWorX » Mon Sep 21, 2020 9:55 pm

Well, while ASTRA may do a good job, we should not forget that the extension from iSenselabs is not the only thing that can be the "evil".

Due to some work for new clients (who came to me because they had this problem too), I discovered that they had the script adminer installed.
adminer is a database tool - similar to phpMyAdmin.
See: https://www.adminer.org/en/

And these clients did not install that tool - some stupid and lazy developers before had used it.
And did not remove it.
What's more: the version they used had massive security holes - can be read here: https://github.com/vrana/adminer/blob/m ... hanges.txt

While this tool may help some developers to have temporary access to the database - what for ??? - it must be deleted afterwards.
So to all those users who are in need of a developer:
1. argue that you want to have a full changelog of what was done, what was repaired, what was used
2. the developer must delete/uninstall all external tools used
3. never give access (no matter through which tool) to your database - this data is yours, and nobody has to view it (see also the GDPR in such cases)
4. if the developer needs access to the database, he must argue why. And the shop owner has to verify that the data is NOT misused

If a shop is compromised because scripts like adminer are still left on the server, these webshop owners are entitled to indemnification.

Custom Development | Individuelle Entwicklung | Support & Bugfixes
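Added example, not part of the post above: a PHP CLI check a shop owner could run to list files under the web root that look like a leftover Adminer copy. The function name and demo tree are constructed; the header check assumes the single-file Adminer build carries a comment linking to adminer.org, which catches renamed copies.

```php
<?php
// Hypothetical helper: find PHP files that look like Adminer by filename or file header.
function findAdminerLeftovers(string $webRoot): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($it as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) !== 'php') {
            continue;
        }
        $byName = stripos($file->getFilename(), 'adminer') !== false;
        // Assumption: the first 4 KB of an Adminer build mention adminer.org.
        $head = (string) @file_get_contents($file->getPathname(), false, null, 0, 4096);
        $byHeader = stripos($head, 'adminer.org') !== false;
        if ($byName || $byHeader) {
            $hits[] = [
                'path'     => $file->getPathname(),
                'reason'   => $byName ? 'filename' : 'header',
                'modified' => date('c', $file->getMTime()),
            ];
        }
    }
    return $hits;
}

// Constructed demo tree standing in for a shop's web root.
$root = sys_get_temp_dir() . '/shop_' . uniqid();
mkdir($root . '/admin', 0700, true);
file_put_contents($root . '/index.php', "<?php // storefront\n");
file_put_contents($root . '/adminer-4.php', "<?php // constructed placeholder\n");
file_put_contents($root . '/admin/db.php', "<?php /** @link https://www.adminer.org/ */\n");

// Reports adminer-4.php (filename) and admin/db.php (header), but not index.php.
foreach (findAdminerLeftovers($root) as $hit) {
    echo "{$hit['path']}  ({$hit['reason']}, modified {$hit['modified']})\n";
}
```

Point `findAdminerLeftovers()` at the real document root to audit a live shop; the modification time helps match a hit against the dates a developer had access.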


Post by EvolveWebHosting » Tue Sep 22, 2020 12:33 am

JNeuhoff wrote:
Mon Sep 21, 2020 6:16 pm
Update Journal to the latest version.
Or better, use a proper web theme instead of the Journal extension; the latter doesn't comply with OpenCart standards and will therefore be of a higher security risk, with unnecessary core engine file modifications.

I personally agree but good luck stopping those that already have it and continue to use it. Since it's still being used, it's good that they caught this. Journal aside, Astra does great for all websites they protect.
