Critical Security Patch: December 13, 2016

Last Updated: Dec 15, 2016 08:28PM EST

Contents

Installing Security Patch 20161213

About the vulnerability

Addressing the vulnerability

Consequences of a breach

Likelihood of a breach

Identifying a breach

Securing your store

Locking Down the Control Panel

Contacting your customers


Installing Security Patch 20161213

This patch is an upgrade to ProductCart Defender, which was released as a critical security patch on September 30, 2015. If you are running v5.1.00, or below, and have not installed ProductCart Defender, then please download and install that patch first! All patches are available via “check for updates” in your ProductCart Control Panel.

Before you do anything else, and regardless of whether your store appears to have been breached, install this patch by uploading the ProductCart files made available to you via the "Check for Updates" page in your control panel. A support and updates plan is not required to download this patch, and files are available for v4.1+ and v5+. All v4.0 and earlier stores are deprecated and should be upgraded immediately.

  1. Download the patch via "Help > Check for Updates" link in your control panel.
  2. Upload the files that correspond to your version to their respective folders, as described here. Start by uploading the folders appended with the text "all versions" (e.g. v5.05 all versions).  Next, if you also use the Apparel or Conflict Management Add-On, you'll need to upload files associated with your add-on (e.g. v5.05 apparel add-on).
  3. If you were logged in during the install, close your browser after installing the patch to clear the old admin session.  When you reopen the browser you can log in with a fresh admin session.
  4. Come back to this document and read the rest of it: it is very important that you do so.

About the vulnerability

This security patch addresses the following vulnerabilities:

  • Information Disclosure
    This vulnerability allows a hacker to discover the name of the control panel folder even if it had been renamed from the default "pcadmin" to something random.
  • Session Manipulation
    This vulnerability allows a hacker to elevate control panel permissions, and then use injection to gain access to the control panel.

We will cover “Addressing the vulnerability”, “Identifying a breach”, and “Consequences of a breach” later in this article.

Addressing the vulnerability

When we first became aware of the vulnerability, our primary goal was to release, as quickly as possible, a patch that would effectively prevent stores from being breached. With this latest security patch we have added new features to ProductCart Defender with the goal of not only blocking future attacks but also detecting attacks while they are in progress.

This patch addresses the "Information Disclosure" and "Session Manipulation" vulnerabilities by restricting access to specific files and applying additional validation. It is imperative that you read the rest of this document and follow the instructions included in it.

Consequences of a breach

If the attacks are successful the hacker would have access to a store’s ProductCart Control Panel.

With regard to a ProductCart-powered store, a hacker may be able to:

  • Download customer information. (e.g. emails and passwords)
  • Capture credit card information at the time an order is submitted, if the credit card information is entered on a form hosted by the store. (i.e. this does not apply to alternative checkout methods such as PayPal Advanced, PayPal Express Checkout, PayPal Standard, 2Checkout, and WorldPay).

Likelihood of a breach

At the time of this writing, we believe the individual who reported this exploit gained access to several ProductCart stores.  The individual appears to be trying to sell the information back to the store, but claims they will not use this information for any further malicious purposes. We believe that all exploits related to this breach have been identified and closed. The risk will be further mitigated by implementing the recommended security "Best Practices" explained below.

Identifying a breach

Unfortunately there is no automated way to detect whether a breach has occurred, but in this case it appears that knowledge of the exploit was limited to a single individual.  This would typically be a “silent hack” (i.e. the hacker is interested in remaining stealthy in order to capture sensitive information over time), but in this case the individual has emailed the store owners alerting them of the breach.

If you received an email from the individual you should assume that your store was breached.  However, we recommend that all store owners complete the following…

Searching for malicious files

List of files used in this exploit

The following files may remain in your control panel directory after a breach.  If you find either of these files please remove them from your store, then submit copies to Technical Support:
  • admsettings.asp
  • adminasettings.asp
If you did not find any files that matched the criteria mentioned above, it does not mean you were not breached.  The files may have been removed after the attack. It is very important to continue and perform a source code search...

Source code search

  1. Download the entire site via FTP, including all ProductCart and non-ProductCart folders and files. Depending on the number of folders and files the FTP download will likely take some time, but it is important to download every file on the site, since the hacker may have moved the file-management shell to a different folder (outside of ProductCart).
  2. Launch a utility that can search file content. Programs you can use include the search utility built into Adobe Dreamweaver, or a free program such as Search My Files. If you are a web host and need a tool that searches large directories, you may try PowerGrep or AstroGrep.
  3. Do a source code (all file content) search over everything you downloaded (not only the productcart directory) for the following string: productcartexpert
  4. A clean store produces zero matching files.
  5. If the search locates any file(s) containing that string, please contact ProductCart Technical Support for assistance.
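The following script is an added example for this article; it is not part of ProductCart or the Defender patch. It automates the file-name check and the content search above against a local copy of the whole site (the FTP download from step 1), and adds a third check the article does not mention: a listing of recently changed server-side script files. The sample site tree it scans is constructed inside the script purely for a dry run. It assumes a POSIX shell with GNU or BSD find and grep on the machine doing the search.

```shell
#!/bin/sh
# Added example for the "Identifying a breach" procedure; not ProductCart code.
# Scans a downloaded copy of the site for the two indicators named in the
# advisory (the dropped file names and the string "productcartexpert") and
# lists recently changed script files as an extra check.

# scan_site DIR: print one line per indicator found under DIR plus a TOTAL line.
# Exit status is 0 when nothing matched and 1 when anything did.
scan_site() {
    root=$1
    report=$(mktemp)

    # Check 1: file names listed in the advisory. -iname because NTFS/IIS paths
    # are case-insensitive, so the file may have been dropped as AdmSettings.asp.
    find "$root" -type f \( -iname admsettings.asp -o -iname adminasettings.asp \) \
        | sed 's/^/FILE    /' >> "$report"

    # Check 2: content search over every file, not only *.asp and not only the
    # productcart folder, since the shell may have been moved or renamed.
    # -r recurse, -I skip binaries (images), -i ignore case, -l names only.
    grep -rIil 'productcartexpert' "$root" | sed 's/^/CONTENT /' >> "$report"

    hits=$(wc -l < "$report" | tr -d ' ')
    cat "$report"
    rm -f "$report"
    echo "TOTAL   $hits"
    [ "$hits" -eq 0 ]
}

# recent_server_files DIR [DAYS]: a third check that goes beyond the advisory.
# Lists server-side script files changed within DAYS days (default 30); a
# dropped shell is usually far newer than the rest of the store's code.
# Only meaningful if the FTP client preserved modification times on download,
# or when run on the server itself.
recent_server_files() {
    root=$1
    days=${2:-30}
    find "$root" -type f \( -iname '*.asp' -o -iname '*.asa' -o -iname '*.inc' \) \
        -mtime "-$days"
}

# make_sample_site: builds a constructed site tree for a dry run. One clean
# page plus the two kinds of indicator, planted deliberately.
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/productcart/pcadmin" "$d/images"
    echo '<% Response.Write("store front") %>' > "$d/productcart/default.asp"
    # planted: the dropped file name, in the control panel folder
    : > "$d/productcart/pcadmin/admsettings.asp"
    # planted: the marker string, hidden outside the productcart folder
    echo "<% ' productcartexpert shell stub %>" > "$d/images/logo.asp"
    echo "$d"
}

# Dry run against the constructed tree. For a real check, call
#   scan_site /path/to/ftp/download
if [ -z "$SCAN_NO_DEMO" ]; then
    site=$(make_sample_site)
    scan_site "$site" || echo "=> indicators found; submit copies to ProductCart Technical Support"
    rm -rf "$site"
fi
```

Run it against the root of the FTP download; a clean store prints only "TOTAL   0". Any FILE or CONTENT line is a hit: keep a copy of the file for Technical Support before removing it from the server.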

Change the existing password for ALL Control Panel User accounts

You can find your user accounts under the control panel menu option "Settings > Advanced Settings > Manage Control Panel Users". Review the list and change the password for all Sub User and Primary Admin User Accounts (delete any Sub User Accounts that are no longer necessary).

Securing your store

Please carefully review and complete the following steps to secure your store. Whether or not your store has been compromised, you must upload all patches. We also recommend taking the additional steps below as a precaution:

Follow these steps, regardless of whether your store was breached:

  • Delete all log files from the folder "CPLogs" contained in your control panel directory.
  • Change the passwords of all control panel users. click here
  • Update the Master User. click here
  • Enable a new feature in ProductCart Defender:  Lock Suspicious User Accounts
  • Using a “web.config” to protect upload directories. click here
  • Contact your Web Host and make sure your site is on a server running IIS7 or higher.
  • Implement as many "Best Practices" as is possible within your hosting environment:
    • Security Recommendations for MS SQL Database. click here
    • Rename your control panel directory. click here

Follow these steps to improve security if your store was breached:

Locking Down the Control Panel

The most effective way to protect against future attacks is to limit access to your control panel to specific computers or devices. We strongly recommend reading more about IP-based Security. This method is simple to implement and is available with most Web Hosts.

Click here to Lock Down the Control Panel.
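As an added example (not a file shipped with ProductCart), the site-root web.config below implements two of the items above in one place: the "web.config to protect upload directories" recommendation, and the IP-based lock-down of the control panel. The folder names are assumptions: "images" stands for each folder that accepts uploads, and "pcadmin" for your (renamed) control panel folder. The IP addresses are placeholders from the documentation ranges. Two caveats a host will recognise: on IIS 7 the requestFiltering section can be set from a site web.config by default, but the ipSecurity and handlers sections are locked in applicationHost.config until the host unlocks them for your site, and ipSecurity needs the "IP and Domain Restrictions" role service installed. If the store sits behind a proxy or CDN, the address IIS sees is the proxy's, not yours.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not a file from ProductCart. Place at the site root.
     "images" and "pcadmin" are placeholder folder names; the IP addresses
     are placeholders. Adjust before use. -->
<configuration>

  <!-- Upload directories: store files, never execute them. A web shell
       uploaded as "logo.asp" is then refused by IIS (HTTP 404.7) instead
       of being run. Denying an extension that is not mapped on your
       server is harmless, so the list errs on the long side. -->
  <location path="images">
    <system.webServer>
      <security>
        <requestFiltering>
          <fileExtensions allowUnlisted="true">
            <add fileExtension=".asp"  allowed="false" />
            <add fileExtension=".asa"  allowed="false" />
            <add fileExtension=".aspx" allowed="false" />
            <add fileExtension=".ashx" allowed="false" />
            <add fileExtension=".asmx" allowed="false" />
            <add fileExtension=".cer"  allowed="false" />
            <add fileExtension=".cdx"  allowed="false" />
          </fileExtensions>
        </requestFiltering>
      </security>
      <!-- Stronger still, if your host unlocks the handlers section for
           this site: drop script rights so no handler at all runs here.
           Left as a comment because it causes a 500.19 error while the
           section is locked.
           <handlers accessPolicy="Read" />
      -->
    </system.webServer>
  </location>

  <!-- Control panel: answer only the listed addresses. Everyone else gets
       403.6. List every office, home and VPN egress address you manage
       the store from; a single-address mistake locks you out as well. -->
  <location path="pcadmin">
    <system.webServer>
      <security>
        <ipSecurity allowUnlisted="false">
          <clear />
          <add ipAddress="203.0.113.10" allowed="true" />
          <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true" />
        </ipSecurity>
      </security>
    </system.webServer>
  </location>

</configuration>
```

After uploading, confirm the upload rule by requesting a harmless test file such as /images/test.asp (expect 404.7, not a rendered page), and confirm the lock-down by opening the control panel from a connection outside the allowed list (expect 403.6).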

Contacting your customers

No credit cards had been reported stolen at the time this article was written. However, consumer privacy regulations in your state or country may require you to contact your customers when an event has occurred that suggests their confidential information might have been compromised. Regulations differ between states and countries.

You can find extensive information on this topic on the Internet.
