Critical Security Patch: September 30, 2015

Last Updated: Sep 29, 2015 03:37PM EDT

Contents

Installing Security Patch 20150930

What is new in Security Patch 20150930

About the vulnerability

Addressing the vulnerability

Consequences of a breach

Likelihood of a breach

Identifying a breach

Securing your store

Contacting your customers


Installing Security Patch 20150930

This patch contains a database update. Please read this section carefully.

Before you do anything else, regardless of whether your store appears to have been breached, and even if you have already installed security patch 20150820, install this patch by uploading the ProductCart files made available to you via the "Check for Updates" page in your control panel. A support and updates plan is not required to download this patch; files are available for v4.1+ and v5+. All v4.0 and earlier stores are deprecated and should upgrade immediately.

  1. Download the patch via the "Help > Check for Updates" link in your control panel.
  2. Upload the files to your store as described here.
  3. Run the database update script:
    • Log into your control panel.
    • From the main menu, replace "menu.asp" in the URL with "upddbPCD.asp".
    • Press Enter to direct your browser to the new page.
    • Follow the onscreen instructions to update your database.
  4. Come back to this document and read the rest of it: it is very important that you do so.

What is new in Security Patch 20150930

This patch is a roll-up of all previously released security patches and also includes an important new feature: ProductCart Defender, built to help keep your store safe 24/7 without requiring you to install complicated security patches. Learn more

About the vulnerability

This security patch is a roll-up of previous patches, but also includes a new feature called ProductCart Defender.  It addresses the following vulnerabilities:

  • SQL Injection
    This is the same type of vulnerability that was addressed with security patch 20150731 and security patch 20150820. In this specific SQL Injection attack, the hacker attempts to inject a new user account with control panel access into the store’s database. If the attack is successful the hacker would have access to all data and capabilities available to the store owner.
  • Information Disclosure
    This vulnerability allows a hacker to discover the name of the control panel folder even if it has been renamed from the default "pcadmin" to something random.
  • File MIME Type Spoofing
    This vulnerability allows a hacker to upload malicious scripts disguised as an image file via a technique known as MIME spoofing. The hacker must first gain access to the control panel via the previously mentioned "SQL Injection" in order to exploit this vulnerability.
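
The SQL Injection item above describes input reaching the database as SQL syntax. The following added example (not ProductCart code; the table name, column names and the lookup query are placeholders, and Python's sqlite3 stands in for classic ASP/ADO against SQL Server) shows the vulnerable string-concatenation pattern next to the parameterized form that neutralizes it. The same crafted value that adds an admin row through the first query is treated as plain data by the second.

```python
import sqlite3


# Constructed stand-in for the store database. The real ProductCart schema is
# not on this page, so the table and column names are placeholders.
def make_store_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cp_users (username TEXT, password TEXT, is_admin INTEGER)")
    con.execute("INSERT INTO cp_users VALUES ('owner', 'correct horse', 1)")
    con.commit()
    return con


def lookup_unsafe(con, username):
    """Vulnerable pattern: the request value is pasted into the SQL text.

    executescript() stands in for a driver that runs every statement in the
    batch, as ADO against SQL Server does; that is what lets a crafted value
    append an INSERT that creates a control panel account. The query's own
    result is discarded because the damage is the side effect on the table.
    Returns the SQL that was actually executed, for inspection.
    """
    sql = "SELECT username FROM cp_users WHERE username = '%s'" % username
    con.executescript(sql)
    return sql


def lookup_safe(con, username):
    """Hardened form: fixed SQL text, value passed as a bound parameter, so a
    quote or semicolon in the input is data and never syntax."""
    rows = con.execute(
        "SELECT username FROM cp_users WHERE username = ?", (username,)
    ).fetchall()
    return [r[0] for r in rows]


def admin_accounts(con):
    """Sorted names of every account with control panel (admin) rights."""
    rows = con.execute("SELECT username FROM cp_users WHERE is_admin = 1 ORDER BY username")
    return [r[0] for r in rows]


# Constructed input of the textbook shape: close the open string literal, add
# a statement, then open a new literal so the template's closing quote is
# consumed by a harmless final SELECT.
INJECTED_USERNAME = "x'; INSERT INTO cp_users VALUES ('intruder', 'pw', 1); SELECT 'x"


def demo():
    """Run both variants on fresh databases; return (vulnerable, hardened) admin lists."""
    vulnerable = make_store_db()
    lookup_unsafe(vulnerable, INJECTED_USERNAME)
    hardened = make_store_db()
    lookup_safe(hardened, INJECTED_USERNAME)
    return admin_accounts(vulnerable), admin_accounts(hardened)


if __name__ == "__main__":
    print(demo())  # (['intruder', 'owner'], ['owner'])
```

The hardened query is the durable fix: a request filter such as the one the patches add can block known payload shapes, but only binding values as parameters removes the class of bug, which is why both controls belong in place.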

We will cover “Addressing the vulnerability”, “Identifying a breach”, and “Consequences of a breach” later in this article.

Addressing the vulnerability

When we first became aware of the vulnerability, our primary goal was to release, as quickly as possible, a patch that would effectively prevent stores from being breached. We believe that blocking the SQL Injection denies the hacker the ProductCart Control Panel access that is required to exploit the image upload via "File MIME Type Spoofing". On July 31, 2015 we posted security patch 20150731, which was designed to block the known attacks at that time. On August 20, 2015 we posted security patch 20150820, which further improved the security filter with the goal of blocking all future attacks. With this current patch we are introducing a new feature that will allow us to deliver automatic updates to the security definitions, which will allow us to respond quickly to future attacks without having to issue software patches.

Although our tests indicate that these updated files will prevent future breaches from happening, they will not stop an existing breach from being exploited. For this reason, it is imperative that you read the rest of this document and follow the instructions included in it.
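
The second half of the attack chain relies on an upload form that trusts the client's declared image type. As an added example (not ProductCart's upload code; the accepted formats, the function name and the sample files are assumptions), this validator rejects the disguises the article lists, including the "name.asp;.jpg" form, and only accepts a file whose bytes actually begin like the image its name claims.

```python
# Leading bytes of the image formats the upload form is meant to accept.
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
ALLOWED_MIME = {"image/jpeg", "image/gif", "image/png"}
# Extensions IIS maps to the ASP script engine; never acceptable anywhere in a name.
SCRIPT_EXTENSIONS = {"asp", "asa", "cer", "cdx", "aspx", "ashx", "asmx"}


def validate_image_upload(filename, declared_mime, data):
    """Return (accepted, reason) for one uploaded file.

    The declared MIME type comes from the client, so it is only a coarse first
    filter; the decision rests on the file name and on the bytes themselves.
    """
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return False, "path separator or NUL byte in file name"
    # IIS 6 served "x.asp;.jpg" as x.asp, so a semicolon is never acceptable.
    if ";" in filename:
        return False, "semicolon in file name"
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        return False, "file name must be name.ext with exactly one extension"
    ext = parts[1]
    if ext in SCRIPT_EXTENSIONS:
        return False, "script extension"
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not in the image allowlist"
    if declared_mime not in ALLOWED_MIME:
        return False, "declared MIME type is not an accepted image type"
    # The decisive check: the content must begin like the image the name claims.
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match the %s signature" % ext
    return True, "ok"


# Constructed uploads (not real store data): two sound images, then the
# disguises the article describes, each with a client-declared image MIME type.
SAMPLE_UPLOADS = [
    ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("shell.jpg", "image/jpeg", b"<% ' script with an image extension %>"),
    ("shell.asp;.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"),
    ("shell.asp.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"),
    ("../shell.jpg", "image/jpeg", b"\xff\xd8\xff\xe0"),
]


def check_samples():
    """Map each sample file name to the validator's verdict."""
    return {name: validate_image_upload(name, mime, data)
            for name, mime, data in SAMPLE_UPLOADS}


if __name__ == "__main__":
    for name, (ok, why) in check_samples().items():
        print("%-16s %s  (%s)" % (name, "accept" if ok else "REJECT", why))
```

A magic-byte check stops a script file that merely carries an image extension, but not a polyglot that begins with a genuine image header and carries script further in. That is why the "web.config" step under "Securing your store", which keeps the web server from executing anything in the upload folders, is the necessary second layer.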

Consequences of a breach

If the attacks are successful the hacker would have access to a store’s ProductCart Control Panel and would be able to upload malicious files disguised as images.

With regard to a ProductCart-powered store, a hacker may be able to:

  • Download customer information. (e.g. emails and passwords)
  • Capture credit card information at the time an order is submitted, if the credit card information is entered on a form hosted by the store. (i.e. this does not apply to alternative checkout methods such as PayPal Advanced, PayPal Express Checkout, PayPal Standard, 2Checkout, and WorldPay).

Likelihood of a breach

At the time of this writing, we believe that preventing the initial database injection from occurring is the key to maintaining data integrity. In other words, blocking the point of entry denies the hacker the control panel access that is required to exploit the image upload via "File MIME Type Spoofing". We addressed the specific SQL Injection attack with security patch 20150731 on July 31, 2015 (also included with this latest patch). If you have already applied the first patch, the likelihood that your data could be compromised is lessened significantly. The risk was further mitigated by applying security patch 20150820 and implementing the recommended security "Best Practices" explained below. The latest patch, security patch 20150930, when combined with a support and updates plan represents the best protection available; it will allow your store to receive updated security filter definitions without having to install any new software updates.

Unfortunately there is no way to fully rule out the possibility of a breach, due to the many factors involved. We have responded as fast as possible; the sooner you install the patch, the more the likelihood of a breach is reduced.

Identifying a breach

Unfortunately there is no automated way to detect whether a malicious file has been uploaded to your store. This is typically a “silent hack” (i.e. the hacker is interested in remaining stealthy in order to capture sensitive information over time, such as credit card numbers), so you might not have noticed anything different in the running of your store.
In order to identify a breach we recommend doing the following…

Searching for malicious files

List of upload folders

The following folders receive uploaded files in ProductCart, via different features:
  • pc/images (e.g. image buttons and icons)
  • pc/images/pc (e.g. image buttons and icons)
  • pc/catalog (e.g. product images)
  • pc/Library (e.g. help desk files)
  • pc/Tax (e.g. tax files)
  • pc/Themes (e.g. theme files)

Visual review

  1. Connect to the store using FTP or Remote Desktop Connection.
  2. Navigate to the “pc” folder.
  3. Make note of each file's modified date. Note that hackers can manipulate file dates, so this is not a catch-all. However, a recently modified file is a sure indicator that a file was edited, so make note of recent, unfamiliar file changes.
  4. To narrow things down further, do you see any recently modified files that start with the letters “gw”? If so, immediately remove those files, close the store, and file a support ticket with NetSource. We will provide you with the original versions of those files. Continue with the following steps...
  5. Navigate to the "includes" folder. Again, noting each file's last modified date, do you see any recently modified files? If so, file a support ticket with NetSource. We will provide you with the original versions of those files. Continue with the following steps...
  6. Does the "includes" folder contain a file named "pcCheckLicense.asp" or "checkLicense.asp"? If so, file a support ticket with NetSource and we'll assist with the remaining visual inspection.
  7. Visit all of the folders listed above under "List of upload folders". For each of the upload folders (and their sub folders), look for files that end with:
    • *.asp
    • *.asp;.jpg
    • *.asp;.gif
    • *.asp;.png
    • *.asp;.csv
    • *.asp;.xls
    • *.asp;.txt
    • *.asp;.doc
    • *.asp;.htm
    • *.asp;.pdf
    • *.asp;.zip

Remove any files that match these criteria. For example, a potentially malicious file in the images folder may have the file name “default.asp” or “log.asp”. Based on accounts from breached stores we have a list of paths where malicious files were saved. Please don't skip checking any sub folders, especially the following file paths:
  • pc\images\highslide\outlines\_notes\default.asp
  • pc\images\highslide\outlines\pd.asp
  • pc\images\highslide\outlines\log.asp
  • includes\checkLicense.asp

If you did not find any files that matched the criteria mentioned above, the likelihood of a breach is limited. Still, it is very important to continue and perform a source code search...

Source code search

  1. Download the entire site via FTP, including all ProductCart and non-ProductCart folders and files. Depending on the number of folders and files, the FTP process will likely take some time, but it is important to download all files from the site, since the hacker may have moved the file management shell to a different folder (outside of ProductCart).
  2. Launch a utility that allows you to search file content. Programs that you can use include the search utility built into Adobe Dreamweaver, or a free program such as Search My Files. If you are a web host and need a tool to search large directories, you may try PowerGrep or AstroGrep.
  3. Do a source code (all file content) search on the ProductCart directory for the following strings:
    1. ("QUERY_STRING")="x=a"
    2. #@~^ivICAA
    3. ProcessSignature(Signature)
    4. EnCryptGo
  4. When you run the search, the search utility should locate zero matching ProductCart files.
  5. If it locates any file(s):
    1. Has your store been customized? If so, and if you believe the file could have been placed there by the developer who worked on those customizations, check with that developer. The file date could indicate whether that is the case.
    2. Otherwise, remove the file immediately. Do not rename the file!
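
The visual review and the source code search above can be run as one pass over the site tree you downloaded via FTP. The following added script (not a NetSource tool; the folder list, name patterns, reported paths and content strings are taken from this article, while the sample site it builds is constructed for the demonstration) walks the tree and reports every file that matches a listed pattern, sits at one of the reported paths, is a recently modified "gw" file, is a license-check file in an "includes" folder, or contains one of the four search strings.

```python
import os
import re
import tempfile
import time

# Folders the article lists as upload targets (pc/images/pc sits under pc/images).
UPLOAD_FOLDERS = ("pc/images", "pc/catalog", "pc/Library", "pc/Tax", "pc/Themes")

# Script files, and script files hidden behind a second extension ("x.asp;.jpg"),
# exactly the name patterns listed in the visual review.
SUSPECT_NAME = re.compile(r"\.asp(;\.(jpg|gif|png|csv|xls|txt|doc|htm|pdf|zip))?$",
                          re.IGNORECASE)

# Paths the article reports from breached stores (compared case-insensitively).
KNOWN_PATHS = {
    "pc/images/highslide/outlines/_notes/default.asp",
    "pc/images/highslide/outlines/pd.asp",
    "pc/images/highslide/outlines/log.asp",
    "includes/checklicense.asp",
}
LICENSE_NAMES = {"pcchecklicense.asp", "checklicense.asp"}

# Content strings from the "Source code search" step.
CONTENT_SIGNATURES = (b'("QUERY_STRING")="x=a"', b"#@~^ivICAA",
                      b"ProcessSignature(Signature)", b"EnCryptGo")


def scan_site(root, recent_days=30, now=None):
    """Walk a downloaded site tree; return sorted (relative_path, reason) pairs."""
    now = time.time() if now is None else now
    findings = {}

    def flag(rel, reason):
        findings.setdefault(rel, []).append(reason)

    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            low = rel.lower()
            in_upload = any(low.startswith(f.lower() + "/") for f in UPLOAD_FOLDERS)
            recent = now - os.path.getmtime(full) < recent_days * 86400

            if in_upload and SUSPECT_NAME.search(name):
                flag(rel, "script file in upload folder")
            if low in KNOWN_PATHS:
                flag(rel, "path reported from breached stores")
            if recent and name.lower().startswith("gw"):
                flag(rel, "recently modified gw* file; compare with original")
            if os.path.basename(dirpath).lower() == "includes" and name.lower() in LICENSE_NAMES:
                flag(rel, "license-check file in includes folder")
            with open(full, "rb") as fh:
                data = fh.read()
            for sig in CONTENT_SIGNATURES:
                if sig in data:
                    flag(rel, "contains signature " + sig.decode("ascii"))

    return sorted((rel, r) for rel, reasons in findings.items() for r in reasons)


def build_sample_site():
    """Constructed sample tree (not real store data) mixing clean and suspect files."""
    root = tempfile.mkdtemp(prefix="pc_scan_")
    sample = {
        "pc/catalog/product1.jpg": b"\xff\xd8\xff\xe0 fake jpeg body",
        "pc/catalog/photo.asp;.jpg": b"<% ' script hidden behind an image extension %>",
        "pc/images/highslide/outlines/log.asp": b"<% x = EnCryptGo(\"...\") %>",
        "includes/checkLicense.asp": b"<% ' unexpected file %>",
        "pc/includes/pcLogin.asp": b"<% ' untouched ProductCart file %>",
        "pc/gwOrder.asp": b"<% ' recently modified, review against original %>",
        "pc/Themes/default/style.css": b"body { margin: 0 }",
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Scan the constructed sample site and return its findings."""
    return scan_site(build_sample_site())


if __name__ == "__main__":
    for rel, reason in run_demo():
        print("%s: %s" % (rel, reason))
```

Point `scan_site` at the root of the FTP download rather than at the "pc" folder alone, since the article notes the shell may have been moved outside ProductCart. The "gw" rule is deliberately noisy: files you just replaced while installing a patch will show up too, so compare each hit with the original version rather than deleting on sight, and remember that a modified timestamp can be forged, so an empty report is not proof of a clean site.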

Change the existing password for ALL Control Panel User accounts

You can find your user accounts under the control panel menu option "Settings > Advanced Settings > Manage Control Panel Users". Review the list and change the password for all Sub User and Primary Admin User Accounts (delete any Sub User Accounts that are no longer necessary).

Searching for unusual database tables

When we posted the first patch in July we mentioned that at the time of writing the article we were aware of a single store being breached. Since that time other breaches have been reported. In all of those cases the hacker created a table called “pcEventDetails”. If you have this table, then you were likely compromised and the table should be removed. Additionally, it would be necessary to update the SQL database password in your connection string. We will cover password changes below.

Securing your store

Please carefully review and complete the following steps to secure your store. Regardless of whether your store has been compromised, you must upload all patches. We also recommend taking the additional steps below as a precaution:

Follow these steps to improve security, if your store was breached:

Follow these steps to improve security, regardless of whether your store was breached:

  • Use a “web.config” file to protect upload directories. Click here
  • Contact your Web Host and make sure your site is on a server running IIS7 or higher.
  • Implement as many "Best Practices" as possible within your hosting environment:
    • Security Recommendations for MS SQL Database. Click here
    • Rename your control panel directory. Click here

Contacting your customers

Consumer privacy regulations in your state or country may require that you contact your customers when an event has occurred that suggests that their confidential information might have been compromised. Regulations differ in different states and countries.

You can find extensive information on this topic on the Internet.

For example:
