OpenCart recently had a security vulnerability
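This post was last edited by 雷洛 on 25-4-2010 06:13 PM
A website I recently set up for someone got infected with a virus. After searching online, I found out that OpenCart has a vulnerability, but it can be fixed.
Now my friend's site is infected, and Google Search shows a warning telling you not to enter the site.
Discussion on the official site: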
http://forum.opencart.com/viewtopic.php?f=20&t=13276
You should not see this in 1.4.7
It is a hack that was achieved from the dompdf class file which was announced here:
viewtopic.php?f=2&t=12925
That file was removed from 1.4.7 so unless you did an upgrade and didn't first remove that file, then you will need to remove it first:
system/helper/dompdf/dompdf.php
Below is the embedded JavaScript ...
then edit the welcome message in your system settings in source mode and remove all instances of the line:
<iframe width=0 height=0 style='display:none' src="http://adsxxxxxxxx.net/in.cgi?2"></iframe>
Original poster | Posted on 25-4-2010 06:20 PM
http://forum.opencart.com/viewtopic.php?f=2&t=13519
3rd Party Library Malware Warning: dompdf
by Qphoria » Fri Apr 16, 2010 2:00 pm
This is just a better summary of the dompdf injection script issue including what it is, what caused it, how to check for it, what it does, and how to fix it.
What Is it?
OpenCart includes a few other 3rd party opensource classes in the core that are NOT coded by the OpenCart team. One of them is a pdf library that allows PDF files to be created on-the-fly called "dompdf". This class was added a while back with plans to use it for PDF Invoices. But it has not been used by the core yet. Recently it seems that a hacker found an exploit in the dompdf code that allows it to access the opencart database and filesystem from within, and inject some code onto your site.
What does it do?
The exploit simply adds an iframe to your page which appears to be an ad script designed to show ads on your site. This ad url has been red flagged by most Antivirus updates so it triggers the page blocking.
How to check for it? (All versions)
Checking to see if you've been injected is easy.
1. Load your store in any browser
2. Right click and choose "View Source"
3. Search the source (Ctrl+F) for "iframe"
4. If you see something like:
<The original URL carries a virus, so I changed it>
<iframe width=0 height=0 style=\'display:none\' src="http://adsXXXXXXXXX.net/in.cgi?2"></iframe>
Then the exploit has been run on your site.
How to fix it?
Remove the exploitable File first
1. Go to your FTP and find the system/helper folder. Inside that folder is a folder called "dompdf"
2. Delete that folder
Earlier it was believed that only the dompdf.php file inside was faulty, but new information shows that there are other files in that folder that can also be used to exploit. So it is best to remove the entire folder.
Remove the injected code from your site:
The script has shown that it can inject in 2 ways:
1. In the Welcome Message on the homepage
2. In the Footer
It is best to check both places
For the Welcome Message:
1. Go to the admin page and Edit the System->Settings
2. In the welcome message editor, choose "SOURCE"
3. Search for the iframe code above and remove all instances of it
For the Footer:
1. Log into your FTP client
2. Edit: catalog/view/theme/YOURTHEME/template/common/footer.tpl
3. Search for the iframe code above and remove all instances of it
4. Save and Upload the changes
How did it happen?
The "dompdf.php" file accepts an input file as part of the url. This file then gets turned into a pdf file.
Example:
http://www.example.com/shop/dompdf/dompdf.php?input=filename.txt
The code will process this file and make a new "filename.pdf" file.
The hacker made a custom "conf.txt" file that had php code inside of it, and the dompdf file apparently doesn't check for code and as it executed it, it was executing the commands inside that file. So all a hacker would need to do is run that example above on your shop manually and it would execute.
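One way to script the two checks from the post above (is the dompdf folder still present, and does any theme's footer.tpl contain a hidden iframe), as an added example that is not part of the original thread or of OpenCart. The function names, the demo tree and the `ads.example.invalid` host are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Attributes that hide a frame: width/height of 0 (quoted, escaped or bare) or display:none.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*=\s*\\?["']?0\b|display\s*:\s*none""", re.IGNORECASE)


def find_hidden_iframes(text):
    """Return each <iframe ...> opening tag in text that is zero-sized or display:none."""
    return [m.group(0) for m in IFRAME_RE.finditer(text)
            if HIDDEN_RE.search(m.group(0))]


def audit_store(root):
    """Report whether system/helper/dompdf exists and which footer.tpl files are injected."""
    root = Path(root)
    report = {"dompdf_present": (root / "system/helper/dompdf").is_dir(), "hits": []}
    pattern = "catalog/view/theme/*/template/common/footer.tpl"  # any theme name
    for tpl in sorted(root.glob(pattern)):
        for tag in find_hidden_iframes(tpl.read_text(errors="replace")):
            report["hits"].append((tpl.relative_to(root).as_posix(), tag))
    return report


def build_demo_tree(root):
    """Constructed sample: a store tree with the dompdf folder and an injected footer."""
    root = Path(root)
    (root / "system/helper/dompdf").mkdir(parents=True)
    footer = root / "catalog/view/theme/default/template/common/footer.tpl"
    footer.parent.mkdir(parents=True)
    footer.write_text(
        '<div id="footer">Powered by OpenCart</div>\n'
        # A visible embed that must not be flagged.
        '<iframe width="560" height="315" src="https://video.example/e/1"></iframe>\n'
        # Same shape as the injected tag quoted in the post; the host is a placeholder.
        "<iframe width=0 height=0 style=\\'display:none\\' "
        'src="http://ads.example.invalid/in.cgi?2"></iframe>\n')
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = audit_store(build_demo_tree(tmp))
        print("dompdf folder present:", report["dompdf_present"])
        for path, tag in report["hits"]:
            print(f"{path}: {tag}")
```

The welcome message is edited in the admin settings rather than in a template file, so to cover it pass the homepage's saved "View Source" HTML to `find_hidden_iframes`.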
Posted on 26-5-2011 01:02 AM