ASAP Lab is a full-stack team of SysOps and SRE engineers providing business solutions for eCommerce websites. Aside from infrastructure setup and monitoring, we focus on information security. Recently, our security team has detected a growing number of attacks on customer sites built on different CMSs, including the CS-Cart platform, which are hosted by Scalesta (our all-in-one managed hosting solution). Fortunately, most attacks were prevented by our experts, who protect online businesses' data against various leaks and hacking attempts.
Naturally, this is only the “tip of the iceberg” and, alas, all of this leads to major security problems. Now let's look at each cluster together, and then don’t forget to show this article to your developers 😉
Sometimes during development, debugging, or other improvements on live websites, developers or administrators write additional logs, for example to the error_log or error.log files. At first sight this looks quite innocent, but it can actually lead to a serious security issue: the logs expose store paths or disclose bug information that can be exploited further.
Files like phpinfo.php, info.php, i.php and others containing phpinfo() output reveal not only paths; in combination with a Cross-Site Scripting (XSS) attack they give access to all cookies (yes, even those with the HttpOnly flag) and from there to administrator-level access. And it all starts with simple PHP version information, right?
An incorrect server configuration can reveal, for example, the project source code, or give access to directories and files that no one should have access to. At all! Let's take a look at Git, the collaborative development utility. If the .git directory exists on the site and is accessible from outside, then with certain knowledge and skills you can obtain the entire project source code and then look for vulnerabilities, or for access keys if they were added to the project code.
And now let’s move on to the “root cause” of the most frequent leaks: the Adminer utility. Many of its vulnerabilities have been fixed by its vendor in newer versions, but developers and administrators are very reluctant to update it on a regular basis.
In general, an externally accessible Adminer utility (as well as phpMyAdmin and other utilities that allow access to the database), especially in combination with available log files and phpinfo output, or even simply an enabled debug mode, can provide an attacker with enough information to exploit vulnerabilities such as CVE-2021-43008 (7.5/10 HIGH), CVE-2021-21311 (7.2/10 HIGH) and CVE-2020-35572 (6.1/10 MEDIUM). In 90% of cases this leads to access to the database or to a leak.
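To make the points above about exposed log files, phpinfo() pages, .git directories and database tools concrete, here is an added example (written for this article, not ASAP Lab's or CS-Cart's own code) of a hypothetical audit script that walks a site's document root and lists files that should never be reachable over HTTP; the sample tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Hypothetical audit helper: categories mirror the leaks described in the article.
LOG_NAMES = {"error_log", "error.log", "debug.log"}
DB_TOOL_RE = re.compile(r"^(adminer|phpmyadmin)[\w.-]*\.php$", re.IGNORECASE)
PHPINFO_RE = re.compile(r"\bphpinfo\s*\(", re.IGNORECASE)


def audit_docroot(docroot):
    """Return a sorted list of (category, relative_path) findings under docroot."""
    root = Path(docroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        if ".git" in dirnames:
            findings.append(("vcs_dir", str(rel_dir / ".git")))
            dirnames.remove(".git")  # flagged once; no need to descend into it
        for name in filenames:
            rel = str(rel_dir / name)
            if name in LOG_NAMES:
                findings.append(("log_file", rel))
            elif DB_TOOL_RE.match(name):
                findings.append(("db_tool", rel))
            elif name.endswith(".php"):
                # Any PHP file that calls phpinfo() counts, whatever it is named.
                text = Path(dirpath, name).read_text(errors="ignore")
                if PHPINFO_RE.search(text):
                    findings.append(("phpinfo", rel))
    return sorted(findings)


def build_sample_docroot():
    """Constructed sample web root reproducing each leak type from the article."""
    d = Path(tempfile.mkdtemp(prefix="docroot-"))
    (d / ".git").mkdir()
    (d / "var").mkdir()
    (d / "var" / "error_log").write_text("PHP Warning: constructed sample line\n")
    (d / "i.php").write_text("<?php phpinfo(); ?>\n")
    (d / "adminer-4.8.1.php").write_text("<?php // constructed stand-in for Adminer ?>\n")
    (d / "index.php").write_text("<?php echo 'shop'; ?>\n")  # legitimate, not flagged
    return str(d)


if __name__ == "__main__":
    for category, path in audit_docroot(build_sample_docroot()):
        print(f"{category:10s} {path}")
```

Run it against a real document root instead of the sample tree to get the list of paths your web server configuration should deny before an attacker finds them.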
> Yes, we all understand that sometimes developers or analysts might need direct access to a database, but this rather indicates a broken development process. It is better to make changes to the database using the migrations that are available in CS-Cart, and for analysts it’s recommended to make a read-only replica of the database which is closed from the outside and accessible only through an SSH tunnel.
To support these conclusions, let’s turn to the results of our investigation. The ASAP Lab information security team, together with the CS-Cart team, found that:
As you may have noticed throughout this article, besides exposed log files and externally accessible utilities, we mentioned outdated or not-updated software several times. CMS, applications, add-ons or server software: all of this needs regular updating to stay on the safe side. Updates provide not only new features but, more importantly, vulnerability fixes, performance improvements and security patches.
To sum it up, the information security of your store is not only about the quality of the CMS you use or the experience of your developers and service providers. Attention to detail, a well-arranged development process and regular updates protect you against the common security issues as well. If you have any security concerns, we at ASAP Lab will take care of your website.