chrometweaks.org

ASP code to connect .aspx file to SQL Server on iPage?

Click Here To View All Answers...


My question is ASP code to connect .aspx file to SQL Server on iPage? Thanks for any answer or 2. Another question I got... Hi,.

I have noticed a potential security risk when any emails are either sent from the 'store admin' feature (send a customer an email), or, in the case of any customer ordering via osCommerce..

From memory, the function that is used for email is called 'tep_mail', which eventually calls the PHP mail() function. The "Return-Path:" header value in these emails always defaults to the "root" (shell) username of the domain, and therefore is accessible by anyone who makes an order. We had a 'bogus' order the other day, and that is all a person has to do to obtain the login username to the domain..

I have done, over the last few weeks, investigations to see how to change the username in the "Return-Path:", and it is done by passing an additional parameter via the PHP mail() function, or you can try 'ini_set' to change the sendmail path (from memory)..

Why can't osCommerce default to username of 'localhost', rather than supplying the login username via emails ? .

Unfortunately, there is nothing I can do, there are some restrictions with our web hosts, in changing the username with the mail() function, but there is a way to 'force' it by using SMTP rather than sendmail, and 'authenticate' with 'localhost' as the username.. It's going to be a painful exercise though, and when it is working okay, I will need to modify osCommerce code where the emails are called. After that, changing the (root/shell) username on the hosts, which if not (easily) possible, could mean moving the whole iPage website to the new 'username' (.... great)..

No doubt this issue may depend on what platform osCommerce is run on, and the availability of 'tweaking' that your web host allows, but it could be a potential security risk for you, it sure is for me..

Peter..

Comments (93)

That's a good question. I'm not sure what is the answer. I'll do some investigation and get back to you if I got an anything. You should email the people at iPage as they probably could give you help..

Comment #1

Knowing about any potential security risk is valuable information for everyone here, but could you translate what you were talking about. That all went way over my head..

Peter..

Comment #2

What Peter is saying is that to get shell (command line access) to the server you would need two things: 1) the shell username and 2) the password. The very first line of the email return path provides 1 of the 2 pieces of information needed..

Rather than the cracker having to figure out 2 pieces of information s/he only has to figure out one..

Wouldn't a complex password for the shell username help solve the issue - for the short term, if changed frequently?.

I can see your concern. In reality people do not change passwords often, if ever. A cracker only has to run a script that continually tries different passwords until he stumbles on the correct one...

Comment #3

Hi,.

Sorry about not explaining it too well; the other thread has lots more info, but I guess, sometimes we get too much or too little; ....... a practical example..

Let's say I just bought a new domain, it is called 'example.com', and the root/shell username I have chosen is "pr678" , and the password is "............."..

I'm the only person who knows this (the username and password), I need it for FTP access (SFTP I hope), telnet, or any SSH access. I will also need it for any 'control panel' access. The username and password gain access to.

Anything.

, so therefore I don't want any other person/s to know, otherwise I run the risk of my iPage site being hacked into..

So, ....... I don't tell anyone, no-one knows..

Then, a person visits my iPage site and creates an account. They get an email, and my (very secret) username of "pr678" is all there, in the email headers..

It's also there in any email sent from 'my store' to the customer (orders,etc) , ....... great..

Some people may argue that this isn't important, but if I wanted anyone to have the root/shell username of my website, I'd send it to them..

It simply makes the work for any hacker then very easy, because having the username, a simple brute force and they are into your site, with all privledges..

Hope that clarifies it,.

Peter..

Comment #4

Hi Frank,.

Thanks, you were replying at the same time, in fact you probably explained it better than me..

Peter..

Comment #5

Hi,.

Yes, for the short term as you say. I'm actually so concerned about the issue, after I modify osCommerce to change the username in emails, I'll seriously consider moving the website, just so that a new username can be assigned (I do web hosting, so it's not _that_ hard)..

Sounds like an overkill, but the last few days, we have had 'bogus' orders and 'bogus' account sign-ups; it's all people need to get that username..

Peter..

Comment #6

Okay, I have read the other forum post again and again. Now for the big question. In english, what is the fix for this..

Peter..

Comment #7

Hi Peter,.

Having spent some time on this in the last few weeks (bits here and there), the BIG factor in being able to fix it will depend on your web hosts. I say that because I researched a lot, asked a lot, and you CAN pass a 5th parameter to the PHP mail() function, and the osC code actually has allowed for this, BUT, for me, the 'security' and other setup at the web server I use, will not allow me to do it the 'normal' way. Well, that's my story, and you asked, it to be in english, sorry. I'll try again..

1. Try it in isolation, that is, don't go changing any osC code, unles you know _what_ you can do , on your website. Try this bit of code to see if you can change the 'return-path' email header:.

<?php.

$to = '", "Test email #3 from website", $message,.

    "From: webmaster@{$_SERVER['SERVER_NAME']}", "-flocalhost@{$_SERVER['SERVER_NAME']}");.

It may work for you , it didn't for me though..

Basically, once you have found that you _can_ modify the username in the "Return-Path:" email header, then there are only very minor mods (I think) in osC, because, from memory, the tep_mail passes the 5 parms already..

Hope that helps, and I hope it was in english..

Peter..

Comment #8

OK - I am confused..

I just sent myself a test email and these were the headers:.

Return-path: <>.

Date: Thu, 25 Mar 2004 12:29:20 +0100.

Now the return path is nothing to do with my username. I don't quite know why it says nobody but the rest is just my iPage hosting company..

When you say username, which username do you mean anyway? The one to get into the CPanel?..

Comment #9

Hi,.

Yes, the one to get into CPanel..

If.

That.

Username is.

Not.

Anywhere in the email headers, then you are okay (lucky you)..

Peter..

Comment #10

When I first read this thread I agreed that this is a problem but ....

Interesting enough when the iPage site sends out a confirmation email the header starts like this.

Return-Path: <.

(InterMail vK.4.04.00.00 201-232-137 license ac98e04b23802b25ff26d48c352bda07).

With ESMTP id <20040325090022.HNFC398.fe6@[66.76.61.87]>.

So I have the problem when sending out mail directly from an account on the iPage domain but not when osC sends one out. Very odd, I dropped my iPage hosting company a line to see what they have to say on the matter...

Comment #11

Mine comes up, for both ways, as Return-Path: www@www.kynet.co.uk which is fine ..

Just checking with my host to see if it something they have set-up - will advise any findings here...

Comment #12

Host has advised that this is a standard server setting/config, on the server we are on, and that they use sendmail for the mail server..

Hopefully that means something to you ?

Comment #13

The username set in the headers is set by the server not by the software..

This should be set in the php.ini file.. some hosts set this correctly some just leave it as default...

Comment #14

Hi Richard,.

Well that's good news that the email sourced from osC is okay. If sending out email from the iPage domain has the username (that you don't want people to know) in it, then it's only a problem in regards to who you send the email 'to'. Check if there are any other 'sources' of sending email (Perl, feedback forms,etc), on your website, that are not part of Osc..

Peter..

Comment #15

Hi,.

It's good that it works okay for you. The host I use does have sendmail (really a pipe to Exim), and SMTP, but the way they have the security and everything else setup, I cannot change the username with sendmail (either via perl or PHP), but if I use SMTP and force authentication (supply a hostname), then it is okay..

It means some mods to osC, to ensure any emails do not give out confidential info..

Peter..

Comment #16

Hi Mark,.

Some hosts let you change PHP.INI (I can), but even trying all the necessary 'sendmail' settings in PHP.INI, it still didn''t work, because the server settings (security) won't allow this..

Thanks,.

Peter..

Comment #17

Hmm - I just sent myself an email NOT from osc but from neomail, one of the webmail programs my host provides..

It did what you said, put my username in the return path. Which is odd, because when I send mail from osc, it doesn't do that. From osc it says <>.

So perhaps it is not so much an osc problem as a host problem...

Comment #18

Hi,.

I have noticed a potential security risk when any emails are either sent from the 'store admin' feature (send a customer an email), or, in the case of any customer ordering via osCommerce..

From memory, the function that is used for email is called 'tep_mail', which eventually calls the PHP mail() function. The "Return-Path:" header value in these emails always defaults to the "root" (shell) username of the domain, and therefore is accessible by anyone who makes an order. We had a 'bogus' order the other day, and that is all a person has to do to obtain the login username to the domain..

I have done, over the last few weeks, investigations to see how to change the username in the "Return-Path:", and it is done by passing an additional parameter via the PHP mail() function, or you can try 'ini_set' to change the sendmail path (from memory)..

Why can't osCommerce default to username of 'localhost', rather than supplying the login username via emails ? .

Unfortunately, there is nothing I can do, there are some restrictions with our web hosts, in changing the username with the mail() function, but there is a way to 'force' it by using SMTP rather than sendmail, and 'authenticate' with 'localhost' as the username.. It's going to be a painful exercise though, and when it is working okay, I will need to modify osCommerce code where the emails are called. After that, changing the (root/shell) username on the hosts, which if not (easily) possible, could mean moving the whole iPage website to the new 'username' (.... great)..

No doubt this issue may depend on what platform osCommerce is run on, and the availability of 'tweaking' that your web host allows, but it could be a potential security risk for you, it sure is for me..

Peter..

Comment #19

Peter all sounds very interesting - but unfortunately you have completely lost me(which is probably quite easy)..

Could you explain in simpler terms for me please..

Thanx...

Comment #20


This question was taken from a support group/message board and re-posted here so others can learn from it.