
Thread: security info left in cache file

  1. #1
    jmelson (Active Member; Join Date: Jan 2009; Posts: 242)

    security info left in cache file

    OK, a bit of a long story, I got up one morning and found 150 credit card transactions for $0.10 and $0.12 so I went to my credit card processor (authorize.net) and found 1300+ attempts, most of them denied, but 152 of them still in the authorize hold. I called Authorize.net, and they had me turn on velocity filtering, a minimum transaction amount, and change my transaction key.

    I'm REALLY sure this was NOT done through the store software, as it would have run up a large number of GET and POST requests on the web server, and I did not see that.
    So, somehow, somebody must have gotten my merchant account # or my API credentials on Authorize.net.

    I have a daily program that checks for any updated files on the system.
    It found, when I changed my transaction key in osCmax, that a new file was generated:
    ~/osc2.5/catalog/cache/cachefile.inc.php

    This file has cleartext of all my Authorize.net API credentials and my FedEx API credentials! It also has at least a portion of my USPS and PayPal credentials.
    It seems a bit of a bug to have all this info in a persistent file under the catalog tree. Now, I have a .htaccess file that keeps this whole directory /catalog/cache non-readable from the web server, but this still seems like a dangerous thing to leave around. Is there any reason this file is even created? Why is it in the catalog tree instead of the renamed "admin" section? Shouldn't this file at least be deleted after the update is performed into the database? This is an osCmax 2.5 RC1 system.

    Thanks,

    Jon
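    The pattern Jon describes (a burst of tiny authorizations, most declined, a minority left on hold) is classic card testing against a merchant account. As an added example that is not part of this thread or of osCmax, here is detection logic run over a constructed authorization log: it buckets attempts into fixed windows and flags any window with many small-amount attempts and a high decline rate. The log line format, the thresholds and the sample data are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample, not real processor output: one line per attempt,
    '<ISO timestamp>,<amount>,<status>'. A burst of tiny overnight
    authorizations, mostly declined, followed by a few normal orders."""
    lines = []
    start = datetime(2018, 11, 28, 3, 0, 0)
    for i in range(40):                       # 40 attempts in under 7 minutes
        ts = start + timedelta(seconds=10 * i)
        amount = "0.10" if i % 2 else "0.12"
        status = "approved" if i % 7 == 0 else "declined"
        lines.append(f"{ts.isoformat()},{amount},{status}")
    lines += ["2018-11-28T10:15:02,45.00,approved",
              "2018-11-28T10:40:19,89.95,approved",
              "2018-11-28T14:02:51,12.50,declined"]
    return lines


def detect_card_testing(lines, window_minutes=10, min_attempts=20,
                        small_amount=1.00, min_small_share=0.9,
                        min_decline_ratio=0.5):
    """Bucket attempts into fixed windows and flag any window holding many
    small-amount authorizations of which most were declined. Returns
    (window_start, attempts, declines, approved) per flagged window."""
    buckets = defaultdict(list)
    for line in lines:
        ts_text, amount_text, status = line.strip().split(",")
        ts = datetime.fromisoformat(ts_text)
        window = ts.replace(minute=(ts.minute // window_minutes) * window_minutes,
                            second=0, microsecond=0)
        buckets[window].append((float(amount_text), status.lower()))
    alerts = []
    for window, attempts in sorted(buckets.items()):
        n = len(attempts)
        small = sum(1 for amount, _ in attempts if amount <= small_amount)
        declines = sum(1 for _, status in attempts if status == "declined")
        if (n >= min_attempts and small / n >= min_small_share
                and declines / n >= min_decline_ratio):
            # approved attempts in a flagged window are the holds to void
            alerts.append((window, n, declines, n - declines))
    return alerts


if __name__ == "__main__":
    for window, n, declines, approved in detect_card_testing(constructed_log()):
        print(f"{window:%Y-%m-%d %H:%M}: {n} attempts, {declines} declined, "
              f"{approved} approved holds to review")
```

    The approved count in each alert is what to check against the processor's pending holds; the daytime orders in the sample fall below the attempt threshold and are not flagged.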

  2. #2
    ridexbuilder (osCMax Development Team; Join Date: Jul 2008; Location: Haggisland; Posts: 4,164)

    Re: security info left in cache file

    The reason for its existence is to dramatically reduce lookups on the database for configuration items. Personally, I haven't delved into the code, nor the cache file contents.
    Your observations do seem to be a bit alarming, though.

    Developers resource at bitbucket
    *** *** ***
    oscmax.co.uk / ejsolutions.co.uk
    Hosting plans with installation, configuration, contributions, support and maintenance.
    *** FREE osCmax hosting available ***
    oscmaxtemplates.com

  3. #3
    jmelson (Active Member; Join Date: Jan 2009; Posts: 242)

    Re: security info left in cache file

    I have set up my system so that the admin directory tree cannot be accessed at all from outside the local network, with the directory settings in the web server configuration.
    So, having such a file in the admin tree would be less worrying. Since it is a php file and in the catalog tree, it seems like hackers would be able to execute this file and maybe obtain info like API credentials from it. (I'm not much of a php hacker, so I really don't even know how to test this.)

    Thanks,

    Jon

  4. #4
    ridexbuilder (osCMax Development Team; Join Date: Jul 2008; Location: Haggisland; Posts: 4,164)

    Re: security info left in cache file

    In a properly set up web server, the .htaccess file supplied as standard should offer protection.
    ```apache
    <FilesMatch "\.(ser|php|cache|htaccess)$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>
    ```
    Resulting in a 403 Forbidden page.


    (I got a forum notification, for the 1st time in years!)


  5. #5
    jmelson (Active Member; Join Date: Jan 2009; Posts: 242)

    Re: security info left in cache file

    Right, I have this, but it allows outsiders to access the admin login page. I don't want them to even be able to see any part of the admin section, so I have the web server set up to not allow any part of the admin directory tree to be accessed outside my local net. When traveling, I have to set up a tunnel so I appear to be coming from inside to access the admin section.

    Thanks,

    Jon

  6. #6
    ridexbuilder (osCMax Development Team; Join Date: Jul 2008; Location: Haggisland; Posts: 4,164)

    Re: security info left in cache file

    I usually secure the admin directory with the simple .htaccess password method.


  7. #7
    JRR (Senior Member; Join Date: Sep 2009; Location: Vancouver, BC, Canada; Posts: 501)

    Re: security info left in cache file

    I have my admin directory password protected via cPanel, which then has .htaccess protection as well, not to mention having a new name because 'admin' is just plain wrong...

    I also tried ridex's suggestion for protecting the cache file, but that made my catalog forbidden...so I need to make a change or two to it. My regular htaccess uses "files" instead of "filesMatch" but I don't think that is the problem. More likely because I am already blocking access to a number of files and so it is just unhappy with me and saying 'RTFM'...so I will.

    Tomorrow.

    Good night!
    Last edited by JRR; 11-28-2018 at 11:37 PM.
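    Added example, not from this thread or from osCmax: a small model of how Apache scopes the block ridexbuilder posted in #4, and of the difference between `<Files>` and `<FilesMatch>` that JRR ran into in #7. Two points it makes concrete: an .htaccess governs its own directory and everything below it, so the same block placed in catalog/ instead of catalog/cache/ turns every .php page into a 403; and `<Files>` only reads its argument as a regular expression when it starts with `~`, so the regex from #4 pasted into `<Files>` matches nothing. The paths and the model itself are assumptions written for illustration, not Apache's code.

```python
import fnmatch
import posixpath
import re

# Illustrative model (written for this thread, not Apache's own code) of how
# an .htaccess <Files>/<FilesMatch> block is scoped: it governs requests for
# files in that directory and everything below it, matched on basename only.


def files_directive_matches(pattern: str, basename: str) -> bool:
    """<Files> takes a literal name or shell wildcard (* and ?); it is only
    treated as a regular expression when the argument starts with '~'."""
    if pattern.startswith("~"):
        return re.search(pattern[1:].strip(), basename) is not None
    return fnmatch.fnmatchcase(basename, pattern)


def filesmatch_directive_matches(pattern: str, basename: str) -> bool:
    """<FilesMatch> always treats its argument as a regular expression."""
    return re.search(pattern, basename) is not None


def is_denied(request_path: str, htaccess_dir: str,
              directive: str, pattern: str) -> bool:
    """True if 'Deny from all' inside the given block, in the .htaccess of
    htaccess_dir, would answer 403 for request_path (both paths relative
    to the document root, e.g. 'catalog/cache/cachefile.inc.php')."""
    scope = htaccess_dir.strip("/") + "/"
    if not request_path.lstrip("/").startswith(scope):
        return False  # an .htaccess only governs its own subtree
    basename = posixpath.basename(request_path)
    if directive == "FilesMatch":
        return filesmatch_directive_matches(pattern, basename)
    if directive == "Files":
        return files_directive_matches(pattern, basename)
    raise ValueError(f"unknown directive {directive!r}")


THREAD_PATTERN = r"\.(ser|php|cache|htaccess)$"  # the regex from post #4

if __name__ == "__main__":
    cache_file = "catalog/cache/cachefile.inc.php"
    # Block in catalog/cache/.htaccess: cache file blocked, storefront untouched.
    print(is_denied(cache_file, "catalog/cache", "FilesMatch", THREAD_PATTERN))
    print(is_denied("catalog/index.php", "catalog/cache", "FilesMatch", THREAD_PATTERN))
    # Same block one level up (catalog/.htaccess): every .php page is 403.
    print(is_denied("catalog/index.php", "catalog", "FilesMatch", THREAD_PATTERN))
    # <Files> with the same regex but no leading '~' matches nothing at all.
    print(is_denied(cache_file, "catalog/cache", "Files", THREAD_PATTERN))
    print(is_denied(cache_file, "catalog/cache", "Files", "~ " + THREAD_PATTERN))
```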
