656 replies to this topic

[spooks]

Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

You can block elicit access attempts with IP trap http://addons.oscommerce.com/info/5914

You can add htaccess protection http://addons.oscommerce.com/info/6066

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Also make sure that all files, except for the two configure.php files have permissions no higher than 644.

The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400 which is correct.

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

Do it now, avoid getting that nasty addition to your listings in google: 'This site might damage your computer'
Or find all your customers data has been posted on a hackers bulletin board somewhere, etc etc

Update Sep. 09

The following addresses issues that have arisen or were not mentioned since this post was placed:

SECURING THE ADMIN:

You must take steps to secure your admin, by re-naming & password protection. There is also a issue with hacks, read Jan's thread here.

FILEMANAGER:

It has long been known the filemanger is a security risk & should, nay MUST be removed, if used for editing your site it is likely to damage your files, so is a bad utility to keep anyway, see here. Its also been known its a possible hacking route & to make matters worse there now exists a very nasty hack that uses filemanger to gain access to your site ( dbase included!! )

Use a normal editor such as html-kit or notepad++ after downloading all your files to your PC with ftp such as filezilla.

To remove filemanger:

Delete file_manager.php from catalog/admin

open admin/includes/boxes/tools.php and delete the line:

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .

It is also known that admin/define_language.php is vulnerable to the same hacks as filemanger, so should also be removed.

BACKUPS:

To be safe you should make backups of your dBase and site files, saves a great deal of time & effort cleaning up should anything nasty happen.

I recommend you use AutoBackup Database in Admin AND Database backup manager also Backup of all store files in zip format.

INSTALLATION:

If you are unsure about installing these contributions this thread should help you.

FORMS:

Security Pro cleans the query string, however any forms using $_POST are un-affected, if you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

after:

require('includes/application_top.php');

add:

 
// clean posted vars
reset($_POST);
	  while (list($key, $value) = each($_POST)) {
		   if (!is_array($_POST[$key])) {
			  $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
   		} else { unset($_POST[$key]); } // no arrays expected 
	  }

This does not allow for arrays, additional code is needed if they are used.

Edited by Jan Zonjee, 23 September 2009 - 04:33 PM.

[stubbsy]

Thanks Sam,

there were a couple of tips in there that had passed me by...

Cheers

Dave

[webbydeb]

It always helps having to be pci compliant too....having that scan every few days going through your system catching anything that may be vulnerable.  Never hurts to alert you to vulnerabilities.

I love the Security Pro.  I tried the IP trap but it worked so well my pci compliance scanner got blocked *laughing*.  Now I just keep looking at my error log, and put questionable entities in my disallow lines of my .htaccess file.  That may not be the best way to do it, but it's what I've got for now.

[php_Guy]

When you say...

Some guy claiming to be spooks, on Aug 29 2008, 04:41 AM, said:

Permissions on folders should be no higher than 755.

... I assume you mean all except:

/catalog/images
/catalog/admin/backups
/catalog/admin/images/graphs

I get errors when I drop the permissions below 777 on those folders.

[Black Jack 21]

spooks, on Aug 29 2008, 01:41 PM, said:

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

Read it once again!

[php_Guy]

Black Jack 21, on Sep 4 2008, 11:47 PM, said:

Read it once again!

Thank you for your enlightened reply. However, it is osCommerce, not the host that requires that those folders be world writable. The docs and the knowledgebase both state that they should be left at 777. If there is a way to secure them while still keeping osCommerce happy please let me know how to do so.

[m.a.t.t]

Not one of my folders has permissions 777, everything works fine.

[sponna]

I believe 777 is only vulnerable if the server itself is vulnerable i.e. not set up securely. You cannot upload and execute a file remotely as far as I'm aware - the attack would need to come from within. Although this post is quite old, I think it makes interesting reading. Irrespective, always chmod to the most secure settings that still allow your site to run:

http://www.simplemachines.org/community/in...hp?topic=2987.0

[php_Guy]

m.a.t.t, on Sep 5 2008, 07:53 AM, said:

Not one of my folders has permissions 777, everything works fine.

With /catalog/images set below 777, all is fine with the store. When I then enter admin, everything is still fine untill I click on products/catalog. At this point, osc sees that it is unable to write to the images directory (and therefore unable to upload images for new products, etc via admin) and therefore generates an error that is listed at the top of the screen.

Since I ftp images up anyway this isn't a big issue but the /catalog/admin/backups and /catalog/admin/images/graphs have a similar problem. if they aren't world-writable, they cannot work as intended. Unless of course there is more to it tht I am unaware of. That's why I asked the initial question.

As to it really being a security issue, I agree. I think a properly configured server manages the risk. However, it could be a bandwidth issue. Someone could use your world-writable directory as a warez file depository and post on warez boards where to get them. Suddenly, you could see a huge jump in bandwidth which could be costly if you have to pay for use beyond your allowance.

[DJStealth]

This seems a little confusing here.

OSCommerce requires 777 for backup directory, images directory, and a few other places.  Also, if you use a script that does caching of resized images, it also requires 777.

I guess the questions are this..
a) Is it possible for someone to do an HTTP upload file to any directory that's 777, without a script accepting it?
If so, maybe one can setup an .htaccess file to block write access this way?

[FWR Media]

DJStealth, on Sep 7 2008, 11:01 PM, said:

This seems a little confusing here.

OSCommerce requires 777 for backup directory, images directory, and a few other places.  Also, if you use a script that does caching of resized images, it also requires 777.

I guess the questions are this..
a) Is it possible for someone to do an HTTP upload file to any directory that's 777, without a script accepting it?
If so, maybe one can setup an .htaccess file to block write access this way?

Add a .htaccess including the following code.

php_flag engine off
<Files ~ "\.(php*|s?p?html|cgi|pl)$">
deny from all
</Files>

Not my code. Was suggested to me by BL4CK from thedefaced[d0t]org security group, and I can see the benefit.

Wont work with suexec but a php.ini version would suffice.

Edited by FWR Media, 07 September 2008 - 10:34 PM.

[Bushmaster]

DJStealth, on Sep 7 2008, 03:01 PM, said:

This seems a little confusing here.

OSCommerce requires 777 for backup directory, images directory, and a few other places. Also, if you use a script that does caching of resized images, it also requires 777.

I guess the questions are this..
a) Is it possible for someone to do an HTTP upload file to any directory that's 777, without a script accepting it?
If so, maybe one can setup an .htaccess file to block write access this way?

Its not osCommerce that requires it. It is the config of the server. On the host I use I have to set the configure.php set to 0444 to get the I can write error to go away so my image folder goes no higher then 0755

[skunkbad]

spooks, on Aug 29 2008, 04:41 AM, said:

Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

You can block elicit access attempts with IP trap http://addons.oscommerce.com/info/5914

You can add htaccess protection http://addons.oscommerce.com/info/6066

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Also make sure that all files, except for the two configure.php files have permissions no higher than 644.

The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400 which is correct.

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

Do it now, avoid getting that nasty addition to your listings in google: 'This site might damage your computer'
Or find all your customers data has been posted on a hackers bulletin board somewhere, etc etc

If the default osCommerce script is really this vulnerable, I think osCommerce should let people know before they download the script and spend countless hours customizing their installation.

[web-project]

very useful contributions, if the server is not setup properly. Personally using firewall on my server and getting only email logs of people who is trying to hack oscommerce websites & these people/IP addreses automatically in my black list.

example:

Quote

Time:     Sun Sep  7 18:16:39 2008 +0100
IP:       193.xx.xxx.xxx (country name)
Failures: 1 (mod_security)
Interval: 215 seconds
Blocked:  Yes

Log entries:

[Sun Sep 07 18:16:35 2008] [error] [client 193.xx.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(??:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(??:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:goto. [id "950006"] [msg "System Command Injection. Matched signature </mail>"] [severity "CRITICAL"] [hostname "domain name"] [uri "/admin/file_manager.php?goto=/home/user_name/public_html//images/mail"] [unique_id "dvZTxFXqk2sAAH@an4YAAAAE"]

Edited by web-project, 08 September 2008 - 04:59 PM.

[FWR Media]

web-project, on Sep 8 2008, 05:58 PM, said:

very useful contributions, if the server is not setup properly. Personally using firewall on my server and getting only email logs of people who is trying to hack oscommerce websites & these people/IP addreses automatically in my black list.

example:

Server set up is no replacement at all for code side  input/output escaping, server security is a totally different animal addressing totally different needs.

[WoodsWalker]

Thanks for the list, Sam, and thanks Deborah for that hint regarding PCI compliance. You're right on.

Right now my compliance people are failing me due to apparent vulnerability to cross-site scripting, so this thread came at just the right time.

~Wendy

[themilkman]

Hi

I am looking at the install instructions for Anti XSS and do not understand how it can write to a file called iplog.txt?

Nowhere in the .htaccess code is there are reference to ip address being written to the .txt file.

Am I missing code here?

=======

Also I have installed Secure your site with an IP trap http://addons.oscommerce.com/info/5914.

The add-on successfully blocks you but when it write the IP address to a text file alled IP_trapped.txt the blocked IP address is written as an invisible line. Also when the program writes an email to you again the IP address is not shown/invisible.

Does any one know how to make the IP address visible?

Thank You

TMM

Edited by themilkman, 12 September 2008 - 09:53 AM.

[themilkman]

Hi

I have installed security pro latest version but get the follwoing error after entire add-on installation:

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'MAX_RANDOM_SELECT_NEW' at line 1

select products_id, products_image, products_tax_class_id, products_price from products where products_status = '1' order by products_date_added desc limit MAX_RANDOM_SELECT_NEW


Can anyone please suggest what to do here?

Thanka

Bal

[geoffreywalton]

Make sure the file that should have been put in /includes/languages/english is there or an edit to add a define to /includes/languages/english.php has been done corectly.

[themilkman]

geoffreywalton, on Sep 13 2008, 10:41 PM, said:

Make sure the file that should have been put in /includes/languages/english is there or an edit to add a define to /includes/languages/english.php has been done corectly.

Hi for the contribution for Security Pro 1.0.2 http://addons.oscommerce.com/info/5752 there is no mention of having to put anything into the languages/english folder

Please explain


Basically when I load my site the main page just shows the header image, side menu and the rest is blank with the error message.  I have not put back the old application_top file and it is back to normal until I find out the fix.


Thanks

B

Edited by themilkman, 13 September 2008 - 09:55 PM.