[contribution] Security Pro - Querystring protection against hackers.


274 replies to this topic

#261 vakondweb

  • Community Member
  • 19 posts
  • Real Name:Varkondi Laszlo
  • Gender:Male
  • Location:Budapest

Posted 01 April 2011, 14:02

FWR Media, on 01 April 2011, 13:12, said:

Hi Laci

Read back a bit in this support thread.

You can add valid special language characters to the whitelist.

Thank you very much, I did not find it at first.
Now it is perfect! :thumbsup:

#262 here2learn

  • Community Member
  • 37 posts
  • Real Name:Matheus
  • Gender:Male
  • Location:Brazil

Posted 11 April 2011, 16:09

I see the latest Security Pro version (2.0) was released in 23 Dec 2010 i.e. after osC 2.31 came out.

Will it (Security Pro 2.0) work with my osC 2.2 RC2, or should I download Security Pro 1.02, released in 2008, which was specifically for osC 2.2x?

Another question.

How do I add these characters to be allowed:
àÀ áÁ ãà â äÄ
èÈ éÉ êÊ ëË
ìÌ íÍ ïÏ
òÒ óÓ õÕ ôÔ öÖ
ùÙ úÚ üÜ
çÇ
@ <-- for email purpose

My language is Portuguese, so all the characters above may be used.

#263 here2learn

  • Community Member
  • 37 posts
  • Real Name:Matheus
  • Gender:Male
  • Location:Brazil

Posted 13 April 2011, 03:20

Nobody? I just want to know if the latest version of Security Pro works with osC 2.2 RC2 and how to add the letters above to the list of allowed characters.

I am not asking how to install it. As far as I understood, Security Pro latest version is for osC 2.31 and if this is really the case, then I am not sure whether I will be protected since like I said before I am using osC 2.2 RC2, and thus I could be fooled into believing everything is ok while my site is vulnerable to hackers.

Edited by here2learn, 13 April 2011, 03:34.


#264 here2learn

  • Community Member
  • 37 posts
  • Real Name:Matheus
  • Gender:Male
  • Location:Brazil

Posted 15 April 2011, 05:05

Has anyone heard of HTML Purifier?

http://htmlpurifier.org/

A better way to whitelist, since it doesn't remove characters as far as I understood. Interesting that I stay awake for hours searching for things like this, but have very little knowledge of how to implement it. I will continue with my search, because I want to retain the maximum number of characters possible, including Latin-1 ones, while knowing I am safe.

Maybe I will start a thread about this later.

Edited by here2learn, 15 April 2011, 05:05.


#265 Guzappum

  • Community Member
  • 4 posts
  • Real Name:Denes

Posted 19 August 2011, 15:16

Greetings,

I applied this very useful contribution and have special language characters in product names so made the required modifications from:
#198 -Modification for Languages that have Special Characters

Everything works fine now, thanks for this modification to Robert. I was just wondering about the solution:

In the spirit of the-smaller-whitelist-the-better couldn't the special characters be replaced with their "normal" counterparts (example: ö to o)?

That way no expansion of the whitelist would be necessary, as the osC search brings up products with special characters if searched for by their normal counterparts.

What do you think and how could one do this?

#266 cornishpirate

  • Community Member
  • 110 posts
  • Real Name:Alan
  • Location:Cornwall, England

Posted 29 September 2011, 08:29

In the UK, Streamline, now part of Worldpay, are pushing hard for PCI DSS compliance. They've teamed up with TrustWave and we've been encouraged to use their TrustKeeper IP Scanning system for vulnerabilities.

The only item my site is failing on is XSS, despite the magnificent presence of Security Pro 2!!

URL: ....../product_info.php?products_id=%3Cscript%3Ealert%28TK00000004%29%3C%2Fscript%3E
Body matches:
Vulnerability type: Reflected Cross-Site Scripting
Vulnerable input type: URL Query Parameter
Vulnerable input name: products_id

This may be a very dubious failure, but many of us will have to deal with it.

Any thoughts?

#267 midijay

  • Community Member
  • 16 posts
  • Real Name:jay

Posted 12 November 2011, 08:55

I've installed version 2.0 and nothing seems to have changed; if I search using the string "[w](o)%3Cr%3Ek|i*n^g" then I get this in my URL: advanced_search_result.php?keywords=%5Bw%5D%28o%29%253Cr%253Ek%7Ci*n%5Eg&search_in_description=1

So it looks like it's not working? I'm running 2.2 RC2a with STS, and it wasn't totally clear if 2.0 of this contrib was suitable for 2.2 or just limited to 2.3, so I went ahead and installed version 1.0.2 of the contrib... and still no change.

Any thoughts anyone? I know a lot of contributions need to work differently when STS is installed but I got the idea this worked fine with STS.

#268 midijay

  • Community Member
  • 16 posts
  • Real Name:jay

Posted 12 November 2011, 09:02

midijay, on 12 November 2011, 08:55, said:

I've installed version 2.0 and nothing seems to have changed; if I search using the string "[w](o)%3Cr%3Ek|i*n^g" then I get this in my URL: advanced_search_result.php?keywords=%5Bw%5D%28o%29%253Cr%253Ek%7Ci*n%5Eg&search_in_description=1

So it looks like it's not working? I'm running 2.2 RC2a with STS, and it wasn't totally clear if 2.0 of this contrib was suitable for 2.2 or just limited to 2.3, so I went ahead and installed version 1.0.2 of the contrib... and still no change.

Any thoughts anyone? I know a lot of contributions need to work differently when STS is installed but I got the idea this worked fine with STS.


Sincere apologies, I was expecting the URL to look clean, but in fact I had not properly read the simple instructions, which state:

Quote

Do the search then look back at the search box which should have been repopulated with the cleansed value. It should read "working".

So yes, my search box read "working", whereas without the contrib it would read the full crazy string.

#269 fotomedia

  • Community Member
  • 1 posts
  • Real Name:Marjan

Posted 16 November 2011, 14:06

Hi all

I installed everything, but when I search using the string "[w](o)%3Cr%3Ek|i*n^g" I get "wo3Cr3Eking".

Search also does not work in my language (Slovenian). I use $lang_additions ...

What am I doing wrong?

#270 sarahw167

  • Community Member
  • 7 posts
  • Real Name:sarah

Posted 30 January 2012, 10:16

Is Security Pro 2.0 ( r7 ) the full contribution?

kind regards,
Sarah

#271 DunWeb

  • Community Sponsor
  • 10,427 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 30 January 2012, 13:59

sarahw167, on 30 January 2012, 10:16, said:

Is Security Pro 2.0 ( r7 ) the full contribution?

kind regards,
Sarah


Yes it is,



Chris

#272 sarahw167

  • Community Member
  • 7 posts
  • Real Name:sarah

Posted 30 January 2012, 23:38

DunWeb, on 30 January 2012, 13:59, said:

Yes it is,



Chris

Thanks for your response.

#273 Gergely

  • Community Member
  • 344 posts
  • Real Name:Tóth Gergely
  • Gender:Male

Posted 11 February 2012, 17:10

I installed Security Pro and it works perfectly.
I found a little problem with exact search. ("Exact matches can be searched for by enclosing keywords in double-quotes.")

Tested on an osCommerce 2.3.1 shop.
Search "Speed 2" without Security Pro:
results: 1 record

With Security Pro:
results: 3 records

I need some help.

Thank you in advance!

Is this right?
Change:
"/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i"

to:
'/[^\s{}a-z0-9_\.\-"' . $lang_additions . "]/i"

Gergely

Edited by Gergely, 11 February 2012, 17:17.

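A small Python model of the whitelist regex Gergely quotes above, added here as an illustration and not code from the Security Pro contribution. It also shows here2learn's accented-character and @ additions via $lang_additions, Gergely's double-quote change for exact search, and it reproduces the "wo3Cr3Eking" value fotomedia reports when the %3C/%3E sequences reach the filter still percent-encoded. The function name and the re.escape call are my own assumptions.

```python
import re

# Base whitelist taken from the regex quoted in the thread:
# whitespace, braces, ASCII letters/digits, underscore, dot, hyphen.
BASE_CLASS = r"\s{}a-z0-9_.\-"


def cleanse(value: str, lang_additions: str = "", allow_quotes: bool = False) -> str:
    """Remove every character that is not on the whitelist.

    lang_additions: extra literal characters to keep (accented letters, '@'),
        mirroring the $lang_additions variable discussed in the thread.
    allow_quotes: also keep '"', as Gergely proposes, so that an exact-match
        search like "Speed 2" survives cleansing.
    """
    # re.escape is my addition: it stops a '-' or ']' pasted into the
    # additions from changing the meaning of the character class.
    extra = re.escape(lang_additions)
    quote = '"' if allow_quotes else ""
    pattern = "[^" + BASE_CLASS + quote + extra + "]"
    return re.sub(pattern, "", value, flags=re.IGNORECASE)


if __name__ == "__main__":
    # Constructed inputs taken from the thread's own test strings.
    print(cleanse("[w](o)<r>k|i*n^g"))                     # decoded input -> working
    print(cleanse("[w](o)%3Cr%3Ek|i*n^g"))                 # still encoded -> wo3Cr3Eking
    print(cleanse('"Speed 2"'))                            # quotes stripped -> Speed 2
    print(cleanse('"Speed 2"', allow_quotes=True))         # quotes kept -> "Speed 2"
    print(cleanse("Ação", lang_additions="çÇãÃ"))          # accents kept -> Ação
    print(cleanse("joao@example.com", lang_additions="@")) # '@' kept for e-mail fields
```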

#274 RMD27

  • Community Member
  • 259 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 01 March 2012, 13:32

Hello Robert,

I left a message on the osc_sec thread to see if the contribution could be causing a problem with translation. http://forums.oscommerce.com/topic/373777-oscommerce-security-osc-secphp/page__st__420__p__1625068#entry1625068

Here is what I wrote

Quote

Hi Taipo

Google & Babel translate do not work on my site anymore; could the OSC SEC contribution be stopping it from working?

I also have Security Pro 2.0 installed.

These are the characters Google uses
http://translate.google.com/translate?hl=en&sl=en&tl=sq&u=http%3A%2F%2Fwww.oscommerce.com%2F

And this is what Babel uses

http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Fwww.oscommerce.com%2F&lp=en_nl&btnTrUrl=Translate

I added %, & and = to the Security Pro whitelist, but the translation from these pages comes back as

blank page for Google and with an

error(0) for Babel

Are the characters used by the translation services causing a problem?

If so, can you please tell me what I need to do to get them working? :unsure:

Edited by RMD27, 01 March 2012, 13:33.


#275 alfredor

  • Community Member
  • 3 posts
  • Real Name:Alfredo

Posted 27 April 2012, 16:34

Hi, very nice contribution, I only have a question. You write:

-----------------------
Find ...
if ($request_type == 'NONSSL') {
Add immediately ABOVE ...
// Security Pro by FWR Media
include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
$security_pro = new Fwr_Media_Security_Pro;
// If you need to exclude a file from cleansing then you can add it like below
//$security_pro->addExclusion( 'some_file.php' );
$security_pro->cleanse( $PHP_SELF );
// End - Security Pro by FWR Media
That's it .. all installed!
------------------------

The question is: does this contribution only work in NONSSL? Is it not necessary on the pages with SSL? Thanks for the answer. :-)