How to secure your osCommerce 2.2 site.


656 replies to this topic

#1   spooks

spooks
  • Members
  • 7,017 posts

Posted 29 August 2008 - 11:41

Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

You can add htaccess protection http://addons.oscommerce.com/info/6066

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Also make sure that all files, except for the two configure.php files, have permissions no higher than 644.

The permissions for the two configure.php files will vary according to the server your site is on: any of 644, 444 or 400 is correct, depending on the server.

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

Do it now, avoid getting that nasty addition to your listings in google: 'This site might damage your computer'
Or find all your customers data has been posted on a hackers bulletin board somewhere, etc etc

Update Sep. 09

The following addresses issues that have arisen or were not mentioned since this post was placed:

SECURING THE ADMIN:

You must take steps to secure your admin, by renaming it and password-protecting it. There is also an issue with hacks, read Jan's thread here.

FILEMANAGER:

It has long been known that the file manager is a security risk & should, nay MUST, be removed. If used for editing your site it is likely to damage your files, so it is a bad utility to keep anyway, see here. It's also known to be a possible hacking route, and to make matters worse there now exists a very nasty hack that uses the file manager to gain access to your site (database included!!).

Use a normal editor such as HTML-Kit or Notepad++ after downloading all your files to your PC with an FTP client such as FileZilla.

To remove the file manager:

Delete file_manager.php from catalog/admin

Open admin/includes/boxes/tools.php and delete the line:

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .


It is also known that admin/define_language.php is vulnerable to the same hacks as the file manager, so it should also be removed.

BACKUPS:

To be safe you should make backups of your database and site files; it saves a great deal of time & effort cleaning up should anything nasty happen.

I recommend you use AutoBackup Database in Admin AND Database Backup Manager, as well as a backup of all store files in zip format.

INSTALLATION:

If you are unsure about installing these contributions this thread should help you.

FORMS:

Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

after:

require('includes/application_top.php');

add:

// clean posted vars: keep only whitelisted characters in scalar values,
// drop any array values outright (foreach replaces the old reset()/each()
// loop, which no longer works on PHP 7.2+; behaviour is the same)
foreach ($_POST as $key => $value) {
  if (!is_array($value)) {
    $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($value));
  } else {
    unset($_POST[$key]); // no arrays expected
  }
}


This does not allow for arrays; additional code is needed if they are used.

Edited by Jan Zonjee, 23 September 2009 - 16:33.

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.
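As an added example (not code from the original post, nor from osCommerce itself), here is a Python script that audits a store tree against the limits Sam lists above: files at most 644, directories at most 755, configure.php at 644, 444 or 400, and admin/file_manager.php and admin/define_language.php gone. The layout it assumes (a catalog root with admin/ and includes/ beneath it) and the demo tree it builds under a temporary directory are constructed for illustration; point it at a real store directory to audit that instead.

```python
"""Audit an osCommerce 2.2 store tree for the permission and file-manager issues
listed in the post above.  Added example: not part of the original post or of
osCommerce itself.  Assumed layout: <root> is the catalog directory with
admin/ and includes/ beneath it."""
import os
import stat
import sys
import tempfile

# Files the post says must be removed from admin/.
DANGEROUS_ADMIN_FILES = ("file_manager.php", "define_language.php")
# Limits from the post: files <= 644, directories <= 755, configure.php 644/444/400.
MAX_FILE_MODE = 0o644
MAX_DIR_MODE = 0o755
CONFIGURE_OK = (0o644, 0o444, 0o400)


def _mode(path):
    """Permission bits only (no file-type bits), without following symlinks."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_tree(root):
    """Return a sorted list of (relative_path, finding) for everything that
    violates the limits.  An empty list means the tree passes."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        dmode = _mode(dirpath)
        if dmode & ~MAX_DIR_MODE:  # any bit outside rwxr-xr-x (group/world write, setuid, ...)
            findings.append((rel_dir, "directory mode %o exceeds %o" % (dmode, MAX_DIR_MODE)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode is meaningless; its target is audited where it lives
            rel = os.path.normpath(os.path.join(rel_dir, name))
            fmode = _mode(path)
            if name == "configure.php":
                if fmode not in CONFIGURE_OK:
                    findings.append((rel, "configure.php mode %o, want 644, 444 or 400" % fmode))
            elif fmode & ~MAX_FILE_MODE:
                findings.append((rel, "file mode %o exceeds %o" % (fmode, MAX_FILE_MODE)))
            if name in DANGEROUS_ADMIN_FILES and os.path.basename(dirpath) == "admin":
                findings.append((rel, "remove this file: known file manager / define_language attack surface"))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample store: a world-writable images/ dir, a 666 index.php,
    the file manager still present, and a correctly locked-down configure.php."""
    layout = {
        "images/": 0o777,
        "admin/": 0o755,
        "includes/": 0o755,
        "admin/file_manager.php": 0o644,
        "includes/configure.php": 0o444,
        "index.php": 0o666,
        "product_info.php": 0o644,
    }
    os.chmod(base, 0o755)
    for rel, mode in layout.items():  # directories are listed before their files
        path = os.path.join(base, rel.rstrip("/"))
        if rel.endswith("/"):
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    # Audit the directory given on the command line, or a constructed demo tree.
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree(tempfile.mkdtemp())
    for rel, msg in audit_tree(target):
        print("%-30s %s" % (rel, msg))
```

On the demo tree it reports images (777), index.php (666) and the presence of admin/file_manager.php, and stays silent about configure.php at 444. The check masks with ~755 / ~644 rather than comparing for equality, so setuid/setgid bits and group-write are caught too; a directory that a host insists must be 777 (see the images/ and backups/ discussion further down the thread) will show up every run, which is the point.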

#2   stubbsy

stubbsy
  • Members
  • 551 posts

Posted 29 August 2008 - 15:09

Thanks Sam,

there were a couple of tips in there that had passed me by...

Cheers

Dave

#3   webbydeb

webbydeb
  • Members
  • 674 posts

Posted 29 August 2008 - 15:24

It always helps having to be PCI compliant too... having that scan every few days going through your system catching anything that may be vulnerable. It never hurts to alert you to vulnerabilities.

I love Security Pro. I tried the IP trap but it worked so well my PCI compliance scanner got blocked *laughing*. Now I just keep looking at my error log, and put questionable entities in my disallow lines of my .htaccess file. That may not be the best way to do it, but it's what I've got for now.
Debora
Breaking code....  one website at a time.
Vibrators:  like cute little puppies without the puppy breath.  Who can't like a vibrator?
Life Tip: Taking yourself too seriously? Put on a penis hat and look in the mirror every 5 minutes.  That should fix it.
"Finally found the ball gag for those damn voices. Now to pull out the whip....
" - Me
Member of the CODE BREAKERS CLUB - WE RULE!

#4   php_Guy

php_Guy
  • Members
  • 179 posts

Posted 04 September 2008 - 05:13

When you say...

Permissions on folders should be no higher than 755.


... I assume you mean all except:

/catalog/images
/catalog/admin/backups
/catalog/admin/images/graphs

I get errors when I drop the permissions below 777 on those folders.

#5   Black Jack 21

Black Jack 21
  • Members
  • 81 posts

Posted 05 September 2008 - 06:47

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.


Read it once again!

#6   php_Guy

php_Guy
  • Members
  • 179 posts

Posted 05 September 2008 - 14:48

Read it once again!


Thank you for your enlightened reply. However, it is osCommerce, not the host that requires that those folders be world writable. The docs and the knowledgebase both state that they should be left at 777. If there is a way to secure them while still keeping osCommerce happy please let me know how to do so.

#7   m.a.t.t

m.a.t.t
  • Members
  • 106 posts

Posted 05 September 2008 - 14:53

Not one of my folders has permissions 777, everything works fine.

#8   sponna

sponna
  • Members
  • 42 posts

Posted 05 September 2008 - 18:47

I believe 777 is only vulnerable if the server itself is vulnerable i.e. not set up securely. You cannot upload and execute a file remotely as far as I'm aware - the attack would need to come from within. Although this post is quite old, I think it makes interesting reading. Irrespective, always chmod to the most secure settings that still allow your site to run:

http://www.simplemac...hp?topic=2987.0
up the down escalator..........

#9   php_Guy

php_Guy
  • Members
  • 179 posts

Posted 06 September 2008 - 04:46

Not one of my folders has permissions 777, everything works fine.


With /catalog/images set below 777, all is fine with the store. When I then enter admin, everything is still fine until I click on products/catalog. At this point, osC sees that it is unable to write to the images directory (and therefore unable to upload images for new products, etc. via admin) and therefore generates an error that is listed at the top of the screen.

Since I FTP images up anyway this isn't a big issue, but /catalog/admin/backups and /catalog/admin/images/graphs have a similar problem. If they aren't world-writable, they cannot work as intended. Unless of course there is more to it that I am unaware of. That's why I asked the initial question.

As to it really being a security issue, I agree. I think a properly configured server manages the risk. However, it could be a bandwidth issue. Someone could use your world-writable directory as a warez file depository and post on warez boards where to get them. Suddenly, you could see a huge jump in bandwidth which could be costly if you have to pay for use beyond your allowance.

#10   DJStealth

DJStealth
  • Members
  • 14 posts

Posted 07 September 2008 - 22:01

This seems a little confusing here.

osCommerce requires 777 for the backup directory, images directory, and a few other places. Also, if you use a script that does caching of resized images, it also requires 777.

I guess the questions are this..
a) Is it possible for someone to do an HTTP upload file to any directory that's 777, without a script accepting it?
b) If so, maybe one can set up an .htaccess file to block write access this way?

#11   FWR Media

FWR Media
  • Members
  • 6,839 posts

Posted 07 September 2008 - 22:30

This seems a little confusing here.

osCommerce requires 777 for the backup directory, images directory, and a few other places. Also, if you use a script that does caching of resized images, it also requires 777.

I guess the questions are this..
a) Is it possible for someone to do an HTTP upload file to any directory that's 777, without a script accepting it?
b) If so, maybe one can set up an .htaccess file to block write access this way?



Add a .htaccess including the following code.

php_flag engine off
<Files ~ "\.(php*|s?p?html|cgi|pl)$">
deny from all
</Files>

Not my code. Was suggested to me by BL4CK from thedefaced[d0t]org security group, and I can see the benefit.

Won't work with suexec, but a php.ini version would suffice.

Edited by FWR Media, 07 September 2008 - 22:34.


#12   Bushmaster

Bushmaster
  • Members
  • 456 posts

Posted 08 September 2008 - 01:56

This seems a little confusing here.

osCommerce requires 777 for the backup directory, images directory, and a few other places. Also, if you use a script that does caching of resized images, it also requires 777.

I guess the questions are this..
a) Is it possible for someone to do an HTTP upload file to any directory that's 777, without a script accepting it?
b) If so, maybe one can set up an .htaccess file to block write access this way?


It's not osCommerce that requires it. It is the config of the server. On the host I use I have to set configure.php to 0444 to get the "I can write" error to go away, so my image folder goes no higher than 0755.

#13   skunkbad

skunkbad
  • Members
  • 42 posts

Posted 08 September 2008 - 15:29

Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

You can add htaccess protection http://addons.oscommerce.com/info/6066

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Also make sure that all files, except for the two configure.php files, have permissions no higher than 644.

The permissions for the two configure.php files will vary according to the server your site is on: any of 644, 444 or 400 is correct, depending on the server.

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

Do it now, avoid getting that nasty addition to your listings in google: 'This site might damage your computer'
Or find all your customers data has been posted on a hackers bulletin board somewhere, etc etc


If the default osCommerce script is really this vulnerable, I think osCommerce should let people know before they download the script and spend countless hours customizing their installation.
No Links To My Website Here!

#14   web-project

web-project
  • Members
  • 4,320 posts

Posted 08 September 2008 - 16:58

Very useful contributions, if the server is not set up properly. Personally I use a firewall on my server and only get email logs of people who are trying to hack osCommerce websites; these people/IP addresses go automatically into my blacklist.

example:

Time: Sun Sep 7 18:16:39 2008 +0100
IP: 193.xx.xxx.xxx (country name)
Failures: 1 (mod_security)
Interval: 215 seconds
Blocked: Yes

Log entries:

[Sun Sep 07 18:16:35 2008] [error] [client 193.xx.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:goto. [id "950006"] [msg "System Command Injection. Matched signature </mail>"] [severity "CRITICAL"] [hostname "domain name"] [uri "/admin/file_manager.php?goto=/home/user_name/public_html//images/mail"] [unique_id "dvZTxFXqk2sAAH@an4YAAAAE"]


Edited by web-project, 08 September 2008 - 16:59.

Please read this line: Do you want to find all the answers to your questions? click here. As for contribution database it's located here!
8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.
Before installing contribution or editing/updating/deleting any files, do the full backup, it will save to you & everyone here on the forum time to fix your issues.
Any issues with oscommerce, I am here to help you.
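To turn log lines like the one web-project quotes above into a blocklist, here is an added Python example (not part of the post, and not the firewall or mod_security tooling web-project actually runs): it parses Apache error-log entries written by ModSecurity, counts denials per client IP, and separately flags requests aimed at admin/file_manager.php and admin/define_language.php, the two scripts Sam's post says to delete. The four log lines are constructed for the demo (documentation-range IPs, hostname shop.example, made-up unique_ids) in the same layout as the quoted entry; only the first is a file-manager probe.

```python
"""Parse ModSecurity (Apache error log) entries, count denials per client IP,
and flag requests aimed at the osCommerce admin attack surface.
Added example: not part of the original post or of any real tooling.
The SAMPLE_LOG lines are constructed for the demo."""
import collections
import re

# '[ts] [error] [client IP] ModSecurity: Access denied with code NNN ...' or '... Warning. ...'
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] ModSecurity: '
    r'(?:Access denied with code (?P<code>\d+)|Warning)'
)
# Trailing [key "value"] tags that ModSecurity appends to each entry.
TAG_RE = re.compile(r'\[(?P<k>id|msg|severity|hostname|uri|unique_id) "(?P<v>[^"]*)"\]')

# Admin scripts the post above says to delete; any request for them is hostile or a misconfiguration.
ADMIN_ATTACK_SURFACE = ("/admin/file_manager.php", "/admin/define_language.php")

# Constructed sample entries (IPs from the documentation ranges, invented ids).
SAMPLE_LOG = [
    '[Sun Sep 07 18:16:35 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 '
    '(phase 2). Pattern match "(?:\\b(?:(?:n(?:et..." at ARGS:goto. [id "950006"] '
    '[msg "System Command Injection. Matched signature </mail>"] [severity "CRITICAL"] '
    '[hostname "shop.example"] [uri "/admin/file_manager.php?goto=/home/user/public_html//images/mail"] '
    '[unique_id "constructed-1"]',
    '[Sun Sep 07 18:20:01 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 '
    '(phase 2). Pattern match "..." at ARGS:products_id. [id "950001"] [msg "SQL Injection Attack"] '
    '[severity "CRITICAL"] [hostname "shop.example"] [uri "/product_info.php?products_id=1%27"] '
    '[unique_id "constructed-2"]',
    '[Sun Sep 07 18:21:30 2008] [error] [client 198.51.100.7] ModSecurity: Warning. Pattern match '
    '"..." at ARGS:keywords. [id "950004"] [msg "Cross-site Scripting (XSS) Attack"] '
    '[severity "CRITICAL"] [hostname "shop.example"] '
    '[uri "/advanced_search_result.php?keywords=%3Cscript%3E"] [unique_id "constructed-3"]',
    '[Sun Sep 07 18:22:00 2008] [notice] mod_security/2.5 configured',  # not a ModSecurity event line
]


def parse_modsec_line(line):
    """Return a dict for a ModSecurity entry, or None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "ip": m.group("ip"),
           "denied": m.group("code") is not None, "code": m.group("code")}
    rec.update(TAG_RE.findall(line))                   # (key, value) pairs -> dict entries
    rec["path"] = rec.get("uri", "").split("?", 1)[0]  # drop the query string
    return rec


def summarize(lines, block_after=1):
    """Count blocked requests per client IP and list admin-surface probes.
    block_after: how many denials earn an IP a place on the blocklist."""
    per_ip = collections.Counter()
    admin_hits = []
    for line in lines:
        rec = parse_modsec_line(line)
        if rec is None or not rec["denied"]:
            continue  # warnings (detect-only rules) are logged but not counted
        per_ip[rec["ip"]] += 1
        if rec["path"].endswith(ADMIN_ATTACK_SURFACE):
            admin_hits.append((rec["ip"], rec["path"], rec.get("id")))
    blocked = sorted(ip for ip, n in per_ip.items() if n >= block_after)
    return {"per_ip": dict(per_ip), "blocked": blocked, "admin_hits": admin_hits}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip in result["blocked"]:
        print("block", ip, "(%d denials)" % result["per_ip"][ip])
    for ip, path, rule_id in result["admin_hits"]:
        print("admin probe", ip, path, "rule", rule_id)
```

On the sample, 192.0.2.10 is blocked after two denials and its file_manager.php request is listed as an admin probe; 198.51.100.7 only triggered a detect-only warning and is not counted. Feed `summarize()` the lines of a real error_log and raise `block_after` to whatever false-positive tolerance your PCI scanner needs (see Debora's note above about the IP trap blocking the compliance scanner).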

#15   FWR Media

FWR Media
  • Members
  • 6,839 posts

Posted 08 September 2008 - 17:29

very useful contributions, if the server is not setup properly. Personally using firewall on my server and getting only email logs of people who is trying to hack oscommerce websites & these people/IP addreses automatically in my black list.

example:


Server set up is no replacement at all for code side input/output escaping, server security is a totally different animal addressing totally different needs.

#16   WoodsWalker

WoodsWalker
  • Members
  • 389 posts

Posted 12 September 2008 - 01:58

Thanks for the list, Sam, and thanks Deborah for that hint regarding PCI compliance. You're right on.

Right now my compliance people are failing me due to apparent vulnerability to cross-site scripting, so this thread came at just the right time.

~Wendy

#17   themilkman

themilkman
  • Members
  • 302 posts

Posted 12 September 2008 - 09:51

Hi

I am looking at the install instructions for Anti XSS and do not understand how it can write to a file called iplog.txt?

Nowhere in the .htaccess code is there a reference to the IP address being written to the .txt file.

Am I missing code here?

=======

Also I have installed Secure your site with an IP trap http://addons.oscommerce.com/info/5914.

The add-on successfully blocks you, but when it writes the IP address to a text file called IP_trapped.txt the blocked IP address is written as an invisible line. Also when the program writes an email to you, again the IP address is not shown/invisible.

Does any one know how to make the IP address visible?

Thank You

TMM

Edited by themilkman, 12 September 2008 - 09:53.

Whats the point of a signature?

#18   themilkman

themilkman
  • Members
  • 302 posts

Posted 13 September 2008 - 21:15

Hi

I have installed Security Pro latest version but get the following error after the entire add-on installation:

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'MAX_RANDOM_SELECT_NEW' at line 1

select products_id, products_image, products_tax_class_id, products_price from products where products_status = '1' order by products_date_added desc limit MAX_RANDOM_SELECT_NEW


Can anyone please suggest what to do here?

Thanks

Bal
Whats the point of a signature?

#19   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,212 posts

Posted 13 September 2008 - 21:41

Make sure the file that should have been put in /includes/languages/english is there, or that an edit to add a define to /includes/languages/english.php has been done correctly.
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#20   themilkman

themilkman
  • Members
  • 302 posts

Posted 13 September 2008 - 21:52

Make sure the file that should have been put in /includes/languages/english is there or an edit to add a define to /includes/languages/english.php has been done corectly.



Hi, for the contribution Security Pro 1.0.2 http://addons.oscommerce.com/info/5752 there is no mention of having to put anything into the languages/english folder.

Please explain


Basically when I load my site the main page just shows the header image, side menu and the rest is blank with the error message. I have not put back the old application_top file and it is back to normal until I find out the fix.


Thanks

B

Edited by themilkman, 13 September 2008 - 21:55.

Whats the point of a signature?