Jump to content



Photo
* * * * - 6 votes

How to secure your osCommerce 2.2 site.


This topic has been archived. This means that you cannot reply to this topic.
656 replies to this topic

#641   Taipo

Taipo
  • Members
  • 794 posts

Posted 27 December 2011 - 19:44

If osC_Sec is the addon you are looking for then download it from
http://addons.oscommerce.com/info/8283

Unpack the zip file into your hardrive and open the readme.htm file which has all the instructions in it of how to install.

For a list of other recommended addons for versions of osCommerce earlier than 2.3, see this link
http://forums.oscomm...ecurity-thread/
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#642   m.ather

m.ather
  • Members
  • 14 posts

Posted 03 January 2012 - 03:03

Let me explain again,
The problem is that the catalog i am using for a site didn't have any .httaccess file which is the file where we add all the contents to secure ourselves from ip attacks and to make admin site secure.
I tried to use some one's contents and added the long script from "Deny domain access to spammers httaccess script" contribution but it doesn't work. Thats why i am asking what is the best solution for that.
Thanks so much

The contents of the htaccess file differs by site and the contributions you have added, so it would be a complete guess as to what yours should contain.

Sorry

G



#643   builder_bob

builder_bob
  • Members
  • 34 posts

Posted 07 January 2012 - 18:51

thanks for this!

#644   adobe19

adobe19
  • Members
  • 19 posts

Posted 18 January 2012 - 16:39

I installed site monitor , ip trap security addons for 2.2rc2a tomorrow and some errors appeared.Today when i try to login admin page didnt open and this errors appeared.

Warning: include(includes/secret.php) [function.include]: failed to open stream: No such file or directory in/home/freeus78/public_html/admin/includes/application_top.php on line 48

Warning: include() [function.include]: Failed opening 'includes/secret.php' for inclusion (include_path='.:/usr/local/php53/pear') in/home/freeus78/public_html/admin/includes/application_top.php on line 48

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/freeus78/public_html/admin/includes/application_top.php:48) in /home/freeus78/public_html/admin/includes/functions/sessions.php on line 102

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/freeus78/public_html/admin/includes/application_top.php:48) in /home/freeus78/public_html/admin/includes/functions/sessions.php on line 102

Warning: Cannot modify header information - headers already sent by (output started at /home/freeus78/public_html/admin/includes/application_top.php:48) in/home/freeus78/public_html/admin/includes/functions/general.php on line 22

i also tried installing security pro but couldnt.it says


Find ...


if ($request_type == 'NONSSL') {

Add immediately ABOVE ...


// Security Pro by FWR Media
include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
$security_pro = new Fwr_Media_Security_Pro;
// If you need to exclude a file from cleansing then you can add it like below
//$security_pro->addExclusion( 'some_file.php' );
$security_pro->cleanse( $PHP_SELF );
// End - Security Pro by FWR Media

That's it .. all installed!



can someone show me exactly how it seems in code page are there spaces between sentences and at the bottom and the top.Thanks


Edited by adobe19, 18 January 2012 - 16:51.


#645   DunWeb

DunWeb

    The Censored One

  • Members
  • 13,084 posts

Posted 18 January 2012 - 16:46

@adobe19,

You failed to upload the files included in the add on to the appropriate directories.




Chris
:|: Was this post helpful ? Click the LIKE THIS button :|:

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)

#646   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,211 posts

Posted 19 January 2012 - 01:23

Look at the installation instructions for IP Trap and read the bit about where to put the file secret.php.

You have either not uploaded it or it is in the wrong place.

HTH

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#647   adobe19

adobe19
  • Members
  • 19 posts

Posted 28 January 2012 - 00:22

Hi.I almost know nothing about web site creation.While following the guides i couldnt figure out how the codes should look after i paste the new lines.I put the lines before and after pasting.Can you check if these are correct.Also i would ask the location of htaccess file.Thanks

security pro

before

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

if ($request_type == 'NONSSL') {
define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}

after

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
// Security Pro by FWR Media
include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
$security_pro = new Fwr_Media_Security_Pro;
// If you need to exclude a file from cleansing then you can add it like below
//$security_pro->addExclusion( 'some_file.php' );
$security_pro->cleanse( $PHP_SELF );
// End - Security Pro by FWR Media
if ($request_type == 'NONSSL') {
define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}


-----------------------------------------------

before

// include the list of project filenames
require(DIR_WS_INCLUDES . 'filenames.php');

// include the list of project database tables
require(DIR_WS_INCLUDES . 'database_tables.php');


after

// include the list of project filenames
require(DIR_WS_INCLUDES . 'filenames.php');
// IP Trap V5
include(DIR_WS_INCLUDES . 'secret.php');
// include the list of project database tables
require(DIR_WS_INCLUDES . 'database_tables.php');

------------------------------------------

#648   adobe19

adobe19
  • Members
  • 19 posts

Posted 28 January 2012 - 21:52

i reread my previous post and realized couldnt make my point.I am asking if there are spaces between lines and should the lines be aligned to left or is there a spaces.Generally what do i need to do after pasting the lines.thanks

#649   sarahw167

sarahw167
  • Members
  • 7 posts

Posted 29 January 2012 - 03:53

Do the steps outlined by spooks to secure your site apply to v2.3 also?

kind regards,
Sarah

#650   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,211 posts

Posted 29 January 2012 - 10:10

The changes to secure the log on do not need to be done in 2.3.1.

Download and read the installation instrutoins for the contributions.

Then you can decide if you want to install them.

Cheers

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#651   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,211 posts

Posted 29 January 2012 - 10:11

i reread my previous post and realized couldnt make my point.I am asking if there are spaces between lines and should the lines be aligned to left or is there a spaces.Generally what do i need to do after pasting the lines.thanks


If it was importnt the installation instructions would have said so.

To learn more aout php look at w3schools.com

HTH

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#652   sarahw167

sarahw167
  • Members
  • 7 posts

Posted 29 January 2012 - 23:22

The changes to secure the log on do not need to be done in 2.3.1.

Download and read the installation instrutoins for the contributions.

Then you can decide if you want to install them.

Cheers

G


Thanks for your response. I'll review the rest of them. I ran through the process in a previous version but have since installed the new one.

thanks,
Sarah

#653   Carbon_Fibre

Carbon_Fibre
  • Members
  • 19 posts

Posted 24 July 2012 - 11:28

Hello

I have an OSC 2.2 RC2A site installed. I'm using the Products URL field to link to pdf manuals located in another folder. Since I installed the add-ons suggested on the first page i.e. Security Pro, Site Monitor, IP Trap and Anti-XSS as well as copied the .htaccess files from OSC 2.3 and copied them to this site.

But after this website, visitors are unable view these pdf documents. When clicked, the link directs back to index.php instead of the pdf document. (Note from the backend admin, if you view the product and click on the link, it works.)

I've tested it on another installation without the add-ons and that works. Obviously, something is blocking the pdf document from being opened and kicking it back to the home page. I have removed the Anti-XSS, but that didn't help.

Does anyone have any ideas which of the above add-ons it could be?

Thanks in advance /smile.png' class='bbc_emoticon' alt=':)' />

Edited by Carbon_Fibre, 24 July 2012 - 11:29.


#654   Carbon_Fibre

Carbon_Fibre
  • Members
  • 19 posts

Posted 24 July 2012 - 12:36

Please ignore post above. See http://forums.oscomm...-ons-installed/

#655   bigpicture

bigpicture
  • Members
  • 5 posts

Posted 22 September 2012 - 08:02

Can anyone help with this?

I've added multiple security features including FWR Security Pro and .htaaccess additions listed through pixclinic under ANTI Cross Site Scripting attacks, but SecurityMetrics are still flagging the following:

Description: CGI Generic Remote File Inclusion Synoposis: Arbitrary code may be run on the remote server. Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to include a remote file from a remote server and execute arbitrary commands on the target host. See also : http://en.wikipedia...._File_Inclusion http://projects.weba...-File-Inclusion Data Received: Using the POST HTTP method, SecurityMetrics found that : + The following resources may be vulnerable to web code injection : + The 'osCsid' parameter of the /shopping_cart.php CGI : /shopping_cart.php [osCsid=http://Fh3il70z.example.com/] -------- output --------< /TR>< TR> [...] includes/languages/english/images/buttons/menu_top6.gif" alt="" width="97" height="16" /></A><A HREF="http://www.<MYSITENA...ME>.com/contact _us.php?osCsid=http://Fh3il70z.example.com/"><img src="includ [...]< /TR>< /TABLE></TD> ------------------------ /shopping_cart.php [action=update_product&osCsid=http://Fh3il70z.example .com/] -------- output --------< /TR>< TR> [...] includes/languages/english/images/buttons/menu_top6.gif" alt="" width="97" height="16" /></A><A HREF="http://www.<MYSITENA...ME>.com/contact _us.php?osCsid=http://Fh3il70z.example.com/"><img src="includ [...]< /TR>< /TABLE></TD> ------------------------ Other references : CWE:98, CWE:78, CWE:434, CWE:632, CWE:73, CWE:473, CWE:801, CWE:714, CWE:727 Resolution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade. Risk Factor: High/ CVSS2 Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P


Seems strange that they've never spotted anything before. Does anyone have any ideas on how to fix this?

Thanks,
Simon

#656   sionsweet

sionsweet
  • Members
  • 10 posts

Posted 21 October 2012 - 22:16

quick question with the ip trap.
will it ban ip's that go to ANY of the disallowed folders in robots.txt?

we run oscommerce alongside our normal info site, and didnt want visiters to land straight into the shop from google etc, so the whole catalog folder is in the robots.txt.
just checking im not going to end up banning all visiters /smile.png' class='bbc_emoticon' alt=':)' />

CHeers,
Sion.

#657   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,211 posts

Posted 16 March 2013 - 15:11

IP trap only catches visitors to

/personal

or if you have changed/renamed your admin and you have followed the instructions in the installation instructions

/admin

HTH

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.