How to secure your osCommerce 2.2 site.


656 replies to this topic

#61   ncoded

ncoded
  • Members
  • 44 posts

Posted 18 February 2009 - 15:05

I appreciate that a lot of talented people write add-ons, but personally I NEVER install any add-ons, not unless you can reverse-engineer the code so that you know what it is doing, and if that were the case you would just write the add-on yourself.

Let's be honest, how would you know that the add-on not only did what you wanted, but didn't also email out admin logins, etc.?

Personally I think OSC needs to have 2 types of add-ons, unvalidated (untested by OSC) and validated (tested by OSC).

Well, that's my opinion anyhow; we will see what v3 has to offer (hot on the heels of Magento).

#62   spooks

spooks
  • Members
  • 7,017 posts

Posted 18 February 2009 - 15:21

If contribs were damaging, especially these security related ones, it would quickly be discovered by the osC experts here, reported & the offending item removed.

If you're saying you have installed no security measures such as these on your site, then the hackers will love you; they won't tell you that though!!!

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#63   ncoded

ncoded
  • Members
  • 44 posts

Posted 19 February 2009 - 11:16

Thanks for your reply Sam.

This is really good news to hear that some people are looking at add-ons (security); however, to be honest I meant more 'all add-ons'.

Clearly once you put code on your server it can pretty much do what it wants.

I read about the 'reviews SQL inject flaw' picked up by (a dodgy sounding) security company.

Are you saying that osC has many security flaws? What type? Is there a response from osC on this?

Is there a list of osC security flaws somewhere?

Edited by ncoded, 19 February 2009 - 11:17.


#64   spooks

spooks
  • Members
  • 7,017 posts

Posted 19 February 2009 - 11:47

I've not seen one, then I've not looked that hard.

I believe having installed those listed here you should have no problems, barring issues introduced by any other contrib you install; certainly having applied these to sites that have been attacked has prevented any repeat.

I must say I was surprised to see that 'testimonials' still has issues, since it's been known for a very long time it has security flaws & there is well-published info on the web showing how to execute the hack.

Clearly you do need to check that any contrib you add does not open any new holes; it might be prudent to simply add sanitising code to any page that allows customer input using POST (GET is cleaned by Security Pro) for any contrib you install, better safe than sorry.

Sam


#65   TheZag

TheZag
  • Members
  • 55 posts

Posted 24 February 2009 - 19:40

Thanks a lot for this helpful and precious post !
A BIG THANKS !

#66   XxWickedxX

XxWickedxX
  • Members
  • 271 posts

Posted 02 March 2009 - 11:49

Typical of the results some others got, the Anti XSS does not work for me. It just creates an internal 500 error on the site.

#67   Coopco

Coopco
  • Members
  • 9,557 posts

Posted 02 March 2009 - 11:57

> Typical of the results some others got, the Anti XSS does not work for me. It just creates an internal 500 error on the site.

I think it depends on how your server is set up. I do not get the same results with some of them; I just cannot access the site via http.


The Coopco Underwear Shop



If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

#68   chrish123

chrish123
  • Members
  • 126 posts

Posted 04 March 2009 - 16:35

Lately I've been locking down a few problems on our server, so I thought I'd share this one:

Disable the HTTP TRACK | TRACE method in Apache, which is enabled by default and is used for cross-site tracing, which is similar to cross-site scripting (XSS).


Open your httpd.conf on the server:

somewhere in there you can ADD:

TraceEnable Off

There is another method which uses Apache rewrite, but the above method is obviously better. Anyway, the second method is to add the code below in the same httpd.conf file, not in your www .htaccess file:

# Anti cross site tracing - protection
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]


#69   chrish123

chrish123
  • Members
  • 126 posts

Posted 04 March 2009 - 16:52

> Typical of the results some others got, the Anti XSS does not work for me. It just creates an internal 500 error on the site.


The "anti XSS script" after pixclinics I added would fail on certain files. I did ask for my file to be removed, but they removed my comment instead!

I use SEO-G and noticed I needed to put "advanced_search.php" in the exclude list, otherwise it won't work as I have an "ajax search" contribution in there.


I'm currently just using the below in my .htaccess file, but note the track|trace reference: that won't actually do anything in the website root, as it needs to be put directly in the httpd.conf. A PCI Compliance scan would confirm it!

# 1) add these lines to your .htaccess file
# 2) create an index_error.php file with whatever content you want to be displayed.

# Anti XSS

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# [F] would return a bare 403 and ignore the index_error.php substitution, so [L] is
# used instead; the trailing "?" drops the query string from the rewritten request so
# the conditions above do not match again on the internal redirect and loop.
RewriteRule ^(.*)$ index_error.php? [L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# prevent image theft / hotlinking except the sites below

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?change-to-your-sitename\.com/.*$ [NC]
# if you're using images directly from your site on ebay.com for example, you can uncomment the 2 lines below:
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?ebay\.co\.uk/.*$ [NC]
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?ebay\.com/.*$ [NC]
RewriteRule \.(gif|jpg|png|bmp|swf|pdf)$ - [F]


<Files .htaccess>
order allow,deny
deny from all
</Files>

<FilesMatch "\.(bak|sql|inc)$">
deny from all
</FilesMatch>

#70   XxWickedxX

XxWickedxX
  • Members
  • 271 posts

Posted 04 March 2009 - 21:03

So making those edits to that httpd.conf will achieve the same thing without .htaccess modification or is the .htaccess code from the contrib still needed?

#71   grreatone31

grreatone31
  • Members
  • 3 posts

Posted 05 March 2009 - 08:40

I was curious: after I download all the PHP files, are they to be uploaded to the admin folder? I am unable to get it to "install" security pro.php. If it is in the wrong folder I am willing to move it wherever it needs to be. I am a total newbie at this but not an idiot.

#72   spooks

spooks
  • Members
  • 7,017 posts

Posted 05 March 2009 - 09:22

All contribs contain installation instructions, just follow those to the letter.


Sam


#73   catlover

catlover
  • Members
  • 15 posts

Posted 07 March 2009 - 06:04

I added the contribs suggested by Sam in the original message. Excellent info, thanks Sam!

I did run across a problem with IP Trap. When I tested the install, I received the banned message, as expected, and an email was sent with the IP address. I noticed in IP_Trapped.txt the blocked IP was 999.999.999.999. I removed this number and tested again, received the banned message, but no IP address was added to IP_Trapped.txt. I set the permissions to 755 for the folder and 666 for IP_Trapped. I followed the install instructions, but cannot get the IP_Trapped file to read the IP addresses. If I leave the default IP address 999.999.999.999, then I cannot access our site at all. Anyone have suggestions on a workaround?

Thanks,

Regards,
Joe

#74   catlover

catlover
  • Members
  • 15 posts

Posted 08 March 2009 - 04:11

I got the IP Trap to work. My robots.txt was not identifying the folder personal - I inadvertently left out "/". The IP address was then written to IP_Trapped.txt. My advice is to double check the robots.txt file.

Regards,
Joe

#75   vivithemage

vivithemage
  • Members
  • 13 posts

Posted 11 March 2009 - 04:25

I tried out all CHMOD's on this config file and I keep getting the same error RIGHT after installation :

Warning Warning: I am able to write to the configuration file: /home2/alistaqu/public_html/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

I go to the file and I went through 644, 444, 400, etc...read, read, read only on all 3...but it still says it :(.

Linux system.

#76   XxWickedxX

XxWickedxX
  • Members
  • 271 posts

Posted 11 March 2009 - 04:39

I am not sure this question pertains to the contribs, so I am going to go out on a limb and guess you just installed osCommerce for the first time. 444 works just fine, but with 400 being ideal there should be no message or problem. I'm not sure, but you may need to contact your host and ask why your permission settings are not being applied. Also keep in mind there are 2 configure files. Make sure you get both of them: one in the admin directory and one in the includes directory. This particular error is of course talking about the one in your /includes/ directory. I would contact your host for further help on why your permissions are not being applied.

#77   spooks

spooks
  • Members
  • 7,017 posts

Posted 11 March 2009 - 08:44

Not related to this thread; search, there's plenty on this (+ you can't set it with FTP!!!)
Sam


#78   vivithemage

vivithemage
  • Members
  • 13 posts

Posted 11 March 2009 - 13:15

> I am not sure this question pertains to the contribs, so I am going to go out on a limb and guess you just installed osCommerce for the first time. 444 works just fine, but with 400 being ideal there should be no message or problem. I'm not sure, but you may need to contact your host and ask why your permission settings are not being applied. Also keep in mind there are 2 configure files. Make sure you get both of them: one in the admin directory and one in the includes directory. This particular error is of course talking about the one in your /includes/ directory. I would contact your host for further help on why your permissions are not being applied.


Changing it via cPanel FTP worked out better, thanks :)

#79   geoffreywalton

geoffreywalton
  • Community Sponsor
  • 8,206 posts

Posted 14 March 2009 - 09:07

Anybody got any thoughts why after entering cc details on authorize.net

https://secure.autho...ay/transact.dll

the IP trap is activated when returning, and the XSS script is too?

I know some people do not like authorize.net but this is overkill!!

:-)

The IP trap script, block.php, displays a "you are blocked" page, but it is not shown if I change punish = 2 to = 0 in the secret.php script:

<?php
// Take the User-Agent header if present and non-empty, otherwise an empty string
$ua = ( isset($_SERVER['HTTP_USER_AGENT']) && ($_SERVER['HTTP_USER_AGENT'] != "")) ? $_SERVER['HTTP_USER_AGENT'] : "";
$ip = $_SERVER["REMOTE_ADDR"]."\n";
$punish = 0;
// A request with no User-Agent at all is treated as a bot and punished
if ( $ua == "" )
{
    $punish = 2;
}

The browser agent is not shown on the screen. Just had a thought: is it the single quotes around HTTP_USER_AGENT?

So once that was changed I then get told to "go away" by the XSS script. Looks like the rules in .htaccess redirect the page as well.

Took this out and everything worked:

# extra anti uri and xss attack script 2 - sql injection prevention
#Options +FollowSymLinks
#RewriteEngine On
#RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteCond %{QUERY_STRING} (javascript:).*(\;).* [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteRule (,|;|<|>|'|`) /log.php [NC]

Put transact.dll in the exclude list and turned on the functionality.

and only the secrep.php seemed to trigger the block

Can you see what is being invoked?

I would prefer to re-enable IP trap and XSS, so any help would be appreciated.

Thanks

Geoffrey
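The query-string conditions quoted in post #69 (the [OR]-linked "Anti XSS" chain) and in post #79 (the commented-out "sql injection prevention" line) can be tried offline. The Python script below is an added example written for this thread, not code from the forum or from any osCommerce contribution; it re-implements those RewriteCond patterns with Python's re module (Apache tests them against the raw, still URL-encoded QUERY_STRING, hence the %3C-style alternatives) and runs constructed sample query strings through them, including a harmless product search that trips the SQL rule the way the "go away" false positives described above do.

```python
import re

# Constructed re-implementation of the RewriteCond patterns quoted in the thread.
# Apache matches them against the raw, undecoded QUERY_STRING, so the patterns
# themselves look for %3C, %3E and %22 as well as the literal characters.
# Post #69 chain: every condition carries [OR], so the rule fires if ANY matches.
ANTI_XSS_CHAIN = [
    (r"base64_encode.*\(.*\)", 0),                  # no [NC]: case-sensitive
    (r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE),   # [NC]
    (r"(<|%3C).*iframe.*(>|%3E)", re.IGNORECASE),   # [NC]
    (r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", 0),
    (r"_REQUEST(=|\[|%[0-9A-Z]{0,2})", 0),
]
# Post #79: the commented-out SQL-injection condition, flagged [NC].
SQLI_RULE = r"(;|'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).*"


def xss_hits(query_string):
    """Return the patterns of the [OR] chain that match the raw query string."""
    return [pat for pat, flags in ANTI_XSS_CHAIN if re.search(pat, query_string, flags)]


def sqli_hit(query_string):
    """True if the SQL-injection condition would fire for the raw query string."""
    return re.search(SQLI_RULE, query_string, re.IGNORECASE) is not None


def classify(query_string):
    """Summarise what the .htaccess rules would do with one request's query string."""
    hits = xss_hits(query_string)
    sqli = sqli_hit(query_string)
    return {"xss": hits, "sqli": sqli, "blocked": bool(hits) or sqli}


# Constructed sample query strings, as a browser would send them to an osCommerce page.
SAMPLES = [
    "products_id=31&action=add_product",             # ordinary add-to-cart
    "keywords=%3Cscript%3Ealert(1)%3C/script%3E",    # encoded <script> tag
    "keywords=o'brien+jacket+for+men",               # benign: a quote, then "or" inside "for"
    "keywords=men%27s+shoes",                        # same apostrophe, URL-encoded as %27
    "keywords=x%22%20or%201=1",                      # encoded quote followed by "or"
]

if __name__ == "__main__":
    for qs in SAMPLES:
        print(f"{qs:48} -> {classify(qs)}")
```

Running it shows the rule is both over-inclusive (the O'Brien search is blocked because a literal quote is followed by "or" somewhere later) and under-inclusive (the %27-encoded apostrophe is not in the alternation, so the same text passes when the browser encodes it).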

#80   web-project

web-project
  • Members
  • 4,320 posts

Posted 14 March 2009 - 10:55

100% secured my website? without any contributions.

The simple solution is firewall protection + Mod Security
Please read this line: Do you want to find all the answers to your questions? click here. As for contribution database it's located here!
8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.
Before installing contribution or editing/updating/deleting any files, do the full backup, it will save to you & everyone here on the forum time to fix your issues.
Any issues with oscommerce, I am here to help you.