
How to secure your osCommerce 2.2 site.


651 replies to this topic

#101 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 23 March 2009, 13:12

Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

ie SecurityPro_installer.php in your browser!!!!!!!!!
Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#102 Anthony Watkins

  • Community Member
  • 14 posts
  • Real Name:Anthony Watkins

Posted 23 March 2009, 22:16

I've done it at last - Thanks both. There's no stopping me now!.

Thanks for taking the time to help me.

Anthony




spooks, on Mar 23 2009, 01:12 PM, said:

Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

ie SecurityPro_installer.php in your browser!!!!!!!!!


#103 mariemeh

  • Community Member
  • 136 posts
  • Real Name:Marie
  • Gender:Male

Posted 24 March 2009, 02:36

Coopco, on Mar 23 2009, 08:55 AM, said:

Not sure we are talking about the same thing. I didn't really understand your post (sorry).

I do not have your htaccess stuff (a lot of this stuff did not work for me anyway and crashed my site).

I do have ip trap working.

My only issue is with Security Pro and the files that I added to Security Pro exclude list in admin.

Security Pro on, modules do not work.

Security Pro off, modules do work.

Security Pro is now off before I permanently remove it.


I thought I had that situation too... but curiously enough having tried everything else... I decided to put Security Pro back up (cause I remembered that I installed that one first, Site Monitor second and IP Trap last... and after installing Security Pro... everything was working with my payments)... so Security Pro is back on... I removed the call to the secret.php file in the application_top.php file and funny enough... my payments are working again. As soon as my site isn't interacting with the IP Trap contrib... all is well. As soon as I put the call to secret.php file, everything starts to go wrong again.

I'm starting to think that maybe what I did wrong is how I coded this line that shows up twice in personal/index.php and once in includes/secret.php : /home/***username***/public_html/catalog/banned/IP_Trapped.txt

I coded mine this way... and please note, I'm sooooooooooo not an expert so I'm pretty sure I did it wrong:
/var/www/vhosts/mysite.com/httpdocs/catalog/banned/IP_Trapped.txt

could it be that I did that wrong and it's what's been creating all this havoc?

Any thoughts?

#104 Coopco

  • Community Member
  • 9,557 posts
  • Real Name:Leslie Cooper
  • Gender:Male
  • Location:Sea Lake, Victoria, Australia

Posted 24 March 2009, 07:02

mariemeh, on Mar 24 2009, 01:36 PM, said:

I thought I had that situation too... but curiously enough having tried everything else... I decided to put Security Pro back up (cause I remembered that I installed that one first, Site Monitor second and IP Trap last... and after installing Security Pro... everything was working with my payments)... so Security Pro is back on... I removed the call to the secret.php file in the application_top.php file and funny enough... my payments are working again. As soon as my site isn't interacting with the IP Trap contrib... all is well. As soon as I put the call to secret.php file, everything starts to go wrong again.

I'm starting to think that maybe what I did wrong is how I coded this line that shows up twice in personal/index.php and once in includes/secret.php : /home/***username***/public_html/catalog/banned/IP_Trapped.txt

I coded mine this way... and please note, I'm sooooooooooo not an expert so I'm pretty sure I did it wrong:
/var/www/vhosts/mysite.com/httpdocs/catalog/banned/IP_Trapped.txt

could it be that I did that wrong and it's what's been creating all this havoc?

Any thoughts?

What was the symptom with the payment module not working?


The Coopco Underwear Shop



If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.

#105 mariemeh

  • Community Member
  • 136 posts
  • Real Name:Marie
  • Gender:Male

Posted 24 March 2009, 15:03

the customer would pick Paypal as their payment option... and click continue... they would be redirected to the Paypal page... the payment would complete and on the customer screen, the customer was redirected to the checkout_success.php page and the order was completed on the customers side but on the admin side, the "completion" of the payment never appeared which leads me to believe that something in my IP Trap was preventing the Paypal gateway to return to the cart and give the information of payment completed.

Every single time I remove the call to the secret.php page in the application_top.php page... everything works. The htaccess file new code doesn't seem to affect anything... the new robot.txt file doesn't affect anything either in the working of my site nor is Security Pro or Site Monitor... and I would think the robot.txt and htaccess files, if they were causing issues, would still be causing them whether the call to the IP Trap contrib was made or not. I'm not a pro at this... but that's what my gut's telling me at this time.

If anything in my thinking is flawed... don't hesitate to say so.

#106 Coopco

  • Community Member
  • 9,557 posts
  • Real Name:Leslie Cooper
  • Gender:Male
  • Location:Sea Lake, Victoria, Australia

Posted 25 March 2009, 08:10

mariemeh, on Mar 25 2009, 02:03 AM, said:

the customer would pick Paypal as their payment option... and click continue... they would be redirected to the Paypal page... the payment would complete and on the customer screen, the customer was redirected to the checkout_success.php page and the order was completed on the customers side but on the admin side, the "completion" of the payment never appeared which leads me to believe that something in my IP Trap was preventing the Paypal gateway to return to the cart and give the information of payment completed.

Every single time I remove the call to the secret.php page in the application_top.php page... everything works. The htaccess file new code doesn't seem to affect anything... the new robot.txt file doesn't affect anything either in the working of my site nor is Security Pro or Site Monitor... and I would think the robot.txt and htaccess files, if they were causing issues, would still be causing them whether the call to the IP Trap contrib was made or not. I'm not a pro at this... but that's what my gut's telling me at this time.

If anything in my thinking is flawed... don't hesitate to say so.

Yours is different to mine. After payment was made via the payment gateway, the customer was returned to the shop's payment page with the card error message at the top.



#107 scfcrob

  • Community Member
  • 14 posts
  • Real Name:rob ledgar

Posted 02 April 2009, 12:45

Apologies in advance - I am feeling my way and have no experience of php/sql web building other than my self-taught experience over the last few weeks.
Any step by step support without being flamed would be greatly appreciated :rolleyes:

re instruction
Firstly: -
"Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings."

When I try to open the php script in IE it just shows a page of text and doesn't appear to run the script. How can I tell if it updated?

I am okay with the other instructions until I get to

"Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)."

Is this through my store (catalog/admin control panel - same place as new administrators are set up?) or should it be available thro' FTP? I can't see it in either but that may be down to me getting step 1 wrong!!!

#108 Coopco

  • Community Member
  • 9,557 posts
  • Real Name:Leslie Cooper
  • Gender:Male
  • Location:Sea Lake, Victoria, Australia

Posted 02 April 2009, 12:52

scfcrob, on Apr 2 2009, 10:45 PM, said:

Apologies in advance - I am feeling my way and have no experience of php/sql web building other than my self-taught experience over the last few weeks.
Any step by step support without being flamed would be greatly appreciated :rolleyes:

re instruction
Firstly: -
"Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings."

When I try to open the php script in IE it just shows a page of text and doesn't appear to run the script. How can I tell if it updated?

I am okay with the other instructions until I get to

"Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)."

Is this through my store (catalog/admin control panel - same place as new administrators are set up?) or should it be available thro' FTP? I can't see it in either but that may be down to me getting step 1 wrong!!!

As Sam said in post 101. http://www.yourdomain.com/catalog/SecurityPro_installer.php

If that does not work, then you cannot do anything in your admin.



#109 Eirik

  • Community Member
  • 64 posts
  • Real Name:Eirik

Posted 18 April 2009, 01:59

Couple of things I'm curious about. Firstly, there is a contribution http://addons.oscommerce.com/info/6536 that supposedly shores up a security risk in the whos_online. So my first question is: is this actually a risk? And my second question: contribution http://addons.oscommerce.com/info/6044 has an alternative posted that removes html tags as well, and I'm curious if that means FCKeditor would cease to function?

Thank you in advance for your time and consideration.

#110 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 18 April 2009, 07:51

any time quotes are allowed there is a risk so sanitising them is good.

these contribs work on the client side, so anything operating on the admin side is un-affected.

#111 Eirik

  • Community Member
  • 64 posts
  • Real Name:Eirik

Posted 18 April 2009, 09:23

Thank you so much for the fast reply, it's very much appreciated.

#112 bhavatmaj

  • Community Member
  • 53 posts
  • Real Name:Bhavatmaj
  • Gender:Male
  • Location:India

Posted 22 April 2009, 06:43

thanks
bhavatmaj

#113 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 23 April 2009, 23:55

bhavatmaj, on Apr 22 2009, 07:43 AM, said:

thanks

that's all u ever say!!! :huh:

#114 andes1

  • Community Member
  • 181 posts
  • Real Name:andrea pataquiva diaz

Posted 24 April 2009, 02:45

HA HA HA

Tomorrow he'll add " thanks a lot".

Ha HA ha


Note: I'm just kidding (no offense)... some poking of fun is always necessary

#115 Eirik

  • Community Member
  • 64 posts
  • Real Name:Eirik

Posted 04 May 2009, 06:53

So I have implemented all the security patches that were suggested and I'm running smoothly, that is until I decided I needed to reimplement the tell a friend for some additional "word of mouth" advertising. I have hit a wall: the Security Pro add-on is so diligent it scrubs my @'s and even after a good amount of searching, I can't figure out how to allow an additional character to escape the cleansing.



edit, this is the add-on I'm referring to.
http://addons.oscommerce.com/info/5752


edit, I have found I can exclude the tell_a_friend.php from the cleansing via the admin, but this isn't really ideal I don't think since I would be leaving a gap in the overall security of the site, maybe I'm wrong on that.

Edited by Eirik, 04 May 2009, 07:01.


#116 Eirik

  • Community Member
  • 64 posts
  • Real Name:Eirik

Posted 04 May 2009, 08:24

Figured I would post an addition to my original in case other people in future run in to this problem. While I am still looking for a way in which to pass the @ from the info box to the tell_a_friend.php without using the excludes for Security Pro, I have found a way in which you can link your current product to the tell_a_friend so it will email the proper link.

<?php echo '<a href="' . tep_href_link(FILENAME_TELL_A_FRIEND, 'products_id=' . $HTTP_GET_VARS['products_id']) . '">' . tep_image_button('button_tell_a_friend.gif', BOX_HEADING_TELL_A_FRIEND) . '</a>'; ?>

That link can be placed anywhere within the product page and will send the product information to the tell_a_friend.php

#117 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 05 May 2009, 20:04

security pro works through an 'allowed' list, to allow an additional char u must add to that list.

in security.php

 return preg_replace("/[^ {}a-zA-Z0-9_.-]/i", "", urldecode($get_var));

to allow the @ put

return preg_replace("/[^ {}a-zA-Z0-9@_.-]/i", "", urldecode($get_var));


;)

Edited by spooks, 05 May 2009, 20:06.

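The two posts above (#115's worry that excluding tell_a_friend.php from the filter leaves a gap, and #117's fix of adding @ to the allowed character class) come down to how an allow-list sanitiser behaves. The PHP below is an added illustration, not Security Pro's own code: it wraps the preg_replace line quoted in #117 in a hypothetical helper (sanitise_get_var is an assumed name) and runs both variants of the pattern over constructed sample values, so you can see exactly what is dropped and what widening the class by one character does and does not let through.

```php
<?php
// Added example, not part of Security Pro. sanitise_get_var is an assumed
// helper name; the two patterns are the ones quoted in post #117.
function sanitise_get_var($get_var, $allow_at = false)
{
    // Allow list: space, braces, letters, digits, underscore, dot, hyphen.
    // Every character NOT in the class is deleted from the decoded value.
    $pattern = $allow_at
        ? "/[^ {}a-zA-Z0-9@_.-]/i"   // variant with '@' added (post #117)
        : "/[^ {}a-zA-Z0-9_.-]/i";   // original security.php line
    return preg_replace($pattern, "", urldecode($get_var));
}

// Constructed sample inputs (not taken from a real request):
// an e-mail address as a tell-a-friend form would submit it, a value with
// markup around the address, a value carrying quotes, and a harmless one.
$samples = array(
    'friend%40example.com',          // URL-encoded '@'
    'Sam <sam@example.com>',         // angle brackets around the address
    "products_id=31' OR '1'='1",     // quotes and '=' are not on the list
    '{gallery}image-1.jpg',          // entirely inside the allow list
);

foreach ($samples as $raw) {
    printf("%-30s strict: %-22s with @: %s\n",
        $raw,
        sanitise_get_var($raw),
        sanitise_get_var($raw, true));
}
```

With the strict pattern the first sample becomes friendexample.com, which is why tell-a-friend broke; with @ added it is passed intact, while angle brackets, quotes and = are still removed from every other sample. That is the difference between the two remedies: adding one character to the class keeps the filter active for everything else on the page, whereas putting tell_a_friend.php on the exclude list switches the filter off for every parameter that page receives.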

#118 Eirik

  • Community Member
  • 64 posts
  • Real Name:Eirik

Posted 05 May 2009, 20:08

spooks, on May 5 2009, 08:04 PM, said:

security pro works through an 'allowed' list, to allow an additional char u must add to that list.

in security.php

 return preg_replace("/[^ {}a-zA-Z0-9_.-]/i", "", urldecode($get_var));

to allow the @ put

return preg_replace("/[^ {}a-zA-Z0-9@_.-]/i", "", urldecode($get_var));


;)

Thanks so much, you are a gentleman and a scholar sir!

#119 support@dir

  • Community Member
  • 77 posts
  • Real Name:will
  • Gender:Male

Posted 07 May 2009, 18:48

EricK, on Dec 30 2008, 01:19 AM, said:

I got the IP Trap to work by replacing the " " double quotes with ' ' single quotes where you define absolute path to '/home/***username***/public_html/catalog/banned/IP_Trapped.txt'

Files changed:
catalog/includes/secret.php
catalog/personal/index.php

Regards,
Eric_K


i am having the same problem with the 99.999.99.999 and i still am not banned. i changed the single quotes to double and that didn't fix it.

help?!?

will

#120 support@dir

  • Community Member
  • 77 posts
  • Real Name:will
  • Gender:Male

Posted 07 May 2009, 18:53

QUOTE (charinlasvegas @ Dec 7 2008, 08:51 PM)
Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999

I got the IP Trap to work by replacing the " " double quotes with ' ' single quotes where you define absolute path to '/home/***username***/public_html/catalog/banned/IP_Trapped.txt'

Files changed:
catalog/includes/secret.php
catalog/personal/index.php

Regards,
Eric_K

i am having a problem with ip trap: it just shows the 999.999.999.999 and i am not banned even though i tried to ban myself. i did the above fix but it didn't fix the problem. i still am not banned.

please help me

will