
How to secure your osCommerce 2.2 site.


656 replies to this topic

#21   themilkman

  • Members
  • 302 posts
  • Real Name: Bal

Posted 13 September 2008 - 11:53 PM

themilkman, on Sep 13 2008, 10:52 PM, said:

Hi, for the contribution Security Pro 1.0.2 http://addons.oscommerce.com/info/5752 there is no mention of having to put anything into the languages/english folder.

Please explain.


Basically when I load my site the main page just shows the header image, side menu and the rest is blank with the error message.  I have not put back the old application_top file and it is back to normal until I find out the fix.


Thanks

B


Hi, this issue is fixed - I accidentally commented something out.



On another note - does anyone have any test cases to test all the contributions in this thread?

Many Thanks

B
What's the point of a signature?

#22   lakay

  • Members
  • 1 posts
  • Real Name: lloid

Posted 22 September 2008 - 10:04 AM

hello

#23   Hotclutch

  • Members
  • 1,243 posts
  • Real Name: Ashley
  • Gender: Male
  • Location: Cape Town, SA

Posted 23 September 2008 - 09:12 PM

I cannot successfully test IP trap after installing. I get the warning message after running mystore\personal, but the IP does not get logged in the text file and I can still browse everywhere afterwards. Permissions are 777 on the txt file. My hosting server does not allow me to upload .htaccess files for some reason. Could it be due to this?

#24   Celebrimbor

  • Members
  • 124 posts
  • Real Name: Rafael
  • Gender: Male
  • Location: Brasil

Posted 25 September 2008 - 05:21 PM

When I tried to install the AntiXSS, I had an error:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/factoryr/public_html/includes/functions/general.php on line 39

Can somebody help me, please?

Thank you

Rafael

OScommerce Rocks!


#25   So_Not_an_HTML_genius

  • Members
  • 74 posts
  • Real Name: K.D.B

Posted 06 November 2008 - 06:41 PM

spooks, on Aug 29 2008, 07:41 AM, said:

Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

You can add htaccess protection http://addons.oscommerce.com/info/6066

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Also make sure that all files, except for the two configure.php files have permissions no higher than 644.

The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400 which is correct.

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

Do it now, and avoid getting that nasty addition to your listings in Google: 'This site might damage your computer'.
Or find all your customers' data has been posted on a hacker's bulletin board somewhere, etc. etc.

How do I install addons? I know this is probably a thread elsewhere, but for the life of me, I cannot find it. Can someone please tell me where I can learn or get a tutorial as to how to install addons? I really feel lost with PHP. I also have a question as to how to find PHP pages in my store/catalog that appear in my index. If I look at my index page live on the web and look at the source, there is more info there than is found on my index.php. I know these may seem like basic questions and you all may think... my god, they should know how to do this, but I do not. So, even if there is a tutorial that can help, I can use it!

Thanks,
Kelly
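The permission rules quoted above (files no higher than 644, folders no higher than 755, the two configure.php files at 644, 444 or 400) are easy to check mechanically. The script below is an added example, not the thread's or any addon's code; it assumes PHP 5.3 or later and takes the catalog directory as a command-line argument.

```php
<?php
// Added example, not the thread's or any addon's code: audits a catalog tree
// against the permission rules quoted above (files at most 644, directories
// at most 755, the two configure.php files 644, 444 or 400).  Needs PHP 5.3+.
// $catalog_dir is an assumption: pass your own catalog path on the command line.

function oscommerce_permission_audit($catalog_dir)
{
    $problems = array();
    $tree = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($catalog_dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($tree as $path => $info) {
        $mode = fileperms($path) & 0777;      // keep only the rwx bits
        if ($info->isDir()) {
            // any bit outside rwxr-xr-x (i.e. group/other write) is too open
            if (($mode & ~0755) !== 0) {
                $problems[] = sprintf('%s: directory is %04o, expected at most 0755', $path, $mode);
            }
        } elseif ($info->getFilename() === 'configure.php') {
            if (!in_array($mode, array(0644, 0444, 0400), true)) {
                $problems[] = sprintf('%s: configure.php is %04o, expected 0644, 0444 or 0400', $path, $mode);
            }
        } elseif (($mode & ~0644) !== 0) {
            // any execute bit or group/other write bit exceeds rw-r--r--
            $problems[] = sprintf('%s: file is %04o, expected at most 0644', $path, $mode);
        }
    }
    return $problems;
}

// usage: php permission_audit.php /home/user/public_html/catalog
$catalog_dir = isset($argv[1]) ? $argv[1] : dirname(__FILE__);
$problems = oscommerce_permission_audit($catalog_dir);
if (count($problems) === 0) {
    echo "No permission problems found under $catalog_dir\n";
} else {
    echo implode("\n", $problems), "\n";
    exit(1);                                  // non-zero so a cron job can notice
}
```

Run it as the same user the web server runs PHP as; a subdirectory the script cannot open makes the iterator throw an UnexpectedValueException, which is itself a sign that ownership rather than mode bits is the problem.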

#26   spooks

  • Members
  • 7,017 posts
  • Real Name: Sam
  • Gender: Male
  • Location: UK

Posted 09 November 2008 - 08:35 PM

Contributions will have instructions contained within on install details; follow those.

If a contrib doesn't, then don't use it.

Use of a compare tool will also help.
Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#27   mwiznitzer

  • Members
  • 5 posts
  • Real Name: Mitch

Posted 12 November 2008 - 09:11 AM

I had an error with AntiXSS as well. Just putting the function into general.php broke it, without the call in application_top.php. That makes no sense... how could an uncalled function cause the page to break?

#28   forensicit

  • Members
  • 4 posts
  • Real Name: Dave M

Posted 12 November 2008 - 05:39 PM

Any help for Windows installations?  The .htaccess stuff does not work on the IIS server.

#29   php_Guy

  • Members
  • 179 posts
  • Real Name: Some Guy
  • Gender: Male
  • Location: Corvallis, OR

Posted 12 November 2008 - 06:11 PM

forensicit, on Nov 12 2008, 09:39 AM, said:

Any help for Windows installations?  The .htaccess stuff does not work on the IIS server.

That is correct. It does not.

#30   php_Guy

  • Members
  • 179 posts
  • Real Name: Some Guy
  • Gender: Male
  • Location: Corvallis, OR

Posted 12 November 2008 - 06:13 PM

mwiznitzer, on Nov 12 2008, 01:11 AM, said:

I had an error with AntiXSS as well. Just putting the function into general.php broke it, without the call in application_top.php. That makes no sense... how could an uncalled function cause the page to break?

If you get errors simply from adding a function, then you added the function into the middle of code or outside of the php tags. Double check the documentation and ensure that you are adding the function in the correct place.

#31   forensicit

  • Members
  • 4 posts
  • Real Name: Dave M

Posted 12 November 2008 - 07:46 PM

forensicit, on Nov 12 2008, 11:39 AM, said:

Any help for Windows installations?  The .htaccess stuff does not work on the IIS server.

So what is the procedure for securing a site on a Windows OS?  Just use password protect?

#32   jailaxmi

  • Members
  • 281 posts
  • Real Name: Yol
  • Gender: Female
  • Location: North Carolina - USA

Posted 14 November 2008 - 08:50 PM

Hotclutch, on Sep 23 2008, 04:12 PM, said:

I cannot successfully test IP trap after installing. I get the warning message after running mystore\personal, but the IP does not get logged in the text file and I can still browse everywhere afterwards. Permissions are 777 on the txt file. My hosting server does not allow me to upload .htaccess files for some reason. Could it be due to this?

Yeah, same thing here. I got myself banned, but I can still browse and shop all I want. My IP does not get logged, although I got the email saying it was banned. I have an .htaccess file, so I am not sure what the problem is. Any ideas out there?

Thanks,

Yol
I repeat myself when under stress, I repeat myself when under stress, I repeat myself...

--King Crimson (“Discipline”)

#33   charinlasvegas

  • Members
  • 307 posts
  • Real Name: Charlene
  • Gender: Female
  • Location: Nevada

Posted 08 December 2008 - 01:18 AM

Re: IP Trap

I just installed and am getting these errors:

Warning: fopen(http://www.bellafavori.com/banned/IP_Trapped.txt) [function.fopen]: failed to open stream: HTTP wrapper does not support writeable connections in /home/bellafav/public_html/personal/index.php on line 25

Warning: flock() expects parameter 1 to be resource, boolean given in /home/bellafav/public_html/personal/index.php on line 26

Warning: Cannot modify header information - headers already sent by (output started at /home/bellafav/public_html/personal/index.php:25) in /home/bellafav/public_html/personal/index.php on line 41


Help?

#34   charinlasvegas

  • Members
  • 307 posts
  • Real Name: Charlene
  • Gender: Female
  • Location: Nevada

Posted 08 December 2008 - 01:51 AM

Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999

#35   bobsi18

  • Members
  • 438 posts
  • Real Name: bobsi18
  • Gender: Female
  • Location: Melbourne, Australia

Posted 28 December 2008 - 07:45 AM

spooks, on Aug 29 2008, 10:41 PM, said:

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Thanks for the great post, am working through the list now.  Two questions in regard to the Anti XSS:
1) there are two (reasonably) different contributions under that link - which is the better/more effective one?
2) how do I know it's working?!

Thanks :)

#36   FIMBLE

  • Community Sponsor
  • 6,576 posts
  • Real Name: Nic
  • Gender: Male

Posted 28 December 2008 - 11:15 PM

Quote

Re: IP Trap

I just installed and am getting these errors:

Warning: fopen(http://www.bellafavori.com/banned/IP_Trapped.txt) [function.fopen]: failed to open stream: HTTP wrapper does not support writeable connections in /home/bellafav/public_html/personal/index.php on line 25

Warning: flock() expects parameter 1 to be resource, boolean given in /home/bellafav/public_html/personal/index.php on line 26

Warning: Cannot modify header information - headers already sent by (output started at /home/bellafav/public_html/personal/index.php:25) in /home/bellafav/public_html/personal/index.php on line 41


Help?

This means that your banned/IP_Trapped.txt is not writable;
set the folder to 755 and the file IP_Trapped.txt to 777.

Quote

Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999

Have you added the call in application_top.php?

If you are using the latest version then it should not be any problem, as I rewrote it to be robust :-)
Sometimes you're the dog and sometimes the lamp post

My Contributions
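The three warnings quoted in that post are one failure chain: fopen() was given an http:// URL, which PHP cannot open for writing, it returned false, flock() was then handed that boolean, and the warning text printed on the page is what caused "headers already sent" on the later redirect. As an added example (not the IP Trap addon's own code), a version of the record/check logic that uses a filesystem path, checks each step, and reports failure through return values and the server error log rather than page output; the ban-file location is an assumption.

```php
<?php
// Added example, not the IP Trap addon's own code: records a trapped visitor's
// IP in the ban file using a filesystem path (an http:// URL cannot be opened
// for writing) and reports failure by return value instead of printing a
// warning, so the redirect header sent afterwards still works.
// The ban-file location below is an assumption; adjust it to your layout.

define('IP_TRAP_FILE', dirname(__FILE__) . '/banned/IP_Trapped.txt');

function ip_trap_record($ip, $file = IP_TRAP_FILE)
{
    // Accept only a well-formed IPv4/IPv6 address, never raw header text
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // This is the check the quoted fopen() warning was missing
    if (!is_file($file) || !is_writable($file)) {
        return false;
    }
    $fh = @fopen($file, 'a');
    if ($fh === false) {
        return false;             // never pass a boolean on to flock()
    }
    $ok = false;
    if (flock($fh, LOCK_EX)) {
        $ok = (fwrite($fh, $ip . "\n") !== false);
        flock($fh, LOCK_UN);
    }
    fclose($fh);
    return $ok;
}

// The application_top.php side: is this visitor already in the ban file?
function ip_trap_is_banned($ip, $file = IP_TRAP_FILE)
{
    if (!is_readable($file)) {
        error_log('IP trap: cannot read ' . $file);   // fails open, but is logged
        return false;
    }
    $banned = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return ($banned !== false && in_array($ip, $banned, true));
}

// Trap page usage, before any HTML is output:
if (!ip_trap_record($_SERVER['REMOTE_ADDR'])) {
    error_log('IP trap: could not write ' . IP_TRAP_FILE);  // server log, not the page
}
header('Location: /');            // still works because nothing was printed
exit;
```

With a file that the web server user can write, fwrite() under LOCK_EX is what keeps two simultaneous trap hits from interleaving lines; with a file it cannot write, the function returns false and the redirect still goes out.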

#37   whitehawk43

  • Members
  • 285 posts
  • Real Name: Ben
  • Gender: Male
  • Location: Idaho

Posted 29 December 2008 - 07:46 PM

Quote

If you are using the latest version then it should not be any problem as i rewrote it to be robust :-)

Fimble

Was that taken care of when you did my install?

Ben

#38   EricK

  • Members
  • 313 posts
  • Real Name: Eric_K
  • Gender: Male
  • Location: Atlanta, GA USA

Posted 30 December 2008 - 05:19 AM

charinlasvegas, on Dec 7 2008, 08:51 PM, said:

Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999

I got the IP Trap to work by replacing the " " double quotes with ' ' single quotes where you define the absolute path to '/home/***username***/public_html/catalog/banned/IP_Trapped.txt'.

Files changed:
catalog/includes/secret.php
catalog/personal/index.php

Regards,
Eric_K

#39   lowkey704

  • Members
  • 197 posts
  • Real Name: lonny m.
  • Gender: Male
  • Location: NC

Posted 31 December 2008 - 07:20 AM

Warning: file(DOCUMENT_ROOT/../banned/IP_Trapped.txt) [function.file]: failed to open stream: Permission denied in /var/www/vhosts/themancaveoutletstore.com/httpdocs/includes/secret.php on line 7

Warning: Invalid argument supplied for foreach() in /var/www/vhosts/themancaveoutletstore.com/httpdocs/includes/secret.php on line 15

This is coming from the Application Top

I also wasn't getting banned... my IP never showed up... but then again maybe it all has to do with the error above... I disabled the application top code for now... any takers on this?
Yeah Yeah I am learning as I go... lol

#40   rednme

  • Members
  • 21 posts
  • Real Name: Jeff Genno

Posted 03 January 2009 - 04:26 PM

Hi, I have applied most of the recommended addons without problems, except the last one: Anti cross site attack.

I added all 3 files from the contribution page.
After adding the contribution, I have the following error (seems like from the first package):

Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/... /catalog/includes/functions/general.php on line 33

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/.../catalog/includes/functions/general.php on line 39


general.php lines 33 and 39 are as follows:

   $search .= '~`";:?+/={}[]-_|'\';  // this is #33
   for ($i = 0; $i < strlen($search); $i++) {
     // ;? matches the ;, which is optional
     // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars

     // &#x0040 @ search for the hex values
     $val = preg_replace('/(&#[x|X]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; // this is #39
     // @ @ 0{0,7} matches '0' zero to seven times


Is that line 33 correct? I wonder.
So I tried commenting out line 33; then it seemed to work fine, except
I couldn't add any products to the shopping cart, and could not log in as a customer.
All email addresses that I enter change into some other characters, and it says email and password don't match...

So again I went to includes/application_top.php and commented out some of the addon lines:
removing the top 2 lines made my site function normally.

// BOF : Remove XSS ATTACK
//    if (!empty($_POST)) array_walk_recursive($_POST, 'RemoveXSS');
//    if (!empty($_GET)) array_walk_recursive($_GET, 'RemoveXSS');
      if (!empty($_COOKIE)) array_walk_recursive($_COOKIE, 'RemoveXSS');
      if (!empty($_SERVER)) array_walk_recursive($_SERVER, 'RemoveXSS');
      if (!empty($_SESSION)) array_walk_recursive($_SESSION, 'RemoveXSS');
      if (!empty($_REQUEST)) array_walk_recursive($_REQUEST, 'RemoveXSS');
// EOF : Remove XSS ATTACK

Can someone help?

Thanks to you all.

genesis
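The "unexpected character '\'" at line 33 is a PHP string-literal problem, not a logic one: inside a single-quoted string a literal apostrophe has to be written \' and a literal backslash \\, so the line as quoted (ending in |'\';) closes the string one character early, and the mismatched quotes then surface as the parse error at line 39. As an added example (not the Anti XSS addon's own code), the correctly escaped search set and the line-39 entity normalisation written as a function; it goes a little beyond the quoted lines by also handling the decimal &#64; form.

```php
<?php
// Added example, not the Anti XSS addon's own code.  Shows how the line that
// produced the parse error above has to be written: inside a single-quoted
// PHP string a literal ' is \' and a literal \ is \\.  The loop is the same
// hex-entity normalisation as the quoted line 39, plus the decimal form.

function xss_search_set()
{
    $search  = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    // The quoted line 33 ended with |'\'; which closes the string early.
    // Escaped correctly, the set ends with a single quote and a backslash:
    $search .= '~`";:?+/={}[]-_|\'\\';
    return $search;
}

// Replace &#x0040; / &#64; style encodings of each character in the search
// set with the plain character, so later checks see "@" rather than an entity.
function xss_normalise_entities($val)
{
    $search = xss_search_set();
    for ($i = 0; $i < strlen($search); $i++) {
        $hex = dechex(ord($search[$i]));
        $dec = ord($search[$i]);
        // &#x0040; with up to 8 leading zeros, optional ';', case-insensitive x
        $val = preg_replace('/(&#[xX]0{0,8}' . $hex . ';?)/i', $search[$i], $val);
        // &#0064; decimal form, same padding rule
        $val = preg_replace('/(&#0{0,8}' . $dec . ';?)/', $search[$i], $val);
    }
    return $val;
}

// Constructed sample: an email-like field with "@" submitted in two encodings
$sample = 'user&#x0040;example.com and &#64;';
echo xss_normalise_entities($sample), "\n";   // user@example.com and @
```

Note that the search set contains no '<' or '>', so an encoded tag bracket is left as-is by this loop; that is the contribution's division of labour, with tag matching done in later steps.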