
How to secure your osCommerce 2.2 site.


651 replies to this topic

#241 JR Sales Company

  • Community Member
  • 33 posts
  • Real Name:Jason
  • Gender:Male
  • Location:Missouri, USA

Posted 17 November 2009, 20:19

spooks, on 13 November 2009, 21:55, said:

Most pages that use forms use the post method, some simply add this snippet to application top to cover all, but remember some add-ons use arrays that this would delete & some (mainly payment modules) use characters that this would remove.

Sorry not the precise answer you wanted!


PS osC uses $HTTP_POST_VARS, but add-ons may use $_POST, the 2 are interchangeable, though $HTTP_POST_VARS is deprecated in php 5
Where would you recommend as the best spot to insert the snippet if you were going to put it in app_top.php? Right before everything else?

Thanks! :D
When I chose the 'Cars' category for my avatar, I expected to be able to choose the Hudson Hornet. Does that make me weird? :p

#242 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 17 November 2009, 20:32

JR Sales Company, on 17 November 2009, 20:19, said:

Where would you recommend as the best spot to insert the snippet if you were going to put it in app_top.php? Right before everything else?

Thanks! :D


No, maybe at the end, but I think the best place would be just before the cart functions, i.e. just before

switch ($HTTP_GET_VARS['action']) {

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#243 tigergirl

  • Community Member
  • 423 posts
  • Real Name:Tigergirl
  • Gender:Not Telling
  • Location:UK

Posted 19 November 2009, 11:23

spooks, on 29 August 2008, 11:41, said:

FORMS:

Security Pro cleans the query string, however any forms using $_POST are un-affected, if you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

after:

require('includes/application_top.php');

add:
 
// clean posted vars
reset($_POST);
while (list($key, $value) = each($_POST)) {
    if (!is_array($_POST[$key])) {
        $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
    } else { unset($_POST[$key]); } // no arrays expected
}


This does not allow for arrays, additional code is needed if they are used.

Thanks for the last reply. I'm looking at account_edit.php first off. It has $HTTP_POST_VARS so I added the above code. But an email address has @, so should that character be added to preg_replace? The word array appears in the file - will this make a difference? How do I test if it's working?
I have anti-robot registration installed.

I'm unsure about this and a little nervous I break something.
I'm feeling lucky today......maybe someone will answer my post!
I do try and answer a simple post when I can just to give something back.
------------------------------------------------
PM me? - I'm not for hire

#244 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 19 November 2009, 11:59

tigergirl, on 19 November 2009, 11:23, said:

Thanks for the last reply. I'm looking at account_edit.php first off. It has $HTTP_POST_VARS so I added the above code. But an email address has @, so should that character be added to preg_replace? The word array appears in the file - will this make a difference? How do I test if it's working?
I have anti-robot registration installed.

I'm unsure about this and a little nervous I break something.


If you look, the @ is already there in that string.

osC uses arrays a lot, but arrays within post vars very rarely and not within account_edit.php, just test to see if any entered data is lost where the form action includes the add_multi param.
Sam


#245 tigergirl

  • Community Member
  • 423 posts
  • Real Name:Tigergirl
  • Gender:Not Telling
  • Location:UK

Posted 19 November 2009, 13:18

spooks, on 19 November 2009, 11:59, said:

If you look, the @ is already there in that string.

OOPS! Perhaps I should have gone to the optician first! Sorry about that! Double DOH! In account_edit I put this for customer name : [w](o)%3Cr%3Ek|i*n^g but it still says [w](o)%3Cr%3Ek|i*n^g . Shouldn't it say "working"? Or did I test it wrongly?

#246 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 19 November 2009, 13:28

tigergirl, on 19 November 2009, 13:18, said:

OOPS! Perhaps I should have gone to the optician first! Sorry about that! Double DOH! In account_edit I put this for customer name : [w](o)%3Cr%3Ek|i*n^g but it still says [w](o)%3Cr%3Ek|i*n^g . Shouldn't it say "working"? Or did I test it wrongly?


Likely your server is treating $_POST & $HTTP_POST_VARS separately.



Near the start of application_top.php add:

if (PHP_VERSION >= 4.1) { $HTTP_GET_VARS =& $_GET; $HTTP_POST_VARS =& $_POST; }


Sam


#247 tigergirl

  • Community Member
  • 423 posts
  • Real Name:Tigergirl
  • Gender:Not Telling
  • Location:UK

Posted 19 November 2009, 13:43

spooks, on 19 November 2009, 13:28, said:

Likely your server is treating $_POST & $HTTP_POST_VARS separately.

Near the start of application_top.php add:

if (PHP_VERSION >= 4.1) { $HTTP_GET_VARS =& $_GET; $HTTP_POST_VARS =& $_POST; }

Thank you Sam, it is now "working" so I will go and do the other files. Should we do the admin side as well?

#248 tigergirl

  • Community Member
  • 423 posts
  • Real Name:Tigergirl
  • Gender:Not Telling
  • Location:UK

Posted 19 November 2009, 15:36

Would there be a potential issue using the $_POST fix on pages that require a password? It's just that the most secure passwords may contain values that may be cleaned off??

checkout_success appears to have POST and array together? Should fix be applied on that page?

#249 Jitty25

  • Community Member
  • 33 posts
  • Real Name:JItty

Posted 20 November 2009, 00:38

Hello spooks,
thank you for your constant support. I usually find all answers, but I am not sure this time.

I installed Security Pro, IP trap, Anti XSS, htaccess for renamed admin folder, I deleted file_manager and define_language.php, and I added the code that you have mentioned to every file containing $_POST vars.

Can I remove the Anti XSS now when I have your code in every of those files?

How can I add my language characters to the code? I mean something like š etc. All those characters get omitted in every form now.

Should we add your code to the admin part of the website too? I am asking because of this report http://secunia.com/advisories/22275/ I am sorry if it was discussed on the forum previously, I haven't found it.

Thank you very much for your help

#250 OilyPablo

  • Community Member
  • 25 posts
  • Real Name:Paul
  • Gender:Male

Posted 21 November 2009, 16:18

My first post here.

I just wanted to thank spooks and others for saving our bacon.

We were on our third day of fighting off hackers and somehow I stumbled on this site. A couple of the "patches" stopped the jealous idiot in his tracks.

THANKS!! :D

#251 Lgn.Magic

  • Community Member
  • 49 posts
  • Real Name:Fabien

Posted 21 November 2009, 19:54

Hello There!!

Great tips for securing shop, thank you very much.

I Got 2 little questions.

Why would I get an SSI error when loading my site whenever I add this to my .htaccess?

# Deny domain access to spammers and other scumbags

RewriteEngine on
php_flag register_globals off
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

I've added all of the htaccess code I found good to my htaccess and after having the SSI error, I deleted what I added one by one to see which one was calling the error, and this seems to be the code written above.

For information, I've had a similar error (SSI error) at first when I installed my shop on my hoster, and this was coming from the SEO URL htaccess code which I needed to change from

# Ultimate SEO URLs BEGIN
Options +FollowSymLinks
RewriteEngine On
RewriteBase /

to

# Ultimate SEO URLs BEGIN
# Options +FollowSymLinks
RewriteEngine On
RewriteBase /

(commenting 2nd line)

----------------

Also as you may know, when you install SEO URLs you get a bunch of bad bot blocking from the SEO htaccess code to add.

There is more in http://addons.oscommerce.com/info/6066 - I've not checked the whole list since it's very long, but I saw some are already in the SEO htaccess code to add.

Any problem if one is listed 2 times in my htaccess, or should I just go through the whole list with a compare prog and make 1 single list, deleting those that are there 2 times?

thank you for your time, Fabien.

#252 DanLun

  • Community Member
  • 11 posts
  • Real Name:Dan
  • Gender:Male
  • Location:Sweden

Posted 22 November 2009, 21:43

Spooks! Does the link in this part (original input in this link) really point at the correct place? Thanks //Dan

FILEMANAGER:

It has long been known the filemanager is a security risk & should, nay MUST be removed, if used for editing your site it is likely to damage your files, so is a bad utility to keep anyway, see here. It's also been known it's a possible hacking route & to make matters worse there now exists a very nasty hack that uses filemanager to gain access to your site ( dbase included!! )

#253 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 22 November 2009, 22:49

DanLun, on 22 November 2009, 21:43, said:

Spooks! Does the link in this part (original input in this link) really point at the correct place? Thanks //Dan

FILEMANAGER:

It has long been known the filemanager is a security risk & should, nay MUST be removed, if used for editing your site it is likely to damage your files, so is a bad utility to keep anyway, see here. It's also been known it's a possible hacking route & to make matters worse there now exists a very nasty hack that uses filemanager to gain access to your site ( dbase included!! )


It points to one of the issues with filemanager, why, what did you want it to point to?
Sam


#254 JoeySchmoe

  • Community Member
  • 19 posts
  • Real Name:Cary
  • Gender:Male

Posted 24 November 2009, 04:28

OK, newbie here trying to make OSC secure before getting too deep into personalization. With that said, I tried to install FWR Security Pro, got the administration panel working but then I got this error "Fatal error: Call to a member function add_current_page() on a non-object in /home/chevypar/public_html/includes/application_top.php on line 341". Do I need to "UNINSTALL.sql" and if so how do I do that? Thanks for any help since I'm dead in the water now...

#255 JoeySchmoe

  • Community Member
  • 19 posts
  • Real Name:Cary
  • Gender:Male

Posted 24 November 2009, 04:49

JoeySchmoe, on 24 November 2009, 04:28, said:

OK, newbie here trying to make OSC secure before getting too deep into personalization. With that said, I tried to install FWR Security Pro, got the administration panel working but then I got this error "Fatal error: Call to a member function add_current_page() on a non-object in /home/chevypar/public_html/includes/application_top.php on line 341". Do I need to "UNINSTALL.sql" and if so how do I do that? Thanks for any help since I'm dead in the water now...

OK. Now it's working and I don't know exactly what I did.

#256 Stroker396

  • Community Member
  • 83 posts
  • Real Name:Mark
  • Location:Lost Angels, CA

Posted 24 November 2009, 06:38

Subscribing to this thread
This has become a top priority
The Site can be viewed at www.performanceautopartsonline.com

The site is live (despite these minor glitches) please respect that and do not sign up etc...

maybe a contribution one day when I get this site the way I want it.

I don't make spelling mistakes! I have dyslecsic fingers.

#257 Lgn.Magic

  • Community Member
  • 49 posts
  • Real Name:Fabien

Posted 25 November 2009, 01:08

Lgn.Magic, on 21 November 2009, 19:54, said:

Why would I get an SSI error when loading my site whenever I add this to my .htaccess?

# Deny domain access to spammers and other scumbags

RewriteEngine on
php_flag register_globals off
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

Ok, I found out the answer for this. It seems you are not allowed to add php_flag into a .htaccess, since most of the time (like it is on my hoster) you already have a register_globals option in your vhost control panel to switch register_globals on/off.

To make it work just enter this in your htaccess instead (deleting the php_flag line):

# Deny domain access to spammers and other scumbags

RewriteEngine on
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

#258 Mort-lemur

  • Community Member
  • 1,035 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 26 November 2009, 21:55

Hi,

Back to the (thorny?) subject of file and folder permissions, I have spoken to my host who say basically that I am stuck with using 777 as they do not use PHPsuExec.

So I'm looking at moving hosts.

I'm conscious that I don't want this thread to be bombarded with host adverts - so could anyone (UK based) pm me with their preferred host who does use PHPsuExec (and doesn't cost the earth!)

Many Thanks
Now my store is the way I want it - Secure, working well, and good Google Ranks - Thanks to all for the help given.

If you want to see the mods I have installed, then see my profile.

#259 Ben Nevis

  • Community Member
  • 339 posts
  • Real Name:Richard Goodman
  • Gender:Male

Posted 26 November 2009, 22:17

Mort-lemur, on 26 November 2009, 21:55, said:

Hi,

Back to the (thorny?) subject of file and folder permissions, I have spoken to my host who say basically that I am stuck with using 777 as they do not use PHPsuExec.

So I'm looking at moving hosts.

I'm conscious that I don't want this thread to be bombarded with host adverts - so could anyone (UK based) pm me with their preferred host who does use PHPsuExec (and doesn't cost the earth!)

Many Thanks
What about just changing the permissions to 777 when you need to do something in admin that requires that level of permission and changing them back down to 755 afterwards? It seems my directories can run at 555 most of the time without affecting the functionality of the site, although it's a nuisance when it comes to trying to upload or edit files through ftp, so there must be at least a good chance of not needing 777 all the time?
www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptions, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!
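A follow-up to the permissions exchange above, as an added example that is not code from the thread or from osCommerce: a small PHP script that walks a store's document root and lists every file or directory still left world-writable (the 777 the host forces, or a 777 you set for an admin task and forgot to put back). The root path is an assumption; pass your own on the command line.

```php
<?php
// Added example (not from the thread or osCommerce): audit a directory tree
// for entries whose "other" write bit is set, i.e. anything 77x / 66x.

/**
 * Return an array path => octal mode for every entry under $root that is
 * writable by "other". Unreadable subdirectories are skipped rather than
 * aborting the scan (CATCH_GET_CHILD).
 */
function find_world_writable($root) {
    $hits = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD
    );
    foreach ($it as $path => $info) {
        $mode = $info->getPerms() & 0777;   // drop file-type bits, keep rwx
        if ($mode & 0002) {                 // world write bit
            $hits[$path] = sprintf('%04o', $mode) . ($info->isDir() ? ' (dir)' : '');
        }
    }
    return $hits;
}

// Assumed usage: php audit_perms.php /path/to/catalog  (defaults to cwd).
$root = isset($argv[1]) ? $argv[1] : '.';
$hits = find_world_writable($root);

if (count($hits) === 0) {
    echo "No world-writable entries under $root\n";
} else {
    echo count($hits) . " world-writable entries under $root:\n";
    foreach ($hits as $path => $mode) {
        echo "  $mode  $path\n";
    }
}
```

Run it after finishing whatever admin task needed the looser mode; anything it lists that is not deliberately writable (an images upload folder, for instance) is a candidate for chmod back to 755 (directories) or 644 (files), and the directories the poster runs at 555 should not appear at all.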

#260 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 28 November 2009, 02:44

Clean post arrays

tigergirl, on 19 November 2009, 15:36, said:

Would there be a potential issue using the $_POST fix on pages that require a password? It's just that the most secure passwords may contain values that may be cleaned off??

checkout_success appears to have POST and array together? Should fix be applied on that page?

Sorry I missed this, been v-busy.

This little snippet will replace the previous & clean any arrays too:

// clean posted vars
function clean_var($vars) {
    if (!is_array($vars)) {
        return preg_replace("/[^a-zA-Z0-9@ :{}_.-]/i", "", urldecode($vars));
    } else {
        return array_map('clean_var', $vars);
    }
}
reset($_POST);
while (list($key, $value) = each($_POST)) {
    $_POST[$key] = clean_var($_POST[$key]);
}

I would note that the cart uses arrays for product attributes, so this is needed should you decide to add to app top.


I don't think it would be a good idea to relax security just to enable complex passwords, you're only re-opening the hole!! Just inform your users what they can enter, use php & javascript to validate the inputs.

Edited by spooks, 28 November 2009, 02:47.

Sam

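The questions running through this thread (does the sanitizer turn the #245 test string into "working", what happens to symbol-heavy passwords from #248, why do non-ASCII letters from #249 vanish, and why the $HTTP_POST_VARS alias from #246 was needed) can all be answered on a test box before touching a live store. The following is an added example, not code from the thread or from osCommerce: it applies the #260 clean_var() sanitizer to a constructed stand-in for $_POST and prints raw and cleaned values side by side. The clean_var_utf8() variant is an assumption of mine (a Unicode-aware allow-list using PCRE's \p{L} and \p{N} classes), offered as one way to keep language characters; the field names and values are made up.

```php
<?php
// Added example (not from the thread or osCommerce): dry-run the $_POST
// sanitizer against constructed input and show exactly what it strips.

// The #260 sanitizer. The loop below uses foreach instead of each(), which
// was removed in PHP 8; the cleaning rule itself is unchanged.
function clean_var($vars) {
    if (!is_array($vars)) {
        return preg_replace("/[^a-zA-Z0-9@ :{}_.-]/i", "", urldecode($vars));
    }
    return array_map('clean_var', $vars);   // recurse into attribute arrays
}

// Assumed variant (not from the thread): allow letters and digits of any
// script while still removing <, >, quotes, brackets and the like.
function clean_var_utf8($vars) {
    if (is_array($vars)) {
        return array_map('clean_var_utf8', $vars);
    }
    $clean = preg_replace("/[^\p{L}\p{N}@ :{}_.-]/u", "", urldecode($vars));
    // With /u, preg_replace returns null on malformed UTF-8. Treat that as
    // "nothing trustworthy" instead of letting raw bytes through.
    return ($clean === null) ? "" : $clean;
}

// Apply a cleaner to every top-level field, like the app_top loop does.
function clean_post(array $post, $cleaner) {
    foreach (array_keys($post) as $key) {
        $post[$key] = $cleaner($post[$key]);
    }
    return $post;
}

// Constructed sample standing in for a real form submission.
$sample = array(
    'customers_firstname' => '[w](o)%3Cr%3Ek|i*n^g',          // the #245 test string
    'email_address'       => 'jane.doe@example.com',           // @ is on the allow-list
    'password'            => 'S3cur3!P+ss#w0rd',               // the #248 worry: symbols
    'customers_city'      => 'Šibenik',                        // the #249 worry: non-ASCII
    'id'                  => array('4' => '7', '5' => '1<2>'), // attribute array, as in the cart
);

foreach (array('clean_var', 'clean_var_utf8') as $fn) {
    echo "== $fn ==\n";
    $cleaned = clean_post($sample, $fn);
    foreach ($sample as $key => $raw) {
        $before = is_array($raw) ? json_encode($raw) : $raw;
        $after  = is_array($cleaned[$key]) ? json_encode($cleaned[$key]) : $cleaned[$key];
        $flag   = ($before === $after) ? '' : '   <- changed';
        printf("%-20s %-28s => %s%s\n", $key, $before, $after, $flag);
    }
}

// Why #246 mattered: cleaning $_POST does nothing to a separately populated
// copy such as the legacy $HTTP_POST_VARS unless that name is a reference.
$copy  = $sample;    // behaves like an independently filled $HTTP_POST_VARS
$alias =& $sample;   // behaves like "$HTTP_POST_VARS =& $_POST"
$sample = clean_post($sample, 'clean_var');
echo "\ncopy still holds:  " . $copy['customers_firstname']  . "\n";  // raw string
echo "alias now holds:   " . $alias['customers_firstname'] . "\n";  // working
```

Two things the run makes visible that the snippet alone does not: urldecode() runs before the character filter, so a plus sign in a password becomes a space and a literal %3C becomes < before being stripped, which is why the #245 test collapses to "working" and why passwords with + or % will not round-trip; and without the /u modifier each byte of a multibyte letter fails the ASCII allow-list, so "Šibenik" comes back as "ibenik", exactly the loss described in #249.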