656 replies to this topic

[ncoded]

I apreciate that a lot of talented people write add-ons, but personally i NEVER install any add-ons, not unless you can reverse-engineer the code so that you know what it is doing, and if that were the case you would just write the add-on yourself.

Lets be honest, how would you know that the add-on not only did what you wanted, but didnt also email out admin logins, etc.

Personally i think the OSC need to have 2 types of add-ons, unvalidated (untested by OSC) and validated (tested by OSC).

well thats my opinion anyhow, we will see what v3 has to offer (hot on the heels of Magento).

[spooks]

If contribs were damaging especially these security related ones, it would quickly be discovered by the osC experts here, reported & the offending item removed.

If your saying you have installed no security measures such as these on your site, then the hackers will love you, they wont tell you that though!!!

[ncoded]

thanks for your reply Sam.

this is really good news to hear that some people are looking at add-ons (security), however to be honest i ment more 'all add-ons'.

clearly once you put code on your server it can pretty much do what it wants.

i read about the 'reviews sql inject flaw' picked up by (a dodgy sounding) security company.

are you saying that osc has many security flaws? what type? is there a response from osc on this?

is there a list of osc security flaws somewhere?

Edited by ncoded, 19 February 2009 - 11:17 AM.

[spooks]

I`ve not seen one, then I`ve not looked that hard.

I believe having installed those listed here you should have no problems, bareing issues intruduced by any other contrib you install, certainly havng applied these to sites that have been attacked has prevented any repeat.

I must say I was surprised to see that 'testimonials' still has issues, since its been known for a very long time it has security flaws & there are well published info on the web showing how to execute the hack.

Clearly you do need to check that any contrib you add does not open any new holes, it might be prudent to simply add sanitising code to any page that allows customer input using POST (GET is cleaned by security pro) for any contrib you install, better safe than sorry.

[TheZag]

Thanks a lot for this helpful and precious post !
A BIG THANKS !

[XxWickedxX]

Typical results of some others the Anti XSS does not work for me. Just creates an internal 500 error on the site.

[Coopco]

XxWickedxX, on Mar 2 2009, 10:49 PM, said:

Typical results of some others the Anti XSS does not work for me. Just creates an internal 500 error on the site.

I think it depends on how your server is set up. I do not the same results with some of them, I just can not access the site via http.

[chrish123]

Lately Ive been locking down a few problems on our server, so I thought I'd share this one:

Quote

Disable HTTP TRACK | TRACE Method in Apache which is enabled by defualt which is used for cross site tracing which is similar to cross site scripting (XSS)

Open your httpd.conf on the server:

somewhere in there you can ADD:

TraceEnable Off

There is another method which uses apache rewrite but the above method is obviously better, But anyway second method is to add the below code in the same httpd.conf file, not in your www .htacess file:

# Anti cross site tracing - protection
RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^TRACE 
RewriteRule .* - [F]

[chrish123]

XxWickedxX, on Mar 2 2009, 11:49 AM, said:

Typical results of some others the Anti XSS does not work for me. Just creates an internal 500 error on the site.

The "anti XSS script" after pixclinics I added would fail on certain files, I did ask for my file to be removed, but they removed my comment instead!

I use SEO-G and noticed I needed to put "advanced_search.php" in the exclude list otherwise it wont work as I have a "ajax search" contribution in there.


I'm currently just using the below in my htacess file, but note the track|trace reference, that wont actually do anything in the website root, as it needs to be put directly in the httpd.conf. A PCI Compliance scan would confirm it!

# 1) add these lines to your .htaccess file
# 2) create an index_error.php file with whatever content you want to be displayed.

# Anti XSS 

Options +FollowSymLinks
RewriteEngine On 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# prevent image theft / hotlinking except the sites below

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?change-to-your-sitename.com/.*$ [NC]
#if your using images directly from your site to ebay.com for example , you can uncomment the 2 lines below:
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?ebay.co.uk/.*$ [NC]
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?ebay.com/.*$ [NC]
RewriteRule \.(gif|jpg|png|bmp|swf|pdf)$ - [F]


<Files .htaccess>
order allow,deny
deny from all
</Files>

<FilesMatch "\.(bak|sql|inc)$" >
deny from all
</FilesMatch>

[/code]

[XxWickedxX]

So making those edits to that httpd.conf will achieve the same thing without .htaccess modification or is the .htaccess code from the contrib still needed?

[grreatone31]

i was curious about after i download all php files are they to be uploaded to admin folder? as i am unable to get it to "install" security pro.php.if it is in the wrong folder i am will to move it where ever it needs to be. i am a total newbie at this but not an idiot.

[spooks]

All contribs contain installation instructions, just follow those to the letter.

[catlover]

I added the contribs suggested by Sam in the original message.  Excellent info, thanks Sam!

I did run across a problem with IP Trap.  When I tested the install, I received the banned message, as expected, and an email was sent with the IP address.  I noticed in IP_Trapped.txt the blocked IP was 999.999.999.999.  I removed this number and tested again, received the banned message, but no IP address was added to IP_Trapped.txt.  I set the permissions to 755 for the folder and 666 for IP_Trapped.  I followed the install instructions, but cannot get the IP_Trapped file to read the IP addresses.   If I leave the default IP address 999.999.999.999, then I cannot access our site at all.  Any one have suggestions on a workaround?

Thanks,

Regards,
Joe

[catlover]

I got the IP Trap to work.  My robots.txt was not identifying the folder personal - I inadvertently left out "/".  IP address was then written to the IP_Trapped.txt.  My advice is to double check robot.txt file.

Regards,
Joe

[vivithemage]

I tried out all CHMOD's on this config file and I keep getting the same error RIGHT after installation :

Warning Warning: I am able to write to the configuration file: /home2/alistaqu/public_html/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

I go to the file and I went through 644, 444, 400, etc...read, read, read only on all 3...but it still says it .

Linux system.

[XxWickedxX]

I am not sure this questions pertains to the contribs this I am going to go out a limb and guess you just installed oscommerce for the first time. 444 works just fine but 400 being ideal there should be no message or problem. Im not sure but you may need to contact your host and ask why your permission settings are not being applied. Also keeping mind there are 2 configure files. Make sure you get both of them. One in the admin directory and one and the includes directory. This particular error is of course talking about the one in your /includes/ directory. I would contact your host for further help on why your permissions are not being applied.

[spooks]

not related to this thread, search theres plenty on this (+ you can't set with ftp!!!)

[vivithemage]

XxWickedxX, on Mar 10 2009, 11:39 PM, said:

I am not sure this questions pertains to the contribs this I am going to go out a limb and guess you just installed oscommerce for the first time. 444 works just fine but 400 being ideal there should be no message or problem. Im not sure but you may need to contact your host and ask why your permission settings are not being applied. Also keeping mind there are 2 configure files. Make sure you get both of them. One in the admin directory and one and the includes directory. This particular error is of course talking about the one in your /includes/ directory. I would contact your host for further help on why your permissions are not being applied.

changing it via cpanel FTP worked out better, thanks

[geoffreywalton]

Anybody got any thoughts why after entering cc details on authorize.net

https://secure.authorize.net/gateway/transact.dll

the ip trap is activated when returning to the xss script is too?

I know some people do not like authorize.net but this is overkill!!

:-)

The ip trap script, block.php, displays a you are blocked page but it is not shown if I change punish = 2 to = 0 in secret.php script

$ua = ( isset($_SERVER['HTTP_USER_AGENT']) && ($_SERVER['HTTP_USER_AGENT'] != "")) ? $_SERVER['HTTP_USER_AGENT'] : "";
$ip = $_SERVER["REMOTE_ADDR"]."\n";
$punish = 0;
if ( $ua == "" )
{
$punish = 2;
}

The browser agent is not shown on the screen. Just had a thought is it single quotes around HTTP_USER_AGENT?

So once that was changed I then get told to "go away" by the XSS script. Looks like the rules in .htaccess redirects the page as well.

Took this out and everything worked

# extra anti uri and xss attack script 2 - sql injection prevention
#Options +FollowSymLinks
#RewriteEngine On
#RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteCond %{QUERY_STRING} (java script:).*(wink.gif.* [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteRule (,|;|<|>|'|`) /log.php [NC]

Put transact.dll in the exclude list and turned on the functionality.

and only the secrep.php seemed to trigger the block

Can you see what is being invoked?

I would prefer to re-enable ip trap and xss so any help would be appreciaed.

Thanks

Geoffrey

[web-project]

100% secured my website? without any contributions.

The simple solution is firewall protection + Mod Security