656 replies to this topic

[Taipo]

If osC_Sec is the addon you are looking for then download it from
http://addons.oscommerce.com/info/8283

Unpack the zip file into your hardrive and open the readme.htm file which has all the instructions in it of how to install.

For a list of other recommended addons for versions of osCommerce earlier than 2.3, see this link
http://forums.oscommerce.com/topic/375288-updated-security-thread/

[m.ather]

Let me explain again,
The problem is that the catalog i am using for a site didn't have any .httaccess file which is the file where we add all the contents to secure ourselves from ip attacks and to make admin site secure.
I tried to use some one's contents and added the long script from "Deny domain access to spammers httaccess script" contribution but it doesn't work. Thats why i am asking what is the best solution for that.
Thanks so much

geoffreywalton, on 27 December 2011 - 10:50 AM, said:

The contents of the htaccess file differs by site and the contributions you have added, so it would be a complete guess as to what yours should contain.

Sorry

G

[builder_bob]

thanks for this!

[adobe19]

I installed site monitor , ip trap  security addons for 2.2rc2a tomorrow and some errors appeared.Today when i try to login admin page didnt open and this errors appeared.

Warning: include(includes/secret.php) [function.include]: failed to open stream: No such file or directory in/home/freeus78/public_html/admin/includes/application_top.php on line 48

Warning: include() [function.include]: Failed opening 'includes/secret.php' for inclusion (include_path='.:/usr/local/php53/pear') in/home/freeus78/public_html/admin/includes/application_top.php on line 48

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /home/freeus78/public_html/admin/includes/application_top.php:48) in /home/freeus78/public_html/admin/includes/functions/sessions.php on line 102

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/freeus78/public_html/admin/includes/application_top.php:48) in /home/freeus78/public_html/admin/includes/functions/sessions.php on line 102

Warning: Cannot modify header information - headers already sent by (output started at /home/freeus78/public_html/admin/includes/application_top.php:48) in/home/freeus78/public_html/admin/includes/functions/general.php on line 22

i also tried installing security pro but couldnt.it says

Find ...

  if ($request_type == 'NONSSL') {

Add immediately ABOVE ...

  // Security Pro by FWR Media
  include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
  $security_pro = new Fwr_Media_Security_Pro;
  // If you need to exclude a file from cleansing then you can add it like below
  //$security_pro->addExclusion( 'some_file.php' );
  $security_pro->cleanse( $PHP_SELF );
  // End - Security Pro by FWR Media

That's it .. all installed!

can someone show me exactly how it seems in code page are there spaces between sentences and at the bottom and the top.Thanks

Edited by adobe19, 18 January 2012 - 04:51 PM.

[DunWeb]

@adobe19,

You failed to upload the files included in the add on to the appropriate directories.




Chris

[geoffreywalton]

Look at the installation instructions for IP Trap and read the bit about where to put the file secret.php.

You have either not uploaded it or it is in the wrong place.

HTH

G

[adobe19]

Hi.I almost know nothing about web site creation.While following the guides i couldnt figure out how the codes should look after i paste the new lines.I put the lines before and after pasting.Can you check if these are correct.Also i would ask the location of htaccess file.Thanks

security pro

before

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

  if ($request_type == 'NONSSL') {
    define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
  } else {
    define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
  }

after

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
  // Security Pro by FWR Media
  include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
  $security_pro = new Fwr_Media_Security_Pro;
  // If you need to exclude a file from cleansing then you can add it like below
  //$security_pro->addExclusion( 'some_file.php' );
  $security_pro->cleanse( $PHP_SELF );
  // End - Security Pro by FWR Media
  if ($request_type == 'NONSSL') {
    define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
  } else {
    define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
  }


-----------------------------------------------

before

// include the list of project filenames
  require(DIR_WS_INCLUDES . 'filenames.php');

// include the list of project database tables
  require(DIR_WS_INCLUDES . 'database_tables.php');


after

// include the list of project filenames
  require(DIR_WS_INCLUDES . 'filenames.php');
// IP Trap V5
include(DIR_WS_INCLUDES . 'secret.php');
// include the list of project database tables
  require(DIR_WS_INCLUDES . 'database_tables.php');

------------------------------------------

[adobe19]

i reread my previous post and realized couldnt make my point.I am asking if there are spaces between lines and should the lines be aligned to left or is there a spaces.Generally what do i need to do after pasting the lines.thanks

[sarahw167]

Do the steps outlined by spooks to secure your site apply to v2.3 also?

kind regards,
Sarah

[geoffreywalton]

The changes to secure the log on do not need to be done in 2.3.1.

Download and read the installation instrutoins for the contributions.

Then you can decide if you want to install them.

Cheers

G

[geoffreywalton]

adobe19, on 28 January 2012 - 09:52 PM, said:

i reread my previous post and realized couldnt make my point.I am asking if there are spaces between lines and should the lines be aligned to left or is there a spaces.Generally what do i need to do after pasting the lines.thanks

If it was importnt the installation instructions would have said so.

To learn more aout php look at w3schools.com

HTH

G

[sarahw167]

geoffreywalton, on 29 January 2012 - 10:10 AM, said:

The changes to secure the log on do not need to be done in 2.3.1.

Download and read the installation instrutoins for the contributions.

Then you can decide if you want to install them.

Cheers

G

Thanks for your response. I'll review the rest of them. I ran through the process in a previous version but have since installed the new one.

thanks,
Sarah

[Carbon_Fibre]

Hello

I have an OSC 2.2 RC2A site installed. I'm using the Products URL field to link to pdf manuals located in another folder. Since I installed the add-ons suggested on the first page i.e. Security Pro, Site Monitor, IP Trap and Anti-XSS as well as copied the .htaccess files from OSC 2.3 and copied them to this site.

But after this website, visitors are unable view these pdf documents. When clicked, the link directs back to index.php instead of the pdf document. (Note from the backend admin, if you view the product and click on the link, it works.)

I've tested it on another installation without the add-ons and that works. Obviously, something is blocking the pdf document from being opened and kicking it back to the home page. I have removed the Anti-XSS, but that didn't help.

Does anyone have any ideas which of the above add-ons it could be?

Thanks in advance

Edited by Carbon_Fibre, 24 July 2012 - 11:29 AM.

[Carbon_Fibre]

Please ignore post above. See http://forums.oscommerce.com/topic/388345-products-url-not-working-after-security-add-ons-installed/

[bigpicture]

Can anyone help with this?

I've added multiple security features including FWR Security Pro and .htaaccess additions listed through pixclinic under ANTI Cross Site Scripting attacks, but SecurityMetrics are still flagging the following:

Description: CGI Generic Remote File Inclusion Synoposis: Arbitrary code may be run on the remote server. Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to include a remote file from a remote server and execute arbitrary commands on the target host. See also : http://en.wikipedia.org/wiki/Remote_File_Inclusion http://projects.webappsec.org/Remote-File-Inclusion Data Received: Using the POST HTTP method, SecurityMetrics found that : + The following resources may be vulnerable to web code injection : + The 'osCsid' parameter of the /shopping_cart.php CGI : /shopping_cart.php [osCsid=http://Fh3il70z.example.com/] -------- output --------< /TR>< TR> [...] includes/languages/english/images/buttons/menu_top6.gif" alt="" width="97" height="16" /></A><A HREF="http://www.<MYSITENAME>.com/contact _us.php?osCsid=http://Fh3il70z.example.com/"><img src="includ [...]< /TR>< /TABLE></TD> ------------------------ /shopping_cart.php [action=update_product&osCsid=http://Fh3il70z.example .com/] -------- output --------< /TR>< TR> [...] includes/languages/english/images/buttons/menu_top6.gif" alt="" width="97" height="16" /></A><A HREF="http://www.<MYSITENAME>.com/contact _us.php?osCsid=http://Fh3il70z.example.com/"><img src="includ [...]< /TR>< /TABLE></TD> ------------------------ Other references : CWE:98, CWE:78, CWE:434, CWE:632, CWE:73, CWE:473, CWE:801, CWE:714, CWE:727 Resolution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade. Risk Factor: High/ CVSS2 Base Score: 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P


Seems strange that they've never spotted anything before. Does anyone have any ideas on how to fix this?

Thanks,
Simon

[sionsweet]

quick question with the ip trap.
will it ban ip's that go to ANY of the disallowed folders in robots.txt?

we run oscommerce alongside our normal info site, and didnt want visiters to land straight into the shop from google etc, so the whole catalog folder is in the robots.txt.
just checking im not going to end up banning all visiters

CHeers,
Sion.

[geoffreywalton]

IP trap only catches visitors to

/personal

or if you have changed/renamed your admin and you have followed the instructions in the installation instructions

/admin

HTH

G