158 replies to this topic

[zinor]

does anyone know how hackers could be damage for the previous mode of $PHP_SELF; ?

[kenkja]

Hello all,

I'm new to osc and have managed to deal with all of the issues in post 1 of the security forum in an osc V2.3.1 install, but I have to be honest this thread or actually the fixes are bit much for me to undertstand at the moment.

So first question is - Is this an issue in v2.3.1 ?

thanks

Ken

[Xpajun]

kenkja, on 26 February 2011, 09:30, said:

Hello all,

I'm new to osc and have managed to deal with all of the issues in post 1 of the security forum in an osc V2.3.1 install, but I have to be honest this thread or actually the fixes are bit much for me to undertstand at the moment.

So first question is - Is this an issue in v2.3.1 ?

thanks

Ken

Ken,

By reading the thread it wasn't a issue on the last release of 2.2 let alone 2.3

[zinor]

Hello All can anyone tell me why this topic told ? i mean how they can abuse and attack us with previous kind of $PHP_SELF; ?

[Taipo]

The basis of the admin exploit in earlier versions of oscommerce stems from the way it used to try and set the $PHP_SELF

Since then there are several fixes that have come out, one is in the latest osc 2.3.1 as below

$PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

Robert Fishers function (FWR Media) also achieves the same outcome real well

/**
    * Reliably set PHP_SELF as a filename .. platform safe
    */
    function setPhpSelf() {
      $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
      foreach ( $base as $index => $key ) {
        if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
          if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
            preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
            if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                      && ( substr( $matches[0], -4, 4 ) == '.php' )
                                      && ( is_readable( $matches[0] ) ) ) {
              return $matches[0];
            } 
          } 
        }
      } 
      return 'index.php';
    } // end method 
    
    $PHP_SELF = setPhpSelf();

You can overwrite the PHP_SELF line in both application tops with either of those, anything is better than what is currently in the earlier versions of oscommerce.

Edited by Taipo, 07 March 2011, 13:41.

[Tom172]

FWR Media, on 16 December 2009, 21:09, said:

This seems to be going on and on and deviating from what will stop the hack, the key hole was that PHP_SELF is unreliable and oscommerce does not check it as such.

Very early on I mentioned that SCRIPT_NAME is a more reliable option .. and it is .. it is not truly transportable though as SCRIPT_NAME can sometimes return the phpcgi.

The following is code based on that used in ..

Ultimate Seo Urls 5

Ultimate Seo Urls 5 PRO

and ..
KiSSMT Dynamic SEO Meta Tags

All of these have undergone extensive testing on both WinDoze and *nix servers. I have backwards developed the code to be php4 compatible.

In application_top.php where PHP self is set ..

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

Change to ..

    /**
    * Reliably set PHP_SELF as a filename .. platform safe
    */
    function setPhpSelf() {
      $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
      foreach ( $base as $index => $key ) {
        if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
          if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
            preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
            if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                      && ( substr( $matches[0], -4, 4 ) == '.php' )
                                      && ( is_readable( $matches[0] ) ) ) {
              return $matches[0];
            } 
          } 
        }
      } 
      return 'index.php';
    } // end method 
    
    $PHP_SELF = setPhpSelf();

I read through the tread and am still confused, well actually even more confused than before:)

So, to make it simple:

in Catalog/includes/application_top.php I have ULTIMATE Seo Urls 5 PRO by FWR Media´s code in place


=> question 1: That should do, right?



in Admin/includes/application_top.php I have Taipo´s osc_sec code in place:

// BOF 7834 OSC_SEC
// set php_self in the local scope
  if( !isset( $PHP_SELF ) ) {
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
  }
// EOF 7834 OSC_SEC

=> question 2: That should cover it also, right?


Both questions refer to a 2.2rca shop.

[Tom172]

To make my point more clear:

should I expect any unwanted result as I use two different approaches to solve one problem?

[Taipo]

Quote

in Catalog/includes/application_top.php I have ULTIMATE Seo Urls 5 PRO by FWR Media´s code in place
=> question 1: That should do, right?

To save the confusion just use the code from osC_Sec to replace the $PHP_SELF code in both application_top.php files.

  // set php_self in the local scope
  if( !isset( $PHP_SELF ) ) {
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
  }

Quote

should I expect any unwanted result as I use two different approaches to solve one problem?

I believe there is an update to the Ultimate SEO URLS 5 code, the one above is a little out of date. But again, just use the adaption of the RC3 code from osC_Sec.

Edited by Taipo, 23 August 2011, 12:28.

[Tom172]

Taipo, on 23 August 2011, 12:27, said:

To save the confusion just use the code from osC_Sec to replace the $PHP_SELF code in both application_top.php files.

If I may add some extra confusion

now this part of catalog/includes/application_top.php looks like the following. It does work as far as I can see now, however one thing just looks strange to me: I have two replacements for the "// set php_self in the local scope" part. One by fwr and ultimate seo urls pro, and another from osc_sec.

Again, it looks like evereything works ... jus clicked around a bit for now.

/// following section replaced for 7704 ultimate seo urls pro
// set php_self in the local scope
/**  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];**/
// End replacement 

// BOF 7704 ultimate seo urls pro
/**
  * ULTIMATE Seo Urls 5 PRO by FWR Media
  * function to return the base filename 
  */
  function usu5_base_filename() {
    // Probably won't get past SCRIPT_NAME unless this is reporting cgi location
    $base = new ArrayIterator( array( 'SCRIPT_NAME', 'PHP_SELF', 'REQUEST_URI', 'ORIG_PATH_INFO', 'HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL' ) );
    while ( $base->valid() ) {
      if ( array_key_exists(  $base->current(), $_SERVER ) && !empty(  $_SERVER[$base->current()] ) ) {
        if ( false !== strpos( $_SERVER[$base->current()], '.php' ) ) {
          preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$base->current()], $matches );
          if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                    && ( substr( $matches[0], -4, 4 ) == '.php' )
                                    && ( is_readable( $matches[0] ) ) ) {
            return $matches[0];
          } 
        } 
      }
      $base->next();
    }
    // Some odd server set ups return / for SCRIPT_NAME and PHP_SELF when accessed as mysite.com (no index.php) where they usually return /index.php
    if ( ( $_SERVER['SCRIPT_NAME'] == '/' ) || ( $_SERVER['PHP_SELF'] == '/' ) ) {
      return 'index.php';
    }
    // Return the standard RC3 code 
    return ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0) && ( (bool)ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $_SERVER['SCRIPT_NAME'] ) ) ? basename( $_SERVER['PHP_SELF'] ) : basename( $_SERVER['SCRIPT_NAME'] );
  } // End function

// set php_self in the local scope
  $PHP_SELF = usu5_base_filename();

// BOF 7834 OSC_SEC
  // set php_self in the local scope
  if( !isset( $PHP_SELF ) ) {
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
  }
// EOF 7834 OSC_SEC  
// EOF 7704 ultimate seo urls pro
// BOF 5752 Security Pro 2.0.7

Maybe that is how it should look like. I don´t know. It just looks a bit strange to someone who is usually only doing some copy and paste

Edited by Tom172, 23 August 2011, 12:47.

[Taipo]

Its a bit of a double up, but it will work fine.

Be sure to at least have the following in your admin/includes/application_top.php file to replace the original faulty code.

  // set php_self in the local scope 
  if( !isset( $PHP_SELF ) ) { 
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER; 
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] ); 
  } 

Edited by Taipo, 23 August 2011, 12:57.

[Tom172]

Taipo, on 23 August 2011, 12:55, said:

Its a bit of a double up, but it will work fine.

Be sure to at least have the following in your admin/includes/application_top.php file to replace the original faulty code.

  // set php_self in the local scope 
  if( !isset( $PHP_SELF ) ) { 
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER; 
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] ); 
  } 

yes, that´s part your osc_sec contribution I already had in place:

admin/includes/application_top.php

// set php_self in the local scope
// replaced for 7834 OSC_SEC:
//  $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
// BOF 7834 OSC_SEC
// set php_self in the local scope
  if( !isset( $PHP_SELF ) ) {
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
  }
// EOF 7834 OSC_SEC

... more than twice around the corner, I know. But it helps to remember what and why ...

Thanks again for your effort. It´s appreciated!
tom

[Parikesit]

tigergirl, on 16 October 2010, 22:36, said:

I came across another thread proposing a fix and wondered if any of the PHP Guru's could make comment on it? Will it remove the offending admin name from email headers?

X-PHP-Script fix

Mort-lemur, on 21 October 2010, 18:40, said:

Like Tigergirl - I would like to know more about this as well - any views?

Thanks

I thinks that will remove admin folder exposed when sending email. Here another link with similar solution to obfuscate X-PHP-Script : Preventing X-PHP-Script Exposure of Variables.

We can make generic modification to tep_mail function in (CATALOG/ADMIN)/includes/general.php

  function tep_mail($to_name, $to_email_address, $email_subject, $email_text, $from_email_name, $from_email_address) {
    if (SEND_EMAILS != 'true') return false;
	   
    global $PHP_SELF;
    //obfuscate url address
    $tmpSelf = $PHP_SELF;
    $tmpAddr = $_SERVER['REMOTE_ADDR'];
    $_SERVER['PHP_SELF'] = "/";
    $_SERVER['REMOTE_ADDR'] = $_SERVER['SERVER_ADDR'];
    $_SERVER['X_PHP_SCRIPT'] = $_SERVER['REMOTE_ADDR'] . $_SERVER['PHP_SELF'];
   
    // Instantiate a new mail object
    $message = new email(array('X-Mailer: osCommerce'));
   
    // Build the text version
    $text = strip_tags($email_text);
    if (EMAIL_USE_HTML == 'true') {
	  $message->add_html($email_text, $text);
    } else {
	  $message->add_text($text);
    }
    // Send message
    $message->build_message();
    $message->send($to_name, $to_email_address, $from_email_name, $from_email_address, $email_subject);
   
    //revert default value
    unset($_SERVER['X_PHP_SCRIPT']);
    $_SERVER['REMOTE_ADDR'] = $tmpAddr;
    $_SERVER['PHP_SELF'] = $tmpSelf;
  }

@zaenal

[Taipo]

Moving the admin directory or changing its name is a bit like putting a painting in front of the hidden wall safe. A burglar discovering the wall safe behind the picture does not automatically mean that the safe can be cracked.

However, hiding a wall safe => with faulty locking mechanism, behind a wall painting is rather risky, as the first priority in that situation, as with the outdated versions of osCommerce situation, is to fix the faulty locking mechanism.

Once that is completed successfully then hiding the admin directory from wouldbe attackers either via changing the name of the admin directory or adding HTTP Basic Authentication (or both) would be the finishing layer of security on your site.

osCommerce Security Hole Fix: http://forums.oscommerce.com/topic/380144-fixing-the-admin-login-bypass-exploit/
osC_Sec Security addon: http://addons.oscommerce.com/info/7834

[callenords]

I have installed "Ultimate Seo Urls 5" and I understand it takes care of osCommerce Security Hole in application_top.php (correct?)

Is there still a need to install osC_Sec Security addon?

Thanks!

[DunWeb]

@callenords,

NO, Ultimate SEO URL's does not fix ANY security issues with osCommerce. If you have v2.2, I suggest reading and installing the security contributions mentioned in the Security Thread

If you are using v2.3.1, there is no need to install ANY contributions but you can if you wish.



Chris

[Taipo]

In my opinion there are two parts to the security fix often called ( by me ) the admin login bypass exploit, in the 2.2 range of osCommerce sites.

1/ patch the admin login process which can be bypassed in the 2.2 range
2/ patch the $PHP_SELF code in application_top.php which is reports login.php as the $PHP_SELF rather than administrators.php when the URL is malformed like /admin/administrators.php/login.php

If you do either one of those, the admin login bypass exploit will cease to work. IMO, do both of them.

That takes care of the biggest security hole in that range of osCommerce systems.

From memory, Ultimate SEO URLs 5 by FWR Media has a fix to the $PHP_SELF code in it, which will prevent the misreporting thus prevent the malformed URL 'trick' from working, however the official fix is 1/

If you have installed that version of USU5 then test it out for yourself.

While logged out of your admin section, go to http://www.yoursite.com/admin/administrators.php/login.php and see if you are redirected to the admin login.php page, or whether you are able to see a rather distorted version of the administrators.php page.

If you get the distorted version of that administrators.php page, then add at least the first patch I listed above, or if you want an almost all in one patch up, then install osC_Sec.

Putting htaccess basic authentication protection on your admin directory is the first place to start though. version 2.3.1 has htaccess inbuilt into the install process. However I recommend site owners use a different set of login credentials for htaccess logins to those used in their admin user logins. ( 2.3.1 has them both the same probably for reasons of convenience ).

[roneada]

my problem is I'm installing osc_sec and I find that I do change a variable and change for this $ PHP_SELF = usu5_base_filename (); in application_top.php

Code: Select all
/ / Set PHP_SELF in the local scope
if (isset ($ PHP_SELF)) $ PHP_SELF = $ HTTP_SERVER_VARS ['PHP_SELF'];

IMPORTANT: Remove or comment out the line from Above Both application_top.php files and replace Entire line with:

/ / Set PHP_SELF in the local scope
if (isset ($ PHP_SELF)) {
if (@ phpversion ()> = "5.0.0" && (! ini_get ("register_long_arrays") | | @ ini_get ("register_long_arrays") == "0" | | strtolower (@ ini_get ("register_long_arrays")) == "off")) $ HTTP_SERVER_VARS = $ _SERVER;
$ PHP_SELF = (((strlen (ini_get ('cgi.fix_pathinfo'))> 0) && ((bool) ini_get ('cgi.fix_pathinfo') == false)) | |! Isset ($ HTTP_SERVER_VARS ['SCRIPT_NAME'] ))? basename ($ HTTP_SERVER_VARS ['PHP_SELF']): basename ($ HTTP_SERVER_VARS ['SCRIPT_NAME']);
}



I have installed ultimate-seo-urls-5 which is the variable $ PHP_SELF = usu5_base_filename this (), which is the substitution ask me, as I do to be compatible with the 2? thanks!
and tested this

/// following section replaced for 7704 ultimate seo urls pro
// set php_self in the local scope
/**  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];**/
// End replacement 
// BOF 7704 ultimate seo urls pro
/**
  * ULTIMATE Seo Urls 5 PRO by FWR Media
  * function to return the base filename
  */
  function usu5_base_filename() {
    // Probably won't get past SCRIPT_NAME unless this is reporting cgi location
    $base = new ArrayIterator( array( 'SCRIPT_NAME', 'PHP_SELF', 'REQUEST_URI', 'ORIG_PATH_INFO', 'HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL' ) );
    while ( $base->valid() ) {
	  if ( array_key_exists(  $base->current(), $_SERVER ) && !empty(  $_SERVER[$base->current()] ) ) {
	    if ( false !== strpos( $_SERVER[$base->current()], '.php' ) ) {
		  preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$base->current()], $matches );
		  if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
								    && ( substr( $matches[0], -4, 4 ) == '.php' )
								    && ( is_readable( $matches[0] ) ) ) {
		    return $matches[0];
		  }
	    }
	  }
	  $base->next();
    }
    // Some odd server set ups return / for SCRIPT_NAME and PHP_SELF when accessed as mysite.com (no index.php) where they usually return /index.php
    if ( ( $_SERVER['SCRIPT_NAME'] == '/' ) || ( $_SERVER['PHP_SELF'] == '/' ) ) {
	  return 'index.php';
    }
    // Return the standard RC3 code
    return ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0) && ( (bool)ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $_SERVER['SCRIPT_NAME'] ) ) ? basename( $_SERVER['PHP_SELF'] ) : basename( $_SERVER['SCRIPT_NAME'] );
  } // End function
// set php_self in the local scope
  $PHP_SELF = usu5_base_filename();
// BOF 7834 OSC_SEC
  // set php_self in the local scope
  if( !isset( $PHP_SELF ) ) {
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
  }
// EOF 7834 OSC_SEC 
// EOF 7704 ultimate seo urls pro
// BOF 5752 Security Pro 2.0.7

but I get this error Error 310 (net::ERR_TOO_MANY_REDIRECTS):

[roneada]

yes its compatible, the ultimate solution it´s osc_sec 5.0.6, the 5.0.5 have problems with redirect, 5.0.6 perfect

[Taipo]

Because ULTIMATE Seo Urls 5 PRO by FWR Media already sets the correct $PHP_SELF code then it is fine to leave out that part of the code changes in the osC_Sec instructions.