
Serious Hole Found in osCommerce!


158 replies to this topic

#81 FWR Media

  • Community Member
  • 6,463 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 16 December 2009, 21:09

This seems to be going on and on and deviating from what will stop the hack, the key hole was that PHP_SELF is unreliable and oscommerce does not check it as such.

Very early on I mentioned that SCRIPT_NAME is a more reliable option .. and it is .. it is not truly transportable though as SCRIPT_NAME can sometimes return the phpcgi.

The following is code based on that used in ..

Ultimate Seo Urls 5

Ultimate Seo Urls 5 PRO

and ..
KiSSMT Dynamic SEO Meta Tags

All of these have undergone extensive testing on both WinDoze and *nix servers. I have backwards developed the code to be php4 compatible.

In application_top.php where PHP self is set ..

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

Change to ..

    /**
    * Reliably set PHP_SELF as a filename .. platform safe
    */
    function setPhpSelf() {
      $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
      foreach ( $base as $index => $key ) {
        if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
          if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
            preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
            if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                      && ( substr( $matches[0], -4, 4 ) == '.php' )
                                      && ( is_readable( $matches[0] ) ) ) {
              return $matches[0];
            } 
          } 
        }
      } 
      return 'index.php';
    } // end method 
    
    $PHP_SELF = setPhpSelf();

Edited by FWR Media, 16 December 2009, 21:18.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls

KissMT Dynamic SEO Meta & Canonical Header Tags

KissER Error Handling and Debugging

If you found my post useful please click the green + sign to the right

Please only PM me for paid work.


#82 baddog

  • Community Member
  • 1,150 posts
  • Real Name:Dave
  • Gender:Male
  • Location:Columbus, Ohio

Posted 16 December 2009, 21:30

FWR Media, on 16 December 2009, 21:09, said:

In application_top.php where PHP self is set ..

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

Change to ...
I see that code in catalog/includes/application_top.php but not in admin/includes/application_top.php. Is there code in the admin application_top that you would change?

#83 FWR Media

  • Community Member
  • 6,463 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 16 December 2009, 21:52

baddog, on 16 December 2009, 21:30, said:

I see that code in catalog/includes/application_top.php but not in admin/includes/application_top.php. Is there code in the admin application_top that you would change?

In a standard RC2a it is ..
// set php_self in the local scope
  $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);



#84 baddog

  • Community Member
  • 1,150 posts
  • Real Name:Dave
  • Gender:Male
  • Location:Columbus, Ohio

Posted 16 December 2009, 21:58

FWR Media, on 16 December 2009, 21:52, said:

In a standard RC2a it is ..
// set php_self in the local scope
  $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
That's what I see in the admin application_top. What would you change that to? I assume your first suggestion applies to the catalog application_top, right?

#85 FWR Media

  • Community Member
  • 6,463 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 16 December 2009, 22:23

baddog, on 16 December 2009, 21:58, said:

That's what I see in the admin application_top. What would you change that to? I assume your first suggestion applies to the catalog application_top, right?

Same thing. It's just setting $PHP_SELF for osCommerce, whether admin or catalog side. I should have been more specific though, thanks for pointing it out.


#86 DANYEYI

  • Community Member
  • 43 posts
  • Real Name:daniel posteraro

Posted 17 December 2009, 18:30

FWR Media, on 16 December 2009, 21:09, said:

This seems to be going on and on and deviating from what will stop the hack, the key hole was that PHP_SELF is unreliable and oscommerce does not check it as such.

Very early on I mentioned that SCRIPT_NAME is a more reliable option .. and it is .. it is not truly transportable though as SCRIPT_NAME can sometimes return the phpcgi.

The following is code based on that used in ..

Ultimate Seo Urls 5

Ultimate Seo Urls 5 PRO

and ..
KiSSMT Dynamic SEO Meta Tags

All of these have undergone extensive testing on both WinDoze and *nix servers. I have backwards developed the code to be php4 compatible.

In application_top.php where PHP self is set ..

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

Change to ..

    /**
    * Reliably set PHP_SELF as a filename .. platform safe
    */
    function setPhpSelf() {
      $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
      foreach ( $base as $index => $key ) {
        if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
          if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
            preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
            if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                      && ( substr( $matches[0], -4, 4 ) == '.php' )
                                      && ( is_readable( $matches[0] ) ) ) {
              return $matches[0];
            } 
          } 
        }
      } 
      return 'index.php';
    } // end method 
    
    $PHP_SELF = setPhpSelf();

So just to confirm, do I make this change to both admin/includes/application_top.php and catalog/includes/application_top.php?

thanks
dan

#87 FWR Media

  • Community Member
  • 6,463 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 17 December 2009, 19:11

DANYEYI, on 17 December 2009, 18:30, said:

So just to confirm, do I make this change to both admin/includes/application_top.php and catalog/includes/application_top.php?

thanks
dan

Yes both.


#88 DANYEYI

  • Community Member
  • 43 posts
  • Real Name:daniel posteraro

Posted 17 December 2009, 19:17

The code in my catalog/includes/application_top.php looks like this:


// set php_self in the local scope
$PHP_SELF = usu5_base_filename();

if ($request_type == 'NONSSL') {
define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}



Should I replace this with your code above?

thanks
dan

#89 FWR Media

  • Community Member
  • 6,463 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 17 December 2009, 19:42

DANYEYI, on 17 December 2009, 19:17, said:

The code in my catalog/includes/application_top.php looks like this:


// set php_self in the local scope
$PHP_SELF = usu5_base_filename();

if ($request_type == 'NONSSL') {
define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}



Should I replace this with your code above?

thanks
dan

No, you have USU5; this has already been done for you. Just the admin side if you have USU5.


#90 DANYEYI

  • Community Member
  • 43 posts
  • Real Name:daniel posteraro

Posted 17 December 2009, 19:53

FWR Media, on 12 November 2009, 22:58, said:

I identified the fix for the "login hack" back in July and it is far simpler than the suggestions here.

In admin/includes/application_top.php find this code beginning around line 124:

// redirect to login page if administrator is not yet logged in
  if (!tep_session_is_registered('admin')) {
    $redirect = false;

    $current_page = basename($PHP_SELF);


and change to:


// redirect to login page if administrator is not yet logged in
  if (!tep_session_is_registered('admin')) {
    $redirect = false;

    $current_page = basename($_SERVER['SCRIPT_NAME']);

$_SERVER['SCRIPT_NAME'] is reliable on all server types .. all the various connotations of PHP_SELF are known to be "unreliable/hackable/spoofable".

osCommerce itself and many contributions (Which is why header tags throws errors with Ultimate Seo Urls 5 in standard mode) .. rely on PHP_SELF and there is a possibility if you have installed a contribution such as this .. or any other that relies on the return of PHP_SELF that you may get problems/redirect loops .. the solution is to replace all instances of $PHP_SELF or $_SERVER['PHP_SELF'] or $HTTP_SERVER_VARS['PHP_SELF'] with basename( $_SERVER['SCRIPT_NAME'] ).

PHP_SELF is used (in the main) to return the current file name and for this purpose should NOT be used .. $_SERVER['SCRIPT_NAME'] performs the same function but reliably ..

basename( $_SERVER['SCRIPT_NAME'] ) is what will return a valid filename for the currently executing file.


Thanks for the quick reply!

Do I also need to make this change that you posted previously?

thanks
dan

Edited by DANYEYI, 17 December 2009, 19:54.


#91 FWR Media

  • Community Member
  • 6,463 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 17 December 2009, 20:04

DANYEYI, on 17 December 2009, 19:53, said:

Thanks for the quick reply!

Do I also need to make this change that you posted previously?

thanks
dan
No .. if I remember correctly that was a simplified version (and not cross platform) of what you just added.


#92 gaspower

  • Community Member
  • 410 posts
  • Real Name:JR
  • Gender:Male
  • Location:OR

Posted 22 December 2009, 19:06

Hello,

I have one site OSC MS2.2 and I see a fix for the email exploit,

// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {

add before:

//fix to stop hacks to send mail

$hack_test = strtolower($_SERVER['PHP_SELF']);

if ( substr_count($hack_test, '.php') > 1) {
tep_redirect(tep_href_link(FILENAME_LOGIN));
}

But my application_top.php does not currently have this?

// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {

How do I fix the issue?

Thanks DB
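The following is an added example, not osCommerce code and not code from any poster in this thread. It puts the two ideas discussed in this thread side by side: the SCRIPT_NAME-first filename derivation that setPhpSelf() in post #81 performs, and the "more than one .php in PHP_SELF" condition in the check quoted in post #92, both run over constructed $_SERVER arrays so the behaviour can be compared offline. The function names safe_script_basename() and php_self_has_extra_segment(), the allow-list of known files, and the sample paths are all assumptions made for this example; a real install would check the file against its script directory with is_readable() instead of the allow-list.

```php
<?php
// Added example (not osCommerce code, not code from any poster in this thread).
// Demonstrates, on constructed input:
//   1. deriving the current script's filename from SCRIPT_NAME first and only
//      falling back to PHP_SELF, in the spirit of setPhpSelf() from post #81;
//   2. flagging a PHP_SELF that carries more than one ".php", the condition
//      used by the substr_count() check quoted in post #92.
// Run from the command line: php script_name_check.php

/**
 * Return the basename of the executing script, preferring SCRIPT_NAME over
 * PHP_SELF: PHP_SELF echoes any path segment a client appends after the
 * script name, whereas SCRIPT_NAME is filled in by the web server.
 *
 * @param array $server      a $_SERVER-like array
 * @param array $knownFiles  filenames that exist in the script directory
 *                           (assumed allow-list; a real install would use
 *                           is_readable() against the script directory)
 * @return string            the filename, or 'index.php' if nothing usable
 */
function safe_script_basename(array $server, array $knownFiles)
{
    foreach (array('SCRIPT_NAME', 'PHP_SELF') as $key) {
        if (empty($server[$key])) {
            continue;
        }
        $value = $server[$key];
        $pos = stripos($value, '.php');
        if ($pos === false) {
            // Some CGI setups report the interpreter path here (e.g. /cgi-bin/php-cgi),
            // which carries no script name, so try the next key.
            continue;
        }
        // Cut at the first ".php" so anything appended after it is discarded,
        // then keep only the last path component.
        $candidate = basename(substr($value, 0, $pos + 4));
        // Accept only a plain filename (letters, digits, underscore) ending in .php
        // that is actually known to exist.
        if (preg_match('@^[a-z0-9_]+\.php$@i', $candidate)
            && in_array($candidate, $knownFiles, true)) {
            return $candidate;
        }
    }
    return 'index.php';
}

/**
 * True when PHP_SELF contains ".php" more than once, i.e. a path segment was
 * appended after the script name. Suitable as a logging or alert condition.
 */
function php_self_has_extra_segment(array $server)
{
    if (empty($server['PHP_SELF'])) {
        return false;
    }
    return substr_count(strtolower($server['PHP_SELF']), '.php') > 1;
}

// ---- constructed samples (not captured from a real server) -----------------
$knownFiles = array('index.php', 'login.php', 'example_page.php');

$samples = array(
    'plain request'        => array('SCRIPT_NAME' => '/admin/example_page.php',
                                    'PHP_SELF'    => '/admin/example_page.php'),
    'segment appended'     => array('SCRIPT_NAME' => '/admin/example_page.php',
                                    'PHP_SELF'    => '/admin/example_page.php/extra.php'),
    'cgi interpreter path' => array('SCRIPT_NAME' => '/cgi-bin/php-cgi',
                                    'PHP_SELF'    => '/admin/login.php'),
    'unknown file name'    => array('SCRIPT_NAME' => '/admin/not_installed.php',
                                    'PHP_SELF'    => '/admin/not_installed.php'),
    'nothing usable'       => array('SCRIPT_NAME' => '', 'PHP_SELF' => ''),
);

foreach ($samples as $label => $server) {
    // "naive" is what basename($PHP_SELF) alone would give for the same request.
    $naive = basename(isset($server['PHP_SELF']) ? $server['PHP_SELF'] : '');
    $safe  = safe_script_basename($server, $knownFiles);
    $flag  = php_self_has_extra_segment($server) ? 'yes' : 'no';
    printf("%-22s naive=%-18s safe=%-18s extra segment=%s\n",
           $label, $naive, $safe, $flag);
}
```

In the "segment appended" row the naive column reports the appended segment while the safe column still reports the real script, which is the difference the thread is about; the "cgi interpreter path" row shows why the function does not rely on SCRIPT_NAME alone, and the "unknown file name" row shows the existence check falling through to index.php.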

#93 gaspower

  • Community Member
  • 410 posts
  • Real Name:JR
  • Gender:Male
  • Location:OR

Posted 22 December 2009, 19:19

Hello,

Sorry, disregard above email. All fixed, my error.

DB

#94 ChrisBroadhurst

  • Community Member
  • 28 posts
  • Real Name:Chris Broadhurst

Posted 23 December 2009, 12:24

FWR Media, on 16 December 2009, 21:09, said:

This seems to be going on and on and deviating from what will stop the hack, the key hole was that PHP_SELF is unreliable and oscommerce does not check it as such.

Very early on I mentioned that SCRIPT_NAME is a more reliable option .. and it is .. it is not truly transportable though as SCRIPT_NAME can sometimes return the phpcgi.

The following is code based on that used in ..

Ultimate Seo Urls 5

Ultimate Seo Urls 5 PRO

and ..
KiSSMT Dynamic SEO Meta Tags

All of these have undergone extensive testing on both WinDoze and *nix servers. I have backwards developed the code to be php4 compatible.

In application_top.php where PHP self is set ..

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

Change to ..

    /**
    * Reliably set PHP_SELF as a filename .. platform safe
    */
    function setPhpSelf() {
      $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
      foreach ( $base as $index => $key ) {
        if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
          if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
            preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
            if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                      && ( substr( $matches[0], -4, 4 ) == '.php' )
                                      && ( is_readable( $matches[0] ) ) ) {
              return $matches[0];
            } 
          } 
        }
      } 
      return 'index.php';
    } // end method 
    
    $PHP_SELF = setPhpSelf();


Hello, sorry for being a slow learner.......

I have added this code to both files as mentioned. Will this now fix my email exploit? Some dirty smelly hacker is sending my customers viagra emails!!!!!!

Is there anything else I need to do?

thanks in advance

Chris

PS

I have read this thread from start to finish but find myself a bit confused with all the different info. A simple 1-2-3 plan would be great for me :)

#95 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 23 December 2009, 13:25

ChrisBroadhurst, on 23 December 2009, 12:24, said:

Hello, sorry for being a slow learner.......

I have added this code to both files as mentioned. Will this now fix my email exploit? Some dirty smelly hacker is sending my customers viagra emails!!!!!!

Is there anything else I need to do?

thanks in advance

Chris

PS

I have read this thread from start to finish but find myself a bit confused with all the different info. A simple 1-2-3 plan would be great for me :)

A list of measures you need to take to secure your site is given here http://forums.oscommerce.com/index.php?showtopic=313323
Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:


Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

#96 shdwknt

  • Community Member
  • 4 posts
  • Real Name:Rick

Posted 23 December 2009, 15:49

khaos119, on 10 November 2009, 17:08, said:

Hello All,

When this hole was brought to our attention, we were amazed to find that it seems nobody has caught it yet!! There is a page in the admin that can be accessed without login AND can pass parameters!!

**removed**

All work!

We "patched" this hole by adding this line of code:

if(strstr($_SERVER['REQUEST_URI'], "/**better fixes below**" ) !== false){
	echo "<h1>NO ACCESS</h1>";
	exit;
}

Go fix your carts!!!!

Where do you add this line of code??

#97 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 23 December 2009, 16:32

shdwknt, on 23 December 2009, 15:49, said:

Where do you add this line of code??


You don't; please try reading a bit more!!

See FWR Media posts and the pinned security topic

#98 knifeman

  • Community Member
  • 1,537 posts
  • Real Name:Tim
  • Gender:Male

Posted 28 December 2009, 15:51

Robert,

I came across this post a few days ago. I spent most of December running my sites and had no time to read the forum. I have 2 ms2 sites and 1 RC2a site. Both MS2 sites have htaccess password protection and now I added it to my RC2a site.

I also added the code in your post to all 3 sites in both application_top files. Now it seems my product pages load much slower on the MS2 sites (I have SEO URLS on them). The RC2a site is still loading fine and uses a much newer version of SEO URLS.
Using this site:
http://www.web-inspect.com/speed_test.php
my MS2 home page loads in .5 seconds, but a product page loads in over 7 seconds. It wasn't that slow before adding this code.

Is this code needed for MS2 or just RC2a? And do you think this code is the cause of my slowdown?

Tim

PHP Version 5.2.8 on all 3 sites.

FWR Media, on 16 December 2009, 21:09, said:

This seems to be going on and on and deviating from what will stop the hack, the key hole was that PHP_SELF is unreliable and oscommerce does not check it as such.

Very early on I mentioned that SCRIPT_NAME is a more reliable option .. and it is .. it is not truly transportable though as SCRIPT_NAME can sometimes return the phpcgi.

The following is code based on that used in ..

Ultimate Seo Urls 5

Ultimate Seo Urls 5 PRO

and ..
KiSSMT Dynamic SEO Meta Tags

All of these have undergone extensive testing on both WinDoze and *nix servers. I have backwards developed the code to be php4 compatible.

In application_top.php where PHP self is set ..

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

Change to ..

    /**
    * Reliably set PHP_SELF as a filename .. platform safe
    */
    function setPhpSelf() {
      $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
      foreach ( $base as $index => $key ) {
        if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
          if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
            preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
            if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                      && ( substr( $matches[0], -4, 4 ) == '.php' )
                                      && ( is_readable( $matches[0] ) ) ) {
              return $matches[0];
            } 
          } 
        }
      } 
      return 'index.php';
    } // end method 
    
    $PHP_SELF = setPhpSelf();


#99 FWR Media

  • Community Member
  • 6,463 posts
  • Real Name:Robert Fisher
  • Gender:Male
  • Location:Stowmarket - Suffolk - UK

Posted 28 December 2009, 15:57

knifeman, on 28 December 2009, 15:51, said:

Robert,

I came across this post a few days ago. I spent most of December running my sites and had no time to read the forum. I have 2 ms2 sites and 1 RC2a site. Both MS2 sites have htaccess password protection and now I added it to my RC2a site.

I also added the code in your post to all 3 sites in both application_top files. Now it seems my product pages load much slower on the MS2 sites (I have SEO URLS on them). The RC2a site is still loading fine and uses a much newer version of SEO URLS.
Using this site:
http://www.web-inspect.com/speed_test.php
my MS2 home page loads in .5 seconds, but a product page loads in over 7 seconds. It wasn't that slow before adding this code.

Is this code needed for MS2 or just RC2a? And do you think this code is the cause of my slowdown?

Tim

PHP Version 5.2.8 on all 3 sites.

No, all that code does is grab a filename, nothing more, so it will slow down nothing. As a test, do the following:

Create a file on the problem server called test.php, put just my recommended code in it, add echo $PHP_SELF; to the bottom (obviously surrounded by <?php ?>), then just run it.

What are the newer and older seo urls versions?

Edited by FWR Media, 28 December 2009, 15:59.



#100 knifeman

  • Community Member
  • 1,537 posts
  • Real Name:Tim
  • Gender:Male

Posted 28 December 2009, 16:05

FWR Media, on 28 December 2009, 15:57, said:

What are the newer and older seo urls versions?

Thanks for the quick answer. The RC2a site has the mod from Jack mcs, and my older sites have a much earlier version of the same mod started by Chemo.
http://addons.oscommerce.com/info/2823
Both MS2 sites have good ranking and sales, so I have not bothered updating the add on. I am wanting to upgrade to RC2a, time permitting.

Tim