254 replies to this topic

[spooks]

Sam's Anti-hacker Account Page Mods
Secure your account pages against code/SQL injection attempts, yet allow strong passwords.


[indent]There are many instances now of websites being hacked (or cracked to use the correct term) and it is necessary to make your site as secure as possible, one important measure in this is to sanitize all visitor inputs to ensure no code injection etc. attempt can work.

However this creates an issue, if your user creates a strong password by using characters that are likely to be 'cleaned' either their password will not work, or the account gets a password that is different to what was input (as it was 'sanitized'). This is especially an issue if adding input sanitizing to an old site where visitors have added passwords that are now 'illegal'.

This contribution resolves this issue by safely allowing any character to be used within the password, it does this by processing all password inputs before anything else, passwords are translated to hex values, the inputs validated then deleted as no longer required (only the hex strings are processed further). An option is provided to allow string to be reverse translated at the point of password checking to ensure existing passwords will work. This means the passwords now stored in the dBase are salted hashes of the hex string. Once the initial processing is done, all inputs are sanitized.

A new option is added to require the user to input a 'strong' password.

Other account fields are also subject to additional checks or the input converted:

• The date of birth field is now a drop down which automatically formats according to the store country, this ensures the format is correct, slashes (/) can still be sanitized and the visitor cannot transpose days & months.
• The telephone field is checked its numeric (if entered) and contains only limited allowed chars.
• The post code field is checked for the correct format, but only for UK & USA sites.
• If strong password is enabled, password forgotten will generate strong passwords.
• The State/Province/County: field is pre-filled with the zones for the store country, rather than a blank field that gets populated on submit!
• The Country drop down is pre-selected to the store country.
• All input fields are sanitized.

Contribution will be found at: http://addons.oscommerce.com/info/7202


Keep your site & user data safe. [img]http://forums.oscommerce.com/public/style_emoticons/default/smile.gif[/img] [/indent]

Edited by spooks, 18 January 2010, 20:37.

[sky_diver]

Excellent addon for security. Much better than any type of false trap.

There was one error in includes/functions/account_secure.php:
At the end it has an extra ) needs to be replaced with ;

For those using Master Password v1.0 with MD5 hash, you will have a couple of querks getting it going. Just replace your includes/functions/password_funcs.php with the following:

////
// This funstion validates a plain text password with an
// encrpyted password
  function tep_validate_password($plain, $encrypted) {
	  // anti-hacker account
	  $old_exist = true; // if passwords exist in dbase that have not been hexed set to true
		// EOF anti-hacker account
    if (tep_not_null($plain) && tep_not_null($encrypted)) {
// split apart the hash / salt
      $stack = explode(':', $encrypted);

      if (sizeof($stack) != 2) return false;
	  // START MARTIN'S MASTER PASSWORD MD5 MODIFICATION
      if (md5($plain) == MASTER_PASS) { return true; }
      // END MARTIN'S MASTER PASSWORD MD5 MODIFICATION
      if (md5($stack[1] . $plain) == $stack[0]) {
        return true;
			// anti-hacker account	
      }	elseif ($old_exist) {
					for ($i=0; $i < strlen($plain)-1; $i+=2)
    					{
        					$password .= chr(hexdec($plain[$i].$plain[$i+1]));
    					}
					 // START MARTIN'S MASTER PASSWORD MD5 MODIFICATION
      				if (md5($password) == MASTER_PASS) { return true; }
      				// END MARTIN'S MASTER PASSWORD MD5 MODIFICATION
					if (md5($stack[1] . $password) == $stack[0]) return true;
			// EOF anti-hacker account		
      }
    }

    return false;
  }

////
// This function makes a new password from a plaintext password. 
  function tep_encrypt_password($plain) {
    $password = '';

    for ($i=0; $i<10; $i++) {
      $password .= tep_rand();
    }

    $salt = substr(md5($password), 0, 2);

    $password = md5($salt . $plain) . ':' . $salt;

    return $password;
  }

[spooks]

sky_diver, on 20 January 2010, 21:09, said:

Thanks for that, I`m not sure how that charcter got swapped, must have been a gremlin as I saved the last. [img]http://forums.oscommerce.com/public/style_emoticons/default/blush.gif[/img]

Whats suprising is that your the first to spot it, ie the first to use this, implies that most could actually care less about security!!



Thanks for the mod for Master Password v1.0, I`ve not seen that add-on b4.


Glad you liked it [img]http://forums.oscommerce.com/public/style_emoticons/default/biggrin.gif[/img]

[tigergirl]

Sam,
whilst I am using WinMerge I'm finding it quite troublesome to compare/ edit as I have Active Countries Mod installed (only UK activated but don't use zones). Is there any chance of listing the instructions in the form of = Find this code and replace with this code etc...although it may not help with mod-ed stores.

On create_account.php for instance there are a number of conflicts with the Active Countries code and my brain is fried... I hate when people post a whole file so should I break it down into the parts I'm unsure of or just post the file?

Thanks to Sky Diver for the heads up on Master Password fix as I have that installed (v1.4 I think).


Sorry, forgot to add:

I noticed on line 385 of included file catalog/create_account.php it has

// anti-hacker account
	$def_year = 1980;
	$day = isset($HTTP_POST_VARS['dob_ind']) ? $HTTP_POST_VARS['dob_ind'] : '00';
	$month = isset($HTTP_POST_VARS['dob_inm']) ? $HTTP_POST_VARS['dob_inm'] : '00';
?>

Should the $HTTP_POST_VARS be $_POST as I thought the installation page said they had all been changed to $_POST.

Edited by tigergirl, 21 January 2010, 21:03.

[spooks]

tigergirl, on 21 January 2010, 20:50, said:

Yes they should be post, sorry, that got missed.

I don't have time to make a manual install, its a lot of effort to do them & rarely appreaciated, wouldn't you still have issues though, as iinstructions would still be with un-modded files, so still would'nt mathch your mods.

All changes are commented. They are many changes/additions to input validations. There are few content changes.

[tigergirl]

spooks, on 22 January 2010, 01:55, said:

I don't have time to make a manual install

I have written this minus 2 files (which are heavily moded so don't know original code) You are welcome to add my input to your contribution if you wish. Let me know if you want the file although I can't see a way to attach it on the forum!

[tigergirl]

Ok, fresh day, fresh brain!

I'm still struggling with 2 changes in create_account.php due to Active Countries Mod - please can you take a look?

I have:

    //-MS- Added Active Countries
    if ($process == true) {
      if ($entry_state_has_zones == true) {
        $zones_array = array();
        $zones_array = array(array('id' => '', 'text' => PULL_DOWN_DEFAULT));
        $zones_query = tep_db_query("select zone_id, zone_name from " . TABLE_ZONES . " where zone_status='1' and zone_country_id = '" . (int)$country . "' order by zone_name");
        while ($zones_values = tep_db_fetch_array($zones_query)) {
          $zones_array[] = array('id' => $zones_values['zone_id'], 'text' => $zones_values['zone_name']);
        }
        echo tep_draw_pull_down_menu('state', $zones_array);
      } else {
        $zones_array = array();
        $zones_array = array(array('id' => '', 'text' => PULL_DOWN_DEFAULT));
        $zones_query = tep_db_query("select zone_id, zone_name from " . TABLE_ZONES . " where zone_status='1' order by zone_name");
        while ($zones_values = tep_db_fetch_array($zones_query)) {
        $zones_array[] = array('id' => $zones_values['zone_id'], 'text' => $zones_values['zone_name']);
        }
        echo tep_draw_pull_down_menu('state', $zones_array);
      }
    } else {
        $zones_array = array();
        $zones_array = array(array('id' => '', 'text' => PULL_DOWN_DEFAULT));
        $zones_query = tep_db_query("select zone_id, zone_name from " . TABLE_ZONES . " where zone_status='1' and zone_country_id = '" . (int)$country . "' order by zone_name");
        while ($zones_values = tep_db_fetch_array($zones_query)) {
          $zones_array[] = array('id' => $zones_values['zone_id'], 'text' => $zones_values['zone_name']);
        }
        echo tep_draw_pull_down_menu('state', $zones_array);
    }
//-MS- Added Active Countries EOM

    if (tep_not_null(ENTRY_STATE_TEXT)) echo '&nbsp;<span class="inputRequirement">' . ENTRY_STATE_TEXT;

and your file has this:

    if ($process == true) {
      if ($entry_state_has_zones == true) {
        $zones_array = array();
        $zones_query = tep_db_query("select zone_name from " . TABLE_ZONES . " where zone_country_id = '" . (int)$country . "' order by zone_name");
        while ($zones_values = tep_db_fetch_array($zones_query)) {
          $zones_array[] = array('id' => $zones_values['zone_name'], 'text' => $zones_values['zone_name']);
        }
        echo tep_draw_pull_down_menu('state', $zones_array);
      } else {
        echo tep_draw_input_field('state');
      }
     } else {
		 // anti-hacker account
  		// echo tep_draw_input_field('state');
			// FORM NOT PROCESSED YET
			$zone_id = 0;
      $check_query = tep_db_query("select count(*) as total from " . TABLE_ZONES . " where zone_country_id = '" . (int)STORE_COUNTRY . "'");
      $check = tep_db_fetch_array($check_query);
      $entry_state_has_zones = ($check['total'] > 0);
      if ($entry_state_has_zones == true) {
			$zones_array = array();
			$zones_array[] = array('id' => PULL_DOWN_DEFAULT, 'text' => PULL_DOWN_DEFAULT);
        $zones_query = tep_db_query("select zone_name from " . TABLE_ZONES . " where zone_country_id = '" . (int)STORE_COUNTRY . "' order by zone_name");
        while ($zones_values = tep_db_fetch_array($zones_query)) {
          $zones_array[] = array('id' => $zones_values['zone_name'], 'text' => $zones_values['zone_name']);
        }
        echo tep_draw_pull_down_menu('state', $zones_array);
      } else {
        echo tep_draw_input_field('state'); }
			// EOF anti-hacker account	
    }

    if (tep_not_null(ENTRY_STATE_TEXT)) echo '&nbsp;<span class="inputRequirement">' . ENTRY_STATE_TEXT. '</span>';

AND
I have this:

                <td class="main"><b><?php echo ($tmp_object = tep_get_country_active_list('country', $country, 'onChange="this.form.submit();"')) . tep_draw_hidden_field('country_old', $country) . ' ' . (is_array($tmp_object) ? '<span class="inputRequirement">' . ENTRY_COUNTRY_TEXT . '</span>': ''); ?></b></td>

your file says:

<!-- anti-hacker account -->
                <td class="main"><?php echo tep_get_country_list('country',($country ? $country : STORE_COUNTRY)) . '&nbsp;' . (tep_not_null(ENTRY_COUNTRY_TEXT) ? '<span class="inputRequirement">' . ENTRY_COUNTRY_TEXT . '</span>': ''); ?></td>
									<!-- EOF anti-hacker account -->

So I'm unsure what's required here, afriad I break the page!

Have done all the other changes that state //anti-hacker account but not tested yet.

[spooks]

tigergirl, on 22 January 2010, 15:20, said:

I have written this minus 2 files (which are heavily moded so don't know original code) You are welcome to add my input to your contribution if you wish. Let me know if you want the file although I can't see a way to attach it on the forum!

Well done [img]http://forums.oscommerce.com/public/style_emoticons/default/thumbsup.gif[/img]

You could simply add that to the contrib download section as a update/mod to this, I`ve not locked the contrib. [img]http://forums.oscommerce.com/public/style_emoticons/default/smile.gif[/img]

[tigergirl]

spooks, on 22 January 2010, 15:37, said:

You could simply add that to the contrib download section as a update/mod to this, I`ve not locked the contrib. [img]http://forums.oscommerce.com/public/style_emoticons/default/smile.gif[/img]

That would be my first - arrgghhh! Will do but there are a few things I noticed in testing (mostly because I am fussy, sorry ):

1) in catalog/account_edit.php
a) phone no min set to 11 but I can enter 0123456789B (11 chars), B is cleaned off leaving 10 chars which doesn't meet my 11 chars min.
b ) I assume my Anti-Robot Registration field is fine as it will only accept the given validation code?
c) fax cleaned to "working" but not restricted to numbers only (not a problem)

2) in catalog/account_edit.php
If customers postcode is invalid they get the pink warning at top of page but postcode remains the same as before, that's fine but I wondered if customer might think they have changed it when they haven't and perhaps a pop-up box (like what you get if you don't meet the minimum tel no characters) may be better. Otherwise it "may" cause address issues and we don't want to send products to a mismatching address!

3) in catalog/contact_us.php
email address field still said [w](o)%3Cr%3Ek|i*n^g even though there was the email address invalid error message. Shouldn't it be cleaned to "working"?

4) can't test catalog/create_account.php due to previous post re Active Countries.

Mod seems pretty wicked though. ThanQ Sam

[spooks]

tigergirl, on 22 January 2010, 21:21, said:

That would be my first - arrgghhh! Will do but there are a few things I noticed in testing (mostly because I am fussy, sorry [img]http://forums.oscommerce.com/public/style_emoticons/default/blush.gif[/img] ):

1) in catalog/account_edit.php
a) phone no min set to 11 but I can enter 0123456789B (11 chars), B is cleaned off leaving 10 chars which doesn't meet my 11 chars min.
b ) I assume my Anti-Robot Registration field is fine as it will only accept the given validation code?
c) fax cleaned to "working" but not restricted to numbers only (not a problem)

2) in catalog/account_edit.php
If customers postcode is invalid they get the pink warning at top of page but postcode remains the same as before, that's fine but I wondered if customer might think they have changed it when they haven't and perhaps a pop-up box (like what you get if you don't meet the minimum tel no characters) may be better. Otherwise it "may" cause address issues and we don't want to send products to a mismatching address!

3) in catalog/contact_us.php
email address field still said [w](o)%3Cr%3Ek|i*n^g even though there was the email address invalid error message. Shouldn't it be cleaned to "working"?

4) can't test catalog/create_account.php due to previous post re Active Countries.

Mod seems pretty wicked though. ThanQ Sam [img]http://forums.oscommerce.com/public/style_emoticons/default/thumbsup.gif[/img]

1a simply due to order of checks, easily changed.
1b yes
1c fax not checked for numeric on this version (it is the initial release)

2 post code only checks for valid format, if you want a more extensive check requires a subscription service, popup wuold need javascript version.

3 Would imply an error in your instal, does not happen in my tests.

[sky_diver]

I applied it with active countries. Just leave your files as is anywhere you have the active country code. I believe for that particular section of Sams code, it does basically the same thing and provides dropdown menus of the Providences/states.

And I do use Master Password 1.4 as well. So those changes will work for you.

[sky_diver]

spooks, on 23 January 2010, 00:29, said:

3 Would imply an error in your instal, does not happen in my tests.

Mine did the same thing, when I input [w](o)%3Cr%3Ek|i*n^g, the email field does not strip it out, and the warning message shows up, but it cannot be edited because it is now replaced by the text, [w](o)%3Cr%3Ek|i*n^g, with no text field to edit.

I just replaced my contact_us.php with what you provided.

[spooks]

sky_diver, on 23 January 2010, 02:16, said:

Mine did the same thing, when I input [w](o)%3Cr%3Ek|i*n^g, the email field does not strip it out, and the warning message shows up, but it cannot be edited because it is now replaced by the text, [w](o)%3Cr%3Ek|i*n^g, with no text field to edit.

I just replaced my contact_us.php with what you provided.

Ok, I'll take a closer look as soon as I have a moment. [img]http://forums.oscommerce.com/public/style_emoticons/default/sweatingbullets.gif[/img]

[tigergirl]

sky_diver, on 23 January 2010, 02:16, said:

Mine did the same thing, when I input [w](o)%3Cr%3Ek|i*n^g, the email field does not strip it out, and the warning message shows up, but it cannot be edited because it is now replaced by the text, [w](o)%3Cr%3Ek|i*n^g, with no text field to edit.

Although I had [w](o)%3Cr%3Ek|i*n^g I still had the text field so was able to amend the email address and sucessfully send the contact_us form.

If it helps I didn't make all the changes in Sam's contact_us file as there were the "unrelated extra's" mentioned in the instructions that I wasn't sure about - wasn't sure if they were version related so I left them out for now. So it could be my mistake in the install.

Edited by tigergirl, 23 January 2010, 09:31.

[tigergirl]

OOPS, I don't know why that resent my post when I was trying to edit!!

The mods you posted for Master Password worked for me on V1.4 - thankQ

Quote

2 post code only checks for valid format, if you want a more extensive check requires a subscription service, popup wuold need javascript version.

After I posted that I recalled OSC doesn't behave like that anyway, have been considering if a subscription would be beneficial to improve conversion rates. Although what I think would be really cool would be if the postcode input was changed from lower case to upper case. I've always wanted to insert code that dealt with that as it's such a pain when lazy customers don't capitalize properly. Only a suggestion and not necessary for this security mod.

Edited by tigergirl, 23 January 2010, 09:42.

[spooks]

tigergirl, on 23 January 2010, 09:33, said:

It does reformat post code for UK sites, ie df543we will become DF54 3WE what is your store country set to?

[tigergirl]

spooks, on 23 January 2010, 12:00, said:

It does reformat post code for UK sites, ie df543we will become DF54 3WE what is your store country set to?

My apologies, you are of course right, I hadn't noticed that. It was a long day yesterday and I was dreaming code last night... Mod gets more awesome by the minute
I will check out what sky-diver says about the county drop down in Active Countries when I get the chance. I'm sure there's nout on telly anyway.

[tigergirl]

TIP
Anyone wishing to use the STRONG passwords option may wish to amend the following:

in catalog/includes/languages/english.php

Find these two lines:

define('ENTRY_PASSWORD_TEXT', '*');
define('ENTRY_PASSWORD_NEW_TEXT', '*');

Change to:

define('ENTRY_PASSWORD_TEXT', '* (Password must contain at least one lower case letter, one upper case letter & one number.)');
define('ENTRY_PASSWORD_NEW_TEXT', '* (Password must contain at least one lower case letter, one upper case letter & one number.)');

This will alert your customer to the password requirements (on create_account & account_password pages) before they get the error message (well that is the plan anyway).

[spooks]

Uploaded new Version 1.1

• Modified cleaning code to allow any 'latin' characters, other continants will need to modify the character class.
• Locked $HTTP_POST_VARS to $_POST for sanitise function.
• Fixed typo bug in account_secure.php.
• Created phone validation function in account_secure.php.
• Modified phone validation to use new function.
• Added fax input validation (only applied if input made).
• Added compatibility with Master Password, thanks to sky_diver for code.
• Added manual install, created by Tigergirl, thanks for the effort.
• Modified order of some input validations.
• Fixed year bug in dob input.
• Changed post code validation to depend on provided country instead of store country.

[/list]

Changed files:

account_secure.php, account_edit.php, address_book_process.php, create_account.php,
contact_us.php, english.php.

UPGRADING
If your upgading from any previous version, replace all the changed files listed in the Version History or modify your existing by comparing with the new versions.


Keep your site safe [img]http://forums.oscommerce.com/public/style_emoticons/default/smile.gif[/img]

[spooks]

email not cleaned

spooks, on 23 January 2010, 02:43, said:

Ok, I'll take a closer look as soon as I have a moment. [img]http://forums.oscommerce.com/public/style_emoticons/default/sweatingbullets.gif[/img]

I suspect this issue is related to your server settings, I have modified the sanitising function to allow, please can you confirm the issue is gone with the latest version. [img]http://forums.oscommerce.com/public/style_emoticons/default/smile.gif[/img]