Who should use it?
- Users of Oscommerce versions 2.2.1 and earlier
- If your site has been hacked before
- If your site gets heavy attention from exploiters and you wish to lower the bandwidth being used by these attacks.
As simple as it gets.
1/ Upload osc_sec.php into the main catalog's includes folder.
2/ Add a piece of code to both includes/application_top.php and admin/includes/application_top.php, and overwrite a piece of faulty code in both of those files as well (in versions 2.2.1 and earlier). For detailed instructions see the readme.htm file.
There are a number of custom settings you can also set in Oscommerce Security. Those are explained in the readme.htm file included in the package.
The main settings that need your attention are:
$httphost = "www.yoursite.com";
# enter your site host without http:// using this format www.yourwebsite.com
$youremail = "email@example.com";
# set your email address here so that the server can send you a notification of any action taken
$fromemail = "firstname.lastname@example.org";
# set up an email like email@example.com where the attack notifications will come from
The rest can be left as it is; leaving the defaults in place is also the safest choice.
What Oscommerce Security Will Not Do:
This part is important for those trying to prevent further attacks on their sites. If your site has been hacked in the past and you have opted not to completely clean out the web directory and start again with the new version 2.3.1, there is a chance that rogue files or injected code may still be present in your web files. Others have been lucky and have not had this happen, but for those that were not so lucky, missing just one of the rogue files added during the attacks means that attacks can be launched on your site from within your own site, or triggered via other websites that have also been exploited and are yet to be fixed.
Installing any security file will not prevent this from happening. The only things that can prevent it are either going through every .php, .html and .js file on your site and checking it for exploit code, or giving up on the old installation, installing the latest code and starting again (by far the best option, although not always the easiest).
What Osc_Sec Will Do (default settings):
- Block incoming attack vectors that are specific to the exploit hole that exists in version 2.2.1 and earlier, using as little bandwidth as possible to do so (unless you decide to receive an email for each ban, in which case you need to count the bytes sent in the email as well).
- Ban the IP address of these attacks. The attacks are specific to Oscommerce, so it is no accident that they occur on your site. Osc_Sec can add the IP address to the .htaccess file, add it to the IP Trap file if you have IP Trap installed, or just block the attack attempt without banning the IP address.
- When an IP is banned, the script in osc_sec ends the execution of the page, so it not only bans the IP address from further exploitation of your site but also stops the current attack from continuing.
- Whitelisting requests. This is designed to minimize the possibility of malicious code injections into the database. Whitelisting should be standard practice for web script design, however it is often not the case.
- Checks that the application viewing your site is a web browser. Many spam bots are not in fact web browsers and therefore do not behave as one would.
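The ban step from the list above, written out as an added illustration (this is not osc_sec's own code): validate the offending IP, append an Apache deny rule to .htaccess under a file lock, send the small notification email using the $youremail / $fromemail settings from the configuration block, and stop executing the request. The .htaccess path and the function name osc_ban_ip() are assumptions made for this example.

```php
<?php
// Added example of the ban flow described in the post; not osc_sec's own code.
// Settings as in the configuration block above:
$youremail = "email@example.com";               // where ban notifications go
$fromemail = "firstname.lastname@example.org";  // sender of the notification
$htaccess  = __DIR__ . '/../.htaccess';         // catalog root .htaccess (assumed path)

function osc_ban_ip($ip, $reason, $htaccess, $to, $from)
{
    // Never write an unvalidated string into .htaccess: one malformed line
    // takes the whole site down with 500 errors, so only a literal IP is accepted.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        exit; // still stop the request, but leave the config file untouched
    }
    // Keep the reason to a single printable line, as the post describes.
    $reason = preg_replace('/[^\x20-\x7E]/', '', substr($reason, 0, 120));
    // Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat enabled.
    $line = "deny from " . $ip . "\n";

    $fh = fopen($htaccess, 'a');
    if ($fh !== false && flock($fh, LOCK_EX)) {
        // Skip duplicates so repeated attacks from one host do not bloat the file.
        if (strpos((string) file_get_contents($htaccess), $line) === false) {
            fwrite($fh, $line);
        }
        flock($fh, LOCK_UN);
        fclose($fh);
    }

    // A tiny message: the post warns that notification email adds to bandwidth.
    @mail($to, 'Oscommerce Security ban: ' . $ip, "IP: $ip\nReason: $reason\n", 'From: ' . $from);

    // Ending execution here is what prevents the attack from continuing.
    exit;
}
```

The web server user must be able to write to .htaccess for the append to succeed; if it cannot, the request is still stopped but the IP is not banned.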
Optional Extras (not activated by default):
- Prevent security bypass attacks via forged requests.
- Check that cookies and the Referer header are set before accepting a form post. This can easily be circumvented by an attacker, but it's there as an option anyway. Do not activate this if you are using PayPal or any 3rd party payment processor that uses POST as a return call (if none of that makes sense to you, it should just be left in the off position).
- Prevent arbitrary session injections. There are other addons that cover this issue. If your admin directory is secured then you do not need to activate this.
- Automatically send an email to the developer with the banned IP address and the reason for the ban, to help improve osc_sec. At present this is a tiny email containing the banned IP address and the 'reason' (a one-line sentence on why the IP was banned). It is set to off by default; set it to '1' if you wish to assist in the development of osc_sec. If your site is heavily attacked, do not activate this, as sending these emails will add to your current bandwidth usage.
Edited by Taipo, 10 April 2011 - 11:05 AM.