Oscommerce Security - Osc_Sec.php


541 replies to this topic

#381   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 30 November 2011 - 11:39

osC_Sec 4.1[r9]

What's New?

Finally got around to developing out the check_ip() and getRealIP() functions.
- check_ip() can now test the format of both IPv4 and IPv6 addresses.
- getRealIP() has been modified to better handle proxy servers.

New install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating: just replace the osc_sec.php in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW
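The two functions named in this release note are only described, not shown. The following is an added example written for this thread, not osC_Sec's own code: example_check_ip() validates IPv4/IPv6 syntax with PHP's built-in filter, and example_get_real_ip() shows the proxy handling a practitioner would want, which is to honour X-Forwarded-For only when the direct peer is one of your own proxies. The function names, the trusted proxy list and the sample requests are assumptions constructed for the demonstration; it assumes PHP 7 or later.

```php
<?php
// Added example; this is not osC_Sec's code. Function names
// (example_check_ip, example_get_real_ip) are hypothetical. Requires PHP 7+.

/** True if $ip is a syntactically valid IPv4 or IPv6 address. */
function example_check_ip(string $ip): bool
{
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

/**
 * Resolve the client address for banning/logging purposes.
 *
 * X-Forwarded-For is only honoured when the direct peer (REMOTE_ADDR) is one
 * of our own trusted proxies. Any client can put an arbitrary value in that
 * header, so trusting it unconditionally lets a request get someone else's
 * address banned, or let the sender sidestep a ban on their own.
 */
function example_get_real_ip(array $server, array $trustedProxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!example_check_ip($remote)) {
        return '0.0.0.0'; // no usable peer address; caller should treat as suspect
    }
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote; // direct connection: the header cannot be trusted
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Each proxy appends the address it received the request from, so walk the
    // chain from the right and stop at the first hop that is not one of ours.
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if (!example_check_ip($hop)) {
            break; // malformed entry: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed sample requests using documentation address ranges.
$trusted = ['10.0.0.5'];
$samples = [
    'direct, forged header' => ['REMOTE_ADDR' => '203.0.113.9',
                                'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
    'via trusted proxy'     => ['REMOTE_ADDR' => '10.0.0.5',
                                'HTTP_X_FORWARDED_FOR' => '198.51.100.1'],
    'proxy, forged header'  => ['REMOTE_ADDR' => '10.0.0.5',
                                'HTTP_X_FORWARDED_FOR' => '192.0.2.77, 198.51.100.1'],
    'IPv6 via proxy'        => ['REMOTE_ADDR' => '10.0.0.5',
                                'HTTP_X_FORWARDED_FOR' => '2001:db8::1'],
];
foreach ($samples as $label => $server) {
    printf("%-24s -> %s\n", $label, example_get_real_ip($server, $trusted));
}
```

Run with `php example.php`: the first request resolves to 203.0.113.9 (the forged header is ignored because the peer is not a proxy), the second and third to 198.51.100.1 (the leftmost forged entry in the third case is never reached), and the fourth to 2001:db8::1. The trusted proxy list must be maintained by the site operator; without it, an IP-based ban keyed on X-Forwarded-For can be steered by whoever sends the header.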

#382   altoid

altoid
  • Community Sponsor
  • 1,086 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 01 December 2011 - 20:43

Hi there, osc_sec generated a different type of ban than I've seen before, and I was wondering if you would explain what the reason for the ban means and its importance.

Here's the first part of the notification:


This IP [ xx.xxx.xxx.xx ] has been htaccess banned on the "myshop.com" website by osC_Sec.php version 4.1[r9]

REASON FOR BAN: osC_Sec Array listed item is banned: %0d%0a.

Time of ban: Thu, 01 Dec 2011 13:21:48

.------------[ ALL Array VARIABLES ]-------------
#
# - products_id = 485
#
`--------------------------------------------------------

.---------[ ALL Array FORM VARIABLES ]-------
#
# - No POST form data
#

thank you..

Edited by altoid, 01 December 2011 - 20:44.

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.

#383   geoffreywalton

geoffreywalton

    Professional Developer

  • Community Sponsor
  • 8,247 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 01 December 2011 - 21:20

Why would you want a url with \r\n in it?

G
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#384   altoid

altoid
  • Community Sponsor
  • 1,086 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 01 December 2011 - 21:41

Why would you want a url with \r\n in it?

G


If you mean from my post, there isn't anything like that.

It's something like this:

"http://www.myshop.co...--c-66_99.html"

#385   geoffreywalton

geoffreywalton

    Professional Developer

  • Community Sponsor
  • 8,247 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 01 December 2011 - 22:26

No, someone tried to access your site with 0d0a in the URL.

Why?

I don't know but this contribution doesn't like it.

Hope that makes sense.

G

#386   altoid

altoid
  • Community Sponsor
  • 1,086 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 02 December 2011 - 00:50

No, someone tried to access your site with 0d0a in the URL.

Why?

I don't know but this contribution doesn't like it.

Hope that makes sense.

G


That's what I was wondering about. Hope Taipo can offer something. I'll take a look at the logs too and see what I can find.

Thanks

#387   altoid

altoid
  • Community Sponsor
  • 1,086 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 02 December 2011 - 02:28

If I am reading the log correctly, it looks like a Bing search brought the IP to my site, and then this line looks like the 403 that resulted in the ban:

xx.xxx.xxx.xx - - [01/Dec/2011:13:21:48 -0500] "GET /my-product-p-485.html HTTP/1.1" 403 20 "http://www.myshop.co...t-c-66_99.html" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

#388   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 02 December 2011 - 06:37

I can see there is an issue with the way the emails are formatted, I will fix that in the next release.

As Geoffrey stated, %0d%0a has no place in a request_uri, and if it is resident then that is often a sign that someone is running a security vulnerability scan of your site. Tools like Havij and Acunetix are used by security professionals and attackers alike, and these tools, along with many others, will as part of their assessment test query strings to see if they can generate database or PHP errors, which in themselves can be signs of possible security vulnerabilities. Adding a line feed/carriage return combination into a query string can, on some web systems, result in a database or PHP error.

So the original idea was to ban the occurrence of that URL-encoded line feed code in order to put a stop to security scans; however, in doing so in earlier versions of osC_Sec I noticed that there were too many false positive bans coming in, so I removed it from the getShield() blacklist in a later release.

It looks like I need to remove it from the cookieshield blacklist as well, so I will do so in the next update coming out shortly.
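The trade-off Taipo describes above (an encoded CRLF in a request or cookie is a useful scanner signal, but banning an IP outright on a single match produces false positives) is easier to reason about with the check written out. The following is an added example for this thread, not osC_Sec's code: example_has_crlf() finds a literal or URL-encoded CR/LF, decoding up to twice so a double-encoded form is not missed, and example_decide() refuses the individual request but only escalates to a ban after repeated hits from the same address. The function names, the threshold and the sample requests (including the cookie value) are constructed assumptions; PHP 7 or later is assumed.

```php
<?php
// Added example; this is not osC_Sec's code. Function names are hypothetical.
// Requires PHP 7+.

/**
 * True if $value contains a carriage return or line feed, either literally
 * or URL-encoded. Decodes up to twice so double-encoded forms (%250d%250a)
 * are caught as well; a value that decodes to itself stops the loop early.
 */
function example_has_crlf(string $value): bool
{
    $candidate = $value;
    for ($round = 0; $round < 3; $round++) {
        if (preg_match('/[\r\n]/', $candidate) === 1) {
            return true;
        }
        $decoded = rawurldecode($candidate);
        if ($decoded === $candidate) {
            break; // nothing left to decode
        }
        $candidate = $decoded;
    }
    return false;
}

/**
 * Decide how to treat one request value (request target or cookie).
 * The offending request itself is always refused, but an htaccess-style ban
 * is only issued once the same IP has tripped the check $threshold times, so
 * a single odd request arriving via a search-engine referral costs a visitor
 * one 403 rather than their access. $hits is a per-IP counter kept by the
 * caller; a production version would expire entries after a time window.
 */
function example_decide(string $ip, string $value, array &$hits, int $threshold = 3): string
{
    if (!example_has_crlf($value)) {
        return 'allow';
    }
    $hits[$ip] = ($hits[$ip] ?? 0) + 1;
    return $hits[$ip] >= $threshold ? 'ban' : 'reject';
}

// Constructed sample values: request targets and one cookie string.
$hits = [];
$samples = [
    ['203.0.113.9',  '/my-product-p-485.html'],               // ordinary page
    ['203.0.113.9',  '/index.php?cPath=66_99'],               // ordinary query string
    ['198.51.100.1', '/index.php?products_id=485%0d%0a'],     // encoded CRLF
    ['198.51.100.1', "osCsid=abc\r\n"],                       // literal CRLF in a cookie value
    ['198.51.100.1', '/index.php?products_id=485%250d%250a'], // double-encoded CRLF
];
foreach ($samples as [$ip, $value]) {
    printf("%-14s %-42s -> %s\n", $ip, addcslashes($value, "\r\n"),
        example_decide($ip, $value, $hits));
}
```

Running this prints `allow` for the two ordinary requests from 203.0.113.9, then `reject`, `reject` and finally `ban` for the three hits from 198.51.100.1. Keeping the refuse and ban decisions separate is what lets a site keep the scanner signal without the "banned after one request from a Bing referral" outcome reported earlier in the thread; the same check can be applied to cookie values, which is where the ban in that report came from.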

#389   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 02 December 2011 - 06:43

osC_Sec 4.2

What's New?

- Added additional checks in the getRealIP() function
- Fixed print issues with the email notification
- Removed an item from the cookieshield blacklist that could cause false positive results

New install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating: just replace the osc_sec.php in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

#390   altoid

altoid
  • Community Sponsor
  • 1,086 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 02 December 2011 - 11:55

Taipo and G thanks for responding.

I just installed Taipos latest version in my shops. Thanks

#391   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 02 December 2011 - 20:43

osC_Sec 4.2[r1]

What's New?

- More updates to getRealIP() and check_ip() functions

New install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating: just replace the osc_sec.php in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

#392   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 04 December 2011 - 08:00

osC_Sec 4.2[r4]

What's New?

# Removal of $osCSpamTrap from osC_Sec.
In order for $osCSpamTrap to work most effectively and securely it must be included further down the application_top.php page. Therefore I have decided to remove it from osC_Sec and will be releasing it shortly as a stand-alone addon.

# Fixed an error with the IP Trap code

New install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating: Replace both the osc_sec.php and osc.php files in your website includes directory with the osc_sec.php and osc.php files in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

#393   dthomas_ceo

dthomas_ceo
  • Members
  • 3 posts
  • Real Name:Dedric Thomas

Posted 06 December 2011 - 02:27

Good Evening,

Just installed this add-on due to multiple hacks. Started over from scratch. I see that it's working, but now i'm having issues using my Admin Interface. Can you give some guidance on how to temporarily disable Osc_Sec or provide a work around?

Thanks in advance,

Dedric

#394   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 06 December 2011 - 08:20

What problems are you specifically having with your admin area?

#395   FrostyFred

FrostyFred
  • Members
  • 20 posts
  • Real Name:Fred

Posted 07 December 2011 - 16:48

I too am having problems in the admin area.

If I install the latest osC_Sec and comment out the powered by line, as suggested elsewhere, it works for all my other admin options except configuration.

For this one I just get a blank screen.

Comment out the code as below and it works fine:

// some code to solve compatibility issues
require(DIR_WS_FUNCTIONS . 'compatibility.php');
echo "<br>pre<br>";   // debug marker printed before the osC_Sec include
//  require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );   // osC_Sec include commented out
echo "<br>post<br>";  // debug marker printed after it

The version is:

  define('PROJECT_VERSION', 'osCommerce 2.2-MS2');

Now to find out where it is having a sense of humour failure, unless you know.

#396   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 07 December 2011 - 19:27

That is rather odd that the error is triggered by configuration.php calls. Can you PM me the contents of your admin/configuration.php file? Thanks.

#397   ctec2001

ctec2001
  • Members
  • 224 posts
  • Real Name:Michael
  • Gender:Male

Posted 13 December 2011 - 06:28

Just set up the latest version of osc_Sec without issue. Thanks again for the help.
Do or Do Not, there is no try.

#398   altoid

altoid
  • Community Sponsor
  • 1,086 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 15 December 2011 - 00:24

Taipo, Jack has modified the Site Monitor add-on significantly, and I believe that the osc_sec / Site Monitor issue is arising again. After I uploaded Jack's latest, when I went to the configure part in Site Monitor, I got banned. I have a workaround by manually editing the file, but when I try to run the script that does it via PHP, it bans me. So FYI on that. Jack's latest is: http://addons.oscommerce.com/info/4441
Thanks

#399   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 15 December 2011 - 02:59

Ok I will take a look at it and pop out an update shortly.

#400   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 15 December 2011 - 04:00

osC_Sec 4.2[r6]

What's New?
- Cleanup of excess code and functions no longer used
- Removed ip bypass list from the oscSecBypass() function
- Further work on the getShield() function
- Update to instructions in readme.htm
- Faster HTTPS check
- osC_Sec's osc_sec.php can now work as a standalone file for users who have multiple websites and use the default settings
- Fixed an issue with Sitemonitor so that osC_Sec bypasses Sitemonitor files correctly

New install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating: Replace the osc_sec.php file in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834