Oscommerce Security - Osc_Sec.php


541 replies to this topic

#401   altoid

altoid
  • Community Sponsor
  • 1,084 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 15 December 2011 - 22:52

Ok I will take a look at it and pop out an update shortly.


The update took care of the site monitor issue. All's good. Thanks again for your support!
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.

#402   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 16 December 2011 - 06:05

You're welcome Steve. Seems the issue was actually with something I did in the previous update, not so much an issue with any changes in Site Monitor.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#403   PeterHS

PeterHS
  • Members
  • 25 posts
  • Real Name:Peter Havart-Simkin

Posted 18 December 2011 - 19:44

Hi - this is an FYI...

Loaded the latest version of osc_sec. We use IP_Trap. Noticed osc_sec was not sending emails any longer. Looks like there needs to be a change in the email send function, as it checks if banipaddress is set as well as send email, but not if IP_Trap is set. Made the following change and it now works ....

# send the notification
if ( (( false !== ( bool )$this->_banipaddress ) || (false !== ( bool )$this->_useIPTRAP )) && ( false !== ( bool )$this->_emailenabled ) ) {

Peter

#404   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 18 December 2011 - 22:56

Thanks for that Peter, will pop that in the next update.

#405   godside

godside
  • Members
  • 10 posts
  • Real Name:Johan Nathan
  • Gender:Male
  • Location:Jakarta, Indonesia

Posted 23 December 2011 - 20:52

Sorry, I'm a beginner; my website was just hacked.
I've finished the install instructions.
Then how do I know whether the plugin is installed or not?

sorry for this stupid question, please help.

thanks

Edited by godside, 23 December 2011 - 20:53.


#406   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 December 2011 - 21:56

If you have set it to ban ip addresses and receive emails then you will start to receive emails shortly with exploit attempts.

If not then try going to www.yourwebsite.com/admin/administrators.php/login.php and it should result in the browser producing an access denied error...unless you are using Firefox which just produces a blank page.

#407   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 25 December 2011 - 06:21

osC_Sec 4.2[r7]

What's New?
- Removed double up entries in the bypass function
- Added a filter to look specifically for osCommerce admin login bypass attempts. Unlike other filters, no requests or files are exempt from this filter.
- (re)Added an x_powered_by() function to overwrite the apache response header with a custom string to prevent automated attacks from identifying what version of PHP your site is hosted on if expose_php is enabled in the php.ini
- Added an option to disable the tell_a_friend.php page and therefore prevent it from being used to send spam (see readme.htm).
- Fixed issue with the emailer when IP Trap is enabled (thanks to Peter for pointing this out).
- Optional code additions for htaccess to further harden the security of your website.
- Added a check for the multi-byte GBK character
- Added a Local File Inclusion filter to prevent PHP stream php://filter LFI exploit attempts

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: Replace both the osc_sec.php and osc.php files in your website /includes/ directory with the osc_sec.php and osc.php files in the includes directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834
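An added illustration of what three of the filters in that release do (the php://filter LFI check, the multi-byte GBK check and the admin login-bypass path check) run over constructed request lines. This is my own hypothetical code written for this thread, not code from osC_Sec; the function and sample names are made up, and the logic is a plain reading of the release notes rather than the addon's actual implementation.

```python
"""Request-filter checks in the spirit of the osC_Sec 4.2[r7] release notes:
PHP stream-wrapper LFI attempts, the multi-byte GBK escape problem, and
path-info requests against admin scripts. Hypothetical code, not osC_Sec."""
from urllib.parse import unquote_to_bytes, urlsplit

# PHP stream wrappers that have no business in a user-supplied parameter.
STREAM_WRAPPERS = (b"php://", b"expect://", b"data:")


def check_lfi(value: bytes) -> bool:
    """True when a decoded parameter carries a PHP stream wrapper (php://filter etc.)."""
    lowered = value.lower()
    return any(wrapper in lowered for wrapper in STREAM_WRAPPERS)


def check_gbk_escape(value: bytes) -> bool:
    """True when a GBK lead byte (0x81-0xFE) is immediately followed by a quote
    or backslash. On a GBK-collated connection the lead byte can swallow the
    backslash that addslashes() inserts, leaving the quote unescaped.
    Caveat: a UTF-8 store sees a false positive for an accented letter
    followed directly by a quote, so log before deciding to block."""
    for i in range(len(value) - 1):
        if 0x81 <= value[i] <= 0xFE and value[i + 1] in (0x27, 0x5C):
            return True
    return False


def check_admin_pathinfo(path: str) -> bool:
    """True for admin requests that append path info after a .php script, the
    shape of the request the thread uses as its self-test
    (/admin/administrators.php/login.php). Only admin paths are considered."""
    lowered = path.lower()
    return "/admin/" in lowered and ".php/" in lowered


def inspect_request(request_line: str) -> list:
    """Return the names of the checks that fire for one HTTP request line."""
    _method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    findings = []
    if check_admin_pathinfo(parts.path):
        findings.append("admin_pathinfo")
    # Percent-decode to raw bytes so multi-byte sequences stay visible.
    values = [unquote_to_bytes(pair.partition("=")[2])
              for pair in parts.query.split("&") if pair]
    if any(check_lfi(v) for v in values):
        findings.append("lfi_wrapper")
    if any(check_gbk_escape(v) for v in values):
        findings.append("gbk_escape")
    return findings


# Constructed sample request lines (not taken from any real log).
SAMPLE_REQUESTS = [
    "GET /catalog/product_info.php?products_id=31 HTTP/1.1",
    "GET /admin/administrators.php/login.php HTTP/1.1",
    "GET /catalog/index.php?language=php://filter/resource=test.txt HTTP/1.1",
    "GET /catalog/index.php?cPath=%bf%27 HTTP/1.1",
]
```

Run inspect_request over SAMPLE_REQUESTS and only the first line comes back clean; the other three each trip exactly one check.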

#408   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 26 December 2011 - 08:11

osC_Sec 4.2[r8]

Unless any other issues arise, this is the final update for osC_Sec.

What's New?
- Update to additional htaccess code to catch local file includes and session hijacking attempts
- Update to getShield and databaseShield filter lists

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
If you are upgrading from version 4.2[r6] and earlier then please replace both the osc_sec.php and osc.php files in your website /includes/ directory with the osc_sec.php and osc.php files in the includes directory of this zip file.
If updating from 4.2[r7] then all you need do is replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

#409   ctec2001

ctec2001
  • Members
  • 224 posts
  • Real Name:Michael
  • Gender:Male

Posted 26 December 2011 - 23:38

Thanks Te Taipo for all your efforts in providing a line of defense.
Do or Do Not, there is no try.

#410   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 27 December 2011 - 00:05

Glad to help Michael.

#411   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 27 December 2011 - 01:20

Since this addon has significantly changed since it began, like other addon makers, I have reuploaded osC_Sec to a new location with a greatly expanded description.

New Download Location: http://addons.oscommerce.com/info/8283

It has a small change compared to the previous upload, but nothing serious enough to need updating; feel free to, though.

Final release: osC_Sec 5.0.0 Final

#412   Mort-lemur

Mort-lemur
  • Members
  • 2,023 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 31 December 2011 - 11:34

Hi Taipo,

Thanks for the continued development of this great enhancement.

I have been trying to install the .htaccess hardening portion of the mod, but using the following gives me a 500 error

Options +FollowSymlinks

Looking on various forums, some say this is required within .htaccess, and some say that it is not.

Why would that line of code give me a 500 error?
Is it required?

Many Thanks

Now running on a fully modded 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


#413   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 31 December 2011 - 12:05

Chances are your webhost has blocked the use of +FollowSymlinks in htaccess.

If this is not already somewhere at the top of your htaccess file, use this instead

Options +SymLinksIfOwnerMatch

However if you are using one of the SEO mods you may find this is already at the top of your htaccess file so no need to add it twice.

Also remember that code in the htaccess file in the extras directory is more for test purposes than to be used on a working site.

If you are familiar with htaccess and are comfortable with what the code in there is trying to achieve then by all means try it out.

However just a friendly reminder that it is a rather hardcore method of preventing malicious requests from being executed.

#414   Mort-lemur

Mort-lemur
  • Members
  • 2,023 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 02 January 2012 - 10:57

Thanks Taipo,

I may just "cherry pick" some of the code from the .htaccess hardening as I don't have a lot of attack attempts on my stores.

I have read that a good way to stop access attempts to the admin section is to have a dedicated IP address for your ISP connection and to ban all but this IP address via .htaccess.

However, I (like a lot of people, I'm sure) connect via a dynamic IP address which changes with each connection to the internet.

However, the first two numbers of my IP address are always the same - Is there a way to write this into the .htaccess file to only allow IPs that commence with the two numbers to connect to admin (using wildcards?)

I know that this would only block IPs from outside my region / country? but I think that would be a useful additional security addition - as most of the attempted attacks are, in my case, non-UK in their origin.

Many Thanks



#415   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 02 January 2012 - 12:28

Off the top of my head it would look something like this in your admin .htaccess file.


order deny,allow
deny from all
allow from 123.123

Edited by Taipo, 02 January 2012 - 12:29.

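An added example, my own hypothetical code rather than anything from osC_Sec or the htaccess addon, that evaluates an Apache 2.2 Order/Deny/Allow stanza like the one above against a client address. It shows the partial-address rule Taipo is relying on (allow from 123.123 covers 123.123.0.0/16 and nothing else), the difference between deny,allow and allow,deny, and the manual unban step of removing a deny from line; the function and constant names are made up.

```python
"""Evaluate Apache 2.2 Order/Deny/Allow stanzas of the kind the thread puts in
the admin .htaccess. Hypothetical helper code, not part of osC_Sec."""
import ipaddress


def _to_network(spec: str) -> ipaddress.IPv4Network:
    """Translate one Deny/Allow argument: 'all', a CIDR block, a full address,
    or a partial address of one to three octets ('123.123' = 123.123.0.0/16).
    Apache matches partial addresses on whole octets, so '123.123' does not
    cover 123.12.x.x; hostname and env= forms are rejected here."""
    if spec == "all":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if "/" in spec:
        return ipaddress.IPv4Network(spec, strict=False)
    octets = spec.split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("unsupported address spec: %r" % spec)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network("%s/%d" % (padded, 8 * len(octets)), strict=False)


def parse_stanza(text: str):
    """Return (order, deny_networks, allow_networks) from an htaccess fragment."""
    order, deny, allow = "deny,allow", [], []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            order = words[1].lower()
        elif key in ("deny", "allow") and len(words) > 2 and words[1].lower() == "from":
            (deny if key == "deny" else allow).extend(_to_network(w) for w in words[2:])
    return order, deny, allow


def is_allowed(stanza: str, client_ip: str) -> bool:
    """Apache 2.2 semantics. 'deny,allow': Allow wins a conflict and unmatched
    clients get in. 'allow,deny': Deny wins and unmatched clients are refused."""
    order, deny, allow = parse_stanza(stanza)
    ip = ipaddress.IPv4Address(client_ip)
    denied = any(ip in net for net in deny)
    allowed = any(ip in net for net in allow)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unsupported Order: %r" % order)


def unban(stanza: str, ip: str) -> str:
    """Drop the 'deny from <ip>' line a ban appends: the manual unban step
    the thread describes for a self-inflicted ban."""
    kept = [l for l in stanza.splitlines()
            if [w.lower() for w in l.split()] != ["deny", "from", ip]]
    return "\n".join(kept) + "\n"


# Constructed stanza mirroring the thread's suggestion: only the ISP's /16 gets in.
ADMIN_HTACCESS = "order deny,allow\ndeny from all\nallow from 123.123\n"
```

On Apache 2.4 the same intent is written with Require ip instead of Order/Deny/Allow, so check which version the host runs before copying the stanza.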

#416   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 02 January 2012 - 12:32

ps the htaccess addon is here now
http://forums.oscomm...merce-htaccess/

It has a few small differences to the one that was first released in osC_Sec

#417   rbartz

rbartz
  • Members
  • 58 posts
  • Real Name:Richard Bartz

Posted 02 January 2012 - 13:34

Thank you for a great contribution.

I added the latest version (5) to a site today, on Fedora Core 10, Apache 2.1.4, PHP 5.2.9, OSC 2.2-MS2. After installation, the apache server began throwing segmentation faults in the child processes. Within a few minutes the server load had increased significantly to the point of slowdown. Fedora was unable to kill the faulting processes. Restarting httpd solved the problem for a few minutes, but as soon as any hits started on that site, the segmentation faults began again and overloading soon occurred.

Here are a few lines from the httpd error_log
[Mon Jan 02 03:05:20 2012] [notice] child pid 3192 exit signal Segmentation fault (11)
[Mon Jan 02 03:06:00 2012] [notice] child pid 3194 exit signal Segmentation fault (11)
[Mon Jan 02 03:07:21 2012] [notice] child pid 3191 exit signal Segmentation fault (11)
I tried stopping zend eaccelerator which was not the problem. I reset the .htaccess back to what it was before which was not the problem. I tried commenting out the require line first in the catalog and then in the admin, neither stopped the segmentation faults but they slowed. Finally I commented it out in both and the segmentation faults stopped. It seems something in the code itself is causing the faults.

I also have another site on a Centos 5 server, Apache 2.2.3, PHP 5.1.6, OSC v2.2 RC2a, so I added it there. I got the same errors:

[Mon Jan 02 04:14:17 2012] [notice] child pid 20825 exit signal Segmentation fault (11)
[Mon Jan 02 04:15:11 2012] [notice] child pid 21063 exit signal Segmentation fault (11)
[Mon Jan 02 04:17:03 2012] [notice] child pid 21033 exit signal Segmentation fault (11)
On the Centos server, it handled the faults better and was able to kill them with SIGTERM. Again, the faults stopped when I commented out the osc_sec require lines in both application_top.php files.

Any ideas about what may be wrong? Thanks for any help you can give.

Richard

#418   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 03 January 2012 - 06:50

I think many segfault issues have been cleaned up in later versions of PHP; however, I have endeavored to make osC_Sec backward compatible with earlier versions, so I would be keen to find out which part of the code is causing the error notices to be issued.

To bug fix the code to see which section is causing the conflict, try the following.

1/ set all the settings in osc.php to 0 and see if the errors stop

2/ if the error notices continue, try commenting out these in osc_sec.php, one at a time.

fix_server_vars();
@x_powered_by();
$this->chkSetup();
$PHP_SELF = $this->phpSelfFix();
$this->osCAdminLoginBypass();
$this->disable_tellafriend();
$this->dbShield();
$this->getShield();
$this->postShield();
$this->cookieShield();

They are what triggers the various sections in osC_Sec

#419   SimonLG

SimonLG
  • Members
  • 9 posts
  • Real Name:Simon

Posted 09 January 2012 - 11:39

Hi Taipo,

I upgraded to the latest version of OSC_SEC last night for a client, and today they had problems accessing some of the pages in their admin panel. I started commenting out the osc_sec.php lines as per post 418, and I found that the culprit was the line "$this->dbShield();"

In post 418 you said you were keen to know what was causing the error. I know that my issue might not relate in any way to the issue you were addressing at the time, but I also know that the server that I have the site on is running an old version of PHP, so I thought I would give you the details.

Firstly, the server that is hosting the site is running the following:
PHP version 5.2.0-8+etch16

The client is running on version 2.2 RC2 of osCommerce.

The majority of the client's admin pages worked ok. The following pages would return errors saying that the connection could not be made (default browser error message). I have changed the client's URL and renamed ADMIN folders for security reasons.

https://www.clientUR...567&action=edit
https://www.clientUR...x=configuration

The page https://www.clientUR...?page=1&oID=567 worked fine, but trying to edit it added "&action=edit" to the end of the URL, which it didn't like.

Additional information....
I have the following setting turned on in the osc.php file.
$nonGETPOSTReqs = 1;
$spiderBlock = 1;
$disable_tellafriend = 1;

$banipaddress = 0;
$useIPTRAP = 0;
$ipTrapBlocked = "";

$emailenabled = 1;

Please let me know if there is any additional information you require.

Please note, I have posted this primarily to give you information on what might be a compatibility issue with an older version of php. If you can find a solution to the dbshield() issue then Great, but that is not a big concern for me.

Thanks

Simon

#420   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 10 January 2012 - 04:02

What you can do to get an accurate report on what is causing the issue (this will result in osC_Sec banning your ip address, which you can easily unban) is to set $banipaddress = 1 and go back and edit that order. This will cause osC_Sec to ban your ip address and, more importantly, to send you an email with a report of the ban. PM that report through to me privately and I will help you fix this issue.

To unban yourself merely go to the .htaccess file in your root directory and remove the line... 'deny from youripaddress'