Jump to content



Photo
* * * * * 2 votes

Oscommerce Security - Osc_Sec.php


  • Please log in to reply
541 replies to this topic

#441 ONLINE   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 03 March 2012 - 19:40

You can also try this as it could be associated with the way osC_Sec deals with post form data.

Find these two lines:

	  # check _POST variables against the blacklist
	  $this->postShield();

and replace with:
	  # check _POST variables against the blacklist
	  # $this->postShield();

Let me know if that helps
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#442   modem2.0

modem2.0
  • Members
  • 70 posts
  • Real Name:Modem 2.0

Posted 05 March 2012 - 15:20

Hi Taipo,

I'm taking your advice on another topic and I'm now building a new shop with osCommerce 2.3.1. Should this contribution also be used with osCommerce 2.3.1?

Thanks!

#443 ONLINE   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 06 March 2012 - 06:42

It is not needed due to the fact that there are no known security issues with 2.3.1, however it doesn't hurt to install it.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#444   altoid

altoid
  • Community Sponsor
  • 1,050 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 10 March 2012 - 02:11

Taipo, if you could help out with an issue that apparently osc_sec is causing it would be appreciated.

With one of the latest udpates, there apparently is an effect on an action on a page what Jack_MCS calls, "It is just a normal form update page" that effects that update in the adminstrative side of Header Tags SEO.

Specifically, when you select a keyword that is displayed on a table on the page, and click the appropriate activator, the intended delete action doesn't occur. I disable osc_sec in admin and the action then works. Another user, tried rolling back a version or two of osc_sec and that corrected the issue for him as well.

I wish I could be more descriptive of the actual code that is effected, but I don't know the coding well enough to figure it out. But it appears one of the last version or two of osc_sec is causing this.

Any hunches based on what I provided? Thanks
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.

#445 ONLINE   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 10 March 2012 - 19:32

Try following the instructions at my previous post and let me know if that fixes the issue.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#446   altoid

altoid
  • Community Sponsor
  • 1,050 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 11 March 2012 - 03:31

Try following the instructions at my previous post and let me know if that fixes the issue.


That was the issue. After commmenting out as above, the issue is resolved. Thank you
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.

#447 ONLINE   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 11 March 2012 - 05:46

osC_Sec 5.0.2

Whats New?
- Fixed issues causing conflicts with some addons concerning the postShield() function

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/8283
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#448   altoid

altoid
  • Community Sponsor
  • 1,050 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 11 March 2012 - 11:24

Taipo, I downloaded the latest but the problem came back again, so I changed that line of code to
# $this->postShield();
and the issue is resolved again.
FYI
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.

#449   ptt81

ptt81
  • Members
  • 63 posts
  • Real Name:PT

Posted 11 March 2012 - 17:29

hey Taipo,

I have the same problem with the new version, my checkout page still will not let me pass payment selection page and I changed # $this->postShield(); and it fixed the problem as well. Looks like everyone has problem with this function.

#450 ONLINE   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 11 March 2012 - 17:35

Try this one PT, I have removed the postShield function for now.
http://pastebin.com/RELeMuXL
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#451   ptt81

ptt81
  • Members
  • 63 posts
  • Real Name:PT

Posted 13 March 2012 - 22:34

Hey Taipo,

Thanks for that but Is this the same as me commented out the function # $this->postShield(); ? or is there anything new added?

#452 ONLINE   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 15 March 2012 - 09:35

basically the same PT
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#453   walkman

walkman
  • Members
  • 95 posts
  • Real Name:Wayman
  • Gender:Male

Posted 15 March 2012 - 15:53

Does this add on prevent "url injection"?

This method was just flagged by my PCI scanning company. I previously installed code to prevent SQL injection in my input fields but didn't realize the SQL could be imbeded in the URL osCsid.

#454 ONLINE   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 17 March 2012 - 07:43

@walkman

Yes osC_Sec prevents malicious url injections.

I have made a small change to osC_Sec for those using IP Trap in conjunction. Here is the update. Will release it officially in a day or so.

http://pastebin.com/uqDeDR0k
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#455   mafiouso

mafiouso
  • Members
  • 159 posts
  • Real Name:mafiouso

Posted 30 March 2012 - 04:08

hello, i installed osC_Sec_5.0.2 seem everything was working ok,
i have one problem with paypal IPN (PayPal IPN v2.3.4.6)
the orders go through, the payment to, but does not return the status or paypal details to OSC.

please let me know if you can help. thanks.

#456   mr_absinthe

mr_absinthe
  • Members
  • 447 posts
  • Real Name:Alex
  • Location:London, UK

Posted 01 April 2012 - 08:10

Hello, I would like to install your latest version, but I've noticed that I've a changed code in both application_top.php files. I believe that this change is from here: http://forums.oscomm...ost__p__1467014, but would you be so kind as to have a look at it and tell me if replacing the following code could break something?

admin file:
// set php_self in the local scope
//  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
	/**
	* Reliably set PHP_SELF as a filename .. platform safe
	*/
	function setPhpSelf() {
	  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
	  foreach ( $base as $index => $key ) {
		if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
		  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
			preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
			if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
									  && ( substr( $matches[0], -4, 4 ) == '.php' )
									  && ( is_readable( $matches[0] ) ) ) {
			  return $matches[0];
			}
		  }
		}
	  }
	  return 'index.php';
	} // end method
  
	$PHP_SELF = setPhpSelf();

catalog file:
// set php_self in the local scope
//$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
	/**
	* Reliably set PHP_SELF as a filename .. platform safe
	*/
	function setPhpSelf() {
	  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
	  foreach ( $base as $index => $key ) {
		if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
		  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
			preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
			if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
									  && ( substr( $matches[0], -4, 4 ) == '.php' )
									  && ( is_readable( $matches[0] ) ) ) {
			  return $matches[0];
			}
		  }
		}
	  }
	  return 'index.php';
	} // end method
  
	$PHP_SELF = setPhpSelf();

Absinthe Original Liquor Store

#457 ONLINE   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 01 April 2012 - 22:33

hello, i installed osC_Sec_5.0.2 seem everything was working ok,
i have one problem with paypal IPN (PayPal IPN v2.3.4.6)
the orders go through, the payment to, but does not return the status or paypal details to OSC.

please let me know if you can help. thanks.


Unless I am mistaken I believe the callback from the Paypal server is a POST request. The latest version of osC_Sec as of http://pastebin.com/uqDeDR0k does not filter the POST variables at all so should not be interferring with the order callback.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#458 ONLINE   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 01 April 2012 - 22:34

Hello, I would like to install your latest version, but I've noticed that I've a changed code in both application_top.php files. I believe that this change is from here: http://forums.oscomm...ost__p__1467014, but would you be so kind as to have a look at it and tell me if replacing the following code could break something?

admin file:

// set php_self in the local scope
//  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
	/**
	* Reliably set PHP_SELF as a filename .. platform safe
	*/
	function setPhpSelf() {
	  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
	  foreach ( $base as $index => $key ) {
		if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
		  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
			preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
			if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
									  && ( substr( $matches[0], -4, 4 ) == '.php' )
									  && ( is_readable( $matches[0] ) ) ) {
			  return $matches[0];
			}
		  }
		}
	  }
	  return 'index.php';
	} // end method
  
	$PHP_SELF = setPhpSelf();

catalog file:
// set php_self in the local scope
//$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
	/**
	* Reliably set PHP_SELF as a filename .. platform safe
	*/
	function setPhpSelf() {
	  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
	  foreach ( $base as $index => $key ) {
		if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
		  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
			preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
			if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
									  && ( substr( $matches[0], -4, 4 ) == '.php' )
									  && ( is_readable( $matches[0] ) ) ) {
			  return $matches[0];
			}
		  }
		}
	  }
	  return 'index.php';
	} // end method
  
	$PHP_SELF = setPhpSelf();


They mostly do the same thing, but you would be best to change the code to the one in osC_Sec as that is the latest code supplied by the developers of osCommerce as part of the fix to that serious security issue.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#459   mafiouso

mafiouso
  • Members
  • 159 posts
  • Real Name:mafiouso

Posted 04 April 2012 - 13:02

Warning: require_once(/home/USER/public_html/shopping/ext/modules/payment/paypal_ipn/includes/osc_sec.php) [function.require-once]: failed to open stream: No such file or directory in /home/USER/public_html/shopping/includes/application_top.php on line 43

Fatal error: require_once() [function.require]: Failed opening required '/home/USER/public_html/shopping/ext/modules/payment/paypal_ipn/includes/osc_sec.php' (include_path='.:/usr/lib/php') in /home/USER/public_html/shopping/includes/application_top.php on line 43

line 43 is
require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

if i leave this on paypal ipn wont work?

can advice would be great.

thank you

Edited by mafiouso, 04 April 2012 - 13:03.


#460 ONLINE   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 04 April 2012 - 21:23

replace:

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

with:

require_once( '/home/youruser/public_html/includes/osc_sec.php' );

This is so that you can use the actual file path.

So replace '/home/user/public_html/includes/osc_sec.php' with the actual file path to osc_sec.php
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW