Oscommerce Security - Osc_Sec.php


541 replies to this topic

#461   EricK

EricK
  • Members
  • 315 posts
  • Real Name:Eric_K
  • Gender:Male
  • Location:Atlanta, GA USA

Posted 11 April 2012 - 21:07

Does using server-wide SSL create these PHP Warnings?

Thanks,
EricK

[11-Apr-2012 14:55:44] PHP Warning: file() [<a href='function.file'>function.file</a>]: Filename cannot be empty in /home/<user>/public_html/includes/osc_sec.php on line 636

[11-Apr-2012 14:55:44] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/<user>/public_html/includes/osc_sec.php:636) in /home/<user>/public_html/includes/functions/sessions.php on line 101

[11-Apr-2012 14:55:44] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/<user>/public_html/includes/osc_sec.php:636) in /home/<user>/public_html/includes/functions/sessions.php on line 101

[11-Apr-2012 14:55:44] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/<user>/public_html/includes/osc_sec.php:636) in Unknown on line 0
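The chain in the log above is worth seeing in code: file() is called with an empty filename at osc_sec.php:636, the warning text is written to the browser because display_errors is on, and from that point session_start() and every later header() call fail with "headers already sent". The snippet below is an added example written for this thread, not osC_Sec's own code; the function names and the temporary list file are hypothetical.

```php
<?php
// Added example for this thread, not osC_Sec code. Function names are hypothetical.
//
// The log above shows the pattern: file('') emits "Filename cannot be empty";
// with display_errors=On that warning text is written to the browser, so the
// response body has started and session_start() can no longer send its cookie.
// (On PHP 8 the same empty filename throws a ValueError instead.)

// Fragile: mirrors the call that produced the warning. An empty $path means a
// warning is printed before any header is sent.
function load_list_fragile($path)
{
    return file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
}

// Hardened: validate the path, never print, report through error_log instead.
function load_list($path)
{
    if (!is_string($path) || $path === '' || !is_readable($path)) {
        error_log('list path missing or unreadable: ' . var_export($path, true));
        return array();   // degrade to an empty list rather than break the page
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return ($lines === false) ? array() : $lines;
}

// Guard for the session layer: learn *where* output started before calling
// session_start(); this is the same file:line PHP reports in the warning.
function start_session_guarded()
{
    $file = '';
    $line = 0;
    if (headers_sent($file, $line)) {
        error_log("session_start() skipped: output already started at $file:$line");
        return false;
    }
    return session_start();
}

// Demo with a constructed list file and an empty path. The empty path produces
// one error_log entry and nothing on the client side.
$tmp = tempnam(sys_get_temp_dir(), 'osc');
file_put_contents($tmp, "%%\n../\n");
printf("empty path -> %d entries\n", count(load_list('')));
printf("real file  -> %d entries\n", count(load_list($tmp)));
unlink($tmp);
```

Wiring start_session_guarded() in place of a bare session_start() turns the four warnings into a single log line that names the file and line that produced output, which is usually all that is needed to find the offending include.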

#462   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 11 April 2012 - 22:19

No, but I think if you are using IP Trap along with osC_Sec then you may get that warning. I have written up a fix for this; it will be officially posted up shortly.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#463   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 12 April 2012 - 01:11

osC_Sec 5.0.3
What's New?
- Fixed issues causing conflicts with some addons concerning the postShield() function
- Fixed issues causing conflicts with some addons concerning the ipTrap function

New install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating: Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/8283

#464   mr_absinthe

mr_absinthe
  • Members
  • 446 posts
  • Real Name:Alex
  • Location:London, UK

Posted 17 April 2012 - 21:50

It took me a while to nail this down... but if I keep osC_Sec enabled on one of my stores, I'm unable to supply an XML feed to one of the shopping sites. The feed is being generated by a .php file, and with osC_Sec enabled I was receiving the following error from them: Warning: extract() expects parameter 1 to be array, null given in...

I was receiving no emails from osC_Sec to help me nail it, despite the fact that it is enabled.

I was able to see the XML file in my browser just fine. To be able to supply them with the feed, I have to keep osC_Sec disabled at the moment. Any ideas, please?
Absinthe Original Liquor Store

#465   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 18 April 2012 - 00:30

Can you PM me the full error message thanks.

#466   RMD27

RMD27
  • Members
  • 373 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 01 May 2012 - 07:13

Hello Taipo

Does osc_sec stop 2 question marks being included in the URL?

Google is trying to see this page *************.php?product_info.php?cPath************

But it is finding ***********.phpproduct_info.php?cPath************

EDIT: Taipo, thinking about it, I don't think osc_sec has anything to do with the problem, because I can type in the ? and the page opens.

I'll open a new thread.

Edited by RMD27, 01 May 2012 - 07:26.


#467   Mort-lemur

Mort-lemur
  • Members
  • 1,911 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 03 May 2012 - 11:04

Hi Taipo,

Upgraded to the latest version and have found that a few genuine customers are being IP Trap banned with the following as reason for the ban:

osC_Sec blacklist hex encoded query_string value is banned: %%.
What is this checking for, or what could be causing it?

Many Thanks

Now running on a fully modded 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
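The ban reason quoted above names a bare "%%" as a "hex encoded query_string value". A percent sign that is not followed by two hex digits is a malformed escape rather than an encoded payload, and it reaches storefronts from mangled affiliate links and copy-pasted URLs, which is why genuine customers are being trapped. The following added example, written for this thread and not osC_Sec's own code, shows one way to separate the two cases: decode first and match the decoded text, and only log malformed escapes instead of banning on them. The function names, the pattern list and the sample query strings are hypothetical and constructed.

```php
<?php
// Added example for this thread, not osC_Sec code. The function names and the
// pattern list are hypothetical; the sample query strings are constructed.

// Walk the raw query string once, separating well-formed %XX escapes from
// malformed uses of '%'. Returns the 3-character window seen at each '%'.
function classify_percent_escapes($qs)
{
    $valid = array();
    $malformed = array();
    $len = strlen($qs);
    for ($i = 0; $i < $len; $i++) {
        if ($qs[$i] !== '%') {
            continue;
        }
        $window = substr($qs, $i, 3);
        if (strlen($window) === 3 && ctype_xdigit(substr($window, 1))) {
            $valid[] = $window;
            $i += 2;                      // skip the two hex digits
        } else {
            $malformed[] = $window;       // "%%", "%G1", or a trailing "%"
        }
    }
    return array('valid' => $valid, 'malformed' => $malformed);
}

// Decode repeatedly (bounded) so double-encoded input cannot hide from the
// pattern list, then return one of: ban, log, allow.
function inspect_query_string($qs)
{
    $decoded = $qs;
    for ($round = 0; $round < 3; $round++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }

    // Hypothetical blacklist of things that do not belong in a storefront URL.
    $patterns = array(
        '/\.\.\//'      => 'directory traversal',
        '/<\s*script/i' => 'injected script tag',
        '/\x00/'        => 'NUL byte',
    );
    foreach ($patterns as $re => $why) {
        if (preg_match($re, $decoded)) {
            return array('verdict' => 'ban', 'reason' => $why);
        }
    }

    $esc = classify_percent_escapes($qs);
    if (count($esc['malformed']) > 0) {
        // Nothing dangerous decoded out of it: record it, do not trap the IP.
        return array('verdict' => 'log',
                     'reason'  => 'malformed escape(s): ' . implode(' ', $esc['malformed']));
    }
    return array('verdict' => 'allow', 'reason' => '');
}

// Constructed samples: a normal link, a mangled promo link carrying "%%",
// an encoded traversal attempt, and the same attempt double-encoded.
$samples = array(
    'cPath=22&sort=2a',
    'products_id=31&promo=50%%off',
    'cPath=%2e%2e%2f%2e%2e%2fadmin',
    'cPath=%252e%252e%252fadmin',
);
foreach ($samples as $qs) {
    $r = inspect_query_string($qs);
    printf("%-32s %-5s %s\n", $qs, $r['verdict'], $r['reason']);
}
```

The point of the ordering is that the decoded text is matched before the raw escapes are judged: a hex-encoded traversal is still banned, a double-encoded one is unwrapped and banned, and the "50%%off" link that a customer followed is only written to the log for review.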


#468   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 04 May 2012 - 21:12

Hello Taipo

Does osc_sec stop 2 question marks being included in the URL?

Google is trying to see this page *************.php?product_info.php?cPath************

But it is finding ***********.phpproduct_info.php?cPath************

EDIT: Taipo, thinking about it, I don't think osc_sec has anything to do with the problem, because I can type in the ? and the page opens.

I'll open a new thread.


Perhaps it may be linked to Security Pro as that does rewrite the $_GET global.

#469   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 04 May 2012 - 21:14

Hi Taipo,

Upgraded to the latest version and have found that a few genuine customers are being IP Trap banned with the following as reason for the ban:

osC_Sec blacklist hex encoded query_string value is banned: %%.
What is this checking for, or what could be causing it?

Many Thanks


Can you PM me the entire email notification please.

#470   Mort-lemur

Mort-lemur
  • Members
  • 1,911 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 05 May 2012 - 11:26

Hi Taipo,

Sent you the email text by pm.

The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP Trap trapped.txt file daily just in case.

Thanks



#471   RMD27

RMD27
  • Members
  • 373 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 05 May 2012 - 13:33

Taipo

Okay, I looked into this issue again because I was not able to access the modules box in the admin.

I completely removed the .htaccess hardening code that you wrote, and I can access the modules box and, as a bonus, the translate also works now! (w00t)

My question now, if you have time: do you think you could see what's up with the .htaccess? I was looking for incidences of & and =, but I see they are featured a lot in the .htaccess file, so I can't work out what's what.

#472   RMD27

RMD27
  • Members
  • 373 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 05 May 2012 - 13:38

Taipo

Okay, I looked into this issue again because I was not able to access the modules box in the admin.

I completely removed the .htaccess hardening code that you wrote, and I can access the modules box and, as a bonus, the translate also works now! (w00t)

My question now, if you have time: do you think you could see what's up with the .htaccess? I was looking for incidences of & and =, but I see they are featured a lot in the .htaccess file, so I can't work out what's what.


Actually, scratch that: the translation works now regardless of the .htaccess; it's just the modules box that is affected by the .htaccess.

#473   RMD27

RMD27
  • Members
  • 373 posts
  • Real Name:Ricardo
  • Gender:Male

Posted 05 May 2012 - 14:21

Hi Taipo,

Sent you the email text by pm.

The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP Trap trapped.txt file daily just in case.

Thanks


osc_sec creates a trapped.txt file? If so, where would I find it?

Edited by RMD27, 05 May 2012 - 14:21.


#474   Mort-lemur

Mort-lemur
  • Members
  • 1,911 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 05 May 2012 - 16:28

Sorry, no - the .txt file is part of the IP Trap contribution.

You can select osC_Sec to ban IPs by either .htaccess or by using IP Trap, as I have done.



#475   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 06 May 2012 - 19:09

Hi Taipo,

Sent you the email text by pm.

The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP Trap trapped.txt file daily just in case.

Thanks


Try the latest update Heather

http://addons.oscommerce.com/info/8283

#476   Mort-lemur

Mort-lemur
  • Members
  • 1,911 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 06 May 2012 - 19:59

@Taipo

Thanks Taipo - Just uploaded the latest version and will let you know how it goes.

Many Thanks



#477   Mort-lemur

Mort-lemur
  • Members
  • 1,911 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 08 May 2012 - 09:38

@Taipo

Hi Again Taipo,

Installed the latest version and would just comment on the following:

When I first accessed my admin this morning and clicked on one of the customers in "Who's Online" to see what they had in their basket, I was banned from the site and added to the IP Trap.

This happened around 4 times and then I was able to access without problem.

Again I received emails from osC_Sec stating that the hex filtering had banned me.

I can send you the email text again if you like.

Many Thanks



#478   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 08 May 2012 - 19:20

PM it through to me thanks.

#479   gewoon09

gewoon09
  • Members
  • 26 posts
  • Real Name:michiel

Posted 15 May 2012 - 09:55

Hi,

I installed the latest version of osc_sec.
Now I cannot access my site anymore, both admin and "live".
At first, it also generated problems in logoff.php.

Fatal error: Maximum execution time of 30 seconds exceeded in /home/admin/domains/gewoongezond.be/public_html/includes/osc_sec.php on line 590

Any ideas?

Michiel Lap

#480   DogFoodIT

DogFoodIT
  • Members
  • 70 posts
  • Real Name:ben

Posted 15 May 2012 - 21:29

Hi,

I installed the latest version of osc_sec.
Now I cannot access my site anymore, both admin and "live".
At first, it also generated problems in logoff.php.

Fatal error: Maximum execution time of 30 seconds exceeded in /home/admin/domains/gewoongezond.be/public_html/includes/osc_sec.php on line 590

Any ideas?

Michiel Lap



Same type of issue here; I have just updated 5 sites.

osc v2.2: 1 works OK, the other won't load.
osc v2.3.1: 2 work, 1 will not load - 3 identical sites/code, also all on the same server.