Oscommerce Security - Osc_Sec.php

541 replies to this topic

#481   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 15 May 2012 - 23:02

Revert to the next older version for now, I will have a look at this tonight when I get a chance and put out an update shortly after.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#482   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 16 May 2012 - 01:51

I've made a few minor alterations below
http://pastebin.com/uQH30z6v

Copy the RAW Paste Data from that link into your osc_sec.php file and let me know if that sorts the issue.

#483   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 23 May 2012 - 07:50

osC_Sec 5.0.8
What's New?
- Fixed a bug in the getshield() function which could allow for partial filter bypassing
- Recoded the getRealIP() to work more efficiently
- Fixed time-out issues caused by code changes in 5.0.6

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.
Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/8283

#484   DogFoodIT

DogFoodIT
  • Members
  • 70 posts
  • Real Name:ben

Posted 25 May 2012 - 05:07

Taipo, I love this security contrib you have worked on, it's fantastic. Just of late I have noticed a little issue with a site that I have set up. I have been using the old Credit card payment module with OSC2.2 and I have noticed that it blocks me when I get an error from that module, e.g.:

If I don't put in the correct card number it should throw an error! When it does I get blocked (IPTrap). If I enter the details correctly it will proceed through the order.

This is what I have been sent in the email.

This IP [ 220.245.75.138 ] has been IP Trap banned on the site.com website by osC_Sec.php version 5.0.8
REASON FOR BAN: osC_Sec detected a base64 encoded blacklisted query_string value: £'.
Time of ban: Fri, 25 May 2012 04:45:41
.------------[ ALL $_GET VARIABLES ]-------------
#
# - payment_error = cc
# - error = The first four digits of the number entered are: . If that number is correct, we do not accept that type of credit card. If it is wrong, please try again.
# - cc_owner = Jack Nicolsen - Employee
# - cc_expires_month = 02
# - cc_expires_year = 13
#
`--------------------------------------------------------
.---------[ ALL $_POST FORM VARIABLES ]-------
#
# - No POST form data
#
`--------------------------------------------------------
.------------[ $_SERVER VARIABLES ]--------------
#
# - DOCUMENT_ROOT = /home/catfood/public_html
# - GATEWAY_INTERFACE = CGI/1.1
# - HTTPS = on
# - HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# - HTTP_ACCEPT_CHARSET = ISO-8859-1,utf-8;q=0.7,*;q=0.3
# - HTTP_ACCEPT_ENCODING = gzip,deflate,sdch
# - HTTP_ACCEPT_LANGUAGE = en-US,en;q=0.8
# - HTTP_CACHE_CONTROL = max-age=0
# - HTTP_CONNECTION = keep-alive
# - HTTP_COOKIE = __utma=7699744.1440227245.1288772200.1288772200.1291197083.2; osCsid=23d75122ee251e63cc45161d76af15b6; cookie_test=please_accept_for_session
# - HTTP_HOST = site.com
# - HTTP_REFERER = https://site.com/checkout_confirmation.php
# - HTTP_USER_AGENT = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
# - PATH = /bin:/usr/bin
# - QUERY_STRING = payment_error=cc&error=The+first+four+digits+of+the+number+entered+are%3A+.+If+that+number+is+correct%2C+we+do+not+accept+that+type+of+credit+card.+If+it+is+wrong%2C+please+try+again.&cc_owner=Jack+Nicolsen+-+Employee&cc_expires_month=02&cc_expires_year=13
# - REDIRECT_STATUS = 200
# - REMOTE_ADDR = 220.245.75.138
# - REMOTE_PORT = 19173
# - REQUEST_METHOD = GET
# - REQUEST_URI = /checkout_confirmation.php?payment_error=cc&error=The+first+four+digits+of+the+number+entered+are%3A+.+If+that+number+is+correct%2C+we+do+not+accept+that+type+of+credit+card.+If+it+is+wrong%2C+please+try+again.&cc_owner=Jack+Nicolsen+-+Employee&cc_expires_month=02&cc_expires_year=13
# - SCRIPT_FILENAME = /path_to/checkout_confirmation.php
# - SCRIPT_NAME = /checkout_confirmation.php
# - SERVER_ADDR = 202.191.62.46
# - SERVER_ADMIN = webmaster@site.com
# - SERVER_NAME = site.com
# - SERVER_PORT = 443
# - SERVER_PROTOCOL = HTTP/1.1
# - SERVER_SIGNATURE = <address>Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at site.com Port 443</address>
# - SERVER_SOFTWARE = Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
# - UNIQUE_ID = T78Odcq-PicABrqoW2sAAAAv
# - PHP_SELF = /checkout_confirmation.php
# - REQUEST_TIME = 1337921141
# - 0 = payment_error=cc&amp;error=The
# - 1 = first
# - 2 = four
# - 3 = digits
# - 4 = of
# - 5 = the
# - 6 = number
# - 7 = entered
# - 8 = are%3A
# - 9 = .
# - 10 = If
# - 11 = that
# - 12 = number
# - 13 = is
# - 14 = correct%2C
# - 15 = we
# - 16 = do
# - 17 = not
# - 18 = accept
# - 19 = that
# - 20 = type
# - 21 = of
# - 22 = credit
# - 23 = card.
# - 24 = If
# - 25 = it
# - 26 = is
# - 27 = wrong%2C
# - 28 = please
# - 29 = try
# - 30 = again.&amp;cc_owner=Jack
# - 31 = Nicolsen
# - 32 = -
# - 33 = Employee&amp;cc_expires_month=02&amp;cc_expires_year=13
# - argc = 34
# - $PHP_SELF filename ( osC_Sec ) = checkout_confirmation.php
#
`--------------------------------------------------------
OTHER INFO
is htaccess writeable =
Resolve IP address: http://en.utrace.de/?query=220.245.75.138
Search Project Honeypot: http://www.projecthoneypot.org/ip_220.245.75.138
This email was generated by osC_Sec. To disable email notifications, open osc.php file, and in the Settings section change $emailenabled = 1 to $emailenabled = 0
Keep up with the latest version of osC_Sec.php at http://addons.oscommerce.com/info/8283 and http://goo.gl/dQ3jH
Email rohepotae [at] gmail dot com with any suggestions.


I have even tried going back to version 5.04 and still get blocked. Any help would be appreciated.

Edited by Jan Zonjee, 15 August 2012 - 05:54.


#485   MrPhil

MrPhil
  • Members
  • 5,152 posts
  • Real Name:Phil
  • Gender:Male

Posted 26 May 2012 - 02:13

Ben, if you're using the old 2.2 osC cc module, you'd better be fully PCI-DSS compliant. If you ain't, and there's a security problem, you are toast. The cc module was intended only as an example or template of credit card processing, and was removed from 2.3.1 because it was so insecure, yet stores were actually using it in production.

#486   Peper

Peper
  • Members
  • 382 posts
  • Real Name:Pierre
  • Gender:Male
  • Location:South Africa

Posted 26 May 2012 - 18:11

Hi Taipo,

Need some help, we moved to a new fasta server today but are unable to display the catalog side - it only shows HTTP 403 Forbidden in the tab name with a blank page.
If the addon is disabled it gives no errors.

I played around with the older versions and found last year's version 5.0.0 is loading up pages, at least for now.

It seems to be perhaps the IP checking part, though I'm not even too sure.

Any help please.
Is there a debug mode or so?
Contributions successfully installed : Header tags SEO, Scrolling new products, Customer testimonials, Support tickets, Polls, Link exchange, SPPC, X-sell, Master products, Dhtml menu, Image cache, Slide show, Product videos, Product custom sort, Product notes, Discount coupons, Ask question(review style + admin), CP builder, Customers also purchased, price list, // SEO URLS 5, and forgot the others and then a real admin setup.

#487   MrPhil

MrPhil
  • Members
  • 5,152 posts
  • Real Name:Phil
  • Gender:Male

Posted 27 May 2012 - 17:07

"fasta"? A couple of things to check:
1. Turn off "mod security" if it's on. That may be seeing certain strings in your URLs or POST data and thinks it's a hack attempt.
2. Check ownership of your directories and files, and permissions should be 755 for directories and 644 for files (444 for configure.php).

#488   Peper

Peper
  • Members
  • 382 posts
  • Real Name:Pierre
  • Gender:Male
  • Location:South Africa

Posted 24 June 2012 - 11:26

"fasta"? A couple of things to check:
1. Turn off "mod security" if it's on. That may be seeing certain strings in your URLs or POST data and thinks it's a hack attempt.
2. Check ownership of your directories and files, and permissions should be 755 for directories and 644 for files (444 for configure.php).

All the above is correctly set up on the server.

It took me a while to find out how customers are getting errors.
For one thing, they are using mobile devices - confirmed using a BlackBerry, and all the errors pop up from oscsec.
Still also unable to figure out why a 404 blank page is served by osc_sec using the latest version.

Anyone run into similar errors?

#489   geoffreywalton

geoffreywalton

    Available for Hire

  • Community Sponsor
  • 8,201 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 07 August 2012 - 08:22

Has anyone seen this error message

[07-Aug-2012 01:41:01] PHP Warning:  strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter in /home3/xxxxxxxxx1/public_html/sites/yyyyyyyyyy/includes/osc_sec.php on line 671

Which in turn sends this in the job email

Status: 302 Moved Temporarily
Location: http://www.zzzzzzzzzzzzzz.co.uk/blocked.php
Content-type: text/html

I am trying to run cron job

/ramdisk/bin/php5 /home3/xxxxxxxxxxxx/public_html/sites/yyyyyyyyyyyy/googlesitemap/index.php

Running it manually does not generate an entry in the error log

Thanks

G

@Taipo

Edited by geoffreywalton, 07 August 2012 - 08:22.

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

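The cron failure reported above is typical of a request filter that assumes it is always running inside an HTTP request. The following is an added example, not code from osC_Sec or from anyone in this thread, showing the two guards such a filter needs: skip the check entirely when there is no HTTP request to inspect, and never hand an empty needle to strpos(). It assumes (and this is an assumption, not something the thread confirms) that the warning on line 671 came from a needle built out of a $_SERVER field that is simply absent under the CLI; the function names, token list and the two sample environments are constructed for the illustration.

```php
<?php
// Added example, not osC_Sec's own code. Assumption (labelled): the
// "Empty delimiter" warning came from a needle derived from a $_SERVER
// field that does not exist when PHP runs from cron (CLI SAPI).

// Returns true only when there is a real HTTP request to inspect.
// $sapi is a parameter so the demo below can show both cases from one run.
function requestFilterShouldRun(array $server, string $sapi = PHP_SAPI): bool
{
    if ($sapi === 'cli') {               // cron jobs run under the CLI SAPI
        return false;
    }
    // Under the CLI these keys are absent; every web SAPI provides them.
    return isset($server['REQUEST_METHOD'], $server['REQUEST_URI'], $server['REMOTE_ADDR']);
}

// strpos() with an empty needle raised "Empty delimiter" in PHP 5 and
// "Empty needle" in PHP 7; PHP 8 accepts it and returns 0, which would make
// every request "match". Treat an empty needle as "no match" in all cases.
function safeContains(string $haystack, string $needle): bool
{
    if ($needle === '') {
        return false;
    }
    return strpos($haystack, $needle) !== false;
}

// Constructed tokens: the empty one stands in for a pattern that was built
// from a missing configuration or $_SERVER value.
$tokens = ['../', '', '<script'];

function filterRequest(array $server, array $tokens, string $sapi): string
{
    if (!requestFilterShouldRun($server, $sapi)) {
        return 'skipped: no HTTP request to inspect (CLI/cron)';
    }
    $uri = strtolower($server['REQUEST_URI']);
    foreach ($tokens as $token) {
        if (safeContains($uri, $token)) {
            return "blocked: token '$token' found in REQUEST_URI";
        }
    }
    return 'allowed';
}

// Constructed environments: what $_SERVER looks like from cron vs. a browser.
$fromCron = ['argv' => ['index.php'], 'argc' => 1];
$fromWeb  = [
    'REQUEST_METHOD' => 'GET',
    'REQUEST_URI'    => '/googlesitemap/index.php',
    'REMOTE_ADDR'    => '203.0.113.10',   // documentation address, constructed
];

echo filterRequest($fromCron, $tokens, 'cli'), "\n";
echo filterRequest($fromWeb,  $tokens, 'apache2handler'), "\n";
```

Run it with `php guard.php`: the cron environment is skipped before any string matching happens, and the web environment is inspected without the empty token ever reaching strpos().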

#490   callenords

callenords
  • Members
  • 67 posts
  • Real Name:Carl Nordström
  • Gender:Male
  • Location:Sweden

Posted 07 August 2012 - 11:56

I receive many visitors from Google Ads (display network) and I've noticed that many of these visitors are banned when they enter my site with the reason:

REASON FOR BAN: osC_Sec base64 encoded blacklist query_string value is banned: 0.

Is this a bug or perhaps I need to disable the query_string check? I have been using version 5.0.1a but I just updated to 5.0.8 - not sure if it will help.

Thanks.

#491   callenords

callenords
  • Members
  • 67 posts
  • Real Name:Carl Nordström
  • Gender:Male
  • Location:Sweden

Posted 14 August 2012 - 08:12

I receive many visitors from Google Ads (display network) and I've noticed that many of these visitors are banned when they enter my site with the reason:

REASON FOR BAN: osC_Sec base64 encoded blacklist query_string value is banned: 0.

Is this a bug or perhaps I need to disable the query_string check? I have been using version 5.0.1a but I just updated to 5.0.8 - not sure if it will help.

Thanks.


The solution: Find and remove (line 428 in osc_sec.php): "%000",

If you are using Google Adwords ads, the code above triggers the security system for some of your paid visitors (Google Adwords adds a "?gclid=XXXXXXXXX" parameter that in some cases triggers the security system).

I hope removing the code above is ok?

#492   modem2.0

modem2.0
  • Members
  • 70 posts
  • Real Name:Modem 2.0

Posted 29 December 2012 - 16:34

I moved to a new host, and now I can't upload files with Osc_Sec active. The upload is made to /tmp/ folder, which I don't have rights to write into due to security reasons. I have the following error:
Warning: move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/phpC6BR9N) is not within the allowed path(s): (/home/myDomain/public_html/) in /home/myDomain/public_html/admin/includes/classes/upload.php on line 86
When I disable this contrib the upload is done, so there is some kind of incompatibility between this addon and my server's security.

#493   Roaddoctor

Roaddoctor
  • Members
  • 1,018 posts
  • Real Name:David Jennings
  • Gender:Not Telling
  • Location:Texas

Posted 03 January 2013 - 19:15

I receive many visitors from Google Ads (display network) and I've noticed that many of these visitors are banned when they enter my site with the reason:

REASON FOR BAN: osC_Sec base64 encoded blacklist query_string value is banned: 0.

Is this a bug or perhaps I need to disable the query_string check? I have been using version 5.0.1a but I just updated to 5.0.8 - not sure if it will help.

Thanks.


The solution: Find and remove (line 428 in osc_sec.php): "%000",

If you are using Google Adwords ads, the code above triggers the security system for some of your paid visitors (Google Adwords adds a "?gclid=XXXXXXXXX" parameter that in some cases triggers the security system).

I hope removing the code above is ok?


Taipo - I too have seen the same lately - is the proposed delete of "%000" proper?

Anyone else done this?

@Taipo

Edited by Roaddoctor, 03 January 2013 - 19:17.

-Dave

#494   EricK

EricK
  • Members
  • 315 posts
  • Real Name:Eric_K
  • Gender:Male
  • Location:Atlanta, GA USA

Posted 04 February 2013 - 17:36

This fixed my error using Google AdWords, see post #491

The solution: Find and remove (in line 428 of osc_sec.php): "%000",

If you are using Google Adwords ads, the code above triggers the security system for paid visitors (Google Adwords adds a "?gclid=XXXXXXXXX" parameter).
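The bans in post #484 (a credit-card error message flagged as "a base64 encoded blacklisted query_string value") and in post #491 (AdWords gclid visitors banned on "%000") are the same failure mode: a filter that base64-decodes every query-string value and scans the result for blacklisted substrings. The following is an added example, not osC_Sec's own code, written in PHP 7.1+; it reproduces that mechanism and puts a stricter variant beside it. The token list, the function names and all sample values are constructed for the illustration and are not osC_Sec's real list or matching code.

```php
<?php
// Added example, not osC_Sec's own code. Assumptions (labelled): the
// blacklist, the function names and every sample value are constructed.

// Constructed blacklist. "%000" is the entry post #491 removed; the rest
// are generic markers a filter might look for in decoded payloads.
$blacklist = ['%000', 'eval(', 'base64_decode(', '<script'];

// Returns the first blacklisted token found in $text, or null.
function scanForTokens(string $text, array $blacklist): ?string
{
    foreach ($blacklist as $token) {
        if (stripos($text, $token) !== false) {
            return $token;
        }
    }
    return null;
}

// Naive variant. In non-strict mode base64_decode() silently drops every
// character outside the base64 alphabet (spaces, '.', ',', ':', '-', '%')
// and decodes whatever letters remain, so an English error message or a
// gclid token always yields some bytes, which are then scanned. Whether a
// blacklist token turns up in that noise is chance, which is exactly the
// intermittent false positive the thread reports.
function naiveCheck(string $value, array $blacklist): array
{
    $decoded = base64_decode($value);    // non-strict: never returns false
    return [
        'treated_as_base64' => $decoded !== '',
        'hit'               => $decoded === '' ? null : scanForTokens($decoded, $blacklist),
    ];
}

// Stricter variant: only a value that is entirely valid base64 counts, and
// only printable decoded text is scanned, since a payload someone hid in
// base64 has to be readable code or markup to be of any use to them.
function strictCheck(string $value, array $blacklist): array
{
    $decoded = base64_decode($value, true);  // strict: false on any foreign char
    $isText  = $decoded !== false && $decoded !== ''
            && preg_match('/^[\x20-\x7E\t\r\n]+$/', $decoded) === 1;
    return [
        'treated_as_base64' => $isText,
        'hit'               => $isText ? scanForTokens($decoded, $blacklist) : null,
    ];
}

// Constructed inputs: the ordinary values from the ban report in post #484,
// a made-up gclid-style token, and a genuinely base64-encoded test payload.
$samples = [
    'error'    => 'The first four digits of the number entered are: . If that number is correct, we do not accept that type of credit card.',
    'cc_owner' => 'Jack Nicolsen - Employee',
    'gclid'    => 'CJ3xkL7t0LMCFQkb4godEXAMPLE',                // constructed, not a real gclid
    'encoded'  => base64_encode('<script>eval(x)</script>'),   // constructed test payload
];

foreach ($samples as $name => $value) {
    $n = naiveCheck($value, $blacklist);
    $s = strictCheck($value, $blacklist);
    printf("%-9s naive: base64=%-5s hit=%-8s | strict: base64=%-5s hit=%s\n",
        $name,
        var_export($n['treated_as_base64'], true), var_export($n['hit'], true),
        var_export($s['treated_as_base64'], true), var_export($s['hit'], true));
}
```

Run with `php base64check.php`. The naive path treats all four values as base64 and scans their decoded bytes; the strict path rejects the error message and the cc_owner value outright (they contain characters that are not base64), rejects the gclid-style token because its decoded bytes are not printable text, and still flags the genuinely encoded payload. Removing one token, as post #491 did, shrinks the chance of a hit on noise but does not change the mechanism; strict decoding plus a printable-text check does.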

#495   nico.verduin

nico.verduin
  • Members
  • 1 posts
  • Real Name:Nico Verduin

Posted 11 February 2013 - 14:05

No doubt I am doing something wrong but this is the case:
My site is blocked as it was submitting spam mail through the "Tell a Friend" option.
a) I installed osc_sec 5.0.8 exactly as instructed
b) now both the catalog and the admin sites just give a blank screen on startup
c) if I remove the require_once statement, it works again.

I am using oscommerce 2.2 (I think, 2008 version)

Can anybody tell me what I am doing wrong?

Regards
Nico

Edited by nico.verduin, 11 February 2013 - 14:12.


#496   Roaddoctor

Roaddoctor
  • Members
  • 1,018 posts
  • Real Name:David Jennings
  • Gender:Not Telling
  • Location:Texas

Posted 15 February 2013 - 14:23

No doubt I am doing something wrong but this is the case:
My site is blocked as it was submitting spam mail through the "Tell a Friend" option.
a) I installed osc_sec 5.0.8 exactly as instructed
b) now both the catalog and the admin sites just give a blank screen on startup
c) if I remove the require_once statement, it works again.

I am using oscommerce 2.2 (I think, 2008 version)

Can anybody tell me what I am doing wrong?

Regards
Nico


Check your htaccess file and make sure you have not banned yourself. If so, delete your IP from htaccess and you should be back.
-Dave

#497   MrPhil

MrPhil
  • Members
  • 5,152 posts
  • Real Name:Phil
  • Gender:Male

Posted 15 February 2013 - 15:18

now both the catalog and the admin sites just give a blank screen on startup

The White Screen of Death (WSOD) is usually a sign of a fatal PHP syntax error. Double check your coding. Look in your site error log and for any error_log files scattered about your site directories -- maybe they'll give a hint of what went wrong. If removing the require_once statement fixes the WSOD, then either you have a syntax error in the require_once statement, or some code in whatever it's requiring is bad.

Feel free to show here (in [ code ] tags) the offending require_once statement, and five or so lines before and after it. At least we can rule out that one statement...

#498   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 16 March 2013 - 01:15

Apologies for the extended hiatus, back now and will be working on an updated version of osC_Sec.

#499   Mort-lemur

Mort-lemur
  • Members
  • 1,927 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 16 March 2013 - 08:22

Apologies for the extended hiatus, back now and will be working on an updated version of osC_Sec.


Welcome back Taipo :)

Now running on a fully modded 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


#500   jamo32

jamo32
  • Members
  • 9 posts
  • Real Name:jim Harris

Posted 24 April 2013 - 08:25

What is the easy way to test that osc_sec is working? If it is a URL test, what should be the resulting info on the page?

Many thanks