Oscommerce Security - Osc_Sec.php


541 replies to this topic

#101   rdva

rdva
  • Members
  • 23 posts
  • Real Name:rdva
  • Gender:Male
  • Location:Saint-Petersburg, Russia

Posted 24 May 2011 - 09:40

It works on Windows (my test server) and does not work on Linux (production server).

I have changed the cleanup syntax below. This may render some more of the non-english char items than the previous one. Using the perl compatible regular expressions will hopefully allow the browser character settings to make a better determination of what is displayed and what isn't. However this may not work on some locale settings.

/**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
        foreach ( $nodes as $key => $value ) {
            if ( is_array( $value ) ) {
                // keep the cleaned sub-array; otherwise the recursion result is thrown away
                $nodes[$key] = scrubster( $value );
            } else {
                // clean each element individually, not the whole array
                $nodes[$key] = getCleaner( $value, TRUE );
                $nodes[$key] = preg_replace( "/[^\w\s?,€=@%:{}\/_.-]/i", "", urldecode( $nodes[$key] ) );
                $nodes[$key] = getCleaner( $nodes[$key], FALSE );
            }
        }
    } else {
        $nodes = getCleaner( $nodes, TRUE );
        $nodes = preg_replace( "/[^\w\s?,€=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
        $nodes = getCleaner( $nodes, FALSE );
    }
    return $nodes;
}

/**
 * Called above, this will clean up
 * values but not interfere with umlauts:
 * each umlaut is swapped for a per-request token plus an ASCII
 * spelling before the regex runs, and swapped back afterwards
 */
function getCleaner( $string, $conv = 1 ) {
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
              $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    $tolist   = explode( ",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,&szlig" );
    $fromlist = explode( ",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig" );
    $finlist  = explode( ",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß" );
    // "<", not "<=": the lists are indexed 0 .. count()-1
    for ( $wr = 0; $wr < count( $tolist ); $wr++ ) {
        if ( $conv > 0 ) {
            $string = str_replace( $tolist[$wr], $x . $fromlist[$wr], $string );
        } else {
            $string = str_replace( $x . $fromlist[$wr], $finlist[$wr], $string );
        }
    }
    return $string;
}



#102   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 24 May 2011 - 10:41

Try the last version I put up if you get a chance. Below is a slightly modified version which replaces the previous two functions.

/**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
setlocale(LC_CTYPE, 'C');
function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
        foreach ( $nodes as $key => $value ) {
            if ( is_array( $value ) ) {
                // keep the cleaned sub-array; otherwise the recursion result is thrown away
                $nodes[$key] = scrubster( $value );
            } else {
                // clean each element individually, not the whole array
                $nodes[$key] = preg_replace( '/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $value ) );
            }
        }
    } else {
        $nodes = preg_replace( '/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $nodes ) );
    }
    return $nodes;
}

I have uploaded it to a production server here: http://warbeast.netne.net/

This is what I am seeing in FF

[img]http://i53.tinypic.com/28hctjo.jpg[/img]

The test code I am using in application_top.php below the osc_sec.php require include is:

echo  "ABCDEFGabcdefg,=,.,@,:,{,},_,-ä,ö,ü,Ä,Ö,Ü,€,ß [w](o)%3Cr%3Ek|i*n^g";
echo "<br>\n";
echo scrubster( "ABCDEFGabcdefg,=,.,@,:,{,},_,-ä,ö,ü,Ä,Ö,Ü,€,ß [w](o)%3Cr%3Ek|i*n^g" );

In my browser it is displaying correctly. However using the PCRE method of filtering can run into probs depending on the servers locale settings.

Edited by Taipo, 24 May 2011 - 10:42.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#103   popsel

popsel
  • Members
  • 23 posts
  • Real Name:Hans Lang
  • Gender:Male
  • Location:Germany

Posted 24 May 2011 - 14:41

I think the problem again is that for some reason some of these addons are calling constant defined variables via HTTP_GET_VARS instead of just calling the defined item directly.

However, these are some of the issues we have to face when working around each others addons.

Try this one out then. It is a bit of the old (as in a bit of the original fix) and a bit of the new.

Replace the entire piece above with this. It should, at a guess, cause the order editor to work better.

/**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
        foreach ( $nodes as $key => $value ) {
            if ( is_array( $value ) ) {
                // keep the cleaned sub-array; otherwise the recursion result is thrown away
                $nodes[$key] = scrubster( $value );
            } else {
                // clean each element individually, not the whole array
                $nodes[$key] = preg_replace( '/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $value ) );
            }
        }
    } else {
        $nodes = preg_replace( '/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $nodes ) );
    }
    return $nodes;
}


Hi!

FF with test line shows:
auml,ouml,uuml,Auml,Ouml,Uuml,euro,szlig,ampauml,ampauml,ampuuml,ampAuml,ampOuml,ampUuml,ampeuro,ampszlig,ä,ö,ü,Ä,Ö,Ü,€,ß working

I did a test and Order Editor is working again :rolleyes:

FF (Coupon Codes shows):
Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht

sign is still filtered, but beside it looks good.
I did a test with Coupon Codes and Order Editor only.
These made most problems in combination with osc_sec.
Best regards

Popsel
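
To show the whitelist approach from the scrubster() posts above applied to a nested GET array, here is an added example written for this page; it is not code from the thread, from osC_Sec or from Taipo, and the function names (scrub_request, scrub_scalar) and the sample input are assumptions. It writes each cleaned element back into the array by key so nested arrays are actually filtered, and it carries the PCRE u modifier so the umlauts in the character class are matched as UTF-8 code points instead of single bytes. That is what makes the thread's pattern depend on the server locale: without u, ä is the two bytes C3 A4 in the class, so any other UTF-8 character that shares one of those bytes is half-stripped and comes out garbled in the browser.

```php
<?php
// Added example, not code from the thread or from osC_Sec. It applies the
// whitelist approach of the scrubster() posts to a nested request array.
// Function names (scrub_request, scrub_scalar) and the sample input are
// assumptions made for this example.

// Same character whitelist as the thread's pattern, with the PCRE "u" modifier:
// pattern and subject are read as UTF-8, so "ä" in the class is one code point
// rather than the two bytes C3 A4, and the result no longer depends on the
// server's LC_CTYPE locale.
define('SCRUB_PATTERN', '/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/u');

function scrub_scalar($value) {
    // Decode first so %3C / %3E are seen as < and > by the whitelist.
    $decoded = urldecode((string) $value);
    // With "u", preg_replace() returns NULL if the subject is not valid UTF-8
    // (preg_last_error() === PREG_BAD_UTF8_ERROR); drop such values entirely
    // rather than pass mangled bytes through.
    $clean = preg_replace(SCRUB_PATTERN, '', $decoded);
    return ($clean === null) ? '' : $clean;
}

function scrub_request(array $nodes) {
    foreach ($nodes as $key => $value) {
        if (is_array($value)) {
            // Recurse and keep what the recursion returns.
            $nodes[$key] = scrub_request($value);
        } else {
            $nodes[$key] = scrub_scalar($value);
        }
    }
    return $nodes;
}

// Constructed sample input: the thread's own test string, a nested array
// with an HTML tag in it, and one value containing a Latin-1 byte that is
// not valid UTF-8.
$sample = array(
    'q'    => 'ABCDEFGabcdefg,=,.,@,:,{,},_,-ä,ö,ü,Ä,Ö,Ü,€,ß [w](o)%3Cr%3Ek|i*n^g',
    'sort' => array('field' => 'price<script>', 'dir' => 'asc'),
    'bad'  => "caf\xE9",
);

var_dump(scrub_request($sample));
```

Run from the command line, the nested 'field' value loses its angle brackets and 'bad' comes back empty because its Latin-1 byte is rejected as malformed UTF-8. One caveat: on PHP builds where the u modifier also switches on Unicode character properties, \w admits letters beyond the umlauts listed in the class, so widen or narrow the class deliberately rather than relying on the locale to decide.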

#104   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 24 May 2011 - 21:02

That may have to be the final balance in the end I think. It's not the optimum, but at least the main function is working.

In the end that filter is not as crucial to the security of 2.2.x as the other non-optional parts of osC_Sec. The optional sections are optional for that reason, if they create a conflict they can at least be switched off unless, like yourself, you know how to code your way around them.

#105   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 26 May 2011 - 10:46

osC_Sec_2.5[r3] Updated
What's New?
- GET cleanup now better presents special characters
- Added the osC_Sec version to the diagnostic email. If you have allowed a diagnostic email to be sent, it will now include which version of osC_Sec you are using.
- Changed the whitelisting function to the perl compatible regular expression
- Added more blacklisted items to the form filtering ($_POST requests)

NOTE: For users upgrading from osC_Sec_2.5[r2] you only need to replace the osc_sec.php with the one contained in this zip file.

Download from: http://www.oscommerc...tributions,7834

#106   SimonLG

SimonLG
  • Members
  • 9 posts
  • Real Name:Simon

Posted 29 May 2011 - 11:11

Hi,

I have been trying to implement this addon but have been encountering errors and I am hoping you can help me with them.

Firstly, I keep getting the error
####### OSC_SEC.PHP WARNING: Please enable write access to your shop catalogs .htaccess file thanks #######
at the top of the front end and the admin backend pages. Which .htaccess should I be providing write access to and what level access should I be giving it? I have tried updating the one in the includes folder (I set it to 777 to ensure that it was completely open) and the error does not go.

Secondly:
I get the following errors on the website front end
Notice: Undefined variable: getHexvars in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 245

Notice: Undefined variable: _SESSION in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 397

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php:50) in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 404

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php:50) in /var/www/vhosts/*Website*/httpdocs/includes/functions/sessions.php on line 102

The website works regardless of the errors.

Finally, I get the following errors when I access the website/admin page
Notice: Undefined variable: getHexvars in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 245

Notice: Undefined variable: _SESSION in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 397

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php:50) in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 404

Notice: Constant SESSION_FORCE_COOKIE_USE already defined in /var/www/vhosts/*Website*/httpdocs/*admin*/includes/application_top.php on line 85

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php:50) in /var/www/vhosts/*Website*/httpdocs/*admin*/includes/functions/sessions.php on line 102

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php:50) in /var/www/vhosts/*Website*/httpdocs/*admin*/includes/functions/general.php on line 22

I am unable to access the admin pages due to these errors.

I will have to disable the addon for now as the client will no doubt want to access the admin page tomorrow. If you have any suggestions please let me know. If you need any additional information, please let me know.

Thanks in advance

Simon

Edited by SimonLG, 29 May 2011 - 11:14.


#107   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 29 May 2011 - 11:26

Hi,

I have been trying to implement this addon but have been encountering errors and I am hoping you can help me with them.

Firstly, I keep getting the error
####### OSC_SEC.PHP WARNING: Please enable write access to your shop catalogs .htaccess file thanks #######
at the top of the front end and the admin backend pages. Which .htaccess should I be providing write access to and what level access should I be giving it? I have tried updating the one in the includes folder (I set it to 777 to ensure that it was completely open) and the error does not go.


The htaccess in the root directory of your store is the one that needs to be made writable. Probably a setting of 666 would do it. But try 644 first, if no go then 666.

Secondly:
I get the following errors on the website front end
Notice: Undefined variable: getHexvars in /path_to/includes/osc_sec.php on line 245

Notice: Undefined variable: _SESSION in /path_to/includes/osc_sec.php on line 397


Are you running this on a test server? Generally the production servers have error notices disabled.

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:50) in /path_to/osc_sec.php on line 404

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /path_to/includes/osc_sec.php:50) in /path_to/includes/functions/sessions.php on line 102


These will probably disappear once you set the htaccess to writable.

Finally, I get the following errors when I access the website/admin page
Notice: Undefined variable: getHexvars in /path_to/includes/osc_sec.php on line 245

Notice: Undefined variable: _SESSION in /path_to/includes/osc_sec.php on line 397

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:50) in /path_to/includes/osc_sec.php on line 404

Notice: Constant SESSION_FORCE_COOKIE_USE already defined in /path_to/admin/includes/application_top.php on line 85

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /path_to/includes/osc_sec.php:50) in /path_to/admin/includes/functions/sessions.php on line 102

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:50) in /path_to/admin/includes/functions/general.php on line 22


Most of those will disappear once you correct the htaccess issue.

Let me know if there are any errors left after you have corrected those.

If you cannot change the server settings for error notices then add this line to osC_Sec.php

At the top find:
$currentVersion = "2.5.[r3]";

In the line above it add the following:
error_reporting(6135);

Edited by Jan Zonjee, 30 May 2011 - 10:59.


#108   SimonLG

SimonLG
  • Members
  • 9 posts
  • Real Name:Simon

Posted 29 May 2011 - 11:56

Wow, thanks for the quick reply.

I changed the code so that the errors were appearing on the screen, this is something that I was toggling on/off to see what was happening.

I am actually in the process of restoring the files back to before I started to change everything because there seems to be some problems with the code now. Once I have done that I will try installing it all again and I will let you know if I have any issues,

Thanks

Simon

#109   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 29 May 2011 - 12:06

Generally error notices are not something that affects the way the site runs. If you would rather not add the error code above, which will turn off notices, then try this way.

In the line under:
$oscsec_ipPass = 1;

Add:
$getHexvars = "";

That way you can still toggle error notices off and on.

Edited by Taipo, 29 May 2011 - 12:06.


#110   SimonLG

SimonLG
  • Members
  • 9 posts
  • Real Name:Simon

Posted 29 May 2011 - 13:33

Hi,

Unfortunately this has not worked. I have updated the .htaccess file to permission 644 and then 666 with no luck. I still get the error message.

When I installed the addon, I had to modify the installation process slightly. Firstly I was getting an error that the code couldn't access something at httpdocsincludes/osc_sec.php. I had to change the line "require(DIR_FS_CATALOG . 'includes/osc_sec.php');" in the includes directory version of the application_top.php to "require(DIR_FS_CATALOG . '/includes/osc_sec.php');"

I then got an error in the includes/osc_sec.php file. I had to change line 15 from " include(DIR_FS_CATALOG . 'includes/osc.php');" to "include(DIR_FS_CATALOG . '/includes/osc.php');"

I don't know if they are in any way significant, but I am at a loss. Let me know if you can think of anything.

The only other thing that I might mention is, for the line of code that I need to replace (as per your install instructions), in the includes version of that file, the following code appears under the comment
// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

if ($request_type == 'NONSSL') {
define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);

When I changed it, I set it to:
// set php_self in the local scope
// if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

// set php_self in the local scope
if ( empty( $PHP_SELF ) ) $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );


if ($request_type == 'NONSSL') {
define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}

I am assuming that this is correct.

Thanks

Simon

#111   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 29 May 2011 - 13:47

Hi,

Unfortunately this has not worked. I have updated the .htaccess file to permission 644 and then 666 with no luck. i still get the error message.

When I installed the addon, I had to modify the installation process slightly. Firstly I was getting an error that the code couldn't access something at httpdocsincludes/osc_sec.php. I had to change the line "require(DIR_FS_CATALOG . 'includes/osc_sec.php');" in the includes directory version of the application_top.php to "require(DIR_FS_CATALOG . '/includes/osc_sec.php');"

I then got an error in the includes/osc_sec.php file. I had to change line 15 from " include(DIR_FS_CATALOG . 'includes/osc.php');" to "include(DIR_FS_CATALOG . '/includes/osc.php');"


The easiest fix for this is to replace the require statement with the direct path to osc_sec.php.

Use this example instead:

require('/home/youruser/public_html/includes/osc_sec.php');

Replacing the path (/home/....) above with the actual path to the osc_sec file in the includes directory. Place this code in both application_top.php files replacing the one you have used already.

Also in osc.php replace the following also with the entire path

$htaccessfile = DIR_FS_CATALOG . ".htaccess";

with:

$htaccessfile = "/home/youruser/public_html/.htaccess";

and replace:

$ipTrappedURL = DIR_FS_CATALOG . "banned/IP_Trapped.txt";

with:

$ipTrappedURL = "/home/youruser/public_html/banned/IP_Trapped.txt";

(replacing the path above with your own site path).

The only other thing that I might mention is, for the line of code that I need to replace (as per your install instructions), in the includes version of that file, the following code appears under the comment
// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

if ($request_type == 'NONSSL') {
define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);

When I changed it, I set it to:
// set php_self in the local scope
// if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

// set php_self in the local scope
if ( empty( $PHP_SELF ) ) $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );


if ($request_type == 'NONSSL') {
define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}

I am assuming that this is correct.


That is correct.

Edited by Taipo, 29 May 2011 - 13:49.


#112   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 29 May 2011 - 13:53

After a quick rethink: the issue is that in your configure files there is a forward slash missing in the DIR_FS_CATALOG setting. So ignore all that above for now and try adding a trailing slash to DIR_FS_CATALOG.

Example: (includes/configure.php)

change:
define('DIR_FS_CATALOG', '/home/yourusername/public_html/catalog');

to:
define('DIR_FS_CATALOG', '/home/yourusername/public_html/catalog/');

and see if that does not cause more problems than it fixes.
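
Posts #107, #111 and #112 trace the warnings to three install details: DIR_FS_CATALOG missing its trailing slash (so DIR_FS_CATALOG . 'includes/osc_sec.php' becomes .../catalogincludes/osc_sec.php), the catalog-root .htaccess not being writable, and osC_Sec echoing its warning banner at line 50 before session_start() runs, which is why PHP then reports "headers already sent". The following is an added example written for this page, not osC_Sec's own code: a startup self-check that tests those conditions and reports through error_log() and a return value instead of echoing, so it can safely run ahead of session_start(). The function names and the paths in the usage are assumptions. For context, the error_reporting(6135) suggested earlier is E_ALL & ~E_NOTICE on the PHP 5.2 builds of the time (where E_ALL was 6143): it hides notices such as the undefined $getHexvars but leaves warnings like the headers-already-sent one visible.

```php
<?php
// Added example, not osC_Sec's own code. A startup self-check for the install
// problems traced in this thread, reporting via error_log() and a return value
// instead of echoing, so it can run before session_start(). The function names
// and the paths in the usage are assumptions.

function oscsec_install_check($catalogDir, $htaccessFile, $trapFile) {
    $problems = array();

    // DIR_FS_CATALOG without a trailing slash makes
    // DIR_FS_CATALOG . 'includes/osc_sec.php' resolve to
    // ".../catalogincludes/osc_sec.php", the path seen in the error above.
    if (substr($catalogDir, -1) !== '/') {
        $problems[] = "DIR_FS_CATALOG '$catalogDir' has no trailing slash";
    }
    if (!is_dir($catalogDir)) {
        $problems[] = "DIR_FS_CATALOG '$catalogDir' is not a directory";
    }

    // The .htaccess osC_Sec updates is the one in the catalog root; the web
    // server process must be able to write it (644 if it owns the file, 666
    // otherwise, as suggested above).
    if (!file_exists($htaccessFile)) {
        $problems[] = "$htaccessFile does not exist";
    } elseif (!is_writable($htaccessFile)) {
        $problems[] = "$htaccessFile is not writable by the web server process";
    }

    // The banned-IP list needs a writable directory or trapped IPs are never recorded.
    if (!is_writable(dirname($trapFile))) {
        $problems[] = dirname($trapFile) . " is not writable, trapped IPs cannot be recorded";
    }

    foreach ($problems as $problem) {
        // Goes to the PHP/Apache error log, not into the HTTP response body.
        error_log("osC_Sec install check: $problem");
    }
    return $problems;
}

// Only start the session if nothing has been sent yet; otherwise record where
// the stray output began (the file:line PHP reports in "headers already sent").
function safe_session_start() {
    $file = null;
    $line = null;
    if (headers_sent($file, $line)) {
        error_log("session_start() skipped: output already started at $file:$line");
        return false;
    }
    return session_start();
}

// Usage with the layout from the thread (constructed paths).
$catalog = '/home/youruser/public_html/catalog/';
$report  = oscsec_install_check($catalog, $catalog . '.htaccess', $catalog . 'banned/IP_Trapped.txt');
if (count($report) === 0) {
    safe_session_start();
}
```

Because nothing is echoed, the check can sit at the very top of application_top.php without producing the cascade of "Cannot modify header information" and "Cannot send session cache limiter" warnings; the findings go to the server's error log where an administrator looks for them, and a non-empty return value lets the including script decide whether to continue.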

#113   SimonLG

SimonLG
  • Members
  • 9 posts
  • Real Name:Simon

Posted 29 May 2011 - 14:32

Hi Taipo,

I changed the files as per the post about setting the full path, and the site is still returning errors (actually warnings rather than errors).

Then I noticed your last post so I reversed the changes I made and changed the DIR_FS_CATALOG and tried again. The same warnings appeared (with the error logging showing on the screen).

Here are the warnings. The site is working ok, so my question is, do these warnings indicate a problem with the addon not working? If it is working then I am happy to ignore the warnings.

Website

Notice: Undefined variable: _SESSION in /path_to/includes/osc_sec.php on line 400

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:400) in /path_to/includes/osc_sec.php on line 407

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /path_to/includes/osc_sec.php:400) in /path_to/includes/functions/sessions.php on line 102


Admin back end

Notice: Undefined variable: _SESSION in /path_to/includes/osc_sec.php on line 400

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:400) in /path_to/includes/osc_sec.php on line 407

Notice: Constant SESSION_FORCE_COOKIE_USE already defined in /path_to/admin/includes/application_top.php on line 86

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /path_to/includes/osc_sec.php:400) in /path_to/admin/includes/functions/sessions.php on line 102

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:400) in /path_to/admin/includes/functions/general.php on line 22

Edited by Jan Zonjee, 30 May 2011 - 10:56.


#114   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 29 May 2011 - 21:17

Since correcting the 'DIR_WS_CATALOG' in configure.php files in both includes directories seems to have fixed the other issues (these are different warnings), it is probably a good idea at this point to upload a fresh copy of osC_Sec to your server.

#115   SimonLG

SimonLG
  • Members
  • 9 posts
  • Real Name:Simon

Posted 30 May 2011 - 10:22

Heya Taipo,

I have reuploaded the files but the error messages still appear.

Thanks

Simon

#116   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 30 May 2011 - 10:37

If you are still getting the error notices then add this to osc_sec.php

Find:
$currentVersion = "2.5.[r3]";

on the next line add
error_reporting(6135);

That will leave the session errors.

In osc.php find
$testExpiredCookie = 1;

change this to
$testExpiredCookie = 0;

Let me know what errors are left after that.

#117   SimonLG

SimonLG
  • Members
  • 9 posts
  • Real Name:Simon

Posted 30 May 2011 - 10:49

Heya,

No errors appearing now.

Does that mean that it is working correctly, or does it just mean that we have hidden the errors?

Thanks

Simon

#118   mauriziomagnino

mauriziomagnino
  • Members
  • 11 posts
  • Real Name:maurizio magnino
  • Gender:Male
  • Location:Italy

Posted 30 May 2011 - 11:15

All ok.
This contrib is fantastic!

Edited by mauriziomagnino, 30 May 2011 - 11:24.


#119   Taipo

Taipo
  • Members
  • 794 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 30 May 2011 - 11:41

Heya,

No errors appearing now.

Does that mean that it is working correctly, or does it just mean that we have hidden the errors?

Thanks

Simon


As I explained earlier the notices are not errors to be concerned about and in the properly configured production server they would be disabled by default. The expired cookie test is a tripwire I added in to catch out spam bots. It is clashing with some other code in your website so it is best disabled. It is not critical to the operation of osC_Sec which is why it is an optional component that can be switched off.

#120   SimonLG

SimonLG
  • Members
  • 9 posts
  • Real Name:Simon

Posted 30 May 2011 - 11:55

As I explained earlier the notices are not errors to be concerned about and in the properly configured production server they would be disabled by default. The expired cookie test is a tripwire I added in to catch out spam bots. It is clashing with some other code in your website so it is best disabled. It is not critical to the operation of osC_Sec which is why it is an optional component that can be switched off.



In that case, I am a happy man.

Thank you so much for your help!

Simon