506 replies to this topic

[Taipo]

osC_Sec 4.1[r9]

Whats New?

Finally got around to developing out the check_ip() and getRealIP() functions.
- check_ip() can now test the format of both IPv4 and IPv6 ip addresses.
- getRealIP() has been modified to better handle proxy servers

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: just replace the osc_sec.php in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

[altoid]

Hi there, osc_sec generated a different type of ban that I've seen before and I was wondering if you would explain what the reason for the ban means and it's importance

Here's the first part of the notification:


This IP [ xx.xxx.xxx.xx ] has been htaccess banned on the "myshop.com" website by osC_Sec.php version 4.1[r9]

REASON FOR BAN: osC_Sec Array listed item is banned: %0d%0a.

Time of ban: Thu, 01 Dec 2011 13:21:48

.------------[ ALL Array VARIABLES ]------------- # # - products_id = 485 #
`--------------------------------------------------------

.---------[ ALL Array FORM VARIABLES ]------- # # - No POST form data #

thank you..

Edited by altoid, 01 December 2011 - 08:44 PM.

[geoffreywalton]

Why would you want a url with \r\n in it?

G

[altoid]

geoffreywalton, on 01 December 2011 - 09:20 PM, said:

Why would you want a url with \r\n in it?

G

if you mean from my post, the there isn't anything like that.

its something like this:

"http://www.myshop.com/my-listed-product--c-66_99.html"

[geoffreywalton]

no, someone tried to accees your site with 0d0a in the url.

Why?

I don't know but this contribution doesn't like it.

Hope that makes sese.

G

[altoid]

geoffreywalton, on 01 December 2011 - 10:26 PM, said:

no, someone tried to accees your site with 0d0a in the url.

Why?

I don't know but this contribution doesn't like it.

Hope that makes sese.

G

That's what I was wondering about. Hope Taipo can offer something.   I'll take a look at the logs too and see what I can find.

Thanks

[altoid]

If I am reading the log correctly, it looks like it was a Bing search that brought the IP to my site, then this line looks like the 403 part that resulted in the ban

xx.xxx.xxx.xx - - [01/Dec/2011:13:21:48 -0500] "GET /my-product-p-485.html HTTP/1.1" 403 20 "http://www.myshop.com/my-product-c-66_99.html" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

[Taipo]

I can see there is an issue with the way the emails are formatted, I will fix that in the next release.

As Geoffrey stated,

%0d%0a

has no place in a request_uri and if it is resident then that is often a sign that someone is running a security vulnerability scan of your site. Tools like Havij and Acunetix are used by both security professionals and attackers alike, and these tools along with many others will as a part of their assessment, test query strings to see if they can generate database or php errors which in themselves can be signs of possible security vulnerabilities. Adding a line feed, return combination into a query string, on some web systems can result in a database or php error.

So the original idea was to ban the occurrence of that url encoded line feed code in order to put a stop to security scans, however in doing so in earlier versions of osC_Sec I noticed that there were too many false positive bans coming in so removed it from the getShield() blacklist in a later release.

It looks like I need to also remove it from the cookieshield blacklist as well, so will do so in the next update coming out shortly.

[Taipo]

osC_Sec 4.2

Whats New?

- Added additional checks in the getRealIP() function
- Fixed print issues with the email notification
- Removed an item from the cookieshield blacklist that could cause false positive results

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: just replace the osc_sec.php in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

[altoid]

Taipo and G thanks for responding.

I just installed Taipos latest version in my shops.  Thanks

[Taipo]

osC_Sec 4.2[r1]

Whats New?

- More updates to getRealIP() and check_ip() functions

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: just replace the osc_sec.php in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

[Taipo]

osC_Sec 4.2[r4]

Whats New?

# Removal of $osCSpamTrap from osC_Sec.
In order for $osCSpamTrap to work most effectively and securely it must be included further down the application_top.php page. Therefore I have decided to remove it from osC_Sec and will be releasing it shortly as a stand-alone addon.

# Fixed an error with the IP Trap code

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: Replace both the osc_sec.php and osc.php files in your website includes directory with the osc_sec.php and osc.php files in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

[dthomas_ceo]

Good Evening,

Just installed this add-on due to multiple hacks.  Started over from scratch.  I see that it's working, but now i'm having issues using my Admin Interface.  Can you give some guidance on how to temporarily disable Osc_Sec or provide a work around?

Thanks in advance,

Dedric [img]http://forums.oscommerce.com//public/style_emoticons/default/whistling.gif[/img])

[Taipo]

What problems are you specifically having with your admin area?

[FrostyFred]

I too am having problems in he admin area.

If I install the latest os sec and comment out the powered by line, as suggested eleswhere, it works for all my other admin options except configuration.

For this one I just get a blank screen.

comment out the code as below and it works fine

// some code to solve compatibility issues
  require(DIR_WS_FUNCTIONS . 'compatibility.php');
echo "<br>pre<br>";
//  require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );
echo "<br>post<br>";

version is

  define('PROJECT_VERSION', 'osCommerce 2.2-MS2');

Now to find out where it is having a sense of humour failure unless you know

[Taipo]

That is rather odd that the error is triggered by configuration.php calls. Can you pm me the contents of your admin/configuration.php file thanks.

[ctec2001]

Just set up the latest version of osc_Sec without issue. Thanks again for the help.

[altoid]

Taipo,  Jack has modified the Site Monitor add on significantly, and I believe that osc_sec -- Site Monitor issue is arising again.  After I uploaded Jack's latest, when I went to the configure part in Site Monitor, I got banned.  I have a work around by manually editing the file, but when I try to run the script that does it via php, it bans me.   So FYI on that.  Jack's latest is:  http://addons.oscommerce.com/info/4441
Thanks

[Taipo]

Ok I will take a look at it and pop out an update shortly.

[Taipo]

osC_Sec 4.2[r6]

Whats New?
- Cleanup of excess code and functions no longer used
- Removed ip bypass list from the oscSecBypass() function
- Further work on the getShield() function
- Update to instructions in readme.htm
- Faster HTTPS check
- osC_Sec's osc_sec.php can now work as a standalone file for users who have multiple websites and use the default settings
- Fixed an issue with Sitemonitor so that osC_Sec bypasses Sitemonitor files correctly

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: Replace the osc_sec.php file in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834