502 replies to this topic

[Taipo]

You can also try this as it could be associated with the way osC_Sec deals with post form data.

Find these two lines:

 
	  # check _POST variables against the blacklist
	  $this->postShield();

and replace with:

 
	  # check _POST variables against the blacklist
	  # $this->postShield();

Let me know if that helps

[modem2.0]

Hi Taipo,

I'm taking your advice on another topic and I'm now building a new shop with osCommerce 2.3.1. Should this contribution also be used with osCommerce 2.3.1?

Thanks!

[Taipo]

It is not needed due to the fact that there are no known security issues with 2.3.1, however it doesn't hurt to install it.

[altoid]

Taipo, if you could help out with an issue that apparently osc_sec is causing it would be appreciated.  

With one of the latest udpates, there apparently is an effect on an action on a page what Jack_MCS calls, "It is just a normal form update page" that effects that update in the adminstrative side of Header Tags SEO.  

Specifically, when you select a keyword that is displayed on a table on the page, and click the appropriate activator, the intended delete action doesn't occur.   I disable osc_sec in admin and the action then works.  Another user, tried rolling back a version or two of osc_sec and that corrected the issue for him as well.

I wish I could be more descriptive of the actual code that is effected, but I don't know the coding well enough to figure it out.  But it appears one of the last version or two of osc_sec is causing this.

Any hunches based on what I provided?  Thanks

[Taipo]

Try following the instructions at my previous post and let me know if that fixes the issue.

[altoid]

Taipo, on 10 March 2012 - 07:32 PM, said:

Try following the instructions at my previous post and let me know if that fixes the issue.

That was the issue.  After commmenting out as above,  the issue is resolved.  Thank you

[Taipo]

osC_Sec 5.0.2

Whats New?
- Fixed issues causing conflicts with some addons concerning the postShield() function

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/8283

[altoid]

Taipo, I downloaded the latest but the problem came back again, so I changed that line of code to
# $this->postShield();
and the issue is resolved again.
FYI

[ptt81]

hey Taipo,

I have the same problem with the new version, my checkout page still will not let me pass payment selection page and I changed # $this->postShield(); and it fixed the problem as well. Looks like everyone has problem with this function.

[Taipo]

Try this one PT, I have removed the postShield function for now.
http://pastebin.com/RELeMuXL

[ptt81]

Hey Taipo,

Thanks for that but Is this the same as me commented out the function # $this->postShield(); ? or is there anything new added?

[Taipo]

basically the same PT

[walkman]

Does this add on prevent "url injection"?  

This method was just flagged by my PCI scanning company. I previously installed code to prevent SQL injection in my input fields but didn't realize the SQL could be imbeded in the URL osCsid.

[Taipo]

@walkman

Yes osC_Sec prevents malicious url injections.

I have made a small change to osC_Sec for those using IP Trap in conjunction. Here is the update. Will release it officially in a day or so.

http://pastebin.com/uqDeDR0k

[mafiouso]

hello, i installed osC_Sec_5.0.2 seem everything was working ok,
i have one problem with paypal IPN (PayPal IPN v2.3.4.6)
the orders go through, the payment to, but does not return the status or paypal details to OSC.

please let me know if you can help. thanks.

[mr_absinthe]

Hello, I would like to install your latest version, but I've noticed that I've a changed code in both application_top.php files. I believe that this change is from here: http://forums.oscommerce.com/topic/348589-serious-hole-found-in-oscommerce/page__view__findpost__p__1467014, but would you be so kind as to have a look at it and tell me if replacing the following code could break something?

admin file:

// set php_self in the local scope
//  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
	/**
	* Reliably set PHP_SELF as a filename .. platform safe
	*/
	function setPhpSelf() {
	  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
	  foreach ( $base as $index => $key ) {
		if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
		  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
			preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
			if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
									  && ( substr( $matches[0], -4, 4 ) == '.php' )
									  && ( is_readable( $matches[0] ) ) ) {
			  return $matches[0];
			}
		  }
		}
	  }
	  return 'index.php';
	} // end method
  
	$PHP_SELF = setPhpSelf();

catalog file:

// set php_self in the local scope
//$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
	/**
	* Reliably set PHP_SELF as a filename .. platform safe
	*/
	function setPhpSelf() {
	  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
	  foreach ( $base as $index => $key ) {
		if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
		  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
			preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
			if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
									  && ( substr( $matches[0], -4, 4 ) == '.php' )
									  && ( is_readable( $matches[0] ) ) ) {
			  return $matches[0];
			}
		  }
		}
	  }
	  return 'index.php';
	} // end method
  
	$PHP_SELF = setPhpSelf();

[Taipo]

mafiouso, on 30 March 2012 - 04:08 AM, said:

hello, i installed osC_Sec_5.0.2 seem everything was working ok,
i have one problem with paypal IPN (PayPal IPN v2.3.4.6)
the orders go through, the payment to, but does not return the status or paypal details to OSC.

please let me know if you can help. thanks.

Unless I am mistaken I believe the callback from the Paypal server is a POST request. The latest version of osC_Sec as of http://pastebin.com/uqDeDR0k does not filter the POST variables at all so should not be interferring with the order callback.

[Taipo]

mr_absinthe, on 01 April 2012 - 08:10 AM, said:

Hello, I would like to install your latest version, but I've noticed that I've a changed code in both application_top.php files. I believe that this change is from here: http://forums.oscommerce.com/topic/348589-serious-hole-found-in-oscommerce/page__view__findpost__p__1467014, but would you be so kind as to have a look at it and tell me if replacing the following code could break something?

admin file:

// set php_self in the local scope
//  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
	/**
	* Reliably set PHP_SELF as a filename .. platform safe
	*/
	function setPhpSelf() {
	  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
	  foreach ( $base as $index => $key ) {
		if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
		  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
			preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
			if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
									  && ( substr( $matches[0], -4, 4 ) == '.php' )
									  && ( is_readable( $matches[0] ) ) ) {
			  return $matches[0];
			}
		  }
		}
	  }
	  return 'index.php';
	} // end method
  
	$PHP_SELF = setPhpSelf();

catalog file:

// set php_self in the local scope
//$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
	/**
	* Reliably set PHP_SELF as a filename .. platform safe
	*/
	function setPhpSelf() {
	  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
	  foreach ( $base as $index => $key ) {
		if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
		  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
			preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
			if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
									  && ( substr( $matches[0], -4, 4 ) == '.php' )
									  && ( is_readable( $matches[0] ) ) ) {
			  return $matches[0];
			}
		  }
		}
	  }
	  return 'index.php';
	} // end method
  
	$PHP_SELF = setPhpSelf();

They mostly do the same thing, but you would be best to change the code to the one in osC_Sec as that is the latest code supplied by the developers of osCommerce as part of the fix to that serious security issue.

[mafiouso]

Warning: require_once(/home/USER/public_html/shopping/ext/modules/payment/paypal_ipn/includes/osc_sec.php) [function.require-once]: failed to open stream: No such file or directory in /home/USER/public_html/shopping/includes/application_top.php on line 43

Fatal error: require_once() [function.require]: Failed opening required '/home/USER/public_html/shopping/ext/modules/payment/paypal_ipn/includes/osc_sec.php' (include_path='.:/usr/lib/php') in /home/USER/public_html/shopping/includes/application_top.php on line 43

line 43 is
require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

if i leave this on paypal ipn wont work?

can advice would be great.

thank you

Edited by mafiouso, 04 April 2012 - 01:03 PM.

[Taipo]

replace:

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

with:

 
require_once( '/home/youruser/public_html/includes/osc_sec.php' );

This is so that you can use the actual file path.

So replace '/home/user/public_html/includes/osc_sec.php' with the actual file path to osc_sec.php