Oscommerce Security - Osc_Sec.php
#461
Posted 11 April 2012 - 09:07 PM
Thanks,
EricK
[11-Apr-2012 14:55:44] PHP Warning: file() [<a href='function.file'>function.file</a>]: Filename cannot be empty in /home/<user>/public_html/includes/osc_sec.php on line 636
[11-Apr-2012 14:55:44] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/<user>/public_html/includes/osc_sec.php:636) in /home/<user>/public_html/includes/functions/sessions.php on line 101
[11-Apr-2012 14:55:44] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/<user>/public_html/includes/osc_sec.php:636) in /home/<user>/public_html/includes/functions/sessions.php on line 101
[11-Apr-2012 14:55:44] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/<user>/public_html/includes/osc_sec.php:636) in Unknown on line 0
#462
Posted 11 April 2012 - 10:19 PM
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Ignore this link - just a honeypot site to test my ideas out for osC_Sec and allow the site to be picked up by attackers.
- Fix the admin login bypass exploit here
- Aegis Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
#463
Posted 12 April 2012 - 01:11 AM
What's New?
- Fixed issues causing conflicts with some addons concerning the postShield() function
- Fixed issues causing conflicts with some addons concerning the ipTrap function
New Install instructions: see the readme.htm, as per usual, all updates contain the complete package
Updating: Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.
Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com
Download from: http://addons.oscommerce.com/info/8283
#464
Posted 17 April 2012 - 09:50 PM
I was receiving no emails from osC_Sec to help me nail it, despite the fact that it is enabled.
I was able to see the xml file in my browser just fine. To be able to supply them with the feed, I have to keep the osC_Sec disabled at the moment. Any idea please?
#465
Posted 18 April 2012 - 12:30 AM
#466
Posted 01 May 2012 - 07:13 AM
Does osc_sec stop 2 question marks being included in the URL?
Google is trying to see this page *************.php?product_info.php?cPath************
But it is finding ***********.phpproduct_info.php?cPath************
EDIT, Taipo, thinking about it, I don't think osc_sec has anything to do with the problem because I can type in the ? and the page opens.
I'll open a new thread
Edited by RMD27, 01 May 2012 - 07:26 AM.
#467
Posted 03 May 2012 - 11:04 AM
Upgraded to the latest version and have found that a few genuine customers are being IP Trap banned with the following as reason for the ban:
osC_Sec blacklist hex encoded query_string value is banned: %%.
What is this checking for, or what could be causing it?
Many Thanks
If you want to see the mods I have installed, then see my profile.
#468
Posted 04 May 2012 - 09:12 PM
RMD27, on 01 May 2012 - 07:13 AM, said:
Does osc_sec stop 2 question marks being included in the URL?
Google is trying to see this page *************.php?product_info.php?cPath************
But it is finding ***********.phpproduct_info.php?cPath************
EDIT, Taipo, thinking about it, I don't think osc_sec has anything to do with the problem because I can type in the ? and the page opens.
I'll open a new thread
Perhaps it may be linked to Security Pro as that does rewrite the $_GET global.
#469
Posted 04 May 2012 - 09:14 PM
Mort-lemur, on 03 May 2012 - 11:04 AM, said:
Upgraded to the latest version and have found that a few genuine customers are being IP Trap banned with the following as reason for the ban:
osC_Sec blacklist hex encoded query_string value is banned: %%.
What is this checking for, or what could be causing it?
Many Thanks
Can you PM me the entire email notification please.
#470
Posted 05 May 2012 - 11:26 AM
Sent you the email text by pm.
The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP trap's trapped.txt file daily just in case.
Thanks
#471
Posted 05 May 2012 - 01:33 PM
Okay, I looked into this issue again because I was not able to access the modules box in the admin.
I completely removed the .htaccess hardening code that you wrote, and I can access the modules box and, as a bonus, the translate also works now!
My question now, if you have time: do you think you could see what's up with the .htaccess? I was looking at incidences of & and = but I see they are featured a lot in the .htaccess file, so I can't work out what's what.
#472
Posted 05 May 2012 - 01:38 PM
RMD27, on 05 May 2012 - 01:33 PM, said:
Okay, I looked into this issue again because I was not able to access the modules box in the admin.
I completely removed the .htaccess hardening code that you wrote, and I can access the modules box and, as a bonus, the translate also works now!
My question now, if you have time: do you think you could see what's up with the .htaccess? I was looking at incidences of & and = but I see they are featured a lot in the .htaccess file, so I can't work out what's what.
Actually, scratch that, the translation works now regardless of the .htaccess; it's just the modules box that is affected by the .htaccess.
#473
Posted 05 May 2012 - 02:21 PM
Mort-lemur, on 05 May 2012 - 11:26 AM, said:
Sent you the email text by pm.
The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP trap's trapped.txt file daily just in case.
Thanks
osc_sec creates a trapped.txt file? If so, where would I find it?
Edited by RMD27, 05 May 2012 - 02:21 PM.
#474
Posted 05 May 2012 - 04:28 PM
You can select OSC SEC to ban IPs by either .htaccess or by using the IP Trap, as I have done.
#475
Posted 06 May 2012 - 07:09 PM
Mort-lemur, on 05 May 2012 - 11:26 AM, said:
Sent you the email text by pm.
The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP trap's trapped.txt file daily just in case.
Thanks
Try the latest update Heather
http://addons.oscommerce.com/info/8283
#476
Posted 06 May 2012 - 07:59 PM
Thanks Taipo - Just uploaded the latest version and will let you know how it goes.
Many Thanks
#477
Posted 08 May 2012 - 09:38 AM
Hi Again Taipo,
Installed the latest version and would just comment on the following:
When I first accessed my admin this morning and clicked on one of the customers in "Who's Online" to see what they had in their basket, I was banned from the site and added to the IP trap.
This happened around 4 times and then I was able to access without problem.
Again I received emails from OSC SEC stating that the hex filtering had banned me.
I can send you the email text again if you like.
Many Thanks
#478
Posted 08 May 2012 - 07:20 PM
#479
Posted 15 May 2012 - 09:55 AM
I installed the latest version of osc_sec
Now I cannot access my site anymore, both admin and “live”
At first, it also generated problems in logoff.php
Fatal error: Maximum execution time of 30 seconds exceeded in /home/admin/domains/gewoongezond.be/public_html/includes/osc_sec.php on line 590
Any ideas?
Michiel Lap
#480
Posted 15 May 2012 - 09:29 PM
gewoon09, on 15 May 2012 - 09:55 AM, said:
I installed the latest version of osc_sec
Now I cannot access my site anymore, both admin and “live”
At first, it also generated problems in logoff.php
Fatal error: Maximum execution time of 30 seconds exceeded in /home/admin/domains/gewoongezond.be/public_html/includes/osc_sec.php on line 590
Any ideas?
Michiel Lap
Same type of issue here, I have just updated 5 sites.
osc v2.2: 1 works OK, the other won't load.
osc v2.3.1: 2 work, 1 will not load - 3 identical sites/code, also all on the same server.