506 replies to this topic

[Taipo]

Revert to the next older version for now, I will have a look at this tonight when I get a chance and put out an update shortly after.

[Taipo]

Ive made a few minor alterations below
http://pastebin.com/uQH30z6v

Copy the RAW Paste Data from that link into your osc_sec.php file and let me know if that sorts the issue.

[Taipo]

osC_Sec 5.0.8
Whats New?
- Fixed a bug in the getshield() function which could allow for partial filter bypassing
- Recoded the getRealIP() to work more efficiently
- Fixed time outs issues caused by code changes in 5.0.6

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.
Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/8283

[DogFoodIT]

Taipo, I love this security contib you have worked with its fantastic, just of late i have noticed a little issue with a site that i have setup. i have been using the old Credit card payment module with OSC2.2 i have noticed that it blocks me when i get an error from that module. eg:

i don't put in the correct card number it shouls throw an error! when it does i get blocked (IPTrap). if i enter the details correctly it will proceed through the order.

this is what i have been sent in the email.

This IP [ 220.245.75.138 ] has been IP Trap banned on the site.com website by osC_Sec.php version 5.0.8
REASON FOR BAN: osC_Sec detected a base64 encoded blacklisted query_string value: £'.
Time of ban: Fri, 25 May 2012 04:45:41
.------------[ ALL $_GET VARIABLES ]-------------
#
# - payment_error = cc
# - error = The first four digits of the number entered are: . If that number is correct, we do not accept that type of credit card. If it is wrong, please try again.
# - cc_owner = Jack Nicolsen - Employee
# - cc_expires_month = 02
# - cc_expires_year = 13
#
`--------------------------------------------------------
.---------[ ALL $_POST FORM VARIABLES ]-------
#
# - No POST form data
#
`--------------------------------------------------------
.------------[ $_SERVER VARIABLES ]--------------
#
# - DOCUMENT_ROOT = /home/catfood/public_html
# - GATEWAY_INTERFACE = CGI/1.1
# - HTTPS = on
# - HTTP_ACCEPT = text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# - HTTP_ACCEPT_CHARSET = ISO-8859-1,utf-8;q=0.7,*;q=0.3
# - HTTP_ACCEPT_ENCODING = gzip,deflate,sdch
# - HTTP_ACCEPT_LANGUAGE = en-US,en;q=0.8
# - HTTP_CACHE_CONTROL = max-age=0
# - HTTP_CONNECTION = keep-alive
# - HTTP_COOKIE = __utma=7699744.1440227245.1288772200.1288772200.1291197083.2; osCsid=23d75122ee251e63cc45161d76af15b6; cookie_test=please_accept_for_session
# - HTTP_HOST = site.com
# - HTTP_REFERER = https://site.com/checkout_confirmation.php
# - HTTP_USER_AGENT = Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
# - PATH = /bin:/usr/bin
# - QUERY_STRING = payment_error=cc&error=The+first+four+digits+of+the+number+entered+are%3A+.+If+that+number+is+correct%2C+we+do+not+accept+that+type+of+credit+card.+If+it+is+wrong%2C+please+try+again.&cc_owner=Jack+Nicolsen+-+Employee&cc_expires_month=02&cc_expires_year=13
# - REDIRECT_STATUS = 200
# - REMOTE_ADDR = 220.245.75.138
# - REMOTE_PORT = 19173
# - REQUEST_METHOD = GET
# - REQUEST_URI = /checkout_confirmation.php?payment_error=cc&error=The+first+four+digits+of+the+number+entered+are%3A+.+If+that+number+is+correct%2C+we+do+not+accept+that+type+of+credit+card.+If+it+is+wrong%2C+please+try+again.&cc_owner=Jack+Nicolsen+-+Employee&cc_expires_month=02&cc_expires_year=13
# - SCRIPT_FILENAME = /path_to/checkout_confirmation.php
# - SCRIPT_NAME = /checkout_confirmation.php
# - SERVER_ADDR = 202.191.62.46
# - SERVER_ADMIN = webmaster@[member='site'].com
# - SERVER_NAME = site.com
# - SERVER_PORT = 443
# - SERVER_PROTOCOL = HTTP/1.1
# - SERVER_SIGNATURE = <address>Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at site.com Port 443</address>
# - SERVER_SOFTWARE = Apache/2.2.22 (Unix) mod_ssl/2.2.22 OpenSSL/0.9.8e-fips-rhel5 DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
# - UNIQUE_ID = T78Odcq-PicABrqoW2sAAAAv
# - PHP_SELF = /checkout_confirmation.php
# - REQUEST_TIME = 1337921141
# - 0 = payment_error=cc&amp;error=The
# - 1 = first
# - 2 = four
# - 3 = digits
# - 4 = of
# - 5 = the
# - 6 = number
# - 7 = entered
# - 8 = are%3A
# - 9 = .
# - 10 = If
# - 11 = that
# - 12 = number
# - 13 = is
# - 14 = correct%2C
# - 15 = we
# - 16 = do
# - 17 = not
# - 18 = accept
# - 19 = that
# - 20 = type
# - 21 = of
# - 22 = credit
# - 23 = card.
# - 24 = If
# - 25 = it
# - 26 = is
# - 27 = wrong%2C
# - 28 = please
# - 29 = try
# - 30 = again.&amp;cc_owner=Jack
# - 31 = Nicolsen
# - 32 = -
# - 33 = Employee&amp;cc_expires_month=02&amp;cc_expires_year=13
# - argc = 34
# - $PHP_SELF filename ( osC_Sec ) = checkout_confirmation.php
#
`--------------------------------------------------------
OTHER INFO
is htaccess writeable =
Resolve IP address: http://en.utrace.de/?query=220.245.75.138
Search Project Honeypot: http://www.projecthoneypot.org/ip_220.245.75.138
This email was generated by osC_Sec. To disable email notifications, open osc.php file, and in the Settings section change $emailenabled = 1 to $emailenabled = 0
Keep up with the latest version of osC_Sec.php at http://addons.oscommerce.com/info/8283 and http://goo.gl/dQ3jH
Email rohepotae [at] gmail dot com with any suggestions.

i have even tried back to version 5.04 and still get blocked. any help would be appreciated.

Edited by Jan Zonjee, 15 August 2012 - 05:54 AM.

[MrPhil]

Ben, if you're using the old 2.2 osC cc module, you'd better be fully PCI-DSS compliant. If you ain't, and there's a security problem, you are toast. The cc module was intended only as an example or template of credit card processing, and was removed from 2.3.1 because it was so insecure, yet stores were actually using it in production.

[Peper]

Hi Taipo,

Need some help, we moved to a new fasta server today but unable to display the catalog side - only shows up HTTP 403 Forbidden in tab name with blank page
If addon is disabled will give no errors

I played around with the older versions and found last years version of 5.0.0 is loading up pages atleast for now

Seems to be perhaps the IP checking part though but not even too sure

Any help please
Is there a debug mode or so?

[MrPhil]

"fasta"? A couple of things to check:
1. Turn off "mod security" if it's on. That may be seeing certain strings in your URLs or POST data and thinks it's a hack attempt.
2. Check ownership of your directories and files, and permissions should be 755 for directories and 644 for files (444 for configure.php).

[Peper]

MrPhil, on 27 May 2012 - 05:07 PM, said:

"fasta"? A couple of things to check:
1. Turn off "mod security" if it's on. That may be seeing certain strings in your URLs or POST data and thinks it's a hack attempt.
2. Check ownership of your directories and files, and permissions should be 755 for directories and 644 for files (444 for configure.php).

All above is correctly setup on server

Took me now a while to find how customers is getting errors
For one thing is they are using mobile devices - confirmed using blackberry and all the errors pops up from oscsec
Still also unable to figure out why 404 blank page is served by osc_sec using latest version

Anyone run into simillar errors?

[geoffreywalton]

Has anyone seen this error message

[07-Aug-2012 01:41:01] PHP Warning:  strpos() [<a href='function.strpos'>function.strpos</a>]: Empty delimiter in /home3
/xxxxxxxxx1/public_html/sites/yyyyyyyyyy/includes/osc_sec.php on line 671

Which in turn sends this in the job email

Status: 302 Moved Temporarily
Location: http://www.zzzzzzzzzzzzzz.co.uk/blocked.php
Content-type: text/html

I am trying to run cron job

/ramdisk/bin/php5 /home3/xxxxxxxxxxxx/public_html/sites/yyyyyyyyyyyy/googlesitemap/index.php

Running it manually does not generate an entry in the error log

Thanks

G

@Taipo

Edited by geoffreywalton, 07 August 2012 - 08:22 AM.

[callenords]

I receive many visitors from Google Ads (display network) and I've noticed that many of these visitors are banned when they enter my site with the reason:

REASON FOR BAN: osC_Sec base64 encoded blacklist query_string value is banned:  0.

Is this a bug or perhaps I need to disabled the query_string check? I have been using version 5.0.1a but I just updated to 5.0.8 - not sure if it will help.

Thanks.

[callenords]

callenords, on 07 August 2012 - 11:56 AM, said:

I receive many visitors from Google Ads (display network) and I've noticed that many of these visitors are banned when they enter my site with the reason:

REASON FOR BAN: osC_Sec base64 encoded blacklist query_string value is banned:  0.

Is this a bug or perhaps I need to disabled the query_string check? I have been using version 5.0.1a but I just updated to 5.0.8 - not sure if it will help.

Thanks.

The solution: Find and remove (line 428 in osc_sec.php): "%000",

If you are using Google Adwords ads, the code above triggers the security system for some of your paid visitors (Google Adwords ads a "?gclid=XXXXXXXXX" parameter that in some cases triggers the security system).

I hope removing the code above is ok?

[modem2.0]

I moved to a new host, and now I can't upload files with Osc_Sec active. The upload is made to /tmp/ folder, which I don't have rights to write into due to security reasons. I have the following error:

Warning: move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/tmp/phpC6BR9N) is not within the allowed path(s): (/home/myDomain/public_html/) in /home/myDomain/public_html/admin/includes/classes/upload.php on line 86

When I disable this contrib the upload is done, so there is some kind of an incompatibility between this addon and my servers security.

[Roaddoctor]

callenords, on 07 August 2012 - 11:56 AM, said:

I receive many visitors from Google Ads (display network) and I've noticed that many of these visitors are banned when they enter my site with the reason:

REASON FOR BAN: osC_Sec base64 encoded blacklist query_string value is banned:  0.

Is this a bug or perhaps I need to disabled the query_string check? I have been using version 5.0.1a but I just updated to 5.0.8 - not sure if it will help.

Thanks.

callenords, on 14 August 2012 - 08:12 AM, said:

The solution: Find and remove (line 428 in osc_sec.php): "%000",

If you are using Google Adwords ads, the code above triggers the security system for some of your paid visitors (Google Adwords ads a "?gclid=XXXXXXXXX" parameter that in some cases triggers the security system).

I hope removing the code above is ok?

Taipo - I too have seen the same lately - is the proposed delete of "%000" proper?

Anyone else done this?

@Taipo

Edited by Roaddoctor, 03 January 2013 - 07:17 PM.

[EricK]

This fixed my error using Google AdWords, see post #491

The solution: Find and remove (in line 428 of osc_sec.php): "%000",

If you are using Google Adwords ads, the code above triggers the security system for paid visitors (Google Adwords ads a "?gclid=XXXXXXXXX" parameter).

[nico.verduin]

No doubt I am doing something worng but this is the case:
My site is  blocked as It was submitting spam mail through the "Tell a Friend" option.
a) I installed osc_sec 5.0.8 exactly as instructed
now both the catalog and the admin sites just give a blank screen on startup
c) if I remove the require_once statement, it works again.

I am using osccommerce 2.2 (I think, 2008 version)

Can anybody tell me what I am doing wrong?

Regards
Nico

Edited by nico.verduin, 11 February 2013 - 02:12 PM.

[Roaddoctor]

nico.verduin, on 11 February 2013 - 02:05 PM, said:

No doubt I am doing something worng but this is the case:
My site is  blocked as It was submitting spam mail through the "Tell a Friend" option.
a) I installed osc_sec 5.0.8 exactly as instructed
now both the catalog and the admin sites just give a blank screen on startup
c) if I remove the require_once statement, it works again.

I am using osccommerce 2.2 (I think, 2008 version)

Can anybody tell me what I am doing wrong?

Regards
Nico

Check your htaccess file and make sure you have not banned yourself. If so, delete your ip from htaccess and you should be back

[MrPhil]

Quote

now both the catalog and the admin sites just give a blank screen on startup

The White Screen of Death (WSOD) is usually a sign of a fatal PHP syntax error. Double check your coding. Look in your site error log and for any error_log files scattered about your site directories -- maybe they'll give a hint of what went wrong. If removing the require_once statement fixes the WSOD, then either you have a syntax error in the require_once statement, or some code in whatever it's requiring is bad.

Feel free to show here (in [ code ] tags) the offending require_once statement, and five or so lines before and after it. At least we can rule out that one statement...

[Taipo]

Apologies for the extended hiatus, back now and will be working on an updated version of osC_Sec.

[Mort-lemur]

Taipo, on 16 March 2013 - 01:15 AM, said:

Apologies for the extended hiatus, back now and will be working on an updated version of osC_Sec.

Welcome back Taipo

[jamo32]

What is the easy way to test that osc_sec is working , if it is an url test what should be the resulting info on the page.

Many thanks