Updated Security Thread


83 replies to this topic

#1   burt

burt

    Vanquisher of Demons

  • Community Team
  • 10,002 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 16 May 2011 - 11:45

The other security thread is good, but times have moved on. Here are my base suggestions (in no particular order) for securing an unhacked site:

1. Security Pro from FWR Media
2. OSC SEC from Taipo
3. Filesafe from FWR Media
4. Add htaccess to all public folders
5. Rename /admin/ and htpasswd it
6. Remove references to (newly renamed) admin area in outgoing emails
7. Add extra login parameter (JanZ)
8. Fix $PHP_SELF spoofability

Bad Conduct from Debs (undecided on this, I am still "road-testing" it).

I am not in favour of IP trapping, as most hackers don't use their own IP addresses.

If anyone has any extra thoughts on this, please post.

For securing a hacked site - exactly the same, but make sure that the hack is cleaned out first. This can be done by manually inspecting the files and removing any files or code that are not supposed to be there, or by re-installing from a known unhacked backup, or of course by starting from scratch with a brand new install of osCommerce.

Edited by burt, 16 May 2011 - 11:59.

IF YOU MAKE A POST REQUESTING HELP...please state the exact version of osCommerce that you are using. THANKS
 
Big Bang Templates for 2.3 osCommerce - 2.3.1 > 2.3.4 - Buy One, Get One Free
 
--
Making your osCommerce better, one module at a time - get in touch.

#2   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 16 May 2011 - 23:28

8. Fix $PHP_SELF spoofability

This is fixed in osC_Sec.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1BkbNA1tK3q7ZRkCJj6f1ELK2A152eEtoW

#3   Xpajun

Xpajun
  • Members
  • 1,310 posts
  • Real Name:Julian
  • Gender:Male
  • Location:UK

Posted 17 May 2011 - 18:51

Gary,

It would be nice if you added links to your above post - Add extra login parameter (JanZ) is what add-on / forum post for instance


Also, are you referring your post to 2.2, or are you including 2.3, and if the latter, which of your list does not apply to 2.3?

Edited by Xpajun, 17 May 2011 - 18:53.


#4   burt

burt

    Vanquisher of Demons

  • Community Team
  • 10,002 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 17 May 2011 - 19:44

I'll probably make it into a blog post in the coming days Juls.

#5   modelspecialist

modelspecialist
  • Members
  • 10 posts
  • Real Name:Steven

Posted 18 May 2011 - 11:07

6. Remove references to (newly renamed) admin area in outgoing emails


How do you do this?

#6   burt

burt

    Vanquisher of Demons

  • Community Team
  • 10,002 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 24 May 2011 - 10:48

I got 3/4 of the way through a more detailed update to this, then the laptop died :(

#7   burt

burt

    Vanquisher of Demons

  • Community Team
  • 10,002 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 24 May 2011 - 11:15

1. Security Pro from FWR Media {
2.3.1 and lower.
a. Addon
b. Support
}

2. OSC SEC from Taipo {
2.2rc2a and lower.
a. Addon
b. Support
}

3. Filesafe from FWR Media {
2.3.1 and lower
a. Addon
b. Support
Filesafe replaces "Site Monitor". Site Monitor is old and tired.
}

4. Add htaccess to all public folders {
2.2rc2a and lower
a. If you still run pre 2.3.1 cart, use the .htaccess files from a 2.3.1 installation.
Example: https://github.com/o...mages/.htaccess
}

5. Rename /admin/ and htpasswd it {
2.3.1 and lower
a. if your admin area is located at /admin/ change it now by renaming it to something randomly hard to guess, eg: /d9fne3ufvurjes%kep/
b. amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!)
}

6. Remove references to (newly renamed) admin area in outgoing emails {
2.3.1 and lower
a. renaming your admin area is great, but it is still possible to find out where it is, by placing an order, as outgoing emails contain the admin address. More.
}

7. Add extra login parameter (JanZ) {
2.3.1 and lower
a. link - scroll down to "admin/includes/application_top.php Line 146-151" and start reading.
}

8. Fix $PHP_SELF spoofability {
2.2rc2a and lower
a. Use the PHP_SELF line of code from 2.3.1
a1. Admin: https://github.com/o...ion_top.php#L38
a2. Catalog: https://github.com/o...ion_top.php#L47
b. Note that SOME contributions update PHP_SELF so you MIGHT not need to change this, example: FWR Media USU5.
b1. The Osc Sec module does not make changes to PHP_SELF, however, Taipo correctly advises in the installation instructions to change this.
}

More thoughts

i. IP Trapping - pointless. Any "hacker" worth more than a penny is not using his own IP address.

ii. Removal of File Manager - not needed. There never was a problem with this file, other than the fact it could be accessed through an insecure admin area. If you have renamed and secured your admin, no problem to leave it as is, if you want to. Personally I would still remove it as it mangles code when used.

iii. Bad Conduct Banning - I am road testing this. Will update the thread when I have some conclusions.

Edited by burt, 24 May 2011 - 11:16.

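
Added example for item 8 above; this is not osCommerce's own code and not from anyone in the thread. It contrasts the pre-2.3.1 way of taking $PHP_SELF straight from the request with the 2.3.1 approach of deriving it from SCRIPT_NAME. The DIR_WS_HTTP_CATALOG value, the function names and the $server array are assumptions/constructed input.

```php
<?php
// Added example, not osCommerce code. Pre-2.3.1 stores took $PHP_SELF from the
// request, where the web server includes any extra path the client appended
// after the script name, and that value is then echoed into links and form
// actions. 2.3.1 derives it from SCRIPT_NAME, which holds only the script that
// actually executed. Constant and function names are assumptions.

define('DIR_WS_HTTP_CATALOG', '/catalog/');

// Legacy behaviour: whatever path the client requested, extra path included.
function php_self_legacy(array $server) {
    return $server['PHP_SELF'];
}

// 2.3.1-style behaviour: the executed script's path with the catalog prefix
// stripped, so nothing the client appended can reach the page output.
function php_self_hardened(array $server) {
    $req = parse_url($server['SCRIPT_NAME']);
    return substr($req['path'], strlen(DIR_WS_HTTP_CATALOG));
}

// Constructed request: /catalog/index.php with client-chosen extra path appended.
$server = array(
    'SCRIPT_NAME' => '/catalog/index.php',
    'PHP_SELF'    => '/catalog/index.php/extra-path-chosen-by-the-client',
);

// In a 2.2 store the legacy value lands in generated HTML as-is; the hardened
// value can only ever be a script name from the catalog directory.
echo 'legacy:   ' . php_self_legacy($server) . "\n";
echo 'hardened: ' . php_self_hardened($server) . "\n";
```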

#8   modelspecialist

modelspecialist
  • Members
  • 10 posts
  • Real Name:Steven

Posted 24 May 2011 - 11:31

Sweet post! I suggest someone of the staff sticky this.

#9   Xpajun

Xpajun
  • Members
  • 1,310 posts
  • Real Name:Julian
  • Gender:Male
  • Location:UK

Posted 24 May 2011 - 19:51

5. Rename /admin/ and htpasswd it {
2.3.1 and lower
a. if your admin area is located at /admin/ change it now by renaming it to something randomly hard to guess, eg: /d9fne3ufvurjes%kep/
b. amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!)
}


2.3.1 installation gives you the option to rename your admin; doing it at this time also saves the problem of not getting the configure.php change right.

htpasswd on 2.3 is a bit of a problem causer - the user name and password MUST be the same as the admin login details, otherwise the login won't work.

iii. Bad Conduct Banning - I am road testing this. Will update the thread when I have some conclusions.


I've been using Bad Behavior Block for some time, I like it for the following:

  • It provides a first line of defence against hackers
  • It protects your whole website not just osC
  • It is easily adaptable to include other hack attempt conditions
  • It bans the hacking IP address - there is much discussion on this principle but I would say that the ban stops that IP from continuous attempts to hack your store (sometimes in the region of 240 attempts per minute) thus easing server load.
  • The ban is only directed at an active hacker, so there is no need for ad hoc bans of complete countries, thus allowing you to trade anywhere in the world
  • At the end of the day you can always remove banned IP addresses from the list - after all if they attempt to hack your store again they will be banned

Thought you might like a list of reasons why I think it is useful with osC, Gary. Yes, there are others that will say that their contribution makes it redundant, but they should understand that this contribution, being first in line, makes theirs redundant; that doesn't stop me from using theirs as a second line of defence...

#10   burt

burt

    Vanquisher of Demons

  • Community Team
  • 10,002 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 24 May 2011 - 20:30

Thanks Juls. Welcome more comments from anyone else too.

Bad Conduct would I think be better if it added IP addresses for say 15 minutes. Thoughts?

#11   sucuri

sucuri
  • Members
  • 27 posts
  • Real Name:sucuri

Posted 24 May 2011 - 20:59

I will add some things that are not specific to osCommerce, but are very good to have to prevent attacks (in addition to all that was said):


1-Use strong passwords for the admin interface and FTP/SFTP/SSH. Sounds obvious, but we see so many sites hacked through brute force attacks that it is not even funny.


2-If you have additional sites in the same FTP account (on shared hosts), make sure all of them are updated and secure too. Otherwise an attack in one of them can spread to the other sites...


3-If you are on a dedicated server (or VPS), monitor your server closely. A good tool is the open source OSSEC (free): http://www.ossec.net . It will check all your logs, files, etc for attacks and block them.


4-Daily offsite backups. If your site is compromised or you have a hosting error (or even by mistake), make sure you can easily recover your files and database. There are so many services that offer that (and they are cheap). Examples: http://gudado.com , site-vault.com, etc.


5-Check your site for malware/spam/etc. I am a bit biased on this, but I recommend checking your site for security issues. The earlier you know that something is happening, the earlier you can respond and fix things. A free checker: http://sitecheck.sucuri.net


Thanks,

#12   Taipo

Taipo
  • Members
  • 796 posts
  • Real Name:Te Taipo
  • Gender:Male

Posted 25 May 2011 - 05:44

The Osc Sec module does not make changes to PHP_SELF, however, Taipo correctly advises in the installation instructions to change this


osC_Sec does change the $PHP_SELF, the 2.3.1 patched $PHP_SELF is in osC_Sec as well as a safeguard in case another addon is included after osC_Sec that causes the $PHP_SELF to report an empty result.

Scroll to the section headed by:
/**
  * Reliably set $PHP_SELF
  * as a filename .. 
  * platform safe
  * Base of this is from Oscommerce ver 2.3.1
  **/

Also if someone is going to use both osC_Sec and Security Pro 2.0 together, then it's best they change $GETcleanup = 1; to $GETcleanup = 0; in osC_Sec because there is no point in doing that cleanup twice.

#13   Xpajun

Xpajun
  • Members
  • 1,310 posts
  • Real Name:Julian
  • Gender:Male
  • Location:UK

Posted 25 May 2011 - 08:32

Thanks Juls. Welcome more comments from anyone else too.

Bad Conduct would I think be better if it added IP addresses for say 15 minutes. Thoughts?



I would say 15 minutes is too short; 24 hours should be the minimum, but a month would be the optimum.

It is possible that Bad Conduct will ban an "innocent" that has an infected computer; a redirect to a 403 that explains what has happened and why would be a good thing.



Innocent - there is no such thing as an innocent with an infected computer that will try to hack your store; they lose their right to innocence when they fail to take precautions and allow their computer to become infected. However, an explanation stating that their computer 'may' be infected would not come amiss.

#14   burt

burt

    Vanquisher of Demons

  • Community Team
  • 10,002 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 25 May 2011 - 12:14

Taipo - thanks, I stand corrected.

Juls - I see no value in banning fake IP addresses. Perhaps we are talking about different things?

#15   modelspecialist

modelspecialist
  • Members
  • 10 posts
  • Real Name:Steven

Posted 25 May 2011 - 13:44

I managed to remove the X-PHP reference from the mail module in my admin folder by replacing

while ($mail = tep_db_fetch_array($mail_query)) {
  $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
}

with

// before sending mail, change PHP_SELF to hide admin dir from mail header
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php";
while ($mail = tep_db_fetch_array($mail_query)) {
  $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', $from, $subject);
}
// restore the real value once the mails are out
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;

However, I don't find this code in the Orders.php file. The only code I find is a tep_mail action, but I don't have an idea on how to change/alter this to hide the X-PHP reference; my PHP knowledge doesn't reach that far. Any help is appreciated; the linked topic above doesn't really specify this.

#16   modelspecialist

modelspecialist
  • Members
  • 10 posts
  • Real Name:Steven

Posted 25 May 2011 - 14:04

Apparently I can't edit my own posts on this forum; just to be clear, the file I edited successfully was [youradminfoldernamehere]\mail.php

#17   burt

burt

    Vanquisher of Demons

  • Community Team
  • 10,002 posts
  • Real Name:G Burton
  • Gender:Male
  • Location:UK/DEV/on

Posted 26 May 2011 - 12:01

Same basis.

FROM THIS:
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

TO THIS:
$tempvar = $HTTP_SERVER_VARS['PHP_SELF'];    // save the real value
$HTTP_SERVER_VARS['PHP_SELF'] = "/mail.php"; // mask the admin directory while the mail is sent
tep_mail($check_status['customers_name'], $check_status['customers_email_address'], EMAIL_TEXT_SUBJECT, $email, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
$HTTP_SERVER_VARS['PHP_SELF'] = $tempvar;    // restore the same variable that was masked above

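
Added example, not code from the thread or from osCommerce: the save / override / restore sequence shown for mail.php and orders.php above, wrapped in one helper so every call site masks the admin path the same way and the original value comes back even if the mailer throws. It assumes PHP 5.5+ (for finally) and that the mail path reads $HTTP_SERVER_VARS['PHP_SELF'], $_SERVER['PHP_SELF'] or $PHP_SELF; demo_mailer() and the request values are constructed stand-ins.

```php
<?php
// Added example, not osCommerce code. Masks every copy of PHP_SELF that a mail
// path might read while $send runs, then restores all of them, even on error,
// so the rest of the request is unaffected. Assumes PHP 5.5+ for finally.

function with_masked_php_self($mask, callable $send) {
    global $HTTP_SERVER_VARS, $PHP_SELF;
    $saved = array(
        'hsv'  => isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : null,
        'srv'  => isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : null,
        'self' => isset($PHP_SELF) ? $PHP_SELF : null,
    );
    // Override every copy, not just one of them (the two posts above each
    // touched a different variable).
    $HTTP_SERVER_VARS['PHP_SELF'] = $_SERVER['PHP_SELF'] = $PHP_SELF = $mask;
    try {
        return $send();
    } finally {
        // Runs whether $send returned or threw.
        $HTTP_SERVER_VARS['PHP_SELF'] = $saved['hsv'];
        $_SERVER['PHP_SELF'] = $saved['srv'];
        $PHP_SELF = $saved['self'];
    }
}

// Constructed stand-in for the mailer: reports the path it would see.
function demo_mailer() {
    global $HTTP_SERVER_VARS;
    return 'path seen by mailer: ' . $HTTP_SERVER_VARS['PHP_SELF'];
}

// Constructed request running inside a renamed admin directory.
$HTTP_SERVER_VARS = array('PHP_SELF' => '/d9fne3ufvurjes%kep/orders.php');
$_SERVER['PHP_SELF'] = $HTTP_SERVER_VARS['PHP_SELF'];
$PHP_SELF = 'orders.php';

echo with_masked_php_self('/mail.php', 'demo_mailer') . "\n";
echo 'after send: ' . $HTTP_SERVER_VARS['PHP_SELF'] . "\n";
```

At a real call site the closure passed as $send would contain the tep_mail() or $mimemessage->send() call from the posts above.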

#18   modelspecialist

modelspecialist
  • Members
  • 10 posts
  • Real Name:Steven

Posted 26 May 2011 - 12:15

worked like a charm. thanks!

#19   Juto

Juto
  • Members
  • 369 posts
  • Real Name:Sara
  • Gender:Female

Posted 27 May 2011 - 21:20

Hi Burt and thanks for this thread :)

Wondering, is this Spooks addon obsolete now?

function clean_var($vars) {
  if (!is_array($vars)) {
    // strip everything except letters (any script), digits, CR, @, space, colon, braces, underscore, dot and dash;
    // the u modifier is needed for \p{L} to match multi-byte UTF-8 letters instead of mangling them
    return preg_replace("/[^\p{L}\d\r@ :{}_.-]/iu", "", urldecode($vars));
  } else {
    // nested arrays (e.g. checkbox groups) are cleaned recursively
    return array_map('clean_var', $vars);
  }
}
// $_POST is a superglobal on PHP 4.1+, so no aliasing is needed; clean every value in place
// (foreach replaces the old each() loop, which was removed in PHP 8)
foreach (array_keys($_POST) as $key) {
  $_POST[$key] = clean_var($_POST[$key]);
}


#20   Annisse

Annisse
  • Members
  • 79 posts
  • Real Name:Annette
  • Gender:Female

Posted 28 May 2011 - 12:38

Hello there!

Loving all the security contributions and advice! Soaking it up like a wet sponge. Thanks Burt and Xpajun

Now, this is probably an easy answer for you guys but I am in the dark about this.

5. Rename /admin/ and htpasswd it

So I change the admin folder to my new name of choice, then when I go to my Admin page to log into OSCommerce I now get an Error 403. My catalog is still trying to locate the old folder name, admin/login.php

What steps do I also need to do after changing my admin folder name to access my Admin login page again with the new folder name?

Thank you for your help. Total noob with anything having to do with computers and code :rolleyes: