
osCommerce

The e-commerce.

SQL Injection, which contribution?


npn2531


Every few weeks I get a call from SITELOCK (I have an account) and they tell me my site is open to SQL injection attacks and exploits from hackers because I have text entry forms on my site (log-in page, new address, etc.). They specifically mention the search box.

I have installed the (SEC) and (SQL) updates on my 2.2RC2a website from here http://library.oscommerce.com/public/sites/Library/pdf/oscom23-old.pdf

and have installed contributions that add some security features, for example, my htaccess file has things added like:

# For security reasons, Option FollowSymLinks cannot be overridden.
#Options +FollowSymLinks
Options +SymLinksIfOwnerMatch

# mod_rewrite must be switched on before any RewriteCond/RewriteRule takes effect.
RewriteEngine On

# Block requests whose query string carries common attack markers.
# RewriteCond tests the raw, still percent-encoded query string, which is why
# %3C / %3E are listed alongside < and >. [NC] = case-insensitive match,
# [OR] = any one of the chained conditions is enough.
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# [F] answers 403 Forbidden (the substitution target is ignored with [F], so
# "-" would do the same); [L] stops further rewriting.
RewriteRule ^(.*)$ index_error.php [F,L]

# Refuse TRACE/TRACK requests (cross-site tracing).
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# filter for most common exploits: user-agent and query-string signatures of
# known scanners and PHP web shells
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]
# (excerpt ends here; in the full file the condition chain continues and must
# finish with a RewriteRule such as the "RewriteRule .* - [F]" above)

and a long list of # ban spam bots, etc.

When I quiz SITELOCK to give me more detail about why specifically my site and my text forms are at risk, they are unable to do so, but reassure me that they can fix it for $29.95/month. Of course, that's when I wonder if everything SITELOCK does is BS.

Long story short, what do you need to do to protect text boxes from hacker attacks?

Oscommerce site: OSC to CSS, http://addons.oscommerce.com/info/7263 - Mail Manager, http://addons.oscommerce.com/info/8120
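The RewriteCond lines in the post above are PCRE patterns, the same regex engine PHP's preg_match() uses, so they can be exercised offline without an Apache instance. The following is an added example, not code from the thread or from osCommerce: a hypothetical matchedRule() helper applies the posted query-string patterns to constructed sample requests (the keywords parameter and every payload are made up for the demonstration, not captured traffic). It shows that the rules catch the canned script/iframe/web-shell strings they were written for, while a quote, UNION or SLEEP in the search term matches nothing and reaches the application unfiltered: the rules are a blocklist of exploit signatures, not an SQL-injection defence.

```php
<?php
// Added example (not from the thread). The RewriteCond patterns are PCRE, so
// preg_match() evaluates them exactly as Apache's mod_rewrite does.

// Patterns copied from the posted .htaccess; the [NC] flag becomes the /i
// modifier. Apache matches RewriteCond against the raw (still percent-encoded)
// query string, so the %3C / %3E alternatives are what detect "<script>".
const QUERY_STRING_RULES = [
    'base64_encode' => '/base64_encode.*\(.*\)/',
    'script tag'    => '/(\<|%3C).*script.*(\>|%3E)/i',
    'iframe tag'    => '/(\<|%3C).*iframe.*(\>|%3E)/i',
    'GLOBALS'       => '/GLOBALS(=|\[|\%[0-9A-Z]{0,2})/',
    '_REQUEST'      => '/_REQUEST(=|\[|\%[0-9A-Z]{0,2})/',
    'tool25'        => '/tool25/',
    'cmd.txt'       => '/cmd.txt/',
    'cmd.gif'       => '/cmd.gif/',
    'r57shell'      => '/r57shell/',
    'c99'           => '/c99/',
];

/**
 * Hypothetical helper: name of the first rule that would fire for the given
 * raw query string, or null when the request would pass through untouched.
 */
function matchedRule(string $queryString): ?string
{
    foreach (QUERY_STRING_RULES as $name => $pattern) {
        if (preg_match($pattern, $queryString) === 1) {
            return $name;
        }
    }
    return null;
}

// Constructed sample requests (not captured traffic). The first group is the
// canned junk the rules were written for; the second group is what an
// SQL-injection probe typed into a search box actually looks like.
$samples = [
    // scanner / XSS / web-shell noise: each hits one of the rules
    'keywords=%3Cscript%3Ealert(1)%3C/script%3E',
    'keywords=<iframe src=//example.invalid>',
    'x=base64_encode(foo)',
    'GLOBALS[a]=1',
    'q=http://example.invalid/c99.txt',
    // SQL-injection probes: none of the rules looks for quotes or SQL keywords
    "keywords=shoes' OR '1'='1",
    'keywords=shoes%27%20UNION%20SELECT%201,2,3--',
    'keywords=shoes%27%20AND%20SLEEP(5)--',
    // double-encoded: %25 is '%', so neither '<' nor '%3C' appears literally
    'keywords=%253Cscript%253E',
];

foreach ($samples as $qs) {
    printf("%-60s => %s\n", $qs, matchedRule($qs) ?? 'PASSES THROUGH');
}
```

Run it with `php` from the command line; the first five requests each report the rule that blocked them and the remaining four pass through. The lesson for the question in the post is that these .htaccess rules cut down automated noise but say nothing about whether the search form's SQL is safe.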


Actually, I have FWR Security Pro http://addons.oscommerce.com/info/5752 installed; does this protect from SQL injections or cross-scripting?

And is there a way to check if it is working?

Oscommerce site: OSC to CSS, http://addons.oscommerce.com/info/7263 - Mail Manager, http://addons.oscommerce.com/info/8120


> Actually, I have FWR Security Pro http://addons.oscommerce.com/info/5752 installed; does this protect from SQL injections or cross-scripting?
>
> And is there a way to check if it is working?

Robert has this in the documentation:

How can I quickly test it is working?

Do a search on your site using the search box. Put in a bad-character/good-character mix like [w](o)%3Cr%3Ek|i*n^g

Do the search, then look back at the search box, which should have been repopulated with the cleansed value. It should read "working".

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.
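To make the documented smoke test concrete, here is an added example that is not code from FWR Security Pro or osCommerce. cleanseSearchTerm() is an assumed reimplementation of the cleansing rule (percent-decode, then keep only letters, digits and spaces), chosen so that the documented probe comes back as "working"; the add-on's actual rules may differ. searchUnsafe() and searchSafe() are hypothetical helpers run against a constructed in-memory SQLite catalogue: the first glues the search term into the SQL string the way 2.2-era code did, the second binds it as a parameter. Against a tautology payload the unsafe version returns every product and the safe one returns none, which is the real answer to "what protects a text box": cleansing the field strips the quotes, but only a parameterised (or correctly escaped) query makes the input unable to change the SQL at all.

```php
<?php
// Added example, not code from FWR Security Pro or osCommerce.

/**
 * Assumed cleansing rule (not the add-on's actual code): percent-decode, then
 * drop everything that is not a letter, digit or space. Decoding first is what
 * turns %3C / %3E into < and > so they can be removed.
 */
function cleanseSearchTerm(string $raw): string
{
    $decoded = urldecode($raw);
    $cleaned = preg_replace('/[^\p{L}\p{N} ]+/u', '', $decoded);
    return trim(preg_replace('/ {2,}/', ' ', $cleaned));
}

/** Hypothetical 2.2-style query: the search term is concatenated into the SQL. */
function searchUnsafe(PDO $db, string $keywords): array
{
    $sql = "SELECT products_name FROM products WHERE products_name LIKE '%" . $keywords . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Same query with a bound parameter: the input is data, never SQL syntax. */
function searchSafe(PDO $db, string $keywords): array
{
    $stmt = $db->prepare('SELECT products_name FROM products WHERE products_name LIKE :kw');
    $stmt->execute([':kw' => '%' . $keywords . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory catalogue so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (products_name TEXT)');
foreach (['Working Boots', 'Garden Hose', 'Hard Drive'] as $name) {
    $db->prepare('INSERT INTO products VALUES (?)')->execute([$name]);
}

// 1. The documented smoke test: the mixed probe should cleanse to "working".
$probe = '[w](o)%3Cr%3Ek|i*n^g';
echo "cleansed probe:     ", cleanseSearchTerm($probe), "\n";

// 2. A tautology crafted for the LIKE clause. The closing quote ends the
//    pattern early and "OR '%'='%'" is always true, so the unsafe query
//    returns the whole table; the bound version treats the quotes as data
//    and finds nothing, because no product name contains "xyz".
$injection = "xyz%' OR '%'='";
echo "unsafe query rows:  ", count(searchUnsafe($db, $injection)), "\n";
echo "safe query rows:    ", count(searchSafe($db, $injection)), "\n";

// 3. Cleansing also defuses this one, but only by deleting the quotes and the
//    percent signs. Treat it as defence in depth: anything that slips past the
//    filter still lands in an unparameterised query.
echo "cleansed injection: ", cleanseSearchTerm($injection), "\n";
```

The script needs PHP's pdo_sqlite extension, which ships with most PHP builds. The same two-column comparison (concatenated versus bound) is the quickest way to audit any osCommerce query that takes text from a form: if the user's string is visible inside the SQL literal, cleansing the form is not the fix.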


Are they telling you that your site is vulnerable because you have text input fields? Have they actually thoroughly examined your site's code and found vulnerabilities?

> When I quiz SITELOCK to give me more detail about why specifically my site and my text forms are at risk, they are unable to do so, but reassure me that they can fix it for $29.95/month. Of course, that's when I wonder if everything SITELOCK does is BS.

[polite level=extreme]

Um, I'd be highly suspicious of anyone who says "you're vulnerable, and we can't/won't tell you why, but for only $29.95 a month we can fix it."

[/polite]

Simply keeping up with security patches, and understanding the basics of how attacks work and how they can be defended against, will protect you against 99.9% of all attacks. The vast majority are script kiddies throwing all sorts of canned stuff at you to see if anything sticks. 2.2 is a bit long in the tooth, but as long as you apply patches, it shouldn't be any easier a target than the latest 2.3.x.


Archived

This topic is now archived and is closed to further replies.
