Latest News: (loading..)


  • Content count

  • Joined

  • Last visited

Community Reputation

0 Neutral

About smiler99

Profile Information

  • Real Name
  • Gender

Contact Methods

  1. Steve, I am getting lots of vosits from users who have SIMBAR in their user agent, from what i have read it appears that these users have some sort of malware/adware on their system. Should i be concerned in any way, should i block any user with SIMBAR in their user agent.
  2. already done :), 3 years in and i cross my fingers that i have not had any hacks, (plenty of attempts but nothing thats taken over) im simply looking to ensure that any PCI compliance passes, and to continue to be one step ahead where i can to ensure google never gets the opportunity to flag my site as containing malicious code.
  3. Hi Taipo I have installed OSC_Sec (and for those that have some slight descrepecies in \includes\Application_Top.php) this is the code i had in application_top which i removed // set php_self in the local scope // commented out for OSC_SEC $PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']); and replaced with // set php_self in the local scope if( !isset( $PHP_SELF ) ) { if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER; $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] ); } Now - Results! Sec_pro succesfully produced a significant drop in vulnarability Alerts, infact if fixed all vunerabilities with the exception of one any attack that uses 1<script/acu src=//></ScRiPt> remained an issue, having looked at the post blacklistings in OSC_Sec.php i can see that this attack is not covered, i dont see any blacklist that captures <script>, i suspect this is known but i dont understand why it would be missing, i cant see any reason for <script> being used in any input form - Taipo can you advise if there are any reason why i shouldnt add a check for <script> in the blacklist 1 last point - whilst testing, switch of ipban / htaccess ban or add your ip to the exclude list otherwise you keep banning yourself and have to remove your ip from the ban list!!
  4. Hi i have installed Security Pro, added htaccess updates, upgraded from 2.2rc2 to 2.3 and then ran a xss test using Acunetix (free version) results are a phenominal number of high level risks (thousands!!). using contact_us.php as an example page Having tested Security pro using the test mask of [w](o)%3Cr%3Ek|i*n^g in the full name field and also the enquiry field and the email address field neither change to 'working' after submitting i also used the test code that Acunetix used (1<script>prompt(976805)</ScRiPt>) and that does not get cleansed in any of the 3 fields Acunetix shows the following for contact_us.php This vulnerability affects /contact_us.php. Discovered by: Scripting (XSS_in_URI.script). The impact of this vulnerability Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify the content of the page presented to the user. Attack details URI was set to 1<script>prompt(976805)</ScRiPt> The input is reflected inside a text element. The input is reflected inside a tag element between double quotes. http header contains ... GET /contact_us.php/1<script>prompt(976805)</ScRiPt> HTTP/1.1 also for contact_us.php Attack details URL encoded POST input email was set to '"()&%1<script >prompt(928175)</ScRiPt> http header contains ... POST /contact_us.php?action=send HTTP/1.1 with a variable showing email=%27%22%28%29%26%251%3cScRiPt%20%3eprompt%28928175%29%3c%2fScRiPt%3e&enquiry=&name=qjfpqnop how can i know for sure that the security i have added are working, or they are not working I am fairly adept with OSc can usually debug / trace php ( 3 year using, many upgrades and mods without Major issues) Stumped on this one.
  5. gbot picks up this spider - line 27 in spiders.txt (presuming you havnt changed the order of the bots from the original file). my Whos online registers User Agent: Mozilla/5.0 (compatible; bingbot/2.0; + as a bot Smiler
  6. hi, I have googlefeeder running perfectly and have for some time, all products list ok, and a couple are actually listed within the top 3 for my keywords, however i have noticed that the url's generated are https:// - i have ssl so the url's are valid, however i would prefer normal url's as my standard store pages and google sitemap etc dont use ssl (ssl only used for checkout etc.) Question 1. how can i rectify this Question 2. should i rectify this question 3. is there any bennefit either way ? thanks
  7. Hi, whilst waiting for a reply to the above query, i have manually entered the defines in filenames.php I think i have spotted a bug. Here is section from Headertags.php, after i had run Add missing Pages // Marble-Fireplaces-West-Yorkshire.php case (basename($_SERVER['PHP_SELF']) === FILENAME_MARBLE-FIREPLACES-WEST-YORKSHIRE): $header_tags_array = tep_header_tag_page(FILENAME_MARBLE-FIREPLACES-WEST-YORKSHIRE); break; As you can see above the filename i have used is Marble-Fireplaces-West-Yorkshire.php when headertags creates its code as above, it also uses the hyphen within its defined name, however the hyphen is being seen as a 'Minus' sign as it is coloured blue, this stops headertags matching this define with the entry in filenames.php (hope that makes sense) ? If i change the above to FILENAME_MARBLE_FIREPLACES_WEST_YORKSHIRE and also change the filename.php to FILENAME_MARBLE_FIREPLACES_WEST_YORKSHIRE everything works ok and the tags show as they should instead of the default tags which get used as headertag cannot find a match in filenames.php.
  8. hi, Add Missing Pages. When clicked, Header Tags adds the pages to Page control, which also means they are correctly recorded in Headertags.php, however the defined names used to check the page name dont appear in Filenames.php, is headertags supposed to add entries in Filenames.php or do i have to add all my pages in Filenames.php myself ?
  9. Hi, Sorry if this is a lame question, and i have read through this thread and either missed any potential similar questions or it hasnt been asked. How do i add new pages?, i have lots of my own pages i have created, which all are defined in filenames.php and are picked up in headertags contrib without issue, but seo sitemap does not pick them up and does not list them when viewing sitemap.php, they are not boxes (which incidentally do get picked up if i create new boxs)
  10. To answer my own question (and create a solution) - I have created a new allarticles.php file which is a significantly modified and merged copy of the Articles.php / article_listing_box.php files , the code below should be saved as atriclesall.php and saved to catalog\includes\boxes - then add standard STS require tags in sts_column_left.php i.e. require(DIR_WS_BOXES . 'articlesall.php'); $sts->restart_capture ('allarticlesbox', 'box'); place the sts tag $allatriclesbox wherever you would like to show a complete list of the headers for all your articles. Could the experts take a look at this to ensure it is correct - and is this worthy of an addition to this contribution ? articlesall.php <?php /* $Id: articlesall.php, v1.0.0 2009/09/27 12:00:00 ra Exp $ osCommerce, Open Source E-Commerce Solutions Copyright (c) 2003 osCommerce Released under the GNU General Public License */ //require('includes/application_top.php'); ?> <td><table wisth="100%" border="0" cellspacing="0" cellpadding="0"> <?php $articles_all_array = array(); $articles_all_query_raw = "select a.articles_id, a.articles_date_added, ad.articles_name, ad.articles_head_desc_tag, au.authors_id, au.authors_name, td.topics_id, td.topics_name from " . TABLE_ARTICLES . " a left join " . TABLE_ARTICLES_TO_TOPICS . " a2t on a.articles_id = a2t.articles_id left join " . TABLE_TOPICS_DESCRIPTION . " td on a2t.topics_id = td.topics_id left join " . TABLE_AUTHORS . " au on a.authors_id = au.authors_id left join " . TABLE_ARTICLES_DESCRIPTION . " ad on a.articles_id = ad.articles_id where (a.articles_date_available IS NULL or to_days(a.articles_date_available) <= to_days(now())) and a.articles_status = '1' and ad.language_id = '" . (int)$languages_id . "' and td.language_id = '" . (int)$languages_id . "' order by a.articles_date_added desc, ad.articles_name"; $listing_sql = $articles_all_query_raw; ?> <?php $listing_split = new splitPageResults($listing_sql, MAX_ARTICLES_PER_PAGE); $articles_listing_query = tep_db_query($listing_split->sql_query); while ($articles_listing = tep_db_fetch_array($articles_listing_query)) { ?> <tr> <td valign="top" class="main" width="100%"> <?php // added class=main to the link. echo '<h2><a class="main3" href="' . tep_href_link(FILENAME_ARTICLE_INFO, 'articles_id=' . $articles_listing['articles_id']) . '">' . $articles_listing['articles_name'] . '</a></h2> '; ?> </td></tr> <?php } // End of listing loop ?> </table></td>
  11. hi, i have just installed 1.57_3 and have added the required code to place the articles 'menu' inside an STS TAG. I have switched off new articles, all articles, so i am only left with a menu that shows HEADER Topic1 Topic2 Topic3, etc, etc, etc RSS LINK I have created a topic, and have also created articles inside this topic the topic shows in the articles menu on my homepage, i have also created an article which i have placed outside any topics, this article is shown in admin in the top tier but this article does not show in the top level menu on my homepage., Here is my question. Rather than create topics, i would like to create artices that show their titles in the articles menu on my home page, i dont want to place the articles inside topics, just list them as i create them is this possible? and if so how can i achieve this.
  12. Steve, Thanks for your reply, msnbot was not being picked up, i understand that if any user agent contains any of the words in spiders.txt then it is regarded as a spider. an extract of your spider.txt has the following that contains 'nbot' which in theory should pickup msnbot, however i have had to specifically add 'msnbot' for it to be recognised in supertracker and visitors tracking (it may be those mods that are not using spiders.txt correctly) lbot mbot nbot pbot rbot sbot tbot vbot ybot zbot bot. bot/ _bot .bot /bot -bot :bot
  13. HI, Great contribution.!!! I have a heavily modified OSC and have spent the last 2 days manually inserting all changes (after making painstaking comparisons) :blink: I have installed options V2.1.1 & Atttrib Manager Addon. All works perfectly and . Many thanks :thumbsup: I have one small cosmetic problem. (IN SHORT - can i define which option value is the 'Default' selected option value ????? (and i will try to explain why i am doing what i want to do ) I have the same products listed more than once in my shop, each 'similar' product has a different option, therefore a different price. As i only have limited products i DO need to list them seperatly to give my shop some volume. What i use options for is to allow any prospective buyer to tailor the specific product they are looking at and maybe make it the same as another similar item (this saves them having to go find that specific product. (eg. product 1 is Fireplace without light, Product 2 is fireplace with light) Both products are the same except one has lights and one does not, NOW Here is my ISSUE 1. if someone is looking at the product Fireplace with light, the options they have would be to remove the light (option Light NO -£15.00) 2. if someone is looking at the product Fireplace with NO light, the options they have would be to ADD the light (option Light YES +£15.00) if someone views 1, then i need to have option Light YES shown as default and not option light NO -£15.00 if someone views 2, then i need to have option Light NO shown as default and not option light YES +£15.00 Currently the default 'Selected' option appears to depend in which order you add the option, CAN THE 'DEFAULT' option shown be Assigned anywhere?
  14. is This the latest Spiders.txt file (28/12/2008) I cannot find any other variants. Bling, and AOL? are picking up session id's and are not being reported as BOTS in visitors tracking or super tracker
  15. Thanks for the reply Steve, I am a little confused, i AM using this module for my paypal uk payments, and also have paypal as my full credit card merchant (Hence the use of paypal manager), All my payment activities go through this module as direct payments or express checkout, so why do Paypal advise that i need to change to SDK 4.3, and they say i am using sdk 3.07 ?