Taipo

Members
  • Content count: 819
  • Days Won: 6

Taipo last won the day on October 20 2011

Taipo had the most liked content!

Profile Information
  • Real Name: Te Taipo
  • Gender: Male
  1. WP Callback Problem - Intermittent

    When Suhosin is installed, the string length for the suhosin.get.max_value_length is 512. In order for a callback to succeed that setting would need to be something closer to 2000+. The problem I believe is that Suhosin is applied at a server level and server admins will probably not allow a change in their server configurations merely because one of the many thousands of websites on their server has a malfunctioning callback. But there is no harm in trying.
  2. Updated Security Thread

    In both application_top.php files where it has the following:

    ```php
    // set php_self in the local scope
    $PHP_SELF = ....
    ```

    Make sure that the $PHP_SELF line contains the following:

    ```php
    // set php_self in the local scope
    $PHP_SELF = ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0 ) && ( (bool) ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME'] ) )
              ? basename( $HTTP_SERVER_VARS['PHP_SELF'] )
              : basename( $HTTP_SERVER_VARS['SCRIPT_NAME'] );
    ```

    If you scroll to the bottom of that page you linked to, you will see that this is the actual fix to that specific issue you posted above. The other primary code change is to the code which governs the login process here. Those are the two primary code changes needed to prevent the admin login bypass exploit. There are more code changes needed, but at least with those two you will secure your site code against the main exploit that has ravaged through many tens of thousands of osCommerce sites that use the older versions. Read more about these two code changes here.
  3. Latest update:

    ```apache
    ########## Hardcore Security for osCommerce HTACCESS v1.0.2 ###########
    Options +SymLinksIfOwnerMatch
    # disable the server signature
    ServerSignature off
    # set the server administrator email
    SetEnv SERVER_ADMIN default@yourdomain.com
    # ~~~~ START OF FILTERING ~~~~~ #
    # secure htaccess and other files
    <FilesMatch "(\.htaccess|\.htpasswd)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>
    # add whatever configuration files here that are hosted on your server
    # that you want blocked
    <FilesMatch "^(php\.ini|php5\.ini)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    # disable access to the osCommerce config.php
    <Files ~ "includes/configure.php$">
    deny from all
    </Files>
    # disable access to the osCommerce admin config.php
    <Files ~ "admin/includes/configure.php$">
    deny from all
    </Files>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # server request method
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS) [OR]
    # osCommerce 2.2x
    RewriteCond %{THE_REQUEST} ^.*\.php/login\.php.*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*login.php\?action\=backupnow.*$ [NC,OR]
    # _REQUEST
    RewriteCond %{THE_REQUEST} \?\ HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} %20HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (showimg=|cookies=|passwd) [NC,OR]
    RewriteCond %{QUERY_STRING} (file_get_contents\(|setcookie\() [NC,OR]
    RewriteCond %{QUERY_STRING} (\,0x3a\,|unescape\(|fromcharcode|pwtoken_get|php_uname|passthru\() [NC,OR]
    RewriteCond %{QUERY_STRING} (eval\%28|eval\%2528|eval\(|base64_(en|de)code[^(]*\([^)]*\)|base64_encode.*\(.*\)) [NC,OR]
    RewriteCond %{QUERY_STRING} (JHs\=|replace\(|return\%20clk|boot\.ini|php\/password_for|announce\?info_hash) [NC,OR]
    RewriteCond %{QUERY_STRING} (\_START\_|\=alert\(|mysql\_query|\.\.\/cmd|rush\=|EXTRACTVALUE\(|phpinfo\() [NC,OR]
    RewriteCond %{QUERY_STRING} (\/frameset|\$\_SESSION|\$\_REQUEST|\$HTTP\_|mosConfig\_|inurl\:|\/iframe|onload\=) [NC,OR]
    RewriteCond %{THE_REQUEST} (allow_url_fopen|\%23include\+\<|get_defined_vars\(|\%22\'\%2f|error_reporting\(0\)) [NC,OR]
    RewriteCond %{THE_REQUEST} (fwrite\(|waitfor\%20delay|shell_exec|gzinflate\(|prompt\(|php_value\%20auto) [NC,OR]
    RewriteCond %{THE_REQUEST} (onmouseover|onmousedown|ct\(this) [NC,OR]
    RewriteCond %{THE_REQUEST} (ftp\:\/\/|1\=1\-\-|current\_user\(\)|\%3Cform|sha1\(|self\/environ) [NC,OR]
    RewriteCond %{THE_REQUEST} (\<\%3Fphp|\%\%|1\+and\+1|\/iframe|\$\_GET|document\.cookie|onload\%3d|onunload\%3d) [NC,OR]
    RewriteCond %{THE_REQUEST} (\%00|hex\_ent|ob\_starting|PHP\_SELF|etc\/passwd|shell\_exec|data\:\/\/|\$\_SERVER|\$\_POST) [NC,OR]
    RewriteCond %{THE_REQUEST} (\%bf\%5c\%27|\%bf\%27|\%ef\%bb\%bf|\%8c\%5c|\%a3\%27) [NC,OR]
    RewriteCond %{THE_REQUEST} (\@\@datadir|\@\@version|version\(\)|localhost|\}\)\%3B|Set\-Cookie|\%253C\%2Fscript\%253E) [NC,OR]
    RewriteCond %{THE_REQUEST} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # http referer
    RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%00) [NC,OR]
    # mysql related
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (order).*(by).*(\%[0-9A-Z]{0,2}) [NC,OR]
    RewriteCond %{QUERY_STRING} (waitfor|delay|shutdown).*(nowait) [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(|encode\(|encrypt\(|extract\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(field\(|floor\(|format\(|from|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|\^).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]
    # cookies
    RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (eval\%28|eval\%2528|eval\(|information_schema) [NC,OR]
    RewriteCond %{HTTP_COOKIE} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(|encode\(|encrypt\(|extract\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(field\(|floor\(|format\(|from|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|\^).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]
    # LFI and session hijacking
    RewriteCond %{QUERY_STRING} \=(\.\./\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.//\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.\\\.\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.\\\\\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \/tmp\/sess_ [NC,OR]
    RewriteCond %{QUERY_STRING} php:\/\/filter\/read=convert\.base64-(en|de)code\/ [NC,OR]
    # if expose_php is set to on
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>
    # ~~~~ END OF FILTERING ~~~~~ #
    # OPTIONAL EXTRAS
    # Uncomment and use.
    # If Error 500 encountered then comment out
    # disable directory browsing, if error 500 encountered then comment out
    # Options All -Indexes
    # prevent folder listing, if error 500 encountered then comment out
    # IndexIgnore *
    # php_value session.use_trans_sid 0
    # auto keep the config file read only
    # chmod configure.php files 444
    # turn off magic_quotes_gpc
    # <ifmodule mod_php4.c>
    # php_flag magic_quotes_gpc off
    # </ifmodule>
    ########## End of Hardcore Security for osCommerce HTACCESS v1.0.2 #################
    ```
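A quick offline check of what a handful of the rules above do and do not match, added here as an example and not part of Taipo's addon: the patterns are copied from the v1.0.2 listing and run through Python's re module over constructed requests (Apache evaluates them with PCRE, `[NC]` meaning case-insensitive). One of the constructed requests is an ordinary keyword search that the SQL-function rule flags, which is the kind of legitimate request this sort of filtering can block.

```python
"""Replay a subset of the Hardcore Security v1.0.2 RewriteCond patterns
over constructed requests, offline, with Python's re module.

Added example, not part of Taipo's addon.  %{QUERY_STRING} in Apache is
the raw, still URL-encoded query string, which is what is fed in here.
"""
import re
from urllib.parse import urlsplit

# (rule name, server variable it tests, pattern) - patterns copied from the listing.
RULES = [
    ("eval-base64", "QUERY_STRING",
     r"(eval\%28|eval\%2528|eval\(|base64_(en|de)code[^(]*\([^)]*\)|base64_encode.*\(.*\))"),
    ("union-all-select", "QUERY_STRING", r"union([^a]*a)+ll([^s]*s)+elect"),
    ("sql-functions", "QUERY_STRING",
     r"(union|and|\^).*(select).*(field\(|floor\(|format\(|from|hex\(|if\(|in\("
     r"|information_schema|insert\(|instr\(|interval\(|lcase\()"),
    ("lfi-traversal", "QUERY_STRING", r"\=(\.\./\.\.//?)+"),
    ("tmp-session", "QUERY_STRING", r"\/tmp\/sess_"),
    ("php-filter", "QUERY_STRING", r"php:\/\/filter\/read=convert\.base64-(en|de)code\/"),
    ("expose-php", "QUERY_STRING",
     r"\=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"),
    ("cookie-chars", "HTTP_COOKIE", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)"),
]
# The REQUEST_METHOD condition carries no [NC], so it is case-sensitive.
ALLOWED_METHODS = re.compile(r"^(GET|POST|HEAD|OPTIONS)")


def matching_rules(method, target, cookie=""):
    """Return the names of the rules that would fire for one request.

    `target` is the request-target from the request line (path plus raw
    query string).  Every RewriteCond in the block is chained with [OR],
    so a single hit is enough for the final RewriteRule to answer 403 ([F]).
    """
    variables = {
        "QUERY_STRING": urlsplit(target).query,
        "HTTP_COOKIE": cookie,
    }
    hits = []
    if not ALLOWED_METHODS.match(method):
        hits.append("request-method")
    for name, variable, pattern in RULES:
        if re.search(pattern, variables[variable], re.IGNORECASE):
            hits.append(name)
    return hits


# Constructed sample traffic: (method, target, cookie, rules expected to fire).
SAMPLES = [
    # ordinary shop traffic that must pass
    ("GET", "/product_info.php?products_id=28&osCsid=abc123", "", []),
    ("GET", "/index.php?cPath=22", "lang=en; osCsid=abc123", []),
    # legitimate search flagged by the SQL-function rule: "brAND", "SELECTion"
    # and "from" together satisfy (union|and|\^).*(select).*(...|from|...)
    ("GET", "/advanced_search_result.php?keywords=brand+selection+from+italy",
     "", ["sql-functions"]),
    # requests the filter is meant to reject
    ("GET", "/index.php?cPath=22&a=eval(base64_decode(x))", "", ["eval-base64"]),
    ("GET", "/index.php?id=1+union+all+select+1,2", "", ["union-all-select"]),
    ("GET", "/index.php?page=../../includes/configure.php", "", ["lfi-traversal"]),
    ("GET", "/index.php?osCsid=PHP12345678-1234-1234-1234-123456789abc", "", ["expose-php"]),
    ("GET", "/index.php", "osCsid=abc123; pref=<b>", ["cookie-chars"]),
    ("PUT", "/index.php", "", ["request-method"]),
]


def check_samples():
    """Run every sample; return the (target, got, expected) mismatches."""
    mismatches = []
    for method, target, cookie, expected in SAMPLES:
        got = matching_rules(method, target, cookie)
        if got != expected:
            mismatches.append((target, got, expected))
    return mismatches


if __name__ == "__main__":
    for method, target, cookie, _ in SAMPLES:
        result = matching_rules(method, target, cookie) or "pass"
        print(f"{method} {target:<70} -> {result}")
    print("mismatches:", check_samples())
```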
  4. When it comes to that particular error, the webserver does not give you any indication of what the cause would be. So your options are to go through each section and comment them out to see which is conflicting with your webserver configuration. Performance-wise it is not optimal to have more than one occurrence of RewriteEngine On, but in most cases users are rewriting URLs anyway; however, 99% of the time with this code, where the filtering finds no conditions met, the page loads as it should with no extra work done by the server. Keep in mind the point of having this discussion up under this section is for the development of this script, which means it will have bugs in it, since it has not been tested in the wild nor have we had any of the htaccess people come in here and pull it apart, which I hope will happen sooner rather than later. I had a bit of a play with it yesterday and found a number of issues and will be pasting an update in a day or so. But that gives you some idea about why it is not ready for production use yet.
  5. Yes I can certainly see that your intentions are good, and for your conditions you are doing what you can to add every possible layer of security in so as to reduce the chances of your site being attacked to the lowest degree possible. In my experience though, adding this method into an addon as I mentioned above can lead to people depending on it more than one should, no matter what you write in the readme instructions. For example, even though I put in the readme when I first released this alongside osC_Sec that this was only for those experienced with htaccess, and to basically not use it unless you really know what you are doing, well, surprise surprise, as soon as I released it I started getting emails from people who obviously have no clue about htaccess and were trying to install it, asking what htaccess is and where they add the file. Same goes for that test feature I added into osC_Sec that I eventually took out: no matter how I tried to stipulate that this was merely for test purposes, many users still activated it. You can see this too with the development of osC 3.x; people are still trying to install and use it live when it is only half complete. It is possibly more a psychological thing perhaps, post-hack trauma perhaps... where people gobble up every possible security addon they can.

    The security addons available fall into a couple of categories: 1) addons that patch the security hole as their primary purpose, 2) addons that cover general security issues, thus reducing bandwidth and CPU consumption, 3) addons that patch what users thought were the security issues behind the site intrusions, before the real holes were discovered, 4) addons that make you feel better about your security but offer little or no added security and in some cases possibly less security.

    So while there is a particular set of circumstances where the method you are using above may enhance your security just a little, my guess from experience is that the moment an addon writer adds that to an addon, it will be taken out of context and in fact lead to 'less' security, rather than more. I hope that better explains the position I am trying to convey here. So rather than the scatter-gun approach of adding every security addon until you 'feel' safe, what I want to promote is that users understand what good web script security is and structure their security planning based on what really works, and therefore move away a little from those ideas that create the perception of security. There is only one real layer of security, and that responsibility lies with the code developers to use the most up-to-date secure coding methods out there. For everything else there are the following:

    1) Keep your web applications up to date. That means using the latest version of your web script no matter the cost. It was one of the dilemmas I had to face when writing osC_Sec, knowing that it was going to encourage people to keep using out-of-date versions of osCommerce; the reality though was that people were still going to use the out-of-date versions no matter what, due to the perception of security some of these other addons were giving users, since no actual specific patch was released for the security hole. There are only 2 addons I know of that provide either a partial patch or the actual patch to the specific login issue.

    2) Block attacks at the gate. Most users do not have access to the webserver configuration or for keeping it up to date with the latest server applications and extensions, so their first port of call is htaccess. Htaccess allows for a limited amount of security to be added by webspace users, because it cannot ascertain conditions, i.e. if something exists then do this or that. So what I am proposing above would probably be on the border of insanity when it comes to what htaccess should be used for. However, I do not profess to be an expert in the htaccess field, so I am leaving that open for others to pick up on. There is a limit to this, and this addon probably goes over the limit in its current state.

    3) Use tried and true methods of restricting access to directories. htaccess and htpasswd would be that method; others involve hiding admin directories.

    4) Block attacks at the script level. Filtering the HTTP requests is not the most optimal use of server resources, but it beats the amount of CPU and data resources that are expended when virus code is exploiting or hammering your site. Reducing attack requests to a mere few bytes of data is the best use of server resources.

    5) Monitoring the state of your files. SiteMonitor does a good job at this; I have not checked out the other addons. This again though is limited. For example, if a server is hacked at a root level, one of the first things an attacker could do is delete SiteMonitor and any other emailer addons. But it does what can be done from an addon level, as do any of the addons.

    As you can also see, I have not focussed on things like file permissions, which are still necessary, but to a lesser extent these days, especially with the number of web hosts moving to configurations where the PHP script has owner-level privileges. For example, having to change the configure.php file to read-only achieves what exactly, if PHP has the permission to change the file permission back to something writable? No doubt it makes users feel safer having to change the file permissions to a perceived state of read-only, but that is about where that ends. No matter the file permissions, if a local file read security hole exists, an attacker can still read the contents of any file, including the read-only configure file, to get the database username and password, which is also often the cPanel username and password where the web owner has not been careful enough. Where a local file or code include exists, an attacker can change the file permissions of any file to writable and prepend or append any code they wish to the site files, as has happened in the past. Same goes with some security holes which allow attackers to change directories and therefore look up into directories that are not in the public_html area. At the end of the day, those methods of hiding files have more of a feel-good effect to them rather than actual security enhancements. Again, best security practice in coding and the use of htaccess/htpasswd restrictions are still the number one method of best security practices.
  6. I would agree with adding something like that in as an addition to the admin htaccess if you had a static IP. The problem with adding something that has a relative security value is that people who do not understand the implications of such a thing can unintentionally put too much dependency on that method as a means of protection. We saw this with the implementation of an admin login system for osCommerce, where a good majority of newer users did not put .htaccess protection on their admin directories because there was another method that was less time-intensive to install. When the admin login bypass was discovered and let loose into the wild, the damage was far more extensive than it would have been if users had stayed with the tried and true Apache basic authentication by way of the htpasswd method. So in keeping with the idea of hardening a system, the best practice should be promoted where directory/folder protection is used as it is with osC 2.3.1, where there is both htaccess login protection as well as a script-based login method. My only dislike of the 2.3.1 method is the fact that users end up using the same username and password for both login layers, which completely defeats the purpose of using htaccess basic authentication. While it is far more convenient to only log in once, it is not asking too much in my opinion to have two separate layers of login access by having different credentials for both layers. All owners of real shops can have up to 3 layers of 'login' access to their shops: a padlock and bolt with a pull-down security roller door, a key entry for the actual door, and an alarm system which they have to unlock to get in and relock at the end of every day. What happened in the past when admin authentication was added was that new and upgraded shop owners, figuratively speaking, left the lock and bolt and pull-down roller door off.

    But I digress. Unfortunately the safest way of using that method above is to go and purchase a static IP from your internet service provider. That is the real pull-down roller door; osC_Sec working with the 2.2 range of osCommerce sites is like the real door locking system, and SiteMonitor is like your alarm system should all of that fail. That will protect you from 99.9% of unauthorized access attempts, which is about as good as it can get and is really the standard that needs to be kept for this particular layer of security. I would still encourage you to try and get a static IP first if you intend to use htaccess in that manner. Most ISPs are shifting back toward static IPs now that governments are heading toward using legislation to catch and penalize people who download music and films via file sharing. But in your case, if you are not able to add the proper htaccess basic user authentication (folder/directory protection), and are unable to get a static IP, then what you have done is better than nothing. Changing the name of your admin directory (if you haven't already done so) would be another way of further securing your site.
  7. Here is the working code, ver 1.0.1:

    ```apache
    ########## Hardcore Security for osCommerce HTACCESS v1.0.1 ###########
    ########## AUTHOR: TE TAIPO - rohepotae@gmail.com ###########
    ## See readme.txt for instructions ###########
    Options +SymLinksIfOwnerMatch
    # disable the server signature
    ServerSignature off
    # set the server administrator email
    SetEnv SERVER_ADMIN default@yourdomain.com
    # ~~~~ START OF FILTERING ~~~~~ #
    # secure htaccess and other files
    <FilesMatch "(\.htaccess|\.htpasswd)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>
    # add whatever configuration files here that are hosted on your server
    # that you want blocked
    <FilesMatch "^(php\.ini|php5\.ini)$">
    Order allow,deny
    Deny from all
    </FilesMatch>
    # disable access to the osCommerce config.php
    <Files ~ "includes/configure.php$">
    deny from all
    </Files>
    # disable access to the osCommerce admin config.php
    <Files ~ "admin/includes/configure.php$">
    deny from all
    </Files>
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    # server request method
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS) [OR]
    # osCommerce 2.2x
    RewriteCond %{THE_REQUEST} ^.*\.php/login\.php.*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*login.php\?action\=backupnow.*$ [NC,OR]
    # _REQUEST
    RewriteCond %{THE_REQUEST} \?\ HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} %20HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (showimg=|cookies=|passwd) [NC,OR]
    RewriteCond %{QUERY_STRING} (file_get_contents\(|setcookie\() [NC,OR]
    RewriteCond %{QUERY_STRING} (\,0x3a\,|unescape\(|fromcharcode|pwtoken_get|php_uname|passthru\() [NC,OR]
    RewriteCond %{QUERY_STRING} (eval\%28|eval\%2528|eval\(|base64_(en|de)code[^(]*\([^)]*\)|base64_encode.*\(.*\)) [NC,OR]
    RewriteCond %{QUERY_STRING} (JHs\=|replace\(|return\%20clk|boot\.ini|php\/password_for|announce\?info_hash) [NC,OR]
    RewriteCond %{QUERY_STRING} (\_START\_|\=alert\(|mysql\_query|\.\.\/cmd|rush\=|EXTRACTVALUE\(|phpinfo\() [NC,OR]
    RewriteCond %{QUERY_STRING} (\/frameset|\$\_SESSION|\$\_REQUEST|\$HTTP\_|mosConfig\_|inurl\:|\/iframe|onload\=) [NC,OR]
    RewriteCond %{THE_REQUEST} (allow_url_fopen|\%23include\+\<|get_defined_vars\(|\%22\'\%2f|error_reporting\(0\)) [NC,OR]
    RewriteCond %{THE_REQUEST} (fwrite\(|waitfor\%20delay|shell_exec|gzinflate\(|prompt\(|php_value\%20auto) [NC,OR]
    RewriteCond %{THE_REQUEST} (onmouseover|onmousedown|ct\(this) [NC,OR]
    RewriteCond %{THE_REQUEST} (ftp\:\/\/|1\=1\-\-|current\_user\(\)|\%3Cform|sha1\(|self\/environ) [NC,OR]
    RewriteCond %{THE_REQUEST} (\<\%3Fphp|\%\%|1\+and\+1|\/iframe|\$\_GET|document\.cookie|onload\%3d|onunload\%3d) [NC,OR]
    RewriteCond %{THE_REQUEST} (\%00|hex\_ent|ob\_starting|PHP\_SELF|etc\/passwd|shell\_exec|data\:\/\/|\$\_SERVER|\$\_POST) [NC,OR]
    RewriteCond %{THE_REQUEST} (\%bf\%5c\%27|\%bf\%27|\%ef\%bb\%bf|\%8c\%5c|\%a3\%27) [NC,OR]
    RewriteCond %{THE_REQUEST} (\=0\^\() [NC,OR]
    RewriteCond %{THE_REQUEST} (\@\@datadir|\@\@version|version\(\)|localhost|\}\)\%3B|Set\-Cookie|\%253C\%2Fscript\%253E) [NC,OR]
    RewriteCond %{THE_REQUEST} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    # http referer
    RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%00) [NC,OR]
    # mysql related
    RewriteCond %{QUERY_STRING} (null\,null|outfile|load_file) [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (order).*(by).*(\%[0-9A-Z]{0,2}) [NC,OR]
    RewriteCond %{QUERY_STRING} (waitfor|delay|shutdown).*(nowait) [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(|encode\(|encrypt\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]
    # cookies
    RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (eval\%28|eval\%2528|eval\(|information_schema) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (null\,null|outfile) [NC,OR]
    RewriteCond %{HTTP_COOKIE} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(|encode\(|encrypt\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]
    # LFI and session hijacking
    RewriteCond %{QUERY_STRING} \=(\.\./\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.//\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.\\\.\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.\\\\\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \/tmp\/sess_ [NC,OR]
    RewriteCond %{QUERY_STRING} php:\/\/filter\/read=convert\.base64-(en|de)code\/ [NC,OR]
    # if expose_php is set to on
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>
    # ~~~~ END OF FILTERING ~~~~~ #
    # OPTIONAL EXTRAS
    # Uncomment and use.
    # If Error 500 encountered then comment out
    # disable directory browsing, if error 500 encountered then comment out
    # Options All -Indexes
    # prevent folder listing, if error 500 encountered then comment out
    # IndexIgnore *
    # php_value session.use_trans_sid 0
    # auto keep the config file read only
    # chmod configure.php files 444
    # turn off magic_quotes_gpc
    # <ifmodule mod_php4.c>
    # php_flag magic_quotes_gpc off
    # </ifmodule>
    ########## End of Hardcore Security for osCommerce HTACCESS v1.0.1 #################
    ```

    Like I said, it needs work.
  8. Hardcore Security for osCommerce HTACCESS

    If you are familiar with editing .htaccess code then have a look through the example in the htaccess_code.txt. To use it, copy and paste the entire contents, appending to the end of your current .htaccess file in the root catalog shop directory. If any 500 internal errors occur, try commenting out parts of the code. If all else fails, just be sure to use this addon here ( http://addons.oscommerce.com/info/8283 ) as it does what Hardcore Security for HTACCESS does plus more.

    If you are using both the IP address banning and email notification and notice that you are receiving dozens of notifications per hour, then using the code examples in this htaccess file will help reduce the load on your server considerably.

    Finally, a warning about htaccess filtering. This is hardcore request filtering and 'can' prevent legitimate requests from completing in odd circumstances, for example where a site is heavily modified with custom code not a part of the osCommerce codeset. Secondly, Hardcore Security for HTACCESS is about as good as it gets (or at least, it attempts to be...) with htaccess hardening in terms of blocking the usual hack attempts, although like any addon security script, it cannot block them all. But what it does do is reach the limits of the potential of what can be achieved in blocking hack attempts using directives in htaccess. Only add this to your root directory's .htaccess file if you are experienced in .htaccess code, or else have an expert look at it and implement it on your behalf. While this method is not as thorough as osC_Sec ( http://addons.oscommerce.com/info/8283 ) in blocking attack attempts, blocking a majority of attacks before the PHP is executed is far less server intensive, so it will at least lighten the load on your webserver if it receives a lot of attention from attackers. Unlike other .htaccess addons, this one does not ban IP addresses. It does not have to, because a blocked attempt is a blocked attempt. I am leaving this addon open for others to develop as it needs work.

    See it here: http://addons.oscommerce.com/info/8296

    Taipo
    rohepotae@gmail.com
  9. Updated Security Thread

    recover_cart_sales.php is from an addon http://www.oscommerce.com/community/contributions,1688
  10. osc_sec question

    Glad to help. While osC_Sec plugs most of the holes in the proverbial dyke for the 2.2 range, because you are using 2.2, I would still suggest you use Sitemonitor if you were considering not using it.
  11. osc_sec question

    Basically the same. I've uploaded osC_Sec again in the addons section so as to give a better description in the main description box. See the old one here http://addons.oscommerce.com/info/7834 versus the new one here http://addons.oscommerce.com/info/8283 In the process I felt it pertinent to give it a different version number since that will be the last update....yunno...end on a round number. ; ) There is a slight difference in the code but not enough to warrant users having to update. I will leave that up to you.
  12. osc_sec question

    Version 2.3.1 does not actually 'need' any of the security addons although it doesn't hurt to use a few of them. osC_Sec was designed for versions earlier than 2.3 so is not mandatory to use on 2.3 and higher. On the issue of updates, the last update 4.2[r8] will be the final update unless some issues arise.
  13. getIPAddress() development

    I guess if the IP address is only used for general logging purposes, and callback companies do not exclusively depend on the IP address as their method of security, then yes, in the case when it's a callback, the REMOTE_ADDR should be the only IP address used....assuming 3rd party processors' IPs are the REMOTE_ADDR... The point there is to keep in mind that the REMOTE_ADDR can often be (as is the case with Rackspace when https is on) the upline load balancing proxy, so that would introduce more problems than it solves if left merely to calling the REMOTE_ADDR for callbacks, for example on the Rackspace type cluster configurations.
  14. Some webhosts do not allow 444 to be set via a web-based file manager. That is also true for FTP as well. However, usually on those configurations I have found that PHP has owner-level privileges anyway, so you can use PHP itself to change the permissions. Try this below. Make a file, call it whatever you want, and add the following code:

    ```php
    <?php
    error_reporting(0);
    // Set both configure.php files to read-only (0444); if either chmod fails, bounce back to the shop index.
    if ( ( !chmod( "includes/configure.php", 0444 ) ) || ( !chmod( "admin/includes/configure.php", 0444 ) ) ) {
        header( "Location: ./index.php" );
    }
    ?>
    ```

    Upload it into your catalog directory for your shop and then browse to it in your web browser. It should set both config files to 444 for you. If you have changed the name of your admin directory, then replace the 'admin' in the code above with your new admin name. Once it's done, you can safely delete the file you used to make the change.
  15. SiteMonitor

    What version of osC_Sec are you using Fred? If it's the latest, then replace the following code:

    replace:

    ```php
    # Set your own x-powered-by
    # or leave as is
    header( "X-Powered-By: osC_Sec" );
    ```

    with:

    ```php
    # Set your own x-powered-by
    # or leave as is
    # header( "X-Powered-By: osC_Sec" );
    ```