Taipo

Reputation Activity

  1. Like
    Taipo got a reaction from Biancoblu in Hardcore Security for osCommerce HTACCESS   
    Here is the working code: ver 1.0.1
     

    ########## Hardcore Security for osCommerce HTACCESS v1.0.1 ###########
    ########## AUTHOR: TE TAIPO - rohepotae@gmail.com ###########
    ## See readme.txt for instructions ###########
    Options +SymLinksIfOwnerMatch

    # disable the server signature
    ServerSignature off

    # set the server administrator email
    SetEnv SERVER_ADMIN default@yourdomain.com

    # ~~~~ START OF FILTERING ~~~~~ #

    # secure htaccess and other files
    <FilesMatch "(\.htaccess|\.htpasswd)$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>

    # add whatever configuration files here that are hosted on your server
    # that you want blocked
    <FilesMatch "^(php\.ini|php5\.ini)$">
        Order allow,deny
        Deny from all
    </FilesMatch>

    # disable web access to the osCommerce configure.php files (catalog and admin).
    # <Files> matches only the file name, never a path, so the earlier
    # <Files ~ "includes/configure.php$"> and <Files ~ "admin/includes/configure.php$">
    # sections could not match anything; one FilesMatch on the bare file name
    # covers both includes/configure.php and admin/includes/configure.php
    <FilesMatch "^configure\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # server request method
    RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD|OPTIONS) [OR]

    # osCommerce 2.2x
    RewriteCond %{THE_REQUEST} ^.*\.php/login\.php.*$ [NC,OR]
    RewriteCond %{THE_REQUEST} ^.*login.php\?action\=backupnow.*$ [NC,OR]

    # _REQUEST
    RewriteCond %{THE_REQUEST} \?\ HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} \/\*\ HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} %20HTTP/1. [NC,OR]
    RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
    RewriteCond %{THE_REQUEST} (showimg=|cookies=|passwd) [NC,OR]
    RewriteCond %{QUERY_STRING} (file_get_contents\(|setcookie\() [NC,OR]
    RewriteCond %{QUERY_STRING} (\,0x3a\,|unescape\(|fromcharcode|pwtoken_get|php_uname|passthru\() [NC,OR]
    RewriteCond %{QUERY_STRING} (eval\%28|eval\%2528|eval\(|base64_(en|de)code[^(]*\([^)]*\)|base64_encode.*\(.*\)) [NC,OR]
    RewriteCond %{QUERY_STRING} (JHs\=|replace\(|return\%20clk|boot\.ini|php\/password_for|announce\?info_hash) [NC,OR]
    RewriteCond %{QUERY_STRING} (\_START\_|\=alert\(|mysql\_query|\.\.\/cmd|rush\=|EXTRACTVALUE\(|phpinfo\() [NC,OR]
    RewriteCond %{QUERY_STRING} (\/frameset|\$\_SESSION|\$\_REQUEST|\$HTTP\_|mosConfig\_|inurl\:|\/iframe|onload\=) [NC,OR]
    RewriteCond %{THE_REQUEST} (allow_url_fopen|\%23include\+\<|get_defined_vars\(|\%22\'\%2f|error_reporting\(0\)) [NC,OR]
    RewriteCond %{THE_REQUEST} (fwrite\(|waitfor\%20delay|shell_exec|gzinflate\(|prompt\(|php_value\%20auto) [NC,OR]
    RewriteCond %{THE_REQUEST} (onmouseover|onmousedown|ct\(this) [NC,OR]
    RewriteCond %{THE_REQUEST} (ftp\:\/\/|1\=1\-\-|current\_user\(\)|\%3Cform|sha1\(|self\/environ) [NC,OR]
    RewriteCond %{THE_REQUEST} (\<\%3Fphp|\%\%|1\+and\+1|\/iframe|\$\_GET|document\.cookie|onload\%3d|onunload\%3d) [NC,OR]
    RewriteCond %{THE_REQUEST} (\%00|hex\_ent|ob\_starting|PHP\_SELF|etc\/passwd|shell\_exec|data\:\/\/|\$\_SERVER|\$\_POST) [NC,OR]
    RewriteCond %{THE_REQUEST} (\%bf\%5c\%27|\%bf\%27|\%ef\%bb\%bf|\%8c\%5c|\%a3\%27) [NC,OR]
    RewriteCond %{THE_REQUEST} (\=0\^\() [NC,OR]
    RewriteCond %{THE_REQUEST} (\@\@datadir|\@\@version|version\(\)|localhost|\}\)\%3B|Set\-Cookie|\%253C\%2Fscript\%253E) [NC,OR]
    RewriteCond %{THE_REQUEST} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

    # http referer
    RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%00) [NC,OR]

    # mysql related
    RewriteCond %{QUERY_STRING} (null\,null|outfile|load_file) [NC,OR]
    RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{QUERY_STRING} (order).*(by).*(\%[0-9A-Z]{0,2}) [NC,OR]
    RewriteCond %{QUERY_STRING} (waitfor|delay|shutdown).*(nowait) [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
    # (the original had a stray "}" between elt\( and encode\( in the next line; it is "|" here)
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(|encode\(|encrypt\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
    RewriteCond %{QUERY_STRING} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

    # cookies
    RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (eval\%28|eval\%2528|eval\(|information_schema) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (null\,null|outfile) [NC,OR]
    RewriteCond %{HTTP_COOKIE} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(ascii\(|bin\(|benchmark\(|cast\(|char\(|charset\(|collation\(|concat\(|concat_ws\(|table_schema) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(conv\(|convert\(|count\(|database\(|decode\(|diff\(|distinct\(|elt\(|encode\(|encrypt\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(extract\(|field\(|floor\(|format\(|hex\(|if\(|in\(|information_schema|insert\(|instr\(|interval\(|lcase\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(left\(|length\(|load_file\(|locate\(|lock\(|log\(|lower\(|lpad\(|ltrim\(|max\(|md5\(|mid\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(mod\(|now\(|null\(|ord\(|password\(|position\(|quote\(|rand\(|repeat\(|replace\(|reverse\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(right\(|rlike\(|row_count\(|rpad\(|rtrim\(|_set\(|schema\(|sha1\(|sha2\(|sleep\(|soundex\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(space\(|strcmp\(|substr\(|substr_index\(|substring\(|sum\(|time\(|trim\(|truncate\(|ucase\() [NC,OR]
    RewriteCond %{HTTP_COOKIE} (union|and|position).*(select).*(unhex\(|upper\(|_user\(|user\(|values\(|varchar\(|version\(|xor\() [NC,OR]

    # LFI and session hijacking
    RewriteCond %{QUERY_STRING} \=(\.\./\.\.//?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.//\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.\\\.\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \=(\.\.\\\\\./?)+ [OR]
    RewriteCond %{QUERY_STRING} \/tmp\/sess_ [NC,OR]
    RewriteCond %{QUERY_STRING} php:\/\/filter\/read=convert\.base64-(en|de)code\/ [NC,OR]

    # if expose_php is set to on
    RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC]
    RewriteRule ^(.*)$ - [F,L]
    </IfModule>

    # ~~~~ END OF FILTERING ~~~~~ #

    # OPTIONAL EXTRAS
    # Uncomment and use. If Error 500 encountered then comment out

    # disable directory browsing, if error 500 encountered then comment out
    # Options All -Indexes

    # prevent folder listing, if error 500 encountered then comment out
    # IndexIgnore *

    # php_value session.use_trans_sid 0

    # auto keep the config file read only
    # chmod configure.php files 444

    # turn off magic_quotes_gpc
    # <ifmodule mod_php4.c>
    # php_flag magic_quotes_gpc off
    # </ifmodule>

    ########## End of Hardcore Security for osCommerce HTACCESS v1.0.1 #################
     
    Like I said, it needs work.
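An added Python harness (my own code, not part of Taipo's post or the osCommerce project) that replays five of the posted RewriteCond patterns against constructed request lines, so the rules can be checked for hits and for false positives before the file goes live. The rule subset, the sample URLs and the cookie values are assumptions chosen for the demonstration; Apache's [NC] flag is mapped to re.IGNORECASE.

```python
import re

# Subset of the RewriteCond rules from the posted .htaccess, keyed by the Apache
# variable each one reads. [NC] becomes re.IGNORECASE; a RewriteCond pattern is
# an unanchored regex, so re.search is the equivalent test.
RULES = [
    ("THE_REQUEST", r"cgi-bin", re.I),
    ("THE_REQUEST", r"(\@\@datadir|\@\@version|version\(\)|localhost|\}\)\%3B|Set\-Cookie|\%253C\%2Fscript\%253E)", re.I),
    ("QUERY_STRING", r"union([^a]*a)+ll([^s]*s)+elect", re.I),
    ("QUERY_STRING", r"\=(\.\./\.\.//?)+", 0),
    ("HTTP_COOKIE", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", re.I),
]
COMPILED = [(var, re.compile(pat, flags)) for var, pat, flags in RULES]


def server_vars(method, path, query="", cookie=""):
    """Build the three variables the rules inspect from one raw request.
    THE_REQUEST is the undecoded request line and QUERY_STRING is not
    URL-decoded either, so the rules see exactly what the client sent."""
    target = path + ("?" + query if query else "")
    return {"THE_REQUEST": f"{method} {target} HTTP/1.1",
            "QUERY_STRING": query,
            "HTTP_COOKIE": cookie}


def matched_rules(vars_):
    """Variables/patterns that fire; any hit means the [F] rule answers 403."""
    return [(var, rx.pattern) for var, rx in COMPILED if rx.search(vars_[var])]


def is_blocked(method, path, query="", cookie=""):
    return bool(matched_rules(server_vars(method, path, query, cookie)))


# Constructed sample requests against an osCommerce catalog (not from the post).
SAMPLES = {
    "normal product page": ("GET", "/product_info.php", "products_id=28", "osCsid=abc123"),
    "union select in search": ("GET", "/advanced_search_result.php", "keywords=1%27+union+all+select+1%2C2", ""),
    "traversal in language param": ("GET", "/index.php", "language=../../x", ""),
    "quote in session cookie": ("GET", "/index.php", "", "osCsid=abc'123"),
    "legitimate search for the word localhost": ("GET", "/advanced_search_result.php", "keywords=localhost", ""),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        hits = matched_rules(server_vars(*req))
        verdict = "BLOCK 403" if hits else "allow"
        print(f"{label:42} -> {verdict:9} {[v for v, _ in hits]}")
```

The last sample is the kind of thing the author means by "it needs work": a shopper searching for the word localhost is refused by the same THE_REQUEST rule that targets @@version, so each pattern deserves a run against real access logs before deployment.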
  2. Like
    Taipo got a reaction from oscommerce21 in Message: I am able to write to the configuration file - can not change permissions   
    Some webhosts do not allow 444 to be set via a web based file manager. That is also true for FTP as well.
     
    However, usually on those configurations I have found that PHP has owner level privileges anyway, so you can use PHP itself to change the permissions.
     
    Try this below.
     
    Make a file, call it whatever you want and add the following code.
     

    <?php
    // hide PHP warnings from a failed chmod() so nothing is shown to the browser
    error_reporting(0);

    // try both files independently so a failure on one does not skip the other
    $catalogOk = chmod("includes/configure.php", 0444);
    $adminOk   = chmod("admin/includes/configure.php", 0444);

    // if either chmod failed, send the browser back to the shop front page
    if (!$catalogOk || !$adminOk) {
        header("Location: ./index.php");
    }
    ?>
     
    Upload it into your catalog directory for your shop and then browse to it in your web browser.
     
    It should set both config files to 444 for you.
     
    If you have changed the name of your admin directory, then replace the 'admin' in the code above with your new admin name.
     
    Once it's done then you can safely delete the file you used to make the change.