Everything posted by celextel
-
PHP Intrusion Detection System for osCommerce
celextel replied to celextel's topic in General Add-Ons Support
FAQ:

What kinds of attacks are detected by the PHPIDS
Currently the PHPIDS detects all sorts of XSS, SQL Injection, header injection, directory traversal, RFE/LFI, DoS and LDAP attacks. Through special conversion algorithms the PHPIDS is even able to detect heavily obfuscated attacks – this covers several charsets like UTF-7, entities of all forms – such as JavaScript Unicode, decimal- and hex-entities as well as comment obfuscation, obfuscation through concatenation, shell code and many other variants. Furthermore the PHPIDS is able to detect yet unknown attack patterns with the PHPIDS Centrifuge component. This component does in depth string analysis and measurement and detects about 85% to 90% of all tested vectors given a minimum length of 25 characters.

What’s required to run the PHPIDS
You need at least PHP 5.1.6 to use all features of the PHPIDS. Depending on which kind of logging and caching you chose you might need a database that is able to work together with PDO. SimpleXML is required if you wish to use the XML based filter rules – if your system doesn’t provide SimpleXML you can use the fallback JSON based rules. A nice to have for the generic attack detection is Unicode support for the PCRE engine. The PHP packages shipped with current distributions should fulfill all requirements out-of-the-box.

How to work with the impact?
The impact indicates the severity of the attack. The PHPIDS brings around 50 filter rules to detect attacks and each one of them has an impact – the more rules match on the incoming data, the more likely it’s an attack and the higher ranks the resulting impact. The impact can be received by using the $result->getImpact() on the result object. You can store the impact as session value, if you want to track an attacker's activity for some time and wish to react later – when session impact has risen to 50 or 100. A usual very first attack impact is around 5 – 10, sometimes 15 – 20. A typical XSS probing monitored by session based impact usually results in an impact of 50 – 150. So it’s pretty easy to separate the false alerts from the real attacks using session based impact.

What can be done in case the impact is very high?
There are several ways to react on high (around 15) or very high (around 25-50) impact – first and easiest would be a hard redirect – the suspicious user could be redirected to a warning page which tells him that the application considered his input malicious and asks him to stop. Meanwhile all important parameters of the user can be logged and used for forensics. Another effective way would be to destroy the user's session.

What about performance issues?
The PHPIDS is being developed under constant profiling with xdebug and performance measurements to make sure that your application will not become noticeably slower. Only request parameters are checked whose values inhabit characters besides a-Z, 0-9, @ and _. Furthermore modules like the HTML parser are only included and used in case there is input coming in with a key matching the ones given in the Config.ini / via $monitor->setHtml() for content with HTML allowed. So the performance hungry components normally won’t be loaded during about 95% of all requests. -
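The session-based impact tracking and the reactions the FAQ above describes (log, redirect to a warning page, destroy the session), as an added PHP example; it is not code from this osCommerce module or from PHPIDS itself. The ./phpids install path, the warning-page URL and the function names ids_check_request/ids_react are assumptions; IDS_Init, IDS_Monitor, getImpact() and the IDS_Log_* classes are PHPIDS's own API.

```php
<?php
// Added example: session-based impact handling as described in the PHPIDS FAQ above.
// Assumes PHPIDS 0.x under ./phpids (assumed path); IDS_* classes are the PHPIDS API.
set_include_path(get_include_path() . PATH_SEPARATOR . dirname(__FILE__) . '/phpids/lib');
require_once 'IDS/Init.php';

session_start();

// Thresholds from the FAQ: ~15 per request is "high", 25-50 "very high";
// a session that has accumulated 50-100 is a real probe rather than a false alert.
define('IDS_REQUEST_HIGH', 15);
define('IDS_SESSION_WARN', 50);
define('IDS_SESSION_KILL', 100);

function ids_check_request() {
    $request = array(
        'REQUEST' => $_REQUEST,
        'GET'     => $_GET,
        'POST'    => $_POST,
        'COOKIE'  => $_COOKIE
    );
    $init   = IDS_Init::init(dirname(__FILE__) . '/phpids/lib/IDS/Config/Config.ini');
    $ids    = new IDS_Monitor($request, $init);
    $result = $ids->run();
    $impact = $result->isEmpty() ? 0 : $result->getImpact();

    // Accumulate per session so a series of 5-10 impact probes shows up as one attacker.
    if (!isset($_SESSION['ids_impact'])) {
        $_SESSION['ids_impact'] = 0;
    }
    $_SESSION['ids_impact'] += $impact;

    if ($impact > 0) {
        // Log every hit with the file logger configured in Config.ini (forensics).
        require_once 'IDS/Log/File.php';
        require_once 'IDS/Log/Composite.php';
        $log = new IDS_Log_Composite();
        $log->addLogger(IDS_Log_File::getInstance($init));
        $log->execute($result);
    }
    return ids_react($impact, $_SESSION['ids_impact']);
}

// Decide the reaction; the returned string is what the calling page acts on.
function ids_react($impact, $session_impact) {
    if ($session_impact >= IDS_SESSION_KILL) {
        session_destroy();                     // drop the attacker's session
        return 'session_destroyed';
    }
    if ($session_impact >= IDS_SESSION_WARN || $impact >= IDS_REQUEST_HIGH) {
        header('Location: /ids_warning.php');  // warning page (assumed path)
        return 'redirected';
    }
    return $impact > 0 ? 'logged' : 'clean';
}
```

Call ids_check_request() in application_top.php before any request parameter is used, and exit after a redirect so the page body is never rendered for that request.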
PHP Intrusion Detection System for osCommerce
celextel replied to celextel's topic in General Add-Ons Support
1. This works well in osC v2.2. We have tested this only on osC v2.2. v2.1 was selected by mistake while doing the contribution upload. We are unable to change it now. We could do another upload under v2.2 if required.
2. Please visit the following websites to know more about its functioning:
http://php-ids.org/downloads/
http://www.h-online.com/security/features/Getting-started-with-the-PHPIDS-intrusion-detection-system-746233.html
3. Yes, it does the following:
[i] Detects form input with attempts at injecting PHP or MySQL code
[ii] Detects attempts to run arbitrary PHP scripts from the browser
[iii] Detects injection attacks via URL Query Strings
4. PHPIDS is a unique Intrusion Detection System which is already popular. We have not seen this type of software elsewhere. We also do not have this type of software in the existing osCommerce contributions.
5. Yes, this works in conjunction with other security measures. This might not replace any other contribution. PHPIDS enables you to see who’s attacking your site and how, all without the tedious trawling of log files or searching hacker forums for your domain. Web applications are regularly threatened by attacks that try to exploit programming weaknesses. The PHP-based, open source PHPIDS solution detects attempted intrusions and raises the alarm when a threat is identified. PHPIDS helps protect PHP-based applications from Cross-Site-Scripting, SQL-Injection and other attacks. The simplest scenario involves logging attacks to establish whether a site is being targeted and requires further protective measures. Installing PHPIDS is usually only a matter of a few simple steps. -
PHP Intrusion Detection System for osCommerce
celextel replied to celextel's topic in General Add-Ons Support
This module [front end] automatically creates the database during its first intrusion [test] call. -
PHP Intrusion Detection System for osCommerce
celextel replied to celextel's topic in General Add-Ons Support
Additional Note: This module [front end] automatically creates the database during its first call. Access the website pages and do the testing as mentioned by us, after installing the catalog portion, before going to the admin for accessing the log report. -
PHP Intrusion Detection System for osCommerce
Module to include PHPIDS into osCommerce to Log and Prevent Intrusions
http://addons.oscommerce.com/info/7368
PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user’s session.
-
Hello, We are also getting multiple emails for the same order for the last one month or so. There is some problem with this module or with Paypal IPN notification. We had to de-activate this module. Please give us a solution to this problem if there is any. Thanks, Lakshmanan
-
[Contribution] Define Content 1.x Support
celextel replied to surfalot's topic in General Add-Ons Support
Thanks. It is showing up correctly now. We have made the define content to load before the language file in the application_top.php. Thanks. -
Purchase Without Account Updated & Admin Functionality
celextel replied to a topic in General Add-Ons Support
Hello, "PWA Customer Account Delete Addon" has been added to the contribution at the following URL: http://addons.oscommerce.com/info/355 Please make those changes to delete the temporary customer account after a customer does the purchase through PWA. Temporary customer account created through PWA also gets deleted if the customer does the logoff before completing the purchase. My Account and Logoff links would not show up after the Checkout Success. Lakshmanan -
[Contribution] Define Content 1.x Support
celextel replied to surfalot's topic in General Add-Ons Support
Hello, Thanks for providing us this useful contribution. I have installed "Define Content 1.4". Everything is working fine.
<?php echo tep_get_defined_content('About Us'); ?>
shows up the About Us content correctly. But the same code inside a define is showing an error message. In the language file, we have the following codes:
// page title
define('TITLE', ''. STORE_NAME .'');
define('DESCRIPTIONS', 'tep_get_defined_content('Store Description');');
define('KEYWORDS', ''. STORE_KEYWORDS .'');
STORE_NAME and STORE_KEYWORDS show up the configuration_value correctly. But the code in the DESCRIPTIONS is showing the following error message:
Parse error: syntax error, unexpected T_STRING in /home/celextel/domains/lodhajewellery.in/public_html/includes/languages/english.php on line 53
Kindly let us know as to how to show up the tep_get_defined_content inside the defines. Thanks, Lakshmanan -
Dear Mr. Alex, Some of our customers [based in France and other countries] are getting "shipping address error" messages while trying to make their payment through Paypal IPN. They do not have a problem in paying through Paypal Express Checkout. We have done this addition [if (empty($state_abbr)) $state_abbr = 'none';] as suggested by you. Please let us know if anything else has to be done. Thanks, Lakshmanan S.
-
Thanks a lot.
-
Dear Mr. Alex, Thanks for the update. We are using "Order IP Recorder v1.0" for recording IP addresses for each of the orders. IP details do not get recorded for checkouts done through this Paypal IPN module, even after adding the required codes to the ipn files. We have added the codes as follows:
-----------------------------------------------------------
In /ext/modules/payment/paypal/ipn.php just after require('includes/application_top.php');
* added
$ip = $HTTP_SERVER_VARS["REMOTE_ADDR"];
$client = gethostbyaddr($HTTP_SERVER_VARS["REMOTE_ADDR"]);
$str = preg_split("/\./", $client);
$i = count($str);
$x = $i - 1;
$n = $i - 2;
$isp = $str[$n] . "." . $str[$x];
In /includes/modules/payment/payment/paypal_ipn.php
* changed:
'email_address' => $order['customers_email_address']);
* to:
'email_address' => $order['customers_email_address'],
'ipaddy' => $order['ipaddy'],
'ipisp' => $order['ipisp']);
-----------------------------------------------------------
Kindly help us as to what we should do in this regard [to get the IP details recorded]. Thanks, Lakshmanan S.
-
Thanks.
-
Dear Mr. Alex, One of our customers has got the following email message due to the Total amount mis-match:
-------------------------------------------------------------------------------------
10/03/2007 Completed [PayPal EC IPN] Transaction ID: xxxxxxxx Payment Type: PayPal Express Checkout IPN Payment Status: Completed
10/03/2007 Pending PayPal IPN Verified [Completed (PayPal account:Unverified; USD 6.58)] Toatl amount did not match Address status: unconfirmed
-------------------------------------------------------------------------------------
"Total amount did not match" messages are being generated automatically when the total amount shown in the order is in a currency other than US$. Our Transaction Currency [Paypal Express Checkout]: Only USD. We do not mind getting these messages. But the customers should not get these messages as they create confusion in them. Please guide us as to what to do in this regard. Thanks, Lakshmanan S.
-
Dear Mr. Alex, We are getting "PayPal EC IPN Error" emails with "Toatl amount did not match" for most of the payments even though the amounts are the same after installing this new version. Please help. Thanks, Lakshmanan S.
-
Thanks. Express Checkout Button remains disabled in our website. We have changed 0.02 to 0.2 in both the places in ipn.php. Thanks. Lakshmanan S.
-
Dear Mr. Alex, Okay. I would check once again. Even after completing the payment process in Sand Box for one order, it was not showing the "Express Checkout button" for the subsequent orders. If a button is provided for cancelling the payment in the store itself that may solve the problem. [This may be due to the Contribution "Customer Never Loses Cart - Even without Sign In" that we have which prolongs the Session]. Another problem is we are getting "PayPal EC IPN Error" emails with "Toatl amount did not match" for most of the payments even though the amounts are the same:
------------------------------------------------------------------
Order Number: 2139
Date Ordered: February 04, 2007
This order has been updated to the following status and requires your attention.
New status: Pending
The IPN response contained following message: [Completed (PayPal account:Verified; USD 47.41)] Toatl amount did not match Address status: confirmed OrderTotal= USD 47.41
------------------------------------------------------------------
This may be due to the invisible difference [in the decimals] as INR gets converted to USD in our store. Thanks, Lakshmanan S.
-
Dear Mr. Alex, When we enabled "Utilize Express Checkout Button" [after making the changes to checkout_shipping.php], it showed the Express Checkout Button a few times while testing. Mostly, after doing the Checkout, it is showing the ec_shipping.php with all the shipping options. After selecting one of the shipping options, it is directly taking us to the "express_checkout.php" without showing the "checkout_payment.php". Kindly do the needful so that "Express Checkout Button" is shown always at the ec_shipping.php when it is enabled. Thanks, Lakshmanan S.
-
Dear Mr. Alex, Thanks for posting this new version. This version is working fine [in the SandBox] even without implementing your modifications to our existing checkout_shipping.php. We do not want to modify this file as that process gets skipped in our Live Store if the total weight is "0". Kindly confirm that it [not modifying checkout_shipping.php] would not affect the other functions of this "PayPal Express Checkout IPN Payment Module". Thanking you, Lakshmanan S.
-
Hello, No problem with the sort order as all have unique numbers:
Money Order /DD /Wire Transfer 9
PayPal 4
PayPal Express Checkout 3
Transecute [Visa & Master Card] 1
ICICI Bank Transfer 7
Western Union Money Transfer 6
Must be something else. Please help. Thanks, Lakshmanan S.
-
Hello, Sorry, the problem is still there. Even though "PayPal Express Checkout IPN Payment Module" does not show up for a total of < 400, it does not go to the Paypal website for a total of > 400 even though it is seen as one of the payment options. We are getting the following error message:
-------------------------------------------------------
Please select a payment method for your order.
-------------------------------------------------------
We do not have this problem with other payment modules including "paypal". You may kindly check this at our following demo site: https://celextel.com/demo/index.php
As suggested, we have replaced the codes in the checkout_shipping.php around line 45 - 51:
// BOF PayPal Express Checkout IPN v0.3 beta
$paypal_ec_check = tep_db_query("SELECT configuration_id FROM " . TABLE_CONFIGURATION . " WHERE configuration_key = 'MODULE_PAYMENT_PAYPAL_EC_STATUS' AND configuration_value = 'True'");
$ec_enabled = (tep_db_num_rows($paypal_ec_check) ? 1 : 0);
if ($ec_enabled) {
  require(DIR_WS_CLASSES . 'payment.php');
  $payment_modules = new payment;
  $paypal_ec->update_status();
  $ec_enabled = (($paypal_ec->enabled)? 1 : 0);
}
And added the function exactly in the paypal_ec.php. Kindly let us know as to what to do in this regard. Thanking you, Lakshmanan S.
-
Hello, Kindly explain as to where we have to enter the minimum order total amount and minimum order weight in this function to enable this module. Thanks, Lakshmanan S.
-
Hello, Thanks for the quick response. Shipping cost is missing in the order record also. Version: paypal_express_checkout_IPN_v0_2a Just installed the new one. Yet to get new payment through that. Thanks, Lakshmanan S.
-
Hello, We have installed this module [one of the earlier versions] and the Order process email does not show up the Shipping Cost and the total amount also does not include that even though Payment Process emails are showing up everything.
Products
------------------------------------------------------
1 x Sudarshana Satakam (CDA143) = $2.30
------------------------------------------------------
Sub-Total: $2.30
Total: $2.30
-----------------------------------
PayPal Shopping Cart Contents
-----------------------------------
Item Name: Sudarshana Satakam
Item Number: 1933 (CDA143)
Quantity: 1
Total: $2.30 USD
Cart Subtotal: $2.30 USD
Shipping: $14.53 USD
Cart Total: $16.83 USD
-----------------------------------
Hope you have done the needful in the newer versions. Thanks, Lakshmanan S.
-
Hello, Thanks for this contribution. We are using the following function for disabling certain payment modules:
// disable if shipping is less than Rupees 400 - start
if($order->info['total'] < 400){
  $this->enabled = false;
}
// disable if shipping is less than Rupees 400 - end
Even though "PayPal Express Checkout IPN Payment Module" does not show up for a total of < 400, it does not go to the Paypal website for a total of > 400 even though it is seen as one of the payment options. We are getting the following error message:
-------------------------------------------------------
Please select a payment method for your order.
-------------------------------------------------------
We do not have this problem with other payment modules including "paypal". Kindly let us know as to what we should do in this regard. If possible, please add this disabling function in this module configuration itself so that it would be easy and useful. Thanks, Lakshmanan S.
---------------------------------------------------------
The function is shown as under:
---------------------------------------------------------
// class methods
function update_status() {
  global $order, $shipping;
  if ( ($this->enabled == true) && ((int)MODULE_PAYMENT_PAYPAL_ZONE > 0) ) {
    $check_flag = false;
    $check_query = tep_db_query("select zone_id from " . TABLE_ZONES_TO_GEO_ZONES . " where geo_zone_id = '" . MODULE_PAYMENT_PAYPAL_ZONE . "' and zone_country_id = '" . $order->billing['country']['id'] . "' order by zone_id");
    while ($check = tep_db_fetch_array($check_query)) {
      if ($check['zone_id'] < 1) {
        $check_flag = true;
        break;
      } elseif ($check['zone_id'] == $order->billing['zone_id']) {
        $check_flag = true;
        break;
      }
    }
    if ($check_flag == false) {
      $this->enabled = false;
    }
  }
  // disable if shipping is less than Rupees 400 - start
  if($order->info['total'] < 400){
    $this->enabled = false;
  }
  // disable if shipping is less than Rupees 400 - end
  // disable if shipping is free - start
  if ($shipping['id']=="free_free") {
    $this->enabled = false;
  }
  // disable if shipping is free - end
}
function javascript_validation() {
---------------------------------------------------------