FWR Media (author), posted November 27, 2008:

> Hi Robert, one question. It's necessary to pass through special characters like äüöÄÜÖß posted from the search box. What's the way to do it? I've found it works if I modify the function like this:
>
> ```php
> function tep_clean_get__recursive($get_var) {
>   // Whitelist: space, braces, ASCII letters and digits, German umlauts/ß, underscore, dot, hyphen.
>   // Without the /u modifier PCRE matches byte by byte, so in UTF-8 the umlauts are allowed
>   // as their individual bytes rather than as whole characters.
>   if (!is_array($get_var)) return preg_replace("/[^ {}a-zA-Z0-9ßäüöÄÜÖ_.-]/i", "", urldecode($get_var));
>   // Add the preg_replace to every element.
>   return array_map('tep_clean_get__recursive', $get_var);
> }
> ```
>
> What do you think, do you see any problems? Please comment and point me in the right direction! Thank you in advance, BJ

Yes, adding limited but valid language characters is not an issue as long as you are careful not to allow in bad characters. A shortened version that should work is:

```php
$get_var = preg_replace("/[^\s{}a-z0-9ßäüö_.-]/i", "", urldecode($get_var));
```

Signature:
Ultimate SEO Urls 5 PRO - Multi Language
Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers (a KISS contribution)
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
Black Jack 21, posted November 27, 2008:

> Yes, adding limited but valid language characters is not an issue as long as you are careful not to allow in bad characters. A shortened version that should work is:
>
> ```php
> $get_var = preg_replace("/[^\s{}a-z0-9ßäüö_.-]/i", "", urldecode($get_var));
> ```

Thank you very much!
vicster, posted December 21, 2008:

Great contribution! Thank you! I have one problem, however, and I'm pretty sure it's SecurityPro causing it. My Categories infobox has disappeared from my index page (and only from my index page). I use the ' » ' character in my categories infobox. I have tried excluding it in admin by typing the following in the 'exclude from cleansing' area: includes/boxes/categories.php but it still does not show. I did not want to type in 'categories.php' because there is also a file called categories.php in admin and I only wanted to exclude the file that is in catalog/includes/boxes/. How should I handle this? (And I'm really hoping that it is SecurityPro causing the prob - I installed a few security contribs before I noticed it was missing, dummy me!) Thanks!
FWR Media (author), posted December 21, 2008:

> Great contribution! Thank you! I have one problem, however, and I'm pretty sure it's SecurityPro causing it. My Categories infobox has disappeared from my index page (and only from my index page). I use the ' » ' character in my categories infobox. I have tried excluding it in admin by typing the following in the 'exclude from cleansing' area: includes/boxes/categories.php but it still does not show. I did not want to type in 'categories.php' because there is also a file called categories.php in admin and I only wanted to exclude the file that is in catalog/includes/boxes/. How should I handle this? (And I'm really hoping that it is SecurityPro causing the prob - I installed a few security contribs before I noticed it was missing, dummy me!) Thanks!

Turn it off, see what happens. I'd also add that allowing a file to bypass, like a plain old categories file, is not in keeping with the contribution's intentions. You should sort out the offending file, not lower your security.
vicster, posted December 21, 2008:

I forgot I could turn it off! LOL! I've been too busy pulling my hair... and comparing files again. Anyway, I turned it off and it's still not showing, so it must be another contrib causing the problem. Thank you for your quick response! It's much appreciated!
bobsi18, posted December 28, 2008:

Thanks for what looks like a great contrib... Just one question, how do I test it? I tried following the instructions on the first page (added the section to application_top, excluded product_info etc.), but as I use a contribution that rewrites the URL to a .html URL, I don't think I'm getting the results I should be. Any suggestions on what I can do to check it's working? I'll continue to test, to see if any of my other files aren't working... Thanks :)
vicster, posted December 29, 2008:

I have a question. I have installed SecurityPro and I have installed the Anti Cross Site Scripting (originally by pixclinic and then updated by someone else) as per a Tips and Tricks thread regarding securing our sites. SecurityPro seems to be working just fine. However, the anti-xss contrib is causing my 'advanced search' to stop working (taking you to a HTTP 403 page) when the 'include description' option is checked. My question is: does the anti-xss contribution do the same as the SecurityPro contribution? So that I can remove the .htaccess file (or at least the part that's breaking my advanced search)? I have deduced that it is pixclinic's part of the htaccess file that is breaking my advanced search. For more info, here is a thread I had started about this before I had figured out exactly what was causing the problem: http://www.oscommerce.com/forums/index.php?showtopic=324462 I know absolutely nothing about htaccess files and so don't know what to change or add to fix the problem. And if this contrib's purpose is being served with SecurityPro anyway, I'd like to remove it. Thanks!
FWR Media (author), posted December 29, 2008:

> I have a question. I have installed SecurityPro and I have installed the Anti Cross Site Scripting (originally by pixclinic and then updated by someone else) as per a Tips and Tricks thread regarding securing our sites. SecurityPro seems to be working just fine. However, the anti-xss contrib is causing my 'advanced search' to stop working (taking you to a HTTP 403 page) when the 'include description' option is checked. My question is: does the anti-xss contribution do the same as the SecurityPro contribution? So that I can remove the .htaccess file (or at least the part that's breaking my advanced search)? I have deduced that it is pixclinic's part of the htaccess file that is breaking my advanced search. For more info, here is a thread I had started about this before I had figured out exactly what was causing the problem: http://www.oscommerce.com/forums/index.php?showtopic=324462 I know absolutely nothing about htaccess files and so don't know what to change or add to fix the problem. And if this contrib's purpose is being served with SecurityPro anyway, I'd like to remove it. Thanks!

It is really up to you which contributions you add, and any questions related to the individual contributions should be directed at the relevant support thread. I am happy to support Security Pro, but other contributions are outside of the scope of support here.
vicster, posted December 29, 2008:

Hi! I completely understand where you are coming from :) ...I was just wondering if SecurityPro already performs the task that the Anti-XSS (htaccess file) is performing.
FWR Media (author), posted December 29, 2008 (edited):

> Hi! I completely understand where you are coming from :) ...I was just wondering if SecurityPro already performs the task that the Anti-XSS (htaccess file) is performing.

Fair enough :) All I will say is that Security Pro (used correctly) secures your querystring. There is no need, to my mind (other than standard vigilance to user input), to use more (related ONLY to the querystring).

Edited December 29, 2008 by FWR Media
vicster, posted December 29, 2008:

Thank you so much for your input! It's greatly appreciated! I can stop banging my head now. :) I think you've saved both my hair and my head in this thread! :lol:
Becki, posted January 28, 2009:

Are there any known issues of using this with STS? Thanks
Becki, posted January 29, 2009:

> Are there any known issues of using this with STS? Thanks

Installed last night and everything seems to be working great. Thanks!
FWR Media (author), posted January 29, 2009:

> Installed last night and everything seems to be working great. Thanks!

Pleasure.
mr_absinthe, posted February 4, 2009:

Hello, thank you for the contribution. I wanted to install, however I'm unable to find the code mentioned in application_top.php:

```php
// set the application parameters
$configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
while ($configuration = tep_db_fetch_array($configuration_query)) {
  define($configuration['cfgKey'], $configuration['cfgValue']);
}
```

Where can I insert your code if the above is missing from my application_top.php? I have this version: 2.2-MS2

Signature: Absinthe Original Liquor Store
mr_absinthe, posted February 5, 2009:

OK, my mistake, that code was replaced by this:

```php
// set application wide parameters
// Configuration Cache modification start
require ('includes/configuration_cache_read.php');
// Configuration Cache modification end
```

Could it cause any harm if I place your code just underneath the code above?
FWR Media (author), posted February 5, 2009:

> OK, my mistake, that code was replaced by this:
>
> ```php
> // set application wide parameters
> // Configuration Cache modification start
> require ('includes/configuration_cache_read.php');
> // Configuration Cache modification end
> ```
>
> Could it cause any harm if I place your code just underneath the code above?

No, that is the correct location.
Guest, posted March 19, 2009:

Has anyone had problems with their payment modules after installing Security Pro (even though those payment modules are excluded in admin)? In my case the return code is not handled properly and you go back to the payment page (Credit Card Error is at the top of the page) instead of checkout success. The module reads the return code as an error when Security Pro is on, no error when Security Pro is off.
mariemeh, posted March 23, 2009:

I've installed Security Pro with Ip Trap and Site Monitor as suggested in an attempt to make my site secure... and my osC Paypal IPN is now not working as it should. The store goes to the Paypal screen... the payment is made, but somehow, even though on screen it comes back to my checkout_success page, my order in my admin shows as if the payment hasn't completed when it actually did complete. I saw the note that I needed to be careful with my payment options and to test, which I did. I've been searching the forum for the last 2 days to find how to correct the issue I have and tried everything I could find, including excluding some pages through admin, and nothing works. Either I'm excluding the wrong pages or I missed something or I'm too dumb to breathe. I've searched this entire thread... I've also read the entire How To Secure my site in Tips... I've searched the forum through the search engine of the forum and moved on to searching the entire forum through Google... and I'm not finding a fix for this. I really need some help with this because after reading all that I've read I still can't figure out how, and after 2 days of this, it's creating issues that I can't see my way out of. Any help would be truly appreciated... a link to where the info might be found... or a hint to what I'm overlooking... anything and everything would be much appreciated. Thanks
mariemeh, posted March 24, 2009:

I decided to retrace my steps by removing everything in the order I had added. The first thing I removed was the Ip Trap contrib and everything is now working for Security Pro and Site Monitor in relation to Paypal IPN... My apologies... on my way to look elsewhere for my answer.
sctsang, posted May 17, 2009:

Thank you for your great contribution. Our osCommerce default language is Traditional Chinese, hence we have to exclude advanced_search.php & advanced_search_result.php so that the search box works. Can hackers inject malicious code via the search box? If so, do you have any suggestions? Thank you in advance.
FWR Media (author), posted May 17, 2009:

> Thank you for your great contribution. Our osCommerce default language is Traditional Chinese, hence we have to exclude advanced_search.php & advanced_search_result.php so that the search box works. Can hackers inject malicious code via the search box? If so, do you have any suggestions? Thank you in advance.

As standard, osCommerce uses input filtering. As long as you are using the RC2a versions of these files you should be fine. They use tep_db_prepare_input, tep_db_input and type casting on all user input added to the query. Hope that helps.
sctsang, posted May 17, 2009:

> As standard, osCommerce uses input filtering. As long as you are using the RC2a versions of these files you should be fine. They use tep_db_prepare_input, tep_db_input and type casting on all user input added to the query. Hope that helps.

Thank you for your prompt reply. I've just learnt from an online article that the only real way to defend against all malicious code injection attacks is to validate every input from every user, and the correct way to validate input is to start with a whitelist. So we'd definitely install your contribution on every osCommerce web site that we develop.
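The German-umlaut whitelist posted near the top of this thread and the Traditional Chinese search box discussed just above come down to the same question: which characters the querystring cleaner lets through, and what happens when the input is not valid text at all. The following is an added example written for this page, not Security Pro's or osCommerce's own code; it assumes a UTF-8 store running PHP 7 or later with the bundled PCRE, and `clean_querystring_value`, `LATIN_CLASS`, `UNICODE_CLASS`, `show` and the sample inputs are all constructed here.

```php
<?php
// Added example, not Security Pro or osCommerce code: a Unicode-aware
// whitelist cleaner for querystring values in the spirit of the
// tep_clean_get__recursive() variant posted in this thread.
//
// LATIN_CLASS mirrors the German variant (with /iu the upper-case
// umlauts are case-folded, so they need not be listed separately).
// UNICODE_CLASS generalises it with \p{L} / \p{N}, so a Traditional
// Chinese search term survives without excluding advanced_search.php.
// Braces stay allowed because osCommerce encodes attribute selections
// in products_id as e.g. "12{3}4" (assumed store URL format).
const LATIN_CLASS   = '/[^\s{}a-z0-9ßäüö_.\-]/iu';
const UNICODE_CLASS = '/[^\s{}\p{L}\p{N}_.\-]/u';

// Strip every character outside the whitelist, recursing into arrays
// (and cleaning their keys, which also come from the querystring).
// Under /u preg_replace() returns NULL for invalid UTF-8; that must
// never pass the raw value through, so such input becomes ''.
function clean_querystring_value($value, string $pattern = UNICODE_CLASS)
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $key => $item) {
            $cleanKey = clean_querystring_value((string)$key, $pattern);
            $out[$cleanKey] = clean_querystring_value($item, $pattern);
        }
        return $out;
    }
    $cleaned = preg_replace($pattern, '', urldecode((string)$value));
    return $cleaned === null ? '' : $cleaned;
}

// Printable form of a byte string; invalid UTF-8 is shown as hex.
function show(string $s): string
{
    $json = json_encode($s, JSON_UNESCAPED_UNICODE);
    return $json === false ? 'hex:' . bin2hex($s) : $json;
}

// Constructed sample inputs, not taken from any real store's traffic.
$samples = [
    'Kühlschrank ÖL'     => 'upper-case umlaut kept by both classes',
    '%E5%8F%B0%E7%81%A3' => 'URL-encoded "台灣": only UNICODE_CLASS keeps it',
    '12{3}4'             => 'products_id with attribute selection, unchanged',
    "foo' OR 1=1 --"     => "quote and = removed; '-' is whitelisted, so -- stays",
    '<b>x</b>'           => 'angle brackets and slash removed',
    "\xC3\x28"           => 'invalid UTF-8: NULL from preg_replace becomes ""',
];

foreach ($samples as $raw => $note) {
    printf("%-26s latin=%-20s unicode=%-20s %s\n",
        show($raw),
        show(clean_querystring_value($raw, LATIN_CLASS)),
        show(clean_querystring_value($raw)),
        $note);
}
```

The last two sample rows are the ones worth checking on any cleaner you deploy: a permitted character such as the hyphen still lets an SQL comment marker through, so the whitelist is a first layer in front of osCommerce's escaping and casting, not a replacement for them, and an invalid-UTF-8 subject silently turns `preg_replace()` into a no-op unless its NULL return is handled.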
designcraft, posted June 5, 2009:

I installed SecurityPro a couple of months back and my PCI scan passed with flying colors. But recently a new scan went through and now I am receiving an error message saying, "Possible Blind SQL injection on....." The pages that are listed are my product_info.php pages. Why is this happening now? I installed everything correctly and I just double checked the code about a half hour ago. Any suggestions? I am using version 2rc2a. Thanks!!
FWR Media (author), posted June 6, 2009 (edited):

> I installed SecurityPro a couple of months back and my PCI scan passed with flying colors. But recently a new scan went through and now I am receiving an error message saying, "Possible Blind SQL injection on....." The pages that are listed are my product_info.php pages. Why is this happening now? I installed everything correctly and I just double checked the code about a half hour ago. Any suggestions? I am using version 2rc2a. Thanks!!

What code did they suggest was used to action this SQL injection? Quite often these scans do produce false positives.

Edited June 6, 2009 by FWR Media