Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

[contribution] Security Pro - Querystring protection against hackers.


FWR Media

Recommended Posts

Modification for Languages that have Special Characters

 

...

 

IMPORTANT:

This file now MUST be saved as the correct charset, it can no longer be saved as a standard ASCII file.

 

Hello, thank you for another great contribution.

Everything seems to work fine, but situation gets complicated because of special chars in my shop. I have a polish language shop encoded in UTF-8. When I "install" the modification for languages that have Special Characters and save the file in UTF-8 encode I get a warning at the very top of my page:

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\xampp\htdocs\sklep\includes\modules\fwr_media_security_pro.php:1) in C:\xampp\htdocs\sklep\includes\functions\sessions.php on line 102

 

but the search with special char which I inserted in $lang_additions = 'Ż'; works fine. It's just that wired warning.

 

Line 102 in ...\includes\functions\sessions.php:

return session_start();

 

Any advice?

Please help.

Link to comment
Share on other sites

Any advice?

Please help.

 

It simply means that after you have edited the file it is sending information to the browser.

 

This usually means a space or BOM before the opening <?php tab.

 

Are you using a flat file editor like notepad?

Link to comment
Share on other sites

It simply means that after you have edited the file it is sending information to the browser.

 

This usually means a space or BOM before the opening <?php tab.

 

Are you using a flat file editor like notepad?

 

Thank you for quick replying. You are right, I'm using notepad++. Now I've saved the file using adobe dreamweaver and it's working.

 

Best regards!

Link to comment
Share on other sites

Thank you for quick replying. You are right, I'm using notepad++. Now I've saved the file using adobe dreamweaver and it's working.

 

Best regards!

 

notepad++ is a much better editor than Dreamweaver ( which I think is aweful ) probably you just had the settings wrong in notepadd++ e.g. saving with BOM.

Link to comment
Share on other sites

Your security addon strips / out of the $_get which is killing "Product URL"s where they are "www.somesite.com/somefolder" - it comes back as www.somesite.comsomefolder

 

Which would be better? Changing product_info.php to just create a straight link, skipping the call to redirect.php or altering the $_get cleansing to allow / through??

 

Based on you saying that allowing "/" through is a big big risk, it sounds like I should alter product_info.php to build a direct link and avoid using redirect.php - yes?

Link to comment
Share on other sites

Your security addon strips / out of the $_get which is killing "Product URL"s where they are "www.somesite.com/somefolder" - it comes back as www.somesite.comsomefolder

 

Which would be better? Changing product_info.php to just create a straight link, skipping the call to redirect.php or altering the $_get cleansing to allow / through??

 

Based on you saying that allowing "/" through is a big big risk, it sounds like I should alter product_info.php to build a direct link and avoid using redirect.php - yes?

 

Well osCommerce feel that it is fine to have the full URL in the querystring .. and it is in the case where it is coded correctly.

 

Security Pro isn't however necessary because the coding of osCommerce is bad, as it isn't it's very good, it exists to protect against all of the badly coded contributions ( which most are ).

 

Having said that I don't see why it wasn't coded like the manufacturers link like ..

 

redirect.php?action=manufacturer&manufacturers_id=1

 

Instead of ..

 

redirect.php?action=url&goto=www.matrox.com%2Fmga%2Fproducts%2Fg200_mms%2Fhome.cfm

 

Couldn't it just have been ..

 

redirect.php?action=url&goto=product&products_id=1

 

Then pull the URL from the products description table based on the products id

Link to comment
Share on other sites

Modifying the product url code for Security Pro

 

As standard osCommerce allows a link in product info which includes a URI with forward slashes. This is stripped by Security Pro so below is revised code to restore the functionality without compromising the white list or excluding redirect.php.

catalog/product_info.php

 

Find ..

 

   	<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></td>

 

Change to ..

 

    	<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=product&products_id=' . (int)$HTTP_GET_VARS['products_id'], 'NONSSL', true, false)); ?></td>

 

catalog/redirect.php

Find ..

 

	case 'url':
 	if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
   	$check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
   	if (tep_db_num_rows($check_query)) {
     	tep_redirect('http://' . $HTTP_GET_VARS['goto']);
   	}
 	}
 	break;

Change to ...

 

case 'url':
 	if ( ( isset( $HTTP_GET_VARS['goto'] ) && ( $HTTP_GET_VARS['goto'] == 'product'  ) ) && ( isset( $HTTP_GET_VARS['products_id'] ) && is_numeric( $HTTP_GET_VARS['products_id'] ) ) ) {
   	$url_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");
   	if (tep_db_num_rows($url_query)) {
     	$row = tep_db_fetch_array( $url_query );
     	tep_db_free_result( $url_query );
     	if ( tep_not_null( $row['products_url'] ) ) {
       	tep_redirect('http://' . $row['products_url']);
     	}
   	}
 	} elseif (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
   	$check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
   	if (tep_db_num_rows($check_query)) {
     	tep_redirect('http://' . $HTTP_GET_VARS['goto']);
   	}
 	}
 	break;

 

Excuse the lack of formatting and indentation but the forum currently breaks it.

Edited by FWR Media
Link to comment
Share on other sites

Modifying the product url code for Security Pro

 

As standard osCommerce allows a link in product info which includes a URI with forward slashes. This is stripped by Security Pro so below is revised code to restore the functionality without compromising the white list or excluding redirect.php.

catalog/product_info.php

 

Find ..

 

   	<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></td>

 

Change to ..

 

    	<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=product&products_id=' . (int)$HTTP_GET_VARS['products_id'], 'NONSSL', true, false)); ?></td>

 

catalog/redirect.php

Find ..

 

	case 'url':
 	if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
   	$check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
   	if (tep_db_num_rows($check_query)) {
     	tep_redirect('http://' . $HTTP_GET_VARS['goto']);
   	}
 	}
 	break;

Change to ...

 

case 'url':
 	if ( ( isset( $HTTP_GET_VARS['goto'] ) && ( $HTTP_GET_VARS['goto'] == 'product'  ) ) && ( isset( $HTTP_GET_VARS['products_id'] ) && is_numeric( $HTTP_GET_VARS['products_id'] ) ) ) {
   	$url_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");
   	if (tep_db_num_rows($url_query)) {
     	$row = tep_db_fetch_array( $url_query );
     	tep_db_free_result( $url_query );
     	if ( tep_not_null( $row['products_url'] ) ) {
       	tep_redirect('http://' . $row['products_url']);
     	}
   	}
 	} elseif (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
   	$check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
   	if (tep_db_num_rows($check_query)) {
     	tep_redirect('http://' . $HTTP_GET_VARS['goto']);
   	}
 	}
 	break;

 

Excuse the lack of formatting and indentation but the forum currently breaks it.

 

Perfect, but I mut point out that

 

   	<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></td>

 

is actually

 

   	<div class="product_url"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></div>

 

I don't *think* I changed that... but I could be wrong...

 

 

Also, aren't we "supposed" to be using $_get now? (really I don't know)

Edited by TedThompson
Link to comment
Share on other sites

Perfect, but I mut point out that

 

   	<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></td>

 

is actually

 

   	<div class="product_url"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></div>

 

I don't *think* I changed that... but I could be wrong...

 

No the original code is a td.

 

Also, aren't we "supposed" to be using $_get now? (really I don't know)

 

I always use $_GET as the long arrays are deprecated, but, the osCommerce team have decided to retain them in the core code so when changing core code I have to respect that.

Edited by FWR Media
Link to comment
Share on other sites

Security Pro has nothing to do with base file names it cleanses the querystring.

 

If you have already installed USU5 or USU5 PRO then this has already been done.

 

Thanks for your help. I'll make a note of this for my new installation of osC v 2.3.1 when I put your USU5 PRO in. Thanks again.

Link to comment
Share on other sites

After installing the Security Pro 2.0(r7) http://addons.oscommerce.com/info/5752.

 

My Advanced Search at the bottom part (search Date From, Date To) does not work properly. I entered correct date format, it came up with this warning message: "Errors have occured during the process of your form. *Invalid From Date, *Invalid To Date"

When I remove the code added on catalog/includes/application_top.php in this contribution below, it is working properly.

 include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
 $security_pro = new Fwr_Media_Security_Pro;
 // If you need to exclude a file from cleansing then you can add it like below
 //$security_pro->addExclusion( 'some_file.php' );
 $security_pro->cleanse( $PHP_SELF );

 

I am seeking the solution, if any experienced helper can help for solving this issue.

 

Thanks.

Edited by snowrabbit
Link to comment
Share on other sites

  • 2 weeks later...

I removed the old Security Pro and installed the new one.

 

It works fine on the search string.

 

It does not cleanse the Full Name, E-Mail Address, and Enquiry fields of the Contact Us (catalog/contact_us.php) page.

 

My PCI Compliance scanner says that these pages represent a Cross-Site Scripting risk, as whatever you type in comes back pre-filled in the forms. E.g., if you type "[w](o)%3Cr%3Ek|i*n^g" in as your e-mail address, the page comes back with an error message saying "Your E-Mail Address does not appear to be valid - please make any necessary corrections." The e-mail address still has "[w](o)%3Cr%3Ek|i*n^g" in it. More to the point, "<script> comes right back.

 

Is there a way to make this cleanse the input, or else is there a way that I can explain to my PCI scanning service that there is not a risk of a cross-site scripting attack here?

Link to comment
Share on other sites

Gah, there doesn't seem to be an "edit" button on this forum.

 

This is a modified 2.2 install, if that matters.

 

In other news, the un-install instructions (for old Security Pro) are wrong. This line:

 

DELETE FROM configuration_GROUP WHERE configuration_group_title = 'FWR Security Pro';

 

should be:

 

DELETE FROM configuration_group WHERE configuration_group_title = 'FWR Security Pro';

Link to comment
Share on other sites

Dan,

 

That's because Security Pro is NOT supposed to cleanse anything which is form related ($_POST). It is only meant for $_GET

 

You will need to install the following to get the forms to work:

 

http://www.oscommerce.com/forums/index.php?showtopic=313323&view=findpost&p=1477869

Link to comment
Share on other sites

Dan,

 

That's because Security Pro is NOT supposed to cleanse anything which is form related ($_POST). It is only meant for $_GET

 

You will need to install the following to get the forms to work:

 

http://forums.oscomm...dpost&p=1477869

 

Not entirely correct, forms can have the method get as well as post but in the case of contact us it is a post form.

 

As far as that contribution is concerned, I personally don't recommend it. It tries to apply Security Pro code to _POST but this is not really appropriate.

 

_POST can contain a far larger range of data, files, images, html code etc. therefore it cannot be whitelisted in the manner of _GET.

Link to comment
Share on other sites

Robert,

 

I understand that $_GET can be used in forms as well but login.php create_account.php and checkout related files all use the post method. Am I correct?

 

Also, can you give some specifics as to why you feel that it is not appropriate to use Security Pro code for $_POST ? I have done a lot of testing to ensure that all the bad data is cleansed and that we do not loose any good data from the forms by using the method mentioned above.

 

Your input is greatly appreciated.

 

Thanks

Link to comment
Share on other sites

Also, can you give some specifics as to why you feel that it is not appropriate to use Security Pro code for $_POST ?

 

I already said, _POST can contain a very wide range of data types so it is not appropriate to white list on a site wide basis.

 

The best way to deal with _POST ( and any user input in fact _GET, _POST, _COOKIE ) is to validate or type cast the expected key => values for a given file, this should always be done in any script.

 

If you are expecting a key of my_val and a value of an int you simply do ..

 

  $my_clean_val = 0;
 if ( array_key_exists( 'my_val', $_POST ) ) {
$my_clean_val = (int)$_POST['my_val'];
 }

Edited by FWR Media
Link to comment
Share on other sites

After installing the Security Pro 2.0(r7) http://addons.oscommerce.com/info/5752.

 

My Advanced Search at the bottom part (search Date From, Date To) does not work properly. I entered correct date format, it came up with this warning message: "Errors have occured during the process of your form. *Invalid From Date, *Invalid To Date"

When I remove the code added on catalog/includes/application_top.php in this contribution below, it is working properly.

 include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
 $security_pro = new Fwr_Media_Security_Pro;
 // If you need to exclude a file from cleansing then you can add it like below
 //$security_pro->addExclusion( 'some_file.php' );
 $security_pro->cleanse( $PHP_SELF );

 

I am seeking the solution, if any experienced helper can help for solving this issue.

 

Thanks.

 

I had the same problem. I have fixed it in this

 

open includes/modules/fwr_media_security_pro.php

 

find

var $excluded_from_cleansing = array(

 

add into array ,'advanced_search_result.php'

 

this ok.

Edited by florist
Link to comment
Share on other sites

I had the same problem. I have fixed it in this

 

open includes/modules/fwr_media_security_pro.php

 

find

var $excluded_from_cleansing = array(

 

add into array ,'advanced_search_result.php'

 

this ok.

 

You have fixed nothing in fact you have broken something.

 

No files should be excluded unless they are payment or perhaps shipping files.

 

All you have done it stopped the search system from being white listed which is a very bad idea.

 

Just change the date so it uses hyphens instead of / or even better use the osCommerce calendar set to use hyphens.

Edited by FWR Media
Link to comment
Share on other sites

Hello all,

 

I am currently trying to set up multiple stores using OSC with Paypal Standard as the payment processor. To this end, I have succeeded in applying relevant code to both stores and have tested purchase / repayment etc and that now appears to work with both, using one PP business account. Took days of research and wonderful assistance from several contributors to this forum to achieve this result.

 

I am looking at the security of the site and am, amongst other things, looking at installing Security Pro (as well as other changes, such as changing the name of Admin file, etc). Not being a coder, I am finding the discussions about Security Pro, quite difficult to grasp. I want to 'keep things simple stupid', but am becoming bogged down and leaning towards the 'feeling stupid' end of the scale.

 

My current concern is if I installed whatever latest version of Security Pro exists, would this effect the payment processor that I have just managed to get working across my two test stores? I will keep reading to enable a better understanding of this contribution, but it is going to take some time.

 

Sorry if my questions / concerns have been raised and answered elsewhere (if they have, I will eventually find them).

Kind regards,

 

Peter...

Link to comment
Share on other sites

Robert, when upgrading to Security Pro 2.0 ( r7 )

 

When:

 

Remove the database settings

 

3) Run the below code using phpMyAdmin or your favoured method.

DELETE FROM configuration WHERE configuration_key = 'FWR_SECURITY_PRO_ON';

DELETE FROM configuration_GROUP WHERE configuration_group_title = 'FWR Security Pro';

DELETE FROM configuration WHERE configuration_key = 'FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON';

DELETE FROM configuration WHERE configuration_key = 'FWR_SECURITY_PRO_FILE_EXCLUSIONS';

 

I get

 

DELETE FROM configuration_GROUP WHERE configuration_group_title = 'FWR Security Pro';

 

MySQL

#1146 - Table 'xxxxxxxx.configuration_GROUP' doesn't exist

 

How should I proceed? Thank you

Edited by Follkes
Link to comment
Share on other sites

Robert, when upgrading to Security Pro 2.0 ( r7 )

 

When:

 

Remove the database settings

 

3) Run the below code using phpMyAdmin or your favoured method.

DELETE FROM configuration WHERE configuration_key = 'FWR_SECURITY_PRO_ON';

DELETE FROM configuration_GROUP WHERE configuration_group_title = 'FWR Security Pro';

DELETE FROM configuration WHERE configuration_key = 'FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON';

DELETE FROM configuration WHERE configuration_key = 'FWR_SECURITY_PRO_FILE_EXCLUSIONS';

 

I get

 

DELETE FROM configuration_GROUP WHERE configuration_group_title = 'FWR Security Pro';

 

MySQL

#1146 - Table 'xxxxxxxx.configuration_GROUP' doesn't exist

 

How should I proceed? Thank you

 

This is covered in this thread, it is a typo.

 

configuration_GROUP

 

Should be ..

 

configuration_group

Link to comment
Share on other sites

 

My current concern is if I installed whatever latest version of Security Pro exists, would this effect the payment processor that I have just managed to get working across my two test stores? I will keep reading to enable a better understanding of this contribution, but it is going to take some time.

 

 

Hello all,

 

Update.

 

Just read a ton of information posted by 'Spooks' and associated contributors regarding security. Still not clicking into place for me 'yet'. Keep reading I suppose? Original newbie question still 'live' at this point until I find the answer.

Kind regards,

 

Peter...

Link to comment
Share on other sites

Hello all,

 

Update.

 

Just read a ton of information posted by 'Spooks' and associated contributors regarding security. Still not clicking into place for me 'yet'. Keep reading I suppose? Original newbie question still 'live' at this point until I find the answer.

 

Install Security Pro, test your payment system.

 

Any problems you can add the payment system file to the file excludes as per the instructions.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...