[contribution] Security Pro - Querystring protection against hackers.

FWR Media

I have the same issue as starcarlton above, so I don't know how to verify it's working. I don't think it does.... I enter (c)essna, a common search term on my site, and expect the () to get filtered out. The search box is left blank, but looking in the URL of my site www dot ecardmodels dot com, the URL at the top shows (c)essna and I expect it to just read cessna. My site has been defaced a couple of times now and I suspect SQL injection of some sort... any suggestions greatly appreciated.

Thanks in advance!

Chris

Chris Gutzmer


> I have the same issue as starcarlton above, so I don't know how to verify it's working. I don't think it does....

If you installed it correctly then it works; neither of you has "an issue".

The contents of the URL bar in the browser are irrelevant, as it contains the original query.

The server populates the $_GET superglobal with the parsed representation of the URL, then Security Pro cleanses it at source (early in the bootstrap, application_top.php).


I've downloaded the contrib tonight and installed it correctly (file uploaded to the correct path, code inserted as instructed). I did not have any errors. I closed my browser, reopened the store and did an advanced search (also looking in the description) on the term: [w](o)%3Cr%3Ek|i*n^g

The response was "no product found" and the characters remained in the search box, without anything stripped. When I do an advanced search (also looking in the description) on the term "working" I get several results as expected.

It appears to me that this isn't working. Did I miss something?

 

Here's the snippet from includes/application_top.php:

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

// Security Pro by FWR Media
include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
$security_pro = new Fwr_Media_Security_Pro;
// If you need to exclude a file from cleansing then you can add it like below
//$security_pro->addExclusion( 'some_file.php' );
$security_pro->cleanse( $PHP_SELF );
// End - Security Pro by FWR Media

if ($request_type == 'NONSSL') {
  define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
  define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}


Never mind. I applied the patch below and everything tests fine now. Thanks!

In (catalog)/includes/functions/compatibility.php

Find ..

// $HTTP_xxx_VARS are always set on php4
if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();

Replace with ..

if (PHP_VERSION >= 4.1) {
  $HTTP_GET_VARS =& $_GET;
  $HTTP_POST_VARS =& $_POST;
  $HTTP_COOKIE_VARS =& $_COOKIE;
  $HTTP_SESSION_VARS =& $_SESSION;
  $HTTP_POST_FILES =& $_FILES;
  $HTTP_SERVER_VARS =& $_SERVER;
} else {
  if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
  if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
  if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();
}

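To make concrete what the reply from FWR Media describes (PHP parses the query string into $_GET, a cleanser rewrites that array in place early in application_top.php, and the browser's URL bar is never changed) and why the compatibility.php change in the post above matters, here is an added example. It is not code from the Security Pro contribution or from osCommerce: the Demo_Querystring_Cleanser class, its whitelist pattern, the exclusion behaviour and the sample request are assumptions made for this illustration; the method names only mirror the install snippet so the flow is recognisable.

```php
<?php
// Added example, not the Security Pro contribution's code. A minimal
// bootstrap-time cleanser: strips every character outside a whitelist from
// the parsed query string, in place, before the application reads it.
// Class name, pattern, exclusion logic and sample request are assumptions.

class Demo_Querystring_Cleanser
{
    // Whitelist: whitespace, braces, letters, digits, underscore, dot, dash.
    // Everything else is removed (assumed pattern for this example).
    private $pattern = '/[^\s{}a-z0-9_\.\-]/i';
    private $exclusions = array();

    // Scripts listed here get their parameters untouched, e.g. a payment
    // gateway callback whose signed fields must not be altered.
    public function addExclusion($script)
    {
        $this->exclusions[] = basename($script);
    }

    // Recurse into arrays (foo[]=a&foo[]=b) so nested values are not missed.
    public function cleanseValue($value)
    {
        if (is_array($value)) {
            return array_map(array($this, 'cleanseValue'), $value);
        }
        return preg_replace($this->pattern, '', (string) $value);
    }

    // Rewrites $get in place unless the current script is excluded.
    // Returns true when the array was cleansed, false when it was skipped.
    public function cleanse(array &$get, $php_self)
    {
        if (in_array(basename($php_self), $this->exclusions, true)) {
            return false;
        }
        $get = $this->cleanseValue($get);
        return true;
    }
}

// --- Constructed request, as PHP sees it before application_top.php runs ---
$request_uri = '/advanced_search_result.php?keywords=%5Bw%5D%28o%29%3Cr%3Ek%7Ci*n%5Eg&search_in_description=1';
$_GET = array();
parse_str(parse_url($request_uri, PHP_URL_QUERY), $_GET);

// osCommerce reads $HTTP_GET_VARS. With a reference (the compatibility.php
// change above) cleansing $_GET is visible through it; with an independent
// copy it is not, and the raw characters reach the search page.
$HTTP_GET_VARS =& $_GET;
$HTTP_GET_VARS_copy = $_GET;

$cleanser = new Demo_Querystring_Cleanser();
$cleanser->cleanse($_GET, '/advanced_search_result.php');

echo "URL bar (never rewritten): $request_uri\n";
echo "keywords via reference: " . $HTTP_GET_VARS['keywords'] . "\n";
echo "keywords via copy:      " . $HTTP_GET_VARS_copy['keywords'] . "\n";

// The repopulated search box. Output encoding is still required: a
// whitelist on input is not a substitute for htmlspecialchars() on output.
echo '<input type="text" name="keywords" value="'
   . htmlspecialchars($HTTP_GET_VARS['keywords'], ENT_QUOTES, 'UTF-8') . '">' . "\n";

// An excluded script keeps its parameters exactly as sent (constructed value).
$cleanser->addExclusion('cc_via_migs.php');
$callback = array('gateway_signature' => 'A1B2+C3/D4==');
$changed = $cleanser->cleanse($callback, '/cc_via_migs.php');
echo "excluded script cleansed? " . ($changed ? 'yes' : 'no')
   . "; signature: " . $callback['gateway_signature'] . "\n";
```

Run from the command line, the reference path prints "working" while the copy still holds "[w](o)<r>k|i*n^g", which is the visible difference between a working and a non-working install: the URL bar is the same in both cases, so only the value the application echoes back (here the search box) tells you anything. The exclusion shows the trade-off of addExclusion(): the callback's signature survives, but that script now receives raw input for every parameter and has to validate on its own.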

Hi,

First of all, thanks a lot for sharing this, it seems to be a very useful and important contribution.

I just installed this in my test site, and it seems to work but I'm not sure.

If I put a search string in the search box like "|C*6^5" (there is a product called C65), I get different results if I turn it on or off.

 

When switched on, the shop returns the product found correctly, and the search box shows "C65" without the dangerous characters. When switched off, it returns "no such product found" and the search box shows the full string with all the characters.

I understand this is OK and the way it's supposed to work.

 

OTOH, I have tried this:

 

 

But it simply returns the shop's normal start page, both with the contrib switched on or off. Is this normal or am I missing something? It looks to me as if it's ignoring the "fwrtest=..." parameter.

 

TIA for your time.

 

Hi Daniel

 

You are taking testing a little further than you need to, I think. Your first example of:

> If I put a search string in the search box like "|C*6^5" (there is a product called C65), I get different results if I turn it on or off.

is a perfect test, as it uses the osCommerce search system and proves that Security Pro is working as intended.

The second test will never do anything unless you add code to the site that prints out the _GET array.


Hi there,

 

Firstly, thanks for the contrib!

 

I have downloaded and installed this module and it all seems to work when tested. The only conflict I am having is with my payment module. I have added the filename (cc_via_migs.php) to the exclude list, and I am assuming this is the correct file, as it is the only one that references the payment gateway in the includes/module folder.

 

Unfortunately there is still a conflict even when I exclude the file.

 

If you could let me know if there is any other area that I need to look at then your help would be much appreciated.

 

Regards, Sam


I installed the security pro, it works, but it is too good :)

The problem is that it also removes the special Hungarian characters, so customers cannot search for words which contain the characters: őŐűŰöÖóÓéeÉeúÚáÁíÍüÜ

 

How can I enable these special characters?

 

Thank you in advance!

 

Laci from Hungary


Hi Laci

 

Read back a bit in this support thread.

 

You can add valid special language characters to the whitelist.


Thank you very much, I did not find it at first.

Now it is perfect! :thumbsup:


I see the latest Security Pro version (2.0) was released on 23 Dec 2010, i.e. after osC 2.3.1 came out.

 

Will it (Security Pro 2.0) work with my osC 2.2 RC2, or should I download Security Pro 1.02, released in 2008, which was specifically for osC 2.2x?

 

Another question.

 

How do I add these characters to be allowed:

àÀ áÁ ãà â äÄ

èÈ éÉ êÊ ëË

ìÌ íÍ ïÏ

òÒ óÓ õÕ ôÔ öÖ

ùÙ úÚ üÜ

çÇ

@ <-- for email purposes

 

My language is Portuguese, so all the characters above may be used.


Nobody? I just want to know whether the latest version of Security Pro works with osC 2.2 RC2 and how to add the letters above to the list of allowed characters.

 

I am not asking how to install it. As far as I understood, the latest Security Pro version is for osC 2.3.1, and if this is really the case then I am not sure whether I will be protected, since, like I said before, I am using osC 2.2 RC2, and thus I could be fooled into believing everything is OK while my site is vulnerable to hackers.


Has anyone heard of HTML Purifier?

 

http://htmlpurifier.org/

 

A better way to whitelist, since it doesn't remove characters, as far as I understood. Interesting that I stay awake for hours searching for things like this, but have very little knowledge of how to implement it. I will continue with my search, because I want to retain the maximum number of characters possible, including Latin-1 ones, while knowing I am safe.

 

Maybe I will start a thread about this later.


Greetings,

 

I applied this very useful contribution, and as I have special language characters in product names I made the required modifications from:

#198 -Modification for Languages that have Special Characters

 

Everything works fine now; thanks to Robert for this modification. I was just wondering about the solution:

 

In the spirit of the-smaller-whitelist-the-better couldn't the special characters be replaced with their "normal" counterparts (example: ö to o)?

 

That way no expansion of the whitelist would be necessary, as the osC search brings up products with special characters when searched for by the normal counterpart.

 

What do you think and how could one do this?


In the UK, Streamline, now part of Worldpay, are pushing hard for PCI DSS compliance. They've teamed up with TrustWave and we've been encouraged to use their TrustKeeper IP Scanning system for vulnerabilities.

 

The only item my site is failing on is XSS, despite the magnificent presence of Security Pro 2!!

 

URL: ....../product_info.php?products_id=%3Cscript%3Ealert%28TK00000004%29%3C%2Fscript%3E

Body matches:

Vulnerability type: Reflected Cross-Site Scripting

Vulnerable input type: URL Query Parameter

Vulnerable input name: products_id

 

This may be a very dubious failure, but many of us will have to deal with it.

 

Any thoughts?


I've installed version 2.0 and nothing seems to have changed. If I search using the string "[w](o)%3Cr%3Ek|i*n^g" then I get this in my URL: advanced_search_result.php?keywords=%5Bw%5D%28o%29%253Cr%253Ek%7Ci*n%5Eg&search_in_description=1

So it looks like it's not working? I'm running 2.2 RC2a with STS, and it wasn't totally clear whether 2.0 of this contrib was suitable for 2.2 or just limited to 2.3, so I went ahead and installed version 1.0.2 of the contrib... and still no change.

Any thoughts, anyone? I know a lot of contributions need to work differently when STS is installed, but I got the idea this worked fine with STS.


Sincere apologies. I was expecting the URL to look clean, but in fact I had not properly read the simple instructions, which state:

> Do the search then look back at the search box which should have been repopulated with the cleansed value. It should read "working".

So yes, my search box reads "working", whereas without the contrib it would read the full crazy string.


I installed Security Pro and it works perfectly.

I found a little problem with exact search. ("Exact matches can be searched for by enclosing keywords in double-quotes.")

Tested on an osCommerce 2.3.1 shop.

Search "Speed 2" without Security Pro: results 1 record.

With Security Pro: results 3 records.

I need some help.

Thank you in advance!

Is this good?

change:

"/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i"

 

to:

'/[^\s{}a-z0-9_\.\-"' . $lang_additions . "]/i"

 

Gergely

osCommerce based shop owner with minimal design and focused on background works. When the less is more.
Email managment with tracking pixel, package managment for shipping, stock management, warehouse managment with bar code reader, parcel shops management on 3000 pickup points without local store.

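The pattern Gergely quotes is a negated character class: everything outside the class is deleted, so any character a store needs has to be appended to it, whether the accented letters asked about by the Hungarian and Portuguese shop owners earlier in the thread or the double quote that osCommerce uses for exact-match search. The following added example is not code from Security Pro or osCommerce; it builds such a pattern from a `$lang_additions` string and shows the effect of both adjustments, and of the scanner payload from the TrustWave post, on some constructed search terms. The function names, the use of preg_quote() and the `/u` modifier are assumptions made for this illustration.

```php
<?php
// Added example, not code from the Security Pro contribution. Builds a
// whitelist pattern in the shape quoted above and shows what appending
// language letters and the double quote changes. Names are assumptions.

// $lang_additions: extra literal characters to allow. preg_quote() escapes
// anything that is special inside a character class (\ ] ^ -) so a stray
// character in the list cannot silently widen or break the class.
// /u makes PCRE treat pattern and subject as UTF-8, so an accented letter is
// matched as one character instead of byte by byte (assumes UTF-8 input).
function build_whitelist_pattern($lang_additions = '', $allow_quotes = false)
{
    $class = '\s{}a-z0-9_\.\-'
           . ($allow_quotes ? '"' : '')
           . preg_quote($lang_additions, '/');
    return '/[^' . $class . ']/iu';
}

function cleanse_keywords($keywords, $pattern)
{
    return preg_replace($pattern, '', $keywords);
}

// Letters from the Hungarian and Portuguese posts above, both cases; the
// Portuguese list also gets '@' for the e-mail case that was asked about.
$hu = 'őŐűŰöÖóÓéÉúÚáÁíÍüÜ';
$pt = 'àÀáÁãÃâÂäÄèÈéÉêÊëËìÌíÍïÏòÒóÓõÕôÔöÖùÙúÚüÜçÇ@';

$default   = build_whitelist_pattern();           // the quoted pattern as-is
$hungarian = build_whitelist_pattern($hu);
$pt_quotes = build_whitelist_pattern($pt, true);  // Portuguese plus "phrase" search

// Constructed search terms covering each case discussed in the thread.
$samples = array(
    'Kőszeg',                                // Hungarian place name
    'Conceição',                             // Portuguese product name
    'user@example.com',                      // address typed into a search box
    '"Speed 2"',                             // exact-match search from the post above
    '<script>alert(TK00000004)</script>',    // the scanner payload reported earlier
);

foreach ($samples as $term) {
    echo $term, "\n";
    echo "  default pattern        : ", cleanse_keywords($term, $default), "\n";
    echo "  + Hungarian letters    : ", cleanse_keywords($term, $hungarian), "\n";
    echo "  + Portuguese and quotes: ", cleanse_keywords($term, $pt_quotes), "\n";
}
```

With the default pattern "Kőszeg" loses its ő and "Speed 2" loses its quotes, so the exact-match search degrades into the two keywords Speed and 2; that is the three-results-instead-of-one behaviour reported above, and appending `"` to the class (as Gergely's change does) restores it. Each list only rescues its own letters, so a shop serving several languages must merge them. Two checks worth doing after changing the class: confirm the search box still renders through htmlspecialchars() with ENT_QUOTES once `"` is allowed, since that character matters inside an HTML attribute; and note that the TrustWave payload comes out as scriptalertTK00000004script, so if a scanner report shows the intact `<script>` tag in the response body, the string reached the page by a path the cleanser did not cover, and the body should be inspected for the exact payload before the finding is dismissed as dubious.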

Hello Robert,

 

I left a message on the osc_sec thread to see if the contribution could be causing a problem with translation. http://www.oscommerce.com/forums/topic/373777-oscommerce-security-osc-secphp/page__st__420__p__1625068#entry1625068

 

Here is what I wrote

 

Hi Taipo

 

Google & Babel translate do not work on my site anymore; could the OSC SEC contribution be stopping it from working?

 

I also have Security Pro 2.0 installed.

 

These are the characters Google uses

http://translate.google.com/translate?hl=en&sl=en&tl=sq&u=http%3A%2F%2Fwww.oscommerce.com%2F

 

And this is what Babel uses

 

http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Fwww.oscommerce.com%2F&lp=en_nl&btnTrUrl=Translate

 

I added %, & and = to the Security Pro whitelist, but the translation from these pages comes back as

 

blank page for Google and with an

 

error(0) for Babel

 

Are the characters used by the translation services causing a problem?

 

If so, can you please tell me what I need to do to get them working? :unsure:


Hi, very nice contribution, I only have a question. You write:

-----------------------
Find ...

if ($request_type == 'NONSSL') {

Add immediately ABOVE ...

// Security Pro by FWR Media
include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
$security_pro = new Fwr_Media_Security_Pro;
// If you need to exclude a file from cleansing then you can add it like below
//$security_pro->addExclusion( 'some_file.php' );
$security_pro->cleanse( $PHP_SELF );
// End - Security Pro by FWR Media

That's it .. all installed!
------------------------

The question is: does this contribution only work in NONSSL? Is it not necessary on the pages with SSL? Thanks for the answer. :-)


Just found this support topic again.

 

Sorry for the lack of replies :)
