FWR Media

[contribution] Security Pro - Querystring protection against hackers.


New version - Revision 11

 

Security Pro 2.0 r11

 

Compatibility:

 

osCommerce versions: 2.2 through 2.3.2

 

PHP versions: 4 through 5.4.4

 

Changelog:

Easy upgrade from r7 - overwrite one single file.

  • Code rewritten to one new class
  • Added @ to allowed characters which allows compatibility with version 2.3.2.
  • Added ability to cleanse the keys of the _GET superglobal as well as the values ( PCI reasons )
  • Added the ability to add file exclusions in application_top.php as an array:
    $security_pro->addExclusions( array )
  • Added the ability to chain add exclusions in application_top.php:
    $security_pro->addExclusion( 'some_file.php' )
                 ->addExclusion( 'some_other_file.php' );

Functionality other than this remains the same.

 

Security Pro 2.0 r11 add on


First of all thanks for making it compatible with 2.3.2, it's much appreciated. :)

 

I'd like to know where exactly in the new file do I add the following function to allow foreign characters?

 

function spro_cleanse_get_recursive( $get ) {
    /**
     * IMPORTANT - DO NOT use the below to gimp the whitelist, this should be used for valid language special characters only
     *
     * @example $lang_additions = 'åÅäÄöÖ';
     * @var string - Valid language special characters to be added to the whitelist
     */
    $lang_additions = ''; // Special language characters go here - see the example above
    if ( !is_array( $get ) ) {
        $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
        // Apply the whitelist
        $pattern = "/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i";
        $cleansed = preg_replace( $pattern, "", urldecode( $get ) );
        // Remove banned words
        $cleansed = preg_replace( $banned_string_pattern, '', $cleansed );
        // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
        return preg_replace( '@[-]+@', '-', $cleansed );
    }
    // Add the preg_replace to every element.
    return array_map( 'spro_cleanse_get_recursive', $get );
}

 

 

 

And another question, are we also meant to apply the following to the new version?

 

 

Modifying the product url code for Security Pro

 

As standard, osCommerce allows a link in product info which includes a URI with forward slashes. This is stripped by Security Pro, so below is revised code to restore the functionality without compromising the whitelist or excluding redirect.php.

 

catalog/product_info.php

 

Find ..

 

<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></td>

 

Change to ..

 

<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=product&products_id=' . (int)$HTTP_GET_VARS['products_id'], 'NONSSL', true, false)); ?></td>

 

catalog/redirect.php

 

Find ..

 

case 'url':
  if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
    $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
    if (tep_db_num_rows($check_query)) {
      tep_redirect('http://' . $HTTP_GET_VARS['goto']);
    }
  }
  break;

Change to ...

 

case 'url':
  if ( ( isset( $HTTP_GET_VARS['goto'] ) && ( $HTTP_GET_VARS['goto'] == 'product' ) ) && ( isset( $HTTP_GET_VARS['products_id'] ) && is_numeric( $HTTP_GET_VARS['products_id'] ) ) ) {
    $url_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");
    if (tep_db_num_rows($url_query)) {
      $row = tep_db_fetch_array( $url_query );
      tep_db_free_result( $url_query );
      if ( tep_not_null( $row['products_url'] ) ) {
        tep_redirect('http://' . $row['products_url']);
      }
    }
  } elseif (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
    $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
    if (tep_db_num_rows($check_query)) {
      tep_redirect('http://' . $HTTP_GET_VARS['goto']);
    }
  }
  break;

 

Excuse the lack of formatting and indentation but the forum currently breaks it.

Edited by Biancoblu



@@Biancoblu

 

You need to do nothing except overwrite the file as mentioned in the update instructions.


I'm probably missing something obvious and I'm sorry for asking, but my foreign characters get cleansed in the search box, they disappear. For example "für ihn" becomes "fr ihn".

So I have disabled sec pro until I find a fix.




@@Biancoblu

 

Security Pro was not designed specifically to be multi language, it was designed to accept only ASCII characters.

 

Trivial to add support though: -

 

function cleanseValueString( $string ) {
  $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
  // Apply the whitelist
  // Multi language mod
  $language_characters = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜ';
  $cleansed = preg_replace ( "/[^\s{}a-z0-9_\.\-@$language_characters]/i", "", urldecode ( $string ) );
  // Remove banned words
  $cleansed = preg_replace ( $banned_string_pattern, '', $cleansed );
  // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
  return preg_replace ( '@[-]+@', '-', $cleansed );
} // end method

 

You then must save the file as the correct charset ( e.g. UTF-8 or ISO-8859-1 etc )


Hi Robert,

 

Does this function cleanseValueString( $string ) replace the old function spro_cleanse_get_recursive( $get )?

 

When I try to search, for example, for the word supérieur, the search writes suprieur with the new function.

 

Thank you very much for this update and your work.

 




Regards
-----------------------------------------
Loïc


 


Hi robert,

 

My problem is the search in French (the search box). For example, the word supérieur is rewritten as suprieur. The é is deleted.

 

If I add é in $language_characters = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜé';

the search would be good, no?

 



Regards
-----------------------------------------
Loïc


 


@@Gyakutsuki

 

Yes, exactly as I told Biancoblu.


I need help. I tried to search through the pages of replies here, but to no avail.

What I don't want to do is add product_info.php to the exclusions.

I am having problems when I add a product description that has apostrophe or quotes. I must have those because the description is for mp3 albums.

Thanks



Security Pro has nothing to do with products_description .. it protects the querystring.


Hello Robert and many thanks for your marvelous contributions!

 

Two questions:

 

1) Do I need to apply the modification in product_info.php as stated above?

 

2) Do I need to have capital letters in the $lang_additions string, if I add the u modifier to the preg_replace?

 

(My site is using UTF-8)

 

Sara


Which modification? I don't remember one for product_info.php

 

Re u modifier nope just include upper and lower case.


@@FWR Media

Robert, in your post #207 you suggested changes to product_info.php, presumably so that the manufacturer's url will work. Security Pro will otherwise strip the forward slashes:

 

http://forums.oscommerce.com/topic/293326-contribution-security-pro-querystring-protection-against-hackers/page__st__200

 

Sara


@@Juto

 

Yes I see.

 

I can't see that code any more in product_info.php ( 2.3.3 ) but if it does exist in your code then it should be changed.

 

same for the redirect code.

Edited by FWR Media


I installed this but now the site just displays:

Parse error: syntax error, unexpected T_ARRAY, expecting ')' in

/-absolute path-/catalog/includes/modules/fwr_media_security_pro.php on line 64

 

Any idea?

Thanks,


@@steve-doherty

 

Sounds like your server is running an ancient version of PHP.


@@steve-doherty

 

LOL no! You are using a PHP version for which support was discontinued 5 years ago! ( 31-12-2007 )


I am getting hack attempts on one of our sites using

 

"GET /shipping.php?osCsid=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"

 

Good old Havij.

 

It is having a minor (nuisance) effect on our database, but I thought Security Pro, which we have installed on all sites, would prevent this?





Hello Robert

 

If I can add another layer of complication!

 

This whitelisting of characters works BUT

 

You have to get the case of the letter correct.

 

In Latin script you can type a or A and it will find A.

 

But with the whitelisting of characters it will only find ΜΠΟΥΖΙ if you write ΜΠΟΥΖΙ; Μπουζι will not work.

 

Any ideas on how to make foreign characters work the same as latin characters?
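A Unicode-aware take on the whitelist that addresses the case question above and Sara's earlier question about the u modifier in one place. This is an added example, not Security Pro's code: cleanseValueStringUnicode() and its $scripts parameter are hypothetical names, and it assumes PHP's bundled PCRE (UTF-8 and Unicode property support) and a site that serves UTF-8.

```php
<?php
// Added example, not Security Pro's own code. Assumes PHP's bundled PCRE
// (UTF-8 + Unicode property support) and a site that serves UTF-8.
function cleanseValueStringUnicode( $string, $scripts = array( 'Latin', 'Greek' ) ) {
    $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';

    // Whitelist letters by Unicode script instead of a hand-typed list of accented
    // characters. \p{Latin} already covers é, ü, ß ... in both cases, and \p{Greek}
    // covers ΜΠΟΥΖΙ and Μπουζι alike, so case never has to be listed twice.
    $classes = '';
    foreach ( $scripts as $script ) {
        $classes .= '\p{' . $script . '}';
    }
    // /u puts PCRE in UTF-8 mode: a multibyte character is matched as one unit, so a
    // disallowed letter is dropped whole instead of leaving a stray lead byte behind.
    $pattern = '/[^\s{}0-9_.\-@' . $classes . ']/u';

    $cleansed = preg_replace( $pattern, '', urldecode( $string ) );

    // In UTF-8 mode preg_replace() returns NULL (PREG_BAD_UTF8_ERROR) for malformed
    // input. Fail closed: an undecodable query value is discarded entirely.
    if ( $cleansed === null ) {
        return '';
    }

    // Remove banned words (same list as the contribution)
    $cleansed = preg_replace( $banned_string_pattern, '', $cleansed );

    // Collapse hyphen runs that the stripping may have produced
    return preg_replace( '/-+/', '-', $cleansed );
}

// Constructed inputs, modelled on the cases raised in this thread
$samples = array(
    'f%C3%BCr+ihn',                          // "für ihn"       -> unchanged
    'sup%C3%A9rieur',                        // "supérieur"     -> unchanged, no stray bytes
    '%CE%9C%CF%80%CE%BF%CF%85%CE%B6%CE%B9',  // "Μπουζι"        -> unchanged, mixed case ok
    '[w](o)%3Cr%3Ek|i*n^g',                  // test string     -> "working"
    "bad\xC3",                               // truncated UTF-8 -> "" (failed closed)
    // the Havij probe quoted in this thread: UNION is stripped and "--" collapsed,
    // but the rest still reaches the application, so this filter supplements,
    // never replaces, parameterised queries
    '999999.9+union+all+select+0x31303235343830303536--',
);
foreach ( $samples as $raw ) {
    echo cleanseValueStringUnicode( $raw ), "\n";
}
```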


Thanks for this cool contribution! It works great. However, I am having one issue with it. It seems to work well with any mixed characters that are entered in the search box at top, but does it protect any other input boxes on the site, such as when customers create accounts and enter email addresses and so forth? The company that does my PCI compliance says it doesn't. Please let me know if it does and I didn't follow the install instructions or something.

 

Thanks,

 

Jason


When I test Security Pro 2.0 (r7) with [w](o)%3Cr%3Ek|i*n^g, in the main page I receive:

"Products meeting the search criteria

 

There is no product that matches the search criteria"

 

and in the search box the same characters [w](o)%3Cr%3Ek|i*n^g remain; they do not become empty.

 

Does that mean that it works?

Edited by alexman

