
[contribution] Security Pro - Querystring protection against hackers.


When I test Security Pro 2.0(r7) with the [w](o)%3Cr%3Ek|i*n^g, on the main page I receive:

"Products meeting the search criteria

There is no product that matches the search criteria"

and in the search box the same characters [w](o)%3Cr%3Ek|i*n^g remain; it does not become empty.

Does that mean that it works?

Edited by alexman


@alexman

That means it is not working.

Try the test here, and see the results

http://mtrosemedia.tk/store/

On another note @FWR Media

I am having issues with characters appearing as strange symbols. Mainly the apostrophes and quotation marks in my product description.

example: http://mtrosemedia.tk/store/product_info.php/the-father-wants-you-home-p-58

Those should be quotes or apostrophes

I have product tabs and product info box installed


Thanks for the answer. Now I think it is OK, even though I cannot return to the last page. I suppose it is important to get that "working", and on the main page it is normal to receive the message:

Products meeting the search criteria

There is no product that matches the search criteria.

Edited by alexman


I hope that this add-on is still being supported here, since I don't see any activity in this thread in the last year. Maybe that's a good thing B)

 

I am currently using the KissER add-on to assist in tracking down code errors, and have been pleased with it. Now, it's time to turn my attention to security ...

 

I am looking at both your Security Pro add-on:

 

http://addons.oscommerce.com/info/7708

 

and the osC_Sec add-on by another contributor:

 

http://addons.oscommerce.com/info/8929

 

At the risk of being rude, may I ask what yours does better, or that the other doesn't do?

 

Thank you in advance!

 

Malcolm

Edited by ArtcoInc


Hi Robert @ FWR Media,

Thank you very much for your great addon.

I just installed PHPIDS on the BS-Edge version, and then your Security Pro.

I had a problem running phpids_installer.php, so I had to manually run the SQL to create 3 tables for PHPIDS.

Everything works OK using the example [w](o)%3Cr%3Ek|i*n^g you gave in the installation document.

[w](o)%3Cr%3Ek|i*n^ is still working, but if I search with [w](o)%3Cr%3Ek|i*n^g,

then I get this message:

Exception: 42S02, 1146, Table 'catalogue.phpids_intrusions' doesn't exist

but I am very sure that phpids_instrusions has been created in my database.

Can you please explain the problem and how I can resolve it?

Many thanks in advance.

Lyn

 


@ce7 Robert no longer posts here, Lyn.

Double check you have that table installed (and the spelling is correct!)



Hi,

I could not find any forum on here that deals specifically with MySQL security. And, since I do have this add-on installed, I figured I would ask here. My site is an older version, MS2.2.

I recently noticed the STORE_ZONE field in MySQL was altered. The hack came from outside the site’s admin panel. I have several security layers to secure access to that admin area.

The added entry was not a selection from the drop-down menu used to edit that field, which is based on my country’s code. I’m now looking for a solution to patch that hole.

So... I thought about revoking the rights to insert, update, delete on that configuration table from the public. However, I am not sure if that will be enough or the right way to go, or if there is a better alternative.

I’d love to know how the hack was executed and if I missed securing a form or some other entry point. However, at this time I think blocking all write access to that configuration table would likely work. Any help on this would be greatly appreciated.
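
The table-level lockdown considered in the post above, sketched for MySQL as an added example that is not part of the original thread: the storefront's database account gets read-only access to `configuration`, and an audit trigger records which account changes a setting. The database name `shop_db`, the account `shop_front` and the `configuration_audit` table are hypothetical; `configuration_key` and `configuration_value` are assumed from the stock osCommerce schema and should be checked against the actual table.

```sql
-- Added example; shop_db, shop_front and configuration_audit are hypothetical names.
USE shop_db;

-- 1. MySQL privileges are additive: a table-level REVOKE cannot carve an
--    exception out of a database-wide GRANT (ON shop_db.*). The storefront
--    account therefore gets no database-level rights, only per-table grants.
CREATE USER 'shop_front'@'localhost' IDENTIFIED BY 'REPLACE_WITH_A_LONG_RANDOM_SECRET';

-- Settings are read-only for the storefront (assumes the public side never
-- writes to this table; verify against your own add-ons first).
GRANT SELECT ON shop_db.configuration TO 'shop_front'@'localhost';

-- 2. GRANT has no "all tables except" form, so generate one statement per
--    remaining table, review the output, then run it.
SELECT CONCAT('GRANT SELECT, INSERT, UPDATE, DELETE ON `', table_schema, '`.`',
              table_name, '` TO ''shop_front''@''localhost'';') AS grant_stmt
FROM information_schema.tables
WHERE table_schema = 'shop_db'
  AND table_type = 'BASE TABLE'
  AND table_name NOT IN ('configuration', 'configuration_audit');

-- 3. Record every change to a setting, so a later tampering attempt shows
--    which database account and client host made it.
CREATE TABLE configuration_audit (
  audit_id          INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  changed_at        DATETIME     NOT NULL,
  db_account        VARCHAR(255) NOT NULL,
  configuration_key VARCHAR(64)  NOT NULL,
  old_value         TEXT,
  new_value         TEXT
);

-- Single-statement trigger body, so no DELIMITER change is needed.
-- USER() is the connecting client account, not the trigger's definer.
CREATE TRIGGER configuration_audit_upd
AFTER UPDATE ON configuration
FOR EACH ROW
  INSERT INTO configuration_audit
    (changed_at, db_account, configuration_key, old_value, new_value)
  VALUES (NOW(), USER(), OLD.configuration_key,
          OLD.configuration_value, NEW.configuration_value);

-- 4. Check the result: no line should mention shop_db.* for this account.
SHOW GRANTS FOR 'shop_front'@'localhost';
```

The storefront's database settings then point at the restricted account while the admin panel keeps a separate account that can still write to `configuration`; the trigger covers updates only, which is the kind of change described for STORE_ZONE.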

 

 

