FWR Media

[contribution] Security Pro - Querystring protection against hackers.


Hi Robert,

 

one question. It's necessary to pass through special characters like äüöÄÜÖß posted from the search box. What's the way to do it? I've found it works if I modify the function like this:

 

function tep_clean_get__recursive($get_var)
 {
   // Scalars: URL-decode, then strip everything outside the whitelist.
   // The u modifier makes PCRE treat the pattern and the value as UTF-8, so
   // each umlaut is matched as one character rather than as separate bytes.
   if (!is_array($get_var))
     return preg_replace("/[^ {}a-zA-Z0-9ßäüöÄÜÖ_.-]/iu", "", urldecode($get_var));

   // Arrays: apply the same cleaning to every element, recursively.
   return array_map('tep_clean_get__recursive', $get_var);
 }

 

What do you think, do you see any problems? Please comment and point me in the right direction!

 

Thank you in advance

BJ

 

Yes adding limited but valid language characters is not an issue as long as you are careful not to allow in bad characters.

 

A shortened version that should work is ..

 

// With u, the i modifier also folds ä/ü/ö to Ä/Ü/Ö. Note that \s admits tabs and newlines as well as spaces.
$get_var = preg_replace("/[^\s{}a-z0-9ßäüö_.-]/iu", "", urldecode($get_var));

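The question and answer above both hinge on one detail: PCRE only treats ä, Ö or ß as single characters when the pattern carries the u modifier; without it the umlauts in the character class are just their individual UTF-8 bytes. The following is an added example, not Security Pro's own code, of a recursive $_GET cleaner in the style of tep_clean_get__recursive(). The function names, the constants and the sample querystring are mine (the sample is constructed, not taken from a real request), and PHP 7 or later is assumed.

```php
<?php
// Added example, not Security Pro's own code: a recursive whitelist cleaner
// for $_GET in the style of tep_clean_get__recursive(), run in UTF-8 mode so
// that ä/Ö/ß are handled as characters rather than as loose bytes.
declare(strict_types=1);

// Allowed characters: whitespace, braces, ASCII letters and digits, the German
// umlauts and ß, underscore, dot and hyphen. The u modifier makes PCRE read the
// pattern and the subject as UTF-8; with u, the i modifier also folds ä and Ä.
const CLEAN_GET_PATTERN = '/[^\s{}a-z0-9ßäüö_.-]/iu';

// Same class without u: PCRE works on bytes, so the umlauts are present only as
// their individual UTF-8 bytes. Kept here to show what goes wrong.
const CLEAN_GET_PATTERN_BYTES = '/[^\s{}a-z0-9ßäüö_.-]/i';

/** Clean one value or, recursively, every element of a nested array. */
function clean_get_recursive($value)
{
    if (is_array($value)) {
        return array_map('clean_get_recursive', $value);
    }
    $decoded = urldecode((string) $value);
    // A subject that is not valid UTF-8 makes preg_replace() return null in
    // u mode; drop such values instead of letting them through untouched.
    if (preg_match('//u', $decoded) !== 1) {
        return '';
    }
    $cleaned = preg_replace(CLEAN_GET_PATTERN, '', $decoded);
    return $cleaned === null ? '' : $cleaned;
}

/** Byte-mode variant, for comparison only. */
function clean_get_bytes(string $value): string
{
    return (string) preg_replace(CLEAN_GET_PATTERN_BYTES, '', urldecode($value));
}

// Constructed sample querystring; not taken from the original page.
$sample_get = [
    'keywords' => 'Schr%C3%B6dinger%27s M%C3%BCsli <script>alert(1)</script>',
    'cPath'    => '21_30',
    'sort'     => '2a;DROP TABLE products',
    'filter'   => ['manufacturer' => 'Ärger & Söhne', 'price' => '10-20'],
];

var_export(clean_get_recursive($sample_get));
echo "\n";

// The byte-mode cleaner strips the second byte of Ä but leaves its first
// byte (0xC3) behind, producing invalid UTF-8; bin2hex() makes that visible.
echo bin2hex(clean_get_bytes('Ärger')), "\n";
echo bin2hex(clean_get_recursive('Ärger')), "\n";
```

Run it from the command line with php and compare the two hex lines: the byte-mode result starts with a lone c3 followed by "rger", while the UTF-8-mode result keeps c384 (Ä) intact. The same applies to any other whitelist built from non-ASCII letters, so the u modifier belongs on every such pattern.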

Thank you very much!


Great contribution! Thank you!

 

I have one problem, however, and I'm pretty sure it's SecurityPro causing it.

 

My Categories infobox has disappeared from my index page (and only from my index page). I use the ' » ' character in my categories infobox. I have tried excluding it in admin by typing in the following in the 'exclude from cleansing' area:

includes/boxes/categories.php

 

but it still does not show.

 

I did not want to type in 'categories.php' because there is also a file called categories.php in admin and I only wanted to exclude the file that is in catalog/includes/boxes/.

 

How should I handle this? (And I'm really hoping that it is SecurityPro causing the prob - I installed a few security contribs before I noticed it was missing, dummy me!)

 

Thanks!


Turn it off and see what happens.

 

I'd also add that allowing a file to bypass like a plain old categories file is not in keeping with the contribution's intentions.

 

You should sort out the offending file not lower your security.


I forgot I could turn it off! LOL! I've been too busy pulling my hair...and comparing files again.

 

Anyway, I turned it off and it's still not showing, so it must be another contrib causing the problem.

 

Thank you for your quick response! It's much appreciated!


Thanks for what looks like a great contrib... Just one question, how do I test it? I tried following the instructions on the first page (added the section to application top, excluded product_info etc), but as I use a contribution that re-writes the url to a .html url, I don't think I'm getting the results I should be. Any suggestions on what I can do to check it's working?

 

I'll continue to test, to see if any of my other files aren't working...

 

Thanks :)


I have a question. I have installed SecurityPro and I have installed the Anti Cross Site Scripting (originally by pixclinic and then updated by someone else) as per a Tips and Tricks thread regarding securing our sites. SecurityPro seems to be working just fine. However, the anti-xss contrib is causing my 'advanced search' to stop working (taking you to a HTTP 403 page) when the 'include description' option is checked.

 

My question is does the anti-xss contribution do the same as the SecurityPro contribution? So that I can remove the .htaccess file (or at least the part that's breaking my advanced search)? I have deduced that it is pixclinic's part of the htaccess file that is breaking my advanced search.

 

For more info, here is a thread I had started about this before I had figured out exactly what was causing the problem:

 

http://forums.oscommerce.com/index.php?showtopic=324462

 

I know absolutely nothing about htaccess files and so don't know what to change or add to fix the problem. And if this contrib's purpose is being served with SecurityPro anyway, I'd like to remove it.

 

Thanks!

It is really up to you which contributions you add, and any questions related to the individual contributions should be directed at the relevant support thread.

 

I am happy to support security pro but other contributions are outside of the scope of support here.


Hi! I completely understand where you are coming from :) ...I was just wondering if SecurityPro already performs the task that the Anti-XSS (htaccess file) is performing.

fair enough :)

 

All I will say is that security pro (used correctly) secures your querystring. There is no need to my mind (other than standard vigilance to user input) to use more (related ONLY to querystring).

Edited by FWR Media


Thank you so much for your input! It's greatly appreciated! I can stop banging my head now. :)

 

I think you've saved both my hair and my head in this thread!

 

:lol:

Are there any known issues of using this with STS?

 

Thanks

 

Installed last night and everything seems to be working great. Thanks!

Pleasure.

Share this post


Link to post
Share on other sites

Hello,

 

thank you for the contribution. I wanted to install, however I'm unable to find the code mentioned in application_top.php:

// set the application parameters
$configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
while ($configuration = tep_db_fetch_array($configuration_query)) {
define($configuration['cfgKey'], $configuration['cfgValue']);
}

 

Where can I insert your code if the above is missing from my application_top.php?

 

I have this version: 2.2-MS2


Absinthe Original Liquor Store


OK, my mistake, that code was replaced by this:

// set application wide parameters
// Configuration Cache modification start
 require ('includes/configuration_cache_read.php');
// Configuration Cache modification end

Could it cause any harm if I place your code just underneath the code above?


Absinthe Original Liquor Store

No that is the correct location.


Has anyone had problems with their payment modules after installing Security Pro (even though those payment modules are excluded in admin)?

In my case the return code is not handled properly and you go back to the payment page (Credit Card Error is at the top of the page) instead of checkout success. The module reads the return code as an error when security pro is on, no error when security pro is off.


The Coopco Underwear Shop

 

If you live to be 100 years of age, that means you have lived for 36,525 days. Don't waste another, there aren't many left.


I've installed Security Pro with Ip Trap and Site Monitor as suggested in an attempt to make my site secure... and my osC Paypal IPN is now not working as it should. The store goes to the Paypal screen... the payment is made but somehow, even though on screen it comes back to my checkout_success page, my order in my admin shows as if the payment hasn't completed when it actually did complete.

 

I saw the note that i needed to be careful with my payment options and to test which I did. I've been searching the forum for the last 2 days to find how to correct the issue I have and tried everything I could find including excluding some pages through admin and nothing works. Either I'm excluding the wrong pages or I missed something or I'm too dumb to breathe.

 

I've searched this entire thread... I've also read the entire How To Secure my site in Tips... I've searched the forum through the search engine of the forum and moved on to searching the entire forum through Google... and I'm not finding a fix for this.

 

I really need some help with this because after reading all that I've read I still can't figure out how and after 2 days of this, it's creating issues that I can't see my way out of.

 

Any help would be truly appreciated... a link to where the info might be found... or a hint to what I'm overlooking... anything and everything would be much appreciated. Thanks


I decided to retrace my steps by removing everything in the order I had added. The first thing I removed was the Ip Trap contrib and everything is now working for the Security Pro and Site Monitor in relation to Paypal IPN...

 

My apologies... on my way to look elsewhere for my answer.


Thank you for your great contribution.

 

Our osCommerce default language is Traditional Chinese, hence, we have to exclude advanced_search.php & advanced_search_result.php so that the search box works.

 

Can hackers inject malicious codes via the search box? If so, do you have any suggestions? Thank you in advance.

As standard, osCommerce uses input filtering.

 

As long as you are using the RC2a versions of these files you should be fine .. it uses ..

 

tep_db_prepare_input

tep_db_input

 

And type casting on all user input added to the query.

 

Hope that helps.

Thank you for your prompt reply. I've just learnt from an online article that the only real way to defend against all malicious code injection attacks is to validate every input from every user and the correct way to validate input is to start with a whitelist. So we'd definitely install your contribution on every osCommerce web site that we develop.


I installed SecurityPro a couple of months back and my PCI scan passed with flying colors. But recently a new scan went through and now I am receiving an error message saying, "Possible Blind SQL injection on....." The pages that are listed are my product_info.php pages. Why is this happening now? I installed everything correctly and I just double checked the code about a half hour ago. Any suggestions? I am using version 2rc2a. Thanks!!

What code did they suggest was used to action this SQL injection?

 

Quite often these scans do produce false positives.

Edited by FWR Media

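Two things in this thread are worth seeing side by side: the "Possible Blind SQL injection on product_info.php" finding from the PCI scan, and the earlier reply that RC2a type-casts user input before it reaches a query. The following is an added example, not osCommerce or Security Pro code, of what a boolean-based blind injection probe does and how each of three ways of handling products_id behaves under it. It assumes PHP with pdo_sqlite available and builds its own in-memory products table (constructed data); all function names are mine, and the whitelist pattern is the one from earlier in the thread.

```php
<?php
// Added example, not osCommerce or Security Pro code. It uses an in-memory
// SQLite database through PDO (pdo_sqlite assumed available) to show what a
// boolean-based blind SQL injection probe against a products_id parameter
// does, and why an (int) cast on the value makes the probe come back clean.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (products_id INTEGER PRIMARY KEY, products_model TEXT)');
    // Constructed sample rows, not real catalogue data.
    $db->exec("INSERT INTO products VALUES (1, 'SKU-1'), (2, 'SKU-2'), (3, 'SKU-3')");
    return $db;
}

// Vulnerable: the querystring value is concatenated into the SQL as-is.
function lookup_raw(PDO $db, string $products_id): array
{
    $sql = 'SELECT products_model FROM products WHERE products_id = ' . $products_id;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Querystring whitelist only (the pattern from earlier in the thread), still
// concatenated: '=' is stripped, but the surrounding SQL words survive.
function lookup_whitelisted(PDO $db, string $products_id): array
{
    $clean = (string) preg_replace('/[^\s{}a-z0-9ßäüö_.-]/iu', '', $products_id);
    return lookup_raw($db, $clean);
}

// Hardened with the type cast the reply above refers to: cast to int before
// the value touches the query, so "1 AND 1=1" becomes plain 1.
function lookup_cast(PDO $db, string $products_id): array
{
    return lookup_raw($db, (string) (int) $products_id);
}

// The probe: request products_id=1 AND 1=1 and products_id=1 AND 1=2. If the
// two responses differ, the database evaluated the injected condition, which
// is what a scanner reports as possible blind SQL injection.
function blind_probe(callable $lookup, PDO $db, string $base = '1'): string
{
    try {
        $true_case  = $lookup($db, $base . ' AND 1=1');
        $false_case = $lookup($db, $base . ' AND 1=2');
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
    return $true_case === $false_case ? 'responses identical' : 'responses differ';
}

$db = make_db();
foreach (['lookup_raw', 'lookup_whitelisted', 'lookup_cast'] as $fn) {
    printf("%-18s %s\n", $fn, blind_probe($fn, $db));
}

// A payload without '=' passes the whitelist and still changes the query;
// only the cast keeps the row count at one.
printf("%-18s %d rows for '1 OR 1'\n", 'lookup_whitelisted', count(lookup_whitelisted($db, '1 OR 1')));
printf("%-18s %d rows for '1 OR 1'\n", 'lookup_cast', count(lookup_cast($db, '1 OR 1')));
```

Run it with php from the command line. The raw lookup is the only one whose two probe responses differ, so that is the shape of query a scanner is right to flag. The whitelisted lookup answers the probe identically because the '=' is stripped and "1 AND 11" is simply true in SQL, yet "1 OR 1" still returns every product; that is why a querystring cleaner is a defence in depth, and the cast (or tep_db_input for strings) is what actually makes product_info.php safe. When a scan flags a page whose parameter is already cast, ask the scanner for the exact request it sent and reproduce it; a finding that cannot change the response is a false positive.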
