osCommerce

[contribution] Security Pro - Querystring protection against hackers.


FWR Media


You don't need to do anything but install it and turn it on in admin. It's an easy install with no room for error.

 

Thus my quandary.

 

I installed it.

I turned it on in Admin.

I still fail PCI compliance due to an XSS vulnerability.

========

I really appreciate being able to talk to the man who wrote this. Thank you for your response.

 

I have just run some more experiments and using the "[w](o)%3Cr%3Ek|i*n^g" test string I can only get a cleaned ("working") result when I enter this into the credit card name field, at check out from the shopping cart. Every other entry data field I tested remains uncleaned.

 

This proves that the routine works, it just isn't being called for every input data capture.

 

My compliance test is identifying the (customer and admin) login routine for XSS vulnerability.

 

Does any of this make sense? My assumption is that it would clean more than that one field. (I have no files excluded in admin.)

 

I guess I need to dig back into the PHP code and see what is different about the CC name field that allows it to work, and everything else that doesn't? I believe there are some specialized validation routines to test CC numbers etc.

 

Thanks for any help.

 

John Roberts


John

 

There may be a confusion between GET and POST.

 

Security Pro exclusively whitelists the querystring (GET); it does not cleanse POST data.

 

E.g. if you access your site with index.php?hack=[w](o)%3Cr%3Ek|i*n^g

 

The GET variable "hack" will be cleansed and now contain "working".

 

Forms however use POST and this is not handled by Security Pro.


I think I'm getting the picture.

 

Security pro protects GET

 

My webstore uses POST.

 

Wrong tool for my problem.

 

Thanks

 

John Roberts


No, you need Security Pro, but you must use others too to complete the picture; there is no one tool that will fix all your security and PCI issues.

 

How to secure your site: http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Thank you, Sam. I had already made some of those patches.

 

I didn't recall seeing that _post cleaner. But I am learning as I clean....

 

I just dropped that "clean posted vars" snippet into my two login files and it looks like it is working.

 

Time for another PCI compliance scan.

 

Finally some visible progress.

 

More work to go, but thanks again..

 

John Roberts


Just a quick follow up.. The POST cleaning snippet in Sam's link did the trick for thwarting my immediate "cross site scripting" vulnerability. My website is now passing PCI compliance tests.

 

I realize this is an ongoing process, so thank you all for the help and good info.

 

John Roberts

 

PS: I found several routines that use POST to input data that weren't flagged as problems by the PCI scan. I went ahead and protected everything I could find.


Just tried installing this module: upload SecurityPro_installer.php to your catalog folder, browse to it and the installation will auto insert your admin settings.

 

It's not even seeing this file; I get a 500 server error.

 

I have now removed it until i am able to confirm what I need to do to get past part 1.

Getting better with mods but no programmer am I.


Most likely you uploaded the file in the wrong mode, corrupting it.

 

You must ensure you transfer your files by ftp in the correct mode http://www.oscommerce.com/forums/topic/353800-/page__view__findpost__p__1484091

Sam

 


Installed now

 

Like many modules I had to switch off STS first, run the file and switch STS back on.

 

That appears to be normal for me; I don't know about anyone else. I had forgotten about having to switch STS off first.

 

Getting late and I am tired, but with all the attempts lately I need to make sure I get everything I can done to protect.

 

Thanks


  • 3 weeks later...

Hey Robert,

 

I really, really need your help with a problem caused by the latest version of Security Pro.

 

I am no good with PHP or any coding for that matter and have no idea what to do.

 

If I turn on Security Pro my search function no longer works properly.

 

It will find a word search of the product (product name) such as Ford, but any form of searching for the product model fails. Such as: AMT/604 or AMT 604 or AMT or 604.

 

With it turned off my search functions just fine. I can search for and find any combination of the product model #, product name, description, etc...

 

I really do need the search function working as normal as a lot of my customers search by product #.

 

I tried adding the search pages to the exclusion list in admin but that didn't help.

 

Any thoughts or ideas as to what edits need to be done to what files would be truly appreciated.

- :: Jim :: -

- My Toolbox ~ Adobe Web Bundle, XAMPP & WinMerge | Install ~ osC v2.3.3.4 -


  • 1 month later...

Robert,

A couple of pages earlier the question about Cyrillic and Greek characters was asked. There was no answer. So, again: should I modify Security Pro adding all possible national characters (incredible in some cases) or is there another way?


  • 2 months later...


 

What does STS mean??

I'm having the same problem as you were - when I try and browse to the security pro install, it just comes up with the following:

____________________________________________

Not Found

 

The requested URL /catalog/SecurityPro_installer.php was not found on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

____________________________________________

I don't know what I'm doing wrong.

Please help. What do you mean by STS and how do you turn it off? I'm working on a Mac.

 

Thank you so much!

xx


  • 3 weeks later...


 

This is the exact problem that I am having.

 

With Security Pro "off" the search box works, but with Security Pro "on" the search box does not work, it just says no products were found.

 

I read through this thread but did not see any solution to this.

 

What should I do to fix this?



 

Anyone??

Link to comment
Share on other sites

Hi,

 

Decided to add this contribution to a heavily modified site; first time round it didn't work. Un-install didn't work in SQL so had to do it manually. I have however missed something as I now get the following error. Any ideas?

 

***********

Configuration key values FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON are installed

Configuration key values FWR_SECURITY_PRO_FILE_EXCLUSIONS are installed

 

You need to DROP the above installed configuration values before I can continue

***********

 

Kind Regards

Fazer 101



 

It's written in the instructions .. Security Pro zealously restricts the values obtained from the querystring to ..

 

\s{}a-zA-Z0-9_.-

 

Anything other than that will be stripped.

 

If your code is passing other characters you should modify it so that it no longer does.

 

Your only other option is to weaken the security, which I don't recommend.

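The behaviour described in this reply and in the GET/POST explanation earlier in the thread, as an added example that is not Security Pro's own code: a whitelist built from the character class stated above (\s{}a-zA-Z0-9_.-), applied to parsed querystring values only. The function names, the parsing step and the constructed inputs are my assumptions; the real contribution's internals may differ.

```php
<?php
// Added example (mine, not Security Pro's own code): a querystring whitelist built
// from the character class the contribution's author states in this thread,
// \s{}a-zA-Z0-9_.- , applied to $_GET only. The function names and the parsing
// steps are assumptions about the contribution's behaviour, not its source.

/** Strip every character outside the stated whitelist from one value. */
function sp_whitelist(string $value): string
{
    // Cyrillic and Greek letters are multi-byte and sit outside this class,
    // so they are removed too, which is the behaviour asked about in the thread.
    return preg_replace('/[^\s{}a-zA-Z0-9_.\-]/', '', $value);
}

/**
 * Parse a raw querystring the way PHP fills $_GET (percent-decoding once) and
 * whitelist every scalar key and value. Array parameters (a[]=1) are dropped:
 * the whitelist is defined over scalars and osCommerce URLs do not need them.
 */
function sp_clean_querystring(string $query): array
{
    parse_str($query, $params);
    $clean = [];
    foreach ($params as $key => $value) {
        if (is_array($value)) {
            continue;
        }
        $clean[sp_whitelist((string) $key)] = sp_whitelist((string) $value);
    }
    return $clean;
}

// Constructed querystrings: the thread's test string, two search terms that the
// whitelist damages, and one that is already clean.
$queries = [
    'hack=[w](o)%3Cr%3Ek|i*n^g', // -> hack=working: [ ] ( ) < > | * ^ all stripped
    'keywords=AMT/604',          // -> keywords=AMT604: the slash goes, so a model search misses
    "keywords=O'Neil",           // -> keywords=ONeil: the single quote goes
    'cPath=21&sort=2a&max=x',    // unchanged: every character is in the class
];
foreach ($queries as $query) {
    echo str_pad($query, 30), ' => ', http_build_query(sp_clean_querystring($query)), "\n";
}

// The same payload in a form body is not touched by a querystring filter, which
// is why POST fields still came back "uncleaned" in the scan described earlier.
parse_str('cc_owner=[w](o)%3Cr%3Ek|i*n^g', $post);
echo 'POST cc_owner as PHP sees it: ', $post['cc_owner'], "\n"; // [w](o)<r>k|i*n^g
```

The second and third inputs show why the search questions in this thread arise: a model number such as AMT/604 loses its slash before it reaches the search query, so the LIKE match fails, and the filter is working exactly as specified. The fix the author recommends is to stop passing such characters in the querystring (for example, search on the model number without the slash, or post the search form), not to widen the class.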


 

Sure you have tried to manually remove the correctly installed database entries and not succeeded in doing so. The values that were originally added are in the file SecurityPro_installer.php.

 

What do you mean "it didn't work" there is nothing there to not work.



 

Sorry, worked it out; just a case of me being knackered and having a deadline of tomorrow to finish the site.

 

When I navigated to www.name.co.uk/SecurityPro_installer.php the first time it didn't fully load. But it had added some bits to the Database, if I had been a little more awake I would have noticed that there was a second page or rows for my 'config' database. Deleted the two that had been installed. Re-installed, first time with no errors.

 

Sorry for wasting you time.

 

Regards

 

Fazer 101



 

So can I just add the ' character to the allowed list? If so, how would I do that?

 

Because apparently that is the only character that I am experiencing a problem with.



 

 

As I said you can lessen the security .. but you shouldn't .. there is no reason whatsoever for a single quote to be in the querystring.


  • 2 weeks later...

Hi Robert,

 

As Spooks seems to have left the building, I'm hoping you can help with something he'd mentioned in his popular 'How to secure your site' thread.

 

FORMS:

 

Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

 

after:

 

require('includes/application_top.php');

 

 

add:

 

 

// clean posted vars
// (foreach replaces the original reset()/each() loop; each() was removed in PHP 8)
foreach ($_POST as $key => $value) {
    if (!is_array($value)) {
        // keep only whitelisted characters in each scalar value
        $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($value));
    } else {
        unset($_POST[$key]); // no arrays expected
    }
}

 

 

 

This does not allow for arrays, additional code is needed if they are used.

 

With a new domain I'm again getting these PCI errors that I'm not exactly sure how I fixed the first time around:

MySQL Database Error Disclosure Vulnerability, Potentially Exploitable Database Error Message

 

 

McAfee tells me that it's a legitimate error since if I enter http://www.my-domain.com/?cPath=21&sort=2a&max=x' it'll output a 1064 error and a long message.

 

Security Pro has worked great for me, but I can't figure out these errors and so I'm hoping this extra code may help. Could you elaborate on Spook's addendum? Or specifically for non-coders like myself, is there a short list of files that should have this modification (create_account, contact_us, etc)? Or should I try to install Spook's anti-hacker account mods, which looks like it'll be a nightmare to set up properly?

 

Thanks for the help,

 

Nick

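An added example, not from Spooks' thread or the Security Pro contribution, for the sentence above that says the snippet needs additional code for arrays: the quoted loop deletes every array value, and osCommerce does post arrays (product attributes as id[], cart quantities as cart_quantity[]), so a page that accepts them would lose that data. This version walks nested arrays instead. The whitelist is the snippet's own; the function name, the depth cap, the skip list and the constructed POST body are my additions.

```php
<?php
// Added example (mine, not from Spooks' thread or the Security Pro contribution):
// a recursive version of the "clean posted vars" snippet. The character class is
// the snippet's; the depth cap, skip list and sample POST body are my additions.

const POST_WHITELIST = '/[^ a-zA-Z0-9@%:{}_.-]/';
const POST_MAX_DEPTH = 4; // refuse absurdly nested input instead of recursing forever

/**
 * Return a cleaned copy of $input.
 *  - scalars: urldecode once more (as the quoted snippet does, to collapse a
 *    second encoding layer), then strip everything outside the whitelist;
 *  - arrays: clean each value recursively; string keys get the same whitelist
 *    because they reach SQL and HTML as often as values do;
 *  - top-level keys named in $skip are returned untouched (see the note on passwords).
 */
function clean_posted_vars($input, array $skip = [], int $depth = 0)
{
    if (!is_array($input)) {
        return preg_replace(POST_WHITELIST, '', urldecode((string) $input));
    }
    if ($depth >= POST_MAX_DEPTH) {
        return [];
    }
    $out = [];
    foreach ($input as $key => $value) {
        if ($depth === 0 && in_array($key, $skip, true)) {
            $out[$key] = $value;
            continue;
        }
        $cleanKey = is_int($key) ? $key : preg_replace(POST_WHITELIST, '', $key);
        $out[$cleanKey] = clean_posted_vars($value, $skip, $depth + 1);
    }
    return $out;
}

// Constructed POST body in the shape osCommerce's login and cart pages submit.
$post = [
    'email_address' => 'jane@example.com',                    // unchanged: @ and . are allowed
    'password'      => 'Tr0ub4dor&3!',                        // skipped: hashed, never echoed or put in SQL raw
    'cc_owner'      => '[w](o)<r>k|i*n^g',                    // -> working
    'id'            => ['4' => '10', '5' => "7' OR '1'='1"],  // attribute option id => value; -> '7 OR 11'
    'cart_quantity' => ['2', '1<img src=x onerror=alert(1)>'], // -> ['2', '1img srcx onerroralert1']
    'too deep'      => [[[[[['x']]]]]],                       // collapsed by the depth cap
];

$clean = clean_posted_vars($post, ['password']);
print_r($clean);

// Drop-in use on a page, after require('includes/application_top.php'):
//   $_POST = clean_posted_vars($_POST, ['password']);
```

The skip list is there because whitelist-stripping a password changes what the customer typed: a password containing ! or & would hash differently at create_account than at login unless both pages apply the identical filter, and customers who registered before the filter was added would be locked out. osCommerce's login compares the submitted password against the stored hash in PHP rather than building it into the query, so that field needs a length check and hashing, not character stripping.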


 

Hi Nick

 

This is the support thread for Security Pro I answer issues related to the installation of this contribution and its usage here.

 

Perhaps you should post this in the general forum.



 

 

Sorry Robert...I thought I'd ask here since it tangentially pertains to Security Pro, but I'll repost it in the general forum.


Hello,

I have had Security Pro installed on my site for well over a year now and recently I received a failing scan due to possible SQL injections. Do I need to have them make it a false positive again? This seems to happen a lot. I use Security Metrics. Thank you for help!



 

Hi

 

Security Pro ensures that your query string is totally clean .. this does not mean that badly coded contributions are totally invulnerable.

 

Example: -

 

The other day someone reported a similar issue to yours whereby SQL could be forced into declaring an error.

 

the querystring however was clean like ..

 

?a_really_clean_querystring&max=x

 

Now to Security Pro that querystring is fine .. and it is .. BUT ..

 

The contribution applied $_GET['max'] directly to a query without sanitisation or type casting .. like ..

 

$query = "SELECT * FROM SOME_TABLE WHERE SOMETHING = 'SOMETHING_ELSE' LIMIT 0, " . $_GET['max'];

 

SQL expects the second parameter of LIMIT to be an integer but we just passed in "x" therefore SQL threw a tantrum and an error was output to screen.

 

There was nothing Security Pro could do as the querystring was clean.

 

So .. my answer is .. we would need to see how Security Metrics achieved this supposed injection .. all of the good scanning services provide the querystring leading to the proposed vulnerability.

 

Hope that helps.

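The failure described in this reply, as an added example that is not from the thread: a value that passes the \s{}a-zA-Z0-9_.- whitelist can still break a query that concatenates it into LIMIT, and the fix is to validate or type-cast the value in the code that uses it (osCommerce's own core does this with an (int) cast). The table and column names below are placeholders, not osCommerce's schema, and the function names are mine.

```php
<?php
// Added example (mine, not from the thread): why a whitelist-clean querystring can
// still produce the 1064 error discussed above, and the fix the reply points to,
// validating or type-casting the value in the code that uses it. Table and column
// names are placeholders, not osCommerce's schema.

// The pattern described in the reply: $_GET['max'] concatenated straight into LIMIT.
// "x" contains only whitelisted characters, so Security Pro passes it through.
function vulnerable_listing_query(array $get): string
{
    return "SELECT products_id FROM products LIMIT 0, " . $get['max'];
}

/**
 * Hardened: max must be an integer in [1, $ceiling]; anything else falls back to
 * the default instead of reaching MySQL. filter_var rejects "x", "20 OR 1", "" and
 * "1e3" outright, where a bare (int) cast would silently turn them into 0 or 20.
 */
function listing_limit(array $get, int $default = 20, int $ceiling = 100): int
{
    $max = filter_var($get['max'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => $ceiling]]);
    return $max === false ? $default : $max;
}

function safe_listing_query(array $get): string
{
    return sprintf('SELECT products_id FROM products LIMIT 0, %d', listing_limit($get));
}

/**
 * Same check in front of a prepared statement, the form to prefer when the value
 * must reach the database: bound as PDO::PARAM_INT it can never be parsed as SQL.
 * (Assumes a PDO connection; not executed below.)
 */
function prepared_listing(PDO $db, array $get): array
{
    $stmt = $db->prepare('SELECT products_id FROM products LIMIT 0, :max');
    $stmt->bindValue(':max', listing_limit($get), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed values: every one of them passes the \s{}a-zA-Z0-9_.- whitelist.
foreach (['20', 'x', '20 OR 1', '-1', '999999', ''] as $max) {
    $get = ['cPath' => '21', 'sort' => '2a', 'max' => $max];
    printf("max=%-9s vulnerable: %s\n", var_export($max, true), vulnerable_listing_query($get));
    printf("%-14s hardened:   %s\n", '', safe_listing_query($get));
}
```

The scanner's finding is about the MySQL error text reaching the browser; validating the value removes the cause rather than hiding the symptom, and the scan report will show which parameter it used, which is the querystring the reply asks for.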
