Jump to content
FWR Media

[contribution] Security Pro - Querystring protection against hackers.

Recommended Posts

Share this post


Link to post
Share on other sites

They sent this. What does this mean?

 

:~$ curl -L -k "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b+and+1%3D1"> a

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

100 22118 0 22118 0 0 30199 0 --:--:-- --:--:-- --:--:-- 30199

 

:~$ curl -L -k "https://domain.com/shop/checkout_shipping.php?osCsid=78aee66e909a6dacdeb923ec74de4e5b+and+1%3D0"> b

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

100 22118 0 22118 0 0 32090 0 --:--:-- --:--:-- --:--:-- 32090

 

:~$ diff a b

106c106

Share this post


Link to post
Share on other sites

Share this post


Link to post
Share on other sites

Can't see any injection possibilities here with security pro enabled.

 

The proposed injection querystring: -

 

https://domain.com/s...e4e5b+and+1%3D0

 

 

becomes: -

 

[osCsid] => 78aee66e909a6dacdeb923ec74de4e5b and 10

 

the other becomes: -

 

[osCsid] => 78aee66e909a6dacdeb923ec74de4e5b and 11

Edited by FWR Media

Share this post


Link to post
Share on other sites

Do you need the actual store's domain name or does this most likely mean a false positive again? Thanks again!

 

PM me the domain .. we ought to check it.

Share this post


Link to post
Share on other sites

Do you need the actual store's domain name or does this most likely mean a false positive again? Thanks again!

 

Checked your site and it's fine.

 

1) Security Pro reduces the querystring back to harmless characters. [a-z0-9\-_\.{}]

 

2) osCommerce recognises that it is not a sane osCsid and redirects the "attacker" to index.php.

 

Nothing even mildly close to an injection happening there.

Share this post


Link to post
Share on other sites

Checked your site and it's fine.

 

1) Security Pro reduces the querystring back to harmless characters. [a-z0-9\-_\.{}]

 

2) osCommerce recognises that it is not a sane osCsid and redirects the "attacker" to index.php.

 

Nothing even mildly close to an injection happening there.

 

 

Your fast response and help is well appreciated. May I ask you what you did to check this? Thanks again. :)

Share this post


Link to post
Share on other sites

Your fast response and help is well appreciated. May I ask you what you did to check this? Thanks again. :)

 

1) Log in as a user

 

2) Add a product to cart

 

3) Proceed to checkout_shipping.php

 

4) In firefox .. view cookie and copy the osCsid VALUE

 

Modify the url in the top bar by adding

 

?osCsid=[VALUE_GOT_FROM_COOKIE]+and+1%3D1

 

So it will look something like ..

 

www.mysite.com/shop/checkout_shipping.php?osCsid=[VALUE_GOT_FROM_COOKIE]+and+1%3D1

 

Run it and you are redirected to index.php

Edited by FWR Media

Share this post


Link to post
Share on other sites

How will I know if it is bad? Will I be redirected somewhere else? Thanks again!

 

Security scanners generally only know if they have hit on a hack vector when they force the application to issue an error.

 

A possibility ( and only a possibility ) is that the scanner saw that by adding the code that it did it was served an entirely different page and took this to mean that it had "forced" the application to do something where the reality is that the script identified a bad action and redirected the "user" as a consequence.

Edited by FWR Media

Share this post


Link to post
Share on other sites

So I wouldn't be able to see it only the security scanners? If there is an error, then some code needs adjusting? I know its not that easy but I just want to understand this a bit more. Thanks again!

Share this post


Link to post
Share on other sites

So I wouldn't be able to see it only the security scanners? If there is an error, then some code needs adjusting? I know its not that easy but I just want to understand this a bit more. Thanks again!

 

I added to the post above yours which you probably haven't seen. I really can't tell you any more at this stage, but no .. the scanner sees nothing you don't to my knowledge.

Edited by FWR Media

Share this post


Link to post
Share on other sites

Oh I see. :) Well thank you so much for your quick responses to everything. If there is anything that I could help you out with I would be more than happy to. Have a great weekend. :)

Share this post


Link to post
Share on other sites

Is it possible to change the search query "/" to a blank space. I found that if a search is made like "product/ab" aka "product%2Fab" it will not show the product, if you search for "product ab" aka "product+ab" it returns the correct product with its name of "product/ab". Other than excluding the search results page would this make sense to adjust? Is there another way? I understand the need to not weaken the security, although I've been unable to locate any modification to the code like suggested.

 

Thanks in advance, appreciate any help.

 

 

It's written in the instructions .. security pro zealously restricts the values obtained from the querystring to ..

 

\s{}a-zA-Z0-9_.-

 

Anything other than that will be stripped.

 

If your code is passing other characters you should modify it so that it no longer does.

 

Your only other option is to weaken the security, which I don't recommend.

Edited by normanlamps

Share this post


Link to post
Share on other sites

Is it possible to change the search query "/" to a blank space. I found that if a search is made like "product/ab" aka "product%2Fab" it will not show the product, if you search for "product ab" aka "product+ab" it returns the correct product with its name of "product/ab". Other than excluding the search results page would this make sense to adjust? Is there another way? I understand the need to not weaken the security, although I've been unable to locate any modification to the code like suggested.

 

Thanks in advance, appreciate any help.

 

 

 

 

If you want to weaken security you can .. in my opinion there is no need or reason to include / in a search querystring.

 

Yes what you suggest could be done if isolated to that particular file .. but Security Pro is global so makes no concessions for individual files. Being a "whitelist" is its power.

Share this post


Link to post
Share on other sites

Unfortunately almost all of our products have a "/" in their name.

 

Is there any particular code we can modify to simply fix the problem, or is excluding the file the only option. We don't want to exclude the file, we only want to know what codes need to be changed as you suggested. We wouldn't know where to begin with actually modifying the site. We assume it would be a modification to the search tool itself.

 

Security Pro seems to be helping a lot and is a very useful add-on, although its difficult to justify its use when so many customers search queries contain "/" and no results show.

 

Again we certainly do appreciate any help that you may offer, Thank you.

Share this post


Link to post
Share on other sites

Unfortunately almost all of our products have a "/" in their name.

 

Is there any particular code we can modify to simply fix the problem, or is excluding the file the only option. We don't want to exclude the file, we only want to know what codes need to be changed as you suggested. We wouldn't know where to begin with actually modifying the site. We assume it would be a modification to the search tool itself.

 

Security Pro seems to be helping a lot and is a very useful add-on, although its difficult to justify its use when so many customers search queries contain "/" and no results show.

 

Again we certainly do appreciate any help that you may offer, Thank you.

 

It shouldn't be hard to justify its use .. it's obvious .. it whitelists the characters allowed in the querystring which especially is essential with the plethora of badly coded contributions for osCommerce.

 

If you want to introduce banned characters then you have to exclude the file and do the security checks yourself in that file.

Share this post


Link to post
Share on other sites

Nice work!

 

Another one for the excludes list - redirect.php.

 

Product urls to external sites break with SecurityPro on but the passed url is checked by redirect.php against the legitimate url for the product so redirect.php can be safely excluded.

 

HTH

 

Chris

Hi Chris

 

Thanks for putting this info up, exactly what I was looking for! :thumbsup:

Share this post


Link to post
Share on other sites

After installing SecurityPro and carefully following all instructions I get the following error, either when trying to run/install the SecurityPro_install.php file or just when I try to acces my oscommerce store:

 

Fatal error: Call to a member function add_current_page() on a non-object in /home/graficai/public_html/estore/includes/application_top.php on line 332

 

Line 332 reads as follows:

 

$navigation->add_current_page();

 

Any help will be appreciated.

 

TIA

Share this post


Link to post
Share on other sites

After installing SecurityPro and carefully following all instructions I get the following error, either when trying to run/install the SecurityPro_install.php file or just when I try to acces my oscommerce store:

 

Fatal error: Call to a member function add_current_page() on a non-object in /home/graficai/public_html/estore/includes/application_top.php on line 332

 

Line 332 reads as follows:

 

$navigation->add_current_page();

 

Any help will be appreciated.

 

TIA

 

$navigation->add_current_page();

 

Is a osCommerce issue not one of Security Pro.

 

Just close all browser windows and then open a new one browsing directly to the install file.

Share this post


Link to post
Share on other sites

$navigation->add_current_page();

 

Is a osCommerce issue not one of Security Pro.

 

Just close all browser windows and then open a new one browsing directly to the install file.

 

Thanks, I might have done that inadvertently because all of a "sudden" it works.

 

Thanks for clearing things up.

Share this post


Link to post
Share on other sites

In the contribution it says:

your querystring should be safe as long as the contribution/code calls application_top.php

 

I checked and found a few files that don't have

 

require('includes/application_top.php');

 

Presumably one needs to add this? Can it basically go in any file or would it just be files in the route? Is is as simple as just adding that inside php tags at the top of the file?

 

Also, I noticed one file has

require("includes/application_top.php");

is that the same as

require('includes/application_top.php');

 

Just curious to ensure I'm catching everything.....

Edited by tigergirl

I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×