Jump to content
FWR Media

[contribution] Security Pro - Querystring protection against hackers.

Recommended Posts

i followed all the directions and have re-done it several times and it just isn't working. When i go to this step: Go into admin>configuration>FWR Security Pro and turn it on .. (set to true). i cannot find FWR Security Pro to turn it on...

Share this post


Link to post
Share on other sites

i followed all the directions and have re-done it several times and it just isn't working. When i go to this step: Go into admin>configuration>FWR Security Pro and turn it on .. (set to true). i cannot find FWR Security Pro to turn it on...

 

You have to run the install script as per the instructions.

Share this post


Link to post
Share on other sites

Hello,

Once again my site is failing. Security Metrics always sends me possible Blind SQL injections. Could you look at this again and let me know what may be happening? I haven't made any upgrades or added any new contributions to the store since the last time I was on this forum. Thank you!

 

Possible blind sql injection on

http://domain.com/shop/advanced_search_result.php?action=buy_now&keywords=dog+mom+long+sleeve&sort=2a'>http://domain.com/shop/advanced_search_result.php?action=buy_now&keywords=dog+mom+long+sleeve&sort=2a

wp - -bs ql

"http://domain.com/shop/advanced_search_result.php?action=buy_now&keywords =dog+mom+long+sleeve&sort=2a"

"http://domain.com/shop/advanced_search_result.php?action=buy_now+and+1%3D1&keywords=dog+mom+long+sleeve&sort=2a" TCP http/https 4 "http://domain.com/shop/advanced_search_result.php?action=buy_now+and+1%3D0&keywords=dog+mom+long+sleeve&sort=2a" cat <<EOF > bs ql.s h curl -L

"http://domain.com/shop/advanced_search_result.php?action=buy_now+and+1%3D1&keywords=dog+mom+long+sleeve&sort=2a"> a curl -L

"http://domain.com/shop/advanced_search_result.php?action=buy_now+and+1%3D0&keywords=dog+mom+long+sleeve&sort=2a"> b diff a b EOF s h bs ql.s h

 

This website may have other injection related vulnerabilities.

Share this post


Link to post
Share on other sites

Hello,

Once again my site is failing. Security Metrics always sends me possible Blind SQL injections. Could you look at this again and let me know what may be happening? I haven't made any upgrades or added any new contributions to the store since the last time I was on this forum. Thank you!

 

This is nothing to do with support of the security pro contribution.

 

 

Perhaps you should post in the general forum.

Share this post


Link to post
Share on other sites

This is where I posted last time. You can see me on page 8. I use Security Pro for protection on my website and you have helped me in the past. I will post this somewhere else. Thank you for your time.

 

lindsay

Share this post


Link to post
Share on other sites

This is where I posted last time. You can see me on page 8. I use Security Pro for protection on my website and you have helped me in the past. I will post this somewhere else. Thank you for your time.

 

lindsay

 

I may have answered "last time" but I should not have done. General posts here make it difficult for those seeking genuine support for this specific contribution difficult.

 

I have however now answered your question in the general forum .. thanks for moving it.

Share this post


Link to post
Share on other sites

Security Pro 2.0

 

A new version has been released:

Compatiblility:

PHP 4/5

osCommerce All Versions.

 

Effective Querystring Protection Against Hacking by Whitelisting

 

The first Security Pro was written back in March 2008 when it became apparent that osCommerce shops were being hacked via the querystring through badly coded contributions like testimonials.

Is it still necessary with the new 2.3.X versions of osCommerce

 

Yes it is still just as valid. The target of Security Pro is not the core osCommerce coding which we all know is good, the target is the thousands of contributions which are usually poorly written.

 

This is all new code but the concept remains the same .. with Security Pro installed it is impossible to pass bad characters through the querystring so long as the page loads application_top.php, which all osCommerce pages do.

 

The XSS .htaccess contributions in my opinion are worthless if this is installed as they simply replicate a small part of what Security Pro does.

the only exeption to this that I could see was the REQUEST_METHOD and TRACE|TRACK.

 

The concept is simple but effective. It's a waste of time to try and blacklist the huge number of hacking vectors as the XSS scripts try to do .. the only answer is whitelisting and this is what Security Pro does very well.

What has Changed?

 

In operation it is pretty much the same .. except ..

 

* Total rewrite using more modern code ( albeit PHP4 compatible )

* Added to security stregnth by adding some string exclusions like GLOBALS, _REQUEST, base64_encode, UNION

* Fixed a hole where a clever hacker could gain a dangerous double hyphen.

* The XSS .htaccess contribution now has nothing to offer over Security Pro.

* Simplified KISS installation with no database additions required.

 

Installation

 

This has been rewritten as KISS contribution ( Keep It Simple Stupid ) so is extremely quick and easy to install.

Share this post


Link to post
Share on other sites

Robert, one question -

 

 

Very occasionally there may be a file that genuinely needs to pass via the querystring characters that are disallowed. This tends to be payment modules like Sage Pay ( formerly PROTX ).

 

 

Is there a list of known files that have this problem, especially payment modules?


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3

Share this post


Link to post
Share on other sites

Robert, one question -

 

 

 

Is there a list of known files that have this problem, especially payment modules?

 

No .. the only one I ever actually heard about was the PROTX one.

Share this post


Link to post
Share on other sites

No .. the only one I ever actually heard about was the PROTX one.

 

 

I don't mean to hijack your support forum... I just wanted to take a moment and say; Thank you Robert for all the diligent work you have done on this (and your other) great contribution/s.

I really like your newer release of Security Pro (2.0 ( r7 ) I was unable to use your older release of security pro... as it conflicted with some of my custom code I use. It is nice to see the simplicity of your updated contribution. This new one works fine and the extra "peace of mind" added security provides is priceless. Thank you!

Kind regards,

Debs

Edited by Debs

Share this post


Link to post
Share on other sites

I don't mean to hijack your support forum... I just wanted to take a moment and say; Thank you Robert for all the diligent work you have done on this (and your other) great contribution/s.

I really like your newer release of Security Pro (2.0 ( r7 ) I was unable to use your older release of security pro... as it conflicted with some of my custom code I use. It is nice to see the simplicity of your updated contribution. This new one works fine and the extra "peace of mind" added security provides is priceless. Thank you!

Kind regards,

Debs

 

Thanks is never a hijack :)

Share this post


Link to post
Share on other sites

Here's a bit of fun to try on a fresh osCommerce 2.3.1

 

An expanded bad search term ..

 

[w](o)%3C<r>%3Ek|i*n^g 

 

If you put this in the search box and search.

 

It actually returns a product :)

 

Matrox G200 MMX

 

Security Pro reduces the search term to "working" and that product has that word in its description

Share this post


Link to post
Share on other sites

I use Security Pro 2.0 and I have a problem.

 

When I want test it is working - "Put in a bad character good character mix like [w](o)%3Cr%3Ek|i*n^g"

 

http://www.autodrive.pl/advanced_search_result.php?keywords=[w](o)%3Cr%3Ek|i*n^g

 

it change to:

 

http://www.autodrive.pl/advanced_search_result.php?keywords=[w](o)<<r>>k|i*n^g

 

It should read "working" not "[w](o)<<r>>k|i*n^g" - what is wrong ??

Share this post


Link to post
Share on other sites

I use Security Pro 2.0 and I have a problem.

 

When I want test it is working - "Put in a bad character good character mix like [w](o)%3Cr%3Ek|i*n^g"

 

http://www.autodrive...t.php?keywords=[w](o)%3Cr%3Ek|i*n^g

 

it change to:

 

http://www.autodrive...t.php?keywords=[w](o)<<r>>k|i*n^g

 

It should read "working" not "[w](o)<<r>>k|i*n^g" - what is wrong ??

 

a] Have you installed it correctly?

 

b] Which version of osCommerce are you on?

 

c] ( related to b] ) is compatibility.php called before the security pro code?

  require(DIR_WS_FUNCTIONS . 'compatibility.php');

 

d] If c] is correct does includes/functions/compatibility.php contain the following code?

 

  if (PHP_VERSION >= 4.1) {
$HTTP_GET_VARS =& $_GET;
$HTTP_POST_VARS =& $_POST;
$HTTP_COOKIE_VARS =& $_COOKIE;
$HTTP_SESSION_VARS =& $_SESSION;
$HTTP_POST_FILES =& $_FILES;
$HTTP_SERVER_VARS =& $_SERVER;
 } else {
if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();
 }

Edited by FWR Media

Share this post


Link to post
Share on other sites

I just updated, meaning installed your lated secuirity pro. but although spent now 2 hours checking why, it'w not working. here what i did:

 

uploaded the new files in the modules folder and inserted the code above the ssl thing (please check code provided below). Then i deleted in application_top the old security pro entry and finally deleted the database entries of the confiration.

 

well its not working. any sugesstions or what shall i provide you with in order to help us?

 

Greetings

 

// define the project version

define('PROJECT_VERSION', 'osCommerce 2.2-MS2');

 

// set the type of request (secure or not)

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

// set php_self in the local scope

if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

// Security Pro by FWR Media

include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';

$security_pro = new Fwr_Media_Security_Pro;

// If you need to exclude a file from cleansing then you can add it like below

//$security_pro->addExclusion( 'some_file.php' );

$security_pro->cleanse( $PHP_SELF );

// End - Security Pro by FWR Media

 

if ($request_type == 'NONSSL'){

define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);

} else {

define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);

}

Share this post


Link to post
Share on other sites

I just updated, meaning installed your lated secuirity pro. but although spent now 2 hours checking why, it'w not working. here what i did:

 

uploaded the new files in the modules folder and inserted the code above the ssl thing (please check code provided below). Then i deleted in application_top the old security pro entry and finally deleted the database entries of the confiration.

 

well its not working. any sugesstions or what shall i provide you with in order to help us?

 

Greetings

 

// define the project version

define('PROJECT_VERSION', 'osCommerce 2.2-MS2');

 

// set the type of request (secure or not)

$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

 

// set php_self in the local scope

if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

// Security Pro by FWR Media

include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';

$security_pro = new Fwr_Media_Security_Pro;

// If you need to exclude a file from cleansing then you can add it like below

//$security_pro->addExclusion( 'some_file.php' );

$security_pro->cleanse( $PHP_SELF );

// End - Security Pro by FWR Media

 

if ($request_type == 'NONSSL'){

define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);

} else {

define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);

}

 

Try reading the post 2 above.

Share this post


Link to post
Share on other sites

Try reading the post 2 above.

you mean about the compatiblity? yes, but here the

// some code to solve compatibility issues

require(DIR_WS_FUNCTIONS . 'compatibility.php');

 

is after the new security pro code in aplication_top.

 

However i just checked my compatibility.php and it doens't have your code in it. Can you please advise where to add it?

 

 

Thanks in advance.

 

here my compatibility.php:

 

<?php
/*
 $Id: compatibility.php,v 1.19 2003/04/09 16:12:54 project3000 Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce

 Released under the GNU General Public License

 Modified by Marco Canini, <m.canini@libero.it>
 - Fixed a bug with arrays in $HTTP_xxx_VARS
*/

////
// Recursively handle magic_quotes_gpc turned off.
// This is due to the possibility of have an array in
// $HTTP_xxx_VARS
// Ie, products attributes
 function do_magic_quotes_gpc(&$ar) {
   if (!is_array($ar)) return false;

   while (list($key, $value) = each($ar)) {
     if (is_array($value)) {
       do_magic_quotes_gpc($value);
     } else {
       $ar[$key] = addslashes($value);
     }
   }
 }

// $HTTP_xxx_VARS are always set on php4
 if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
 if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
 if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();

// handle magic_quotes_gpc turned off.
 if (!get_magic_quotes_gpc()) {
   do_magic_quotes_gpc($HTTP_GET_VARS);
   do_magic_quotes_gpc($HTTP_POST_VARS);
   do_magic_quotes_gpc($HTTP_COOKIE_VARS);
 }

 if (!function_exists('array_splice')) {
   function array_splice(&$array, $maximum) {
     if (sizeof($array) >= $maximum) {
       for ($i=0; $i<$maximum; $i++) {
         $new_array[$i] = $array[$i];
       }
       $array = $new_array;
     }
   }
 }

 if (!function_exists('in_array')) {
   function in_array($lookup_value, $lookup_array) {
     reset($lookup_array);
     while (list($key, $value) = each($lookup_array)) {
       if ($value == $lookup_value) return true;
     }

     return false;
   }
 }

 if (!function_exists('array_reverse')) {
   function array_reverse($array) {
     for ($i=0, $n=sizeof($array); $i<$n; $i++) $array_reversed[$i] = $array[($n-$i-1)];

     return $array_reversed;
   }
 }

 if (!function_exists('constant')) {
   function constant($constant) {
     eval("\$temp=$constant;");

     return $temp;
   }
 }

 if (!function_exists('is_null')) {
   function is_null($value) {
     if (is_array($value)) {
       if (sizeof($value) > 0) {
         return false;
       } else {
         return true;
       }
     } else {
       if (($value != '') && ($value != 'NULL') && (strlen(trim($value)) > 0)) {
         return false;
       } else {
         return true;
       }
     }
   }
 }

 if (!function_exists('array_merge')) {
   function array_merge($array1, $array2, $array3 = '') {
     if (empty($array3) && !is_array($array3)) $array3 = array();
     while (list($key, $val) = each($array1)) $array_merged[$key] = $val;
     while (list($key, $val) = each($array2)) $array_merged[$key] = $val;
     if (sizeof($array3) > 0) while (list($key, $val) = each($array3)) $array_merged[$key] = $val;

     return (array) $array_merged;
   }
 }

 if (!function_exists('is_numeric')) {
   function is_numeric($param) {
     return ereg('^[0-9]{1,50}.?[0-9]{0,50}$', $param);
   }
 }

 if (!function_exists('array_slice')) {
   function array_slice($array, $offset, $length = 0) {
     if ($offset < 0 ) {
       $offset = sizeof($array) + $offset;
     }
     $length = ((!$length) ? sizeof($array) : (($length < 0) ? sizeof($array) - $length : $length + $offset));
     for ($i = $offset; $i<$length; $i++) {
       $tmp[] = $array[$i];
     }

     return $tmp;
   }
 }

 if (!function_exists('array_map')) {
   function array_map($callback, $array) {
     if (is_array($array)) {
       $_new_array = array();
       reset($array);
       while (list($key, $value) = each($array)) {
         $_new_array[$key] = array_map($callback, $array[$key]);
       }
       return $_new_array;
     } else {
       return $callback($array);
     }
   }
 }

 if (!function_exists('str_repeat')) {
   function str_repeat($string, $number) {
     $repeat = '';

     for ($i=0; $i<$number; $i++) {
       $repeat .= $string;
     }

     return $repeat;
   }
 }

 if (!function_exists('checkdnsrr')) {
   function checkdnsrr($host, $type) {
     if(tep_not_null($host) && tep_not_null($type)) {
       @exec("nslookup -type=$type $host", $output);
       while(list($k, $line) = each($output)) {
         if(eregi("^$host", $line)) {
           return true;
         }
       }
     }
     return false;
   }
 }
?>

Share this post


Link to post
Share on other sites

you mean about the compatiblity? yes, but here the

// some code to solve compatibility issues

require(DIR_WS_FUNCTIONS . 'compatibility.php');

 

is after the new security pro code in aplication_top.

 

However i just checked my compatibility.php and it doens't have your code in it. Can you please advise where to add it?

 

 

Please don't post complete files .. it makes the thread impossible to read.

 

Find ..

// $HTTP_xxx_VARS are always set on php4
 if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
 if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
 if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();

 

Replace with ..

 

  if (PHP_VERSION >= 4.1) {
$HTTP_GET_VARS =& $_GET;
$HTTP_POST_VARS =& $_POST;
$HTTP_COOKIE_VARS =& $_COOKIE;
$HTTP_SESSION_VARS =& $_SESSION;
$HTTP_POST_FILES =& $_FILES;
$HTTP_SERVER_VARS =& $_SERVER;
 } else {
if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();
 }

 

you really should update your files, you are running extremely old and insecure code.

Edited by FWR Media

Share this post


Link to post
Share on other sites

Great, working now. Really appreciated your help. I know, we really should update, but honetly no idea where to begin :(.

 

One little addtional question: we have a 4 languages store so i modified this string in order to keep search resulst o.k. Do you think its risky for security resons? those letters are really often used.

 

Greetings

 

$cleansed = preg_replace( "/[^\s{}a-z0-9äüöéèê_\.\-]/i", "", urldecode( $get ) );

Share this post


Link to post
Share on other sites

Great, working now. Really appreciated your help. I know, we really should update, but honetly no idea where to begin :(.

 

One little addtional question: we have a 4 languages store so i modified this string in order to keep search resulst o.k. Do you think its risky for security resons? those letters are really often used.

 

Greetings

 

$cleansed = preg_replace( "/[^\s{}a-z0-9äüöéèê_\.\-]/i", "", urldecode( $get ) );

 

They are just language characters so you'll be fine.

 

You may want to add the capitals as well as the i modifier will not work for special characters.

Edited by FWR Media

Share this post


Link to post
Share on other sites

Modification for Languages that have Special Characters

 

This change is optional and only relevant for languages which have special language characters.

What does it do?

 

You can add your language special characters to a variable, these characters will then be ignored by the whitelist. This is essential for e.g. search functionality to work with such languages.

 

Open up ..

 

catalog/includes/modules/fwr_media_security_pro.php

 

Find the COMPLETE function spro_cleanse_get_recursive()

 

Change it to ..

 

  function spro_cleanse_get_recursive( $get ) {
/**
* IMPORTANT - DO NOT use the below to gimp the whitelist, this should be used for valid language special characters only
* 
* @example $lang_additions = 'åÅäÄöÖ';
* @var string - Valid language special characters to be added to the whitelist
*/
$lang_additions = ''; // Special language characters go here - see the example above
if ( !is_array( $get ) ) {
 	$banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
 	// Apply the whitelist
 	$pattern = "/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i";
 	$cleansed = preg_replace( $pattern, "", urldecode( $get ) );
 	// Remove banned words
 	$cleansed = preg_replace( $banned_string_pattern, '', $cleansed );
 	// Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
 	return preg_replace( '@[-]+@', '-', $cleansed );
}
// Add the preg_replace to every element.
return array_map( 'spro_cleanse_get_recursive', $get );
 }

 

 

Obviously the ..

 

$lang_additions = 'åÅäÄöÖ';

 

 

Can contain any language special characters that you wish, this should NOT be used to gimp the whitelist.

 

IMPORTANT:

This file now MUST be saved as the correct charset, it can no longer be saved as a standard ASCII file.

Edited by FWR Media

Share this post


Link to post
Share on other sites

Hi,

 

Is this fix in application_top.php still valid with Security Pro?

 

 /** 
 * Reliably set PHP_SELF as a filename .. platform safe 
 */ 
 function setPhpSelf() { 
   $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) ); 
   foreach ( $base as $index => $key ) { 
     if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) { 
       if ( false !== strpos( $_SERVER[$key], '.php' ) ) { 
         preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches ); 
         if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) 
                                   && ( substr( $matches[0], -4, 4 ) == '.php' ) 
                                   && ( is_readable( $matches[0] ) ) ) { 
           return $matches[0]; 
         }  
       }  
     } 
   }  
   return 'index.php'; 
 } // end method  

 $PHP_SELF = setPhpSelf();

 

Many thank! BTW, I've been enjoying your contributions very much.

Share this post


Link to post
Share on other sites

Hi,

 

Is this fix in application_top.php still valid with Security Pro?

 

 /** 
 * Reliably set PHP_SELF as a filename .. platform safe 
 */ 
 function setPhpSelf() { 
   $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) ); 
   foreach ( $base as $index => $key ) { 
     if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) { 
       if ( false !== strpos( $_SERVER[$key], '.php' ) ) { 
         preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches ); 
         if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) 
                                   && ( substr( $matches[0], -4, 4 ) == '.php' ) 
                                   && ( is_readable( $matches[0] ) ) ) { 
           return $matches[0]; 
         }  
       }  
     } 
   }  
   return 'index.php'; 
 } // end method  

 $PHP_SELF = setPhpSelf();

 

Many thank! BTW, I've been enjoying your contributions very much.

 

Security Pro has nothing to do with base file names it cleanses the querystring.

 

If you have already installed USU5 or USU5 PRO then this has already been done.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×