
Archived

This topic is now archived and is closed to further replies.

spooks

How to secure your osCommerce 2.2 site.

658 posts in this topic

Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.

 

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

 

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

 

You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

 

You can add htaccess protection http://addons.oscommerce.com/info/6066

 

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

 

Also make sure that all files, except for the two configure.php files, have permissions no higher than 644.

 

The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400 which is correct.

 

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

 

You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

 

Do it now, avoid getting that nasty addition to your listings in google: 'This site might damage your computer'

Or find all your customers' data has been posted on a hacker's bulletin board somewhere, etc etc

 

Update Sep. 09

 

The following addresses issues that have arisen or were not mentioned since this post was placed:

 

SECURING THE ADMIN:

 

You must take steps to secure your admin, by re-naming & password protection. There is also an issue with hacks, read Jan's thread here.

 

FILEMANAGER:

 

It has long been known the filemanager is a security risk & should, nay MUST, be removed; if used for editing your site it is likely to damage your files, so it is a bad utility to keep anyway, see here. It's also been known it's a possible hacking route & to make matters worse there now exists a very nasty hack that uses filemanager to gain access to your site ( dbase included!! )

 

Use a normal editor such as html-kit or notepad++ after downloading all your files to your PC with ftp such as filezilla.

 

To remove filemanager:

 

Delete file_manager.php from catalog/admin

 

open admin/includes/boxes/tools.php and delete the line:

 

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .

 

It is also known that admin/define_language.php is vulnerable to the same hacks as filemanager, so should also be removed.

 

BACKUPS:

 

To be safe you should make backups of your dBase and site files, saves a great deal of time & effort cleaning up should anything nasty happen.

 

I recommend you use AutoBackup Database in Admin AND Database backup manager also Backup of all store files in zip format.

 

INSTALLATION:

 

If you are unsure about installing these contributions this thread should help you.

 

FORMS:

 

Security Pro cleans the query string, however any forms using $_POST are unaffected; if you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

 

after:

 

require('includes/application_top.php');

add:

 
// clean posted vars: strip every character outside the whitelist from
// scalar values; array values are dropped because these pages expect none
foreach ($_POST as $key => $value) {
  if (!is_array($value)) {
    $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/", "", urldecode($value));
  } else {
    unset($_POST[$key]); // no arrays expected
  }
}

 

This does not allow for arrays, additional code is needed if they are used.

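The whitelist filter from the post above, extended to walk nested arrays instead of unsetting them, as an added example that is not code from the thread, from osCommerce or from Security Pro. Function and constant names are this example's own; the sample input is constructed.

```php
<?php
// Added example, not code from the thread: the character whitelist the post
// above applies to scalar $_POST values, extended to walk nested arrays
// instead of unsetting them. Names here are this example's own and are not
// part of osCommerce or Security Pro.

// Same whitelist as the snippet above: keep space, letters, digits and
// @ % : { } _ . - and strip everything else.
define('POST_WHITELIST', '/[^ a-zA-Z0-9@%:{}_.-]/');

function clean_post_value($value, $depth = 0)
{
    // A shop form never needs deeply nested arrays; drop anything past
    // depth 3 rather than walk attacker-supplied structure indefinitely.
    if ($depth > 3) {
        return null;
    }
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            // Array keys come from the client too, so filter them as well.
            $clean_key  = preg_replace(POST_WHITELIST, '', (string) $key);
            $clean_item = clean_post_value($item, $depth + 1);
            if ($clean_item !== null) {
                $clean[$clean_key] = $clean_item;
            }
        }
        return $clean;
    }
    // Scalar: decode once, as the original snippet does, then whitelist.
    return preg_replace(POST_WHITELIST, '', urldecode((string) $value));
}

// Constructed sample input standing in for $_POST: a normal field, a field
// carrying a script tag, and a nested array the original snippet would unset.
$sample = array(
    'email'    => 'user@example.com',
    'comments' => "<script>alert('x')</script> nice shop",
    'qty'      => array('12' => '1; drop table', 'b' => array('c' => "x'y")),
);

// In a page this would be: $_POST = clean_post_value($_POST);
var_export(clean_post_value($sample));
```

Stripping characters rather than escaping them also mangles legitimate input such as apostrophes in names, so this is a stop-gap; as a later reply in this thread notes, it is no substitute for escaping on the code side.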

Thanks Sam,

 

there were a couple of tips in there that had passed me by...

 

Cheers

 

Dave


It always helps having to be pci compliant too....having that scan every few days going through your system catching anything that may be vulnerable. Never hurts to alert you to vulnerabilities.

 

I love the Security Pro. I tried the IP trap but it worked so well my pci compliance scanner got blocked *laughing*. Now I just keep looking at my error log, and put questionable entities in my disallow lines of my .htaccess file. That may not be the best way to do it, but it's what I've got for now.


When you say...

 

Permissions on folders should be no higher than 755.

 

... I assume you mean all except:

 

/catalog/images

/catalog/admin/backups

/catalog/admin/images/graphs

 

I get errors when I drop the permissions below 777 on those folders.

> Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

 

Read it once again!

> Read it once again!

 

Thank you for your enlightened reply. However, it is osCommerce, not the host that requires that those folders be world writable. The docs and the knowledgebase both state that they should be left at 777. If there is a way to secure them while still keeping osCommerce happy please let me know how to do so.


I believe 777 is only vulnerable if the server itself is vulnerable i.e. not set up securely. You cannot upload and execute a file remotely as far as I'm aware - the attack would need to come from within. Although this post is quite old, I think it makes interesting reading. Irrespective, always chmod to the most secure settings that still allow your site to run:

 

http://www.simplemachines.org/community/in...hp?topic=2987.0

Not one of my folders has permissions 777, everything works fine.

 

With /catalog/images set below 777, all is fine with the store. When I then enter admin, everything is still fine until I click on products/catalog. At this point, osc sees that it is unable to write to the images directory (and therefore unable to upload images for new products, etc via admin) and therefore generates an error that is listed at the top of the screen.

 

Since I ftp images up anyway this isn't a big issue, but the /catalog/admin/backups and /catalog/admin/images/graphs have a similar problem. If they aren't world-writable, they cannot work as intended. Unless of course there is more to it that I am unaware of. That's why I asked the initial question.

 

As to it really being a security issue, I agree. I think a properly configured server manages the risk. However, it could be a bandwidth issue. Someone could use your world-writable directory as a warez file depository and post on warez boards where to get them. Suddenly, you could see a huge jump in bandwidth which could be costly if you have to pay for use beyond your allowance.


This seems a little confusing here.

 

OSCommerce requires 777 for backup directory, images directory, and a few other places. Also, if you use a script that does caching of resized images, it also requires 777.

 

I guess the questions are this..

a) Is it possible for someone to do an HTTP upload file to any directory that's 777, without a script accepting it?

b) If so, maybe one can setup an .htaccess file to block write access this way?

> This seems a little confusing here.
>
> OSCommerce requires 777 for backup directory, images directory, and a few other places. Also, if you use a script that does caching of resized images, it also requires 777.
>
> I guess the questions are this..
>
> a) Is it possible for someone to do an HTTP upload file to any directory that's 777, without a script accepting it?
>
> b) If so, maybe one can setup an .htaccess file to block write access this way?

 

 

Add a .htaccess including the following code.

 

# switch the PHP engine off for this folder (mod_php only, see the note below about suexec)
php_flag engine off
# and refuse to serve anything that looks like a script, whatever the PHP version suffix
<FilesMatch "\.(php.*|s?p?html|cgi|pl)$">
deny from all
</FilesMatch>

 

Not my code. Was suggested to me by BL4CK from thedefaced[d0t]org security group, and I can see the benefit.

 

Won't work with suexec but a php.ini version would suffice.

> This seems a little confusing here.
>
> OSCommerce requires 777 for backup directory, images directory, and a few other places. Also, if you use a script that does caching of resized images, it also requires 777.
>
> I guess the questions are this..
>
> a) Is it possible for someone to do an HTTP upload file to any directory that's 777, without a script accepting it?
>
> b) If so, maybe one can setup an .htaccess file to block write access this way?

 

It's not osCommerce that requires it. It is the config of the server. On the host I use I have to set configure.php to 0444 to get the "I can write" error to go away, so my image folder goes no higher than 0755.

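A check for the permission rules in the opening post and for the 777 folders debated in the replies above, as an added example that is not code from the thread or from osCommerce. It walks a catalog tree and reports files looser than 644, folders looser than 755, and script files sitting inside a world-writable folder (the case the .htaccess posted above guards against); the function and variable names are this example's own, the sample tree is constructed, and it assumes a Unix host where fileperms() is meaningful.

```php
<?php
// Added example, not code from the thread: audit a catalog tree against the
// rules given above (files no higher than 644, folders no higher than 755)
// and flag script files inside a world-writable folder such as images/ or
// admin/backups/. Names are this example's own; assumes a Unix host.

function audit_permissions($root)
{
    $script_ext = array('php', 'php3', 'php4', 'php5', 'phtml', 'cgi', 'pl');
    $findings   = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode = fileperms($path) & 0777;
        $rel  = substr($path, strlen($root) + 1);
        if ($info->isDir()) {
            if ($mode & ~0755) {       // any bit beyond rwxr-xr-x
                $findings[] = sprintf('%04o  dir   %s  (no higher than 755)', $mode, $rel);
            }
            continue;
        }
        if ($mode & ~0644) {           // any bit beyond rw-r--r--; configure.php at 444/400 passes
            $findings[] = sprintf('%04o  file  %s  (no higher than 644)', $mode, $rel);
        }
        $ext    = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        $parent = fileperms(dirname($path)) & 0777;
        if (in_array($ext, $script_ext, true) && ($parent & 0002)) {
            $findings[] = sprintf('script  %s  inside world-writable folder (%04o)', $rel, $parent);
        }
    }
    return $findings;
}

// Constructed sample tree so the audit runs offline: a 777 images folder
// holding a stray .php file, a 666 page, and a configure.php locked to 444.
$root = sys_get_temp_dir() . '/audit_' . uniqid();
mkdir("$root/images", 0777, true);
chmod("$root/images", 0777);                   // mkdir() honours umask, so force it
mkdir("$root/includes", 0755);
file_put_contents("$root/images/stray.php", "<?php\n");
file_put_contents("$root/index.php", "<?php\n");
chmod("$root/index.php", 0666);
file_put_contents("$root/includes/configure.php", "<?php\n");
chmod("$root/includes/configure.php", 0444);

foreach (audit_permissions($root) as $line) {
    echo $line, "\n";
}
```

Run it against a real catalog by replacing the constructed tree with the shop's document root; anything it lists under images/ or admin/backups/ with a script extension deserves a look before the permissions are tightened.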

If the default osCommerce script is really this vulnerable, I think osCommerce should let people know before they download the script and spend countless hours customizing their installation.


Very useful contributions, if the server is not set up properly. Personally I am using a firewall on my server and getting only email logs of people who are trying to hack oscommerce websites, & these people/IP addresses automatically go into my black list.

 

example:

Time: Sun Sep 7 18:16:39 2008 +0100

IP: 193.xx.xxx.xxx (country name)

Failures: 1 (mod_security)

Interval: 215 seconds

Blocked: Yes

 

Log entries:

 

[sun Sep 07 18:16:35 2008] [error] [client 193.xx.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:goto. [id "950006"] [msg "System Command Injection. Matched signature </mail>"] [severity "CRITICAL"] [hostname "domain name"] [uri "/admin/file_manager.php?goto=/home/user_name/public_html//images/mail"] [unique_id "dvZTxFXqk2sAAH@an4YAAAAE"]

> Very useful contributions, if the server is not set up properly. Personally I am using a firewall on my server and getting only email logs of people who are trying to hack oscommerce websites, & these people/IP addresses automatically go into my black list.
>
> example:

 

Server set up is no replacement at all for code side input/output escaping, server security is a totally different animal addressing totally different needs.


Thanks for the list, Sam, and thanks Deborah for that hint regarding PCI compliance. You're right on.

 

Right now my compliance people are failing me due to apparent vulnerability to cross-site scripting, so this thread came at just the right time.

 

~Wendy


Hi

 

I am looking at the install instructions for Anti XSS and do not understand how it can write to a file called iplog.txt?

 

Nowhere in the .htaccess code is there a reference to the IP address being written to the .txt file.

 

Am I missing code here?

 

=======

 

Also I have installed Secure your site with an IP trap http://addons.oscommerce.com/info/5914.

 

The add-on successfully blocks you, but when it writes the IP address to a text file called IP_trapped.txt the blocked IP address is written as an invisible line. Also when the program writes an email to you, again the IP address is not shown/invisible.

 

Does any one know how to make the IP address visible?

 

Thank You

 

TMM


Hi

 

I have installed Security Pro latest version but get the following error after the entire add-on installation:

 

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'MAX_RANDOM_SELECT_NEW' at line 1

 

select products_id, products_image, products_tax_class_id, products_price from products where products_status = '1' order by products_date_added desc limit MAX_RANDOM_SELECT_NEW

 

 

Can anyone please suggest what to do here?

 

Thanks

 

Bal


Make sure the file that should have been put in /includes/languages/english is there, or that an edit to add a define to /includes/languages/english.php has been done correctly.

> Make sure the file that should have been put in /includes/languages/english is there, or that an edit to add a define to /includes/languages/english.php has been done correctly.

 

 

Hi for the contribution for Security Pro 1.0.2 http://addons.oscommerce.com/info/5752 there is no mention of having to put anything into the languages/english folder

 

Please explain

 

 

Basically when I load my site the main page just shows the header image, side menu and the rest is blank with the error message. I have now put back the old application_top file and it is back to normal until I find out the fix.

 

 

Thanks

 

B


 

 

Hi, this issue is fixed - I accidentally commented something out.

 

 

 

On another note - does anyone have any test cases to test all the contributions in this thread?

 

Many Thanks

 

B


I cannot successfully test IP trap after installing. I get the warning message after running mystore\personal, but the IP does not get logged in the text file and I can still browse everywhere afterwards. Permissions are 777 on the txt file. My hosting server does not allow me to upload .htaccess files for some reason. Could it be due to this?


When I tried to install the AntiXSS I had an error:

 

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/factoryr/public_html/includes/functions/general.php on line 39

 

Can somebody help me please..

 

Thank you

 

Rafael


How do I install addons. I know this is probably a thread elsewhere but for the life of me, I cannot find it. Can someone please tell me where I can learn or get a tutorial as to how to install addons? I really feel lost with phps. I also have a question as to how to find php pages in my store/catalog that appear in my index. If I look at my index page live on the web and look at the source, there is more info there than is found on my index.php. I know these may seem like basic questions and you all may think...my god, they should know how to do this but I do not. So, even if there is a tutorial that can help. I can use it!

 

Thanks,

Kelly
