Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

How to secure your osCommerce 2.2 site.


spooks

Recommended Posts

I will let you know if it works

 

Hi.

 

I am still having problems with the latest $_POST cleaning code above.

 

With the code I get PayPal IPN Invalid [Completed]

 

Without the code IPN works perfectly

 

The only other problem I can see it that $HTTP_POST_VARS: is changed to HTTP_POST_VARS:

 

The ‘$’ is being stripped.

 

Could you please help me allow the $ in the expression

 

Here is my current expression

 

return preg_replace("/[^\p{L}\d\r@ :{}=_.-]/i", "", urldecode($vars));

 

Thanks

 

Ken

Link to comment
Share on other sites

  • Replies 657
  • Created
  • Last Reply

on your favorite web browser...go to www.yourdomain.com/catalog/SecurityPro_installer.php

 

change the adress accordingly to your site, changing yourdomain.com by your actual adress...

 

I did this but got a "fatal error 500". Is there just a simple mysql script to do what this php does?

Link to comment
Share on other sites

I did this but got a "fatal error 500". Is there just a simple mysql script to do what this php does?

 

 

you would get better answers posting in the correct support thread, SecurityPro has a active & supported thread. wink.gif

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Link to comment
Share on other sites

OK can you tell me how to find that perticular thread please?

[contribution] Security Pro - Querystring protection against hackers

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

foriegn chars

 

 

after:

 

 function clean_var ($vars) { 

 

add:

 

 $foriegn = 'àáâãäåçéèêëìíîïñòóôõöùúûüýÿ'; 

then replace:

 

return preg_replace("/[^a-zA-Z0-9@ :{}_.-]/i", "", urldecode($vars)); 

with:

 

return preg_replace("/[^\w\d\r".$foriegn."@ :{}_.-]/i", "", urldecode($vars)); 

 

Please say if there any additions you know to be added to the $foriegn string.

 

Hi Spooks, thank you very much for your time.

 

I have this code in my contact_us.php and others

 

// clean posted vars
if (PHP_VERSION >= 4.1) $HTTP_POST_VARS =& $_POST;
reset($_POST);
         while (list($key, $value) = each($_POST)) {
        if (!is_array($_POST[$key])) {
                 $_POST[$key] = preg_replace("/[^ a-zA-Z0-9ěščřžýáíéäëöüďťňůŠČŘŽ@:{}_.-]/i", "", urldecode($_POST[$key]));
               } else { unset($_POST[$key]); } // no arrays expected 
         }

//end clean posted vars

 

As far as I can tell, it works.

 

If I would like to add your new code to the application_top, do I have to remove the older code from all other files? Do you recommend this solution?

 

Thank you very much.

Link to comment
Share on other sites

 

 

Hi, no its not a solution I 'recomend' its one I suggest people can do if they want a easy way to add the sanitising, however it does cause issue with some add-on/modules so is best done on a page by page bases.

 

Thats not the latest code by the way.

 

You could look at Sam's Anti-hacker Account Mods wich add's a sanitising function, then a page that accepts post only needs the lines

 

require('includes/functions/account_secure.php');
clean_post ();

 

added at the start. wink.gif

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Link to comment
Share on other sites

Hi Sam

 

I could not find a support thread for Sam's anti-hacker account mods V1.4.

 

I gave up with ‘Clean post vars’ in application top and decided to install this contribution instead.

 

So I am installing in stages and so far only installed ‘contact us’

 

Contact us is working fine, however I have three on my site

 

Contact Us

Price match

Ask a Question

 

I have duplicated your ‘contact us’ code and replace all instances of FILENAME_CONTACT_US with FILENAME_ASK_A_QUESTION however I still cannot get this to work. After filling in the form and clicking ‘continue’ It is redirecting to my 404 page

 

What am I missing? I hope you can help.

 

Regards

 

Ken

Link to comment
Share on other sites

I could not find a support thread for Sam's anti-hacker account mods V1.4.

 

 

Links to the support thread are given in the doc & in the zip file & in the download!!

 

I don't know where else I can put them to make it easier to find!! Where did u look?

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Link to comment
Share on other sites

FORMS:

 

Security Pro cleans the query string, however any forms using $_POST are un-affected, if you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

 

after:

 

require('includes/application_top.php');

add:

 
// clean posted vars
reset($_POST);
  while (list($key, $value) = each($_POST)) {
	   if (!is_array($_POST[$key])) {
		  $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
  		} else { unset($_POST[$key]); } // no arrays expected 
  }

 

This does not allow for arrays, additional code is needed if they are used.

 

 

Does this apply to any of the forms on the standard installation of osC2.2rc2a? If so, which?

Link to comment
Share on other sites

Does this apply to any of the forms on the standard installation of osC2.2rc2a? If so, which?

 

 

Yes, most of the forms use post, I couldn't say of hand which don't

 

You could look at Sam's Anti-hacker Account Mods which includes the latest sanitising code, ensures all your account & contact pages are safe & adds many extra features (PWA, super contact us, ajax State/Province/County pull down, date pull down, post code validation etc etc).

 

That creates a sanitising function that could be used on any page you needed.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Link to comment
Share on other sites

Security and PCI Compliance

 

We have recently been through the PCI Compliance process for our site http://www.abbeybook.com - it was difficult, but we finally got it done.

 

Our experience may help others running osCommerce 2.2rc2a with SSL who want to accept credit cards securely on the site itself, in addition to PayPal and other proxy methods. Note that our site is hosted by pair.com running *nix and not on our own UK-based Windows 2000 server, which had to be scanned separately.

 

First I want to thank the main contributors whose work was essential for our cleaning up of the website:

 

spooks - for his original post in this thread, which provided links to security measures mentioned below, and sound guidance on folder permissions and removing Filemanager from admin

 

FWR Media - for Security Pro, preventing injection attacks (with very few problems), http://addons.oscommerce.com/info/5752

 

pixclinic - for Anti XSS addition to htaccess, to stop Cross Site Scripting attacks, http://addons.oscommerce.com/info/6044

 

Jan Zonjee - for renaming/protecting admin folder + other hints, http://www.oscommerce.com/forums/index.php?showtopic=340995

 

The first scan of our website by SecurityMetrics came up with a list of vulnerabilities as long as your arm, including 12 Risks in red ranging from level 4 to level 8. In the first iteration, with help from SecurityMetrics shift-working staff, we took all the measures recommended in the contributions mentioned above. We then checked that the site was still operating corectly - which it was.

 

The next scan showed we had got rid of the most serious Risks in the red list, but not 2 at level 5 which had versions of this:

 

Synopsis : The remote web server contains a PHP script that is prone to an information disclosure attack. Description : Many PHP installation tutorials instruct the user to create a PHP file that calls the PHP function 'phpinfo()' for debugging purposes. Various PHP applications may also include such a file. By accessing such a file, a remote attacker can discover a large amount of information about the remote web server, including : - The username of the user who installed php and if they are a SUDO user. - The IP address of the host. - The version of the operating system. - The web server version. - The root directory of the web server. - Configuration information about the remote PHP installation. Solution: Remove the affected file(s). Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)

 

It took 3 further iterations to remove these exceptions and get the site PCI Certificate. First we took out all instances of phpinfo.php which we could find. Then we removed server.info - which includes phpinfo() - and code references to it in other admin files. Then at last we found a file called info.php - also with phpinfo() - which I had used a long time ago to get the php version. At a quarter to midnight, we passed the test - Bingo!

 

In all of this I would echo Deborah's 2008 comment:

 

It always helps having to be pci compliant too....having that scan every few days going through your system catching anything that may be vulnerable. Never hurts to alert you to vulnerabilities.

 

I love the Security Pro. I tried the IP trap but it worked so well my pci compliance scanner got blocked *laughing*. Now I just keep looking at my error log, and put questionable entities in my disallow lines of my .htaccess file. That may not be the best way to do it, but it's what I've got for now.

 

Hope this helps others tackle what can be a rather daunting task. Comments welcome from more experienced contributors, particularly if I have got any of this wrong.

 

John

Link to comment
Share on other sites

Security and PCI Compliance

 

It took 3 further iterations to remove these exceptions and get the site PCI Certificate. First we took out all instances of phpinfo.php which we could find. Then we removed server.info - which includes phpinfo() - and code references to it in other admin files. Then at last we found a file called info.php - also with phpinfo() - which I had used a long time ago to get the php version. At a quarter to midnight, we passed the test - Bingo!

 

Thanks for the informative post.

I'd be interested to know exact steps taken here as my host seems to think it's fine to keep leaving a php.info file for all to view on the server when they are problem solving (creating). I removed server.info a long time ago and the link to it in admin - is there something else I need to do? Which code references in admin do I need to remove?

 

Cheers

I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire

Link to comment
Share on other sites

I got a question about the htaccess protection scripts found at the start of this tread. Where or what htaccess files should those be in? There are a lot of folders within OsCommerce that have htaccess files and I need to know which ones I should be modifying or if some of the mods even are applicable to be within some folders. Thanks. I would like to get these done before my site goes live.

Link to comment
Share on other sites

Where or what htaccess files should those be in?

 

 

.htaccess esp security should generally be placed in the root, if it needs to be placed elsewhere the add-on will say so.

 

if you need more try google http://www.google.co.uk/search?ie=UTF-8&q=htaccess%20made%20easy

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Link to comment
Share on other sites

I just renamed the admin but now I can't access it.

 

So from domain.com/store/admin to domain.com/store/bingo

 

But when I access the latter site to login, it doesn't work. Any help is appreciated.

Contributions installed: Purchase without Account / STS/ All Products/ Header Tags Controller

Link to comment
Share on other sites

I just renamed the admin but now I can't access it.

 

So from domain.com/store/admin to domain.com/store/bingo

 

But when I access the latter site to login, it doesn't work. Any help is appreciated.

Did you change the configure.php file also, or just rename the folder?

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?

Link to comment
Share on other sites

Did you change the configure.php file also, or just rename the folder?

 

Oh I just renamed the folder.

 

Can you tell me in what directory the configure.php file is and what should I change there? (I have a configuration.php file, not sure if its the same).

 

EDIT: I found the file and have updated everything. All is in order, thanks.

Contributions installed: Purchase without Account / STS/ All Products/ Header Tags Controller

Link to comment
Share on other sites

My post should have said server_info.php in admin, not server.info - sorry if this gave you a wrong trail. But for security/PCI compliance purposes I think it is only necessary to remove from the accessible code any instance of phpinfo(). We did not find any admin instances other than in server_info.php (file_manager.php needs to be removed for other reasons). We got rid of references to that and to server_info elsewhere in admin simply for tidiness.

 

You are right to point out that problems can be caused by host technical staff leaving phpinfo files around when they try to be helpful.

 

John

 

Thanks for the informative post.

I'd be interested to know exact steps taken here as my host seems to think it's fine to keep leaving a php.info file for all to view on the server when they are problem solving (creating). I removed server.info a long time ago and the link to it in admin - is there something else I need to do? Which code references in admin do I need to remove?

 

Cheers

Link to comment
Share on other sites

Then we removed server.info - which includes phpinfo() - and code references to it in other admin files. Then at last we found a file called info.php - also with phpinfo() - which I had used a long time ago to get the php version. At a quarter to midnight, we passed the test - Bingo!In all of this I would echo Deborah's 2008 comment:Hope this helps others tackle what can be a rather daunting task. Comments welcome from more experienced contributors, particularly if I have got any of this wrong.John

 

I have two server_info.php files. One is in admin and the other is in admins/includes/languages/english. Should both of these files be deleted? I don't see anything names info.php.

Link to comment
Share on other sites

I have two server_info.php files. One is in admin and the other is in admins/includes/languages/english. Should both of these files be deleted?

 

1) Remove this code in admin/includes/boxes/tools.php:

'<a href="' . tep_href_link(FILENAME_SERVER_INFO) . '" class="menuBoxContentLink">' . BOX_TOOLS_SERVER_INFO . '</a><br>' .

 

2) remove the files:

admin/includes/languages/english/server_info.php

admin/server_info.php

 

3) Maybe people want to do the same with define_language.php as I don't think that's in this thread already? It's a bit like "file_mangler".

 

I don't see anything names info.php.

 

4) The file is called phpinfo.php and could be placed above the route or in route, just delete and check regulary that host hasn't put another somewhere. I imagine if server is hacked and this is above route it's still a potential security hole on a shared server.

 

5) @acropolis - is that all you did - don't get what you mean "all accessible instances of phpinfo()"

 

6) Don't put the name of your admin folder in robots.txt

I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire

Link to comment
Share on other sites

1) Remove this code in admin/includes/boxes/tools.php:

'<a href="' . tep_href_link(FILENAME_SERVER_INFO) . '" class="menuBoxContentLink">' . BOX_TOOLS_SERVER_INFO . '</a><br>' .

 

2) remove the files:

admin/includes/languages/english/server_info.php

admin/server_info.php

 

3) Maybe people want to do the same with define_language.php as I don't think that's in this thread already? It's a bit like "file_mangler".

 

 

 

4) The file is called phpinfo.php and could be placed above the route or in route, just delete and check regulary that host hasn't put another somewhere. I imagine if server is hacked and this is above route it's still a potential security hole on a shared server.

 

Thank you, I deleted those two files & the reference. I had already done the define_language. I don't see a file called phpinfo.php. I do have one called phplot.php. That's as close as I've seen. Is this a file that is always there (phpinfo) or is it something that some web hosts add?

Link to comment
Share on other sites

Is this a file that is always there (phpinfo) or is it something that some web hosts add?

 

phpinfo.php is not part of osc. Hosts often add it so they can gather info about your installation to help them solve problems. Sometimes they don't bother to remove it and it can be browsed to by anyone giving away details about your setup that could be used maliciously. It's another good reason to have site monitor but that only checks files/ folders below where it is installed so if phpinfo.php is above route on server I think it may still be a hole if server hacked - maybe some experts can comment on that? I find it quite troublesome that some hosts don't take security seriously. I would change them if I knew I'd be better off elsewhere.

I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire

Link to comment
Share on other sites

Is it possible to have Spooks chime in on whether the server_info.php and phpinfo files should indeed be removed and if so, I think the original post should be amended to include this.

Contributions installed: Purchase without Account / STS/ All Products/ Header Tags Controller

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...