
osCommerce


Archived

This topic is now archived and is closed to further replies.

spooks

How to secure your osCommerce 2.2 site.

Recommended Posts

Well, I'm using CRE Loaded so I don't know exactly what's in there.

 

 

Doesn't CRE have any security advice?

I mentioned a little earlier the most important measures; make sure you complete at least those.


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.



 

CRE Loaded doesn't seem to care for their customers these days. I looked at the logs; I think I found the guy, but I still can't see what he did. It's some SQL injection of some kind, but I don't know what.



 

 

If you install what I said he won't be able to get back in. If CRE don't support, perhaps it's time you changed.


Sam

1. That's the default behaviour for osC; you need to mod the upload class to fix it:

   function upload($file = '', $destination = '', $permissions = '777', $extensions = '') { // '777' is world-writable; e.g. '644' is a tighter default

change that as you need for your server

2. You have failed to run the setup file, so the admin settings do not exist; run that to fix your issue.

3. I don't know .htaccess that well, but that looks incomplete to me, try:

RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.YOURSITE\.com [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^(.*)$ http://www.YOURSITE.com/$1 [L,R=301]

4. Sorry, don't know any; it's a lot of effort to write them and they're often not appreciated when you do, so many don't bother.

Thank you so much, Spooks. I was able to change the class/upload file and it's working properly now. I also ran the setup for the database backup program and it looks good too.

I must have copied the code incorrectly in my previous message (for the .htaccess), but even with the correct code you posted I still have a problem. I can get to the homepage, but everything after that times out; Firefox says it is an endless loop. Regardless, I will look around a bit more and if I find an answer will post back.

Thank you again,

Harold

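An added example (not the osCommerce upload class and not code from this thread) of the checks the stock upload defaults leave to the site owner: an extension allow-list, a file name stripped of any path component, and a non-executable, non-world-writable mode instead of '777'. The helper name save_upload(), the allowed-extension list, the 0644 mode and the form field name are assumptions for illustration; DIR_FS_CATALOG_IMAGES is osCommerce's own constant from configure.php.

```php
<?php
// Added example, not osCommerce's includes/classes/upload.php.
// save_upload() is a hypothetical helper; the allow-list and the 0644
// mode are illustrative choices, adjust them for the server.

function save_upload(array $file, $destination_dir,
                     array $allowed_ext = array('jpg', 'jpeg', 'png', 'gif'),
                     $permissions = 0644)
{
    // $file is one entry of $_FILES, e.g. $_FILES['products_image']
    if (!isset($file['tmp_name'], $file['name'], $file['error'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // Only accept a file PHP itself received in this request
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // Drop any directory part the client sent ("../../admin/x.php")
    $name = basename(str_replace('\\', '/', $file['name']));
    // One safe base name, one dot, one extension: "shell.php.jpg" and
    // ".htaccess" are rejected by the pattern itself
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $name, $m)) {
        return false;
    }
    if (!in_array(strtolower($m[1]), $allowed_ext, true)) {
        return false;
    }
    $target = rtrim($destination_dir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return false;
    }
    // 0644 = owner read/write, everyone else read-only; never executable
    chmod($target, $permissions);
    return $target;
}

// Usage from a form with <input type="file" name="products_image">
// (field name assumed):
if (isset($_FILES['products_image'])) {
    $saved = save_upload($_FILES['products_image'], DIR_FS_CATALOG_IMAGES);
    if ($saved === false) {
        // reject the request; do not fall back to saving the file anyway
    }
}
```

The extension check only constrains the name, not the content; for image uploads add a getimagesize() check on the temporary file before moving it, and make sure the web server is not configured to execute PHP inside the images directory at all.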


 

Yes, you are right. I found what happened. One of the sites on my server was hacked and they got me from there.


Hi spooks,

 

thank you for this security advice

I installed the add-on http://addons.oscommerce.com/info/6044 Anti XSS against Cross Site Scripting attacks in the original version (Protev, June 2008). I get an error in the line

 

$search .= '~`";:?+/={}[]-_|'\';

 

Should this line be like that:

 

 

$search .= '~`";:?+/={}[]-_|\\';

 

with \\ instead of '\ in the string ?

 

Thank you

 

Martin



 

Personally I only use the htaccess parts of that contrib, but you're right, that line is in error: reserved characters are not being escaped. It should be something like:

 

$search .= '~`\";:?+\/={}[]-_|\''; 


Sam
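As an added example (not code from the Anti XSS add-on or from this thread), here is what PHP actually stores for single-quoted literals like the ones above. Inside single quotes only two escapes exist, \\ and \', and every other backslash is kept as a character, which is why the original line is a parse error and why \" and \/ do not do what they look like they do. The character set in $search and the strip function are assumptions about how the add-on uses the list; the original line is appended with .=, so whatever the add-on put into $search before that line is not shown here.

```php
<?php
// Added example; not code from the Anti XSS add-on.
// In a single-quoted PHP string only two escape sequences exist:
//   \\  -> one backslash
//   \'  -> one single quote
// Any other backslash (e.g. \" or \/) stays in the string as a character.

// The three forms of the line discussed in the thread, as PHP actually
// stores them; compare their lengths and contents when run.
function literal_variants()
{
    return array(
        // ...|\\'  : ends in a backslash and contains no single quote
        'double_backslash'    => '~`";:?+/={}[]-_|\\',
        // ...\";...\/...|\'  : the backslashes of \" and \/ survive as characters
        'escaped_quote_slash' => '~`\";:?+\/={}[]-_|\'',
        // Assumed intent: the listed characters plus ' and \, escaped only
        // where single-quote syntax requires it
        'intended'            => '~`";:?+/={}[]-_|\'\\',
    );
}

// Assumed use of the list: remove every listed character from a value.
function strip_listed_chars($value, $list)
{
    return str_replace(str_split($list), '', $value);
}

// Demonstration on constructed input
foreach (literal_variants() as $name => $s) {
    printf("%-20s %2d chars: %s\n", $name, strlen($s), $s);
}
$variants = literal_variants();
echo strip_listed_chars("<a href=\"x\">'; DROP--", $variants['intended']), "\n";
```

A character blacklist of this kind removes only the characters it lists; it is no substitute for escaping values on output and for passing database input through osCommerce's tep_db_input().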

Hi spooks,

 

OK, thank you. What version of the htaccess parts of that contrib do you prefer?

 

Martin

 

 

It's titled 'other version' in the download section.


Sam

Spooks.

 

I am redoing my entire site because of being hacked continually over the last several weeks and am putting into place all your suggested security measures.

You recommended: Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

 

I added just the .htaccess part as you mentioned in earlier post.

The directions on this link have a recommendation for using a different contribution http://addons.oscommerce.com/info/6546

 

Which do you suggest using?

 

Thank you.

madstarr



 

The 2nd contrib you refer to is very limited in function: all it does is clean the string at the point of entry into the database. It's perfectly feasible that an SQL injection attack could have inserted code prior to that point; also, if you've applied the other snippets for cleaning the GET & POST, then the string would already be cleaned by then.

The first, being htaccess, is much more powerful and comprehensive; in truth there is no contest!


Sam


 

Thanks Spooks. Working away at it. It appears that Google identified the malware on mine as traffcount.cn, just an FYI for anybody out there.


 

FORMS:

 

Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

 

after:

 

require('includes/application_top.php');

add:

 
// clean posted vars: keep only space, letters, digits and @ % : { } _ . -
foreach ($_POST as $key => $value) {
  if (!is_array($value)) {
    $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($value));
  } else {
    unset($_POST[$key]); // no arrays expected
  }
}

 

This does not allow for arrays, additional code is needed if they are used.

 

I just wondered the quickest way to check which files I may need to add this code to. Is there a file checker/search programme that can go through the folders? Am I looking for $_POST or $HTTP_POST_VARS, and tep_draw_form as well?

 

Thanks


I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire



 

 

Most pages that use forms use the post method; some simply add this snippet to application_top to cover all, but remember some add-ons use arrays that this would delete, and some (mainly payment modules) use characters that this would remove.

 

Sorry not the precise answer you wanted!

 

 

PS: osC uses $HTTP_POST_VARS, but add-ons may use $_POST; the two are interchangeable, though $HTTP_POST_VARS is deprecated in PHP 5.


Sam


Where would you recommend as the best spot to insert the snippet if you were going to put it in app_top.php? Right before everything else?

 

Thanks! :D



 

 

No, maybe at the end, but I think the best place would be just before the cart functions, i.e. just before

switch ($HTTP_GET_VARS['action']) {


Sam


 

Thanks for the last reply. I'm looking at account_edit.php first off. It has $HTTP_POST_VARS so I added the above code. But an email address has @, so should that character be added to preg_replace? The word array appears in the file; will this make a difference? How do I test if it's working?

I have anti-robot registration installed.

 

I'm unsure about this and a little nervous I break something.





 

 

If you look, the @ is already there in that string.

 

osC uses arrays a lot, but arrays within post vars very rarely, and not within account_edit.php; just test to see if any entered data is lost where the form action includes the add_multi param.


Sam


 

OOPS! Perhaps I should have gone to the optician first! Sorry about that! Double DOH! In account_edit I put this for the customer name: [w](o)%3Cr%3Ek|i*n^g but it still says [w](o)%3Cr%3Ek|i*n^g. Shouldn't it say "working"? Or did I test it wrongly?





 

 

Likely your server is treating $_POST and $HTTP_POST_VARS separately.

Near the start of application_top.php add:

if (version_compare(PHP_VERSION, '4.1.0', '>=')) { $HTTP_GET_VARS =& $_GET; $HTTP_POST_VARS =& $_POST; }

 

 


Sam
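An added example (not osCommerce code and not the thread's snippet as posted) that generalises the POST-cleaning code discussed in the last few posts: it applies the same character class, but walks nested arrays instead of dropping them and takes a list of field names to leave alone, because the class silently strips characters such as ! # $ from a password and non-ASCII letters such as š from any field. It also shows the $HTTP_POST_VARS alias from the reply above, applied before the clean so both names see the cleaned data. The helper names, the form field names and the sample input are assumptions constructed for this example.

```php
<?php
// Added example, not osCommerce code and not the thread's snippet as posted.
// clean_post() and clean_value() are hypothetical helper names.

// Same character class as the thread's snippet: anything outside it is removed.
// Outside it are < > ' " ( ) ; but also ! # $ & * and every non-ASCII
// letter (š, ü, ...), so use $skip for fields that legitimately need them.
define('CLEAN_DISALLOWED', '/[^ a-zA-Z0-9@%:{}_.-]/');

function clean_value($value)
{
    if (is_array($value)) {
        // Walk nested arrays (the thread's snippet unset()s them instead);
        // keys are attacker-controlled too, so clean them the same way
        $out = array();
        foreach ($value as $k => $v) {
            $out[preg_replace(CLEAN_DISALLOWED, '', (string)$k)] = clean_value($v);
        }
        return $out;
    }
    return preg_replace(CLEAN_DISALLOWED, '', urldecode((string)$value));
}

function clean_post(array $post, array $skip = array())
{
    foreach ($post as $key => $value) {
        if (in_array((string)$key, $skip, true)) {
            continue;               // e.g. passwords: leave them untouched
        }
        $post[$key] = clean_value($value);
    }
    return $post;
}

// Constructed sample input, including the thread's own test string
// (%3C and %3E decode to < and > before the strip runs)
$sample = array(
    'firstname'     => '[w](o)%3Cr%3Ek|i*n^g',
    'email_address' => 'sam@example.com',                      // @ and . are allowed
    'password'      => 'P@ss!w0rd#$',                          // skipped below
    'id'            => array('1' => '5<script>', '2' => '7'),  // kept and cleaned
);
var_export(clean_post($sample, array('password')));
echo "\n";

// In application_top.php (osC 2.2 reads $HTTP_POST_VARS): alias first so a
// clean of $_POST is what $HTTP_POST_VARS sees, then clean in place.
// The password field names are assumed; use your own form's names.
$HTTP_POST_VARS =& $_POST;
$_POST = clean_post($_POST, array('password', 'confirmation'));
```

Two caveats a practitioner should keep in mind: urldecode() runs once and % is in the allowed set, so a double-encoded value such as %253C comes out as %3C and passes, to be decoded later by whatever reads it; and a character blacklist like this one is a stopgap in front of the real fixes, which are escaping database input with tep_db_input() and escaping values on output.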


 

Thank you Sam, it is now "working" so I will go and do the other files. Should we do the admin side as well?




Would there be a potential issue using the $_POST fix on pages that require a password? It's just that the most secure passwords may contain characters that would be cleaned off.

checkout_success appears to have POST and array together. Should the fix be applied on that page?




Hello spooks,

thank you for your constant support. I usually find all answers, but I am not sure this time.

 

I installed Security Pro, IP trap, Anti XSS, htaccess for the renamed admin folder, I deleted file_manager and define_language.php, and I added the code that you have mentioned to every file containing $_POST vars.

 

Can I remove the Anti XSS now that I have your code in each of those files?

 

How can I add my language's characters to the code? I mean something like š etc. All those characters get omitted in every form now.

 

Should we add your code to the admin part of the website too? I am asking because of this report http://secunia.com/advisories/22275/ I am sorry if it was discussed on the forum previously; I haven't found it.

 

Thank you very much for your help


My first post here.

 

I just wanted to thank spooks and others for saving our bacon.

 

We were on our third day of fighting off hackers and somehow I stumbled on this site. A couple of the "patches" stopped the jealous idiot in his tracks.

 

THANKS!! :D

