
osCommerce


spooks

How to secure your osCommerce 2.2 site.


Hello There!!

 

Great tips for securing shop, thank you very much.

 

I've got 2 little questions.

 

Why would I get an SSI error when loading my site whenever I add this to my .htaccess?

 

# Deny domain access to spammers and other scumbags
RewriteEngine on
php_flag register_globals off
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

 

I've added all of the .htaccess code I found good to my .htaccess and, after having the SSI error, I deleted what I had added 1 by 1 to see which one was causing the error, and it seems to be the code written above.

 

For information, I had a similar error (SSI error) at first when I installed my shop on my host, and this was coming from the SEO URL .htaccess code, which I needed to change from

 

# Ultimate SEO URLs BEGIN
Options +FollowSymLinks
RewriteEngine On
RewriteBase /

 

to

 

# Ultimate SEO URLs BEGIN
# Options +FollowSymLinks
RewriteEngine On
RewriteBase /

 

(commenting out the 2nd line)

 

----------------

 

Also, as you may know, when you install SEO URLs you get a bunch of bad-bot blocking code from the SEO .htaccess code to add.

 

There is more in http://addons.oscommerce.com/info/6066. I've not checked the whole list since it's very long, but I saw some are already in the SEO .htaccess code to add.

 

Any problem if one is listed 2 times in my .htaccess, or should I just go through the whole list with a compare program and make 1 single list, deleting those which are there 2 times?

 

Thank you for your time, Fabien.


Spooks!, does the link in this part (original input in this link) really point at the correct place? Thanks //Dan

 

FILEMANAGER:

 

It has long been known the filemanager is a security risk & should, nay MUST, be removed; if used for editing your site it is likely to damage your files, so it is a bad utility to keep anyway, see here. It's also been known it's a possible hacking route & to make matters worse there now exists a very nasty hack that uses filemanager to gain access to your site (dbase included!!)



It points to one of the issues with filemanager; why, what did you want it to point to?


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


OK, newbie here trying to make OSC secure before getting too deep into personalization. With that said, I tried to install FWR Security Pro, got the administration panel working, but then I got this error: "Fatal error: Call to a member function add_current_page() on a non-object in /home/chevypar/public_html/includes/application_top.php on line 341". Do I need to "UNINSTALL.sql" and if so how do I do that? Thanks for any help, since I'm dead in the water now...


OK. Now it's working and I don't know exactly what I did.


Subscribing to this thread

This has become a top priority


The Site can be viewed at www.performanceautopartsonline.com

 

The site is live (despite these minor glitches); please respect that and do not sign up etc...

 

Maybe a contribution one day when I get this site the way I want it.

 

I don't make spelling mistakes! I have dyslecsic fingers.


Why would I get an SSI error when loading my site whenever I add this to my .htaccess?

 

# Deny domain access to spammers and other scumbags
RewriteEngine on
php_flag register_globals off
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

 

OK, I found out the answer for this. It seems you are not allowed to add php_flag into a .htaccess, since most of the time (like on my host) you already have a register_globals option in your vhost control panel to switch register_globals on/off.

 

To make it work, just enter this in your .htaccess instead (deleting the php_flag line):

 

# Deny domain access to spammers and other scumbags
RewriteEngine on
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots


Hi,

 

Back to the (thorny?) subject of file and folder permissions: I have spoken to my host, who say basically that I am stuck with using 777 as they do not use PHPsuExec.

 

So I'm looking at moving hosts.

 

I'm conscious that I don't want this thread to be bombarded with host adverts - so could anyone (UK based) PM me with their preferred host who does use PHPsuExec (and doesn't cost the earth!)

 

Many Thanks


Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


What about just changing the permissions to 777 when you need to do something in admin that requires that level of permission, and changing them back down to 755 afterwards? It seems my directories can run at 555 most of the time without affecting the functionality of the site, although it's a nuisance when it comes to trying to upload or edit files through FTP, so there must be at least a good chance of not needing 777 all the time?


www.jyoshna.com. Currently using OsC with STS, Super Download Store, Categories Descriptons, Manufacturers Description, Individual Item Status, Infopages unlimited, Product Sort, Osplayer with flashmp3player, Product Tabs 2.1 with WebFx Tabpane and other bits and pieces including some I made myself. Many thanks to all whose contributions I have used!


Clean post arrays

 

Would there be a potential issue using the $_POST fix on pages that require a password? It's just that the most secure passwords may contain characters that may be cleaned off.

 

checkout_success appears to have POST and an array together? Should the fix be applied on that page?

 

Sorry I missed this, been v-busy.

 

This little snippet will replace the previous one & clean any arrays too:

 

// clean posted vars
function clean_var($vars) {
  if (!is_array($vars)) {
    // strip every character outside the allowed set from a scalar value
    return preg_replace("/[^a-zA-Z0-9@ :{}_.-]/i", "", urldecode($vars));
  } else {
    // recurse into nested arrays (e.g. product attribute ids)
    return array_map('clean_var', $vars);
  }
}
// each() was removed in PHP 8; foreach gives the same result
foreach ($_POST as $key => $value) {
  $_POST[$key] = clean_var($value);
}

 

I would note that the cart uses arrays for product attributes, so this is needed should you decide to add it to app top.

 

 

I don't think it would be a good idea to relax security just to enable complex passwords; you're only re-opening the hole!! Just inform your users what they can enter, and use PHP & JavaScript to validate the inputs.


Sam

 



If the default osCommerce script is really this vulnerable, I think osCommerce should let people know before they download the script and spend countless hours customizing their installation.

 

Excellent point. I've just downloaded and installed the 2.2rca client and have spent the best part of 2 days fixing the many Deprecated Functions error messages because I'm choosing to use the latest version of XAMPP. I do not accept that I should trawl the internet looking for older versions of PHP etc. so as to get OSC to work. Now I'm starting to work through the security issues and I'm amazed that the above add-ons haven't been added to the 2.2rca install.

 

I'm also somewhat amazed that, so far as I can find, there is no reasonable single installation guide or control document. As a new user of OSC I would like to see a very specific set of installation instructions in a very specific area. The "Quick install guide" and the "How do I..." are excellent documents but don't go far enough. Once a user has completed the basic install they should be directed to a specific area which contains/details all the latest patches/add-ons which need to be installed. As it stands I'm now looking at the Security; How to secure your site topic and I see a thread 134 pages long.... I've installed the Security Pro Update but strangely enough it hasn't worked; I do not get the FWR Security Pro option in admin/configuration so I am not able to set it to true. Does this now mean I must trawl through the 134 pages to discover that somewhere amongst these pages there is another fix for the Security Pro Update which adds the option, and if so will this also apply to all the other add-ons? I guess what I'm saying is how many of these add-ons have actually been validated, and if they have, why then haven't they been added to the 2.2rca install? It seems it's quicker for one person to modify the 2.2rca install than for everyone to modify the client once they have downloaded and installed it...

 

In truth I think I have seen enough of OSC for me now to decide not to use it. I think you guys have lost/are losing control. It seems one developer may write an add-on while someone else then adds another few lines of code to it later in the thread without any acknowledgement or amendment to the initial add-on. The amount of time I'm going to have to spend going through each thread trying to implement the latest add-on and fixes does not equate, especially when you consider that I may miss one or even part of one. I also wonder what happens once I have the cart up and running with all the relevant add-ons applied... Seems you just discovered a serious hole in OSC (http://forums.oscommerce.com/topic/348589-serious-hole-found-in-oscommerce/) but yet the article has been posted in a discussion thread. Personally I feel such a problem as this would be better highlighted if it were under an 'Alert' or 'Current Issues' forum rather than in a discussion forum!

 

Also for information, I had looked at your latest 3.0 version a few months ago but again it seems you've all yet to decide if this version is currently stable or not.... some say yes and some say no. I thought I could go with the 2.2rca now and then apply an upgrade package which I would presume you are looking at producing, but having now seen the lack of control relating to 2.2rca I do not see how you can do this. There must be 1000's of versions of 2.2 clients out there with full fixes, part fixes and even no fixes or add-ons applied, so I just do not see how it's going to be possible for you to produce a workable and viable upgrade package.

 

Anyway, it's just some feedback and I hope no one takes it to heart; as individual developers you're all excellent, but I just don't see any evidence that you're working together to any standards or controls regarding the ongoing support of OSC.

 

T

Guest

Firstly: -

Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.


Got a little question with the check permission add-on http://addons.oscommerce.com/info/6134

 

If I understand correctly, all of the php files should be 644.

 

On this add-on the defaults are:

Set php files NOT in ADMIN to 755

Set all other files NOT in ADMIN (gif, jpg, etc.) to 644

Set php files in ADMIN to 755

 

1st, what is the difference between php files not in admin and in admin....

If I read the first post it says all php files to 644.... so both of these default settings are wrong (in admin and not in admin)?? Should they be set to 644??

 

Thank you


... I added the code that you have mentioned to every file containing $_POST vars.

 

 

How can I add my language characters to the code? I mean something like š etc. All those characters get omitted in every form now.

 

 

I needed some modifications in the code to make it work in a language with some special characters (otherwise they were omitted, which proves the code is working :thumbsup: ;-) ):

 

This line

 

return preg_replace("/[^a-zA-Z0-9@ :{}_.-]/i", "", urldecode($vars));

 

was changed to this

 

return preg_replace("/[^a-zA-Z0-9а-яА-Я@ :{}_.-]/iu", "", urldecode($vars));

 

It worked for me. The characters I have added are Cyrillic. Since I use UTF-8 I need the "/iu" modifier instead of "/i".


Hello spooks,

Thank you for your constant support. I usually find all the answers, but I am not sure this time.

 

I installed Security Pro, IP trap, Anti XSS, .htaccess for the renamed admin folder, I deleted file_manager and define_language.php, and I added the code that you have mentioned to every file containing $_POST vars.

 

Can I remove the Anti XSS now that I have your code in every one of those files?

 

How can I add my language characters to the code? I mean something like š etc. All those characters get omitted in every form now.

 

Should we add your code to the admin part of the website too? I am asking because of this report http://secunia.com/advisories/22275/. I am sorry if it was discussed on the forum previously, I haven't found it.

 

Thank you very much for your help

 

 

You could use this code, though I've not tested it in other languages:

 

// clean posted vars
function clean_var($vars) {
  if (!is_array($vars)) {
    // \w instead of a-zA-Z0-9 so that word characters outside plain ASCII can pass
    return preg_replace("/[^\w@ :{}_.-]/i", "", urldecode($vars));
  } else {
    // recurse into nested arrays (e.g. product attribute ids)
    return array_map('clean_var', $vars);
  }
}
// each() was removed in PHP 8; foreach gives the same result
foreach ($_POST as $key => $value) {
  $_POST[$key] = clean_var($value);
}

I have used that code in the client-side application_top, so avoiding modding a load of files.

 

 

 

If adding it to admin you would need to allow more characters, as you add HTML etc. in admin, like:

 

// clean posted vars
function clean_var($vars) {
  if (!is_array($vars)) {
    // wider allowed set for admin: slashes, angle brackets, quotes, ampersand and equals for HTML
    return preg_replace("/[^\/\w@ :<>{}&\"\'=_.-]/i", "", urldecode($vars));
  } else {
    // recurse into nested arrays
    return array_map('clean_var', $vars);
  }
}
// each() was removed in PHP 8; foreach gives the same result
foreach ($_POST as $key => $value) {
  $_POST[$key] = clean_var($value);
}

 

But how useful it is then would be debatable; you may need to look at the specific areas mentioned in your link.


Sam
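The two questions above about this cleaner (whether strong passwords lose characters, and how to keep non-ASCII letters such as Cyrillic) are easiest to answer by running the posted patterns over sample data. The script below is an added example, not Sam's code and not part of osCommerce or any of the add-ons; the function names clean_var_with, cleaning_patterns, password_survives_cleaning and sample_post are my own, and the $_POST sample is constructed for the demonstration.

```php
<?php
// Added example for this thread: not Sam's code and not part of osCommerce.
// It runs the clean_var() idea from the posts above over a constructed $_POST
// sample so you can see what each pattern keeps: nested attribute arrays,
// a password with punctuation, and names containing non-ASCII letters.

// Same shape as the thread's clean_var(), with the pattern as a parameter so
// the variants can be compared side by side.
function clean_var_with($vars, $pattern)
{
    if (is_array($vars)) {
        // Recurse so nested arrays such as id[3]=7 (product attributes) are cleaned too.
        $out = array();
        foreach ($vars as $k => $v) {
            $out[$k] = clean_var_with($v, $pattern);
        }
        return $out;
    }
    $cleaned = preg_replace($pattern, '', urldecode($vars));
    // With the /u modifier preg_replace() returns null (not a string) when the
    // subject is not valid UTF-8. Hand back '' rather than letting null reach
    // the database layer.
    return ($cleaned === null) ? '' : $cleaned;
}

// The patterns posted in the thread plus a script-independent variant.
// \p{L} and \p{N} match letters and digits of any script under /u, whereas the
// explicit range а-я misses ё (U+0451) and Ё (U+0401), and whether \w covers
// non-ASCII letters under /u has changed between PHP/PCRE builds.
function cleaning_patterns()
{
    return array(
        'ascii'    => '/[^a-zA-Z0-9@ :{}_.-]/',          // first snippet
        'word_u'   => '/[^\w@ :{}_.-]/u',                // \w version with /u
        'cyrillic' => '/[^a-zA-Z0-9а-яА-Я@ :{}_.-]/u',   // explicit Cyrillic range
        'unicode'  => '/[^\p{L}\p{N}@ :{}_.-]/u',        // any letter or digit
    );
}

// Reject-instead-of-rewrite check for password fields (Sam's advice to validate
// inputs): true when the cleaner would leave the value untouched, so the form
// can show an error instead of silently storing a weaker password.
function password_survives_cleaning($password, $pattern)
{
    return preg_replace($pattern, '', $password) === $password;
}

// Constructed sample of what the storefront might post.
function sample_post()
{
    return array(
        'id'       => array(3 => '7', 5 => '12'),   // nested product attributes
        'name'     => 'Žofia Иванова',
        'password' => 'P@ss!w0rd#<b>',
    );
}

$post = sample_post();
foreach (cleaning_patterns() as $label => $pattern) {
    $out = clean_var_with($post, $pattern);
    printf("%-9s name=%-16s password=%-10s id=%s password-ok=%s\n",
        $label, $out['name'], $out['password'], json_encode($out['id']),
        password_survives_cleaning($post['password'], $pattern) ? 'yes' : 'no');
}
// Invalid UTF-8 under /u: the cleaner returns '' instead of null.
var_dump(clean_var_with("\xC3", '/[^\p{L}]/u'));
```

Run it from the command line with `php` on the same PHP version your host uses. The nested id array comes through intact under every pattern; the password loses `!`, `#`, `<` and `>` under all of them, which is why a rejecting check at registration is preferable to silently rewriting the value; and only the last two patterns keep the Cyrillic surname, with `\p{L}` also keeping the Latin-extended `Ž` that the explicit `а-я` range drops.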

 



I see the recommendation is to install the Cross Site Scripting mod, and it prevents html tags from being entered into the database. However, my item descriptions are FULL of html code. How can you have a decent site without using html code in the descriptions?

 

So, how do we prevent Cross Site Scripting and at the same time use HTML code in the product descriptions?

 

Did I read something wrong?


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


which Cross Site Scripting mod to use

1st, I only use the .htaccess version of that mod (called 'other version').

 

2nd, code on the client side will not affect admin; .htaccess will, but you will be fine with the above.


Sam

 



I've installed IP Trap 4 and am having a little problem..

It seems to work in that I can get myself banned and then, after editing the banned list, I am free to visit the site again; however, the whitelist doesn't seem to work. When I enter my IP on this list (after having deleted the info from the banned list) I still get banned each time rather than simply being forwarded to the homepage as should happen?

 

..anyone else had this problem?


 

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

 

 

 

hi there,

 

I have successfully made all of the security changes except for the above one, as I wasn't sure which one of the versions to download; can you please point out the best one to use?

 

There is also an alternative as posted by Steve, located at: http://addons.oscommerce.com/info/6546

 

I'm just unsure which one to install?

 

thanks in advance

 

dan


Also, would my admin directory still be vulnerable if my .passwds file is in my /admin/ directory, as my host does not allow me to upload to anything but the public_html folder and does not have cPanel?

dan


It has been suggested to use the one called "Other Version", which I did with good results. Others here can tell you the valid reasons for doing so.

 

No, you should be OK with your .passwds file there if you are not allowed to upload outside of your web space. Can you put the file in the same directory as the one you are trying to protect? Never tried... If it doesn't work you will know why.




It would still be vulnerable, because even if you can't upload scripts into the directory, the database can still be accessed from that directory. So long as it is called 'admin' and not password protected, there are hacks that can be exploited simply by accessing the files in that directory. It does, at the very, very least, have to be hidden by changing its name from the default, and FWR's script change to application_top (mentioned in the 'Serious Hole in osCommerce' thread) applied. All security measures that can be implemented should be implemented, even if .htaccess/htpasswd protection is not possible.




hi there,

 

Thanks, yes the .passwds file is in the same directory as the .htaccess file; would this mean the directory is secure?

 

Also, the admin directory has been renamed as described in the first post.

 

thanks

dan


Got a little question with the check permission add-on http://addons.oscommerce.com/info/6134

 

If I understand correctly, all of the php files should be 644.

 

On this add-on the defaults are:

Set php files NOT in ADMIN to 755

Set all other files NOT in ADMIN (gif, jpg, etc.) to 644

Set php files in ADMIN to 755

 

1st, what is the difference between php files not in admin and in admin....

If I read the first post it says all php files to 644.... so both of these default settings are wrong (in admin and not in admin)?? Should they be set to 644??

 

Thank you

 

Sorry to hijack this thread.

 

Differences between in and not in the admin directory: nothing to my knowledge, just giving you flexibility.

 

On security, I bow to Spook's superior knowledge; I believe I based it on the knowledgebase article http://www.oscommerce.info/kb/osCommerce/Installation_and_Upgrades/224, but having just read it, it wasn't that.

 

Personally I tie it down as tight as possible.

 

This is open source so feel free to update the contribution to prompt with 644.

 

Cheers

 

G

 

PS If you have any questions on that contribution please post in http://forums.oscommerce.com/index.php?showtopic=311123&hl=; I only stumbled on this by accident.


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.
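The permission discussion in this thread (the host that insists on 777, the 555/755 question, and the add-on defaulting php files to 755 where the first post says 644) comes down to one check: which entries carry mode bits beyond the baseline. The script below is an added example, not the check permission add-on and not code from any poster; permission_findings, build_demo_tree and remove_demo_tree are my own names, the baseline modes are parameters, and the directory tree it inspects is constructed in a temp directory so it runs on any Unix host without touching a real shop.

```php
<?php
// Added example (not from the thread and not the check-permission add-on):
// walk a tree and report entries whose mode is looser than the baseline the
// thread recommends (644 for files, 755 for directories) and flag anything
// world-writable, i.e. the 777 case. Unix hosts only; chmod() is a no-op on Windows.

function permission_findings($root, $file_mode = 0644, $dir_mode = 0755)
{
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode     = fileperms($path) & 0777;        // drop the file-type bits
        $expected = $info->isDir() ? $dir_mode : $file_mode;
        $extra    = $mode & ~$expected;             // bits set beyond the baseline
        if ($extra !== 0) {
            $findings[] = array(
                'path'           => substr($path, strlen($root) + 1),
                'mode'           => sprintf('%04o', $mode),
                'expected'       => sprintf('%04o', $expected),
                'world_writable' => ($mode & 0002) !== 0,
            );
        }
    }
    usort($findings, function ($a, $b) { return strcmp($a['path'], $b['path']); });
    return $findings;
}

// Constructed demonstration tree mirroring the cases raised in the thread.
function build_demo_tree()
{
    $root = sys_get_temp_dir() . '/perm_demo_' . getmypid();
    mkdir($root . '/images', 0755, true);
    mkdir($root . '/admin', 0755);
    $files = array(
        'index.php'       => 0755,   // the add-on's default for php files
        'admin/login.php' => 0644,   // what the first post recommends
        'images/logo.gif' => 0666,   // group- and world-writable image
    );
    foreach ($files as $rel => $mode) {
        file_put_contents("$root/$rel", '');
        chmod("$root/$rel", $mode);
    }
    chmod($root . '/images', 0777);   // the "host says use 777" case
    return $root;
}

function remove_demo_tree($root)
{
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($iter as $path => $info) {
        $info->isDir() ? rmdir($path) : unlink($path);
    }
    rmdir($root);
}

$root = build_demo_tree();
foreach (permission_findings($root) as $f) {
    printf("%-16s mode %s expected %s%s\n", $f['path'], $f['mode'], $f['expected'],
        $f['world_writable'] ? '  <-- world-writable' : '');
}
remove_demo_tree($root);
```

On the demo tree this reports `images` (0777) and `images/logo.gif` (0666) as world-writable and `index.php` (0755) as carrying execute bits it does not need, while `admin` at 0755 and `admin/login.php` at 0644 pass. A directory at 555 also passes, since it sets nothing beyond 755, which matches the observation above that 555 works for most of the site. To run it against a real shop, call permission_findings() on the catalog path instead of build_demo_tree() and leave remove_demo_tree() out.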

 


