Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Archived

This topic is now archived and is closed to further replies.

spooks

How to secure your osCommerce 2.2 site.

Recommended Posts

Guest

Hi all!

 

When one apply the fixes in this topic to oscommerce ms2, is the problem spam from contact_us.php (misuse of your website) solved ?

 

Jack_mcs told me that this is already fixed in RC1/2/2a, but which fix has done it ?

 

I saw the the list ms2->rc1, rc1->rc2 and rc2->rc2a but I can't find the fix (the programs contact_us.php and email.php were not changed since ms2, so it must be a function etc.) ...

Share this post


Link to post
Share on other sites

[Anit spam

When one apply the fixes in this topic to oscommerce ms2, is the problem spam from contact_us.php (misuse of your website) solved ?

 

Jack_mcs told me that this is already fixed in RC1/2/2a, but which fix has done it ?

 

 

 

I think Jack was talking more gereally, if you want a full list of mods see Upgrading osC from 2.2 MS2 to 2.2 RC2a http://addons.oscommerce.com/info/6654

I hope your not cherry picking bits of the rc2a upgrade, you need to do it all! ohmy.gif

 

There is no anti-spam by default, its not a security issue per say, just a nuisance, try adding Capcha &/or increasing input validation. wink.gif

 

there is Anti Robot Registration Validation http://www.oscommerce.com/community/contributions,1237


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites
Guest

[Anit spam

 

 

I think Jack was talking more gereally, if you want a full list of mods see Upgrading osC from 2.2 MS2 to 2.2 RC2a http://addons.oscommerce.com/info/6654

I hope your not cherry picking bits of the rc2a upgrade, you need to do it all! ohmy.gif

 

There is no anti-spam by default, its not a security issue per say, just a nuisance, try adding Capcha &/or increasing input validation. wink.gif

 

there is Anti Robot Registration Validation http://www.oscommerce.com/community/contributions,1237

 

Hi Spooks,

 

Thanks for your answer.

 

I have the feeling (but maybe because English is not my native language as you guess) there is a misunderstanding.

 

I mean contact_us.php is being used by others to send mass of emails to others (not the owner of the shop), so the server has been used to send emails to others.

 

I was looking for a solution, I looked already to all the modifications from ms2->rc2a, but I can't find one which prevents this problem. Of cours there are some contributions (already since 2005) but my question was, which is the best (general question who can answer it). Or another question which of the modifications prevents this (if there is/was a modification for this problem build in oscommerce even a combination of modifications). So curiously 1) to prevent this problem 2) to learn from .. without the internet very difficult ...

Share this post


Link to post
Share on other sites

I mean contact_us.php is being used by others to send mass of emails to others (not the owner of the shop), so the server has been used to send emails to others.

 

 

 

I suspect its not contact_us.php but your admin mail.php thats being used, upgrade to rc2a & apply all the security measures detailed in the OP & you wont have an issue, do the detailed admin ones first.

 

In anycase if you bothered to do that 1st you would'nt be asking, i say again don't cherry pick bits. ohmy.gif


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites
Guest

I suspect its not contact_us.php but your admin mail.php thats being used, upgrade to rc2a & apply all the security measures detailed in the OP & you wont have an issue, do the detailed admin ones first.

 

In anycase if you bothered to do that 1st you would'nt be asking, i say again don't cherry pick bits. ohmy.gif

 

Thanks Spooks but it was contact_us.php, the provider had switch it off but 3 weeks ago without informing me so I can't check it in the logs anymore.

 

No not every store can be upgraded to RC2a when they are full with modifications and layout/templates, I think the customer can't afford that and in fact I find it not really necessary, only the security things because they are important (admin login etc. is easy to build in).

 

So I go to install VVC but it is not preventing the problem, it is always possible to send emails from your webshop once at once ... but maybe your recommodations like contribution 'Security Pro' prevents this problem also ... (i am busy now with al that contributions) ...

Share this post


Link to post
Share on other sites

not every store can be upgraded to RC2a when they are full with modifications and layout/templates, I think the customer can't afford that and in fact I find it not really necessary,

 

 

Thats very short sited, in time you will have no choice as hosts upgrade and ms2 requirements like Register Globals On become unavailabe (rg on could be the root of your issue)

 

I hope you realise that should your apparent lakidasical attitude to security be discovered (compremising your customers data security) you could be found guilty of offences.

 

you say

customer can't afford that and in fact I find it not really necessary
but in fact the opposite is true, you ignore these matters at your peril!! ohmy.gif

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites
Guest

Thats very short sited, in time you will have no choice as hosts upgrade and ms2 requirements like Register Globals On become unavailabe (rg on could be the root of your issue)

 

I hope you realise that should your apparent lakidasical attitude to security be discovered (compremising your customers data security) you could be found guilty of offences.

 

you say but in fact the opposite is true, you ignore these matters at your peril!! ohmy.gif

 

Hi Spooks, do customers need extra functionality what is not related to security, I don't think so (it's a choice).

So I said I build all the security issues in the older shops like register globals off, your recommodated contributions, an admin login, .htacces (so 2x) etc. Did I say I don't ? So my customers have no problems anymore and if a customer want version 3 etc. that would be possible all the time if they want to spent the money for it, but the most they won't and I understand if everything goes well and are satisfied with turnovers and no 'security' problems anymore ...

 

Besides I shall not use VVC, I use Security Pro for some programs too for $_POST fields like in contact_us.php and that must solved the case I think ..

Share this post


Link to post
Share on other sites
Guest

Hi Spooks, Jack solved it for me, see a copy here from my answer (good to be a part of this topic to show the meaning of your recommended contributions ..)

 

 

Dear Jack,

 

You solved the problem with your excellent contribution 'Sitemonitor'. Very funny, you presented a list of possible hacked code and one of it was catalog/includes/languages/english/contact_us.php full with code to sent mass of emails. As you can remember from questions a month of 1,5 ago (see my name) a customers website was hacked for jp morgan bank and paypall. I think the same had changed that code in that period because they can't come in anymore now but they still try (seeing the logs). So they have a way to use contact_us.php in that time and now. But you reported more on your list and go to find out (but maybe that was not hacked).

 

Strange I checked in that period the dates of the programs and could not find changes (of course I could find the criminal programs) so maybe it is possible to change programs without changing dates ...

 

Thanks again, great contribution ...

Share this post


Link to post
Share on other sites
Guest

Security Pro cleans the query string, however any forms using $_POST are un-affected, if you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

 

after:

 

require('includes/application_top.php');

add:

 
// clean posted vars
reset($_POST);
  while (list($key, $value) = each($_POST)) {
	   if (!is_array($_POST[$key])) {
		  $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
  		} else { unset($_POST[$key]); } // no arrays expected 
  }

 

This does not allow for arrays, additional code is needed if they are used.

 

Hi Spooks,

 

After applying this I could not remove items from the shopping cart anymore, I go to find out why ... because checked fields has 0 or 1 as value ...

Share this post


Link to post
Share on other sites
Guest

Hi Spooks,

 

After applying this I could not remove items from the shopping cart anymore, I go to find out why ... because checked fields has 0 or 1 as value ...

 

In fact I did it twice for $_POST and the old $HTTP_POST_VARS, and for the shopping cart the last is still used in the code (for compatibility), so when I was using only $_POST nothing happens because the check field is an array, but when I clean also $HTTP_POST_VARS the problem is (it's an array) the field is cleaned by unset. What is the meaning here of the unset ?

 

Ok I understand now, it will be unset because when you don't expect arrays.

 

So you must be carefully to take over this exact code, so forget the last unset statement and use this cleaning only for the not array fields unless you add your own code for every array (mostly when I program check fields I don't use arrays but give them the names of e.g. product_id's and than this small contribution works for that fields too).

If you have array fields you have to program them by yourself for each array ...

Share this post


Link to post
Share on other sites

In fact I did it twice for $_POST and the old $HTTP_POST_VARS, and for the shopping cart the last is still used in the code (for compatibility), so when I was using only $_POST nothing happens because the check field is an array, but when I clean also $HTTP_POST_VARS the problem is (it's an array) the field is cleaned by unset. What is the meaning here of the unset ?

 

Ok I understand now, it will be unset because when you don't expect arrays.

 

So you must be carefully to take over this exact code, so forget the last unset statement and use this cleaning only for the not array fields unless you add your own code for every array (mostly when I program check fields I don't use arrays but give them the names of e.g. product_id's and than this small contribution works for that fields too).

If you have array fields you have to program them by yourself for each array ...

 

 

I posted revised code to deal with arrays too in this thread only a short while ago huh.gif , use that, a little searching always helps wink.gif


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites
Guest

I posted revised code to deal with arrays too in this thread only a short while ago huh.gif , use that, a little searching always helps wink.gif

 

Hi Spooks,

 

An excellent piece of code, that simple, thank you. I know already that php can do almost everything, so again one statement more learned. For other users, you may find this piece of code just one or two pages back.

I placed this code just before Security Pro because that contribution is using $_POST.

Share this post


Link to post
Share on other sites
Guest

Hi Spooks, Jack solved it for me, see a copy here from my answer (good to be a part of this topic to show the meaning of your recommended contributions ..)

 

 

Dear Jack,

 

You solved the problem with your excellent contribution 'Sitemonitor'. Very funny, you presented a list of possible hacked code and one of it was catalog/includes/languages/english/contact_us.php full with code to sent mass of emails. As you can remember from questions a month of 1,5 ago (see my name) a customers website was hacked for jp morgan bank and paypall. I think the same had changed that code in that period because they can't come in anymore now but they still try (seeing the logs). So they have a way to use contact_us.php in that time and now. But you reported more on your list and go to find out (but maybe that was not hacked).

 

Strange I checked in that period the dates of the programs and could not find changes (of course I could find the criminal programs) so maybe it is possible to change programs without changing dates ...

 

Thanks again, great contribution ...

 

Yes I checked the dates on the old server, and contact_us.php was changed but the date of the folder (containg contact_us.php) was earlier, so it is possible to change a program (and change date) while the folders change date does not change ...

Share this post


Link to post
Share on other sites
Guest

I posted revised code to deal with arrays too in this thread only a short while ago huh.gif , use that, a little searching always helps wink.gif

 

Hi Spooks,

 

But have to say this works only for one-dimensional arrays (as is most with screenfields) so it does not work for two or more dimensional arrays (array_map), in that case you have to program it by yourself or extend this solution. But probably you get an error in that case (to replace a whole array with one value) , so it warns itselves.

Share this post


Link to post
Share on other sites

After reading a lot of $POST cleaning answer in that topic, im still not sure about few things.

 

That revised code you posted (quote below) should be inserted just b4 closing tag of app_top? (adding the correct version if catalog or admin side)

Then i have no other modification in other files with that revised code?

(like it was supposed with first code version where u needed to add code in each page that got $POST. adding old code after... require application top)

 

lastly what you mean exactly with not tested in other language? that some may need addind more chars? like language that doesn't have "occidental char"s language ie: russian, chinese etc..?

French/English shop should be ok then? what should i look for to see if i've it running ok? things like able to add to cart, with attributes ect...if contrin using post still working ..ie: anti robot..?

 

Thank you for your time and answers.

Sorry if im beeing stupid about this "issue", but someone who never ask stay stupid, the one who does is stupid once but doesn't stay ignorent :D

 

You could use this code, though I`ve not tested in other languages:

 

// clean posted vars

function clean_var ($vars) {

if (!is_array($vars)) {

return preg_replace("/[^\w@ :{}_.-]/i", "", urldecode($vars));

} else {

return array_map('clean_var', $vars);

}

}

reset($_POST);

while (list($key, $value) = each($_POST)) {

$_POST[$key] = clean_var ($_POST[$key]);

}

 

 

I have used that code on the client side application top, so avoiding modding a load of files.

 

 

 

If adding to admin you would need to allow more chars as you add html etc in admin, like:

 

// clean posted vars

function clean_var ($vars) {

if (!is_array($vars)) {

return preg_replace("/[^\/\w@ :<>{}&\"\'=_.-]/i", "", urldecode($vars));

} else {

return array_map('clean_var', $vars);

}

}

reset($_POST);

while (list($key, $value) = each($_POST)) {

$_POST[$key] = clean_var ($_POST[$key]);

}

 

 

 

But how useful it is then would be debatable, you may need to look at the specific areas mentioned in your link

Share this post


Link to post
Share on other sites

I am having trouble with the add-on, Backup of all store files in zip. There is no operational support thread, so I thought I would post here. I get an error when trying to initiate the download of: Fatal error: Allowed memory size of 33554432 bytes exhausted (tried to allocate 91782402 bytes) in /home/*****/******/catalog/admin/backup_store_files.php on line 62. Any ideas? I do have a limit of something around 32MB or 64MB from my host. Am I just out of luck using this backup feature? Does this add-on backup files in the download folder? If so, I have a lot of MP3 files in the download folder that I do not have to backup, so if there is a way to exclude folders to backup I would like to hear about it.

 

Thanks and Happy New Year!

Share this post


Link to post
Share on other sites

 

 

Please try reading the docs that come with add-ons b4 making false statements! mad.gif


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

which Cross Site Scripting mod to use

 

1st I only use the htaccess version of that mod (called 'other version')

 

Do you mean just do:

# 1) add these lines to your .htaccess file

and skip this part?

# 2) create an index_error.php file with whatever content you want to be displayed.


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Share this post


Link to post
Share on other sites

I'm sure that this has probably been answered somewhere, but please answer again:

 

I just input the php files and code for Security Pro. The read me file says:

 

Firstly: -

 

Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

 

 

Where do I browse to it? Do I go to CPanel, Admin,? I don't know where to browse to it.

Share this post


Link to post
Share on other sites

I'm sure that this has probably been answered somewhere, but please answer again:

 

I just input the php files and code for Security Pro. The read me file says:

 

Firstly: -

 

Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

 

 

Where do I browse to it? Do I go to CPanel, Admin,? I don't know where to browse to it.

 

on your favorite web browser...go to www.yourdomain.com/catalog/SecurityPro_installer.php

 

change the adress accordingly to your site, changing yourdomain.com by your actual adress...

Share this post


Link to post
Share on other sites

on your favorite web browser...go to www.yourdomain.com/catalog/SecurityPro_installer.php

 

change the adress accordingly to your site, changing yourdomain.com by your actual adress...

 

Thanks Fabien. Part 1 done.

Share this post


Link to post
Share on other sites
Guest

I am trying to install XSS Shield (6044) "the other version".

I had problems with it before, but since we just restored the site (got hacked with the spam emails)

I'm checking all of the security updates.

 

When I install the following lines in .htaccess the site goes beserk. The images are missing, all of the fonts, backgrounds, etc. are gone. It's completely unformatted. This is a SSL secured site. Any ideas? Any help would be appreciated.

 

Options +FollowSymLinks
RewriteEngine On 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

 

Also, what needs to go in index_error.php?

 

Thanks! :rolleyes:

Share this post


Link to post
Share on other sites

 

 

Likely you are making errors editing your htaccess file.

 

You can put whatever u want in your error pages.


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Share this post


Link to post
Share on other sites

Most pages that use forms use the post method, some simply add this snippit to application top to cover all, but remember some add-ons use arrays that this would delete & some (mainly payment modules) use characters that this would remove.

 

This little snippit will replace the previous & clean any arrays too:

 

// clean posted vars

function clean_var ($vars) {

if (!is_array($vars)) {

return preg_replace("/[^a-zA-Z0-9@ :{}_.-]/i", "", urldecode($vars));

} else {

return array_map('clean_var', $vars);

}

}

reset($_POST);

while (list($key, $value) = each($_POST)) {

$_POST[$key] = clean_var ($_POST[$key]);

}

 

I would note that the cart uses arrays for product attributes, so this is needed should you decide to add to app top.

 

Firstly, I must apologise for being absent from the thread - xmas got on top of me...

 

Obviously I need to clean the $_POST but am rather nervous I break something if I add your new snippet to application_top. You mention payment modules being affected - I have paypal ipn, sage pay server & cheque modules active - are they likely to break? God I hate those blooming hackers!

 

Is it safest to add this code to the individual files instead of application_top?


I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire

Share this post


Link to post
Share on other sites

Sam, wouldn't it have been easier to just answer the questions? I still have the same questions. What false statements am I relating?? Look, I try to look up things and read through forums before I post anything, and the last two times I had to ask you something you assumed that I couldn't read or follow instructions which is irritating and just wastes more of my time rechecking myself. I did help to solve the issue with your mulit-images add-on with the STS add-on that has since helped a lot of people with the same issue I had. The support thread listed in your Backup all files in Zip contribution, http://forums.oscommerce.com/topic/346592, only takes me to the Oscommerce general forms page. I searched and didn't find anything by searching the Oscommerce site. So, if you know of a support thread or where I can find more information about the contribution, I would be happy to go there.

 

I did read within the backup_store_files.php that I could increase the file limit beyond the 32MB within the file, but my issue is above the 64MB limit imposed by my web host, so I was asking if I could omit some folders like the download folder that contains many large MP3 files, and image files that I do not need to backup. My site only has about 50 products so far. Otherwise, maybe I will just have to FTP the entire catalog folder to my local drive for backups?

 

Thanks, and please lighten up and smile. ;)

 

Please try reading the docs that come with add-ons b4 making false statements! mad.gif

Share this post


Link to post
Share on other sites

×