osCommerce

spooks

How to secure your osCommerce 2.2 site.


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Special chars in passwords

 

Hello Sam, first I'd like to say 'thank you' for all your support in this thread.

It has been nice to read, yes I have read all 17 pages. :)

 

I have just 3 questions:

 

1.

-Is your recommendation at the beginning of this thread enough

a. plus the new snippet for pages using forms

b. plus the fix from github (Jan Zoonjes link)

c. plus your new addon 'Special chars in passwords'?

 

2.

-Will you include instructions on how to allow foreign chars and other types of post codes?

 

3.

-When a customer prefers to be invoiced, I would need an extra field in the DOB drop-down, thereby requiring a valid civic number.

-Would this be problematic to implement?

 

NB With a valid civic number a customer can be checked out before accepting that customer/order

 

Many thanks for this thread and your kind support :)

 

Kind regards

Sara


 

 

1 yes

2 I already gave code for that in this thread

3 Not a general requirement, so not something I plan to look at.


Sam


1 yes

2 I already gave code for that in this thread

3 Not a general requirement, so not something I plan to look at.

 

1. Nice :)

2. I'll look for it again

3. I'll have to do it myself then :)

 

Thank you again.

 

Sara

If the default osCommerce script is really this vulnerable, I think osCommerce should let people know before they download the script and spend countless hours customizing their installation.

I think that could be the best post in this thread, seriously. If I was to download 2.2RC2a right now, would I basically have to do all that's suggested in this thread to have a much more secure site than standard? If so, shouldn't an issue this serious have been announced and immediately fixed by the team and the store released again?

Or for example, if I had been running a shop for the last 3 years but not come across this thread, how likely could it have been that I was in jeopardy if I actually had a live store? What if I never found this thread; how vulnerable (seriously) would my site be if it was live? I'm only asking because I have been playing with osC for about 2-1/2 years but never noticed these issues till coming across this thread today, and with the intention to possibly use osC for an online store one day. Well, basically until this thread I wouldn't have considered any other software, but this thread has scared me now, only because if the issue is quite serious, it's disappointing we have to find out about it ourselves (in a way that many people might not) rather than have the issue fixed and implemented in a re-release, or at least an official patch/fix. Especially since the issue seems quite serious, with talk of customer data potentially being listed on a hacking forum, for example, as stated in the first post.

Now I might be being paranoid; basically this is why I posted. Am I being too paranoid really? Is all this advice considered a "must do"? If so, I don't think a pinned topic in the Security sub-forum is enough of a heads up for people, and it seems like way too much to have to do on top of an installation in regards to something as serious as security, which should be standard with something that will be receiving personal details, in particular credit card details and what not, true?

Don't get me wrong, I'm more than happy to make the changes personally, but I just know many people that wouldn't, couldn't, but most of all, most would simply not even know there are issues like this to fix, because they would be spending time setting up their shop rather than browsing forums and unexpectedly coming across this thread, because there isn't any info anywhere else.

It's just a bit of a disappointing shock, to me personally, to only find out about this 2-1/2 years after my first visit here, mainly because it seems like a pretty serious issue (anything with the possibility of losing customer details I would say is pretty much the worst thing that could happen) and then to only find it unintentionally. I would have felt better not finding this thread now.


 

 

This point has been raised many times before & the reasons for the current status detailed as many times, so it's not worth repeating them yet again!!

 

 

 

 

PS an rc3 release is due soon.


Sam


foreign chars

 

2. I'll look for it again

 

 

I've had a quick look again at this. The code I posted was an experimental fix, but as I got no reply saying it didn't work with foreign chars (too many aren't even polite enough to say 'thanks, that fixed it!!'), I assumed all was fine.

 

But the answer is no, that code won't allow foreign chars; there appears to be no ideal solution, at least not till PHP 6. This addition should help though.

 

after:

 

 function clean_var ($vars) { 

 

add:

 

 // letters to allow; must be in the same character encoding as the incoming form data
 $foriegn = 'àáâãäåçéèêëìíîïñòóôõöùúûüýÿ'; 

then replace:

 

return preg_replace("/[^a-zA-Z0-9@ :{}_.-]/i", "", urldecode($vars)); 

with:

 

return preg_replace("/[^\w\d\r".$foriegn."@ :{}_.-]/i", "", urldecode($vars)); 

 

Please say if there are any additions you know of to be added to the $foriegn string.


Sam


This point has been raised many times before & the reasons for the current status detailed as many times, so it's not worth repeating them yet again!!

 

I agree and would like to add that reading forums is educational. Besides, shop owners are most likely to "redesign" their frontends using contributions, and if they "miss" basic security... well then, it's a lesson to learn.

 

Personally I have spent quite some hours to secure my site and get it W3C-compliant (both front- and backend) plus have a basic look and feel, before I bother to "go live". As someone said... "You will not get a second chance to make a first impression".

 

Of course I have discovered "oddities" and made some changes to the code :)

 

Sara

 

-One day, I will find time to become smart...-


Nice! :)

 

-how about capital letters?

 

for example å-Å, ä-Ä, ö-Ö ?

 

come to think of it, could it be possible to use the locale: setlocale(LC_TIME, 'sv_SE.ISO_8859-1'); somehow?

Noticed that they are country specific.

 

I have to rush off, I'll be back in about an hour or so.

 

Thanks again, Sam.

 

Sara


So...

 

(i) Could I do the admin folder name change and .htaccess permission BEFORE I upload for the first time? Will osC install properly with the name change already done locally?

 

(ii) Could I even work in the Security Pro, Site Manager, IP Trap, etc, add-ons before I upload? Or at least one of them (and if so, which?) I do understand that they might be better done one by one in terms of making mistakes and troubleshooting.

 

I'm sorry, but you can see how reading this thread is a bit daunting to a newb, it sounds like my (test) shop will be immediately attacked before I can even do the add-ons and ascertain whether they've broken anything.

 

(iii)

PS an rc3 release is due soon.

Don't suppose there's any point in asking when is soon? :blush:

 

 

 

In summary, bloody Russians :angry: or Turks, or whoever they are. It's all a bit scary.


 

 

1 you could, but no hassle to do it after.

htaccess folder protection is best done through cPanel; you can't do that before you make the folder.

2 there is no massive hurry to add the protection. If you haven't published the site yet then hackers can't find it to attack; if you're really concerned, redirect all domain visitors to an 'under construction' page.

3 hpdl said in about a week! (most updates for security)

 

 


Sam


So...

 

(i) Could I do the admin folder name change and .htaccess permission BEFORE I upload for the first time? Will osC install properly with the name change already done locally?

 

I would htaccess protect my entire site before I uploaded it. Not just the admin directory.

 

Do all your add ons, all your security patches, more htaccess to admin directory, everything you want. Then when it is all ready just remove the htaccess on the catalog root directory.


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


The answer to (i) was NO, in fact.

 

I got a small handful of install errors when renaming the admin folder (and reflecting that change in renamed_admin/includes/configure.php) before uploading.

 


Hello,

 

I'm not the type of guy who bumps threads or posts. But on this security issue, I'd love to have an answer/confirmation on this if you don't mind, because it's an important security hole.

 

Thank you in advance.

 

After reading a lot of $_POST cleaning answers in that topic, I'm still not sure about a few things.

That revised code you posted (quote below) should be inserted just before the closing tag of app_top? (adding the correct version for the catalog or admin side)

Then I have no other modification in other files with that revised code?

(like it was supposed with the first code version, where you needed to add code in each page that got $_POST, adding the old code after... require application top)

Lastly, what do you mean exactly with "not tested in other languages"? That some may need adding more chars? Like languages that don't have "occidental chars", i.e. Russian, Chinese etc.?

A French/English shop should be OK then? What should I look for to see if I've got it running OK? Things like being able to add to cart with attributes etc... if contribs using POST are still working, i.e. anti robot...?

Thank you for your time and answers.

Sorry if I'm being stupid about this "issue", but someone who never asks stays stupid; the one who does is stupid once but doesn't stay ignorant :D


Latest $_POST cleaning code.

 

To answer the various questions, the following snippet will clean the $_POST and allow for anything that can be regarded as a letter, though it may be necessary for some to change the character class.

 

 

////
// Clean post vars
// Strips every character that is not a letter (\p{L}), a digit, a CR, or one of
// "@ :{}_.-". Note: without the "u" modifier PCRE works byte by byte, so a
// multi-byte UTF-8 letter is not seen as a single letter.
function clean_var ($vars) { 
 if (!is_array($vars)) {
 return preg_replace("/[^\p{L}\d\r@ :{}_.-]/i", "", urldecode($vars)); 
 } else { 
 return array_map('clean_var', $vars); 
 }
} 

 // PHP < 4.1 has no $_POST superglobal; keep the legacy array in sync with it
 if (version_compare(PHP_VERSION, '4.1.0', '>=')) $HTTP_POST_VARS =& $_POST; 
 // each() was removed in PHP 8, so iterate over the keys instead
 foreach (array_keys($_POST) as $key) { 
 $_POST[$key] = clean_var ($_POST[$key]); 
 } 

I advise adding this at the start of any page that accepts $_POST vars.

 

 

If adding to application top, add after:

 

 

// set the application parameters
$configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
while ($configuration = tep_db_fetch_array($configuration_query)) {
define($configuration['cfgKey'], $configuration['cfgValue']);
}

 

or immediately after the Security Pro code, if added (I strongly advise that you do).

I feel there is little point in adding this to admin, as you would have to allow so much that the code becomes irrelevant.

This code will work for standard osC and nearly all add-ons; there are a few that it will create issues for, so make sure you test your site fully if adding this to application top. In any case, always test after adding it to any page.

Remember, as with any code on this forum, no warranty is given or implied.

 

 

 

Keep your site safe.


Sam


Latest $_POST cleaning code.

 

Hi Sam

 

Thanks for the code

 

I added this code to application top but I think it is causing a problem with PayPal updating customers' accounts.

 

The = (equals) sign is being stripped and this is causing a Paypal Invalid Process

 

Could this code be causing this?

 

Regards

 

Ken


The = (equals) sign is being stripped and this is causing a Paypal Invalid Process

 

 

 

I suspect your issue is with Security Pro. PayPal communicates via the query string (I've not checked all modules) and Security Pro cleans that. In either case, simply add = to the allowed list, or with Security Pro add the module to the exclude list.


Sam


I suspect your issue is with Security Pro

 

Hi Sam

 

My site works fine with Security Pro

 

It was only after installing the code above that the problem occurred. I have now commented out the $_POST cleaning code and my site is working OK again.

 

Here is the email I got from my site after installing the $_POST cleaning code

(XXX added to hide identities)

 

PayPal IPN Invalid Process


I am not very good with regex expressions. I tried

 

return preg_replace(="/[^\p{L}\d\r@ :{}_.-]/i", "", urldecode($vars));

 

But then the email address in ‘contact us’ became invalid. Does the ‘=’ need adding at a certain position?

 

Regards

 

Ken


 

I am not very good with regex expressions. I tried

 

return preg_replace(="/[^\p{L}\d\r@ :{}_.-]/i", "", urldecode($vars));

 

But then the email address in ‘contact us’ became invalid. Does the ‘=’ need adding at a certain position?

 

 

Yes, position is critical; you made an invalid expression.

 

 

should be:

 

return preg_replace("/[^\p{L}\d\r@ :{}=_.-]/i", "", urldecode($vars));


Sam

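As an added example, not code from the thread or from osCommerce, the script below runs the thread's original ASCII-only class and Sam's corrected \p{L} class (with and without PCRE's u modifier) over a constructed sample shaped like the IPN fields quoted above; the function names, the sample values and the fail-closed handling of invalid UTF-8 are my own.

```php
<?php
// Added example (not from the thread or osCommerce): compares the character
// classes discussed above over constructed input. Function names are my own.

// Variant 1: the thread's original ASCII-only class. Every accented letter is
// stripped, so a name like "José" loses its é.
function clean_var_ascii($vars) {
    if (is_array($vars)) return array_map('clean_var_ascii', $vars);
    return preg_replace("/[^a-zA-Z0-9@ :{}_.-]/i", "", urldecode($vars));
}

// Variant 2: Sam's corrected \p{L} class with '=' allowed. Without the 'u'
// modifier PCRE judges a multi-byte UTF-8 letter one byte at a time and can
// leave a broken byte sequence behind; with 'u' the letter is kept (or
// stripped) as one whole code point.
function clean_var_unicode($vars, $utf8 = true) {
    if (is_array($vars)) {
        $out = array();
        foreach ($vars as $key => $value) {
            $out[$key] = clean_var_unicode($value, $utf8);
        }
        return $out;
    }
    $pattern = "/[^\p{L}\d\r@ :{}=_.-]/i" . ($utf8 ? 'u' : '');
    $clean = preg_replace($pattern, "", urldecode($vars));
    // With 'u', preg_replace() returns NULL on invalid UTF-8 input. Fail
    // closed: pass an empty string on rather than the unfiltered value.
    return ($clean === null) ? '' : $clean;
}

// Constructed sample (made-up values) in the shape of the IPN fields above:
// an address, an accented name, a field that relies on '=', a value carrying
// HTML, and a byte string that is not valid UTF-8.
function sample_post() {
    return array(
        'payer_email' => 'buyer@example.com',
        'first_name'  => 'José',
        'custom'      => 'order=543',
        'item_name'   => '<b>Widget</b>',
        'raw'         => "\xff\xfe" . 'not utf-8',
    );
}

// Print each variant's result so the differences are visible side by side.
function run_demo() {
    $post = sample_post();
    $variants = array(
        'ascii'           => clean_var_ascii($post),
        'unicode (u)'     => clean_var_unicode($post, true),
        'unicode (bytes)' => clean_var_unicode($post, false),
    );
    foreach ($variants as $label => $cleaned) {
        echo "== $label ==\n";
        foreach ($cleaned as $key => $value) {
            echo $key, '=', ($value === '' ? '(empty)' : $value), "\n";
        }
    }
}

run_demo();
```

Run it from the command line with `php` and compare the three blocks: only the u-modifier variant keeps the accented name intact, keeps '=' in the custom field, and empties the invalid-UTF-8 value instead of passing stray bytes through.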

Yes, position is critical, you made an invalid expression,

 

Hi Sam

 

WOW, that was quick, Thank You.

 

I have added the $_POST cleaning code back with the new expression

 

I will let you know if it works

 

Thanks again

 

Ken


Hiya,

 

Is renaming the admin folder as easy as it sounds? Can I just change the name in FTP or do I need to do something more complex? I am just thinking it might cause problems with the operation of osC.


Hiya,

 

Is renaming the admin folder as easy as it sounds? Can I just change the name in FTP or do I need to do something more complex? I am just thinking it might cause problems with the operation of osC.

You will also have to change the paths in the configure.php file(s) and any reference to the admin folder in any .htaccess files.



Also make sure that all files, except for the two configure.php files have permissions no higher than 644.

 

Header Tags Controller has a file that is 755 - is this a security problem?

 

Also, the Anti-XSS "other version" applied to my root .htaccess - will that cover everything below, including my test site, which is in a folder in the root? Or do I need to put the code in the .htaccess file of the test website as well?


I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire
