
spooks

How to secure your osCommerce 2.2 site.


I can't install Sam's since this http://forums.oscomm...ost__p__1491051

Why not? Just because you added header tags does not mean you cannot add that, esp. as most of those pages are SSL, so should not be indexed by the robots, so don't need header tags anyway.

What benefit would any form page (for input) get from a good SEO score, other than to make it easy for hackers to find them? (I'm thinking of the reviews input there, common target.)

But if you just want to add the sanitising, add the function and use the instructions for product_reviews_write.php for all those pages; of course you'll lose all the validation benefits, so get some PCI scan false positives.

PS spotted the specific post you're referring to (don't rely on forum links, they often fail). That's talking of a totally different contrib and product_info.php, which Sam's Anti-hacker Account Mods does not touch!! (It's a non-issue too!!)


Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Ok, I have renamed my files and changed permissions. Do I need to add these add-ons to secure my site more?

Many thanks.


Ok, I have renamed my files and changed permissions. Do I need to add these add-ons to secure my site more?

Many thanks.

YES.

Renaming file_manager.php is not sufficient, it must be deleted.

Renaming admin is not sufficient, you must do the remaining admin security steps.

You must do all steps in the OP to properly secure your site; if it was as easy as a bit of renaming & permission changes I would have said so!!

If you don't believe it, get a PCI scan, or wait till the hackers find you!!


Sam

 



Thanks for getting back to me Spooks. I have deleted the file manager as well.

Basically I need to put the add-ons on. Which add-ons do you recommend?

Many thanks.


 

Basically I need to put the add-ons on. Which add-ons do you recommend?

The ones I gave in my OP, still!!


Sam

 



Does anyone have a clean OsCommerce version with all these modules updated? Is there any place where you can download the whole thing, or the only way is to manually install each security update separately?

Thanks in advance!

 

D.


I don't think so, if you find such a thing please tell me!!

Spooks, ok then, I will update Jack's 3.1.8 to 3.1.9 - 3.2.0 and then I will apply your antihack.

One thing though, and I tell this to everyone: in Jack 3.2.0 one of the steps is to replace /admin/includes/application_top.php, so the mail.php hack is back in case you put the FWR patch!!!


Sorry for being a pain, but I am having an error when bunkering my .htaccess.

My actual file is as follows:

# If you are getting errors you may need to comment this out like ..
# Options +FollowSymLinks
#Options +FollowSymLinks
<IfModule mod_rewrite.c>
 RewriteEngine On

 # RewriteBase instructions
 # Change RewriteBase dependent on how your shop is accessed as below.
 # http://www.mysite.com = RewriteBase /
 # http://www.mysite.com/catalog/ = RewriteBase /catalog/ 
 # http://www.mysite.com/catalog/shop/ = RewriteBase /catalog/shop/

 # Change RewriteBase using the instructions above  
 RewriteBase /shop/catalog/

 RewriteRule ^(.*)-p-([0-9]+).html$ product_info.php?products_id=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-c-([0-9_]+).html$ index.php?cPath=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-m-([0-9]+).html$ index.php?manufacturers_id=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-pi-([0-9]+).html$ popup_image.php?pID=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-pr-([0-9]+).html$ product_reviews.php?products_id=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-pri-([0-9]+).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING}
 # Articles contribution
 RewriteRule ^(.*)-t-([0-9_]+).html$ articles.php?tPath=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-a-([0-9]+).html$ article_info.php?articles_id=$2&%{QUERY_STRING}
 # Information pages
 RewriteRule ^(.*)-i-([0-9]+).html$ information.php?info_id=$2&%{QUERY_STRING}
 # Links contribution
 RewriteRule ^(.*)-links-([0-9_]+).html$ links.php?lPath=$2&%{QUERY_STRING}
 # Newsdesk contribution
 RewriteRule ^(.*)-n-([0-9]+).html$ newsdesk_info.php?newsdesk_id=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-nc-([0-9]+).html$ newsdesk_index.php?newsPath=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-nri-([0-9]+).html$ newsdesk_reviews_info.php?newsdesk_id=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-nra-([0-9]+).html$ newsdesk_reviews_article.php?newsdesk_id=$2&%{QUERY_STRING}
</IfModule>

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


# Block people seeing the htaccess file
<Files .htaccess>
order deny,allow
deny from all
</Files>

# Force type & prevent script execution
<Files site>
ForceType application/x-httpd-php
</Files>

# no access to htaccess files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

And I want to include this, i.e.

RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

I know it is part of the basics, but I don't know how to glue it to the actual file. All I see in guides are blocks like this but not the proper logic in it. I guess I don't need another RewriteEngine On because the XSS rules are working, so just a RewriteRule?

 

Thanks


Solved, I think, and maybe someone with usu5 will find this useful.

 

#Options +FollowSymLinks
<IfModule mod_rewrite.c>
 RewriteEngine On

 # RewriteBase instructions
 # Change RewriteBase dependent on how your shop is accessed as below.
 # http://www.mysite.com = RewriteBase /
 # http://www.mysite.com/catalog/ = RewriteBase /catalog/ 
 # http://www.mysite.com/catalog/shop/ = RewriteBase /catalog/shop/

 # Change RewriteBase using the instructions above  
 RewriteBase /shop/catalog/

 RewriteRule ^(.*)-p-([0-9]+).html$ product_info.php?products_id=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-c-([0-9_]+).html$ index.php?cPath=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-m-([0-9]+).html$ index.php?manufacturers_id=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-pi-([0-9]+).html$ popup_image.php?pID=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-pr-([0-9]+).html$ product_reviews.php?products_id=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-pri-([0-9]+).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING}
 # Articles contribution
 RewriteRule ^(.*)-t-([0-9_]+).html$ articles.php?tPath=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-a-([0-9]+).html$ article_info.php?articles_id=$2&%{QUERY_STRING}
 # Information pages
 RewriteRule ^(.*)-i-([0-9]+).html$ information.php?info_id=$2&%{QUERY_STRING}
 # Links contribution
 RewriteRule ^(.*)-links-([0-9_]+).html$ links.php?lPath=$2&%{QUERY_STRING}
 # Newsdesk contribution
 RewriteRule ^(.*)-n-([0-9]+).html$ newsdesk_info.php?newsdesk_id=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-nc-([0-9]+).html$ newsdesk_index.php?newsPath=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-nri-([0-9]+).html$ newsdesk_reviews_info.php?newsdesk_id=$2&%{QUERY_STRING}
 RewriteRule ^(.*)-nra-([0-9]+).html$ newsdesk_reviews_article.php?newsdesk_id=$2&%{QUERY_STRING}
</IfModule>

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots
RewriteBase /shop/catalog/
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]
RewriteCond %{HTTP_USER_AGENT} almaden [OR]
RewriteCond %{HTTP_USER_AGENT} ^Anarchie [OR]
RewriteCond %{HTTP_USER_AGENT} ^ASPSeek [OR]
RewriteCond %{HTTP_USER_AGENT} ^attach [OR]
RewriteCond %{HTTP_USER_AGENT} ^autoemailspider [OR]
RewriteCond %{HTTP_USER_AGENT} ^BackWeb [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bandit [OR]
RewriteCond %{HTTP_USER_AGENT} ^BatchFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Buddy [OR]
RewriteCond %{HTTP_USER_AGENT} ^bumblebee [OR]
RewriteCond %{HTTP_USER_AGENT} ^CherryPicker [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^CICC [OR]
RewriteCond %{HTTP_USER_AGENT} ^Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Copier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Crescent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DA [OR]
RewriteCond %{HTTP_USER_AGENT} ^DIIbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo\ Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Wonder [OR]
RewriteCond %{HTTP_USER_AGENT} ^Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Drip [OR]
RewriteCond %{HTTP_USER_AGENT} ^DSurf15a [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EasyDL/2.99 [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} email [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailCollector [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FileHound [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} FrontPage [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetSmart [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^gigabaz [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go\!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^gotit [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^grub-client [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} ^HTTrack [OR]
RewriteCond %{HTTP_USER_AGENT} ^httpdown [OR]
RewriteCond %{HTTP_USER_AGENT} .*httrack.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^ia_archiver [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Indy*Library [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetLinkagent [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^InternetSeer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^Iria [OR]
RewriteCond %{HTTP_USER_AGENT} ^JBH*agent [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^JustView [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^LexiBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^lftp [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link*Sleuth [OR]
RewriteCond %{HTTP_USER_AGENT} ^likse [OR]
RewriteCond %{HTTP_USER_AGENT} ^Link [OR]
RewriteCond %{HTTP_USER_AGENT} ^LinkWalker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mag-Net [OR]
RewriteCond %{HTTP_USER_AGENT} ^Magnet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^Memo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Microsoft.URL [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*Indy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla.*NEWT [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mozilla*MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MS\ FrontPage* [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSFrontPage [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSIECrawler [OR]
RewriteCond %{HTTP_USER_AGENT} ^MSProxy [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetMechanic [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^NICErsPRO [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^Openfind [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^Ping [OR]
RewriteCond %{HTTP_USER_AGENT} ^PingALink [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pockey [OR]
RewriteCond %{HTTP_USER_AGENT} ^psbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Pump [OR]
RewriteCond %{HTTP_USER_AGENT} ^QRVA [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Reaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Recorder [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Scooter [OR]
RewriteCond %{HTTP_USER_AGENT} ^Seeker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Siphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^sitecheck.internetseer.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SlySearch [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^Snake [OR]
RewriteCond %{HTTP_USER_AGENT} ^SpaceBison [OR]
RewriteCond %{HTTP_USER_AGENT} ^sproose [OR]
RewriteCond %{HTTP_USER_AGENT} ^Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Szukacz [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^URLSpiderPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^Vacuum [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^[Ww]eb[bb]andit [OR]
RewriteCond %{HTTP_USER_AGENT} ^webcollage [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebEMailExtrac.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebHook [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMiner [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebMirror [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Whacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^x-Tractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xenu [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus.*Webster [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]

#<Limit GET PUT POST> 
#order allow,deny
#deny from .br.geocities.com
#deny from 62.29.0.0/17
#allow from all 
#</Limit>


# deny access to unused filetypes
<FilesMatch "\.(inc|tpl|h|ihtml|sql|ini|conf|class|bin|spd|theme|module|exe)$">
deny from all
</FilesMatch>

# no access to htaccess files
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

# no access to config files (osCommerce keeps its settings in includes/configure.php;
# "\c" is a control-character escape in a regex, so the pattern is spelled out)
<Files ~ "config(ure)?\.php$">
deny from all
</Files>

# FORCE TYPE
<Files site>
ForceType application/x-httpd-php
</Files>

 

The # is for the future, and maybe it is better to simply use "deny from".

Could anyone check if it is ok or just crap?

 

Thanks.
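The two posts above turn on how a spliced RewriteCond block binds to its RewriteRule. As an added example (not from the thread, osCommerce or USU5), this small Python evaluator groups RewriteCond/RewriteRule lines the way Apache does (every RewriteCond binds to the next RewriteRule, [OR] joins a condition to the one after it, anything else is ANDed) and runs a few of the posted conditions against constructed requests. It also rejects a chain whose last RewriteCond still carries [OR], the splice mistake asked about; the sample requests and the trimmed rule set are constructed for the demo.

```python
"""Evaluate a RewriteCond/RewriteRule chain with Apache's grouping rules:
every RewriteCond binds to the next RewriteRule, [OR] joins a condition
to the one after it, and conditions without [OR] are ANDed together."""
import re
from dataclasses import dataclass

# Constructed fragment: the query-string, method and user-agent blocks from
# the thread, trimmed to a handful of the posted conditions.
HTACCESS = r"""
# block common injection attempts in the query string
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
# spliced-in block: every condition OR'd, the last one without [OR]
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget
RewriteRule ^.* - [F,L]
"""

TOKEN = re.compile(r'(?:[^\s\\]|\\.)+')   # split on unescaped whitespace only

@dataclass
class Cond:
    var: str            # server variable, e.g. QUERY_STRING
    regex: re.Pattern
    or_next: bool       # [OR] present: joined to the following condition

@dataclass
class Rule:
    conds: list
    regex: re.Pattern
    flags: set

def _flags(tokens):
    """Pop a trailing [A,B] token and return its flags as a set."""
    if tokens and tokens[-1].startswith('[') and tokens[-1].endswith(']'):
        return set(tokens.pop()[1:-1].split(','))
    return set()

def parse(text):
    """Return the rules, each carrying the RewriteCond lines bound to it."""
    rules, pending = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        tokens = TOKEN.findall(line)
        flags = _flags(tokens)
        nc = re.IGNORECASE if 'NC' in flags else 0
        if tokens[0] == 'RewriteCond':
            var = tokens[1][2:-1]                  # strip %{ and }
            pending.append(Cond(var, re.compile(tokens[2], nc), 'OR' in flags))
        elif tokens[0] == 'RewriteRule':
            if pending and pending[-1].or_next:
                # a dangling [OR] means the chain was spliced wrong;
                # reject it instead of guessing what Apache would do with it
                raise ValueError('last RewriteCond before a RewriteRule carries [OR]')
            rules.append(Rule(pending, re.compile(tokens[1], nc), flags))
            pending = []
    return rules

def conds_hold(conds, request):
    """AND of OR-clauses: [OR] extends the current clause, its absence closes it."""
    clause = False
    for cond in conds:
        clause = clause or bool(cond.regex.search(request.get(cond.var, '')))
        if not cond.or_next:
            if not clause:
                return False
            clause = False
    return True

def verdict(rules, request):
    """'forbidden' if an [F] rule fires for this request, else 'allowed'."""
    for rule in rules:
        if rule.regex.search(request['PATH']) and conds_hold(rule.conds, request):
            if 'F' in rule.flags:
                return 'forbidden'
            if 'L' in rule.flags:
                break
    return 'allowed'

def req(method, path, qs, ua):
    # QUERY_STRING is left percent-encoded, as Apache hands it to mod_rewrite
    return dict(REQUEST_METHOD=method, PATH=path, QUERY_STRING=qs, HTTP_USER_AGENT=ua)

# Constructed requests: one shopper plus four probes the posted rules should stop.
SAMPLE_REQUESTS = {
    'shopper':   req('GET', 'product_info.php', 'products_id=12', 'Mozilla/5.0'),
    'xss_probe': req('GET', 'index.php', 'cPath=1&x=%3CSCRIPT%3Ealert(1)%3C/script%3E', 'Mozilla/5.0'),
    'trace':     req('TRACE', 'index.php', '', 'Mozilla/5.0'),
    'perl_bot':  req('GET', 'index.php', '', 'libwww-perl/6.05'),
    'globals':   req('GET', 'index.php', 'GLOBALS[cfg]=1', 'Mozilla/5.0'),
}

def run_samples(text=HTACCESS):
    rules = parse(text)
    return {name: verdict(rules, r) for name, r in SAMPLE_REQUESTS.items()}
```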


Hi guys,

 

just trying to secure my site, this is the first time I have used osCommerce (so please be gentle ;P)

 

When I try to back up my database I get this response:

 

Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/usr/bin/gzip) is not within the allowed path(s): (/home/elitegol:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/elitegol/public_html/admin/backup.php on line 443

 

Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/usr/local/bin/zip) is not within the allowed path(s): (/home/elitegol:/usr/lib/php:/usr/local/lib/php:/tmp) in /home/elitegol/public_html/admin/backup.php on line 444

 

Any ideas?


Warning: file_exists() [function.file-exists]: open_basedir restriction in effect. File(/usr/bin/gzip) is not within the allowed path(s):

open_basedir restriction on your server, set by your host.

This should fix things:

admin/includes/application_top.php (42):

// Used in the "Backup Manager" to compress backups
define('LOCAL_EXE_GZIP', '/usr/bin/gzip');
define('LOCAL_EXE_GUNZIP', '/usr/bin/gunzip');
define('LOCAL_EXE_ZIP', '/usr/local/bin/zip');
define('LOCAL_EXE_UNZIP', '/usr/local/bin/unzip');

replace with:

// Used in the "Backup Manager" to compress backups
define('LOCAL_EXE_GZIP', 'gzip');
define('LOCAL_EXE_GUNZIP', 'gunzip');
define('LOCAL_EXE_ZIP', 'zip');
define('LOCAL_EXE_UNZIP', 'unzip');

 

 


Sam

 



Thank you Soooo much Sam :D

 

Could you help me with another problem I have??

 

I am going through your steps to secure the site. I have changed all the permissions and deleted the file manager. However, I am trying to change the admin folder's name to something else.

I have read various other threads on how to do this, but whenever I do I get this error message when logging in:

 

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'mydbpassword'@'localhost' (using password: YES) in /path_to_admin_directory/newadminname/includes/functions/database.php on line 19

Unable to connect to database server!

 

I had a look at line 19 on database.php but wasn't surprised when I realised I had no clue as to what the problem was :P

 

Thanks in advance again ;)

 

Chris


I am trying to change the admin folder's name to something else.

I have read various other threads on how to do this, but whenever I do I get this error message when logging in:

It would help if you said exactly what you have done, i.e. have you set configure.php correctly.

 

You would be best posting in Jan's thread on this, as that's where most solutions for this issue are found.


Sam

 



It would help if you said exactly what you have done, ie have you set configure.php correctly.

 

You would be best posting in Jan's thread on this, as that's where most solutions for this issue are found.

 

 

Hi Sam, I did leave a post in another thread related to this but no one got back to me. And you seem pretty active, and good at this :D

Just in case you can help me, this is what I have done.

I changed my configure.php folder so that the lines:

define('DIR_WS_ADMIN', '/.//admin/');
define('DIR_FS_ADMIN', '/home/my_site/public_html/.//admin/');

read

define('DIR_WS_ADMIN', '/.//new_name/');
define('DIR_FS_ADMIN', '/home/my_site/public_html/.//new_name/');

I then saved and uploaded the new configure.php file to my server.

I then accessed my server (I use cPanel to do this) and renamed the admin file to the new_name.

Then when I tried to log back into my admin section I got that error.

 

Cheers

 

Chris (really do appreciate your help)


 

I changed my configure.php folder so that the lines:

define('DIR_WS_ADMIN', '/.//admin/');
define('DIR_FS_ADMIN', '/home/my_site/public_html/.//admin/');

read

define('DIR_WS_ADMIN', '/.//new_name/');
define('DIR_FS_ADMIN', '/home/my_site/public_html/.//new_name/');

 

 

Those look wrong.

 

CATALOG/ADMIN/INCLUDES/CONFIGURE.PHP
define('HTTP_SERVER', 'http://www.my-site.co.uk');
define('HTTP_CATALOG_SERVER', 'http://www.my-site.co.uk');
define('HTTPS_CATALOG_SERVER', 'http://www.my-site.co.uk');
define('DIR_WS_HTTP_CATALOG', '/servername/catalog/');
define('DIR_WS_HTTPS_CATALOG', '/servername/catalog/');
define('ENABLE_SSL_CATALOG', 'false');
define('DIR_FS_DOCUMENT_ROOT', '/home/servername/public_html/catalog/');
define('DIR_WS_ADMIN', '/catalog/admin/');
define('DIR_FS_ADMIN', '/home/servername/public_html/catalog/admin/');
define('DIR_WS_CATALOG', '/catalog/');
define('DIR_FS_CATALOG', '/home/servername/public_html/catalog/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

 

 

 

The other thing is, did you check you were editing your current configure file? Remember, in the install osC sets the dbase settings in the file, so your file version will differ from your site one unless you download it after install.

If you have overwritten the old dbase settings like that, just get them from the client side configure file.


Sam

 



When I installed osCommerce I did it through cPanel because my host provides it in their software tab.

All I did then was compress the files, download them and edit them in my text editor.

I just did a fresh install (on my test site) and downloaded the configure.php file from my admin/includes folder.

This is what's in it:

<?php
define('HTTP_SERVER', 'http://my_site.co.uk');
define('HTTP_CATALOG_SERVER', 'http://my_site.co.uk');
define('HTTPS_CATALOG_SERVER', 'http://my_site.co.uk');
define('ENABLE_SSL_CATALOG', 'false');
define('DIR_FS_DOCUMENT_ROOT', '/home/my_site/public_html/osc');
define('DIR_WS_ADMIN', '/osc/admin/');
define('DIR_FS_ADMIN', '/home/my_site/public_html/osc/admin/');
define('DIR_WS_CATALOG', '/osc/');
define('DIR_FS_CATALOG', '/home/my_site/public_html/osc/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

define('DB_SERVER', 'localhost');
define('DB_SERVER_USERNAME', 'my_site_osc1');
define('DB_SERVER_PASSWORD', 'xxxxxxxx');
define('DB_DATABASE', 'my_site_osc1');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');
?>

 

 

Am I correct in thinking that until I get this sorted my site is at risk??


Hello, I'm a newbie to osCommerce, I have just read this thread & have a few questions.

1. Is there a specific order that the add-ons mentioned in post 1 should be added?

2. I intend to use PayPal & Netbanx as my checkout methods; should their add-ons be uploaded pre or post the security add-ons?

3. I've not yet chosen a web server, and many of the posts refer to issues with the server & also that Windows servers appear to be more difficult. Obviously I will choose a server which claims to be osCommerce compatible, but are some more compatible than others?

4. I've set up osCommerce through XAMPP on a PC acting as a local server, with the aim of trying to build the site before uploading to a server. If I add security add-ons to the local install, will it have to be done again to suit the server finally chosen? I don't mind if it does, just trying to give myself a timescale/workplan.

5. I've struggled to find how to change permissions, as the majority of posts on this and other threads assume I'll have a server cPanel. The PC runs Vista 32 Home Edition, so I know I can change attributes to read only & have done so, but osCommerce still sees files as writeable. Any clues?

Thanks in advance

ken


Os-commerce v2.3.3

Security Pro v11

Site Monitor

IP Trap

htaccess Protection

Bad Behaviour Block

Year Make Model

Document Manager

X Sell

Star Product

Modular Front Page

Modular Header Tags



 

 

1. The most important security issues to address are admin access protection and vulnerability removal, input sanitising (cleaning) with Security Pro & methods for the post vars, htaccess & XSS prevention, then the rest.

2. Doesn't matter.

3. Do not use a Windows server, use Unix/Linux; some things used in osC (with add-ons) won't work in Windows.

4. No, just copy across.

5. Windows issue (same for Windows server): you cannot do that under Windows, like quite a few other things!!


Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.



 

Spooks, thank you


Os-commerce v2.3.3

Security Pro v11

Site Monitor

IP Trap

htaccess Protection

Bad Behaviour Block

Year Make Model

Document Manager

X Sell

Star Product

Modular Front Page

Modular Header Tags


open_basedir restriction on your server, set by your host.

This should fix things:

admin/includes/application_top.php (42):

// Used in the "Backup Manager" to compress backups
define('LOCAL_EXE_GZIP', '/usr/bin/gzip');
define('LOCAL_EXE_GUNZIP', '/usr/bin/gunzip');
define('LOCAL_EXE_ZIP', '/usr/local/bin/zip');
define('LOCAL_EXE_UNZIP', '/usr/local/bin/unzip');

replace with:

// Used in the "Backup Manager" to compress backups
define('LOCAL_EXE_GZIP', 'gzip');
define('LOCAL_EXE_GUNZIP', 'gunzip');
define('LOCAL_EXE_ZIP', 'zip');
define('LOCAL_EXE_UNZIP', 'unzip');

I just want to add my thanks to "spooks" for the above fix - worked brilliantly on my database backup.


Maybe I need to up my security, as I have had several attempts, or at least I believe so.

The following IPs I caught a few moments ago:-

according to whois:-

91.213.174.123

//admin/file_manager.php/login.php?action=save

222.240.224.43 this one trying to install phpMyAdmin or something, can't remember the exact path (trying to get at my database I think).

How easy is it to go through and check attempts? I only spotted these two as I was logged on the computer at the time.

Thanks

Getting better with mods but no programmer am I.


I would shut your site now, looks like someone is intending on the base64 hack (nasty), they're trying to access phpMyAdmin to see your database. Why have you not deleted file_manager.php already, renamed admin?

Once hacked (if not already) the work is massive compared to what was required to secure before!!

Have you backed up!!


Sam



LOL, I have implemented many of the security mods, hence why they weren't successful: renamed admin that is, and the htaccess, site security pro last night and previously site monitor etc. I didn't delete the file manager and the define language until I saw the attempt, which have now been removed. That's the first time I have seen an attack on that particular domain being attempted and it's been around a while.

I am guessing the attempt was made as they knew it was an osC site and know about the vulnerability.

Don't know what I was doing at the time in admin, but I occasionally look at whosonline, and that's when I saw the attempts from different IPs going to places they shouldn't be going / don't even exist yet. I was aware of the admin/filemanager issue and became concerned about whether other URLs were attempts to exploit my osC installation. However, if I can isolate these attempts it may highlight security issues with certain mods I have not yet installed but the hacker is aware of and trying to exploit.

I want to make sure I have all the necessary security features now, as it's obvious that attacks are going to be more frequent than they used to be.

Thanks



The OP details the steps; for the admin hack read Jan's post, but FWR's fix is best to close the specific vulnerability your hacker used (as well as rename, htaccess pw etc etc).

FWR code change:

In admin/includes/application_top.php find this code beginning around line 124:

// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {
  $redirect = false;
  $current_page = basename($PHP_SELF);

and change to:

// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {
  $redirect = false;
  $current_page = basename($_SERVER['SCRIPT_NAME']);

for the post issue the best option is now: Anti-hacker Account Mods http://addons.oscommerce.com/info/7202

 

 


Sam


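To show what FWR's change above actually closes, here is an added example in PHP (not osCommerce's, FWR's or Sam's code): it runs a simplified form of the old basename($PHP_SELF) check and the fixed basename($_SERVER['SCRIPT_NAME']) check against the request path quoted earlier in this thread, and goes a step further by flagging the same pattern in access-log lines, which answers the "how do I check attempts" question. The function names, the reduced login-page check and the log lines are my own constructions.

```php
<?php
// Added example, not osCommerce's, FWR's or Sam's code. It shows why the 2.2 admin
// check built on basename($PHP_SELF) is defeated by a PATH_INFO suffix such as
// /admin/file_manager.php/login.php, why basename($_SERVER['SCRIPT_NAME']) is not,
// and how to spot such attempts in an access log.

// Simplified form of the application_top.php check (constructed here): only the
// login page may be served without an admin session.
function needs_login_old($php_self) {
    $current_page = basename($php_self);    // $PHP_SELF = script name + PATH_INFO
    return $current_page != 'login.php';
}

function needs_login_fixed($script_name) {
    $current_page = basename($script_name); // SCRIPT_NAME = resolved script only
    return $current_page != 'login.php';
}

// Constructed request mirroring the attempt quoted in the thread, with no session:
// GET /admin/file_manager.php/login.php?action=save
$php_self    = '/admin/file_manager.php/login.php';
$script_name = '/admin/file_manager.php';
echo 'old check:   ', needs_login_old($php_self) ? "redirect to login\n" : "served without login (bypass)\n";
echo 'fixed check: ', needs_login_fixed($script_name) ? "redirect to login\n" : "served without login (bypass)\n";

// Flag requests to the admin directory that carry a PATH_INFO suffix after a .php
// script, the signature of this bypass. $admin_dir is the directory name as
// renamed on your site; the log lines below are constructed Apache combined-format samples.
function flag_pathinfo_requests(array $log_lines, $admin_dir = 'admin') {
    $hits = array();
    $pattern = '#^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (/+' . preg_quote($admin_dir, '#') . '/[^"\s]*\.php/[^"\s]*)#';
    foreach ($log_lines as $line) {
        if (preg_match($pattern, $line, $m)) {
            $hits[] = array('ip' => $m[1], 'time' => $m[2], 'path' => $m[3]);
        }
    }
    return $hits;
}

$sample_log = array(
    '203.0.113.5 - - [10/Oct/2012:10:12:01 +0000] "GET //admin/file_manager.php/login.php?action=save HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [10/Oct/2012:10:12:30 +0000] "GET /admin/login.php HTTP/1.1" 200 3021 "-" "-"',
    '198.51.100.7 - - [10/Oct/2012:10:13:02 +0000] "GET /product_info.php?products_id=1 HTTP/1.1" 200 9001 "-" "-"',
);
foreach (flag_pathinfo_requests($sample_log) as $hit) {
    echo "{$hit['time']} {$hit['ip']} {$hit['path']}\n";
}
```

Point the log scan at your real access log (one line per array element) and pass your renamed admin directory as the second argument; a normal /admin/login.php request does not match, only paths with something after a .php script do.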