
spooks

How to secure your osCommerce 2.2 site.


I reread my previous post and realized I couldn't make my point. I am asking whether there are spaces between lines, and whether the lines should be aligned to the left or whether there is a space. Generally, what do I need to do after pasting the lines? Thanks.

 

If it was important, the installation instructions would have said so.

 

To learn more about PHP, look at w3schools.com.

 

HTH

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


The changes to secure the log on do not need to be done in 2.3.1.

 

Download and read the installation instructions for the contributions.

 

Then you can decide if you want to install them.

 

Cheers

 

G

 

Thanks for your response. I'll review the rest of them. I ran through the process in a previous version but have since installed the new one.

 

thanks,

Sarah


Hello

 

I have an OSC 2.2 RC2A site installed. I'm using the Products URL field to link to PDF manuals located in another folder. I have since installed the add-ons suggested on the first page, i.e. Security Pro, Site Monitor, IP Trap and Anti-XSS, and copied the .htaccess files from OSC 2.3 to this site.

 

But after this, website visitors are unable to view these PDF documents. When clicked, the link directs back to index.php instead of the PDF document. (Note: from the backend admin, if you view the product and click on the link, it works.)

 

I've tested it on another installation without the add-ons and that works. Obviously, something is blocking the PDF document from being opened and kicking it back to the home page. I have removed the Anti-XSS, but that didn't help.

 

Does anyone have any ideas which of the above add-ons it could be?

 

Thanks in advance :)


Can anyone help with this?

 

I've added multiple security features including FWR Security Pro and the .htaccess additions listed through pixclinic under ANTI Cross Site Scripting attacks, but SecurityMetrics are still flagging the following:

 

Description: CGI Generic Remote File Inclusion
Synopsis: Arbitrary code may be run on the remote server.
Impact: The remote web server hosts CGI scripts that fail to adequately sanitize request strings. By leveraging this issue, an attacker may be able to include a remote file from a remote server and execute arbitrary commands on the target host.
See also: http://en.wikipedia.org/wiki/Remote_File_Inclusion
http://projects.webappsec.org/Remote-File-Inclusion
Data Received: Using the POST HTTP method, SecurityMetrics found that:
+ The following resources may be vulnerable to web code injection:
+ The 'osCsid' parameter of the /shopping_cart.php CGI:
/shopping_cart.php [osCsid=http://Fh3il70z.example.com/]
-------- output --------
</TR><TR> [...] includes/languages/english/images/buttons/menu_top6.gif" alt="" width="97" height="16" /></A><A HREF="http://www.<MYSITENAME>.com/contact_us.php?osCsid=http://Fh3il70z.example.com/"><img src="includ [...]</TR></TABLE></TD>
------------------------
/shopping_cart.php [action=update_product&osCsid=http://Fh3il70z.example.com/]
-------- output --------
</TR><TR> [...] includes/languages/english/images/buttons/menu_top6.gif" alt="" width="97" height="16" /></A><A HREF="http://www.<MYSITENAME>.com/contact_us.php?osCsid=http://Fh3il70z.example.com/"><img src="includ [...]</TR></TABLE></TD>
------------------------
Other references: CWE:98, CWE:78, CWE:434, CWE:632, CWE:73, CWE:473, CWE:801, CWE:714, CWE:727
Resolution: Restrict access to the vulnerable application. Contact the vendor for a patch or upgrade.
Risk Factor: High / CVSS2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

 

 

Seems strange that they've never spotted anything before. Does anyone have any ideas on how to fix this?

 

Thanks,

Simon

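What the scanner report quoted above actually shows is the injected osCsid value (a URL) being echoed back into every generated link; the "remote file inclusion" wording is the scanner's heuristic for reflected input in a parameter name that looks like a session id. The following is an added example, not osCommerce's own code nor code from any of the add-ons mentioned: it validates the session-id parameter before it is adopted or appended to links, so a value like http://Fh3il70z.example.com/ is dropped rather than reflected. The accepted character set, the 64-character cap and the hypothetical build_link() helper are assumptions for illustration.

```php
<?php
// Added example (not osCommerce code): accept a session id from the request
// only when it looks like a session token, and never echo anything else.

// Name of the session-id parameter; osCommerce uses "osCsid" by default.
const SESSION_PARAM = 'osCsid';

// Assumed policy: a valid id is 1..64 chars from [A-Za-z0-9,-]
// (PHP's own session ids use this alphabet at the widest setting).
function is_valid_session_id(string $sid): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{1,64}\z/', $sid) === 1;
}

// Return the session id to continue with, or null when the request carried
// none or an invalid one. The caller should then start a fresh session
// instead of adopting the supplied value (this also blocks session fixation).
function session_id_from_request(array $get, array $cookie): ?string
{
    foreach ([$get, $cookie] as $src) {
        if (isset($src[SESSION_PARAM]) && is_string($src[SESSION_PARAM])
            && is_valid_session_id($src[SESSION_PARAM])) {
            return $src[SESSION_PARAM];
        }
    }
    return null;
}

// Hypothetical link builder: only a validated id is ever appended, and the
// result is URL-encoded and then HTML-escaped for use inside an href.
function build_link(string $base, string $page, array $params, ?string $sid): string
{
    if ($sid !== null) {
        $params[SESSION_PARAM] = $sid;
    }
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    $url   = rtrim($base, '/') . '/' . $page . ($query === '' ? '' : '?' . $query);
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample requests (not real traffic).
$samples = [
    'legit'   => ['osCsid' => 'f3a9b2c1d4e5f60718293a4b5c6d7e8f'],
    'scanner' => ['osCsid' => 'http://Fh3il70z.example.com/'],   // the payload from the report
    'none'    => [],
];

foreach ($samples as $label => $get) {
    $sid  = session_id_from_request($get, []);
    $link = build_link('http://www.example.com', 'contact_us.php', [], $sid);
    printf("%-8s sid=%s\n         link=%s\n", $label, var_export($sid, true), $link);
}
```

Run it with `php` on the command line: the "scanner" request yields no session id and a link without any osCsid parameter, which is the behaviour that makes the reflected-parameter check stop firing. Rejecting the value is safer than merely escaping it, because an attacker-chosen id that is accepted would also let them fix a victim's session.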

Quick question about the IP trap.

Will it ban IPs that go to ANY of the disallowed folders in robots.txt?

 

We run osCommerce alongside our normal info site, and didn't want visitors to land straight in the shop from Google etc., so the whole catalog folder is in the robots.txt.

Just checking I'm not going to end up banning all visitors :)

 

Cheers,

Sion.


IP trap only catches visitors to

/personal

or, if you have changed/renamed your admin and followed the instructions in the installation instructions,

/admin

 

HTH

 

G



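To make the answer above concrete: a robots.txt trap bans only visitors who request the specific trap paths, not everything a site lists under Disallow. The block below is an added example of that mechanism, written for this page; it is not the IP Trap add-on's own code. The trap paths (/personal and /admin, following the answer above), the allow-list address, the flat ban file and the sample requests are all assumptions constructed for illustration.

```php
<?php
// Added example (not the IP Trap add-on's code): a minimal honeypot trap.
// Only requests for the paths in $trap_paths ban a visitor; a "Disallow:"
// for any other folder in robots.txt (the /catalog folder in the question
// above) is never consulted, so shoppers arriving from a search engine are
// not affected.

// Paths that only a robots.txt-ignoring crawler or a probing attacker would
// request. These must also be listed as "Disallow:" lines in robots.txt.
$trap_paths = ['/personal', '/admin'];

// Addresses that must never be banned (shop owner, monitoring hosts). Assumed.
$allow_list = ['203.0.113.10'];

// Flat file of banned IPs, one per line. The real add-on writes deny rules
// into .htaccess; a temp file keeps this example self-contained.
$ban_file = sys_get_temp_dir() . '/iptrap-banned.txt';

function is_trap_path(string $request_path, array $trap_paths): bool
{
    // Normalise: drop the query string, collapse duplicate slashes,
    // strip a trailing slash, then match on the directory prefix.
    $p = parse_url($request_path, PHP_URL_PATH);
    $p = is_string($p) ? rtrim(preg_replace('#/+#', '/', $p), '/') : '';
    foreach ($trap_paths as $trap) {
        $trap = rtrim($trap, '/');
        if ($p === $trap || strncmp($p, $trap . '/', strlen($trap) + 1) === 0) {
            return true;
        }
    }
    return false;
}

function is_banned(string $ip, string $ban_file): bool
{
    if (!is_file($ban_file)) {
        return false;
    }
    $banned = file($ban_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return in_array($ip, $banned, true);
}

// Called for every request. Returns 'banned' (existing ban), 'trapped'
// (ban recorded by this request) or 'ok'.
function check_request(string $ip, string $path, array $trap_paths,
                       array $allow_list, string $ban_file): string
{
    if (is_banned($ip, $ban_file)) {
        return 'banned';
    }
    if (!is_trap_path($path, $trap_paths) || in_array($ip, $allow_list, true)) {
        return 'ok';
    }
    // Record only a syntactically valid address so a forged value can never
    // poison the ban file or inject extra lines.
    if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
        file_put_contents($ban_file, $ip . "\n", FILE_APPEND | LOCK_EX);
        return 'trapped';
    }
    return 'ok';
}

// Constructed sample traffic (not a real log). Documentation addresses only.
@unlink($ban_file);
$requests = [
    ['198.51.100.7', '/catalog/index.php'],                      // shopper: ok
    ['198.51.100.7', '/catalog/product_info.php?products_id=12'], // shopper: ok
    ['192.0.2.44',   '/personal/'],                              // crawler ignoring robots.txt: trapped
    ['192.0.2.44',   '/catalog/index.php'],                      // same address afterwards: banned
    ['203.0.113.10', '/admin/login.php'],                        // owner on allow-list: ok
];
foreach ($requests as [$ip, $path]) {
    printf("%-14s %-45s %s\n", $ip, $path,
        check_request($ip, $path, $trap_paths, $allow_list, $ban_file));
}
```

Two points worth checking on a live install: the address you feed into the trap should be the one the web server saw (not a client-supplied X-Forwarded-For header, unless a trusted proxy sets it), and your own address should be on the allow-list before you test the trap path in a browser, or the first visitor you ban will be yourself.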
Posted · Hidden by Jan Zonjee, July 30, 2013 - commercial link in first post...

After several hacks on my site I listened to a friend who had tried this site for his WordPress: webguarddog. I decided to try it with my osCommerce and it works! It's seriously worth the $27 fee...
