spooks

How to secure your osCommerce 2.2 site.

Hi there,

I have installed and made most of the changes without an error but I cannot install one: the Add htaccess protection addon, http://addons.oscommerce.com/info/6066.

I keep getting an internal error when I add the code to the .htaccess file (I have followed the instructions to a tee, as with the others). I have also installed the FWR SEO URLs 5 addon with the rewrite option; could this be causing a conflict?

Thanks in advance!

dan


Add any new htaccess instruction in small sections, then you can tell if a particular addition causes problems or conflicts.


Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.


Hi there,

I have narrowed it down to 2 additions to the .htaccess file that are causing the internal error. They are:

# Deny domain access to spammers and other scumbags
RewriteEngine on
php_flag register_globals off
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots

FORCE TYPE
<Files site>
ForceType application/x-httpd-php
</Files>

The 1st one works when I remove the php_flag register_globals off line.

Any help is welcome.

dan


I would refer to your host; register_globals can easily be set in php.ini or elsewhere.



Sorry, can you clarify a bit? Do I need to activate register globals on my server to correct the problem?

Also, if I don't include the above 2 additions, will the rest of the .htaccess protection work?

Thanks for your help in the matter, spooks.

dan


These days most hosts have register globals disabled; that is the way you want it. You only need it enabled if you have an ms2 or earlier site that doesn't have the rg fixes.

The instruction you had is just making sure rg is off. You can check the current state of rg in admin: go to server info & look down the list.

htaccess instructions are independent of each other (mostly), so it's not a problem if you miss some off.



Thanks! register_globals is indeed off on the server, and I have deleted the 'php_flag register_globals off' line and everything works fine!

Thanks for the help.


Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

You can add htaccess protection http://addons.oscommerce.com/info/6066

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Also make sure that all files, except for the two configure.php files, have permissions no higher than 644.

The permissions for the two configure.php files will vary according to the server your site is on: it could be 644, 444 or 400 which is correct.

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

Do it now, avoid getting that nasty addition to your listings in Google: 'This site might damage your computer'

Or find all your customers' data has been posted on a hackers' bulletin board somewhere, etc etc

Update Sep. 09

The following addresses issues that have arisen or were not mentioned since this post was placed:

SECURING THE ADMIN:

You must take steps to secure your admin, by renaming & password protection. There is also an issue with hacks, read Jan's thread here.

FILEMANAGER:

It has long been known the file manager is a security risk & should, nay MUST, be removed; if used for editing your site it is likely to damage your files, so is a bad utility to keep anyway, see here. It's also been known it's a possible hacking route & to make matters worse there now exists a very nasty hack that uses the file manager to gain access to your site ( dbase included!! )

Use a normal editor such as HTML-Kit or Notepad++ after downloading all your files to your PC with FTP such as FileZilla.

To remove the file manager:

Delete file_manager.php from catalog/admin

open admin/includes/boxes/tools.php and delete the line:

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .

It is also known that admin/define_language.php is vulnerable to the same hacks as the file manager, so should also be removed.

BACKUPS:

To be safe you should make backups of your dBase and site files; it saves a great deal of time & effort cleaning up should anything nasty happen.

I recommend you use AutoBackup Database in Admin AND Database backup manager, also Backup of all store files in zip format.

INSTALLATION:

If you are unsure about installing these contributions this thread should help you.

FORMS:

Security Pro cleans the query string, however any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

after:

require('includes/application_top.php');

add:

// clean posted vars
// scalars are reduced to the whitelist below; arrays are dropped outright
foreach ($_POST as $key => $value) {
  if (!is_array($value)) {
    // urldecode() runs on data PHP has already decoded once, so any %-sequences
    // left in the value are decoded a second time before the whitelist is applied
    $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/", "", urldecode($value));
  } else {
    unset($_POST[$key]); // no arrays expected
  }
}

This does not allow for arrays; additional code is needed if they are used.
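As an added example, not the snippet from the post above and not the Security Pro addon's code: a version of the $_POST cleaner that keeps the same whitelist but walks nested arrays instead of dropping them, which is the "additional code" the post says arrays would need. The depth and key-length limits are choices made for this example, not osCommerce settings, and the sample input is constructed.

```php
<?php
// Added example, not the snippet from the post or the Security Pro addon.
// Same character whitelist as the post, but nested arrays are walked rather
// than dropped. MAX_DEPTH and MAX_KEY_LEN are limits chosen for this example,
// not osCommerce settings.

const CLEAN_WHITELIST = '/[^ a-zA-Z0-9@%:{}_.-]/';
const MAX_DEPTH = 3;     // branches nested deeper than this are dropped
const MAX_KEY_LEN = 64;  // keys longer than this are dropped

/**
 * Return a cleaned copy of $input: scalars are filtered through the whitelist
 * (after the same urldecode() step the post uses), arrays are cleaned
 * recursively, and keys that fail the whitelist or the length limit are
 * dropped together with their values.
 */
function clean_posted_vars(array $input, int $depth = 0): array
{
    if ($depth >= MAX_DEPTH) {
        return [];
    }
    $clean = [];
    foreach ($input as $key => $value) {
        $key = (string) $key;
        if (strlen($key) > MAX_KEY_LEN || preg_match(CLEAN_WHITELIST, $key) === 1) {
            continue;
        }
        if (is_array($value)) {
            $sub = clean_posted_vars($value, $depth + 1);
            if ($sub !== []) {
                $clean[$key] = $sub;
            }
        } elseif (is_scalar($value)) {
            $clean[$key] = preg_replace(CLEAN_WHITELIST, '', urldecode((string) $value));
        }
        // objects, resources and null cannot come from a form post: dropped
    }
    return $clean;
}

// Constructed sample standing in for $_POST (not captured traffic).
$sample = [
    'email'    => 'alice@example.com',
    'comment'  => 'nice <b>shop</b>; see you',
    'products' => ['id' => '12', 'attr' => ['color' => 'red', 'size' => 'M,L']],
    'bad key!' => 'x',
    'deep'     => ['a' => ['b' => ['c' => 'nested too deep']]],
];

// In the store this one call replaces the per-key loop shown in the post.
$_POST = clean_posted_vars($sample);
print_r($_POST);
```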

 

Some of these ADD ONS sound great albeit difficult to configure. It hardly seems logical to install an add on that will damage an otherwise perfectly functioning site and that as it's quoted will cause more harm or damage than it fixes like Security Pro. Maybe I am misconstruing something in the translation but that seems to be what they are saying.

 

Jeff


LIL JEFF


None of these damage your site, where do you get that idea!! They just add protection against hackers that do damage it. Remember once you have been attacked, they WILL be back again to test your defenses.

Most of these are little routines that do little much of the time, just plug holes the hackers try to get through.

Security Pro is an essential, but all it does is clean the query string; it does not do damage. There are a few apps that use characters in that string that Security Pro would remove, so there are contingencies within Security Pro to allow those chars for those apps. Also note there are some here that have Security Pro to thank for protecting them against attacks they received; without it they would have had a nasty clean up to do.

An important matter to consider too: if/when you get attacked the hackers will access your dbase & customer data as well as mess your site files. It is your legal responsibility to secure that data & take all steps to ensure unauthorised persons do not access it. :)



Here is an interesting one... have any of you run into this...

Customer places an order for $260.00, say.

They hit checkout confirmation and within about 10 seconds or less I have an IPN email that says the transaction was completed. But... the amount is only $.03. I have had this 2 times now and it has been from the same guy twice. It's like he's hacking something in between when it gets transferred over to PayPal. I'm using IPN.


Does this only happen to this particular customer? If you do a test transaction, does it happen to you? Did you check your PayPal balance and transaction list? If it only happens when this person does it, I would say that either he's hacking something, or some astronomical force in the universe has selected him to be the beneficiary of this 1-in-a-million occurrence.

I would make sure to REFUND his three cents back to his PP account (a pain, I know, but it keeps a frauder from having any kind of case), and cancel his order. I would not ship a 260.00 order when it is so grossly underpaid. I'm sure you already know this. :)

If it happens frequently to other customers, or when you do your test transaction, I would likely say it's a problem with the module or your settings.


Yeah, it's just the one guy, so I kind of have a good idea he is hacking. I tried matching all his info and running an order the same and couldn't do it, so he's definitely hacking. I reported it to PayPal to see if they can look into his account.


Hello Spooks, hello everybody.

Here is the Frenchy speaking again...

I read your first post...

Do I have to do all the securing recommended in this post?

Sorry for my bad English...

;)

Configuration:
Vista Service Pack 1
OVH
OSC=V2.2 RC1
mail @laposte.net
Set up for SMTP
Contrib:
Colissimo


The additions mentioned in the September update are essential, as is setting permissions. I consider Security Pro and htaccess protection essential too; the rest are advisable but could be left for a while if needed.

 




Sounds like he is manipulating the data when it's sent to PayPal. Don't know why these idiots think we are stupid enough to fall for that.

I'd ban his IP if you have it, and delete his account. 5 years in Loss Prevention has taught me that a customer isn't a customer once they start stuffing merchandise down their pants.
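A defender-side check for the case discussed above, added here as an example and not code from osCommerce's PayPal IPN module: once PayPal has answered VERIFIED to the IPN post-back, the store compares the notification with its own order record before marking the order paid. The IPN field names are PayPal's; the order record layout, the store address and the use of PayPal's "custom" field to carry the order id are assumptions for the example, and the sample values are constructed.

```php
<?php
// Added example, not osCommerce's PayPal IPN module. After PayPal has answered
// VERIFIED to the IPN post-back, the store still has to compare the notification
// with its own order record before marking the order paid; this is that check.
// IPN field names (payment_status, receiver_email, mc_gross, mc_currency,
// custom, txn_id) are PayPal's. Carrying the order id in PayPal's "custom"
// field, the order record layout and the sample values are assumptions.

/**
 * Return the list of mismatches between a verified IPN and the order it
 * claims to pay for. An empty list means the notification is consistent
 * with the order; anything else means do not mark paid and do not ship.
 */
function check_ipn_against_order(array $ipn, array $order, array $seen_txn_ids, string $store_email): array
{
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment_status is not Completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $store_email) !== 0) {
        $problems[] = 'receiver_email is not this store';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'currency mismatch';
    }
    // compare in integer cents so that 0.03 vs 260.00 is not a float question
    $paid = (int) round((float) ($ipn['mc_gross'] ?? 0) * 100);
    $due  = (int) round($order['total'] * 100);
    if ($paid < $due) {
        $problems[] = sprintf('underpaid: %.2f received, %.2f due', $paid / 100, $due / 100);
    }
    if (($ipn['custom'] ?? '') !== (string) $order['id']) {
        $problems[] = 'order reference does not match';
    }
    if (in_array($ipn['txn_id'] ?? '', $seen_txn_ids, true)) {
        $problems[] = 'txn_id already processed (replayed notification)';
    }
    return $problems;
}

// Constructed data mirroring the thread: a $260.00 order with an IPN for $0.03.
$order = ['id' => 1001, 'total' => 260.00, 'currency' => 'USD'];
$ipn = [
    'payment_status' => 'Completed',
    'receiver_email' => 'shop@example.com',
    'mc_gross'       => '0.03',
    'mc_currency'    => 'USD',
    'custom'         => '1001',
    'txn_id'         => 'EXAMPLE-TXN-1',
];
print_r(check_ipn_against_order($ipn, $order, [], 'shop@example.com'));
```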


Sorry for the dumb question, but where exactly do you find the September updates?


The first post of this topic. ;)



Oh, "last" September, yeah I already have those. I thought you meant there were some new ones around page 9 :lol:

Thank You

edit: oh yes, the ones labeled,

Update Sep. 09

The following addresses issues that have arisen or were not mentioned since this post was placed:

:D ..don't mind me, I'm slow, but I finish!


Hello, and thank you to the OP as this information, no doubt, saves all of us a lot of time and research. Now that I have all of the recommended modifications made, I have a couple of quick questions as well:

1) Installing the permissions contribution has enlightened me to the fact that all of the images I upload (product, category, etc) are all automatically set to 777. I understand this to be bad? Why is this happening?

2) "Auto Backup Install v3" (the one for backing up the DB) creates a backup while I am logged into my admin (or otherwise named ;) ) panel. However, it seems it creates a backup every time I click on a different page? In less than an hour, I accumulated 15 backups! Is this normal behavior? And, if so, is there a way to automatically delete some of these backups?

3) On the contribution with the htaccess codes, all the codes work but this one:

RewriteCond %{HTTP_HOST} ^YOURSITE.COM [NC]
RewriteRule ^(.*)$ http://www.YOURSITE.COM/$1 [L,R=301]

(yes I entered my site). I didn't see a help forum and did a bit of searching, but thought I would ask here.

4) I've seen recommendations to password protect the admin (or otherwise named, ;) ) from the cPanel which would make me have to log in twice. I understand there is a way to configure it so that you would only have to log in once. I found a link to a code from Mr. De Leon, but I'm afraid I didn't understand it that well. Can someone point me in the direction of a tutorial for this. Is this "highly" recommended?

I want to thank you in advance for any suggestions and please excuse my spelling as the checker doesn't seem to be on,

Harold


Hello Spooks,

Thanks for the answer.

Do you confirm that this line must be deleted in /admin/includes/boxes/tools.php

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>'

Sorry for my bad English...

;)

 


Yes, as well as deleting file manager.



1. That's the default behaviour for osC; you need to mod the upload class to fix it:

   function upload($file = '', $destination = '', $permissions = '777', $extensions = '') {

change that as you need for your server

2. You have failed to run the setup file, so the admin settings do not exist; run that to fix your issue.

3. I don't know htaccess that well, but that looks incomplete to me, try:

RewriteCond %{HTTP_HOST} !^www\.YOURSITE\.com [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^(.*) http://www.YOURSITE.com/$1 [L,R=301]

4. Sorry, don't know any; it's a lot of effort to write them & they're often not appreciated when you do, so many don't bother. :)
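An added check, not the permissions addon from the first post and not osCommerce code, covering both the first post's permission rule (files no higher than 644, folders no higher than 755) and the 777 upload default described in answer 1: it walks a directory tree and lists everything looser than those limits. The thresholds are the thread's own figures; the demo tree is constructed by the script itself and removed afterwards.

```php
<?php
// Added example, not the permissions addon linked in the first post and not
// osCommerce code. Walks a directory tree and reports every entry looser than
// the thread's limits: files no higher than 0644, directories no higher than
// 0755 (so the 0777 upload default is caught). The limits are the thread's own
// figures; the demo tree at the bottom is constructed by the script itself.

const MAX_FILE_MODE = 0644;
const MAX_DIR_MODE  = 0755;

/**
 * Return a list of [path, octal mode, reason] for every file or directory
 * under $root that has any permission bit set which the applicable maximum
 * does not have (0664, 0666, 0755 on a file; 0775, 0777 on a directory).
 */
function audit_permissions(string $root): array
{
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iter as $path => $info) {
        $mode = fileperms($path) & 0777;
        $max  = $info->isDir() ? MAX_DIR_MODE : MAX_FILE_MODE;
        if (($mode & ~$max) !== 0) {
            $findings[] = [
                $path,
                sprintf('%04o', $mode),
                $info->isDir() ? 'directory above 0755' : 'file above 0644',
            ];
        }
    }
    return $findings;
}

// Constructed demo tree: an images directory left at 0777 by the upload class
// default, a world-writable image, and a configure.php tightened to 0444.
$demo = sys_get_temp_dir() . '/osc_perm_demo_' . getmypid();
mkdir("$demo/images/products", 0755, true);
chmod("$demo/images", 0755);          // mkdir is subject to umask, so set explicitly
chmod("$demo/images/products", 0777);
file_put_contents("$demo/images/products/1.jpg", 'x');
chmod("$demo/images/products/1.jpg", 0666);
file_put_contents("$demo/configure.php", "<?php\n");
chmod("$demo/configure.php", 0444);

foreach (audit_permissions($demo) as [$path, $mode, $why]) {
    echo "$mode  $why  $path\n";
}

// tidy up the demo tree
unlink("$demo/images/products/1.jpg");
unlink("$demo/configure.php");
rmdir("$demo/images/products");
rmdir("$demo/images");
rmdir($demo);
```

Run it against a real store with the demo block replaced by `audit_permissions('/path/to/catalog')`; the two configure.php files at 444 or 400 pass the file rule, as the first post says they should.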



Okay, my site was hacked twice this month and it's been up for a year; no one hacked it before. Admin folder is renamed, password protected new admin folder, remote SQL is only accessible from my IP. File permissions are OK. No edited files (by date), and both hacks are automated. Hacks are similar, probably some SQL injection, because the only thing they change is some parameters in the database. Both times they change languages_id so it's probably something with that. Can anyone help how to solve this and find the problem?


Which of the security contribs detailed here do you have?

 

Do you have any hackable contribs, like early testimonials?



Well, I'm using CRE Loaded so I don't know what exactly is in there.
