
How to secure your osCommerce 2.2 site.


spooks


Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.

 

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

 

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

 

You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

 

You can add htaccess protection http://addons.oscommerce.com/info/6066

 

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

 

Also make sure that all files, except for the two configure.php files, have permissions no higher than 644.

 

The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400 which is correct.

 

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

 

You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

 

Do it now, avoid getting that nasty addition to your listings in google: 'This site might damage your computer'

Or find all your customers' data has been posted on a hackers' bulletin board somewhere, etc etc

 

Update Sep. 09

 

The following addresses issues that have arisen or were not mentioned since this post was placed:

 

SECURING THE ADMIN:

 

You must take steps to secure your admin, by re-naming & password protection. There is also an issue with hacks, read Jan's thread here.

 

FILEMANAGER:

 

It has long been known the filemanager is a security risk & should, nay MUST, be removed; if used for editing your site it is likely to damage your files, so it is a bad utility to keep anyway, see here. It's also been known it's a possible hacking route & to make matters worse there now exists a very nasty hack that uses filemanager to gain access to your site ( dbase included!! )

 

Use a normal editor such as html-kit or notepad++ after downloading all your files to your PC with ftp such as filezilla.

 

To remove filemanager:

 

Delete file_manager.php from catalog/admin

 

open admin/includes/boxes/tools.php and delete the line:

 

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .

 

It is also known that admin/define_language.php is vulnerable to the same hacks as filemanager, so it should also be removed.

 

BACKUPS:

 

To be safe you should make backups of your dBase and site files; it saves a great deal of time & effort cleaning up should anything nasty happen.

 

I recommend you use AutoBackup Database in Admin AND Database backup manager also Backup of all store files in zip format.

 

INSTALLATION:

 

If you are unsure about installing these contributions this thread should help you.

 

FORMS:

 

Security Pro cleans the query string, however any forms using $_POST are unaffected; if you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

 

after:

 

require('includes/application_top.php');

add:

 
// clean posted vars
// (foreach over the keys replaces the original reset()/each() loop, which PHP 8 removed)
foreach (array_keys($_POST) as $key) {
    if (!is_array($_POST[$key])) {
        // url-decode first, then strip every character outside the whitelist
        $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
    } else {
        unset($_POST[$key]); // no arrays expected
    }
}

 

This does not allow for arrays; additional code is needed if they are used.

Sam

 

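The snippet above simply drops any array-valued field; as an added example (not code from the thread or from Security Pro), here is the same character whitelist applied recursively so that array fields, which osCommerce uses for product option selections, are cleaned rather than discarded. The function name and the depth limit are choices made for this example.

```php
<?php
// Added example, not code from the thread: the whitelist from the snippet
// above, applied recursively so array-valued fields are cleaned instead of
// being dropped. Function name and depth limit are this example's own.

// Everything outside this class is removed. The original pattern carried /i,
// which is redundant because both letter cases are already listed.
const POSTED_VAR_WHITELIST = '/[^ a-zA-Z0-9@%:{}_.-]/';

function clean_posted_vars(array $vars, int $depth = 0): array
{
    $clean = [];
    foreach ($vars as $key => $value) {
        // Keys are attacker-controlled as well, so filter them the same way.
        $key = preg_replace(POSTED_VAR_WHITELIST, '', (string) $key);
        if (is_array($value)) {
            // Bound the recursion depth (an arbitrary limit for this example).
            if ($depth >= 3) {
                continue;
            }
            $clean[$key] = clean_posted_vars($value, $depth + 1);
        } else {
            // As in the original: url-decode first, then strip.
            $clean[$key] = preg_replace(POSTED_VAR_WHITELIST, '', urldecode((string) $value));
        }
    }
    return $clean;
}

// Constructed sample standing in for $_POST on a product page.
$sample = [
    'email_address' => "buyer@example.com'; DROP TABLE customers; --",
    'id'            => [1 => '<script>alert(1)</script>', 2 => '42'],
    'comments'      => 'deliver%20after+5pm',
];
print_r(clean_posted_vars($sample));
// In application_top.php the call would be: $_POST = clean_posted_vars($_POST);
```

Note that the whitelist also strips characters legitimate input carries (apostrophes in names, commas, slashes, plus signs), so treat this as a crude extra layer alongside proper escaping of database input and HTML output, not as a replacement for it.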

It always helps having to be PCI compliant too... having that scan every few days going through your system catching anything that may be vulnerable. It never hurts to be alerted to vulnerabilities.

 

I love the Security Pro. I tried the IP trap but it worked so well my PCI compliance scanner got blocked *laughing*. Now I just keep looking at my error log, and put questionable entities in my disallow lines of my .htaccess file. That may not be the best way to do it, but it's what I've got for now.


When you say...

 

Permissions on folders should be no higher than 755.

 

... I assume you mean all except:

 

/catalog/images

/catalog/admin/backups

/catalog/admin/images/graphs

 

I get errors when I drop the permissions below 777 on those folders.


Read it once again!

 

Thank you for your enlightened reply. However, it is osCommerce, not the host that requires that those folders be world writable. The docs and the knowledgebase both state that they should be left at 777. If there is a way to secure them while still keeping osCommerce happy please let me know how to do so.


I believe 777 is only vulnerable if the server itself is vulnerable i.e. not set up securely. You cannot upload and execute a file remotely as far as I'm aware - the attack would need to come from within. Although this post is quite old, I think it makes interesting reading. Irrespective, always chmod to the most secure settings that still allow your site to run:

 

http://www.simplemachines.org/community/in...hp?topic=2987.0


Not one of my folders has permissions 777, everything works fine.

 

With /catalog/images set below 777, all is fine with the store. When I then enter admin, everything is still fine until I click on products/catalog. At this point, osc sees that it is unable to write to the images directory (and therefore unable to upload images for new products, etc via admin) and therefore generates an error that is listed at the top of the screen.

 

Since I ftp images up anyway this isn't a big issue, but the /catalog/admin/backups and /catalog/admin/images/graphs have a similar problem. If they aren't world-writable, they cannot work as intended. Unless of course there is more to it that I am unaware of. That's why I asked the initial question.

 

As to it really being a security issue, I agree. I think a properly configured server manages the risk. However, it could be a bandwidth issue. Someone could use your world-writable directory as a warez file depository and post on warez boards where to get them. Suddenly, you could see a huge jump in bandwidth which could be costly if you have to pay for use beyond your allowance.


This seems a little confusing here.

 

osCommerce requires 777 for backup directory, images directory, and a few other places. Also, if you use a script that does caching of resized images, it also requires 777.

 

I guess the questions are this..

a) Is it possible for someone to do an HTTP upload file to any directory that's 777, without a script accepting it?

b) If so, maybe one can setup an .htaccess file to block write access this way?


Add a .htaccess including the following code.

 

php_flag engine off
<Files ~ "\.(php*|s?p?html|cgi|pl)$">
deny from all
</Files>

 

Not my code. Was suggested to me by BL4CK from thedefaced[d0t]org security group, and I can see the benefit.

 

Won't work with suexec but a php.ini version would suffice.


It's not osCommerce that requires it. It is the config of the server. On the host I use I have to set the configure.php to 0444 to get the "I can write" error to go away, so my image folder goes no higher than 0755.

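The first post gives the permission rules and the .htaccess posted above covers folders that have to stay writable; here, as an added example that is not code from the thread or from osCommerce, is a read-only PHP audit that reports files above 644, folders above 755, configure.php files outside 644/444/400, the two admin scripts the first post says to delete, and writable folders that lack an .htaccess turning the PHP engine off. The script name, the folder list and the report format are assumptions made for this example.

```php
<?php
// Added example, not code from the thread or from osCommerce: a read-only
// audit of a catalog tree against the rules in this thread. It changes
// nothing, it only reports. Script name, the list of writable folders and
// the report format are assumptions.
// Usage: php audit_oscommerce.php /path/to/catalog

function audit_oscommerce(string $root): array
{
    $root = rtrim($root, '/');
    $findings = [];

    // Files the thread says must be deleted outright.
    foreach (['admin/file_manager.php', 'admin/define_language.php'] as $rel) {
        if (file_exists("$root/$rel")) {
            $findings[] = "REMOVE  $rel is still present";
        }
    }

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $rel  = substr($path, strlen($root) + 1);
        $mode = fileperms($path) & 0777;
        $oct  = sprintf('%04o', $mode);
        if ($info->isDir()) {
            // Folders: 755 at most, i.e. no write bit for group or other.
            if ($mode & 0022) {
                $findings[] = "DIR     $rel is $oct (max 0755)";
            }
        } elseif ($info->getFilename() === 'configure.php') {
            // Both configure.php files: any of 644, 444 or 400 is acceptable.
            if (!in_array($mode, [0644, 0444, 0400], true)) {
                $findings[] = "CONFIG  $rel is $oct (expected 0644, 0444 or 0400)";
            }
        } elseif ($mode & 0133) {
            // Other files: 644 at most, so no execute bits, no group/other write.
            $findings[] = "FILE    $rel is $oct (max 0644)";
        }
    }

    // Folders osCommerce writes to and that this thread discusses being 777:
    // if they must stay writable, at least make sure nothing uploaded there runs.
    foreach (['images', 'admin/backups', 'admin/images/graphs'] as $rel) {
        $ht = "$root/$rel/.htaccess";
        $ok = is_file($ht) && stripos((string) file_get_contents($ht), 'engine off') !== false;
        if (is_dir("$root/$rel") && !$ok) {
            $findings[] = "UPLOAD  $rel has no .htaccess turning the PHP engine off";
        }
    }
    return $findings;
}

$root = realpath($argv[1] ?? '.');
if ($root === false) { fwrite(STDERR, "Directory not found\n"); exit(1); }
$findings = audit_oscommerce($root);
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : "No findings." . PHP_EOL;
```

Running it from cron and diffing the output against the previous run gives a cheap change alarm for the permission side of things, complementing what SiteMonitor does for file contents.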


If the default osCommerce script is really this vulnerable, I think osCommerce should let people know before they download the script and spend countless hours customizing their installation.


Very useful contributions, if the server is not set up properly. Personally I am using a firewall on my server and getting only email logs of people who are trying to hack osCommerce websites, & these people/IP addresses go automatically into my blacklist.

 

example:

Time: Sun Sep 7 18:16:39 2008 +0100

IP: 193.xx.xxx.xxx (country name)

Failures: 1 (mod_security)

Interval: 215 seconds

Blocked: Yes

 

Log entries:

 

[sun Sep 07 18:16:35 2008] [error] [client 193.xx.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:goto. [id "950006"] [msg "System Command Injection. Matched signature </mail>"] [severity "CRITICAL"] [hostname "domain name"] [uri "/admin/file_manager.php?goto=/home/user_name/public_html//images/mail"] [unique_id "dvZTxFXqk2sAAH@an4YAAAAE"]


Server set up is no replacement at all for code side input/output escaping, server security is a totally different animal addressing totally different needs.


Thanks for the list, Sam, and thanks Deborah for that hint regarding PCI compliance. You're right on.

 

Right now my compliance people are failing me due to apparent vulnerability to cross-site scripting, so this thread came at just the right time.

 

~Wendy


Hi

 

I am looking at the install instructions for Anti XSS and do not understand how it can write to a file called iplog.txt?

 

Nowhere in the .htaccess code is there a reference to the IP address being written to the .txt file.

 

Am I missing code here?

 

=======

 

Also I have installed Secure your site with an IP trap http://addons.oscommerce.com/info/5914.

 

The add-on successfully blocks you but when it writes the IP address to a text file called IP_trapped.txt the blocked IP address is written as an invisible line. Also when the program writes an email to you, again the IP address is not shown/invisible.

 

Does any one know how to make the IP address visible?

 

Thank You

 

TMM


Hi

 

I have installed Security Pro latest version but get the following error after the entire add-on installation:

 

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'MAX_RANDOM_SELECT_NEW' at line 1

 

select products_id, products_image, products_tax_class_id, products_price from products where products_status = '1' order by products_date_added desc limit MAX_RANDOM_SELECT_NEW

 

 

Can anyone please suggest what to do here?

 

Thanks

 

Bal


Make sure the file that should have been put in /includes/languages/english is there, or that an edit to add a define to /includes/languages/english.php has been done correctly.


Hi, for the Security Pro 1.0.2 contribution http://addons.oscommerce.com/info/5752 there is no mention of having to put anything into the languages/english folder.

 

Please explain

 

 

Basically when I load my site the main page just shows the header image, side menu and the rest is blank with the error message. I have not put back the old application_top file and it is back to normal until I find out the fix.

 

 

Thanks

 

B


Hi, this issue is fixed - I accidentally commented something out.

 

 

 

On another note - does anyone have any test cases to test all the contributions in this thread?

 

Many Thanks

 

B


  • 2 weeks later...

I cannot successfully test IP trap after installing. I get the warning message after running mystore\personal, but the IP does not get logged in the text file and I can still browse everywhere afterwards. Permissions are 777 on the txt file. My hosting server does not allow me to upload .htaccess files for some reason. Could it be due to this?


When I tried to install the AntiXSS I had an error:

 

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/factoryr/public_html/includes/functions/general.php on line 39

 

Can somebody help me please..

 

Thank you

 

Rafael


  • 1 month later...

How do I install addons. I know this is probably a thread elsewhere but for the life of me, I cannot find it. Can someone please tell me where I can learn or get a tutorial as to how to install addons? I really feel lost with phps. I also have a question as to how to find php pages in my store/catalog that appear in my index. If I look at my index page live on the web and look at the source, there is more info there than is found on my index.php. I know these may seem like basic questions and you all may think...my god, they should know how to do this but I do not. So, even if there is a tutorial that can help. I can use it!

 

Thanks,

Kelly


Archived

This topic is now archived and is closed to further replies.
