modem2.0, posted April 6, 2010

Hi spooks, thanks for replying. I was using the following code from FWR:

```php
/**
 * Reliably set PHP_SELF as a filename .. platform safe
 */
function setPhpSelf() {
  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
  foreach ( $base as $index => $key ) {
    if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
      if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
        preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
        if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) && ( substr( $matches[0], -4, 4 ) == '.php' ) && ( is_readable( $matches[0] ) ) ) {
          return $matches[0];
        }
      }
    }
  }
  return 'index.php';
} // end method
$PHP_SELF = setPhpSelf();
```

posted here: http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/page__st__80__p__1467014entry1467014

But if I try www.myserver.com/admin/orders.php/login.php I can see my orders. I'm using a Linux server.
spooks, posted April 6, 2010

> But if I try www.myserver.com/admin/orders.php/login.php I can see my orders. I'm using a Linux server.

Did you try his earlier code first? It always works for me on Linux servers. In admin/includes/application_top.php find this code, beginning around line 124:

```php
// redirect to login page if administrator is not yet logged in
  if (!tep_session_is_registered('admin')) {
    $redirect = false;

    $current_page = basename($PHP_SELF);
```

and change to:

```php
// redirect to login page if administrator is not yet logged in
  if (!tep_session_is_registered('admin')) {
    $redirect = false;

    $current_page = basename($_SERVER['SCRIPT_NAME']);
```

Sam

Remember, what you think I meant may not be what I thought I meant when I said it. Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
modem2.0, posted April 8, 2010

Not sure what you mean exactly by "Did you try his earlier code first", but I added it to the FWR solution and it worked, although I'm almost sure I already tried it before and it did not work...

If everyone else is still looking for the right solution, use the solution from FWR described in http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/page__st__80__p__1467014entry1467014 together with spooks' configuration at http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/page__view__findpost__p__1499692.

Thanks a lot spooks!
FWR Media, posted April 8, 2010

> Hi spooks, thanks for replying. I was using the following code from FWR:
>
> ```php
> /**
>  * Reliably set PHP_SELF as a filename .. platform safe
>  */
> function setPhpSelf() {
>   $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
>   foreach ( $base as $index => $key ) {
>     if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
>       if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
>         preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
>         if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) && ( substr( $matches[0], -4, 4 ) == '.php' ) && ( is_readable( $matches[0] ) ) ) {
>           return $matches[0];
>         }
>       }
>     }
>   }
>   return 'index.php';
> } // end method
> $PHP_SELF = setPhpSelf();
> ```
>
> posted here: http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/page__st__80__p__1467014entry1467014
>
> But if I try www.myserver.com/admin/orders.php/login.php I can see my orders. I'm using a Linux server.

If this code is in place in the correct ADMIN/includes/application_top.php then the hack will not work.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls; KissMT Dynamic SEO Meta & Canonical Header Tags; KissER Error Handling and Debugging; KissIT Image Thumbnailer; Security Pro - Querystring protection against hackers (a KISS contribution). Please only PM me for paid work.
Winterburn, posted June 14, 2010

Hello, everyone. Due to this issue, I have searched my site for any occurrences of $_SERVER['PHP_SELF'] and came to a file named nusoap.php. This file is basically used for APIs (payment methods, waybill creation, etc.). I found the following in the script:

```php
if (isset($_SERVER)) {
    $PHP_SELF = $_SERVER['PHP_SELF'];
} elseif (isset($HTTP_SERVER_VARS)) {
    $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
} else {
    $this->setError("Neither _SERVER nor HTTP_SERVER_VARS is available");
}
```

Is this a hole or not? I believe nusoap.php is being called after application_top.php, and I have USU5 installed, which has the SCRIPT_NAME fix in it.
Solan, posted June 28, 2010

> Yes both.

Hi, I don't get this to work. The customer area seems alright, but when I try to log on to the admin area the page takes a very long time to load, and after a long while it says that the page couldn't be loaded. I tried several times now without success. And when trying to FTP the old backup files I get several errors having to do with the Security Pro contribution... Any idea what I could be doing wrong?
hetmana, posted September 8, 2010

> Did you try his earlier code first? It always works for me on Linux servers. In admin/includes/application_top.php find this code, beginning around line 124:
>
> ```php
> // redirect to login page if administrator is not yet logged in
>   if (!tep_session_is_registered('admin')) {
>     $redirect = false;
>
>     $current_page = basename($PHP_SELF);
> ```
>
> and change to:
>
> ```php
> // redirect to login page if administrator is not yet logged in
>   if (!tep_session_is_registered('admin')) {
>     $redirect = false;
>
>     $current_page = basename($_SERVER['SCRIPT_NAME']);
> ```

Found and changed. (AFTER reading eight bazillion posts about forgotten password code that isn't even IN my application_top.php.)

Question: should I ALSO change:

```php
// include the language translations
  require(DIR_WS_LANGUAGES . $language . '.php');

  $current_page = basename($PHP_SELF);
```

to

```php
// include the language translations
  require(DIR_WS_LANGUAGES . $language . '.php');

  $current_page = basename($_SERVER['SCRIPT_NAME']);
```

or does that one get left as-is? Thanks!
Guest, posted September 16, 2010

> This seems to be going on and on and deviating from what will stop the hack. The key hole was that PHP_SELF is unreliable and osCommerce does not check it as such. Very early on I mentioned that SCRIPT_NAME is a more reliable option .. and it is .. it is not truly transportable though, as SCRIPT_NAME can sometimes return the php-cgi binary.
>
> The following is code based on that used in Ultimate Seo Urls 5, Ultimate Seo Urls 5 PRO and KissMT Dynamic SEO Meta Tags. All of these have undergone extensive testing on both WinDoze and *nix servers. I have backwards developed the code to be PHP 4 compatible.
>
> In application_top.php where PHP_SELF is set ..
>
> ```php
> // set php_self in the local scope
>   if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
> ```
>
> Change to ..
>
> ```php
> /**
>  * Reliably set PHP_SELF as a filename .. platform safe
>  */
> function setPhpSelf() {
>   $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
>   foreach ( $base as $index => $key ) {
>     if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
>       if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
>         preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
>         if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) && ( substr( $matches[0], -4, 4 ) == '.php' ) && ( is_readable( $matches[0] ) ) ) {
>           return $matches[0];
>         }
>       }
>     }
>   }
>   return 'index.php';
> } // end method
> $PHP_SELF = setPhpSelf();
> ```

I need help. I made this change and now get the following error when I open my admin:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/catalog/public_html/admin/includes/application_top.php on line 37.

I put the original file back and now I get the same message saying line 36 has the error. This is what it is now:

```php
32. include(includes/version.php');
33.
34.
35. // set php_self in the local scope
36. $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
37.
38. // Used in the "Backup Manager" to compress backups
```

Info that could be relevant: I read recently that I should not use the file manager, so I attempted this in FileZilla, which I have never done before. I opened the file in Notepad and saved it to my computer. When I opened the Notepad file, the lines had been taken out and everything ran together. I then opened it in Notepad++ to see the line numbers and the whole file was in line 1. I don't remember what steps I took after that, but I got the lines back in order and am still getting the same error message. I have been searching this forum and others and can't seem to figure out what went wrong or what to do. Any help would be much appreciated.
Guest, posted September 17, 2010

> I need help. I made this change and now get the following error when I open my admin:
>
> Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/catalog/public_html/admin/includes/application_top.php on line 37.
>
> I put the original file back and now I get the same message saying line 36 has the error. This is what it is now:
>
> ```php
> 32. include(includes/version.php');
> 33.
> ```

Should be

```php
include('includes/version.php');
```
Guest, posted September 17, 2010

> Should be include('includes/version.php');

That did it, thank you so much! I know that I did not remove the ' from the original file, so I am confused as to why it was missing. Could Notepad++ have caused the problem? Should I use another editor or stick with the file manager?
Guest, posted September 17, 2010

> That did it, thank you so much! I know that I did not remove the ' from the original file, so I am confused as to why it was missing. Could Notepad++ have caused the problem? Should I use another editor or stick with the file manager?

I'm happy with Notepad++.
Guest, posted September 17, 2010

> I'm happy with Notepad++.

Thanks, I'll give it another try.
tigergirl, posted October 16, 2010

Having looked myself, I can assure baddog that multimixer is correct! The admin directory name can be seen in the message headers, and therefore changing it doesn't protect it from people who receive mails sent through admin.

I came across another thread proposing a fix and wondered if any of the PHP gurus could comment on it? Will it remove the offending admin name from email headers? X-PHP-Script fix

I'm feeling lucky today... maybe someone will answer my post! I do try and answer a simple post when I can, just to give something back. PM me? - I'm not for hire.
Mort-lemur, posted October 21, 2010

> I came across another thread proposing a fix and wondered if any of the PHP gurus could comment on it? Will it remove the offending admin name from email headers? X-PHP-Script fix

Like Tigergirl, I would like to know more about this as well - any views? Thanks

Now running on a fully modded, mobile friendly 2.3.4 store with the excellent MTS installed - see my profile for the mods installed. So much thanks for all the help given along the way by forum members.
imefisto, posted November 17, 2010

> If this code is in place in the correct ADMIN/includes/application_top.php then the hack will not work.

That's correct. It works well. Thank you very much! Regards!
zinor, posted February 23, 2011

Does anyone know how hackers could do damage through the previous way of setting $PHP_SELF?
kenkja, posted February 26, 2011

Hello all, I'm new to osC and have managed to deal with all of the issues in post 1 of the security forum in an osC v2.3.1 install, but I have to be honest, this thread, or actually the fixes, are a bit much for me to understand at the moment. So the first question is: is this an issue in v2.3.1?

Thanks, Ken

osCommerce v2.3.3, Security Pro v11, Site Monitor, IP Trap, htaccess Protection, Bad Behaviour Block, Year Make Model, Document Manager, X Sell, Star Product, Modular Front Page, Modular Header Tags
Xpajun, posted February 27, 2011

> Hello all, I'm new to osC and have managed to deal with all of the issues in post 1 of the security forum in an osC v2.3.1 install, but I have to be honest, this thread, or actually the fixes, are a bit much for me to understand at the moment. So the first question is: is this an issue in v2.3.1?
>
> Thanks, Ken

Ken, by reading the thread it wasn't an issue on the last release of 2.2, let alone 2.3 ;)

My store is currently running Phoenix 1.0.3.0. I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe). I used to have a list of add-ons here, but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.
zinor, posted March 4, 2011

Hello all, can anyone tell me why this topic was raised? I mean, how can they abuse and attack us with the previous kind of $PHP_SELF?
Taipo, posted March 7, 2011

The basis of the admin exploit in earlier versions of osCommerce stems from the way it used to try and set $PHP_SELF.

Since then there are several fixes that have come out; one is in the latest osC 2.3.1, as below:

```php
$PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);
```

Robert Fisher's function (FWR Media) also achieves the same outcome really well:

```php
/**
 * Reliably set PHP_SELF as a filename .. platform safe
 */
function setPhpSelf() {
  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
  foreach ( $base as $index => $key ) {
    if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
      if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
        preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
        if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) && ( substr( $matches[0], -4, 4 ) == '.php' ) && ( is_readable( $matches[0] ) ) ) {
          return $matches[0];
        }
      }
    }
  }
  return 'index.php';
} // end method
$PHP_SELF = setPhpSelf();
```

You can overwrite the PHP_SELF line in both application_top.php files with either of those; anything is better than what is currently in the earlier versions of osCommerce.

- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: new security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
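As an added example (not code from the thread, and not osCommerce's own code), the stand-alone PHP script below replays the admin redirect decision from admin/includes/application_top.php against two constructed $_SERVER arrays: a normal request for /admin/orders.php and the /admin/orders.php/login.php request modem2.0 tried. It puts the original basename($PHP_SELF) derivation side by side with the three fixes posted in this thread (spooks' basename($_SERVER['SCRIPT_NAME']), FWR Media's setPhpSelf() regex and the osC 2.3.1 one-liner Taipo quotes above) so the bypass is visible without a running shop. The array contents, the function names, and the omission of FWR's is_readable() check (so the script runs outside an admin/ directory) are assumptions made for the example.

```php
<?php
// Added example: replays osCommerce's admin "current page" check against
// constructed $_SERVER arrays. Not the project's code; names are illustrative.

// What Apache/mod_php populates for a plain request to /admin/orders.php.
$normal = array(
    'SCRIPT_NAME' => '/admin/orders.php',
    'PHP_SELF'    => '/admin/orders.php',
);

// The bypass request /admin/orders.php/login.php: the server still executes
// orders.php, the trailing "/login.php" becomes PATH_INFO, and PHP appends it
// to PHP_SELF, so basename() of PHP_SELF now says "login.php".
$bypass = array(
    'SCRIPT_NAME' => '/admin/orders.php',
    'PHP_SELF'    => '/admin/orders.php/login.php',
    'PATH_INFO'   => '/login.php',
);

// 1. Original derivation in older admin/includes/application_top.php (vulnerable).
function current_page_vulnerable(array $server) {
    $php_self = $server['PHP_SELF'];
    return basename($php_self);
}

// 2. spooks' fix: derive the filename from SCRIPT_NAME instead.
function current_page_script_name(array $server) {
    return basename($server['SCRIPT_NAME']);
}

// 3. FWR Media's approach: first "<name>.php" token in SCRIPT_NAME, then PHP_SELF.
//    The is_readable() test of the original function is left out here (assumption)
//    so that the example runs without the real admin scripts on disk.
function current_page_regex(array $server) {
    foreach (array('SCRIPT_NAME', 'PHP_SELF') as $key) {
        if (!empty($server[$key]) && preg_match('@[a-z0-9_]+\.php@i', $server[$key], $m)) {
            return $m[0];
        }
    }
    return 'index.php';
}

// 4. The osCommerce 2.3.1 one-liner, with the server array passed in.
//    Note it deliberately falls back to basename(PHP_SELF) when cgi.fix_pathinfo
//    is explicitly off or SCRIPT_NAME is missing.
function current_page_231(array $server) {
    $fix_pathinfo = ini_get('cgi.fix_pathinfo');
    $use_php_self = ((strlen($fix_pathinfo) > 0) && ((bool)$fix_pathinfo == false))
                 || !isset($server['SCRIPT_NAME']);
    return $use_php_self ? basename($server['PHP_SELF']) : basename($server['SCRIPT_NAME']);
}

// Mirror of the redirect decision: with no admin session, the only page that
// may be served without redirecting to the login page is login.php itself.
function admin_redirects(array $server, $derive) {
    $current_page = $derive($server);
    return $current_page != 'login.php';   // true = visitor is sent to login.php
}

$derivations = array('current_page_vulnerable', 'current_page_script_name',
                     'current_page_regex', 'current_page_231');
foreach ($derivations as $fn) {
    printf("%-25s normal: %-10s redirect=%-3s | bypass: %-10s redirect=%s\n",
        $fn,
        $fn($normal), admin_redirects($normal, $fn) ? 'yes' : 'no',
        $fn($bypass), admin_redirects($bypass, $fn) ? 'yes' : 'no');
}
```

Run it with the PHP CLI and the first row is the hole: the vulnerable derivation returns orders.php for the normal request but login.php for the bypass request, so the redirect is skipped and orders.php renders for an anonymous visitor. The other three rows return orders.php for both requests and redirect both. The lesson that generalises beyond osCommerce is the same one FWR stated in the thread: PHP_SELF carries attacker-supplied PATH_INFO, so it must never be used to decide which script is running; SCRIPT_NAME (or the first script filename extracted from it) is the value to compare against.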
Tom172, posted August 23, 2011

> This seems to be going on and on and deviating from what will stop the hack. The key hole was that PHP_SELF is unreliable and osCommerce does not check it as such. Very early on I mentioned that SCRIPT_NAME is a more reliable option .. and it is .. it is not truly transportable though, as SCRIPT_NAME can sometimes return the php-cgi binary.
>
> The following is code based on that used in Ultimate Seo Urls 5, Ultimate Seo Urls 5 PRO and KissMT Dynamic SEO Meta Tags. All of these have undergone extensive testing on both WinDoze and *nix servers. I have backwards developed the code to be PHP 4 compatible.
>
> In application_top.php where PHP_SELF is set ..
>
> ```php
> // set php_self in the local scope
>   if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
> ```
>
> Change to ..
>
> ```php
> /**
>  * Reliably set PHP_SELF as a filename .. platform safe
>  */
> function setPhpSelf() {
>   $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
>   foreach ( $base as $index => $key ) {
>     if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
>       if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
>         preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
>         if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) && ( substr( $matches[0], -4, 4 ) == '.php' ) && ( is_readable( $matches[0] ) ) ) {
>           return $matches[0];
>         }
>       }
>     }
>   }
>   return 'index.php';
> } // end method
> $PHP_SELF = setPhpSelf();
> ```

I read through the thread and am still confused, well actually even more confused than before :)

So, to make it simple: in catalog/includes/application_top.php I have ULTIMATE Seo Urls 5 PRO by FWR Media's code in place.

=> Question 1: that should do, right?

In admin/includes/application_top.php I have Taipo's osC_Sec code in place:

```php
// BOF 7834 OSC_SEC
// set php_self in the local scope
if( !isset( $PHP_SELF ) ) {
  if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
  $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
}
// EOF 7834 OSC_SEC
```

=> Question 2: that should cover it also, right?

Both questions refer to a 2.2rca shop.
Tom172, posted August 23, 2011

To make my point more clear: should I expect any unwanted result, as I use two different approaches to solve one problem?
Taipo, posted August 23, 2011

> in catalog/includes/application_top.php I have ULTIMATE Seo Urls 5 PRO by FWR Media's code in place.
>
> => Question 1: that should do, right?

To save the confusion, just use the code from osC_Sec to replace the $PHP_SELF code in both application_top.php files.

```php
// set php_self in the local scope
if( !isset( $PHP_SELF ) ) {
  if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
  $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
}
```

> should I expect any unwanted result, as I use two different approaches to solve one problem?

I believe there is an update to the Ultimate SEO URLs 5 code; the one above is a little out of date. But again, just use the adaptation of the RC3 code from osC_Sec.
Tom172, posted August 23, 2011

> To save the confusion, just use the code from osC_Sec to replace the $PHP_SELF code in both application_top.php files.

If I may add some extra confusion ;) now this part of catalog/includes/application_top.php looks like the following. It does work as far as I can see now, however one thing just looks strange to me: I have two replacements for the "// set php_self in the local scope" part, one by FWR and Ultimate SEO URLs PRO, and another from osC_Sec. Again, it looks like everything works ... just clicked around a bit for now.

```php
/// following section replaced for 7704 ultimate seo urls pro
// set php_self in the local scope
/** if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];**/
// End replacement

// BOF 7704 ultimate seo urls pro
/**
 * ULTIMATE Seo Urls 5 PRO by FWR Media
 * function to return the base filename
 */
function usu5_base_filename() {
  // Probably won't get past SCRIPT_NAME unless this is reporting cgi location
  $base = new ArrayIterator( array( 'SCRIPT_NAME', 'PHP_SELF', 'REQUEST_URI', 'ORIG_PATH_INFO', 'HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL' ) );
  while ( $base->valid() ) {
    if ( array_key_exists( $base->current(), $_SERVER ) && !empty( $_SERVER[$base->current()] ) ) {
      if ( false !== strpos( $_SERVER[$base->current()], '.php' ) ) {
        preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$base->current()], $matches );
        if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) && ( substr( $matches[0], -4, 4 ) == '.php' ) && ( is_readable( $matches[0] ) ) ) {
          return $matches[0];
        }
      }
    }
    $base->next();
  }
  // Some odd server set ups return / for SCRIPT_NAME and PHP_SELF when accessed as mysite.com (no index.php) where they usually return /index.php
  if ( ( $_SERVER['SCRIPT_NAME'] == '/' ) || ( $_SERVER['PHP_SELF'] == '/' ) ) {
    return 'index.php';
  }
  // Return the standard RC3 code
  return ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0) && ( (bool)ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $_SERVER['SCRIPT_NAME'] ) ) ? basename( $_SERVER['PHP_SELF'] ) : basename( $_SERVER['SCRIPT_NAME'] );
} // End function

// set php_self in the local scope
$PHP_SELF = usu5_base_filename();

// BOF 7834 OSC_SEC
// set php_self in the local scope
if( !isset( $PHP_SELF ) ) {
  if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
  $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
}
// EOF 7834 OSC_SEC
// EOF 7704 ultimate seo urls pro

// BOF 5752 Security Pro 2.0.7
```

Maybe that is how it should look. I don't know. It just looks a bit strange to someone who is usually only doing some copy and paste ;)
Taipo, posted August 23, 2011

It's a bit of a double up, but it will work fine. Be sure to at least have the following in your admin/includes/application_top.php file to replace the original faulty code.

```php
// set php_self in the local scope
if( !isset( $PHP_SELF ) ) {
  if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
  $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
}
```
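Several posters in this thread ask how the old $PHP_SELF handling could be abused and whether their fix took. Beyond the code review above, the practical check is the web server's access log: the bypass leaves a distinctive request shape, an admin script name followed by extra path info ("/admin/orders.php/login.php"). The script below is an added example, not code from the thread or from osCommerce or osC_Sec; it scans Apache combined-format log lines for that shape and reports whether each hit was served (HTTP 200) or redirected. The log lines are constructed for the example, the "/admin/" prefix is an assumption (use your renamed admin directory if you have one), and the parsing and function names are illustrative.

```php
<?php
// Added example (not from the thread): detect path-info style admin requests
// in Apache combined-format access log lines. Log lines below are constructed.

$lines = array(
  // Two attempts against an unpatched shop: orders and file manager served with 200.
  '203.0.113.5 - - [06/Apr/2010:10:15:32 +0000] "GET /admin/orders.php/login.php HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [06/Apr/2010:10:15:40 +0000] "GET /admin/file_manager.php/login.php HTTP/1.1" 200 9130 "-" "Mozilla/5.0"',
  // A legitimate visit to the login page: not path info, must not be flagged.
  '198.51.100.7 - - [06/Apr/2010:10:16:01 +0000] "GET /admin/login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
  // The same bypass attempt after the fix: the shop redirects to the login page.
  '198.51.100.7 - - [06/Apr/2010:10:16:05 +0000] "GET /admin/orders.php/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  // Ordinary catalog traffic.
  '192.0.2.9 - - [06/Apr/2010:10:17:11 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 20000 "-" "Mozilla/5.0"',
);

// Parse one combined-format line into the fields needed here; null if it does not match.
function parse_access_line($line) {
    $re = '@^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) ([^"\s]+) [^"]*" (\d{3}) @';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array('ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
                 'path' => $m[4], 'status' => (int)$m[5]);
}

// A request is suspicious when an admin script name is followed by more path
// (".php/<anything>"); that trailing part is what ends up in PHP_SELF.
// The query string, if any, is ignored.
function is_admin_pathinfo_request($path, $admin_dir = '/admin/') {
    $path = strtok($path, '?');
    if (strpos($path, $admin_dir) !== 0) {
        return false;
    }
    return preg_match('@\.php/.+@', $path) === 1;
}

// Return the flagged records. HTTP 200 on such a request means the admin
// script ran and rendered for the visitor; a redirect status (osCommerce's
// tep_redirect() sends a Location header, normally seen as 302) is what a
// fixed admin returns for an anonymous caller.
function find_bypass_attempts(array $lines) {
    $hits = array();
    foreach ($lines as $line) {
        $rec = parse_access_line($line);
        if ($rec === null || !is_admin_pathinfo_request($rec['path'])) {
            continue;
        }
        $rec['likely_bypassed'] = ($rec['status'] == 200);
        $hits[] = $rec;
    }
    return $hits;
}

foreach (find_bypass_attempts($lines) as $hit) {
    printf("%s %s %s %s -> HTTP %d %s\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['path'], $hit['status'],
        $hit['likely_bypassed'] ? '(served without login!)' : '(redirected)');
}
```

Run against a real log, feed it the file with file() instead of the constructed array. Three of the five constructed lines are reported: the two 200 responses from 203.0.113.5 are the ones worth investigating (orders viewed, file manager reached), while the 302 shows the fixed behaviour. The pattern only catches the literal "<script>.php/<more>" form; a request that reaches the admin scripts through a rewrite or an encoded slash would need its own rule, so treat this as a first pass, not a complete detector.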
Archived
This topic is now archived and is closed to further replies.