Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

PHP Intrusion Detection System for osCommerce


celextel

Recommended Posts

Hi,

 

I have installed the PHPIDS version 1.6, when I have finished

installation and can't entry in my website.

It display the next message:

"

This page is not redirecting properly

Firefox has detected that the server is redirecting the request to this address in a way that will never end.

This problem is sometimes caused by disabling or refusing the receipt of cookies.

"

When I set to False the option 'PHPIDS Module' I work fine.

That is, that I can go to my website.

Why?

 

Thanks!!

 

Rafa Alepuz

 

PHPIDS dies not do any redirection. Perhaps your server is not configured properly for executing certain requests of PHPIDS. Enable error reporting in your index file and see as to what error message you are getting. [refer to our earlier post]

Edited by celextel
Link to comment
Share on other sites

How do I enable error reporting?

In Firebug I do not get any error.

You can test, now. My website is http://www.quanamcosmetics.com

The PHPIDS Module is enabled.

Thanks!

 

 

Solved.

Documentation in the step D: Catalog( D:\Rafa\Webs\quanam\oscommerce\contribuciones\SEGURIDAD\PHPIDS_for_osCommerce_1_6\PHPIDS_for_osCommerce_1_6\Read_Me.htm ) there is an error. At the point 2, missing closing parenthesis while.

Bye! :)

Link to comment
Share on other sites

Is there a way to change the notification email address? Our set up has one manager for store/inventory info and another for admin/database functions.

 

Thanks

 

Find the following code in includes/modules/banned_ip.php file:

$mail_recipient = array(STORE_OWNER_EMAIL_ADDRESS, SEND_EXTRA_ORDER_EMAILS_TO);

You could modify this code either as:

$mail_recipient = STORE_OWNER_EMAIL_ADDRESS;

or as:

$mail_recipient = SEND_EXTRA_ORDER_EMAILS_TO;

as required by you.

Link to comment
Share on other sites

Find the following code in includes/modules/banned_ip.php file:

$mail_recipient = array(STORE_OWNER_EMAIL_ADDRESS, SEND_EXTRA_ORDER_EMAILS_TO);

You could modify this code either as:

$mail_recipient = STORE_OWNER_EMAIL_ADDRESS;

or as:

$mail_recipient = SEND_EXTRA_ORDER_EMAILS_TO;

as required by you.

 

I could not find the code you specified in the banned_ip.php file, but did see it in the osc_phpids.php file.

 

I made the changes to that file and all works as expected.

 

Thanks for your time and information.

Link to comment
Share on other sites

I could not find the code you specified in the banned_ip.php file, but did see it in the osc_phpids.php file.

 

I made the changes to that file and all works as expected.

 

Thanks for your time and information.

 

Sorry, we meant osc_phpids.php file. By mistake we had mentioned as banned_ip.php.

 

Thanks.

Link to comment
Share on other sites

Seems we have it installed fine but when we test with:

?id=1&test=">XXX

we get the proper result at the top of the page

but when we test with:

?test="><script>eval(window.name)</script>

we get nothing at all at the top of the page (otherwise page looks normal and unchanged)

 

This is in chrome and firefox, in internet explorer we get the correct result on the first and on the second we get "modified page to prevent cross scripting attacks"

 

Could you please tell us why this second test in your instructions is not getting the said results?, thank you

Link to comment
Share on other sites

Seems we have it installed fine but when we test with:

?id=1&test=">XXX

we get the proper result at the top of the page

but when we test with:

?test="><script>eval(window.name)</script>

we get nothing at all at the top of the page (otherwise page looks normal and unchanged)

 

This is in chrome and firefox, in internet explorer we get the correct result on the first and on the second we get "modified page to prevent cross scripting attacks"

 

Could you please tell us why this second test in your instructions is not getting the said results?, thank you

 

Enable error reporting in your index file and see as to what error message you are getting.

 

If you get the following error message:

Exception: PDOException: could not find driver

 

Then PDO driver file is missing in the configuration. You have to request the web hosting provider to enable this.

 

Info regarding this are at the following URL:

http://forum.php-ids.org/comments.php?DiscussionID=284

http://dev.mysql.com/tech-resources/articles/mysql-pdo.html

Link to comment
Share on other sites

  • 2 weeks later...

Can you shed some light on this please.

 

I have installed and everything is running fine. If i try an attack the site I get redirected to the banned page and my IP is logged and blocked.

 

For some reason when I see people hit the banned page in the log their IP is never blocked. For example you can see this person browsing the toys section then they get redirected to the banned page. Their IP is not in the banned log

 

82.68.80.163 12 2010-12-04 21:13:20 REQUEST.CoreM_State 62~-1~-1~-1~-1~3~3~5~3~3~7~7~|~826AE09E~|~~|~~|~0|||||| /catalog/toys/

82.68.80.163 7 2010-12-04 21:13:20 REQUEST.s_sess s_cc=true; s_refresh=NGXO%3ARYP; s_sq=paypalglobal%3D%2526pid%253DNGXO%25253ARYP%2526pidt%253D1%2526oid%253DContinue%2526oidt%253D3%2526ot%253DSUBMIT; /catalog/toys

82.68.80.163 12 2010-12-04 21:13:20 COOKIE.CoreM_State 62~-1~-1~-1~-1~3~3~5~3~3~7~7~|~826AE09E~|~~|~~|~0|||||| /catalog/toys/

82.68.80.163 7 2010-12-04 21:13:20 COOKIE.s_sess s_cc=true; s_refresh=NGXO%3ARYP; s_sq=paypalglobal%3D%2526pid%253DNGXO%25253ARYP%2526pidt%253D1%2526oid%253DContinue%2526oidt%253D3%2526ot%253DSUBMIT; /catalog/toys/

82.68.80.163 5 2010-12-04 21:13:50 REQUEST.s_pers s_favsn_paypalglobal_1=2782966209980|1587930315487; gpv_pn=www.dell.co.uk/|1285416012293; /catalog/banned.php

82.68.80.163 12 2010-12-04 21:13:50 REQUEST.CoreM_State 62~-1~-1~-1~-1~3~3~5~3~3~7~7~|~826AE09E~|~~|~~|~0|||||| /catalog/banned.php

82.68.80.163 7 2010-12-04 21:13:50 REQUEST.s_sess s_cc=true; s_refresh=NGXO%3ARYP; s_sq=paypalglobal%3D%2526pid%253DNGXO%25253ARYP%2526pidt%253D1%2526oid%253DContinue%2526oidt%253D3%2526ot%253DSUBMIT; /catalog/banned.php

82.68.80.163 12 2010-12-04 21:13:50 COOKIE.CoreM_State 62~-1~-1~-1~-1~3~3~5~3~3~7~7~|~826AE09E~|~~|~~|~0|||||| /catalog/banned.php

82.68.80.163 7 2010-12-04 21:13:50 COOKIE.s_sess s_cc=true; s_refresh=NGXO%3ARYP; s_sq=paypalglobal%3D%2526pid%253DNGXO%25253ARYP%2526pidt%253D1%2526oid%253DContinue%2526oidt%253D3%2526ot%253DSUBMIT; /catalog/banned.php

82.68.80.163 5 2010-12-04 21:13:50 REQUEST.s_pers s_favsn_paypalglobal_1=2782966209980|1587930315487; gpv_pn=www.dell.co.uk/|1285416012293; /catalog/banned.php

82.68.80.163 12 2010-12-04 21:13:50 REQUEST.CoreM_State 62~-1~-1~-1~-1~3~3~5~3~3~7~7~|~826AE09E~|~~|~~|~0|||||| /catalog/banned.php

 

Are they side stepping the IP block somehow.

 

Thanks

Gary

Link to comment
Share on other sites

Can you shed some light on this please.

 

I have installed and everything is running fine. If i try an attack the site I get redirected to the banned page and my IP is logged and blocked.

 

For some reason when I see people hit the banned page in the log their IP is never blocked. For example you can see this person browsing the toys section then they get redirected to the banned page. Their IP is not in the banned log

 

Are they side stepping the IP block somehow.

 

Thanks

Gary

 

We have also noticed this. Some IPs are not logged under banned IPs. We do not know the reason for this. We could ban them by entering those IPs.

Link to comment
Share on other sites

We have also noticed this. Some IPs are not logged under banned IPs. We do not know the reason for this. We could ban them by entering those IPs.

 

Do you think it could be down to trying to grab the IP by using the Oscommerce tep_get_ip_address() function. If its an automated script or something clever to try and hide who they are do you think something simpler like this may be better at catching the IP

 

$ip_2ban_address = $_SERVER['REMOTE_ADDR'];

 

Cheers

Gary

Link to comment
Share on other sites

Hi Celextel,

 

Hope all is excellent with you and Thank You for the high quality

approach to this aspect of website protection.

 

using localhost, xxamp, php5.3, PHPIDS v1.6 and phpids-0.6.5

 

prior to installing PHPIDS v1.6 was using IP trap and XSS shield

as well as Security Pro which was moved as per the instructions

have removed IP trap code from Catalog/includes/application_top.php

and commented out XSS shield code in .htaccess

 

with installation completed

the results of test 1

(http://www.localdev.com/public_html/?id=1&test=%22%3EXXX)

 

Total impact: 94

Affected tags: xss, csrf, id, rfe, lfi, sqli

 

Variable: REQUEST.test | Value: ">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: REQUEST.cart | Value: a:1:{i:13;a:1:{s:3:"qty";i:1;}}

Impact: 12 | Tags: xss, csrf, id, rfe, lfi

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Variable: REQUEST.wish | Value: a:1:{s:9:"1{4}2{3}5";a:2:{i:0;s:9:"1{4}2{3}5";s:10:"attributes";a:2:{i:4;s:1:"2";i:3;s:1:"5";}}}

Impact: 18 | Tags: xss, csrf, sqli, id, lfi, rfe

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: COOKIE.cart | Value: a:1:{i:13;a:1:{s:3:\"qty\";i:1;}}

Impact: 25 | Tags: xss, csrf, sqli, id, lfi, rfe

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42

Description: Detects basic SQL authentication bypass attempts 3/3 | Tags: sqli, id, lfi | ID: 46

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Variable: COOKIE.wish | Value: a:1:{s:9:\"1{4}2{3}5\";a:2:{i:0;s:9:\"1{4}2{3}5\";s:10:\"attributes\";a:2:{i:4;s:1:\"2\";i:3;s:1:\"5\";}}}

Impact: 31 | Tags: xss, csrf, sqli, id, lfi, rfe

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42

Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Description: Detects basic SQL authentication bypass attempts 3/3 | Tags: sqli, id, lfi | ID: 46

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Centrifuge detection data

Threshold: 3.49

Ratio: 2.2708333333333

 

upon setting admin/configuration - Show Intrusion Result to False

(http://www.localdev.com/public_html/index.php)

 

Result:

The page isn't redirecting properly

 

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

* This problem can sometimes be caused by disabling or refusing to accept

cookies.

 

for what's it's worth

I have found that by removing catalog/includes/modules/banned_ip.php

(yes I know it defeats the purpose but troubleshooting to isolate the point where it goes belly up)

 

it redirects to

(http://www.localdev.com/public_html/banned.php)

 

Page Display:

Banned

Your IP Address, 127.0.0.1 has been reported for site violations.

 

If you feel you have reached this page in error, please Contact Us and provide your IP Address.

------ end of page display ------------

 

Does any of this suggest a cause and solution?

 

Thanks for any helpful feedback,

jk

Link to comment
Share on other sites

Do you think it could be down to trying to grab the IP by using the Oscommerce tep_get_ip_address() function. If its an automated script or something clever to try and hide who they are do you think something simpler like this may be better at catching the IP

 

$ip_2ban_address = $_SERVER['REMOTE_ADDR'];

 

Cheers

Gary

 

We have not done much modification to banned.php as that contribution is of someone else. Your following suggestion seems to be a better option:

$ip_2ban_address = $_SERVER['REMOTE_ADDR'];

in lieu of

$ip_2ban_address = tep_get_ip_address();

We would also use this modified code in our websites. Hope this solves that issue. Thanks for your suggestion.

Link to comment
Share on other sites

Hi Celextel,

 

Hope all is excellent with you and Thank You for the high quality

approach to this aspect of website protection.

 

using localhost, xxamp, php5.3, PHPIDS v1.6 and phpids-0.6.5

 

prior to installing PHPIDS v1.6 was using IP trap and XSS shield

as well as Security Pro which was moved as per the instructions

have removed IP trap code from Catalog/includes/application_top.php

and commented out XSS shield code in .htaccess

 

with installation completed

the results of test 1

(http://www.localdev.com/public_html/?id=1&test=%22%3EXXX)

 

Total impact: 94

Affected tags: xss, csrf, id, rfe, lfi, sqli

 

Variable: REQUEST.test | Value: ">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: REQUEST.cart | Value: a:1:{i:13;a:1:{s:3:"qty";i:1;}}

Impact: 12 | Tags: xss, csrf, id, rfe, lfi

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Variable: REQUEST.wish | Value: a:1:{s:9:"1{4}2{3}5";a:2:{i:0;s:9:"1{4}2{3}5";s:10:"attributes";a:2:{i:4;s:1:"2";i:3;s:1:"5";}}}

Impact: 18 | Tags: xss, csrf, sqli, id, lfi, rfe

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: COOKIE.cart | Value: a:1:{i:13;a:1:{s:3:\"qty\";i:1;}}

Impact: 25 | Tags: xss, csrf, sqli, id, lfi, rfe

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42

Description: Detects basic SQL authentication bypass attempts 3/3 | Tags: sqli, id, lfi | ID: 46

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Variable: COOKIE.wish | Value: a:1:{s:9:\"1{4}2{3}5\";a:2:{i:0;s:9:\"1{4}2{3}5\";s:10:\"attributes\";a:2:{i:4;s:1:\"2\";i:3;s:1:\"5\";}}}

Impact: 31 | Tags: xss, csrf, sqli, id, lfi, rfe

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects classic SQL injection probings 1/2 | Tags: sqli, id, lfi | ID: 42

Description: Detects classic SQL injection probings 2/2 | Tags: sqli, id, lfi | ID: 43

Description: Detects basic SQL authentication bypass attempts 3/3 | Tags: sqli, id, lfi | ID: 46

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Centrifuge detection data

Threshold: 3.49

Ratio: 2.2708333333333

 

upon setting admin/configuration - Show Intrusion Result to False

(http://www.localdev.com/public_html/index.php)

 

Result:

The page isn't redirecting properly

 

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

* This problem can sometimes be caused by disabling or refusing to accept

cookies.

 

for what's it's worth

I have found that by removing catalog/includes/modules/banned_ip.php

(yes I know it defeats the purpose but troubleshooting to isolate the point where it goes belly up)

 

it redirects to

(http://www.localdev.com/public_html/banned.php)

 

Page Display:

Banned

Your IP Address, 127.0.0.1 has been reported for site violations.

 

If you feel you have reached this page in error, please Contact Us and provide your IP Address.

------ end of page display ------------

 

Does any of this suggest a cause and solution?

 

Thanks for any helpful feedback,

jk

 

We have not tested this in the localhost. Please test this in a web server where you have your osCommerce.

 

Test-1 result shown by you is different from the one shown by us. Try without public_html/ in the URL.

 

We do not see the REQUEST.cart, REQUEST.wish, COOKIE.cart and COOKIE.wish values in our tests.

Link to comment
Share on other sites

We have not tested this in the localhost. Please test this in a web server where you have your osCommerce.

 

Test-1 result shown by you is different from the one shown by us. Try without public_html/ in the URL.

 

We do not see the REQUEST.cart, REQUEST.wish, COOKIE.cart and COOKIE.wish values in our tests.

 

Hi Celextel,

 

Thanks for your response. REQUEST.cart and REQUEST.wish are likely part of 2 contributions,

5368 Request Product Info V 1.2 and 1682 Wishlist v5.

 

Results of tests on hosted site:

 

1. http://www.jkafka.com/?id=1&test=%22%3EXXX

(after removing items from cart and wishlist)

Page displays this code at top with the homepage below:

 

Total impact: 32

Affected tags: xss, csrf, id, rfe, lfi

 

Variable: REQUEST.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: REQUEST.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}

Impact: 12 | Tags: xss, csrf, id, rfe, lfi

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: COOKIE.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}

Impact: 12 | Tags: xss, csrf, id, rfe, lfi

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Centrifuge detection data

Threshold: 3.49

Ratio: 3.1428571428571

=================================================

 

2. http://www.jkafka.com/faq.php

Page displays this code at top with the faq page below:

Total impact: 24

Affected tags: xss, csrf, id, rfe, lfi

 

Variable: REQUEST.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}

Impact: 12 | Tags: xss, csrf, id, rfe, lfi

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Variable: COOKIE.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}

Impact: 12 | Tags: xss, csrf, id, rfe, lfi

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Centrifuge detection data

Threshold: 3.49

Ratio: 3.1428571428571

===========================================

 

3. http://www.jkafka.com/product_info.php?cPath=13&products_id=8

Page displays this code ON LEFT but NO Product Info Page

Total impact: 24

Affected tags: xss, csrf, id, rfe, lfi

 

Variable: REQUEST.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}

Impact: 12 | Tags: xss, csrf, id, rfe, lfi

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Variable: COOKIE.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}

Impact: 12 | Tags: xss, csrf, id, rfe, lfi

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Centrifuge detection data

Threshold: 3.49

Ratio: 3.1428571428571

==========================================

 

4. http://www.jkafka.com/hewlett-packard-laserjet-1100xi-p-27.html

Page displays this code at top with the product info page below:

Total impact: 24

Affected tags: xss, csrf, id, rfe, lfi

 

Variable: REQUEST.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}

Impact: 12 | Tags: xss, csrf, id, rfe, lfi

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Variable: COOKIE.cart | Value: a:1:{i:27;a:1:{s:3:\"qty\";i:1;}}

Impact: 12 | Tags: xss, csrf, id, rfe, lfi

Description: Detects self-executing JavaScript functions | Tags: xss, csrf | ID: 8

Description: Detects unknown attack vectors based on PHPIDS Centrifuge detection | Tags: xss, csrf, id, rfe, lfi | ID: 67

 

Centrifuge detection data

Threshold: 3.49

Ratio: 3.1428571428571

=====================================

 

With Show Intrusion Result false

Pages display EXCEPT when clicking on products in categories menu like

http://www.jkafka.com/product_info.php?cPath=13&products_id=8

which displays a blank page

However clicking on a product image

http://www.jkafka.com/youve-got-mail-p-7.html

DOES produce the product info page

 

Lastly trying to add a product to the cart:

http://www.jkafka.com/youve-got-mail-p-7.html?action=add_product

produces a blank page

 

Hope this provides enough info to identify the snafu.

Thank you for your patience and expertise.

jk

Link to comment
Share on other sites

Hi Celextel,

 

Thanks for your response. REQUEST.cart and REQUEST.wish are likely part of 2 contributions,

5368 Request Product Info V 1.2 and 1682 Wishlist v5.

 

Add the following values under exclusions and then do the tests again:

REQUEST.cart

REQUEST.wish

COOKIE.cart

COOKIE.wish

 

To find out as to why you are getting a blank page, enable error reporting in those files [index file or so] and see as to what error message you are getting.

Link to comment
Share on other sites

Add the following values under exclusions and then do the tests again:

REQUEST.cart

REQUEST.wish

COOKIE.cart

COOKIE.wish

 

To find out as to why you are getting a blank page, enable error reporting in those files [index file or so] and see as to what error message you are getting.

 

 

Hi,

 

Thanks for replying.

 

Ok, tried adding those to exclusions yesterday with localhost

just to let you know I went through the instructions

 

Anyway here are the exclusions on hosted site admin

in case something is missing or in an improper order

REQUEST.__utmz, COOKIE.__utmz, REQUEST.custom, POST.custom, REQUEST.osCsid, COOKIE.osCsid, REQUEST.verify_sign, POST.verify_sign, REQUEST.s_pers, COOKIE.s_pers, REQUEST.enquiry, POST.enquiry, REQUEST.cart, REQUEST.wish, COOKIE.cart, COOKIE.wish

 

added this to index.php:

// DEBUGGING

error_reporting(E_ALL);

// DEBUGGING

echo '<pre>';

// DEBUGGING

print_r($_REQUEST);

// DEBUGGING

echo '</pre>';

ini_set('display_errors',1);

 

Test 1

Result on home page:

Array

(

[id] => 1

[test] => \">XXX

[cookie_test] => ThankYou

[osCsid] => a long string

[osC_AutoCookieLogin] => a long string

[wish] => a:0:{}

)

 

Total impact: 8

Affected tags: xss, csrf

 

Variable: REQUEST.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Home page underneath

===============================

Test 1 with faq.php

Total impact: 8

Affected tags: xss, csrf

 

Variable: REQUEST.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

FAQ Page underneath

==================================

Test 1 with click on category menu - Hardware

Array

(

[cPath] => 1

[id] => 1

[test] => \">XXX

[cookie_test] => ThankYou

[osCsid] => a long string

[osC_AutoCookieLogin] => a long string

[wish] => a:0:{}

)

 

Total impact: 8

Affected tags: xss, csrf

 

Variable: REQUEST.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

===============================

 

Finally

just clicking on a product in the category menu

Blank page

in this case the URL ends with

product_info.php?cPath=10&products_id=9

 

I wonder if its related to this line the htaccess

RewriteRule ^(.*)-p-([0-9]+).html$ product_info.php?products_id=$2&%{QUERY_STRING}

 

Thanks again for your suggestions

jk

Link to comment
Share on other sites

Hi,

 

Thanks for replying.

 

Ok, tried adding those to exclusions yesterday with localhost

just to let you know I went through the instructions

 

I wonder if its related to this line the htaccess

RewriteRule ^(.*)-p-([0-9]+).html$ product_info.php?products_id=$2&%{QUERY_STRING}

 

Thanks again for your suggestions

jk

 

Exclusions are in order.

 

You could change the following code:

RewriteRule ^(.*)-p-([0-9]+).html$ product_info.php?products_id=$2&%{QUERY_STRING}

to

RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING}

and then try.

 

If you still have problem, you have to enable error reporting in product_info.php and then find out as to what is wrong.

 

Remove error reporting codes after checking.

Link to comment
Share on other sites

additional testing

trying to add to cart

URL ends with

dvd-movies-action-c-3_10.html?action=add_product&sort=3a&test=XXX&id=1

 

Result:

Array

(

[cPath] => 3_10

[action] => add_product

[sort] => 3a

[test] => XXX

[id] => 1

[cart_quantity] => 1

[products_id] => 11

[x] => 46

[y] => 12

[cookie_test] => ThankYou

[osCsid] => long string

[osC_AutoCookieLogin] => long string

[wish] => a:0:{}

)

 

Nothing else on Page besides that

product not added to cart

 

using rc2a if that is relevant

 

when clicking on a product image

URL ending with

/fire-down-below-p-11.html?id=1&test=">XXX

 

Result:

Total impact: 8

Affected tags: xss, csrf

 

Variable: REQUEST.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Product Info Displays below

 

seems like the only times not working are when URL ends in:

1. /product_info.php?cPath=13&products_id=8 (any number for cPath and products_id)

2. /fire-down-below-p-11.html?action=add_product (any product not just that one)

 

hope this will at least narrow it down

jk

Link to comment
Share on other sites

more info...

URL ending in:

product_info.php?cPath=12&products_id=7&id=1&test=">XXX

 

Result: (white page)

Total impact: 8

Affected tags: xss, csrf

 

Variable: REQUEST.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

the reason the page is otherwise blank is because it doesn't return

to product_info.php

after the

require application_top.php;

otherwise it would have printed out this debugging array

// DEBUGGING

error_reporting(E_ALL);

// DEBUGGING

echo '<pre>';

// DEBUGGING

print_r($_REQUEST);

// DEBUGGING

echo '</pre>';

ini_set('display_errors',1);

 

which was immediately after the require

prior to moving it below the require

the debugging array was above it and displayed:

Array

(

[cPath] => 12

[products_id] => 7

[id] => 1

[test] => \">XXX

[cookie_test] => ThankYou

[osCsid] => long string

[osC_AutoCookieLogin] => long string

[wish] => a:1:{i:7;a:1:{i:0;s:1:\"7\";}}

[cart] => a:1:{i:11;a:1:{s:3:\"qty\";i:1;}}

)

 

Total impact: 8

Affected tags: xss, csrf

 

Variable: REQUEST.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

 

Variable: GET.test | Value: \">XXX

Impact: 4 | Tags: xss, csrf

Description: finds html breaking injections including whitespace attacks | Tags: xss, csrf | ID: 1

===============================

 

doesn't appear to show any errors

next stop - application_top

 

jk

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...