celextel

PHP Intrusion Detection System for osCommerce

263 posts in this topic

Good evening. I've installed a clean (not upgrading) version of 1.7 for osc 2.3.1 this afternoon. With both test urls:

 

http://www.siteurl.com/&test=%22%3EXXX and

http://www.siteurl.com/?test="><script>eval(window.name)</script>

 

I receive the following:

403 Forbidden

 

You don't have permission to access / on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

  • If I remove the portion after the .com, the test site loads / functions properly.
  • The database tables have been created properly and are viewable from Php Admin.
  • I've gone through the install manual twice to verify placement of the files and code within the modified files.
  • I can add myself (ip from the Who's Online) and ban myself, and then receive the email successfully (using the contact form only).
  • Nothing is logged to the PHPIDS Log report however. Should it be when manually banning an IP?
  • The host is HostGator. Server running php 5.2.17 with PDO enabled (viewed from previous posts)
  • This is a new test site where I have been adding contributions to have as a 'master' for upgrading / creating other sites.

Is this a hosting issue? Thank you for any light anyone can shed on this. Jim


Suggestion:

 

file: banned_ip.php

code:

$ip_check = tep_get_ip_address();

Since tep_get_ip_address() can allow either the values of the HTTP_X_FORWARDED_FOR or HTTP_CLIENT_IP header (if set) to be the ip address ahead of the dependable REMOTE_ADDR, and because it is possible to spoof both of those headers, it might be better to stick with REMOTE_ADDR as the ip address to check for banned IPs in the db. That would also be consistent with the fact that REMOTE_ADDR is used as the ip address that is banned in the banned.php file.

 

I know that where the webserver is a part of a cluster configuration, this can also cause false IP addresses to be banned. If, however, you depend on tep_get_ip_address() to check IPs in the db, that may allow for this addon to be completely bypassed if an attacker got to thinking about sending spoofed HTTP_X_FORWARDED or HTTP_CLIENT_IP ip addresses with their attacks.

 

code suggestion:

$ip_check = ( false !== isset( $_SERVER ) ) ? $_SERVER[ "REMOTE_ADDR" ] : getenv( "REMOTE_ADDR" );

 

Or more simply:

$ip_check = $_SERVER[ "REMOTE_ADDR" ];

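The suggestion in the post above, extended to the cluster case it mentions, as an added example that is not part of the original post or of the addon: REMOTE_ADDR is always used unless the TCP peer is a proxy the site operates, and only then is the forwarded header read. The function name resolve_client_ip(), the $trusted_proxies list and all addresses are assumptions made for illustration; the same function would have to be used both when writing a ban and when checking one.

```php
<?php
// Added example. resolve_client_ip() and $trusted_proxies are hypothetical
// names; the addresses below are constructed (documentation ranges).

/**
 * Return the address to use for ban checks.
 * Client-supplied headers are honoured only when the request really
 * arrived from one of our own proxies.
 */
function resolve_client_ip(array $server, array $trusted_proxies)
{
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // Direct connection, or a peer we do not control: any forwarding
    // header was written by the client, so it is ignored entirely.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }
    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }

    // Each proxy appends the address it saw, so walk the list from the
    // right and stop at the first hop that is not one of our proxies.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed header: fall back to the TCP peer
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

$proxies = array('192.0.2.10'); // constructed address of our own load balancer

// Case 1: client connects directly and sends a forged header.
$direct = array('REMOTE_ADDR' => '203.0.113.7',
                'HTTP_X_FORWARDED_FOR' => '198.51.100.1');
// Case 2: request arrives through our proxy; the client prepended a forged
// entry, and the proxy appended the address it actually saw.
$proxied = array('REMOTE_ADDR' => '192.0.2.10',
                 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7');

echo 'direct:  ', resolve_client_ip($direct, $proxies), "\n";
echo 'proxied: ', resolve_client_ip($proxied, $proxies), "\n";
```

In both cases the forged left-most entry is never chosen as the address to ban or to look up.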

2. Unzip the zipped file and rename "phpids-0.6.4" directory as "phpids".

 

3. Make sure that this renamed directory has the following directories directly in it:

docs

lib

tests

 

 

None of these files are in any of the packages


Maybe if it said create these 3 directories in ........

 

Cheers

 

G


What it says is to:

1. Download "PHPIDS 0.6.3.1 (ZIP)" or the latest version at:

http://php-ids.org/downloads/

 

2. Unzip the zipped file and rename "phpids-0.6.3.1" directory as "phpids".

 

3. Make sure that this renamed directory has the following directories directly in it:

docs

lib

nbproject

tests

 

This site cannot be reached. If you have to go somewhere else to get these that are not in the packages, then it is not a complete package and should state that in the package downloads instead of saying (this is a complete package).


Getting this error: 1.6 installed with latest phpids 7.0 installed

Fatal error: Call to a member function bindParam() on a non-object in /home/xx/public_html/xxx/includes/phpids/lib/IDS/Log/Database.php on line 272


Can't get wishlist.php to work because POST.prod_link and REQUEST.prod_link are being detected as xss attacks:

 

 

Affected tags: xss csrf

Affected parameters: REQUEST.prod_link.0=http%3A%2F%2Fwww.domain.com%2Fstore%2Fproduct_info.php%3Fproducts_id%3D367%7B1%7D2, POST.prod_link.0=http%3A%2F%2Fwww.domain.com%2Fstore%2Fproduct_info.php%3Fproducts_id%3D367%7B1%7D2,

Request URI: /store/wishlist.php

 

I added REQUEST.prod_link and POST.prod_link to the exclusion list with no luck.

 

If I have a number of items on wishlist, the total impact bans me... Any ideas?


Hello, good evening

 

I'm trying to install a clean (not upgrading) version of 1.7 for osc 2.2rc2a.

 

At “Step-B: Admin” point 5 states:

 

Find the following code in admin/includes/boxes/tools.php file:

 

array(
'code' => FILENAME_ACTION_RECORDER,
'title' => BOX_TOOLS_ACTION_RECORDER,
'link' => tep_href_link(FILENAME_ACTION_RECORDER)
),

 

Though that array is not in my “tools.php” file. The whole content of my file is:

 

<?php
/*
  $Id: tools.php 1739 2007-12-20 00:52:16Z hpdl $
  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com
  Copyright © 2002 osCommerce
  Released under the GNU General Public License
*/
?>
<!-- tools //-->
<tr>
<td>
<?php
$heading = array();
$contents = array();
$heading[] = array('text' => BOX_HEADING_TOOLS,
                   'link' => tep_href_link(FILENAME_BACKUP, 'selected_box=tools'));
if ($selected_box == 'tools') {
  $contents[] = array('text' => '<a href="' . tep_href_link(FILENAME_BACKUP) . '" class="menuBoxContentLink">' . BOX_TOOLS_BACKUP . '</a><br>' .
                                '<a href="' . tep_href_link(FILENAME_BANNER_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_BANNER_MANAGER . '</a><br>' .
                                '<a href="' . tep_href_link(FILENAME_CACHE) . '" class="menuBoxContentLink">' . BOX_TOOLS_CACHE . '</a><br>' .
                                '<a href="' . tep_href_link(FILENAME_DEFINE_LANGUAGE) . '" class="menuBoxContentLink">' . BOX_TOOLS_DEFINE_LANGUAGE . '</a><br>' .
                                '<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .
                                '<a href="' . tep_href_link(FILENAME_MAIL) . '" class="menuBoxContentLink">' . BOX_TOOLS_MAIL . '</a><br>' .
                                '<a href="' . tep_href_link(FILENAME_NEWSLETTERS) . '" class="menuBoxContentLink">' . BOX_TOOLS_NEWSLETTER_MANAGER . '</a><br>' .
                                '<a href="' . tep_href_link(FILENAME_SERVER_INFO) . '" class="menuBoxContentLink">' . BOX_TOOLS_SERVER_INFO . '</a><br>' .
                                '<a href="' . tep_href_link('csv_import.php') . '" class="menuBoxContentLink">Importar CSV de Excel/OOCalc</a><br>' .
                                '<a href="' . tep_href_link(FILENAME_WHOS_ONLINE) . '" class="menuBoxContentLink">' . BOX_TOOLS_WHOS_ONLINE . '</a>');
}
$box = new box;
echo $box->menuBox($heading, $contents);
?>
</td>
</tr>
<!-- tools_eof //-->

 

Please, can anyone tell me where to insert the following required code, or if some code is missing in my file?

The code to insert is:

 

array(
'code' => FILENAME_PHPIDS,
'title' => BOX_TOOLS_PHPIDS,
'link' => tep_href_link(FILENAME_PHPIDS)
),
array(
'code' => FILENAME_BANNED_IP,
'title' => BOX_TOOLS_BANNED_IP,
'link' => tep_href_link(FILENAME_BANNED_IP)
),

 

Thank you for any help you can give me.

Angel Barros


Hi

 

Just add a line after

 

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .

 

and change the words in capitals to those for the contribution you are trying to add.

 

HTH

 

G


Hi, let me apologise first in case this problem has already been posted, but it's late now and I can't find anything similar.

 

I am hoping you can help me with this error :-

 

1146 - Table 'a4993375_msc.TABLE_BANNED_IP' doesn't exist

 

select ip_address from TABLE_BANNED_IP where ip_status='0'

 

[TEP STOP]

 

when I try to access the shop, http://mywebsite/catalog/index.php. This occurred when trying the test http://mywebsite/catalog/index.php.?id=1&test=">XXX. Prior to this test I could access the site easily.

 

I am running oscommerce 2.3.1 on win xp64 with phpids 1.7 installed. Given that I am fairly new to php, can you point me to where I have gone wrong? There are no entries in the PHPIDS log and no entries in the banned IP section.

Edited by DougieMac


Ok, fresh look at the forum this morning and I found the solution. Doh! Apologies.


Hello,

 

I'm building a new shop using oscommerce 2.3.1 and I added this contrib, but when I do the 2 suggested tests I get the following error:

 

Exception: PDOException: SQLSTATE[28000] [1045] Access denied for user 'root'@'localhost' (using password: NO)

I'm building it on my windows PC using WAMP, so I'm wondering if this is the problem...

 

I have it running correctly on my old oscommerce 2.2 shop...

 

Any idea?


I found the issue of my problem... My Wamp MySQL server is not running on the default port, and the script is not using the OSC configuration. Once I changed the port on osc_phpids.php in the modules folder it worked flawlessly.


Hi,

 

I'm having this contribution installed, and I'm also using the contribution customer Must Accept Terms and Conditions (MATC) http://addons.oscommerce.com/info/5750

But now I have lots of entries in the table PHPIDS Log related to REQUEST.conditions and POST.conditions in the create_account.php file and with all the conditions written.

 

Is there a way to fix this?


Anyone??


Hi,

I have just discovered that my installation of phpids was causing a problem with my PayPal IPN notifications. Sometimes they were getting sent, sometimes not, and checking the error logs on the server for PayPal's IPN notification URL (173.0.81.1) I found

 

[Wed May 23 06:18:54 2012] [error] [client 173.0.81.1] PHP Fatal error: Class 'PDO' not found in /home/****/public_html/includes/phpids/lib/IDS/Log/Database.php on line 172

 

I have disabled phpids for a while and ipn notifications are now ok. I use paypal standard module for payments.

 

I see there is an option in admin phpids for variable exclusions, and I am thinking that maybe there is something I can enter there that might stop phpids blocking PayPal IPNs. The IPN notification script in my oscommerce is at /ext/modules/payment/paypal/standard_ipn.php

 

I could post that page if someone may be able to tell me whether there is a variable there I could exclude? What do you think?


Did you ever get this fixed?

Never.

 

But now I also have the PDO issue in the create account...

Edited by modem2.0


Hi there,

 

I had installed this addon, till step E Test, TEST-1, I got a warning as below:

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /includes/modules/osc_phpids.php:199) in /includes/functions/sessions.php on line 102

 

And the TEST-2, I did not see any test result, the page just showed HTTP 406 Not Acceptable.

 

Is it normal, or what did I do wrong?

 

Many thanks in advance.

 

Lyn


Kept getting a "missing table" error in my admin after correct installation... uninstalled after reading about all the issues and scripts built specifically for this addon...


Hi, I just got an attack:

 

IP: 184.82.78.125

Date: 2012-11-08T10:12:16+11:00

Impact: 14

Affected tags: xss csrf id rfe lfi

Affected parameters: REQUEST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6, POST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6,

Request URI: /mg/product_info.php?products_id=212/trackback

 

Does anyone know what I should do, and whether my website has been affected? If so, what further steps should I take? Many thanks in advance.

 

Lyn


I've got it too. For different IPs it started to send notifications somewhere about 21 December, almost 100 per day. What to do now? Is it a hack attack on the shop?

 

Entering the PHPIDS plugin in Admin Panel gives a popup with "9537246810"...

Edited by LeanderPL
