Archived

This topic is now archived and is closed to further replies.

Frey

Anti XSS

Can anyone explain the 2nd step in the installation of XXS_Shield: 2) create an index_error.php file with whatever content you want to be displayed

 

I'm new to this and am following the 'How to Secure your osCommerce 2.2 steps'

I've created a .htaccess file and placed it in my root directory with the text in step 1 but having never created a php file from scratch - just modified according to instructions in the osCommerce setup - I'm a little lost.


I recall asking the same question when I installed that on my shops. What I did was simply copy an existing php file, rename it and then redo the contents by putting some html code in there telling whoever got to that page that they did so "in error".

 

If I recall correctly the purpose of the file was that if someone was misbehaving with code intrusions they'd end up at index_error.php and get no further.


I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


Hello All,

 

I'm about to update for the XXS_shield, could anyone confirm for me

 

1. I add lines 4-13 to the root htaccess file.

 

2. Create the index_error.php with something along the lines of "you're here in error"

 

3. Upload the index_error.php file to the root

 

thanks

 

ken


Os-commerce v2.3.3

Security Pro v11

Site Monitor

IP Trap

htaccess Protection

Bad Behaviour Block

Year Make Model

Document Manager

X Sell

Star Product

Modular Front Page

Modular Header Tags



Ken, that's how I set up XXS_shield in my shops. That's been installed for about a year now.



Altoid, thanks will get it done.



Ken, here's an add-on that has similar coding in .htaccess but then goes beyond what XXS_shield does. In part I haven't installed XXS Bad Behavior Block because the author seems to have stopped supporting it, but I've been following the support thread and her concept appears to be the way to go. Just FYI



Hello Altoid,

 

Thanks for the link, I read through the install notes & being a newbie to osc, I'm trying to ensure that I "think" I know what I'm doing before making any alterations. So if I may trouble you could you confirm -

 

1. The contribution works for V2.3.1

 

2. The notes instruct to upload one new folder, clearly I can work out which folder this is, but the notes say it contains 2 files whereas it actually contains 3, am I correct in assuming that the 2 required files are the .php & .html file

 

3. In the code to be added, the first function is conditional on a Url rewrite engine, already being on/off. I'm unsure if I have this, is there a test I can do to find out.

 

4. Does the deny statement at the end of the code require any changes ?

 

Outside of the scope of the contribution but mentioned in the install notes, I've been trying to find out if the /"renamed admin"/define_language.php is called by other lines elsewhere or can it simply be removed.

 

If this appears to be too many questions, just say so, I won't be offended - I've not been active on the forum long, but believe me I understand how much work you guys put in.

 

thanks

 

ken



Ken, as noted in my signature I am not an expert in this stuff but if I can help out I will.

 

It appears you are trying to address security, and that is good.

 

Anyway I have not installed this on my 2.3.1 shop yet, so I am not sure. When I do install that I will do some testing after the install to make sure everything works otherwise. It should, is my hunch.

 

Because I haven't installed I don't have experience with it to answer the other questions related to that. However if you read the support thread, there is much positive feedback on the add-on, so that's why I mentioned it.

 

Regarding..../"renamed admin"/define_language.php .....

 

That issue is discussed a lot in the security forums, along with file_manager.php. I have completely removed these from my 2.2 stores. I believe the security issues related to those files have been addressed in 2.3.1, meaning I don't see them in the package anymore.

 

Hope that helps.



Altoid,

 

I'll back up, give it a go & let you know what happens.

 

ken



Thanks Ken, take note of what the author (Debbs) said about how "captured" bad behavior IPs are added to .htaccess.

 

What I intended to do was use Debbs' add-on in combination with Fimble's IP Trap. It's a bit cumbersome but what I'd do is copy over to the blocked IP list of IP Trap, if for no other reason than to consolidate them.

 

There's some debate among forum members over white listing vs black listing, and I can see both sides of the issue but from my point of view, capturing a misbehaving IP and logging it is for me, at my stage of the game, validation that at least the block is working.

 

Your install and evaluation will help me make some decisions, so I appreciate that.



Steve

 

Define_language.php was in my v2.3.1 install, decided to take the plunge and just delete it anyway. It doesn't seem to have had any detrimental effects as yet, but I'm nowhere near having a fully functioning store yet.

 

I've had another look at the suggested XXS contribution but I don't think this can be done with the post 1 IP trap in place.

 

In Debbs notes she instructs to remove from htaccess any lines of code which would be duplicated by her code, effectively this would remove all the re-write conditions from IP trap, so it won't work anymore.

 

Perhaps what could be done is add lines 7, 12 & 13 which are additional re-write conditions to the IP Trap code, also lines 19 & 20 might need to be included and amended, but to be honest it's way beyond me.

 

ken



Sorry ignore my last post, the code lines removed are those from XXS_Shield not IP Trap.

 

So I think it's a case of having XXS_shield or Bad_behavior_block but not both

 

Ken



1. Bad_behavior_block works very well on 2.3.1 - actually it works very well with everything you may have on your site whether it is osC, WordPress, any forum, and that is the beauty of it

 

 

2. the 3 files are .htaccess, ban.php and data.html (.htaccess protects the folder)

 

3. Mostly the rewrite engine is on - especially when you have other .htaccess protection (having the line written again would be the same as switching on a switch that was already on: an unnecessary procedure that wastes a bit of time but nothing else)

 

4. your last statement should read:

 

<Files 403.shtml>
order allow,deny
allow from all
</Files>

 

You'll find on initial installation (at least on a well known site) a high amount of hacking attempts that die off over the space of a month as the hackers get the message


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3

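An added editor's example, not code from the XXS_Shield or Bad_behavior_block add-ons and not part of any post in this thread: a root .htaccess in the shape that ken's three-step summary (add rewrite lines, create index_error.php, upload it to the root) and Xpajun's answers about RewriteEngine and the 403.shtml stanza describe. The add-on's actual lines 4-13 are not reproduced on this page, so the query-string patterns, the loop guard and the ErrorDocument line below are assumptions that illustrate the technique; only the four-line Files block is taken from the reply above. The example assumes the store lives in the web root.

```apache
# Added illustration (not the XXS_Shield distribution): a root .htaccess
# that serves index_error.php to any request whose query string carries
# script-like payloads, followed by the custom-403 stanza from the reply.

# Harmless if an earlier block in the file already turned it on.
RewriteEngine On

# Loop guard: never rewrite the error page itself, or the rule below would
# keep matching its own target.
RewriteCond %{REQUEST_URI} !^/index_error\.php$ [NC]

# QUERY_STRING is tested as received, before URL-decoding, so each pattern
# lists the raw and the percent-encoded form. [NC] ignores case, [OR] chains
# the alternatives; the last condition closes the chain.
RewriteCond %{QUERY_STRING} (<|%3C)(script|iframe|object|embed) [NC,OR]
RewriteCond %{QUERY_STRING} (java|vb)script: [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|%5B|\[) [NC,OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|%5B|\[) [NC]

# Internal rewrite, not an [R] redirect: the client is served the error
# page without being sent to a new URL, and the original request line is
# what lands in the access log.
RewriteRule .* /index_error.php [L]

# When the same file also carries "deny from" lines for banned IPs, Apache
# must still be allowed to hand the custom 403 page to the denied client;
# otherwise it falls back to its built-in error page.
ErrorDocument 403 /403.shtml
<Files 403.shtml>
order allow,deny
allow from all
</Files>
```

Three notes a practitioner would want. First, index_error.php should be static and should not echo anything from the request; a `header('HTTP/1.1 403 Forbidden');` line above plain HTML is enough, and the page's only job is to stop the request from reaching catalog code. Second, this kind of filter is a tripwire, not an XSS fix: it inspects the query string only (not POST bodies or headers) and only for the substrings listed, so the real protection remains output encoding in the PHP templates. Third, `order allow,deny` / `allow from all` is Apache 2.2 syntax (kept alive on 2.4 only by mod_access_compat); on a 2.4 host the equivalent is `Require all granted`. For ken's question 3, a quick test for mod_rewrite is to add `RewriteEngine On` plus a throwaway rule such as `RewriteRule ^rewrite-test$ /index_error.php [L]` and request /rewrite-test: the error page means rewriting works, a 500 error means the module is missing or .htaccess overrides are not allowed, and a 404 means the rule was never applied.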

Had a digital hiccup a couple minutes ago with an attempted post..but anyway.

 

Seeing Xpajun's comment is helpful.

 

Ken, regarding that define_language.php issue, removing that from 2.2 was strongly recommended, but perhaps it's been corrected in 2.3.1. Maybe that's why it's still there.

 

See this post about that, especially MrPhil's comment.

 

I think I am going to move installing Debbs' contribution up on my "to do" list.

