Oscommerce Security - Osc_Sec.php


Taipo


basically the same PT

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Does this add on prevent "url injection"?

 

This method was just flagged by my PCI scanning company. I previously installed code to prevent SQL injection in my input fields but didn't realize the SQL could be embedded in the URL osCsid.


@walkman

 

Yes osC_Sec prevents malicious url injections.

 

I have made a small change to osC_Sec for those using IP Trap in conjunction. Here is the update. Will release it officially in a day or so.

 

http://pastebin.com/uqDeDR0k

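As an added illustration of the point raised above about SQL riding in the osCsid parameter (my own code, not osC_Sec's), here is a strict check on the session id taken from the query string before the session layer or any SQL sees it. The function name, the 64-character limit and the sample inputs are my assumptions.

```php
<?php
// Added example, not osC_Sec's own code: validate the osCsid session id
// taken from the query string before the session layer or any SQL sees it.
// Assumptions: session name 'osCsid' (osCommerce default), PHP 5.4+.

/**
 * Return the session id only if it looks like one: letters and digits,
 * 1 to 64 characters. Anything else (quotes, spaces, "%" escapes, an array
 * smuggled in as osCsid[]=...) yields null, so the caller starts a fresh
 * session instead of passing the value on.
 * If php.ini sets session.hash_bits_per_character = 6, ids may also contain
 * ',' and '-'; extend the character class to [A-Za-z0-9,-] in that case.
 */
function osc_clean_session_id(array $get, $name = 'osCsid')
{
    if (!isset($get[$name]) || !is_string($get[$name])) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9]{1,64}$/', $get[$name]) ? $get[$name] : null;
}

// Constructed sample inputs standing in for $_GET.
$samples = array(
    'plain id'     => array('osCsid' => 'a1b2c3d4e5f60718'),
    'quote in id'  => array('osCsid' => "a1b2c3'x"),
    'array value'  => array('osCsid' => array('a1b2')),
    'no id at all' => array(),
);
foreach ($samples as $label => $get) {
    $id = osc_clean_session_id($get);
    printf("%-12s : %s\n", $label, $id === null ? 'rejected, new session' : 'accepted ' . $id);
}
```

A rejected id should simply start a new session; there is no need to echo the offending value back to the visitor.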


hello, i installed osC_Sec_5.0.2, everything seems to be working ok,

i have one problem with paypal IPN (PayPal IPN v2.3.4.6)

the orders go through, the payment too, but it does not return the status or paypal details to OSC.

please let me know if you can help. thanks.


Hello, I would like to install your latest version, but I've noticed that I have changed code in both application_top.php files. I believe that this change is from here: http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/page__view__findpost__p__1467014, but would you be so kind as to have a look at it and tell me if replacing the following code could break something?

 

admin file:

// set php_self in the local scope
//  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
/**
 * Reliably set PHP_SELF as a filename .. platform safe
 */
function setPhpSelf() {
  // Prefer SCRIPT_NAME, then PHP_SELF; keep only the bare script filename
  $base = array( 'SCRIPT_NAME', 'PHP_SELF' );
  foreach ( $base as $key ) {
    if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
      if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
        preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
        if ( is_array( $matches ) && array_key_exists( 0, $matches )
             && substr( $matches[0], -4, 4 ) == '.php'
             && is_readable( $matches[0] ) ) {
          return $matches[0];
        }
      }
    }
  }
  return 'index.php';
} // end method

$PHP_SELF = setPhpSelf();

 

catalog file:

// set php_self in the local scope
//$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
/**
 * Reliably set PHP_SELF as a filename .. platform safe
 */
function setPhpSelf() {
  // Prefer SCRIPT_NAME, then PHP_SELF; keep only the bare script filename
  $base = array( 'SCRIPT_NAME', 'PHP_SELF' );
  foreach ( $base as $key ) {
    if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
      if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
        preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
        if ( is_array( $matches ) && array_key_exists( 0, $matches )
             && substr( $matches[0], -4, 4 ) == '.php'
             && is_readable( $matches[0] ) ) {
          return $matches[0];
        }
      }
    }
  }
  return 'index.php';
} // end method

$PHP_SELF = setPhpSelf();

Absinthe Original Liquor Store


> hello, i installed osC_Sec_5.0.2, everything seems to be working ok,
>
> i have one problem with paypal IPN (PayPal IPN v2.3.4.6)
>
> the orders go through, the payment too, but it does not return the status or paypal details to OSC.
>
> please let me know if you can help. thanks.

 

Unless I am mistaken I believe the callback from the Paypal server is a POST request. The latest version of osC_Sec as of http://pastebin.com/uqDeDR0k does not filter the POST variables at all so should not be interfering with the order callback.


> Hello, I would like to install your latest version, but I've noticed that I have changed code in both application_top.php files. I believe that this change is from here: http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/page__view__findpost__p__1467014, but would you be so kind as to have a look at it and tell me if replacing the following code could break something?
>
> admin file:
>
> // set php_self in the local scope
> //  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
> /**
>  * Reliably set PHP_SELF as a filename .. platform safe
>  */
> function setPhpSelf() {
>   // Prefer SCRIPT_NAME, then PHP_SELF; keep only the bare script filename
>   $base = array( 'SCRIPT_NAME', 'PHP_SELF' );
>   foreach ( $base as $key ) {
>     if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
>       if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
>         preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
>         if ( is_array( $matches ) && array_key_exists( 0, $matches )
>              && substr( $matches[0], -4, 4 ) == '.php'
>              && is_readable( $matches[0] ) ) {
>           return $matches[0];
>         }
>       }
>     }
>   }
>   return 'index.php';
> } // end method
>
> $PHP_SELF = setPhpSelf();
>
> catalog file:
>
> // set php_self in the local scope
> //$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
> /**
>  * Reliably set PHP_SELF as a filename .. platform safe
>  */
> function setPhpSelf() {
>   // Prefer SCRIPT_NAME, then PHP_SELF; keep only the bare script filename
>   $base = array( 'SCRIPT_NAME', 'PHP_SELF' );
>   foreach ( $base as $key ) {
>     if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
>       if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
>         preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
>         if ( is_array( $matches ) && array_key_exists( 0, $matches )
>              && substr( $matches[0], -4, 4 ) == '.php'
>              && is_readable( $matches[0] ) ) {
>           return $matches[0];
>         }
>       }
>     }
>   }
>   return 'index.php';
> } // end method
>
> $PHP_SELF = setPhpSelf();

 

They mostly do the same thing, but you would be best to change the code to the one in osC_Sec as that is the latest code supplied by the developers of osCommerce as part of the fix to that serious security issue.


Warning: require_once(/home/USER/public_html/shopping/ext/modules/payment/paypal_ipn/includes/osc_sec.php) [function.require-once]: failed to open stream: No such file or directory in /home/USER/public_html/shopping/includes/application_top.php on line 43

 

Fatal error: require_once() [function.require]: Failed opening required '/home/USER/public_html/shopping/ext/modules/payment/paypal_ipn/includes/osc_sec.php' (include_path='.:/usr/lib/php') in /home/USER/public_html/shopping/includes/application_top.php on line 43

 

line 43 is

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

 

If I leave this in, PayPal IPN won't work?

Any advice would be great.

 

thank you


replace:

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

with:

require_once( '/home/youruser/public_html/includes/osc_sec.php' );

This is so that you can use the actual file path.

So replace '/home/user/public_html/includes/osc_sec.php' with the actual file path to osc_sec.php


Does using server-wide SSL create these PHP Warnings?

 

Thanks,

EricK

 

[11-Apr-2012 14:55:44] PHP Warning: file() [<a href='function.file'>function.file</a>]: Filename cannot be empty in /home/<user>/public_html/includes/osc_sec.php on line 636

 

[11-Apr-2012 14:55:44] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/<user>/public_html/includes/osc_sec.php:636) in /home/<user>/public_html/includes/functions/sessions.php on line 101

 

[11-Apr-2012 14:55:44] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/<user>/public_html/includes/osc_sec.php:636) in /home/<user>/public_html/includes/functions/sessions.php on line 101

 

[11-Apr-2012 14:55:44] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/<user>/public_html/includes/osc_sec.php:636) in Unknown on line 0


No, but I think if you are using IP Trap along with osC_Sec then you may get that warning. I have written up a fix for this, it will be officially posted up shortly.


osC_Sec 5.0.3

What's New?

- Fixed issues causing conflicts with some addons concerning the postShield() function

- Fixed issues causing conflicts with some addons concerning the ipTrap function

New install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating: replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.

 

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email [email protected]

 

Download from: http://addons.oscommerce.com/info/8283


It took me a while to nail this down... but if I keep osC_Sec enabled on one of my stores, I'm unable to supply a xml feed to one of the shopping sites. The feed is being generated by a .php file and with the osC_Sec enabled, I was receiving the following error from them: Warning: extract() expects parameter 1 to be array, null given in...

 

I was receiving no emails from osC_Sec to help me nail it, despite the fact that it is enabled.

 

I was able to see the xml file in my browser just fine. To be able to supply them with the feed, I have to keep the osC_Sec disabled at the moment. Any idea please?



Can you PM me the full error message thanks.



Hello Taipo

 

Does osc_sec stop 2 question marks being included in the URL?

 

Google is trying to see this page *************.php?product_info.php?cPath************

 

But it is finding ***********.phpproduct_info.php?cPath************

 

EDIT, Taipo, thinking about it, I don't think osc_sec has anything to do with the problem because I can type in the ? and the page opens.

I'll open a new thread


Hi Taipo,

 

Upgraded to the latest version and have found that a few genuine customers are being IP Trap banned with the following as reason for the ban:

 

osC_Sec blacklist hex encoded query_string value is banned: %%.

What is this checking for or what could be causing it?

 

Many Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


> Hello Taipo
>
> Does osc_sec stop 2 question marks being included in the URL?
>
> Google is trying to see this page *************.php?product_info.php?cPath************
>
> But it is finding ***********.phpproduct_info.php?cPath************
>
> EDIT, Taipo, thinking about it, I don't think osc_sec has anything to do with the problem because I can type in the ? and the page opens.
>
> I'll open a new thread

 

Perhaps it may be linked to Security Pro as that does rewrite the $_GET global.


> Hi Taipo,
>
> Upgraded to the latest version and have found that a few genuine customers are being IP Trap banned with the following as reason for the ban:
>
> osC_Sec blacklist hex encoded query_string value is banned: %%.
>
> What is this checking for or what could be causing it?
>
> Many Thanks

 

Can you PM me the entire email notification please.

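Added example for the "%%" ban reported above (my own code, not osC_Sec's or IP Trap's): a scanner that separates a malformed percent-escape from valid hex encoding in the query string, and a policy helper that rejects the single request and only escalates to a ban after repeated strikes from one address, so a visitor following a broken link is not banned outright. Function names, the strike threshold and the sample query strings are my assumptions.

```php
<?php
// Added example, not osC_Sec's or IP Trap's code: tell malformed
// percent-escapes such as "%%" apart from valid hex encoding in
// QUERY_STRING, so a rule can log or reject them without banning the IP.

/**
 * Scan a raw query string and return every percent sign that does not start
 * a valid %XX escape. A correct client never emits "%%": a literal "%" is
 * sent as "%25". Returns an array of byte offset => three-character context.
 */
function osc_malformed_escapes($query_string)
{
    $bad = array();
    $len = strlen($query_string);
    for ($i = 0; $i < $len; $i++) {
        if ($query_string[$i] !== '%') {
            continue;
        }
        $hex = substr($query_string, $i + 1, 2);
        if (strlen($hex) === 2 && ctype_xdigit($hex)) {
            $i += 2;               // valid escape: skip its two hex digits
            continue;
        }
        $bad[$i] = substr($query_string, $i, 3);
    }
    return $bad;
}

/**
 * Policy helper (threshold is an assumption): a request with malformed
 * escapes is answered with 400 and logged; only repeated strikes from the
 * same address justify handing it to IP Trap. Returns 'ok', 'reject' or
 * 'ban' so the caller decides what to do with the result.
 */
function osc_escape_policy($query_string, $strikes_from_ip, $ban_after = 5)
{
    if (osc_malformed_escapes($query_string) === array()) {
        return 'ok';
    }
    return $strikes_from_ip >= $ban_after ? 'ban' : 'reject';
}

// Constructed sample query strings.
$samples = array(
    'products_id=31&osCsid=ab12cd34',   // clean
    'search=50%25+off&page=2',          // valid encoding of "50% off"
    'search=50%%20off',                 // broken link: "%%" then "20"
    'q=caf%C3%A9&x=%',                  // valid UTF-8 escapes, trailing bare %
);
foreach ($samples as $qs) {
    $bad = osc_malformed_escapes($qs);
    printf("%-34s %s\n", $qs, $bad ? 'malformed at ' . implode(',', array_keys($bad)) : 'ok');
}
```

For the third sample the scan reports offset 9 only: the "%%2" at that point is malformed, while the "%20" that follows it is a valid escape and is left alone.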

Hi Taipo,

 

Sent you the email text by pm.

 

The %% ban seems to be trapping quite a few visitors, maybe even googlebot - so I daily clean the IP trap trapped.txt file just in case.

 

Thanks



Taipo

 

Okay I looked into this issue again because I was not able to access the modules box in the admin

 

I completely removed the .htaccess hardening code that you wrote and I can access the modules box and as a bonus, the translate also works now! (w00t)

My question now, if you have time, do you think you could see what's up with the .htaccess? I was looking at incidences of & and = but I see they are featured a lot in the .htaccess file so I can't work out what's what.


> Taipo
>
> Okay I looked into this issue again because I was not able to access the modules box in the admin
>
> I completely removed the .htaccess hardening code that you wrote and I can access the modules box and as a bonus, the translate also works now! (w00t)
>
> My question now, if you have time, do you think you could see what's up with the .htaccess? I was looking at incidences of & and = but I see they are featured a lot in the .htaccess file so I can't work out what's what.

actually, scratch that, the translation works now regardless of the htaccess, it's just the modules box that is affected by the htaccess


> Hi Taipo,
>
> Sent you the email text by pm.
>
> The %% ban seems to be trapping quite a few visitors, maybe even googlebot - so I daily clean the IP trap trapped.txt file just in case.
>
> Thanks

 

osc_sec creates a trapped.txt file? If so, where would I find it?


Sorry no - the .txt file is part of the IP Trap contribution.

 

You can select OSC SEC to ban IPs by either .htaccess or by using the IP Trap as I have done.



> Hi Taipo,
>
> Sent you the email text by pm.
>
> The %% ban seems to be trapping quite a few visitors, maybe even googlebot - so I daily clean the IP trap trapped.txt file just in case.
>
> Thanks

 

Try the latest update Heather

 

http://addons.oscommerce.com/info/8283


Archived

This topic is now archived and is closed to further replies.
