FrankCRFG Posted April 10, 2015 Ok, it is working. I was thinking of blocking IP address ranges for entire countries that have no business accessing my site. Any down sides?
Taipo (Author) Posted April 10, 2015 It won't stop determined people from accessing your website and could block legitimate customers.
- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
Taipo (Author) Posted April 10, 2015 Glad it works for you.
InfoPulse Posted May 4, 2015 Hi Taipo, I added your contribution osC_Sec 5.1.4 and followed the directions for installing it. However, I ran into this error:

    Fatal error: Cannot instantiate non-existent class: arrayiterator in /home/virtual/site1/fst/var/www/html/catalog/includes/osc_sec.php on line 1230

I have no idea what to do about this. My version of osC is very old -- it's the multi-store contribution by Ryan Hobbes with a date of 2003, if this helps, that has been heavily customized. Many thanks, Lee
Taipo (Author) Posted May 4, 2015 I think the problem may be more that the version of PHP your webserver has installed is too old. I will see if I can rewrite it without the use of the PHP ArrayIterator class. This may fix this issue, but you may find other parts of the code incompatible with the version of PHP installed.
InfoPulse Posted May 4, 2015 We're using PHP version 4.3.9, if that helps. A thousand thanks for your quick response!
Taipo (Author) Posted May 5, 2015 I have made a few changes to osC_Sec http://addons.oscommerce.com/info/8929

What's New?
- Updated blacklists
- Update fix_server_vars
- Added x_secure_headers
- Replaced ArrayIterator in getRealIP with backward compatible code
- Updated check_ip

This 'may' fix your issues but I would highly recommend as usual that you do update to a newer version of both PHP and of osCommerce.
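On the country/IP-range blocking question raised earlier in the thread, and on the PHP 4-compatible getRealIP mentioned in this changelog, the following is an added example of how a client-IP resolver and a CIDR blocklist check can be written so that it still runs on PHP 4.3 (no ArrayIterator, no filter_var). It is not osC_Sec's code and does not show how getRealIP or check_ip are actually implemented; the `example_` function names, the blocklist ranges, the trusted-proxy address and the request array at the bottom are all constructed for the demonstration.

```php
<?php
// Added example, not osC_Sec code. Kept PHP 4.3-compatible on purpose,
// since that is the PHP version discussed in this thread.

// Hypothetical blocklist: RFC 5737 documentation ranges standing in for
// whatever country ranges a shop owner might decide to block.
$example_blocklist = array('192.0.2.0/24', '198.51.100.0/24', '203.0.113.0/24');

// Hypothetical reverse proxy whose X-Forwarded-For header we are willing to trust.
$example_trusted_proxies = array('10.0.0.5');

// True if $ip is a syntactically valid dotted-quad IPv4 address.
function example_is_ipv4($ip) {
    if (!preg_match('/^\d{1,3}(\.\d{1,3}){3}$/', $ip)) {
        return false;
    }
    $parts = explode('.', $ip);
    foreach ($parts as $p) {
        if ((int)$p > 255) {
            return false;
        }
    }
    return true;
}

// True if $ip falls inside $cidr ("a.b.c.d/bits"; a bare address means /32).
// Works on both 32-bit and 64-bit PHP because both sides are masked the same way.
function example_ip_in_cidr($ip, $cidr) {
    if (strpos($cidr, '/') === false) {
        $cidr .= '/32';
    }
    list($net, $bits) = explode('/', $cidr);
    $bits = (int)$bits;
    if ($bits < 0 || $bits > 32 || !example_is_ipv4($ip) || !example_is_ipv4($net)) {
        return false;
    }
    // Shifting by 32 is undefined on 32-bit builds, so /0 is special-cased.
    $mask = ($bits == 0) ? 0 : (-1 << (32 - $bits));
    return (ip2long($ip) & $mask) == (ip2long($net) & $mask);
}

// Resolve the client address. X-Forwarded-For is only consulted when the TCP
// peer (REMOTE_ADDR) is a proxy we control; otherwise the header is whatever
// the client typed and would let anyone choose the address the blocklist sees.
function example_client_ip($server, $trusted_proxies) {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (!in_array($remote, $trusted_proxies) || !isset($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // XFF reads "client, proxy1, proxy2": walk from the right past our own
    // proxies and take the first hop we did not append ourselves.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trusted_proxies)) {
            return example_is_ipv4($hops[$i]) ? $hops[$i] : $remote;
        }
    }
    return $remote;
}

function example_is_blocked($ip, $blocklist) {
    foreach ($blocklist as $cidr) {
        if (example_ip_in_cidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Constructed request: a direct connection from inside a blocked range that
// carries a forged X-Forwarded-For claiming to come from somewhere else.
$constructed_request = array(
    'REMOTE_ADDR'          => '203.0.113.77',
    'HTTP_X_FORWARDED_FOR' => '192.168.1.10',
);
$ip = example_client_ip($constructed_request, $example_trusted_proxies);
if (example_is_blocked($ip, $example_blocklist)) {
    // In a real osCommerce include this is where a 403 would be sent before exit.
    echo "blocked $ip\n";
} else {
    echo "allowed $ip\n";
}
```

The point worth taking from it: a blocklist keyed on X-Forwarded-For (or any other client-supplied header) is bypassed by anyone who sets that header themselves, so the resolver must only believe it when the direct peer is a proxy you operate. The constructed request connects from a blocked range while claiming to be 192.168.1.10 and is still blocked because the peer is not in the trusted list. That is in addition to the caveat already given in the thread: country ranges will still turn away legitimate customers and do nothing against an attacker coming through a VPN or a rented server elsewhere.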
Taipo (Author) Posted May 5, 2015 Reuploaded due to a small non-critical bug in my coding.
Roaddoctor Posted May 5, 2015 Taipo, I tried moving 5.14 to 5.17 on my 2.3.4 shop and when I did all text fields on the admin side were suddenly broken, like language files were all missing. fyi -Dave
InfoPulse Posted May 5, 2015 Hi Taipo, Thank you, I've uploaded the new version and for the /catalog directory it works fine (after a fashion -- it gets hung up on the language stuff as this is a multi-stores mod, I assume, but it's good enough to protect that directory I hope). At any rate, I still cannot add it to the /catalog/admin application_top because I get the following error:

    Fatal error: Call to undefined function: hextoascii() in /home/virtual/site1/fst/var/www/html/catalog/includes/osc_sec.php on line 537

Thank you! Lee
Taipo (Author) Posted May 5, 2015 I've uploaded an update which should address that issue. Sorry, I rushed that update yesterday, fixed that hextoascii bug and also reset the error reporting back to production server mode. http://addons.oscommerce.com/info/8929
InfoPulse Posted May 5, 2015 Thank you -- I'll get it and upload it now and let you know how it goes.
InfoPulse Posted May 5, 2015 Okay, I applied the latest version and /catalog works just fine -- much better! However, adding it to application_top 1) does this to the login box labels: TEXT_INFO_USER_NAME TEXT_INFO_PASSWORD and 2) does NOT log you in to the admin panel. I know one of the instructions for old installations is to find

        $redirect = true;
    }

After, add the following:

    if ( !isset( $login_request ) || isset( $HTTP_GET_VARS[ 'login_request' ] ) || isset( $HTTP_POST_VARS[ 'login_request' ] ) || isset( $HTTP_COOKIE_VARS[ 'login_request' ] ) || isset( $HTTP_SESSION_VARS[ 'login_request' ] ) || isset( $HTTP_POST_FILES[ 'login_request' ] ) || isset( $HTTP_SERVER_VARS[ 'login_request' ] ) ) {
        $redirect = true;
    }

Lastly open catalog/admin/login.php and find the following line:

    Released under the GNU General Public License */

After, add the following:

    $login_request = true;

However, even though I have a login, I do not have $redirect = true; in my /admin/application_top -- I've attached my version of /admin/application_top (I have the multi-stores version of osCommerce) Many thanks! Lee (attachment: application_top-in-admin.txt)
Taipo (Author) Posted May 6, 2015 Try this: in application_top.php you have the following:

    // set php_self in the local scope
    $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

Add the include under that section:

    require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

The reason is, there is a problem with the way $PHP_SELF is set which is actually fixed in osC_Sec. Do this in at least the catalog side of your store. If it doesn't interfere with the customer logins, then also add it to the admin includes/application_top.php too - which by the way is the more critical part. On the admin side you would be better to add htaccess protection though to end any attempts to exploit 2.2. As for the rest of the changes, they are optional, so just leave them and see if that works.
Taipo (Author) Posted May 6, 2015 Also I found one of the headers in osC_Sec might also be causing some conflicts, so have removed it in the latest update 5.1.9
mr_absinthe Posted May 6, 2015 Hi, first of all, thank you for keeping this updated! I have just updated to the latest 5.1.9 and I'm unable to login into my admin - FF is giving me the page isn't redirecting properly message. Absinthe Original Liquor Store
Taipo (Author) Posted May 6, 2015 The issue is that the $PHP_SELF is not being set properly I think... Uploaded 5.2.0 with a fix that may help that login.
mr_absinthe Posted May 9, 2015 Could it be caused by the osc_sec.php that I am now unable to load the page without SSL? I mean when I type http://www.originalabsinthe.com it always redirects to https despite these settings in configure.php:

    define('HTTP_SERVER', 'http://www.originalabsinthe.com');
    define('HTTPS_SERVER', 'https://www.originalabsinthe.com');
    define('ENABLE_SSL', true);
mr_absinthe Posted May 9, 2015 OK, I have noticed another issue: when I go to product page, for example http://www.originalabsinthe.com/absinthe-liquor-absinth-king-spirits-gold-p-56.html I am unable to purchase the item, after I hit Add to Cart button, I receive an error that the page is not redirecting properly - This web page has a redirect loop error message in Chrome. Works fine in v 5.1.4._1.
Taipo (Author) Posted May 10, 2015 I think they are both the same problem, and probably not related to osc_sec. At a guess it would most likely be SEO related, and isn't that the point of ENABLE_SSL setting, to force HTTPS? There should be nothing in osc_sec that affects https settings though.
mr_absinthe Posted May 10, 2015 OK, my apologies, the first issue is sorted, my browser was behaving funny. However the second issue still remains and it is osc_sec related because it works fine in previous version 5.1.4._1. If I load that version, button Add to Cart works fine, if I load the new version, loop error, page is not redirecting properly. Can you please have a look at it
Taipo (Author) Posted May 11, 2015 Firstly try this: find:

    header( 'strict-transport-security: max-age=31536000; includeSubDomains' );
    header( 'access-control-allow-methods: POST, GET' );
    header( 'x-frame-options: SAMEORIGIN' );
    header( 'x-xss-protection: 1; mode=block' );

Go through each one, one at a time and place a hash in front of them, like this:

    #header( 'strict-transport-security: max-age=31536000; includeSubDomains' );
    header( 'access-control-allow-methods: POST, GET' );
    header( 'x-frame-options: SAMEORIGIN' );
    header( 'x-xss-protection: 1; mode=block' );

then

    header( 'strict-transport-security: max-age=31536000; includeSubDomains' );
    #header( 'access-control-allow-methods: POST, GET' );
    header( 'x-frame-options: SAMEORIGIN' );
    header( 'x-xss-protection: 1; mode=block' );

etc. and test for the loop until you have tested all 4 headers (more than one could be causing problems). If the problem is not there, then let me know and we can try something else.
mr_absinthe Posted May 11, 2015 I've been disabling one by one and still the same result, product is added to basket but loop error. I've also disabled all four at once and same result I'm afraid - The page isn't redirecting properly. I have noticed that the URL after I click the button is not correct. It should stay the same but it is changed to http://www.originalabsinthe.com/index.php?products_id=70 which is obviously wrong.
Taipo (Author) Posted May 11, 2015 Next step is to do the same thing but with the following found throughout the first section of the code:

    fix_server_vars();
    $this->_REQUEST_Shield();
    $this->dbShield();
    $this->getShield();
    $this->postShield();
    $this->cookieShield();
    $this->checkReqType();
mr_absinthe Posted May 11, 2015 No, I'm afraid not. Still the same result.
This topic is now archived and is closed to further replies.