Archived

This topic is now archived and is closed to further replies.

Taipo

Oscommerce Security - Osc_Sec.php

For the .php/login bans, they will all be hack attempts. 'flush' is removed in the latest release coming out shortly.

 

Try setting everything to 0 and see if that makes a difference.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


osC_Sec 2.7[r5]

What's New?

- Removed the referer check test for $chkPostLocation which was causing issues for sites behind https

- Removed the ban aspect of $testExpiredCookie which now calls a 403 page ban and page die

- Due to session conflicts in osCommerce versions 2.2.x and the $testExpiredCookie, osC_Sec now disables $testExpiredCookie with those versions

- Optional change in the location of the require_once() include in both application_top.php files (see readme.htm for new location) for where osC_Sec is included

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm

 

Download from: http://addons.oscommerce.com/info/7834



osC_Sec 2.7[r6]

What's New?

- Fine tuning of the postShield black list to allow for file editing via file managers and language editors.

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm

 

Download from: http://addons.oscommerce.com/info/7834



I am still getting the white screen when I click add to cart but only when osc-sec is enabled via application_top.php.


If the only tool you have is a hammer, all your problems look like nails


At the moment it sounds like osC_Sec is calling a page die because IP banning is disabled.

 

Can you add your email address to $youremail and switch on $banipaddress and $emailenabled, which will probably then trigger a ban when you try to add something to the cart.

 

From there you will receive an email notification. Can you PM that through to me, thanks; that will help me determine what is causing this in your situation.

 

In doing so your IP address will be banned, so once that happens, remove the IP address from your htaccess file and switch the settings back to their original state.



osC_Sec 2.7[r7]

What's New?

- Script clean up of the way osC_Sec detects the cookie settings

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm

 

Download from: http://addons.oscommerce.com/info/7834



osC_Sec 2.7[r8]

What's New?

- Add checks for servers that have register_globals enabled

- Now checks that $_GET is always an array

- Fixed an issue in the coding that caused a redirect to the index.php rather than a ban

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm

 

Download from: http://addons.oscommerce.com/info/7834



osC_Sec 2.7[r9]

What's New?

- Fix to bug in register globals code

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm

 

Download from: http://addons.oscommerce.com/info/7834



Just updated to the new version and I am still getting the blank screen when adding a product to the cart. See for yourself www.protoolzonline.com



What are the settings you are using in osc.php?



osC_Sec 2.8

What's New?

- Fixed issues with $_GET arrays

- Cleanup readme.htm to reflect new code in osc.php

- Fixed code in email section

- Fixed bug in $chkPostLocation

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm

 

Download from: http://addons.oscommerce.com/info/7834



    $timestampOffset = 12; # Set the time offset from GMT, example: a setting of -10 is GMT-10 which is Tahiti, 12 is New Zealand
    $nonGETPOSTReqs = 1; # 1 = Prevent security bypass attacks via forged requests, 0 = leave it as it is
    $chkPostLocation = 0; # 1 = Check to see if cookies and referer are set before accepting post vars, 0 = don't (especially if using Paypal)
    $GETcleanup = 0; # 1 = Clean up $_GET variables, 0 = don't cleanup. If you use FWR_SECURITY_PRO then you can set this to not 0.
    $testExpiredCookie = 0; # 1 = Checks for an expired cookie, 0 = don't check ( only use this with oscommerce version 2.3.1 )
    $banipaddress = 0; # 1 = adds ip to htaccess for permanent ban, 0 = calls a page die if injection detected
    $useIPTRAP = 0; # 1 = add IPs to the IP Trap contribution, 0 = leave it off
    $ipTrapBlocked = "http://www.protoolzonline.com/blocked.php"; # Put the full URL to your blocked.php if you intend to use this option.
    # Example: $ipTrapBlocked = "http://www.protoolzonline.com/blocked.php";

    /**
    * Email settings: Don't use if your
    * Web Service Provider limits how
    * many emails per hour / per day
    **/

    $emailenabled = 1; # 1 = send yourself an email notification of injection attack, 0 = don't
    $youremail = "sales@protoolzonline.com"; # set your email address here so that the server can send you a notification of any action taken and why
    $fromemail = "securityscript@protoolzonline.com"; # set up an email like securityscript@yourdomain.com where the attack notifications will come from

    $diagenabled = 1; # 1 = automatically send an email to the developer with the ban IP address and the reason for the ban to help improve osC_Sec, 0 = don't
    $diagemail = "oscsecdiagnostic@aol.com"; # this is the email of the developer of osC_Sec.php (see readme.htm)

    /*
    * END OF SETTINGS
    */



Thanks for that Matt. Try the latest version 2.8 and see if that makes a difference.



Still not working. It is sending emails for other known malicious IPs though.



As soon as I comment out the line in application_top.php it works fine. But obviously I am not protected.



Tell me a bit more about your setup. What version of PHP is running, what version of osCommerce, is register globals on or off, what other addons are you using etc etc.



There is something peculiar about the way products are added to the cart on your site. On most versions of osCommerce I would have expected the add to be done via a POST operation and not a GET. So I would be quite interested in what addon you are using that is causing that.

 

Other than there being something in the configuration or addons that is affecting the way osC_Sec works, you will have to try commenting out parts of the osC_Sec code in order to narrow down which section is causing the issue.

 

Example: since adding a product is a GET request, check down at line 206 in osc_sec.php for the following:

 

    getShield( $_GET, $oscsec_getVar_blacklist );

 

Change this to:

 

    #getShield( $_GET, $oscsec_getVar_blacklist );

 

and see if that makes a difference.

 

There are a few functions in there that work regardless of whether or not you have options activated in osc.php; that one is one of them.



osC_Sec 2.8[r1]

What's New?

- Changed the way $httphost is set

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm

 

Download from: http://addons.oscommerce.com/info/7834



osC_Sec 2.8[r3]

What's New?

- Removed the trim aspect of the email notification

- Added more items to GET and POST blacklist items

- Fixed an issue with $_SERVER[ "REMOTE_ADDR" ] reporting the IP address of the server in front of the one the website is hosted on when hosted in server clusters.

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm

 

Download from: http://addons.oscommerce.com/info/7834



Found an issue with a slightly older version of osc_sec [cannot remember which revision] which stopped the status flag from setting things to inactive (banners, specials, products). The solution is to update to the latest version of osc_sec.


Help shape the future of Phoenix; join the Phoenix Club


osC_Sec 2.8[r4]

What's New?

- Refined the code for determining the visitor's IP address when the server is 'proxied' in a cluster.

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm



osC_Sec 2.8[r5]

What's New?

- Further fine tuning of the code for determining the visitor's IP address when the server is proxied in a cluster/cloud.

- Update to banned request_uri and query_string code

- Updated several items from the GET blacklist that can cause false positive results

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm

 

Download from: http://addons.oscommerce.com/info/7834


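The r3 to r5 notes above are about REMOTE_ADDR carrying the front proxy's address when the shop is hosted in a cluster. The following is an added illustration, not osC_Sec's own IP code: it honours X-Forwarded-For only when the connection actually comes from a proxy you operate, since a visitor who can make the server believe an arbitrary header can evade or misdirect an IP ban. The proxy ranges, function names and sample requests are assumptions; it needs PHP 7 or later.

```php
<?php
// Added example (PHP 7+), not osC_Sec's own IP code: pick the visitor address to use
// for bans and notifications when the web server is behind a proxy/load balancer in
// a cluster. REMOTE_ADDR then holds the proxy's address (the r3 symptom). The
// X-Forwarded-For header is only believed when REMOTE_ADDR is one of YOUR proxies;
// otherwise any visitor can forge it and evade or misdirect an IP ban.
$trustedProxies = ['10.0.0.0/8', '192.168.1.10'];   // assumption: your own proxy ranges

// IPv4-only CIDR membership test; a bare address is treated as /32.
function ipInCidr(string $ip, string $cidr): bool {
    [$subnet, $bits] = explode('/', $cidr) + [1 => '32'];
    $ipLong = ip2long($ip);
    $netLong = ip2long($subnet);
    if ($ipLong === false || $netLong === false) return false;
    $bits = (int)$bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

function isTrustedProxy(string $ip, array $proxies): bool {
    foreach ($proxies as $cidr) {
        if (ipInCidr($ip, $cidr)) return true;
    }
    return false;
}

// $server is a $_SERVER-like array. Walks X-Forwarded-For from the right (the hop
// nearest to us), skipping our own proxies, and returns the first foreign address.
// A malformed entry, or a header arriving from a non-proxy, falls back to REMOTE_ADDR.
function visitorIp(array $server, array $proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($remote, $proxies) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (filter_var($chain[$i], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
            return $remote;
        }
        if (!isTrustedProxy($chain[$i], $proxies)) return $chain[$i];
    }
    return $remote;   // every hop was ours: nothing better than the proxy address
}

// Constructed requests: a client reaching us through two cluster proxies, and a
// direct client that forged the header to look like localhost.
$viaCluster = ['REMOTE_ADDR' => '10.0.0.6', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7, 10.0.0.5'];
$forged     = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
echo visitorIp($viaCluster, $trustedProxies), PHP_EOL;   // the real client, not a proxy hop
echo visitorIp($forged, $trustedProxies), PHP_EOL;       // the connecting address is kept
```

If the host runs behind a managed load balancer, the trusted list is its published address range, not the whole private network.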

osC_Sec 2.8[r6]

What's New?

- Updated expired cookie ini_get code

- Updated the way the visitor IP address is detected

- Updated the injection checks

- getShield now searches the Request_Uri rather than Query_String

- postShield now decodes all post inputs before testing against the blacklist

 

To update just replace the osc_sec.php file in your includes directory

 

Install instructions: see the readme.htm; as usual, all updates contain the complete package

 

Download from: http://addons.oscommerce.com/info/7834


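Two points from the thread, shown as an added illustration rather than osC_Sec's own getShield()/postShield(): the earlier suggestion to narrow down which shield call fires on the add-to-cart request, and the r6 change to decode inputs and inspect the request URI before testing against the blacklist. This is a diagnostic version that reports which term matched which input instead of banning; the function names, the sample blacklist and the sample requests are assumptions, and it needs PHP 7 or later.

```php
<?php
// Added example (PHP 7+), not osC_Sec's own getShield()/postShield(): a diagnostic
// shield that reports WHICH blacklist term matched WHICH input instead of banning or
// calling a page die, so a false positive (e.g. a blank "add to cart" page) can be
// traced without commenting checks out. The blacklist is a constructed sample, not
// the real $oscsec_getVar_blacklist.
$sampleBlacklist = ['union select', '<script', 'base64_decode', '../', 'flush'];

// Normalise a value before matching: repeat URL-decoding until it stops changing
// (bounded, so nested encodings cannot loop forever), then decode HTML entities and
// lower-case. Matching the raw, still-encoded value would miss "%253Cscript".
function normalise(string $value): string {
    for ($i = 0; $i < 5; $i++) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) break;
        $value = $decoded;
    }
    return strtolower(html_entity_decode($value, ENT_QUOTES, 'UTF-8'));
}

// Test every key and value of $input ($_GET or $_POST) against $blacklist.
// Returns a list of ['key' => name, 'term' => term]; empty means the request passes.
// Nested arrays (e.g. id[]=...) are flattened to "parent[child]" names.
function shieldReport(array $input, array $blacklist, string $prefix = ''): array {
    $hits = [];
    foreach ($input as $key => $value) {
        $name = $prefix === '' ? (string)$key : "{$prefix}[{$key}]";
        if (is_array($value)) {
            $hits = array_merge($hits, shieldReport($value, $blacklist, $name));
            continue;
        }
        $haystack = normalise($name . '=' . $value);
        foreach ($blacklist as $term) {
            if (strpos($haystack, strtolower($term)) !== false) {
                $hits[] = ['key' => $name, 'term' => $term];
            }
        }
    }
    return $hits;
}

// The same test over the whole request URI, which r6 says getShield now inspects
// instead of only QUERY_STRING.
function uriReport(string $requestUri, array $blacklist): array {
    return array_values(array_filter($blacklist, function ($term) use ($requestUri) {
        return strpos(normalise($requestUri), strtolower($term)) !== false;
    }));
}

// Constructed requests: a normal add-to-cart GET (should report nothing), a
// double-encoded POST field (caught only because normalise() decodes first), and a
// legitimate search that trips the over-broad 'flush' term mentioned in the thread.
print_r(shieldReport(['action' => 'add_product', 'products_id' => '28'], $sampleBlacklist));
print_r(shieldReport(['comment' => 'nice %253Cscript%253E'], $sampleBlacklist));
print_r(uriReport('/advanced_search_result.php?keywords=toilet+flush+valve', $sampleBlacklist));
```

Run it with the shop's real blacklist and the failing request's $_GET or $_POST to see the offending term before deciding whether to remove it from the list.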


Taipo,

 

Just wanted to pop a small message to say thanks for the application you developed. Working great

 

Mike


Do or Do Not, there is no try.


Great stuff, thanks for that Mike.

