
Taipo

Oscommerce Security - Osc_Sec.php

599 posts in this topic

Ok I will take a look at it and pop out an update shortly.

 

The update took care of the site monitor issue. All's good. Thanks again for your support!


You're welcome Steve. Seems the issue was actually with something I did in the previous update, not so much an issue with any changes in Site Monitor.


Hi - this is an FYI...

 

Loaded the latest version of osc_sec. We use IP_Trap. Noticed osc_sec was not sending emails any longer. Looks like there needs to be a change in the email send function, as it checks if banipaddress is set as well as send email, but not if IP_Trap is set. I made the following change and it now works:

 

    # send the notification: fire when IP banning OR IP Trap is enabled, not only when banning is
    if ( (( false !== ( bool )$this->_banipaddress ) || ( false !== ( bool )$this->_useIPTRAP )) && ( false !== ( bool )$this->_emailenabled ) ) {
        // ... existing email-sending code, unchanged
    }


Peter


Sorry, I'm a beginner; my website was just hacked.

I've finished the install instructions.

Then how do I know whether the plugin is installed or not?

Sorry for this stupid question, please help.

 

thanks


osC_Sec 4.2[r7]

 

What's New?

- Removed double up entries in the bypass function

- Added a filter to look specifically for osCommerce admin login bypass attempts. Unlike other filters, no requests or files are exempt from this filter.

- (re)Added an x_powered_by() function to overwrite the Apache response header with a custom string to prevent automated attacks from identifying what version of PHP your site is hosted on if expose_php is enabled in the php.ini

- Added an option to disable the tell_a_friend.php page and therefore prevent it from being used to send spam (see readme.htm).

- Fixed issue with the emailer when IP Trap is enabled (thanks to Peter for pointing this out).

- Optional code additions for htaccess to further harden the security of your website.

- Added a check for the multi-byte GBK character

- Added a Local File Inclusion filter to prevent PHP stream php://filter LFI exploit attempts

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Updating: Replace both the osc_sec.php and osc.php files in your website /includes/ directory with the osc_sec.php and osc.php files in the includes directory of this zip file.

 

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

 

Download from: http://addons.oscommerce.com/info/7834


osC_Sec 4.2[r8]

 

Unless any other issues arise, this is the final update for osC_Sec.

 

What's New?

- Update to additional htaccess code to catch local file includes and session hijacking attempts

- Update to getShield and databaseShield filter lists

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Updating:

If you are upgrading from version 4.2[r6] and earlier then please replace both the osc_sec.php and osc.php files in your website /includes/ directory with the osc_sec.php and osc.php files in the includes directory of this zip file.

If updating from 4.2[r7] then all you need do is replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.

 

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

 

Download from: http://addons.oscommerce.com/info/7834


Since this addon has significantly changed since it began, like other addon makers, I have reuploaded osC_Sec to a new location with a greatly expanded description.

 

New Download Location: http://addons.oscommerce.com/info/8283

 

It has a small change compared to the previous upload, but nothing serious enough to need updating; feel free to, though.

 

Final release: osC_Sec 5.0.0 Final


Hi Taipo,

 

Thanks for the continued development of this great enhancement.

 

I have been trying to install the .htaccess hardening portion of the mod, but using the following gives me a 500 error

 

Options +FollowSymlinks

 

Looking on various forums, some say this is required within .htaccess, and some say that it is not.

 

Why would that line of code give me a 500 error?

Is it required?

 

Many Thanks


Chances are your webhost has blocked the use of +FollowSymlinks in htaccess.

 

If this is not already somewhere at the top of your htaccess file, use this instead

 

Options +SymLinksIfOwnerMatch

 

However, if you are using one of the SEO mods you may find this is already at the top of your htaccess file, so there is no need to add it twice.

 

Also remember that code in the htaccess file in the extras directory is more for test purposes than to be used on a working site.

 

If you are familiar with htaccess and are comfortable with what the code in there is trying to achieve then by all means try it out.

 

However just a friendly reminder that it is a rather hardcore method of preventing malicious requests from being executed.


Thanks Taipo,

 

I may just "cherry pick" some of the code from the .htaccess hardening as I don't have a lot of attack attempts on my stores.

 

I have read that a good way to stop access attempts to the admin section is to have a dedicated IP address for your ISP connection and to ban all but this IP address via .htaccess.

 

However, I (like a lot of people, I'm sure) connect via a dynamic IP address which changes with each connection to the internet.

However, the first two numbers of my IP address are always the same. Is there a way to write this into the .htaccess file to only allow IPs that commence with those two numbers to connect to admin (using wildcards)?

I know that this would only block IPs from outside my region/country, but I think that would be a useful additional security addition, as most of the attempted attacks are, in my case, non-UK in origin.

 

Many Thanks


Off the top of my head it would look something like this in your admin .htaccess file.

 

 

order deny,allow
deny from all
allow from 123.123

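The admin-directory rule from the previous post, spelled out as an added example that is not code from osC_Sec or from anyone in the thread: the Apache 2.2 form Taipo gave, plus its Apache 2.4 equivalent so the same file keeps working after a server upgrade. 123.123 is an assumed placeholder for the first two octets of your own ISP's range.

```apacheconf
# Added example, not osC_Sec's own htaccess: restrict the osCommerce admin
# directory to one ISP address range. Save as <catalog>/admin/.htaccess.
# 123.123 is a placeholder for the first two octets of your own range.

# Apache 2.2 (mod_authz_host). With "Order deny,allow" the Deny directives are
# evaluated first, then Allow, and the last directive that matches wins, so the
# Allow below overrides the blanket Deny for clients inside the range.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    # A partial address matches on octet boundaries: 123.123 means 123.123.0.0/16
    Allow from 123.123
    # CIDR notation is accepted too when the ISP range is narrower than a /16
    # Allow from 123.123.64.0/18
</IfModule>

# Apache 2.4 (mod_authz_core): the same rule written with Require. Clients that
# match no Require line receive 403 Forbidden.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 123.123.0.0/16
        # Require ip 198.51.100.0/24    # second range, e.g. an office connection
    </RequireAny>
</IfModule>
```

A two-octet prefix admits the whole /16 block, so this narrows who can even reach the admin login page but does not replace a strong admin password or the renamed admin directory; before relying on it, confirm from another network that the admin URL returns 403.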

Thank you for a great contribution.

 

I added the latest version (5) to a site today, on Fedora Core 10, Apache 2.1.4, PHP 5.2.9, OSC 2.2-MS2. After installation, the Apache server began throwing segmentation faults in the child processes. Within a few minutes the server load had increased significantly, to the point of slowdown. Fedora was unable to kill the faulting processes. Restarting httpd solved the problem for a few minutes, but as soon as any hits started on that site, the segmentation faults began again and overloading soon occurred.

Here are a few lines from the httpd error_log:

[Mon Jan 02 03:05:20 2012] [notice] child pid 3192 exit signal Segmentation fault (11)

[Mon Jan 02 03:06:00 2012] [notice] child pid 3194 exit signal Segmentation fault (11)

[Mon Jan 02 03:07:21 2012] [notice] child pid 3191 exit signal Segmentation fault (11)

I tried stopping Zend eAccelerator, which was not the problem. I reset the .htaccess back to what it was before, which was not the problem. I tried commenting out the require line first in the catalog and then in the admin; neither stopped the segmentation faults, but they slowed. Finally I commented it out in both and the segmentation faults stopped. It seems something in the code itself is causing the faults.

I also have another site on a CentOS 5 server, Apache 2.2.3, PHP 5.1.6, OSC v2.2 RC2a, so I added it there. I got the same errors:

 

[Mon Jan 02 04:14:17 2012] [notice] child pid 20825 exit signal Segmentation fault (11)

[Mon Jan 02 04:15:11 2012] [notice] child pid 21063 exit signal Segmentation fault (11)

[Mon Jan 02 04:17:03 2012] [notice] child pid 21033 exit signal Segmentation fault (11)

On the CentOS server, it handled the faults better and was able to kill them with SIGTERM. Again, the faults stopped when I commented out the osc_sec require lines in both application_top.php files.

 

Any ideas about what may be wrong? Thanks for any help you can give.

 

Richard


I think many segfault issues have been cleaned up in later versions of PHP; however, I have endeavoured to make osC_Sec backward compatible with earlier versions, so I would be keen to find out which part of the code is causing the error notices to be issued.

 

To bug fix the code to see which section is causing the conflict, try the following.

 

1/ set all the settings in osc.php to 0 and see if the errors stop

 

2/ if the error notices continue, try commenting out these in osc_sec.php, one at a time.

 

    fix_server_vars();
    @x_powered_by();
    $this->chkSetup();
    $PHP_SELF = $this->phpSelfFix();
    $this->osCAdminLoginBypass();
    $this->disable_tellafriend();
    $this->dbShield();
    $this->getShield();
    $this->postShield();
    $this->cookieShield();

They are what trigger the various sections in osC_Sec.


Hi Taipo,

 

I upgraded to the latest version of OSC_SEC last night for a client, and today they had problems accessing some of the pages in their admin panel. I started commenting out the osc_sec.php lines as per post 418, and I found that the culprit was the line "$this->dbShield();"

In post 418 you said you were keen to know what was causing the error. I know that my issue might not relate in any way to the issue you were addressing at the time, but I also know that the server that I have the site on is running an old version of PHP, so I thought I would give you the details.

 

Firstly, the server that is hosting the site is running the following:

PHP version 5.2.0-8+etch16

 

The client is running on version 2.2 RC2 of osCommerce.

 

The majority of the client's admin pages worked OK. The following pages would return errors saying that the connection could not be made (default browser error message). I have changed the client's URL and renamed ADMIN folders for security reasons.

https://www.clientURL.com.au/###ADMIN###/orders.php?page=1&oID=567&action=edit

https://www.clientURL.com.au/###ADMIN###/configuration.php?gID=1&selected_box=configuration

The page https://www.clientURL.com.au/###ADMIN###/orders.php?page=1&oID=567 worked fine, but trying to edit it added "&action=edit" to the end of the URL, which it didn't like.

 

Additional information....

I have the following settings turned on in the osc.php file.

$nonGETPOSTReqs = 1;

$spiderBlock = 1;

$disable_tellafriend = 1;

 

$banipaddress = 0;

$useIPTRAP = 0;

$ipTrapBlocked = "";

 

$emailenabled = 1;

 

Please let me know if there is any additional information you require.

 

Please note, I have posted this primarily to give you information on what might be a compatibility issue with an older version of php. If you can find a solution to the dbshield() issue then Great, but that is not a big concern for me.

 

Thanks

 

Simon


What you can do to get an accurate report on what is causing the issue (this will result in osC_Sec banning your IP address, which you can easily unban) is to set $banipaddress = 1 and go back and edit that order. That will cause osC_Sec to ban your IP address and, more importantly, to send you an email with a report of the ban. PM that report through to me privately and I will help you fix this issue.

To unban yourself, merely go to the .htaccess file in your root directory and remove the line 'deny from youripaddress'.


Hi Te Taipo,

 

I uncommented the code, changed the $banipaddress and clicked on the Edit button and got the same error message.

 

However, when I check the htaccess file, my IP address has not been added to the file, and I didn't receive any email notification.

 

Thanks

 

Simon


My apologies, I had assumed that the browser error you were receiving was the 403 access denied error. If it had been, then your IP would have been banned. If you are unable to get a better idea of what the browser error is then we will have to tackle this another way. Firstly, what are the other addons that you are using?


My site (2.2RC2) just got hacked. The hacker deleted my admin account and created 3 new admin accounts.

One of the accounts is called admincrash.

I have installed this now and changed all passwords. What is the next thing to do now?


Now you have to find any infected files and how they got in.

 

Some basic steps on how to do this can be found in my profile.

 

Also links to some other actions you need to do, such as renaming the admin dir and ....

 

HTH

 

G
