
Archived

This topic is now archived and is closed to further replies.

Taipo

Oscommerce Security - Osc_Sec.php

599 posts in this topic

Hey Taipo,

 

Thanks for that, but is this the same as me commenting out the function # $this->postShield(); ? Or is there anything new added?


Does this add on prevent "url injection"?

 

This method was just flagged by my PCI scanning company. I previously installed code to prevent SQL injection in my input fields but didn't realize the SQL could be embedded in the URL osCsid.


Hello, I installed osC_Sec_5.0.2 and everything seemed to be working OK,

I have one problem with PayPal IPN (PayPal IPN v2.3.4.6):

the orders go through, the payment too, but it does not return the status or PayPal details to osC.

 

Please let me know if you can help. Thanks.


Hello, I would like to install your latest version, but I've noticed that I have changed code in both application_top.php files. I believe that this change is from here: http://forums.oscommerce.com/topic/348589-serious-hole-found-in-oscommerce/page__view__findpost__p__1467014, but would you be so kind as to have a look at it and tell me if replacing the following code could break something?

 

admin file:

// set php_self in the local scope
//  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
/**
* Reliably set PHP_SELF as a filename .. platform safe
*/
function setPhpSelf() {
  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
  foreach ( $base as $index => $key ) {
	if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
	  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
		preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
		if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
								  && ( substr( $matches[0], -4, 4 ) == '.php' )
								  && ( is_readable( $matches[0] ) ) ) {
		  return $matches[0];
		}
	  }
	}
  }
  return 'index.php';
} // end method

$PHP_SELF = setPhpSelf();

 

catalog file:

// set php_self in the local scope
//$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
/**
* Reliably set PHP_SELF as a filename .. platform safe
*/
function setPhpSelf() {
  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
  foreach ( $base as $index => $key ) {
	if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
	  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
		preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
		if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
								  && ( substr( $matches[0], -4, 4 ) == '.php' )
								  && ( is_readable( $matches[0] ) ) ) {
		  return $matches[0];
		}
	  }
	}
  }
  return 'index.php';
} // end method

$PHP_SELF = setPhpSelf();


Hello, I installed osC_Sec_5.0.2 and everything seemed to be working OK,

I have one problem with PayPal IPN (PayPal IPN v2.3.4.6):

the orders go through, the payment too, but it does not return the status or PayPal details to osC.

 

Please let me know if you can help. Thanks.

 

Unless I am mistaken, I believe the callback from the PayPal server is a POST request. The latest version of osC_Sec as of http://pastebin.com/uqDeDR0k does not filter the POST variables at all, so it should not be interfering with the order callback.


Hello, I would like to install your latest version, but I've noticed that I have changed code in both application_top.php files. I believe that this change is from here: http://forums.oscommerce.com/topic/348589-serious-hole-found-in-oscommerce/page__view__findpost__p__1467014, but would you be so kind as to have a look at it and tell me if replacing the following code could break something?

 

admin file:

// set php_self in the local scope
//  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];
/**
* Reliably set PHP_SELF as a filename .. platform safe
*/
function setPhpSelf() {
  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
  foreach ( $base as $index => $key ) {
	if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
	  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
		preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
		if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
								  && ( substr( $matches[0], -4, 4 ) == '.php' )
								  && ( is_readable( $matches[0] ) ) ) {
		  return $matches[0];
		}
	  }
	}
  }
  return 'index.php';
} // end method

$PHP_SELF = setPhpSelf();

 

catalog file:

// set php_self in the local scope
//$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
/**
* Reliably set PHP_SELF as a filename .. platform safe
*/
function setPhpSelf() {
  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
  foreach ( $base as $index => $key ) {
	if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
	  if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
		preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
		if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
								  && ( substr( $matches[0], -4, 4 ) == '.php' )
								  && ( is_readable( $matches[0] ) ) ) {
		  return $matches[0];
		}
	  }
	}
  }
  return 'index.php';
} // end method

$PHP_SELF = setPhpSelf();

 

They mostly do the same thing, but you would be best to change the code to the one in osC_Sec, as that is the latest code supplied by the developers of osCommerce as part of the fix to that serious security issue.


Warning: require_once(/home/USER/public_html/shopping/ext/modules/payment/paypal_ipn/includes/osc_sec.php) [function.require-once]: failed to open stream: No such file or directory in /home/USER/public_html/shopping/includes/application_top.php on line 43

 

Fatal error: require_once() [function.require]: Failed opening required '/home/USER/public_html/shopping/ext/modules/payment/paypal_ipn/includes/osc_sec.php' (include_path='.:/usr/lib/php') in /home/USER/public_html/shopping/includes/application_top.php on line 43

 

Line 43 is:

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

 

If I leave this on, PayPal IPN won't work?

 

Any advice would be great.

 

Thank you


replace:

 

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

 

with:

 

 
require_once( '/home/youruser/public_html/includes/osc_sec.php' );

 

This is so that you can use the actual file path.

 

So replace '/home/youruser/public_html/includes/osc_sec.php' with the actual file path to osc_sec.php.


Does using server-wide SSL create these PHP Warnings?

 

Thanks,

EricK

 

[11-Apr-2012 14:55:44] PHP Warning: file() [<a href='function.file'>function.file</a>]: Filename cannot be empty in /home/<user>/public_html/includes/osc_sec.php on line 636

 

[11-Apr-2012 14:55:44] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/<user>/public_html/includes/osc_sec.php:636) in /home/<user>/public_html/includes/functions/sessions.php on line 101

 

[11-Apr-2012 14:55:44] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/<user>/public_html/includes/osc_sec.php:636) in /home/<user>/public_html/includes/functions/sessions.php on line 101

 

[11-Apr-2012 14:55:44] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/<user>/public_html/includes/osc_sec.php:636) in Unknown on line 0


No, but I think if you are using IP Trap along with osC_Sec then you may get that warning. I have written up a fix for this; it will be officially posted shortly.


osC_Sec 5.0.3

What's New?

- Fixed issues causing conflicts with some addons concerning the postShield() function

- Fixed issues causing conflicts with some addons concerning the ipTrap function

 

New install instructions: see the readme.htm; as per usual, all updates contain the complete package.

 

Updating: Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.

 

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

 

Download from: http://addons.oscommerce.com/info/8283


It took me a while to nail this down... but if I keep osC_Sec enabled on one of my stores, I'm unable to supply an XML feed to one of the shopping sites. The feed is being generated by a .php file, and with osC_Sec enabled I was receiving the following error from them: Warning: extract() expects parameter 1 to be array, null given in...

 

I was receiving no emails from osC_Sec to help me nail it down, despite the fact that it is enabled.

 

I was able to see the XML file in my browser just fine. To be able to supply them with the feed, I have to keep osC_Sec disabled at the moment. Any idea, please?


Hello Taipo

 

Does osc_sec stop 2 question marks being included in the URL?

 

Google is trying to see this page *************.php?product_info.php?cPath************

 

But it is finding ***********.phpproduct_info.php?cPath************

 

EDIT: Taipo, thinking about it, I don't think osc_sec has anything to do with the problem because I can type in the ? and the page opens.

 

I'll open a new thread.


Hi Taipo,

 

Upgraded to the latest version and have found that a few genuine customers are being IP Trap banned with the following as reason for the ban:

 

osC_Sec blacklist hex encoded query_string value is banned: %%.

What is this checking for, or what could be causing it?

 

Many Thanks

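The ban reason above comes from a blacklist applied to the raw, still-percent-encoded query string. The example below is added here to show why such a rule bans genuine shoppers (a literal `%%` is just a malformed escape, usually from a broken encoder or a `%` typed into a search box) and how a decode-then-inspect check behaves differently. It is not osC_Sec's code; the real blacklist is not shown in the thread, and the indicator list and sample query strings are constructed.

```python
import re
from urllib.parse import unquote

# A '%' that is not followed by two hex digits is a malformed escape.
# '%%' is the case that was banning real visitors in the thread above.
MALFORMED_ESCAPE = re.compile(r'%(?![0-9A-Fa-f]{2})')

# Decoded-content indicators worth acting on. Constructed for this
# example; osC_Sec's actual blacklist is not on the page.
DECODED_INDICATORS = ('\x00', '../', '<script')


def malformed_escapes(raw_qs):
    """Return each malformed '%' escape with two characters of context."""
    return [raw_qs[m.start():m.start() + 3]
            for m in MALFORMED_ESCAPE.finditer(raw_qs)]


def fully_decode(raw_qs, max_rounds=3):
    """Percent-decode until stable, so %2500 is seen as a NUL, not as '%00'."""
    current = raw_qs
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def naive_verdict(raw_qs):
    """Raw-string blacklist: '%%' anywhere in the request -> ban."""
    return 'ban' if '%%' in raw_qs else 'allow'


def robust_verdict(raw_qs):
    """Inspect the decoded value; malformed encoding is logged, not banned."""
    decoded = fully_decode(raw_qs).lower()
    if any(indicator in decoded for indicator in DECODED_INDICATORS):
        return 'ban'
    if malformed_escapes(raw_qs):
        return 'log'
    return 'allow'


if __name__ == '__main__':
    # Constructed sample query strings: normal, broken encoder, double-encoded NUL.
    for qs in ('cPath=22_30&sort=2a', 'keywords=100%%20cotton', 'file=a%2500'):
        print(f'{qs!r:30} naive={naive_verdict(qs):5} robust={robust_verdict(qs)}')
```

The raw blacklist both over-blocks (the `%%` shopper) and under-blocks (the double-encoded value it never decodes), which is the usual argument for normalising before matching and for logging malformed encodings instead of banning on them.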

Hello Taipo

 

Does osc_sec stop 2 question marks being included in the URL?

 

Google is trying to see this page *************.php?product_info.php?cPath************

 

But it is finding ***********.phpproduct_info.php?cPath************

 

EDIT: Taipo, thinking about it, I don't think osc_sec has anything to do with the problem because I can type in the ? and the page opens.

 

I'll open a new thread.

 

Perhaps it may be linked to Security Pro as that does rewrite the $_GET global.


Hi Taipo,

 

Upgraded to the latest version and have found that a few genuine customers are being IP Trap banned with the following as reason for the ban:

 

osC_Sec blacklist hex encoded query_string value is banned: %%.

What is this checking for, or what could be causing it?

 

Many Thanks

 

Can you PM me the entire email notification please.


Hi Taipo,

 

Sent you the email text by pm.

 

The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP Trap trapped.txt file daily just in case.

 

Thanks


Taipo

 

Okay, I looked into this issue again because I was not able to access the modules box in the admin.

 

I completely removed the .htaccess hardening code that you wrote, and I can access the modules box and, as a bonus, the translate also works now! (w00t)

 

My question now, if you have time: do you think you could see what's up with the .htaccess? I was looking for incidences of & and = but I see they are featured a lot in the .htaccess file, so I can't work out what's what.


Taipo

 

Okay, I looked into this issue again because I was not able to access the modules box in the admin.

 

I completely removed the .htaccess hardening code that you wrote, and I can access the modules box and, as a bonus, the translate also works now! (w00t)

 

My question now, if you have time: do you think you could see what's up with the .htaccess? I was looking for incidences of & and = but I see they are featured a lot in the .htaccess file, so I can't work out what's what.

 

Actually, scratch that: the translation works now regardless of the .htaccess; it's just the modules box that is affected by the .htaccess.


Hi Taipo,

 

Sent you the email text by pm.

 

The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP Trap trapped.txt file daily just in case.

 

Thanks

 

osc_sec creates a trapped.txt file? If so, where would I find it?


Sorry, no: the .txt file is part of the IP Trap contribution.

 

You can select osC_Sec to ban IPs by either .htaccess or by using the IP Trap, as I have done.


Hi Taipo,

 

Sent you the email text by pm.

 

The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP Trap trapped.txt file daily just in case.

 

Thanks

 

Try the latest update, Heather:

 

http://addons.oscommerce.com/info/8283
