Jump to content

Archived

This topic is now archived and is closed to further replies.

Taipo

Oscommerce Security - Osc_Sec.php

Recommended Posts

In that case not only set $arbitrarysession_block = 0;

but also make sure that the appropriate https addresses have been set in the admin/includes/configure.php

Also since changing $arbitrarysession_block to zero, are you still experiencing those other header modification errors?


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi Taipo & Bill,

 

I tried changing $arbitrarysession_block to zero. I also checked and re-checked the application_top.php files I modified--but I couldln't find any discrepancies. My store is running on OsC 2.2-MS2 and I have a security certificate. When I go to lisasstitchingpost.com/admin, I am still on http. When I try to log in using https://etc., the URL changes back to http://etc. Is it possible I'm receiving that warning message because I'm not using a secure connection?

 

I also should've mentioned my browser is IE9. Could that be causing this issue?

 

Thank you again,

Lisa

 

Lisa,

 

:thumbsup: This doesn't have anything to do with osc_sec but it still needs to be done: Change the name of your admin folder to something other than admin!! Most of the osCommerce exploits are looking for the admin folder. Keep in mind, that once you rename the admin folder, you will also need to change the admin references in both of the configure.php files.

 

Regarding the header not sent error message, look for any white space that occures after the very last ?> in any of the php files that you may have altered.


Bill Kellum

 

Sounds Good Productions

STS Tutorials & more: STSv4.6, STS Add-ons (STS Power Pack), STS V4 Forum STS Forum FREE TEMPLATE

Share this post


Link to post
Share on other sites

osC_Sec 2.4.[r7] updated

- added blacklist items

- improved whitelist filtering of multimensional arrays

Download from: http://addons.oscommerce.com/info/7834


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi Taipo,

 

I have installed your osc_sec some time ago and today I installed SEO URLS 5, and upon installation I was required to replace this line in includes/application_top.php:

 

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

With this:

 

/**
 * ULTIMATE Seo Urls 5 PRO by FWR Media
 * function to return the base filename 
 */
 function usu5_base_filename() {
   // Probably won't get past SCRIPT_NAME unless this is reporting cgi location
   $base = new ArrayIterator( array( 'SCRIPT_NAME', 'PHP_SELF', 'REQUEST_URI', 'ORIG_PATH_INFO', 'HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL' ) );
   while ( $base->valid() ) {
     if ( array_key_exists(  $base->current(), $_SERVER ) && !empty(  $_SERVER[$base->current()] ) ) {
       if ( false !== strpos( $_SERVER[$base->current()], '.php' ) ) {
         preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$base->current()], $matches );
         if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                   && ( substr( $matches[0], -4, 4 ) == '.php' )
                                   && ( is_readable( $matches[0] ) ) ) {
           return $matches[0];
         } 
       } 
     }
     $base->next();
   }
   // Some odd server set ups return / for SCRIPT_NAME and PHP_SELF when accessed as mysite.com (no index.php) where they usually return /index.php
   if ( ( $_SERVER['SCRIPT_NAME'] == '/' ) || ( $_SERVER['PHP_SELF'] == '/' ) ) {
     return 'index.php';
   }
   // Return the standard RC3 code 
   return ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0) && ( (bool)ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $_SERVER['SCRIPT_NAME'] ) ) ? basename( $_SERVER['PHP_SELF'] ) : basename( $_SERVER['SCRIPT_NAME'] );
 } // End function
// set php_self in the local scope
 $PHP_SELF = usu5_base_filename();

 

 

However, the original lines were modified during the installation of your osc_sec. Your install guide ask exactly to:

 

Find: (line may be longer depending on which version of oscommerce you have)

 

// set php_self in the local scope

if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

IMPORTANT: Remove the above line from both application_top.php files and replace entire line with:

 

// set php_self in the local scope

if ( empty( $PHP_SELF ) ) $PHP_SELF = ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );

 

 

In short, the original lines were:

 

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

Which upon installing your osc_sec I replaced with:

 

// set php_self in the local scope
if ( empty( $PHP_SELF ) ) $PHP_SELF = ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );

 

And today I had to replace it again, removing the modified code given by your installation guide, and replace it with SEO's.

 

Hopefully I am not compromised and your osc_sec will still work with this modification.

Share this post


Link to post
Share on other sites

The code from USU5 will not interfere with the way osC_Sec works as both addons contain the patch to the security hole that is in osCommerce 2.2.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

The code from USU5 will not interfere with the way osC_Sec works as both addons contain the patch to the security hole that is in osCommerce 2.2.

 

Just what I thought - thank you.

Share this post


Link to post
Share on other sites

Hi,

Really appreciate your help with security. I had to remove this contrib from two of my websites as it caused issues.

The first was it would not let customers complete the order process for a first time order. On the other site it prevented the search box from functioning as every search word was returned as not available.

 

I also have the KISS debug mod added and your coding pulls alot of errors for code issues.

Thanks

Matt


If the only tool you have is a hammer, all your problems look like nails

Share this post


Link to post
Share on other sites

Any idea what those error messages actually were that you experienced?


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Yes please do, especially if you come across any errors of conflicts with other addons as its best I make this as cross compatible as possible so its important that if there are errors that people send the actual error message if they can.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi,

 

Appreciate adding security for older version:)

 

I uploaded the file but could not get it to work.

 

when I add

 

require(DIR_FS_CATALOG . 'includes/osc_sec.php');

 

to the catalog/application_top.php

 

it says there is no such directly. It says like this

 

 

Warning: require(/hsphere/local/home/******/mydomain.com/catalogincludes/osc_sec.php): failed to open stream:

 

so it is missing / between the directly. when I add / before includes to the line like this

 

require(DIR_FS_CATALOG . '/includes/osc_sec.php');

 

now it says

 

Content Encoding Error

 

The page you are trying to view cannot be shown because it uses an invalid or unsupported form of compression.

 

Is there anything else I can try?

 

Thank you for your help!

Share this post


Link to post
Share on other sites

If all else fails you could just hard code the require:

require('/hsphere/local/home/******/mydomain.com/catalog/includes/osc_sec.php');

 

I cannot think of anything that could be causing the compression error as osC_Sec does not deal with compressing files. What other addons are you currently using?


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites
so it is missing / between the directly....

 

More likely DIR_FS_CATALOG in your configure.php file is missing an ending '/'

 

  define('DIR_FS_CATALOG', /home/user/public_html/catalog/');

 

Instead of

 

  define('DIR_FS_CATALOG', /home/user/public_html/catalog');

 

Either way hard coding the file path should fix that issue if adding the extra forward slash to the 'DIR_FS_CATALOG' in both configure.php files creates additional errors on your site. In that case you would have to also hard code the 'DIR_FS_CATALOG' references also in osc_sec.php settings area.

 

  $htaccessfile = DIR_FS_CATALOG . ".htaccess";
 $ipTrappedURL = DIR_FS_CATALOG . "banned/IP_Trapped.txt";

 

However it is much easier just to add the extra forward slash in the configure.php files in both your includes directories.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi,

 

Thank you for quick reply:)

I have this in my configure.php

 

define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']));

 

Do I need to change this to what you mentioned?

 

Thank you again!!

Share this post


Link to post
Share on other sites

Hi,

 

Thank you for quick reply:)

I have this in my configure.php

 

define('DIR_FS_CATALOG', dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']));

 

Do I need to change this to what you mentioned?

 

Thank you again!!

 

I would be interested in what version of osCommerce you are using. I have a few versions installed here to test on and none of them have the dir_fs_catalog defined in that manner (just for my testing purposes).

 

So in that case I would leave that as it is and change the require in both includes/application_top.php files to the actual file path, as well as the two references in osc_sec.php

 

That still does not address the file compression issue which sounds like it is a conflict with another addon that backs up files maybe?


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Oh, and I had another question.

 

Does this work as same as this contribution??

 

That addon is trying to achieve the same outcome and on a great majority of webservers it would patch the admin bypass exploit aspect the range of problems with the earlier versions of oscommerce, but on some servers where PHP is configured differently that patch alone will break the $current_page code. However it is certainly better than nothing. The best patch though is the one in Oscommerce 2.3.1 which has been copied into osC_Sec along with a few other backup methods of achieving the same result.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

osC_Sec 2.4[r8] update

Whats New?

- fixed write access message so that it no longer displays the root path on install

- added a whitelist for IP addresses to protect from accidentally banning 3rd party payment callbacks like Paypal

- added more blacklist items

- developed out method 2 of the php_self check

 

Download from: http://www.oscommerce.com/community/contributions,7834


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

That addon is trying to achieve the same outcome and on a great majority of webservers it would patch the admin bypass exploit aspect the range of problems with the earlier versions of oscommerce, but on some servers where PHP is configured differently that patch alone will break the $current_page code. However it is certainly better than nothing. The best patch though is the one in Oscommerce 2.3.1 which has been copied into osC_Sec along with a few other backup methods of achieving the same result.

 

Thank you Taipo.

I tried to find out what version I am using but I could not find that info.

It has 2003 in it so it is pretty old for sure, but it has been heavily modified and I have not taken time to upgrade whole store...

I love this community. I learned so much from people like you. I had no knowledge when I started.

 

I will have to play around some more what works with my store.

 

Thank you again!!

Share this post


Link to post
Share on other sites

I did manage to test osC_Sec on one of the earlier versions of osCommerce and it seemed to work ok, however I assume that it will be an addon that is causing that error in question, something associated with backing up the site using gzip.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

osC_Sec_2.4[r9] Updated

Whats new?

- improved the way the phpSelf function checks for faulty $PHP_SELF results

- fixed issues with the banning of directly viewing osC_Sec.php

 

Download from: http://www.oscommerce.com/community/contributions,7834


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

osC_Sec_2.4[r9] Updated

Hiya! I really appreciate all the work you put into this. Osc Sec is a vital add-on, and you're doing a great job!

 

I was wondering, though, if you would consider putting the settings in a separate file? This would make it easier to install new updates.

 

Cheers!

Share this post


Link to post
Share on other sites

Actually thats a good suggestion, thanks for that. I will set that up for the next update which will be version 2.5

 

Currently 2.4[r9a] is the latest which has a number of little comment removals in it that I missed in revision 9.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

This is just an observation on my part so don't anyone take this the wrong way.

 

I'm not "poking holes in" or trying to detract from anyone's great work.

 

As I said - this is just an observation.

 

It looks like it hasn't come up yet but this code in the contribution:

 

  } elseif ( strtolower( $_SERVER[ "HTTPS" ] ) != "on" ) {
       $oscsecHTTP = "http://";
 }

Will not accurately determine if SSL is active or not on every server.

 

$_SERVER[ "HTTPS" ] is undefined on some servers even if SSL is active.

 

On some servers it's not set to "on" when active.

 

For example on 1AND1 Hosting you have to use this to detect SSL:

 

getenv('HTTPS') == '1'

Given the things I've had to have store owners change in the SSL Implementation Help support thread to get SSL to be detected by the store.

 

$_SERVER[ "HTTPS" ] is supposed to work (it even says that on the php.net site) but it doesn't on every site that uses SSL.

 

If you already have SSL installed and working on your site, check your /catalog/includes/application_top.php for what it uses to successfully detect SSL.

 

The default code is this:

 

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

If you have something else other than that to detect SSL you'll probably have to integrate whatever you use into the Osc_Sec file.

 

As far as I know there is no "Holy Grail" piece of code that will detect SSL 100% all the time on every server.

 

That part of the reason I started the SSL implementation help thread.


If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Share this post


Link to post
Share on other sites

Good point. Unfortunately I have yet to rip that section out of osC_Sec which is why it is still there. But its on the list for removal as it is not as needed as I first envisaged when I first began looking for security holes in osCommerce. Probably in the next release it will be gone.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

×