Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Archived

This topic is now archived and is closed to further replies.

Taipo

Oscommerce Security - Osc_Sec.php

Recommended Posts

Ok, it is working.

I was thinking of blocking ip address ranges for entire countries that have no business accesssing my site.

Any down sides?

Share this post


Link to post
Share on other sites

It wont stop determined people from accessing your website and could block legitimate customers.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Glad it works for you.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi Taipo,

 

I added your contribution osC_Sec 5.1.4 and followed the directions for installing it. However, I ran into this error:

 

Fatal error: Cannot instantiate non-existent class: arrayiterator in /home/virtual/site1/fst/var/www/html/catalog/includes/osc_sec.php on line 1230

 

I have no idea what to do about this. My version of osC is very old -- it's the multi-store contribution by Ryan Hobbes with a date of 2003, if this helps, that has been heavily customized.

 

Many thanks,

Lee

Share this post


Link to post
Share on other sites

I think the problem may be more that the version of PHP your webserver has installed is too old.

 

I will see if I can rewrite it without the use of the PHP ArrayIterator class. This may fix this issue, but you may find other parts of the code incompatible with the version of PHP installed.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

I have made a few changes to osC_Sec

http://addons.oscommerce.com/info/8929

 

Whats New?
- Updated blacklists
- Update fix_server_vars
- Added x_secure_headers
- Replaced ArrayIterator in getRealIP with backward compatible code
- Updated check_ip
 

This 'may' fix your issues but I would highly recommend as usual that you do update to a newer version of both PHP and of osCommerce.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Reuploaded due to a small non-critical bug in my coding.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Taipo, I tried moving 5.14 to 5.17 on my 2.3.4 shop and when I did all text fields on the admin side were suddenly broken, like language files were all missing. fyi


-Dave

Share this post


Link to post
Share on other sites

Hi Taipo,

 

Thank you, I've uploaded the new version and for the /catalog directory it works fine (after a fashion -- it gets hung up on the language stuff as this is a multi-stores mod, I assume, but it's good enough to protect that directory I hope).

 

At any rate, I still cannot add it to the /catalog/admin application_top because I get the following error:

 

Fatal error: Call to undefined function: hextoascii() in /home/virtual/site1/fst/var/www/html/catalog/includes/osc_sec.php on line 537

 

Thank you!

Lee

 

Share this post


Link to post
Share on other sites

I've uploaded an update which should address that issue. Sorry, I rushed that update yesterday, fixed that hextoascii bug and also reset the error reporting back to production server mode.

 

http://addons.oscommerce.com/info/8929


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Okay, I applied the latest version and /catalog works just fine -- much better!

 

However, adding it to application_top 1) does this to the login box labels:

TEXT_INFO_USER_NAME  TEXT_INFO_PASSWORD   

 

 

and 2) does NOT log you in to the admin panel.

 

I know one of the instructions for old installations is to find

  $redirect = true;
}
After, add the following:
    if ( !isset( $login_request ) || isset( $HTTP_GET_VARS[ 'login_request' ] ) || isset( $HTTP_POST_VARS[ 'login_request' ] ) || isset( $HTTP_COOKIE_VARS[ 'login_request' ] ) || isset( $HTTP_SESSION_VARS[ 'login_request' ] ) || isset( $HTTP_POST_FILES[ 'login_request' ] ) || isset( $HTTP_SERVER_VARS[ 'login_request' ]) ) {
      $redirect = true;
    }
Lastly open catalog/admin/login.php and find the following line:
 Released under the GNU General Public License
*/
After, add the following:
    $login_request = true;

However, even though I have a login, I do not have $redirect = true; in my /admin/application_top -- I've attached my version of /admin/application_top (I have the multi-stores version of osCommerce)

 

Many thanks!

Lee

 

application_top-in-admin.txt

Share this post


Link to post
Share on other sites

Try this:

in application_top.php you have the following:

// set php_self in the local scope
$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

Add the include under that section

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

The reason is, there is a problem with the way $PHP_SELF is set which is actually fixed in osC_Sec.

 

Do this in at least the catalog side of your store. If it doesnt interfere with the customer logins, then also add it to the admin includes/application_top.php too - which by the way is the more critical part.

 

On the admin side you would be better to add htaccess protection though to end any attempts to exploit 2.2

 

As for the rest of the changes, they are option, so just leave them and see if that works.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Also I found one of the headers in osC_Sec might also be causing some conflicts, so have removed it in the latest update 5.1.9


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi, first of all, thank you for keeping this updated! I have just updated to the latest 5.1.9 and I'm unable to login into my admin - FF is giving me the page isn't redirecting properly message.


Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

The issue is that the $PHP_SELF is not being set properly I think...Uploaded 5.2.0 with a fix that may help that login.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Could it be caused by the osc_sec.php that I am now unable to load the page without SSL? I mean when I type http://www.originalabsinthe.com it always redirects to https despite these settings in configure.php:

  define('HTTP_SERVER', 'http://www.originalabsinthe.com');
  define('HTTPS_SERVER', 'https://www.originalabsinthe.com');
  define('ENABLE_SSL', true);

Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

OK, I have noticed another issue: when I go to product page, for example http://www.originalabsinthe.com/absinthe-liquor-absinth-king-spirits-gold-p-56.html  I am unable to purchase the item, after I hit Add to Cart button, I receive an error that the page is not redirecting properly - This web page has a redirect loop error message in Chrome. Works fine in v 5.1.4._1.


Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

I think they are both the same problem, and probably not related to osc_sec. At a guess it would most likely be SEO related, and isnt that the point of ENABLE_SSL setting, to force HTTPS? 

 

There should be nothing in osc_sec that affects https settings though.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

OK, my apologies, the first issue is sorted, my browser was behaving funny. However the second issue still remains and it is osc_sec related because it works fine in previous version 5.1.4._1. If I load that version, button Add to Cart works fine, if I load the new version, loop error, page is nod redirecting properly. Can you please have a look at it


Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

Firstly try this:

 

find:

header( 'strict-transport-security: max-age=31536000; includeSubDomains' );
header( 'access-control-allow-methods: POST, GET' );
header( 'x-frame-options: SAMEORIGIN' );
header( 'x-xss-protection: 1; mode=block' );

Go through each one, one at a time and place a hash in front of them, like this

 

#header( 'strict-transport-security: max-age=31536000; includeSubDomains' );
header( 'access-control-allow-methods: POST, GET' );
header( 'x-frame-options: SAMEORIGIN' );
header( 'x-xss-protection: 1; mode=block' );
header( 'strict-transport-security: max-age=31536000; includeSubDomains' );
#header( 'access-control-allow-methods: POST, GET' );
header( 'x-frame-options: SAMEORIGIN' );
header( 'x-xss-protection: 1; mode=block' );
etc and test for the loop until you have tested all 4 headers (more than one could be causing problems).

 

If the problem is not there, then let me know and we can try something else.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

I've been disabling one by one and still the same result, product is added to basket but loop error. I've also disabled all four at once and same result I'm afraid - The page isn't redirecting properly. I have noticed that the URL after I click the button is not correct. It should stay the same but it is changed to http://www.originalabsinthe.com/index.php?products_id=70which is obviously wrong.


Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

Next step is to do the same thing but with the following found throughout the first section of the code:

        fix_server_vars();

        $this->_REQUEST_Shield();

        $this->dbShield();

        $this->getShield();

        $this->postShield();

        $this->cookieShield();

        $this->checkReqType();

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

×