Jump to content

Archived

This topic is now archived and is closed to further replies.

Taipo

Oscommerce Security - Osc_Sec.php

Recommended Posts

I had a further sweep through the code differences in the latest release and found another little bug. So try the latest release 5.2.1 and hopefully that has fixed it.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Thats great news.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

There was however one BIG advantage with the version 5.2.0, I have "star product" contribution installed on the home page (where the image of King Gold is) and there is a Add to Cart button. It works fine, however after adding the product to cart, the page redirects to product_info.php page with Product Not Found title. Same for module Specials that is on the same page... There was no redirection with v 5.2.0, product was added to cart and page remained same. Would you please perhaps have a solution that would cure this Product Not Found redirection?


Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

I am not able to replicate this issue. When I add to the cart it appears to work fine for me.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Try any product in the bottom box called Specials for May please, I have changed the code for buy now in the Star box but if you hoover above it it doesn't seem right even if it works.


Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

Which version of star product as you using?

 

Also, try going through the same test you ran earlier commenting out these, one at a time.

fix_server_vars();

$this->_REQUEST_Shield();

$this->dbShield();

$this->getShield();

$this->postShield();

$this->cookieShield();

$this->checkReqType();

Let me know if one of those is the cause.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

OK, I've disabled all of those lines, one by one and no change, products is added to cart and redirect follows to product_info.php with title Item Not Found. Just to avoid confusion, same behavior in v 5.1.4._1, it was only working as expected in v.5.2.0.

 

With regards to star product, it is rather old version 1.6 I believe and since it was edited, and it is rather short code, I post it:

<?php
//REMOVE THIS LINES IF YOU DON'T WANT TO SHOW THE HEADER
//  $header_star_product = array();
//  $header_star_product[] = array('align' => 'center', 'text' => sprintf(STAR_TITLE));
//  new contentBoxHeading($header_star_product);
//END OF -REMOVE THIS LINES IF YOU DON'T WANT TO SHOW THE HEADER-

  function tep_star_product_with_attributes($products_id) {
  $attributes_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_ATTRIBUTES . " where products_id = '" . (int)$products_id . "'");
  $attributes = tep_db_fetch_array($attributes_query);

  if ($attributes['count'] > 0) {
    return true;
  }
  else {
    return false;
    }
  }
  
  $star_products_query = tep_db_query("select substring(pd.products_description, 1, 598) as products_description, p.products_id, p.products_image, p.manufacturers_id, p.products_price, IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price, p.products_tax_class_id, sp.product_id from ( " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_STAR_PRODUCT . " sp ) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id where p.products_id = pd.products_id and p.products_status = '1' and pd.products_description != '' and p.products_id=sp.product_id and pd.language_id = '" . $languages_id . "'");
  $star_products = tep_db_fetch_array($star_products_query);
  $star_products['products_name'] = tep_get_products_name($star_products['products_id']);
/*  $evita_cortar_palabras = explode( ' ',  $star_products["products_description"] );
array_pop( $evita_cortar_palabras );
$star_products["products_description"]  = implode( ' ', $evita_cortar_palabras );
*/
//if (tep_star_product_with_attributes($star_products['products_id'])) {
 if (MODULE_ORDER_TOTAL_SHIPPING_FREE_SHIPPING == 'true') { 
  $star_products["0"] = array('align' => 'center',
				      'params' => 'width="100%" valign="top"',
                                      'text' => '<tr>
						   <td align="center" width="100%"><a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $star_products['products_id']) . '">' . tep_image(DIR_WS_IMAGES . $star_products['products_image'], $star_products['products_name'], STAR_IMAGE_WIDTH, STAR_IMAGE_HEIGHT, 'hspace="0" vspace="0"') . '</a></td>
						 </tr>
						 <tr>
				      	   <td width="100%" class="star-product-title">' . $star_products['products_name'] . '</td>
						 </tr>
						 <tr>
						   <td width="100%" class="star-product-price" align="center">' . STAR_PRICE .
$products_price = $currencies->display_price($star_products['final_price'], tep_get_tax_rate($star_products['products_tax_class_id'])) . '</td>
						 </tr>
						 <tr>
						 <td class="main" align="center">' . STAR_FREE_SHIPPING . '</td>
						 </tr>
						 <tr>
						   <td width="100%" class="star-product" align="center"><a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $star_products['products_id']) . '">' . STAR_READ_MORE . '</a>  |  <a href="' . tep_href_link(FILENAME_HOME, tep_get_all_get_params(array('action')) . 'action=buy_now&products_id=' . $star_products['products_id'], 'NONSSL') . '">' . STAR_ADD . '</a><br /><br />					    
						   </td>
						 </tr>');
$star_products_output = array_slice($star_products, sizeof($star_products)-1);
new productListingBox($star_products_output);
}
else {
  $star_products["0"] = array('align' => 'center',
				      'params' => 'width="100%" valign="top"',
                                      'text' => '<tr>
				      		   <td align="center" width="100%"><a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $star_products['products_id']) . '">' . tep_image(DIR_WS_IMAGES . $star_products['products_image'], $star_products['products_name'], STAR_IMAGE_WIDTH, STAR_IMAGE_HEIGHT, 'hspace="0" vspace="0"') . '</a></td>
						 </tr>
						 <tr>
				      	   <td width="100%" class="star-product-title">' . $star_products['products_name'] . '</td>
						 </tr>
						 <tr>
						   <td width="100%" class="star-product" align="center">' . STAR_PRICE_OLD . $products_price = $currencies->display_price($star_products['products_price'], tep_get_tax_rate($star_products['products_tax_class_id'])) . '</td>
						 </tr>
						 <tr>
						   <td width="100%" class="star-product-price" align="center">' . STAR_PRICE .
$products_price = $currencies->display_price($star_products['final_price'], tep_get_tax_rate($star_products['products_tax_class_id'])) . '</td>
						 </tr>
						 <tr>
						   <td width="100%" class="star-product" align="center"><a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $star_products['products_id']) . '">' . STAR_READ_MORE . '</a>  |  <a href="' . tep_href_link(FILENAME_HOME, tep_get_all_get_params(array('action')) . 'action=buy_now&products_id=' . $star_products['products_id'], 'NONSSL') . '">' . STAR_ADD . '</a><br /><br />					    
						   </td>
						 </tr>');
$star_products_output = array_slice($star_products, sizeof($star_products)-1);
new productListingBox($star_products_output);
}
?>

Replacing FILENAME_PRODUCT_INFO with FILENAME_HOME helps to avoid the same issue I'm having with Specials box. However it doesn't seem right...


Absinthe Original Liquor Store

Share this post


Link to post
Share on other sites

Yeah it would have worked in 5.2.0 because it was malfunctioning...

 

Other thing is to test disabling 

$this->setGlobals();

On the off chance this has some affect.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Lastly try commenting out

$PHP_SELF = $this->phpSelfFix();

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Well that pretty much disables everything osC_Sec does. So I am stumped as to what could be the cause.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hello Taipo,

 

I'm running OSC 2.3.4 with Ultimate SEO URLs. PHP 5.3.29. Now my question:

 

1.) I modified the application_top.php in the admin/includes section like this:

 

// some code to solve compatibility issues
  require(DIR_WS_FUNCTIONS . 'compatibility.php');
  require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

// set php_self in the local scope
  $req = parse_url($HTTP_SERVER_VARS['SCRIPT_NAME']);
  $PHP_SELF = substr($req['path'], ($request_type == 'SSL') ? strlen(DIR_WS_HTTPS_ADMIN) : strlen(DIR_WS_ADMIN));
 
// set php_self in the local scope
  if( !isset( $PHP_SELF ) ) {
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
  }
 

 

2.) The application_top.php in the catalog/includes folder like:

 

// some code to solve compatibility issues
  require(DIR_WS_FUNCTIONS . 'compatibility.php');
  require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';


/**
  * ULTIMATE Seo Urls 5 PRO by FWR Media
  * function to return the base filename
  */
  function usu5_base_filename() {
    // Probably won't get past SCRIPT_NAME unless this is reporting cgi location
    $base = new ArrayIterator( array( 'SCRIPT_NAME', 'PHP_SELF', 'REQUEST_URI', 'ORIG_PATH_INFO', 'HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL' ) );
    while ( $base->valid() ) {
      if ( array_key_exists(  $base->current(), $_SERVER ) && !empty(  $_SERVER[$base->current()] ) ) {
        if ( false !== strpos( $_SERVER[$base->current()], '.php' ) ) {
          preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$base->current()], $matches );
          if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                    && ( substr( $matches[0], -4, 4 ) == '.php' )
                                    && ( is_readable( $matches[0] ) ) ) {
            return $matches[0];
          }
        }
      }
      $base->next();
    }
    // Some odd server set ups return / for SCRIPT_NAME and PHP_SELF when accessed as mysite.com (no index.php) where they usually return /index.php
    if ( ( $_SERVER['SCRIPT_NAME'] == '/' ) || ( $_SERVER['PHP_SELF'] == '/' ) ) {
      return 'index.php';
    }
    // Return the standard RC3 code
    return ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0) && ( (bool)ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $_SERVER['SCRIPT_NAME'] ) ) ? basename( $_SERVER['PHP_SELF'] ) : basename( $_SERVER['SCRIPT_NAME'] );
  } // End function

// set php_self in the local scope
  $PHP_SELF = usu5_base_filename();
 
// set php_self in the local scope
  if( !isset( $PHP_SELF ) ) {
    if ( @phpversion() >= "5.0.0" && ( !ini_get("register_long_arrays" ) || @ini_get("register_long_arrays" ) == "0" || strtolower(@ini_get("register_long_arrays" ) ) == "off" ) ) $HTTP_SERVER_VARS = $_SERVER;
    $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );
  }
 

Does it work, and does it make sense to set the if causes and leave the originals? Your help would be appreciated. Thank you in advance,

 

stefan

Share this post


Link to post
Share on other sites

osC_Sec was coded to address security issues in earlier versions of osCommerce.

 

For 2.3.4, the following code inclusion is enough.

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

Leave the other changes, they are only if you are still using 2.2 versions


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

 

Sorry I missed this. If you are using Oscommerce. 2.2 then you should probably also install osC_Sec.

 

As to the 404s, they aren't really a security issue, its just some misconfigured cache breaking attempt of a crawler that is probably using proxy servers.

 

The urls you should focus on are the ones that return a 200 ;) which is what osC_Sec deals with.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

osC_Sec was coded to address security issues in earlier versions of osCommerce.

 

For 2.3.4, the following code inclusion is enough.

require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

Leave the other changes, they are only if you are still using 2.2 versions

 

Thank you very much for your reply.

stefan

Share this post


Link to post
Share on other sites

Taipo,

 

coming up with another question.

 

In default is:

HTTP Errors you want to exclude any ban 400,401,403,404,405,408,415,416,417,500,501,502,503,504,505

 

The help says:

The HTTP Errors that you want to exclude being banned
Seperate by a comma .... example 401,403,404 etc I suggest you only ban 404, and possibly 403.

 

As I'm only a user, I do not understand clearly - should I leave the default, or is your suggestion only to put 404 and 403 in the list?

 

Thank's again for your reply.

stefan

Share this post


Link to post
Share on other sites

Perhaps you are referring to another addon other than osC_Sec?

 

Are you also using IP_Trap?


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Shame on me - you're right! I mixed up your addon and Linuxuk http and IP Trap. I'm sorry that I have bothered you, won't happen again.

 

stefan

Share this post


Link to post
Share on other sites

Hey no problem.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi  Taipo

 

Running a security patched ms2.2 version  what version of osc_sec would work please and what is the best way to test it, I have install osc_sec and set it to work with ip trap but it does not seems to trigger ip trap when I test it.

 

Many Thanks


Using Bootstrap 8-)

Share this post


Link to post
Share on other sites

Sorry must learn to read is there a link to your Ip trap using the wrong one lol


Using Bootstrap 8-)

Share this post


Link to post
Share on other sites

×