
Archived

This topic is now archived and is closed to further replies.

Taipo

Oscommerce Security - Osc_Sec.php


Not sure what is causing that. If it interferes too much with the way your site runs then change

 

$GETcleanup = 1;

 

to

 

$GETcleanup = 0;

 

in osc.php as it is not a crucial function of osC_Sec. The crucial aspects are not optional for users to switch on and off.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


osC_Sec_2.5[r7] Updated

What's New?

- Removed htaccess warning when htaccess file is not writable.

- Added blacklist items to the GET request list

- Changed the IP address locator to http://en.utrace.de/whois/

- Added more Paypal IP addresses to the whitelist

- Allowed OPTIONS request type in the requests whitelist

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download package from: http://www.oscommerce.com/community/contributions,7834




I do not want to disable GET cleanup; instead I have made a little modification to scrubster's preg_replace to add Russian alphabet symbols:

$nodes = preg_replace('/[^а-яА-Я\w\s\p{L}\d\r?,Ђ=@%:{}\/.-]/i', '', urldecode( $nodes ) );


Taipo, line 371 of osc_sec.php may generate an E_NOTICE, which is bad practice.

Maybe it's better to write it as

 if (isset($hasHexvars) && $hasHexvars ) {



Maybe we make that the official patch for the Russian version (for future reference):

 

 /**
  * Clean up GET request vars
  * as well as multidimensional arrays
  */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
         foreach( $nodes as $key=>$value ) {
               // recurse and write the cleaned value back; the earlier version
               // discarded the recursive result and tested is_string( $nodes )
               // instead of is_string( $value ), so nested arrays came back untouched
               $nodes[$key] = scrubster( $value );
         }
    } elseif ( is_string( $nodes ) ) {
         $nodes = preg_replace('/[^а-яА-Я\w\s\p{L}\d\r?,Ђ=@%:{}\/.-]/i', '', urldecode( $nodes ) );
    }
    return $nodes;
 }


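The scrubster() patch above, as an added example that is not part of the original thread or of osC_Sec: a version of the function that recurses into nested GET arrays and keeps the cleaned values, plus a check of the charset point behind the Cyrillic ranges in the posted pattern. It assumes a store charset the thread never states (Russian osCommerce stores of that era often ran in windows-1251, where the byte-wise ranges are correct; a UTF-8 store needs the u modifier). The helpers scrubPattern(), isUtf8() and demo(), and the sample GET data, are constructed for this example.

```php
<?php
// Added example, not osC_Sec's own code. It shows a scrubster() that really
// recurses into nested GET arrays and writes the cleaned values back, and why
// the Cyrillic ranges in the posted pattern only do what was intended when the
// pattern's charset matches the store's charset.

/**
 * Build the thread's allow-list pattern for a given store charset.
 * Assumption (the thread does not say): Russian osCommerce stores of that era
 * often ran in windows-1251, where а-я and А-Я are single-byte ranges
 * (0xE0-0xFF and 0xC0-0xDF) and the plain byte-wise pattern is correct.
 * A UTF-8 store needs the "u" modifier; without it PCRE treats the multi-byte
 * letters as byte ranges. The stray "Ђ" from the posted pattern is left out.
 */
function scrubPattern($charset)
{
    // This file itself is saved as UTF-8, so the class below is UTF-8.
    $class = '[^а-яА-Я\w\s\p{L}\d\r?,=@%:{}\/.-]';
    if (strcasecmp($charset, 'UTF-8') === 0) {
        return '/' . $class . '/iu';
    }
    // Transcode the pattern so its Cyrillic ranges become single bytes.
    return '/' . iconv('UTF-8', $charset, $class) . '/i';
}

/**
 * Strip every character outside the allow-list from a string or from each
 * leaf of a (nested) array. The posted version discarded the recursive
 * result and tested is_string($nodes) instead of is_string($value), so
 * nested arrays such as filter[name] came back untouched.
 */
function scrubster($nodes, $pattern)
{
    if (is_array($nodes)) {
        foreach ($nodes as $key => $value) {
            $nodes[$key] = scrubster($value, $pattern);
        }
        return $nodes;
    }
    if (!is_string($nodes)) {
        return $nodes;                  // ints, null, bools pass through
    }
    $clean = preg_replace($pattern, '', urldecode($nodes));
    // Under /u, preg_replace() returns null for invalid UTF-8: fail closed.
    return $clean === null ? '' : $clean;
}

// True when $s is well-formed UTF-8 (preg_match() fails on bad UTF-8 under /u).
function isUtf8($s)
{
    return preg_match('//u', $s) === 1;
}

function demo()
{
    // Constructed sample in the shape osCommerce gives $_GET for
    // index.php?cPath=22_24&filter[name]=Ботинки<script>alert(1)</script>&filter[q]=%27%20OR%201%3D1
    $get = array(
        'cPath'  => '22_24',
        'filter' => array(
            'name' => 'Ботинки<script>alert(1)</script>',
            'q'    => '%27%20OR%201%3D1',
        ),
    );
    $word   = 'русский';
    $cp1251 = iconv('UTF-8', 'Windows-1251', $word);

    return array(
        // UTF-8 store with the /u pattern: Cyrillic kept, <>() stripped at every depth.
        'utf8'           => scrubster($get, scrubPattern('UTF-8')),
        // Posted byte-wise pattern (no /u) on UTF-8 input: letters whose second
        // byte falls outside the byte ranges lose that byte, leaving broken UTF-8.
        'bytewise_valid' => isUtf8(preg_replace('/[^а-яА-Я\w\s\p{L}\d\r?,=@%:{}\/.-]/i', '', $word)),
        // windows-1251 store: the byte-wise pattern with single-byte ranges is right.
        'cp1251_intact'  => scrubster($cp1251, scrubPattern('Windows-1251')) === $cp1251,
    );
}

if (PHP_SAPI === 'cli') {
    var_export(demo());
    echo "\n";
}
```

Run it with php from the command line. The nested filter[name] value comes back with the Cyrillic intact and the angle brackets and parentheses removed, the byte-wise run over UTF-8 input yields a string that is no longer valid UTF-8, and the windows-1251 run leaves the word unchanged; which of the two patterns belongs in osc_sec.php depends on the store's charset, not on the language.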


It shouldn't, because it has been defined on line 32 of the latest version that came out earlier today. Although it doesn't hurt to still ask the question: has it been set?



TIP:

 

Maximizing server resources:

Once you have set up osC_Sec and it is sending you email notifications, and once you are happy that your site is now protected against the base attacks being levelled at it, it is probably time to switch off email notifications and just let osC_Sec do its thing.

 

If you choose not to use the $banipaddress function, it is also a good idea not to use email notifications at all. Because the IP is not banned, the attack tool being levelled at your site is free to repeat its request in a hammering motion. That is fine if all osC_Sec is doing is killing the page load and sending a 403 header response (which is what it does when $banipaddress is disabled); however, it gets a little resource intensive if you are receiving an email notification of every attack attempt.

 

The notifications should only be used initially so that you know that your site is being protected. If your site is heavily attacked daily, that is more a reason to disable email notifications and take some of the strain off your webserver so that it does not have to email out on every detected attack.

 

To disable email notifications:

 

Open catalog/includes/osc.php

 

Find

$emailenabled = 1;

Set to

$emailenabled = 0;

Find

$diagenabled = 1;

Set to

$diagenabled = 0;



osC_Sec 2.6 - The Big Shakeup

What's New?

- Set $banipaddress and $emailenabled in osc.php by default to disabled.

- Fix up of scrubster function

- Added feature to test post strings in reverse against the blacklist

- Removed the REQUEST filtering as this is aptly covered in POST and GET

- Rewrite of much of the main sections moving much of the code into functions

- Removed the emtee() function as it is not needed

- osC_Sec now checks for reversed malicious GET request strings

- Further refinement of the GET filtering (based more closely on FWR_MEDIA's concept, with additions)

- Fine tuning of the way $PHP_SELF is set.

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

This will be the final update for osC_Sec (barring any discovered bugs)

 

Download from: http://www.oscommerce.com/community/contributions,7834



osC_Sec 2.6[r1]

What's New?

- Fixed an issue where the phpSelfFix function might interfere with some (mis-) configurations of SEO URLs.

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download from: http://www.oscommerce.com/community/contributions,7834



While working in my admin I was abruptly shut out with a 403 page saying I didn't have the correct permissions. I noticed that it had added my ip address to the .htaccess file. I changed the deny to allow but it added it again. I have the latest revision installed.


If the only tool you have is a hammer, all your problems look like nails


If you have email enabled you will receive an email with the details of the ban. Email it to me if you like and I will have a look to see what could be causing the issue. rohepotae@gmail.com



osC_Sec 2.6[r2]

What's New?

- Repaired an issue with the way the email notification reported the hack attempts.

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download from: http://addons.oscommerce.com/info/7834



I would like to say thank you for such a great contribution. I am using oscommerce 2.3.1 and have installed a few contributions including this one. My question is, how does one test to see if this contribution is working correctly? I had version 2.4[r9], upgraded to 2.6[r2]. I have iptrap installed as well. I used to be able to type in the admin folder and I would get banned; now, since this upgrade, it redirects me to the home page of my site with no banning of my IP address. Is this correct? I have $useIPTRAP = 1; and $emailenabled = 1;. I don't get any errors, so I am guessing that is a good thing. But what about the IP banning?

 

Any help will be greatly appreciated.

 

Thank you in advance,

 

Mike


Do or Do Not, there is no try.


If you have IP trap enabled then you just need to trigger a ban to see if the IP address is added into the IP trap banned/IP_Trapped.txt file.

 

A quick way to test would be to use one of the banned requests like www.yourdomain.com/yourstore/index.php/login.php

 

You should get an email notification of the ban from osC_Sec and also you should see the banned IP address in the IP_Trapped.txt file.



osC_Sec 2.6[r3]

What's New?

- Added most POST and GET blacklist items

- Fixed the way getShield deals with base64 encoded items

- Removed items from the POST blacklist that could potentially result in an incorrect ban

- Fixed postShield issue when hex code is found in post data but is not on the blacklist

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download from: http://addons.oscommerce.com/info/7834




Taipo,

 

I had to remove my ip from the white list in order to test the IPTrap. It worked and blocked my ip. I also tried the index.php/login.php and that worked as well, I did get an email from osc_sec.

 

My question is when my ip was blocked by ip trap or osc_sec it did not allow me access the site, which I am very grateful for. One thing that I don't understand is that when I am blacklisted, I only get a blank page when I try to access the site. Is this normal?

 

Thanks for your help,

 

Mike



Hmm ok that probably means that osC_Sec is sending a 403 header instead of allowing IP Trap to redirect to the blocked.php page...

 

Try this. In osC_Sec.php around line 541 is this section:

function tinoRahui() {
    global $banipaddress, $htaccessfile, $useIPTRAP, $ipTrappedURL;
    if ( ( $banipaddress ) && ( hCoreFileChk( $htaccessfile ) ) ) {
        // add ip to htaccess
        htaccessban( $_SERVER[ "REMOTE_ADDR" ] );
        send403Header( );
    } elseif ( ( $useIPTRAP ) && ( hCoreFileChk( $ipTrappedURL ) ) ) {
        // if IP Trap and writable and threshold
        ipTrapban( $_SERVER[ "REMOTE_ADDR" ] );
        send403Header( );
    } elseif ( ( $banipaddress ) && ( !hCoreFileChk( $htaccessfile ) ) ) {
        // if threshold and banip and non-writable htaccess then kill page exec
        send403Header( );
    } elseif ( ( $useIPTRAP ) && ( !hCoreFileChk( $ipTrappedURL ) ) ) {
        // if threshold and IP Trap, and not writable, then kill page exec
        send403Header( );
    } elseif ( ( !$banipaddress ) && ( !$useIPTRAP ) ) {
        // if threshold and no banip or iptrap then just kill page exec
        send403Header( );
    }
}

 

Replace that with:

 

function tinoRahui() {
    global $banipaddress, $htaccessfile, $useIPTRAP, $ipTrappedURL;
    if ( ( $banipaddress ) && ( hCoreFileChk( $htaccessfile ) ) ) {
        // add ip to htaccess
        htaccessban( $_SERVER[ "REMOTE_ADDR" ] );
        send403Header( );
    } elseif ( ( $useIPTRAP ) && ( hCoreFileChk( $ipTrappedURL ) ) ) {
        // if IP Trap and writable and threshold
        // no 403 here, so IP Trap can redirect to its blocked.php page
        ipTrapban( $_SERVER[ "REMOTE_ADDR" ] );
    } elseif ( ( $banipaddress ) && ( !hCoreFileChk( $htaccessfile ) ) ) {
        // if threshold and banip and non-writable htaccess then kill page exec
        send403Header( );
    } elseif ( ( $useIPTRAP ) && ( !hCoreFileChk( $ipTrappedURL ) ) ) {
        // if threshold and IP Trap, and not writable, then kill page exec
    } elseif ( ( !$banipaddress ) && ( !$useIPTRAP ) ) {
        // if threshold and no banip or iptrap then just kill page exec
        send403Header( );
    }
}

 

That should allow the redirect to the blocked.php page. Let me know if it doesn't



I must add a point that the only drawback with the way osC_Sec currently interacts with IP Trap is that osC_Sec has not yet been coded to deal with the IP Trap whitelist. But other than that it works pretty well with IP Trap.



osC_Sec 2.6[r4]

What's New?

- Fixed issues with the way osC_Sec interacts with IP Trap

- osC_Sec diagnostic email will now only send if you have either IP Trap or htaccess banning enabled. This is to reduce the amount of repeat emails I receive.

- Added the server request URI and request method to the diagnostic email.

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download from: http://addons.oscommerce.com/info/7834




Taipo,

 

I have replaced the code as you instructed but it still gives a blank page and not a redirect to the blocked.php.

 

Does it matter if my store is not in the root, but rather www.nameofsite.com/store?

Also if I have renamed the Admin Folder, does that matter?

 

Maybe that is a way to use the absolute path to the blocked.php page.

 

I am just throwing out some suggestions.

 

Thanks for your help,

 

Mike



The best way to test this would be to take osC_Sec out of the loop and see if the IP Trap blocked page loads correctly. Once that's established, we know for sure it is something osC_Sec is doing.

 

If you have already done that, then include osC_Sec again into the application_top.php and disable $useIPTRAP in osc.php and see if you can trigger the IP Trap ban via the normal methods of triggering, i.e. going to a banned directory. Let me know how that goes.




Taipo,

 

I have removed osc_sec from the application_top.php in both places. I did not disable $useIPTRAP in osc.php. I did trigger the ban and it brought the blocked.php page up. I attempted to go back into the store and it brought the blocked.php page up again.

 

I have removed my ip address from the banned directory and now can access the store.

 

Any other suggestions that I may attempt to use? Thank you as always,

 

Mike



Not sure what the outcome of the last bit was. Put osC_Sec back into the loop again, disable $useIPTRAP ($useIPTRAP = 0;) and repeat the ban attempt you did earlier to see if you can trigger the blocked.php page.

