Jump to content

Archived

This topic is now archived and is closed to further replies.

Taipo

Oscommerce Security - Osc_Sec.php

Recommended Posts

Hi.

I am going to set up a new store.

I dont know yet if i will go for 2.2. or 2.3.

If i go with 2.2 i will install this addons.

 

How will i install best?

Just download the last version or will i have to download the first release and then update?

 

Thanks!

Share this post


Link to post
Share on other sites

The latest version is the full fileset.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

I had upgraded to 2.7 but I had to downgrade to 2.6[r9a], which is why it is working again. The checkout is a commercial package from dynamoeffects.com. Here are the settings from osc.php:

 

$timestampOffset = -1; # Set the time offset from GMT, example: a setting of -10 is GMT-10 which is Tahiti

$httphost = "www.mysite.com"; # enter your site host without http:// using this format www.yourwebsite.com

$nonGETPOSTReqs = 0; # 1 = Prevent security bylass attacks via forged requests, 0 = let it as it is

$chkPostLocation = 0; # 1 = Check to see if cookies and referer are set before accepting post vars, 0; don't (especially if using Paypal)

$GETcleanup = 1; # 1 = Clean up $_GET variables, 0 = don't cleanup. Set this to 0 if this causes errors (for example with another addon)

$testExpiredCookie = 1; # 1 = Checks to see if the browser understands what to do with an expired cookie, 0 = don't check

$arbitrarysession_block = 0; # 1 = Prevents arbitrary session injections, 0 = leave it as it is

 

/**

* This section of settings is to allow osC_Sec.php

* to ban an IP address if it breaks the rules

*

* Choose either $banipaddress to add to htaccess

* or $useIPTRAP if you are using the IP Trap addon

**/

 

$banipaddress = 0; # 1 = adds ip to htaccess for permanent ban, 0 = calls a page die if injection detected

$htaccessfile = $dirFScatalog . ".htaccess"; # remember to change the write access of .htaccess to a writable setting

 

$useIPTRAP = 0; # 1 = add IPs to the IP Trap contribution, 0 = leave it off

$ipTrappedURL = $dirFScatalog . "banned/IP_Trapped.txt"; # If you are using IP Trap make sure this is pointing to the IP_Trapped.txt file

 

I'm also using security pro, seo url (from chemo's branch), bad behavior block, kiss filesafe, kiss meta tags, and some others on the admin side. Maybe its just a conflict with the checkout system. I'm pretty sure it has something to do with cookies or sessions because sometimes if I would clear my browser cache it would work again but for the most part it wouldn't function with 2.7.

 

I like to feel that my site is secure, which is why I am using osc sec even on my 2.3.1 site. Thanks for your quick reply and if all else fails I will just stick with 2.6[r9a].

 

A couple of questions for you to assist me.

 

1/ What is the URL to download the dynamo effects addon so I can take a look at it?

2/ Are you using 2.69a or 2.7 of osC_Sec?

3/ What settings do you have enabled in the osc.php file?

4/ What other addons are you using?


Matt

Share this post


Link to post
Share on other sites

Hi

 

First thank you for this add-on it works very well.

 

Up until 2.6[r9a] I had no problems, after I upgraded I have a problem entering my admin area.

I have a .htacces password on the admin and after typing this it looks like it is loading but after some time firefox will say that it looks like the site is looping in the load. I can then type the adress again and no problem.

The only change I have made to the site is upgrade of Osc_Sec. Any idea as to why this happens...

 

Kind Regards

Jesper

Share this post


Link to post
Share on other sites

Matt

 

The GETcleanup is the only section that had code changes made to it.

 

Disable GETcleanup and see if that sorts the issue. That section is basically covered by FWR_SECURITY_PRO anyhow.

 

It shouldn't be an issue of cookies since none of the code is any different between the two versions.

 

If all else fails use 2.6[r9a] as there is very little difference between the two.

 

Let me know though if disabling GETcleanup made any difference.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

...it looks like it is loading but after some time firefox will say that it looks like the site is looping in the load. I can then type the adress again and no problem.

The only change I have made to the site is upgrade of Osc_Sec. Any idea as to why this happens...

 

Are you able to get this looping error everytime or did it just happen the once after upgrading?


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Are you able to get this looping error everytime or did it just happen the once after upgrading?

 

I get it every time. Just tried at work and IE7 is the same.

Share this post


Link to post
Share on other sites

In osc.php try switching anything set to 1 to 0, one at a time and see if that loop goes away. If it does let me know which one of those settings was the cause.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

In osc.php try switching anything set to 1 to 0, one at a time and see if that loop goes away. If it does let me know which one of those settings was the cause.

 

I'm away the next couple of days but will try and return.

Share this post


Link to post
Share on other sites

In the install instructions, it states to replace the following in the application_top.php files:

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

With this code below:

// set php_self in the local scope
if( !isset( $PHP_SELF ) ) $PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] ); 

 

However, it appears that my application_top.php file has already been amended as follows:

// set php_self in the local scope
//  $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);
// Code below replaces code above to prevent hacking
/**
* Reliably set PHP_SELF as a filename .. platform safe
*/
   function setPhpSelf() {
     $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
     foreach ( $base as $index => $key ) {
       if ( array_key_exists(  $key, $_SERVER ) && !empty(  $_SERVER[$key] ) ) {
         if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
           preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
           if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) )
                                     && ( substr( $matches[0], -4, 4 ) == '.php' )
                                     && ( is_readable( $matches[0] ) ) ) {
             return $matches[0];
           }
         }
       }
     }
     return 'index.php';
   } // end method

   $PHP_SELF = setPhpSelf();
// EOF set php_self in the local scope

 

What do I do? Will the replacement code already in place suffice? Or, should the current replacement code be overwritten with the code listed in the install instructions of the 2.7 version of the contribution?

Share this post


Link to post
Share on other sites

Just place the code in the next line after the last line in that piece.

 

// EOF set php_self in the local scope


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hi Taipo

 

Discovered a new problem today that I hope you have some insight on.

After reading a bit on the forum I decided to enable force cookies, and the site seemed to work, but when a costumer pays with credit card they can complete the order, but no data is written to the database.

I have tried disabling force cookies and OSC on everything is fine.

Force cookies on and OSC off, everything is fine... Tested with ver. 2.6 and 2.69a

 

I have had to go back to ver. 2.6 because otherwise I would get a "Failed to notify callbackurl" from my CC module because of some looping.

 

I'm going to test the looping later today and get back on that.

 

Kind regards

Jesper

Share this post


Link to post
Share on other sites

That function is probably best left off. In future versions it is going to be removed.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

That function is probably best left off. In future versions it is going to be removed.

 

Hi

 

Think I got it written wrong. It is in my osc backend I enanbled force cookies, admin->sessions. My settings for osc_sec are:

 

$httphost = "www.mysite.com"; # enter your site host without http:// using this format www.yourwebsite.com

$nonGETPOSTReqs = 1; # 1 = Prevent security bylass attacks via forged requests, 0 = let it as it is

$chkPostLocation = 0; # 1 = Check to see if cookies and referer are set before accepting post vars, 0; don't (especially if using Paypal)

$GETcleanup = 1; # 1 = Clean up $_GET variables, 0 = don't cleanup. Set this to 0 if this causes errors (for example with another addon)

$testExpiredCookie = 1; # 1 = Checks to see if the browser understands what to do with an expired cookie, 0 = don't check

$arbitrarysession_block = 1;

 

/Jesper

Share this post


Link to post
Share on other sites

Change $arbitrarysession_block to $arbitrarysession_block = 0;


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Change $arbitrarysession_block to $arbitrarysession_block = 0;

 

Thank you for your time. That solved my looping problem, I still cant force cookies admin->sessions but thats probably not that big a problem.

 

I'm running version v2.2 RC2a is there something else I could do block that hole other then running "Ultimate SEO Urls 5 Pro" by FWR media?

Share this post


Link to post
Share on other sites

The two functions basically do the same thing, so if forcing cookies causes a loop, $arbitrarysession_block will too.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

If you are concerned about someone rebuilding an admin session and getting access, they would need a legitimate admin session hash to begin with. Other than that, an attacker could attempt to coerce a site admin to login via a fake hash code, but that is easily defeated by just ignoring any link anyone sends you that brings up your admin section. Also having htpasswd protection on your admin directory also helps emensely.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Taipo thank you for your time.

For now I will just set it to 0, I also found out that my CC-module has a problem with cookies so that should probably get fixed before I try my hands on this again.

Share this post


Link to post
Share on other sites

osC_Sec 2.7[r1]

Whats New?

- Added a section in osc.php to put the full address to the blocked.php if you use $useIPTRAP. If you use ipTrap then you need to configure this in osc.php in order for osC_Sec to work correctly with ipTrap.

- Removed $abitrarysession_block section because it caused too many errors on sites with certain configurations

- osC_Sec now checks in both upper and lower case for attack vectors

- Optional: Updated the way $PHP_SELF is set in the application_top.php (see readme.htm)

 

NOTE: With this upgrade you WILL need to update both osc.php and osc_sec.php.

 

Download full package from: http://addons.oscommerce.com/info/7834


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

Hey Taipo great addon really appreciate your work.

 

But recently ive been trying to add a new product and I keep getting this error message "Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/clients/client1/web1/web/includes/osc_sec.php on line 908".

 

It works if I either dont include a description for the product or only a brief one. Im currently using FCKeditor.

 

Cheers

Share this post


Link to post
Share on other sites

Probably the combination of the editor and the length of post might push the execution time to the limit.

 

This can also happen when a server (especially a shared server) is lagging from congestion.

 

If you have access to the php.ini of the webserver then add these lines somewhere near the top:

 

max_input_time = 60
max_execution_time = 300

 

You may find they are already resident in php.ini, if so then up the execution times as above. 300 may seem excessive, but apache has its own timeout which is by default set to 300 anyways.


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

osC_Sec 2.7[r2]

Whats New?

- Fixed the test cookie function. It now bans correctly if an expired cookie is returned.

 

A note about this cookie function. If activating this function causes session errors to appear on your site then disable it.

 

Its purpose is to catch bots often used to havest information from websites that will later be used to exploit those sites.

 

Although most reputable search spiders are programmed in a way that emulated a web browser so therefore will not return an expired cookie as a proper web browser should act, it is still possible to catch some legitimate web spider servers in this net.

 

No legitimate site visitors will be banned though since all web browsers with cookies activated are set to not return an expired cookie.

 

Update Instructions: copy the osc_sec.php file to your includes directory and overwrite the current file. No need to update the settings file osc.php

 

Install instructions: see the readme.htm

 

Download full package from: http://addons.oscommerce.com/info/7834


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Share this post


Link to post
Share on other sites

×