puggybelle

Hack attempt - is there a way to prevent this?


@puggybelle

I had an attack on one of my sites yesterday ...

I also have a Keyword Search Report on this site. I hadn't checked it in a while, but after reading your post, I went to check it out. Guess what? Same thing here ...


That's just part of one page! There are over 20 pages of this!

Thank you for reporting this ... I wouldn't have thought to look at this.

Malcolm


Get the latest Responsive osCommerce CE (community edition) here .

2 hours ago, ArtcoInc said:

Thank you for reporting this ... I wouldn't have thought to look at this. 

What did you check in your database?  I really didn't know what else to look at, other than make sure the 'search_queries' table was empty after deleting the report.

Then, of course, I put the maxlength limit on the search field here, there and everywhere.  Now I'm thinking it should be even shorter than what I assigned.

My keyword report resembled yours.  I had one entry, though, that was probably eight lines of code alone.

Should I check anything else?  This stuff always shakes me up.

- Andrea


Is there anyway we can turn off the search queries being saved to our databases?

1 hour ago, pete2007 said:

Is there anyway we can turn off the search queries being saved to our databases?

It's not just search: any form on your website that allows the visitor to enter text that is saved to your database is a backdoor for hackers.

Search is easy: just remove the osC search and replace it with Google search (nothing is saved to your DB by this), or limit text input to just one or two words. All forms should have some sort of captcha and text cleanser built in to prevent saving scripts to the DB.

Reviews is another one that is targeted by hackers.


29 minutes ago, JcMagpie said:

It's not just search: any form on your website that allows the visitor to enter text that is saved to your database is a backdoor for hackers.

Search is easy: just remove the osC search and replace it with Google search (nothing is saved to your DB by this), or limit text input to just one or two words. All forms should have some sort of captcha and text cleanser built in to prevent saving scripts to the DB.

Reviews is another one that is targeted by hackers.

Thank you for your reply. Whereabouts can I limit the text for the search?


As the input field is controlled by the function in html_output.php, we can not control it directly. So in the template file of the search simply add a bit of JS to limit input.

<script>
  $("input").attr("maxlength", 20);
</script>

You should let your customers know a limit is set.


@ArtcoInc The r87 dot com is a site on GoDaddy. You could report it as a spammer and/or block its IPs. Although the whois for it lists quite a few similar names, so I suspect this guy wouldn't be easily stopped.

13 hours ago, puggybelle said:

Should I check anything else?  This stuff always shakes me up.

Limiting the search string probably won't make a difference since they can type directly into the url. Many times the hackers will enter some invalid command so that an error is displayed that gives them more details about the database. You can test your site here to see if that is the case. Also be sure that anything entered in the search does not show up on the page after the search. This doesn't occur with the CE version but might with older versions. 

If your search doesn't require any special characters, then I suggest you change this code in the advanced_search_result.php file

    if (isset($_GET['keywords'])) {
      $keywords = tep_db_prepare_input($_GET['keywords']);
    }

to this

    if (isset($_GET['keywords'])) {
      $keywords = preg_replace('/[^\w]/', '', $_GET['keywords']);
      $keywords = tep_db_prepare_input($keywords);
    }

That will remove everything from the search string other than letters and numbers.


@pete2007

11 hours ago, pete2007 said:

Is there anyway we can turn off the search queries being saved to our databases?

Out of the box, osC does not save search queries in the database. I'm using an add-on called SmartSuggest that, amongst other things, creates a new database table and saves the search queries. I find this important since I can now see what people are searching for, and use that information to either adjust the text on my site, or adjust my product lines (if I sell apples, and people are searching for oranges ... ).

M



A simple string scrubbing function using preg_replace: https://www.php.net/manual/en/function.preg-replace.php

<?php
function ScrubInput($input)
{
  // allow only letters
  //$scrub = preg_replace("/[^a-zA-Z]/", "", $input);

  // allow only letters and numbers
  //$scrub = preg_replace("/[^a-zA-Z0-9]/", "", $input);

  // allow only letters, numbers, and whitespace
  $scrub = preg_replace("/[^a-zA-Z0-9\s]/", "", $input);

  // get rid of all CAPS
  $scrub = strtolower($scrub);

  // limit input to 40 chars
  $scrub = substr($scrub, 0, 40);

  return $scrub;
}

// test the function
echo ScrubInput("iaja this 1237412~! is  @#$%^&*() how -=+_] it [{};:/ works .,>?OKAMNBVCXZLKJHG'\"");

Result:

iaja this 1237412 is how it works ok



@ArtcoInc I think the link to your review is very relevant to the thread - and the threat of this hack attempt (I can’t recall the level of detail in your review but maybe you’d update to include this potential risk). 


@Jack_mcs @JcMagpie

Any way to keep apostrophes, quotation marks, dashes, letters and numbers?  LOL.

My buyers really need to use quotation marks in some circumstances, in order to find the exact name or phrase. 

When the edits are made, you can't even find the test product A Bug's Life unless you leave out the apostrophe. 

Smart buyers are going to include the apostrophe...get no search results...and leave.  These edits are only making search more difficult.

And after viewing my keywords search report for months now....buyers need all the help they can get!

Is there a way to sanitize against the inclusion of weird characters that always accompany a malicious code string, but preserve the other ones I mentioned?

- Andrea


It will depend on your osCommerce version, and what add-ons you have that put stuff to database, but any decent DB code should disable (usually escape, not removal) any special characters that might be interpreted as database commands. That way, the string content can't be used to run commands, but it still might interfere with searches. For example, escaping an apostrophe so that it can't be used to end a field and add SQL commands (change it to a literal apostrophe, not a delimiter for SQL commands), might prevent searching for "A Bug's Life", but I'm not sure in this code. I haven't looked lately, but there may be ways around that problem.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozenpatches or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release


Just put the chars you want to not remove in the [] and you'll be fine. See, I have added ' and - after the 9 (the hyphen is backslash-escaped so PCRE reads it literally instead of as a range):

$scrub = preg_replace("/[^a-zA-Z0-9'\-\w\ ]/", "", $input);

this will give

Result:

iaja'-'- this 1237412 is @^*() how -=+_

from

echo ScrubInput("iaja'-'- this 1237412~! is  @#$%^&*() how -=+_] it [{};:/ works .,>?OKAMNBVCXZLKJHG'\"");

Please check before using on a live site; only tested in sandbox.


6 hours ago, puggybelle said:

Any way to keep apostrophes, quotation marks, dashes, letters and numbers?  LOL.

For the code I posted, use

     $keywords = preg_replace('/[^ \w\'"-]/', '', $_GET['keywords']);
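The posts above pull in three ideas that belong together: a character allowlist on the search string, keeping apostrophes, quotes and dashes so "A Bug's Life" still matches, and the point that a client-side maxlength is no limit at all because the keyword can be typed straight into the URL. The PHP below is an added example written for this thread; it is not osCommerce code and not code from any poster. `scrubKeywords` and `KEYWORD_MAX_LEN` are names chosen here, and the mbstring extension is assumed. It also shows where the hyphen has to sit in the class: written as `0-9'-\w`, PCRE parses `'-\w` as a range and PCRE2 (PHP 7.3 and later) rejects the whole pattern, at which point `preg_replace()` returns NULL and the search runs on an empty string.

```php
<?php
// Added example for this thread (not osCommerce code, not any poster's code).
// Server-side allowlist for a search string: keeps letters, digits, underscore,
// whitespace, apostrophes, double quotes and dashes, then enforces the length
// limit on the server, where a URL-edited request cannot bypass it.
// scrubKeywords and KEYWORD_MAX_LEN are names chosen here; mbstring is assumed.

declare(strict_types=1);

const KEYWORD_MAX_LEN = 40; // same limit as the ScrubInput() post above

function scrubKeywords(string $input, int $maxLen = KEYWORD_MAX_LEN): string
{
    // The hyphen is the LAST character in the class so PCRE reads it literally.
    // Placed between two other members (0-9'-\w) it would be parsed as a range,
    // which PCRE2 rejects; preg_replace() would then return NULL.
    $clean = preg_replace('/[^\w\s\'"-]/u', '', $input);
    if ($clean === null) {
        // Pattern or UTF-8 failure: fail closed instead of passing raw input on.
        return '';
    }

    // Collapse runs of whitespace and trim the ends.
    $clean = preg_replace('/\s+/u', ' ', trim($clean)) ?? '';

    // Length limit counted in characters, not bytes, so multibyte input is
    // not cut in the middle of a character.
    return mb_substr($clean, 0, $maxLen);
}

// Constructed sample inputs: a product name with an apostrophe, a quoted phrase
// with a dash, the noisy test string used earlier in the thread, and an
// over-long string to show the server-side limit.
$samples = [
    "A Bug's Life",
    '"red t-shirt"',
    'iaja this 1237412~! is  @#$%^&*() how -=+_] it [{};:/ works .,>?OK',
    str_repeat('x', 100),
];

foreach ($samples as $s) {
    printf("%-70s => %s\n", $s, scrubKeywords($s));
}
```

Run it from the CLI with `php scrub.php`. The first two samples come back unchanged, the noisy string loses its punctuation, and the 100-character string is cut to 40. Whatever passes this filter should still go into the query through `tep_db_prepare_input()` (or a parameterised statement); the allowlist limits what is stored and shown in the keyword report, it does not replace escaping.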
14 hours ago, puggybelle said:

When the edits are made, you can't even find the test product A Bug's Life unless you leave out the apostrophe.

I don't think this has anything to do with the edits, as on a stock osC you will still get no results! Try it yourself on a clean BS4 install:

https://www.jcmagpie.com/advanced_search_result.php?keywords=A+Bugs+Life


Compare that to a Google search box output, and you get a result every time. Try it yourself: https://www.justfastfood.com/


Just checked on official osC and it's the same result, nothing found. Can you spot the irony of the image below?


Well, you could always replace your osC search with Google (with the term site:yoursite.com) or some other well-known search engine. (Are there any others left these days?) You will likely lose any storage of search terms, although there's no reason you couldn't save a search string (suitably sanitized, first) in your database before passing it on to Google. I'm assuming that there is no problem with sessions, etc. if you pop out to an external search engine from a logged-in store, so check out that early in the process.


On 1/8/2019 at 6:00 PM, puggybelle said:

Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC

So going back to the original post: what if someone uses a form to inject script into the db? Looks like no cleaning is done before input is saved to the db in official osC or CE.

Script used in the create account form is simply passed over to each page and saved into the db.

No scrubbing is done when it is pulled out to display,

and the db is just taking the data presented to it.

The test script used was the one originally posted and used as a test (it can do no harm as it's not active on its own): Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC

So it looks like some method of scrubbing all forms and input boxes is needed, not just the search. Or have I missed something?



Malicious/problematic code has already been filtered out in this example:

Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC
244 Whatever St"__sCRiPt sRC=//jb.gy/i__/sCrIpT_


@raiwa is this cleaned by tep_draw_input_field (which is sanitizing with stripslashes)?

And if so... is it enough? This is definitely out of my skill range - it really is just a question.

Reading about SQL injections (again I'm not sure I understand it clearly) should we not be using PDO (as in 2.4) or at minimum htmlspecialchars?

Source: https://stackoverflow.com/questions/29678806/secure-all-inputs-in-php-form


How would it handle stuff like

&lt;script src=&quot;google.com&quot;&gt;

and

&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x20;&#x73;&#x72;&#x63;&#x3d;&#x22;&#x67;&#x6f;&#x6f;&#x67;&#x6c;&#x65;&#x2e;&#x63;&#x6f;&#x6d;&#x22;&#x3e;

45 minutes ago, greasemonkey said:

@raiwa is this cleaned by tep_draw_input_field (which is sanitizing with stripslashes)?

And if so... is it enough? This is definitely out of my skill range - it really is just a question.

Reading about SQL injections (again I'm not sure I understand it clearly) should we not be using PDO (as in 2.4) or at minimum htmlspecialchars?

Source: https://stackoverflow.com/questions/29678806/secure-all-inputs-in-php-form

I guess this input example has been cleaned with tep_db_prepare_input:

  function tep_db_prepare_input($string) {
    if (is_string($string)) {
      return trim(tep_sanitize_string(stripslashes($string)));
    } elseif (is_array($string)) {
      foreach($string as $key => $value) {
        $string[$key] = tep_db_prepare_input($value);
      }
      return $string;
    } else {
      return $string;
    }
  }

which uses tep_sanitize_string:

  function tep_sanitize_string($string) {
    $patterns = array ('/ +/','/[<>]/');
    $replace = array (' ', '_');
    return preg_replace($patterns, $replace, trim($string));
  }

Whether it is enough, I do not know either.
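The two functions quoted above rewrite input on the way in: runs of spaces are squeezed and `<` and `>` become `_`, which is why the stored test string reads `__sCRiPt`. The entity-encoded forms asked about a few posts up contain neither character, so they pass through untouched. The added example below, written for this thread and not taken from osCommerce or any poster, puts that input-side rewrite next to the two controls the thread keeps circling: a parameterised query for storage (PDO, as mentioned for 2.4) and `htmlspecialchars()` applied at render time. `osc_style_sanitize`, `render_text` and `store_and_fetch` are names chosen here; the pdo_sqlite extension is assumed and stands in for the store's MySQL table, and the hex-entity input is a constructed, shortened version of the one in the thread.

```php
<?php
// Added example for this thread (not osCommerce code, not any poster's code).
// Contrasts tep_sanitize_string()-style input rewriting with two defences the
// thread asks about: a parameterised INSERT/SELECT and HTML encoding at output.
// Assumes the pdo_sqlite extension; an in-memory SQLite DB stands in for MySQL.

declare(strict_types=1);

// Port of tep_sanitize_string() as quoted above: squeeze spaces, turn < and > into _.
// Name chosen here. Note it does nothing to &, quotes or entity-encoded text.
function osc_style_sanitize(string $s): string
{
    return preg_replace(['/ +/', '/[<>]/'], [' ', '_'], trim($s)) ?? '';
}

// Output encoding for an HTML text or attribute context. ENT_QUOTES also encodes
// the double quote that would otherwise close an attribute; ENT_SUBSTITUTE keeps
// invalid UTF-8 from producing an empty string. Name chosen here.
function render_text(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parameterised insert and read-back. The value travels as a bound parameter,
// never as part of the SQL text, so quotes in it cannot alter the statement
// and nothing has to be stripped or escaped to store it safely. Name chosen here.
function store_and_fetch(PDO $db, string $query): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS search_queries (id INTEGER PRIMARY KEY, keywords TEXT)');
    $ins = $db->prepare('INSERT INTO search_queries (keywords) VALUES (:kw)');
    $ins->execute([':kw' => $query]);

    $sel = $db->prepare('SELECT keywords FROM search_queries WHERE id = :id');
    $sel->execute([':id' => (int) $db->lastInsertId()]);
    return (string) $sel->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed inputs: the thread's test string, the two entity-encoded forms
// asked about above (the hex one shortened), and a plain apostrophe search.
$inputs = [
    'Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC',
    '&lt;script src=&quot;google.com&quot;&gt;',
    '&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;',
    "A Bug's Life",
];

foreach ($inputs as $raw) {
    $stored = store_and_fetch($db, $raw);   // comes back byte-for-byte as stored
    printf("raw     : %s\n", $raw);
    printf("osc     : %s\n", osc_style_sanitize($raw));
    printf("rendered: %s\n\n", render_text($stored));
}
```

Running it shows the split the thread is looking for. The osC-style pass leaves the `&lt;`/`&#x3c;` strings exactly as typed, because it only knows about literal angle brackets; in a page body those entities display as text, but if any later code runs `html_entity_decode()` on them, or writes them into an attribute or a script block, they become live markup. `render_text()` turns `&` into `&amp;` and `"` into `&quot;` regardless of what was stored, so the browser shows the stored string literally in every HTML context, and the apostrophe in "A Bug's Life" is both stored and displayed intact. Encoding at output, per context, plus parameterised queries is the combination that does not depend on guessing every encoding an attacker might use.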

