Contributions

Windows IIS 7,7.5,8 Image Dir Hack Protection

Download unzip and place the web.config file in your oscommece image directory to block files such as .php. To add additonal extensions add additional lines to the code.

<add fileExtension=".ADDext" allowed="false" />

web.config file source code:

<configuration>
<system.webServer>
<security>
<requestFiltering>
<fileExtensions allowUnlisted="true">
<add fileExtension=".inc" allowed="false" />
<add fileExtension=".php" allowed="false" />
<add fileExtension=".htaccess" allowed="false" />
<add fileExtension=".htpasswd" allowed="false" />
<add fileExtension=".js" allowed="false" />
<add fileExtension=".ini" allowed="false" />
<add fileExtension=".phps" allowed="false" />
<add fileExtension=".fla" allowed="false" />
<add fileExtension=".psd" allowed="false" />
<add fileExtension=".log" allowed="false" />
<add fileExtension=".sh" allowed="false" />
<add fileExtension=".pl" allowed="false" />
<add fileExtension=".cgi" allowed="false" />
<add fileExtension=".jsp" allowed="false" />
<add fileExtension=".sql" allowed="false" />
<add fileExtension=".txt" allowed="false" />
</fileExtensions>
</requestFiltering>
</security>
</system.webServer>
</configuration>

After bumping my head against the wall I finally figured that this is the problem with Fancybox.

You want to protect the image directory from intrusion with other file types, but this Add-On is incorrect. Use the new .htaccess files/text in the .htaccess files of the image directories, both admin and catalog.

http://www.oscommerce.info/confluence/display/OSCOM23/%28AC%29+%28UP%29+Add+htaccess+Protection+to+the+Images+Directory

This link leads to a v2.3.0 documentation but should be solid to v2.2, etc.

The code is posted here for convenience:

# $Id$
#
# This is used to restrict access to this folder to anything other
# than images

# Prevents any script files from being accessed from the images folder
<FilesMatch ".(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
Order Deny,Allow
Deny from all
</FilesMatch>

Easier way to do it :)

Just add the following to your .htaccess in any directory that may be writable (not that public writable directories are encouraged, but for those with no choice... at the very least protect them :)

Feel free to specify additional extensions between pipe symbols.



<FilesMatch ".(htaccess|htpasswd|js|ini|phps|php|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>

A simple htaccess file to help protect against unwanted files being executed in/from the images folder.

This is a very simple file and is welcome to updates etc.