timinark Posted September 13, 2005

Hello everybody. A couple of things. Someone has been trying to find a file on my site called extras/extras/update.php. Does anybody have any idea why? This person has been fairly persistent, but since I have no such directory, they are not having much luck.

Next, soon after putting my site in the showcase, I had two fake orders trying to use default credit card numbers. I don't know if they were the same person (two different IPs, which was smart), but bothersome nonetheless. Is this a common problem with OSC sites? I did all the common sense precautions, but not any heavy-duty audit. Any major exploits I should worry about?

Thanks all!
Tim
Guest Posted September 13, 2005

> Next, soon after putting my site in the showcase, I had two fake orders trying to use default credit card numbers. I don't know if they were the same person (two different IPs, which was smart), but bothersome nonetheless.

With putting your site up for review in the My Store section you will always get lots of dummy accounts and lots of test orders. It is just part of the process. It is most likely people just checking out your store. After a while they will stop and you won't get as many.

> Is this a common problem with OSC sites? I did all the common sense precautions, but not any heavy-duty audit. Any major exploits I should worry about?

Install SSL, protect the admin with a password, rename the admin directory, make sure the contributions you added are up to date and always check for updates to see if there are any security flaws that might need fixing, and install the fixes for the contact_us page hackers that are going around before you get hit.

> A couple of things. Someone has been trying to find a file on my site called extras/extras/update.php. Does anybody have any idea why? This person has been fairly persistent, but since I have no such directory, they are not having much luck.

Extras is a folder that comes with the basic osC install that is downloaded from this site. They are probably just seeing if it was there, but since it is not, you don't have anything to worry about.
dahui Posted September 13, 2005

> install the fixes for the contact_us page hackers that are going around

This is a topic that is often discussed, and many are confused by the vast amount of postings on it. So what are the kind of 'standard fixes' that have to be applied? Obviously there must be seniors with shops running that do not have any spider robot hack problem. Enlightenment appreciated on how to 'secure contact_us and other forms in osC against hacks'.

dahui
Guest Posted September 13, 2005

Contact Us Spam Issue Fixes should do the trick. It is always better to be proactive than reactive, so I would recommend implementing them even if you have not been hit by them.
dahui Posted September 13, 2005

Quite new ;) that's why I didn't find it. Added the RSS feed now to my bookmarks; didn't notice before that there is a feed.

http://www.oscommerce.com/community/contributions,3534

I will check the version 09/11, as the newest download results in a 404. I already informed datklings about that.

Thanks for the contrib link again.

dahui
Guest Posted September 13, 2005

Also, just to confuse you: Christian's Blog
dahui Posted September 13, 2005

http://www.oscommerce.com/community/contributions,3534

Hi Java Roasters, so I checked the contrib mentioned above, version of 09/11.

1. Verify robots.txt file: I hope I did everything right setting up my robots.txt and spiders.txt. Is there any kind of 'online checker' I can use to validate these files?

2. Contact Us Form Vulnerability Fix: applied that not only to contact_us.php but also to catalog/checkout_payment.php, catalog/checkout_shipping.php, catalog/products_reviews_write.php and catalog/tell_a_friend.php. Again I hope that is correct; please advise me if I shouldn't do that and should apply it only to contact_us.php, or if other files have to be modified additionally.

3. Contact form issue / textarea bug: applied that as well.

4. Validate string: that is where I am unsure. Do I have to validate every input field in all of the forms? And if so, does there exist a kind of list so as not to miss any?

Finally, when I have applied everything and got it up and running, how can I test/verify that all modifications are made right and really do their job? Is there a logic to try to reproduce the vulnerabilities, and then where to check if it went through or was handled appropriately?

Thanks again in advance, but maybe in the end this will lead to less confusion for the minority of newbies to this topic like me.

dahui
dahui Posted September 13, 2005

Addition: found version 09/13 now downloadable, didn't work before ???

5. Contact Us Spam Bot: applied

6. Contact Us Spam Relay: applied

As I do not really understand the code and hope that modifying it as described will be enough, I would like to know more about the point 4.) Validate string thingy, and whether 5.) and 6.) depend on that in any way.

dahui
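As an added illustration of what the "Validate string" step in the contribution is guarding against (this is an editor's example, not the contribution's code or anything from the osCommerce project; the form field names, function names and length limits are assumptions), here is a contact-form validator that refuses the input a spam relay needs: line breaks in fields that end up in mail headers, and header-looking lines in the message body. The self-check at the bottom runs it over constructed sample submissions.

```php
<?php
// Added example, not the osCommerce contribution's code. Field names
// ('name', 'email', 'enquiry'), function names and limits are assumptions.

// True when $value contains no CR, LF or NUL. A field that is copied into a
// mail() header must be a single line, otherwise extra headers can be appended.
function is_single_line(string $value): bool {
    return preg_match('/[\r\n\0]/', $value) === 0;
}

// Validate the fields a typical contact form hands to mail().
// Returns a list of error messages; an empty list means the input is acceptable.
function validate_contact_form(array $post): array {
    $errors = [];

    $name  = trim($post['name']    ?? '');
    $email = trim($post['email']   ?? '');
    $body  = trim($post['enquiry'] ?? '');

    if ($name === '' || strlen($name) > 96 || !is_single_line($name)) {
        $errors[] = 'name must be a single line of at most 96 characters';
    }
    // filter_var already rejects newlines; the explicit check keeps the intent visible.
    if (!is_single_line($email)
        || strlen($email) > 96
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    if ($body === '' || strlen($body) > 4000) {
        $errors[] = 'message must be between 1 and 4000 characters';
    }
    // Refuse a body that starts a line with mail header syntax, in case any
    // template copies the body into the header block.
    if (preg_match('/^\s*(to|cc|bcc|content-type):/im', $body)) {
        $errors[] = 'message body must not contain mail header lines';
    }
    return $errors;
}

// Build headers only from validated values, with the store's own address as
// the From: header so the visitor-supplied address is never placed there.
function build_mail_headers(string $name, string $email, string $store_email): string {
    $safe_name = str_replace(['"', '\\'], '', $name);
    return "From: \"{$safe_name}\" <{$store_email}>\r\n"
         . "Reply-To: {$email}\r\n"
         . "Content-Type: text/plain; charset=UTF-8\r\n";
}

// Self-check over constructed sample submissions (not real form posts).
$cases = [
    'clean'   => ['name' => 'Tim', 'email' => 'tim@example.com',
                  'enquiry' => 'Is item 42 in stock?'],
    'crlf'    => ['name' => 'Tim', 'email' => "tim@example.com\r\nBcc: x@example.net",
                  'enquiry' => 'hi'],
    'hdrbody' => ['name' => 'Tim', 'email' => 'tim@example.com',
                  'enquiry' => "Bcc: x@example.net\nbuy now"],
];
foreach ($cases as $label => $input) {
    $errors = validate_contact_form($input);
    printf("%-8s %s\n", $label,
        $errors ? 'REJECTED: ' . implode('; ', $errors) : 'accepted');
    if (!$errors) {
        echo build_mail_headers($input['name'], $input['email'], 'shop@example.com');
    }
}
```

Run with `php contact_validate.php`: the first case is accepted and its headers printed, the other two are rejected with the reason. The same two checks (single-line header fields, no header syntax in the body) apply to every form that ends in a mail() call, which is why the contribution's fix is worth carrying over to the other pages listed above rather than only contact_us.php.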
dahui Posted September 13, 2005

Forgot to mention: everything can be tested on http://funjumping.de/shop, you know how to look at spiders.txt and robots.txt ;)

If you want, feel free to open an account and test mails and other input field functionalities, or better, I would appreciate the experienced to test that :blush:

thx
dahui
Guest Posted September 13, 2005

I don't have a clue how to test it; all I can help you with is pointing you to the things on the forum that might be important. There are several threads that I think are linked from the contribution, and that might be the best place to ask for someone who can test it for you.

PS: I don't know what happened to Christian's post, but it seems to be gone now.
TheJackal Posted September 14, 2005

I read that there is a security risk with the extras folder: it could potentially be hacked, leading others to scan other files on your web server. It's recommended to remove it if you don't use it.

- The Jackal
dahui Posted September 14, 2005

> I read that there is a security risk with the extras folder: it could potentially be hacked, leading others to scan

thx, but I didn't upload that folder anyway.

dahui