osCommerce

[contribution] Security Pro - Querystring protection against hackers.


FWR Media


Install Security Pro, test your payment system.

 

Any problems you can add the payment system file to the file excludes as per the instructions.

 

Hello again,

 

Just uploaded to 'includes/modules', although not currently ready to test the payment system yet. Checking the KISS document, I note this:

catalog/includes/application_top.php

Find ...

if ($request_type == 'NONSSL') {

Add immediately ABOVE ...

// Security Pro by FWR Media
include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
$security_pro = new Fwr_Media_Security_Pro;
// If you need to exclude a file from cleansing then you can add it like below
//$security_pro->addExclusion( 'some_file.php' );
$security_pro->cleanse( $PHP_SELF );
// End - Security Pro by FWR Media

That's it .. all installed!

Have found this line of code, but did not see any mention of FWR in the application_top.php file (should I)? Do I have to activate the Security Plus code using another method (thought it was automatic)? Thought I had followed the install advice correctly - have I? Sorry about the confusion here :'(

Kind regards,

 

Peter...


This is how it will be after you have added it


 // Security Pro by FWR Media
 include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
 $security_pro = new Fwr_Media_Security_Pro;
 // If you need to exclude a file from cleansing then you can add it like below
 //$security_pro->addExclusion( 'some_file.php' );
 $security_pro->cleanse( $PHP_SELF );
 // End - Security Pro by FWR Media
 if ($request_type == 'NONSSL') {


Peter;

 

Add this:

 

// Security Pro by FWR Media
include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
$security_pro = new Fwr_Media_Security_Pro;
// If you need to exclude a file from cleansing then you can add it like below
//$security_pro->addExclusion( 'some_file.php' );
$security_pro->cleanse( $PHP_SELF );
// End - Security Pro by FWR Media

 

ABOVE this existing line of code:

 

if ($request_type == 'NONSSL') {

 

 

Hello Burt,

 

Many thanks for this and thanks to all for your patience.

 

Have added the code, will test out asap - fingers crossed!

Kind regards,

 

Peter...


Hello Burt / all,

 

Update. Tested two test sites this morning. Purchased items / refunded monies / appeared to be redirected to correct pages - fingers crossed, but up to now, things appear to still be working correctly.

 

I did notice something prior to beginning the tests, but that may not be associated with the installation of Security Plus? Initially, found it difficult to access the site (s) and in one case did not need to enter my password to access the admin section (which I had renamed and password protected). These issues have since disappeared? Strange?

 

Anyway, I shall stop talking and get on with the next security 'patch' installation.

 

Many thanks guys.

Kind regards,

 

Peter...


I installed Security Pro 2.0 ( r7 ) and everything seems to be working fine except now the link (For more information, please visit this products "webpage".) on the products pages. When clicked it takes you to index.htm, does not go to the url I entered. I uninstalled Security Pro 2.0 ( r7 ) and all that link works again.

 

Any ideas?

 

Sonny


Please read this support thread.


I tried both methods to fix my problem with the link not working (For more information, please visit this products "webpage".) on the products pages:

 

---------------------------

 

#1) Excluding Certain Files from Cleansing

 

var $excluded_from_cleansing = array( 'protx_process.php', 'redirect.php' );

 

And

 

#2) Modifying the product url code for Security Pro

 

catalog/product_info.php

 

Find:

<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></td>

Change to:

<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=product&products_id=' . (int)$HTTP_GET_VARS['products_id'], 'NONSSL', true, false)); ?></td>

----------------

catalog/redirect.php

Find:

case 'url':
  if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
    $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
    if (tep_db_num_rows($check_query)) {
      tep_redirect('http://' . $HTTP_GET_VARS['goto']);
    }
  }
  break;

Change to:

case 'url':
  if ( ( isset( $HTTP_GET_VARS['goto'] ) && ( $HTTP_GET_VARS['goto'] == 'product' ) ) && ( isset( $HTTP_GET_VARS['products_id'] ) && is_numeric( $HTTP_GET_VARS['products_id'] ) ) ) {
    $url_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");
    if (tep_db_num_rows($url_query)) {
      $row = tep_db_fetch_array( $url_query );
      tep_db_free_result( $url_query );
      if ( tep_not_null( $row['products_url'] ) ) {
        tep_redirect('http://' . $row['products_url']);
      }
    }
  } elseif (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
    $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
    if (tep_db_num_rows($check_query)) {
      tep_redirect('http://' . $HTTP_GET_VARS['goto']);
    }
  }
  break;

 

Both work, but I chose to use #2 (Modifying the product url code for Security Pro) because the installation file states:

 

A word of warning:

 

Try your hardest not to exclude files in this manner. If they are payment or shipping files then fine .. but not for badly written contributions, in these cases the contribution should be modified so that it no longer passes bad characters.

 

Also never be tempted to weaken Security Pro by adding characters to the whitelist, you will restrict the scripts ability to do its job.

 

Hope I made the better choice!!!

 

Thank you for the contribution FWR Media.

 

Best Regards,

Sonny


You did indeed.


I have a question on what version of security pro to install on a new site.

I notice that SecurityPro_1.0.2 has an installer.php script.

2.0 only has fwr_media_security_pro.

Should I install 1.0.2.first then upgrade??

 

I tried reading here first but didn't find anything.

Thank You

DWP


2.0 is a full product and needs no database install.


Hi,

I added the latest version of Security Pro and it works for the english version of my site.

My site also has Greek language installed. When I add the edit for special characters I get

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/**/includes/modules/fwr_media_security_pro.php:1) in /home/*/includes/functions/sessions.php on line 98

 

I used notepad to save the file. My charset on the site is 'CHARSET', 'iso-8859-7'. The choices on notepad are ANSI, unicode, unicode big endian and UTF-8. I used UTF-8.

I know someone had a similar problem and you said this usually means a space or BOM before the opening <?php tag. There is no space, and I'm not sure what a BOM is.

 

I also read that someone used

$cleansed = preg_replace( "/[^\s{}a-z0-9äüöéèê_\.\-]/i", "", urldecode( $get ) );

 

So my question is if I just add the Greek letters small and capital in the code above is it the same or just as good as trying to get the code below to work?

Am I saving it in the wrong charset?

 

Any help is greatly appreciated.

Thank you in advance.

 

I am adding the edit I made in case I made a mistake:

 

 

function spro_cleanse_get_recursive( $get ) {
  /**
   * IMPORTANT - DO NOT use the below to gimp the whitelist, this should be used for valid language special characters only
   *
   * @example $lang_additions = 'åÅäÄöÖ';
   * @var string - Valid language special characters to be added to the whitelist
   */
  $lang_additions = 'αβγ'; // Special language characters go here - see the example above
  if ( !is_array( $get ) ) {
    $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
    // Apply the whitelist
    $pattern = "/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i";
    $cleansed = preg_replace( $pattern, "", urldecode( $get ) );
    // Remove banned words
    $cleansed = preg_replace( $banned_string_pattern, '', $cleansed );
    // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
    return preg_replace( '@[-]+@', '-', $cleansed );
  }
  // Add the preg_replace to every element.
  return array_map( 'spro_cleanse_get_recursive', $get );
}

/**
 * Security Pro Querystring whitelist protection against hacking.



If you are adding special language characters to a file then the file has to be saved as the correct charset (in this case ISO-8859-7) and no, UTF-8 is a different charset.

 

Try using a more capable flat file editor .. although I don't use it notepad++ gets a lot of good reviews and it's free.

 

notepad++ has an option to save without BOM, which should always be the case with PHP files.

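The "headers already sent (output started at .../fwr_media_security_pro.php:1)" warning earlier in this thread is exactly what a BOM produces: the editor writes three invisible bytes in front of <?php, PHP sends them as page output, and session_start() can no longer set its headers. The script below is an added example, not code from this thread or from Security Pro, that checks a PHP file for the problems discussed here: a BOM or whitespace before <?php, stray output after a closing ?>, and non-ASCII bytes that are valid UTF-8 rather than the shop's declared charset (ISO-8859-7 is assumed, as in the post above). The two sample files GOOD_FILE and BAD_FILE are constructed for the demonstration.

```python
import codecs

# Constructed sample files (not from the thread). GOOD_FILE is what a Greek
# shop's fwr_media_security_pro.php should look like when saved as ISO-8859-7:
# the letters αβγ are the single bytes E1 E2 E3. BAD_FILE is the same file as
# Notepad's "UTF-8" option writes it: a UTF-8 BOM first, then αβγ as six bytes.
GOOD_FILE = b"<?php\n$lang_additions = '\xe1\xe2\xe3';\n"
BAD_FILE = codecs.BOM_UTF8 + "<?php\n$lang_additions = '\u03b1\u03b2\u03b3';\n".encode("utf-8")

BOMS = (
    (codecs.BOM_UTF8, "UTF-8 BOM"),
    (codecs.BOM_UTF16_LE, "UTF-16 LE BOM"),
    (codecs.BOM_UTF16_BE, "UTF-16 BE BOM"),
)


def check_php_source(data, charset="iso-8859-7"):
    """Return the problems that make PHP send output before <?php (so that
    session_start() fails with 'headers already sent') or that show the file
    was not saved in the shop's declared charset. An empty list means clean."""
    problems = []
    for bom, name in BOMS:
        if data.startswith(bom):
            problems.append(name + " before <?php")
            data = data[len(bom):]
            break
    body = data.lstrip(b" \t\r\n")
    if body != data:
        problems.append("whitespace or newline before <?php")
    if not body.startswith(b"<?php"):
        problems.append("file does not start with <?php")
    # Anything after the final ?> except one newline is also output.
    # (Assumes the last ?> in the file really is the closing tag.)
    end = data.rfind(b"?>")
    if end != -1 and data[end + 2:] not in (b"", b"\n", b"\r\n"):
        problems.append("output after closing ?>")
    # Non-ASCII bytes must be the declared charset. If they also form valid
    # UTF-8 multibyte sequences, the editor almost certainly saved UTF-8, and
    # the characters added to the whitelist will not match what the browser
    # sends for an ISO-8859-7 page.
    if any(b > 0x7F for b in data):
        try:
            data.decode("utf-8")
            problems.append("non-ASCII bytes are valid UTF-8; file probably saved as UTF-8, not " + charset)
        except UnicodeDecodeError:
            pass
        try:
            data.decode(charset)
        except UnicodeDecodeError:
            problems.append("non-ASCII bytes do not decode as " + charset)
    return problems


def check_php_file(path, charset="iso-8859-7"):
    """Run check_php_source() on a file on disk (path is caller-supplied)."""
    with open(path, "rb") as fh:
        return check_php_source(fh.read(), charset)


if __name__ == "__main__":
    print("GOOD_FILE:", check_php_source(GOOD_FILE))
    print("BAD_FILE: ", check_php_source(BAD_FILE))
```

Run it against catalog/includes/modules/fwr_media_security_pro.php with check_php_file(); a clean file returns an empty list. The UTF-8 test is a heuristic: a short run of ISO-8859-7 bytes can in rare cases also be valid UTF-8, so treat that finding as "look at the editor's save-as options", not as proof.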

Hello,

 

Do I need to install the full Security Pro 1.02 and THEN upgrade to 2.0?

 

The instructions for 2.0 are very simple and dont mention that anything from 1.02 is required.

 

I installed 2.0 and added the additions to application_top.php and copied over the security_pro.php file to catalog/includes/modules but it doesn't seem to work when I apply the

test string [w](o)%3Cr%3Ek|i*n^g in the search box. I get the following result in my url:

 

http://www.mydomain.com/advanced_search_result.php?keywords=%5Bw%5D%28o%29%253Cr%253Ek%7Ci*n%5Eg&x=33&y=8

 

Thank you in advance for instructions on how to get this great contribution to work.

 

Regards,

 

Sam


Please see post #237

 

What's in the URL is unimportant. What is in _GET and HTTP_GET_VARS is what matters.


Hi Robert

 

Is Security Pro compatible with this contribution?

 

http://addons.oscommerce.com/info/5390

 

I have no clue about php and I saw you write this

"The concept here (not a new one) is to totally sanitise the incoming ($_GET/$HTTP_GET_VARS) at source (the top of catalog/includes/application_top.php) then to sanitise $_REQUEST by $_REQUEST = $_GET + $_POST (Yes we lost $_COOKIE)."

and it made me wonder if it would disable the contribution Cart Cookie?


Hello all,

 

Having installed Security Pro in the last few weeks, is there a very simple way for me to test that it is actually working, without my causing too much damage to my current test site >_<

 

Well on a standard osCommerce you would put the test code in the search box and press return. When you look again at the search box it should have been reduced to just "working".


Hi all,

 

Many thanks for the swift response! Have just cut and pasted the '[w](o)%3Cr%3Ek|i*n^g' characters into the search box and it came back with 'working'. All ok?

 

Yup


I have installed security pro file

fwr_media_security_pro

 

into this folder per the instructions

 

includes/modules/

 

Then made the changes in application_top.php

 

but when I put the query in my site's search bar:

[w](o)%3Cr%3Ek|i*n^g

 

it did not say "working"

it just shows nothing.

 

rc2a version

 

any ideas?


Just installed on a test site and got the following error:

 

Fatal error: Call to a member function cleanse() on a non-object in /home/username/public_html/includes/application_top.php on line 57

 

The compatibility functions are called after this, so I'm not sure where to proceed. Any help would be appreciated.

