cgutzmer (Posted March 5, 2011)

I have the same issue as starcarlton above so I don't know how to verify it's working. I don't think it does.... I enter ©essna, a common search term on my site, and expect the () to get filtered out. The search box is left blank but looking in the URL of my site www dot ecardmodels dot com the URL at the top shows ©essna and I expect it to just read cessna. My site has been defaced a couple of times now and I suspect SQL injection of some sort... any suggestions greatly appreciated. Thanks in advance!

Chris

Chris Gutzmer
FWR Media (Author, Posted March 5, 2011)

> I have the same issue as starcarlton above so I don't know how to verify it's working. I don't think it does....

If you installed it correctly then it works; neither of you have "an issue". The contents of the URL bar in the browser is irrelevant as it contains the original query. The server populates the _GET superglobal with the parsed representation of the URL, then Security Pro cleanses it at source (early in the bootstrap/application_top.php).

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers (a KISS contribution)
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
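To make the "cleanse at source" mechanism described in the reply above concrete, here is an added example in the same spirit. It is not Security Pro's own code: cleanse_value(), cleanse_request(), is_excluded(), the $excluded_files list and the $lang_additions string are this example's own assumptions, and the whitelist pattern is modelled on the one quoted later in this thread. It runs stand-alone with a constructed $_GET array holding the thread's test search term.

```php
<?php
// Added example, not Security Pro's own code: a minimal "cleanse $_GET at
// source" filter of the kind described in the thread, shown end to end.
// cleanse_value(), cleanse_request(), is_excluded(), $excluded_files and
// $lang_additions are this example's own assumptions.

// Extra letters a shop may allow (Hungarian vowels mentioned in this thread).
$lang_additions = 'őŐűŰöÖóÓéÉúÚáÁíÍüÜ';

// Scripts whose query string must be left alone (the addExclusion idea);
// matched on the script file name only.
$excluded_files = array('some_file.php');

function is_excluded($php_self, array $excluded_files) {
    return in_array(basename($php_self), $excluded_files, true);
}

// Remove every character that is not on the whitelist: whitespace, braces,
// letters, digits, underscore, dot, hyphen and the language additions.
// /i ignores case; /u makes the class operate on UTF-8 characters rather
// than on the single bytes of a multibyte letter.
function cleanse_value($value, $lang_additions) {
    // Undo one extra layer of percent-encoding first. The browser turns the
    // "%" typed into the search box into "%25", so PHP hands us "%3C";
    // decoding it to "<" lets the whitelist remove the whole thing instead
    // of leaving the hex digits "3C" behind.
    $decoded = rawurldecode($value);
    return preg_replace('/[^\s{}a-z0-9_\.\-' . $lang_additions . ']/iu', '', $decoded);
}

// Walk the request array recursively so nested values (checkbox groups,
// attribute arrays) are cleansed too; keys are filtered with the same rule.
function cleanse_request(array $request, $lang_additions) {
    $clean = array();
    foreach ($request as $key => $value) {
        $clean_key = cleanse_value((string) $key, $lang_additions);
        $clean[$clean_key] = is_array($value)
            ? cleanse_request($value, $lang_additions)
            : cleanse_value((string) $value, $lang_additions);
    }
    return $clean;
}

// Constructed request: what PHP puts into $_GET for the thread's test search,
// advanced_search_result.php?keywords=%5Bw%5D%28o%29%253Cr%253Ek%7Ci*n%5Eg
$PHP_SELF = '/catalog/advanced_search_result.php';
$_GET = array(
    'keywords'              => '[w](o)%3Cr%3Ek|i*n^g',
    'search_in_description' => '1',
);

if (!is_excluded($PHP_SELF, $excluded_files)) {
    $_GET = cleanse_request($_GET, $lang_additions);
}

// The URL bar still shows the original query; only the server-side copy
// that the application reads has been cleansed.
echo $_GET['keywords'], PHP_EOL;
```

Run from the command line, the keywords value comes out as "working", which is the check the contribution's own instructions describe: the browser's address bar is untouched because the filter runs on the server's copy of the query, after PHP has already parsed the URL. The rawurldecode() step is the reason the hex digits of "%3C" do not survive; the same filter without that step would leave "wo3Cr3Eking".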
cgutzmer (Posted March 5, 2011)

Super :) thanks, that's all the confirmation I need! It's just hard to tell since the given test didn't give the results expected. Great contribution!
Cheepnis (Posted March 21, 2011)

I've downloaded the contrib tonight and installed it correctly (file uploaded to correct path, code inserted as instructed). I did not have any errors. I closed my browser and reopened the store and did an advanced search (and looking in description) on the term:

    [w](o)%3Cr%3Ek|i*n^g

The response was "no product found" and the characters remained in the search box, without anything stripped. When I do an advanced search (and looking in description) on the term "working" I get several results as expected. It appears to me that this isn't working. Did I miss something? Here's the snippet from includes/application_top:

    // set php_self in the local scope
    if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

    // Security Pro by FWR Media
    include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
    $security_pro = new Fwr_Media_Security_Pro;
    // If you need to exclude a file from cleansing then you can add it like below
    //$security_pro->addExclusion( 'some_file.php' );
    $security_pro->cleanse( $PHP_SELF );
    // End - Security Pro by FWR Media

    if ($request_type == 'NONSSL') {
      define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
    } else {
      define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
    }
Cheepnis (Posted March 21, 2011)

> [...] It appears to me that this isn't working. Did I miss something?

Never mind. I applied the patch below and everything tests fine now. Thanks!

In (catalog)/includes/functions/compatibility.php

Find ..

    // $HTTP_xxx_VARS are always set on php4
    if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
    if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
    if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();

Replace with ..

    if (PHP_VERSION >= 4.1) {
      $HTTP_GET_VARS =& $_GET;
      $HTTP_POST_VARS =& $_POST;
      $HTTP_COOKIE_VARS =& $_COOKIE;
      $HTTP_SESSION_VARS =& $_SESSION;
      $HTTP_POST_FILES =& $_FILES;
      $HTTP_SERVER_VARS =& $_SERVER;
    } else {
      if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
      if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
      if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();
    }
FWR Media (Author, Posted March 21, 2011)

> Hi, First of all, thanks a lot for sharing this, it seems to be a very useful and important contribution. I just installed this in my test site, and it seems to work but I'm not sure. If I put a search string in the search box like "|C*6^5" (there is a product called C65), I get different results if I turn it on or off. When switched on, the shop returns the product found correctly, and the search box shows "C65" without the dangerous characters. When switched off, it returns "no such product found" and the search box shows the full string with all the characters. I understand this is OK and the way it's supposed to work. OTOH, I have tried this: But it simply returns the shop's normal start page, both with the contrib switched on or off. Is this normal or am I missing something? It looks to me as if it's ignoring the "fwrtest=..." parameter. TIA for your time.

Hi Daniel

You are taking testing a little further than you need, I think. Your first example of:

> If I put a search string in the search box like "|C*6^5" (there is a product called C65), I get different results if I turn it on or off.

is a perfect test as it uses the osCommerce search system and proves that Security PRO is working as intended. The second test will never do anything unless you code into the site the _GET array to be printed out.
samwoods (Posted March 31, 2011)

Hi there,

Firstly, thanks for the contrib! I have downloaded and installed this module and it all seems to work when tested. The only conflict I am having is with my payment module. I have added the filename (cc_via_migs.php) in the exclude list and I am assuming this is the correct file as it is the only one that references the payment gateway in the includes/module folder. Unfortunately there is still a conflict even when I exclude the file. If you could let me know if there is any other area that I need to look at then your help would be much appreciated.

Regards,
Sam
vakondweb (Posted April 1, 2011)

I installed Security Pro, it works, but it is too good :) The problem is it also removes the special Hungarian characters, so customers cannot search words which contain these characters: őŐűŰöÖóÓéeÉeúÚáÁíÍüÜ. How can I enable these special characters? Thank you in advance!

Laci from Hungary
FWR Media (Author, Posted April 1, 2011)

> I installed Security Pro, it works, but it is too good :) The problem is it also removes the special Hungarian characters, so customers cannot search words which contain these characters: őŐűŰöÖóÓéeÉeúÚáÁíÍüÜ. How can I enable these special characters? Thank you in advance! Laci from Hungary

Hi Laci

Read back a bit in this support thread. You can add valid special language characters to the whitelist.
vakondweb (Posted April 1, 2011)

> Hi Laci. Read back a bit in this support thread. You can add valid special language characters to the whitelist.

Thank you very much, I did not find it at first. Now it is perfect! :thumbsup:
here2learn (Posted April 11, 2011)

I see the latest Security Pro version (2.0) was released on 23 Dec 2010, i.e. after osC 2.31 came out. Will it (Security Pro 2.0) work with my osC 2.2 RC2 or should I download Security Pro 1.02, released in 2008, which was specifically for osC 2.2x?

Another question. How do I add these characters to be allowed:

    àÀ áÁ ãà â äÄ èÈ éÉ êÊ ëË ìÌ íÍ ïÏ òÒ óÓ õÕ ôÔ öÖ ùÙ úÚ üÜ çÇ @ <-- for email purpose

My language is Portuguese so all the characters above may be used.
here2learn (Posted April 13, 2011)

Nobody? I just want to know if the latest version of Security Pro works with osC 2.2 RC2 and how to add the letters above to the list of allowed characters. I am not asking how to install it. As far as I understood, the latest Security Pro version is for osC 2.31 and if this is really the case, then I am not sure whether I will be protected since, like I said before, I am using osC 2.2 RC2, and thus I could be fooled into believing everything is ok while my site is vulnerable to hackers.

Edited April 13, 2011 by here2learn
here2learn (Posted April 15, 2011)

Has anyone heard of HTML Purifier? http://htmlpurifier.org/ A better way to whitelist, since it doesn't remove characters as far as I understood. Interesting that I stay hours awake searching for things like this, but have very little knowledge of how to implement it. I will continue with my search, because I want to retain the maximum characters possible, including latin1 ones, while knowing I am safe. Maybe I will start a thread about this later.

Edited April 15, 2011 by here2learn
Guzappum (Posted August 19, 2011)

Greetings,

I applied this very useful contribution and have special language characters in product names so made the required modifications from: #198 - Modification for Languages that have Special Characters. Everything works fine now, thanks for this modification to Robert.

I was just wondering about the solution: in the spirit of the-smaller-whitelist-the-better, couldn't the special characters be replaced with their "normal" counterparts (example: ö to o)? That way no expansion of the whitelist would be necessary, as OsC search brings up products with specials if searched for the normal counterpart. What do you think and how could one do this?
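The approach asked about in the post above, folding accented letters to their plain counterparts before the whitelist runs, looks like this as an added example. It is not Security Pro's code and not an answer given in the thread; the $fold_map table (built from the Hungarian and Portuguese letters mentioned earlier in the thread) and fold_then_cleanse() are this example's own assumptions.

```php
<?php
// Added example, not Security Pro's own code: fold accented letters to their
// plain counterparts *before* the whitelist regex runs, so the whitelist
// itself can stay at its small default. $fold_map and fold_then_cleanse()
// are this example's own assumptions.

// Explicit mapping, constructed from the letters mentioned in this thread.
// An explicit table is predictable; iconv()'s //TRANSLIT depends on the
// system locale and may emit '?' for letters it cannot fold.
$fold_map = array(
    'á' => 'a', 'Á' => 'A', 'à' => 'a', 'À' => 'A', 'â' => 'a', 'Â' => 'A',
    'ã' => 'a', 'Ã' => 'A', 'ä' => 'a', 'Ä' => 'A',
    'é' => 'e', 'É' => 'E', 'è' => 'e', 'È' => 'E', 'ê' => 'e', 'Ê' => 'E',
    'ë' => 'e', 'Ë' => 'E',
    'í' => 'i', 'Í' => 'I', 'ì' => 'i', 'Ì' => 'I', 'ï' => 'i', 'Ï' => 'I',
    'ó' => 'o', 'Ó' => 'O', 'ò' => 'o', 'Ò' => 'O', 'ô' => 'o', 'Ô' => 'O',
    'õ' => 'o', 'Õ' => 'O', 'ö' => 'o', 'Ö' => 'O', 'ő' => 'o', 'Ő' => 'O',
    'ú' => 'u', 'Ú' => 'U', 'ù' => 'u', 'Ù' => 'U', 'ü' => 'u', 'Ü' => 'U',
    'ű' => 'u', 'Ű' => 'U',
    'ç' => 'c', 'Ç' => 'C',
);

function fold_then_cleanse($value, array $fold_map) {
    // strtr() with an array replaces longest keys first and never re-scans
    // its own output, so each multibyte UTF-8 letter is swapped atomically.
    $folded = strtr(rawurldecode($value), $fold_map);
    // The base whitelist from the thread, with no language additions at all.
    // Any accented letter missing from the map is simply removed here.
    return preg_replace('/[^\s{}a-z0-9_\.\-]/i', '', $folded);
}

// Constructed inputs: a Hungarian town name, a Portuguese word, and the
// thread's hostile test string, which must still collapse to "working".
$samples = array('Kőszeg', 'ação', '[w](o)%3Cr%3Ek|i*n^g');
foreach ($samples as $sample) {
    echo $sample, ' -> ', fold_then_cleanse($sample, $fold_map), PHP_EOL;
}
```

The order matters: folding has to happen before the filter, because the filter removes every byte of an unlisted multibyte letter. The fold is lossy by design, so it only makes sense where the database search already matches "o" against "ö" (which is what the post above reports for osCommerce); product names or emails that must round-trip exactly should be whitelisted instead.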
cornishpirate (Posted September 29, 2011)

In the UK, Streamline, now part of Worldpay, are pushing hard for PCI DSS compliance. They've teamed up with TrustWave and we've been encouraged to use their TrustKeeper IP Scanning system for vulnerabilities. The only item my site is failing on is XSS, despite the magnificent presence of Security Pro 2!!

    URL: ....../product_info.php?products_id=%3Cscript%3Ealert%28TK00000004%29%3C%2Fscript%3E
    Body matches:
    Vulnerability type: Reflected Cross-Site Scripting
    Vulnerable input type: URL Query Parameter
    Vulnerable input name: products_id

This may be a very dubious failure, but many of us will have to deal with it. Any thoughts?
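Whatever the scanner actually matched on (the post does not say), two controls sit independently of any querystring character filter and are what a reviewer would check for a parameter like products_id: the value is typed as an integer before it is used, and anything reflected into the page is HTML-encoded. The following is an added example of those two checks, not osCommerce's or Security Pro's code; validate_products_id() and render_not_found() are this example's own names, and the input is the scanner's probe as quoted in the post.

```php
<?php
// Added example, not osCommerce's or Security Pro's own code: the two checks
// that do not depend on a querystring character filter. The helper names
// are this example's own.

function validate_products_id($raw) {
    // A product id is a positive integer and nothing else. Anything that is
    // not exactly that is rejected, so markup never reaches SQL or the page
    // via this parameter. \z (not $) refuses a trailing newline too.
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function render_not_found($raw) {
    // If the raw value is ever reflected into HTML, encode it so that
    // < > " ' and & become entities and the browser renders text, not tags.
    return '<p>No product with id "'
         . htmlspecialchars($raw, ENT_QUOTES, 'UTF-8')
         . '" was found.</p>';
}

// Constructed input: the scanner's probe from the post, as PHP presents it
// in $_GET after percent-decoding the query string.
$_GET = array('products_id' => '<script>alert(TK00000004)</script>');

$id = validate_products_id($_GET['products_id']);
if ($id === null) {
    echo render_not_found($_GET['products_id']), PHP_EOL;
} else {
    echo 'Would look up product ', $id, PHP_EOL;
}
```

With the integer check in place the probe never becomes a lookup, and with the encoding in place the echoed text contains `&lt;script&gt;` rather than a tag; a scanner that searches the response body for its probe string verbatim will then find nothing to match. Security Pro's whitelist is a useful front filter, but per-parameter typing and output encoding are the controls a PCI assessor will expect to see regardless.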
midijay (Posted November 12, 2011)

I've installed version 2.0 and nothing seems to have changed; if I search using the string "[w](o)%3Cr%3Ek|i*n^g" then I get this in my URL:

    advanced_search_result.php?keywords=%5Bw%5D%28o%29%253Cr%253Ek%7Ci*n%5Eg&search_in_description=1

So it looks like it's not working? I'm running 2.2 RC2a with STS, and it wasn't totally clear if 2.0 of this contrib was suitable for 2.2 or just limited to 2.3, so I went ahead and installed version 1.0.2 of the contrib.... and still no change.

Any thoughts anyone? I know a lot of contributions need to work differently when STS is installed but I got the idea this worked fine with STS.
midijay (Posted November 12, 2011)

> I've installed version 2.0 and nothing seems to have changed; if I search using the string "[w](o)%3Cr%3Ek|i*n^g" then I get this in my URL: advanced_search_result.php?keywords=%5Bw%5D%28o%29%253Cr%253Ek%7Ci*n%5Eg&search_in_description=1 So it looks like it's not working? [...]

Sincere apologies, I was expecting the URL to look clean but in fact I had not properly read the simple instructions which state:

> Do the search then look back at the search box which should have been repopulated with the cleansed value. It should read "working".

So yes, my search box read "working", whereas without the contrib it would read the full crazy string.
fotomedia (Posted November 16, 2011)

Hi all

I installed everything, but when I try a search using the string "[w](o)%3Cr%3Ek|i*n^g" I get "wo3Cr3Eking". Search in my language (Slovenian) is also not working. I use $lang_additions ... What am I doing wrong?
sarahw167 (Posted January 30, 2012)

Is Security Pro 2.0 (r7) the full contribution?

kind regards,
Sarah
Guest (Posted January 30, 2012)

> Is Security Pro 2.0 (r7) the full contribution? kind regards, Sarah

Yes it is,

Chris
sarahw167 (Posted January 30, 2012)

> Yes it is, Chris

Thanks for your response.
tgely (Posted February 11, 2012)

I installed Security Pro and it works perfectly. I found a little problem with exact search. ("Exact matches can be searched for by enclosing keywords in double-quotes.") Tested on an osCommerce 2.3.1 shop.

Search "Speed 2":
without Security Pro returns 1 record
with Security Pro returns 3 records

I need some help. Thank you in advance!

Is it good? Change:

    "/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i"

to:

    '/[^\s{}a-z0-9_\.\-"' . $lang_additions . "]/i"

Gergely

Edited February 11, 2012 by Gergely

osCommerce based shop owner with minimal design and focused on background works. When the less is more. Email management with tracking pixel, package management for shipping, stock management, warehouse management with bar code reader, parcel shops management on 3000 pickup points without local store.
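The effect of the one-character whitelist change proposed in the post above can be checked directly. Here is an added example that applies both patterns, copied from the post, to the exact-match search it describes; it is not Security Pro's code, cleanse_keywords() is this example's own helper and $lang_additions is assumed empty.

```php
<?php
// Added example, not Security Pro's own code: the two whitelist patterns
// from the post applied to the exact-match search it describes.
// cleanse_keywords() is this example's own helper; $lang_additions is
// assumed empty.
$lang_additions = '';

// Pattern as shipped: the double quote is outside the class and is removed.
$pattern_shipped  = "/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i";

// Proposed pattern: the class also admits the double quote, so the quotes
// that mark an exact phrase survive cleansing.
$pattern_proposed = '/[^\s{}a-z0-9_\.\-"' . $lang_additions . "]/i";

function cleanse_keywords($pattern, $keywords) {
    return preg_replace($pattern, '', $keywords);
}

// Constructed input: the exact-match search from the post.
$search = '"Speed 2"';

foreach (array('shipped' => $pattern_shipped, 'proposed' => $pattern_proposed) as $name => $pattern) {
    $cleansed = cleanse_keywords($pattern, $search);
    // Count how many double quotes reached the application.
    printf("%-8s -> %s (quotes kept: %d)\n", $name, $cleansed, substr_count($cleansed, '"'));
}
```

With the shipped pattern the quotes are stripped before osCommerce's keyword parser sees them, so "Speed 2" is searched as the two separate keywords Speed and 2, which explains the wider result set reported in the post; with the proposed pattern the phrase arrives intact. Admitting the quote does mean it now reaches the SQL layer and is echoed back into the search box, so the escaping there (tep_db_input() on the query, htmlspecialchars() on output) is what keeps that safe; the whitelist is a front filter, not the only control.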
RMD27 (Posted March 1, 2012)

Hello Robert,

I left a message on the osc_sec thread to see if the contribution could be causing a problem with translation.
http://www.oscommerce.com/forums/topic/373777-oscommerce-security-osc-secphp/page__st__420__p__1625068#entry1625068

Here is what I wrote:

> Hi Taipo
>
> Google & Babel translate do not work on my site anymore, could the OSC SEC contribution be stopping it from working? I also have Security Pro 2.0 installed.
>
> These are the characters Google uses
> http://translate.google.com/translate?hl=en&sl=en&tl=sq&u=http%3A%2F%2Fwww.oscommerce.com%2F
>
> And this is what Babel uses
> http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Fwww.oscommerce.com%2F&lp=en_nl&btnTrUrl=Translate

I added % and & and = to the Security Pro whitelist but the translation from these pages comes back as a blank page for Google and with an error(0) for Babel.

Are the characters used by the translation services causing a problem? If so, can you please tell me what I need to do to get them working? :unsure:

Edited March 1, 2012 by RMD27
alfredor (Posted April 27, 2012)

Hi, very nice contribution, I only have a question. You write:

> Find ...
>
>     if ($request_type == 'NONSSL') {
>
> Add immediately ABOVE ...
>
>     // Security Pro by FWR Media
>     include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
>     $security_pro = new Fwr_Media_Security_Pro;
>     // If you need to exclude a file from cleansing then you can add it like below
>     //$security_pro->addExclusion( 'some_file.php' );
>     $security_pro->cleanse( $PHP_SELF );
>     // End - Security Pro by FWR Media
>
> That's it .. all installed!

The question is: does this contribution only work in NONSSL? Is it not necessary in the pages with SSL? Thanks for the answer. :-)
FWR Media (Author, Posted July 8, 2012)

Just found this support topic again. Sorry for the lack of replies :)