osCommerce

[contribution] Security Pro - Querystring protection against hackers.


FWR Media


New version - Revision 11

 

Security Pro 2.0 r11

 

Compatibility:

 

osCommerce versions: 2.2 through 2.3.2

 

PHP versions: 4 through 5.4.4

 

Changelog:

 

Easy upgrade from r7 - overwrite one single file.

  • Code rewritten to one new class
  • Added @ to allowed characters which allows compatibility with version 2.3.2.
  • Added ability to cleanse the keys of the _GET superglobal as well as the values ( PCI reasons )
  • Added the ability to add file exclusions in application_top.php as an array: $security_pro->addExclusions( array )
  • Added the ability to chain add exclusions in application_top.php:

$security_pro->addExclusion( 'some_file.php' )
              ->addExclusion( 'some_other_file.php' );

 

Functionality other than this remains the same

 

Security Pro 2.0 r11 add on

Link to comment
Share on other sites

First of all thanks for making it compatible with 2.3.2, it's much appreciated. :)

 

I'd like to know where exactly in the new file do I add the following function to allow foreign characters?

 

function spro_cleanse_get_recursive( $get ) {
	/**
	* IMPORTANT - DO NOT use the below to gimp the whitelist, this should be used for valid language special characters only
	*
	* @example $lang_additions = 'åÅäÄöÖ';
	* @var string - Valid language special characters to be added to the whitelist
	*/
	$lang_additions = ''; // Special language characters go here - see the example above
	if ( !is_array( $get ) ) {
		$banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
		// Apply the whitelist
		$pattern = "/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i";
		$cleansed = preg_replace( $pattern, "", urldecode( $get ) );
		// Remove banned words
		$cleansed = preg_replace( $banned_string_pattern, '', $cleansed );
		// Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
		return preg_replace( '@[-]+@', '-', $cleansed );
	}
	// Add the preg_replace to every element.
	return array_map( 'spro_cleanse_get_recursive', $get );
}

 

 

 

And another question, are we also meant to apply the following to the new version?

 

 

Modifying the product url code for Security Pro

 

As standard, osCommerce allows a link in product info which includes a URI with forward slashes. This is stripped by Security Pro, so below is revised code to restore the functionality without compromising the whitelist or excluding redirect.php.

 

catalog/product_info.php

 

Find ..

 

	<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></td>

 

Change to ..

 

		<td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=product&products_id=' . (int)$HTTP_GET_VARS['products_id'], 'NONSSL', true, false)); ?></td>

 

catalog/redirect.php

 

Find ..

 

case 'url':
  if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
    $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
    if (tep_db_num_rows($check_query)) {
      tep_redirect('http://' . $HTTP_GET_VARS['goto']);
    }
  }
  break;

Change to ...

 

case 'url':
  if ( ( isset( $HTTP_GET_VARS['goto'] ) && ( $HTTP_GET_VARS['goto'] == 'product' ) ) && ( isset( $HTTP_GET_VARS['products_id'] ) && is_numeric( $HTTP_GET_VARS['products_id'] ) ) ) {
    $url_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");
    if (tep_db_num_rows($url_query)) {
      $row = tep_db_fetch_array( $url_query );
      tep_db_free_result( $url_query );
      if ( tep_not_null( $row['products_url'] ) ) {
        tep_redirect('http://' . $row['products_url']);
      }
    }
  } elseif (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
    $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
    if (tep_db_num_rows($check_query)) {
      tep_redirect('http://' . $HTTP_GET_VARS['goto']);
    }
  }
  break;

 

Excuse the lack of formatting and indentation but the forum currently breaks it.

Edited by Biancoblu

~ Don't mistake my kindness for weakness ~

Link to comment
Share on other sites
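As an added example (not osCommerce or Security Pro code, and not part of the post above), the goto=product branch of the redirect.php change isolated into a plain function that can be run on its own. The product table is a constructed in-memory array standing in for TABLE_PRODUCTS_DESCRIPTION, the function name resolve_product_redirect is my own, and the numeric check uses ctype_digit, which is stricter than the is_numeric call in the thread's code; the elseif fallback that still accepts a raw goto URL is deliberately not modelled.

```php
<?php
// Added example, not osCommerce or Security Pro code. Models only the
// goto=product branch of the revised redirect.php: the browser supplies a
// numeric products_id, the target URL is read from the store's own product
// table, and the URL itself never travels through the querystring.

/**
 * Return the absolute redirect target for the request, or null when no
 * redirect should happen. $products_description is a constructed stand-in
 * for TABLE_PRODUCTS_DESCRIPTION, keyed by products_id.
 */
function resolve_product_redirect(array $get, array $products_description)
{
    if (!isset($get['goto']) || $get['goto'] !== 'product') {
        return null;                                   // not the product branch
    }
    // ctype_digit() is stricter than is_numeric(): digits only, no sign,
    // no exponent, no whitespace (a tightening of my own, not the thread's check)
    if (!isset($get['products_id']) || !ctype_digit((string) $get['products_id'])) {
        return null;
    }
    $products_id = (int) $get['products_id'];
    if (!isset($products_description[$products_id])) {
        return null;                                   // unknown product
    }
    $url = $products_description[$products_id]['products_url'];
    if (trim($url) === '') {
        return null;                                   // tep_not_null() equivalent
    }
    return 'http://' . $url;
}

// Constructed product rows: one with a manufacturer link, one without.
$products_description = array(
    12 => array('products_url' => 'www.example.com/artists/band-one'),
    13 => array('products_url' => ''),
);

$cases = array(
    'valid id'       => array('goto' => 'product', 'products_id' => '12'),
    'no url stored'  => array('goto' => 'product', 'products_id' => '13'),
    'unknown id'     => array('goto' => 'product', 'products_id' => '99'),
    'non-numeric id' => array('goto' => 'product', 'products_id' => '12abc'),
    'raw url'        => array('goto' => 'www.example.com/artists/band-one'),
);
foreach ($cases as $label => $get) {
    $target = resolve_product_redirect($get, $products_description);
    printf("%-15s -> %s\n", $label, $target === null ? '(no redirect)' : $target);
}
```

Running it prints one line per case; only the valid id yields a target, and a goto value that carries a URL with slashes is never consulted, which is what lets the product link work under Security Pro's whitelist without excluding redirect.php.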

@@Biancoblu

 

You need to do nothing except overwrite the file as mentioned in the update instructions.

Link to comment
Share on other sites

I'm probably missing something obvious and I'm sorry for asking, but my foreign characters get cleansed in the search box, they disappear. For example "für ihn" becomes "fr ihn".

So I have disabled sec pro until I find a fix.

~ Don't mistake my kindness for weakness ~

Link to comment
Share on other sites

@@Biancoblu

 

Security Pro was not designed specifically to be multi language, it was designed to accept only ASCII characters.

 

Trivial to add support though: -

 

function cleanseValueString( $string ) {
  $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
  // Apply the whitelist
  // Multi language mod
  $language_characters = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜ';
  $cleansed = preg_replace ( "/[^\s{}a-z0-9_\.\-@$language_characters]/i", "", urldecode ( $string ) );
  // Remove banned words
  $cleansed = preg_replace ( $banned_string_pattern, '', $cleansed );
  // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
  return preg_replace ( '@[-]+@', '-', $cleansed );
} // end method

 

You then must save the file as the correct charset ( e.g. UTF-8 or ISO-8859-1 etc )

Link to comment
Share on other sites

  • 2 weeks later...

Hi Robert,

 

Does this function, function cleanseValueString( $string ) {

replace the old function

function spro_cleanse_get_recursive( $get ) ?

 

???

 

When I try to search, for example, for the word supérieur ==> the search writes suprieur with the new function

 

Thank you very much for this update and your work

 


 

 

@@Biancoblu

 

Security Pro was not designed specifically to be multi language, it was designed to accept only ASCII characters.

 

Trivial to add support though: -

 

function cleanseValueString( $string ) {
  $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
  // Apply the whitelist
  // Multi language mod
  $language_characters = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜ';
  $cleansed = preg_replace ( "/[^\s{}a-z0-9_\.\-@$language_characters]/i", "", urldecode ( $string ) );
  // Remove banned words
  $cleansed = preg_replace ( $banned_string_pattern, '', $cleansed );
  // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
  return preg_replace ( '@[-]+@', '-', $cleansed );  
} // end method

 

You then must save the file as the correct charset ( e.g. UTF-8 or ISO-8859-1 etc )


Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum

 

Link to comment
Share on other sites


Hi Robert,

 

my problem is the search in French (search box). For example, the word supérieur is rewritten as suprieur. The é is deleted.

 

If I add é in $language_characters = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜé';

the search would then be good, no?

 

 

 

function cleanseValueString( $string ) {
  $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
  // Apply the whitelist
  // Multi language mod
  $language_characters = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜ';
  $cleansed = preg_replace ( "/[^\s{}a-z0-9_\.\-@$language_characters]/i", "", urldecode ( $string ) );
  // Remove banned words
  $cleansed = preg_replace ( $banned_string_pattern, '', $cleansed );
  // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
  return preg_replace ( '@[-]+@', '-', $cleansed );
} // end method


Regards
-----------------------------------------
Loïc

Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum

 

Link to comment
Share on other sites


  • 3 weeks later...

I need help. Tried to search through the pages of replies here, but no avail.

What I don't want to do is add product_info.php to the exclusions.

I am having problems when I add a product description that has apostrophe or quotes. I must have those because the description is for mp3 albums.

Thanks

Link to comment
Share on other sites

I am having problems when I add a product description that has apostrophe or quotes. I must have those because the description is for mp3 albums.

Thanks

 

Security Pro has nothing to do with products_description .. it protects the querystring.

Link to comment
Share on other sites

  • 2 weeks later...

Hello Robert and many thanks for your marvelous contributions!

 

Two questions:

 

1) Do I need to apply the modification in product_info.php as stated above?

 

2) Do I need to have capital letters in the $lang_additions string, if I add the u modifier to the preg_replace?

 

(My site is using UTF-8)

 

Sara

Link to comment
Share on other sites

Two questions:

 

1) Do I need to apply the modification in product_info.php as stated above?

 

2) Do I need to have capital letters in the $lang_additions string, if I add the u modifier to the preg_replace?

 

(My site is using UTF-8)

 

Sara

 

Which modification? I don't remember one for product_info.php

 

Re u modifier nope just include upper and lower case.

Link to comment
Share on other sites

@@FWR Media

Robert, in your post #207 you suggested changes to product_info.php. Presumably so that the manufacturers url will work. Security Pro will otherwise strip the forward slashes:

 

http://www.oscommerce.com/forums/topic/293326-contribution-security-pro-querystring-protection-against-hackers/page__st__200

 

Sara

Link to comment
Share on other sites

@@Juto

 

Yes I see.

 

I can't see that code any more in product_info.php ( 2.3.3 ) but if it does exist in your code then it should be changed.

 

same for the redirect code.

Edited by FWR Media
Link to comment
Share on other sites

  • 3 weeks later...

@@steve-doherty

 

Sounds like your server is running an ancient version of PHP.

Link to comment
Share on other sites

@@steve-doherty

 

LOL no! you are using a PHP version where support for it was discontinued 5 years ago! ( 31-12-2007 )

Link to comment
Share on other sites

  • 1 month later...

I am getting hack attempts on one of our sites using

 

"GET /shipping.php?osCsid=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"

 

Good old Havij.

 

It is having a minor (nuisance) effect on our database, but I thought Security Pro, which we have installed on all sites, would prevent this?

osCommerce user since 2003! :thumbsup:

Link to comment
Share on other sites
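An added example, not part of Security Pro or of the post above: a small PHP script that reads combined-format access log lines and groups the requests that carry SQL keywords in a decoded querystring parameter or a scanner user-agent, so the volume and source of probes like the one quoted can be checked independently of whatever the querystring filter does with them. The log lines are constructed for this example; the first reproduces the request from the post with a placeholder client address from the 203.0.113.0/24 documentation range, and the function names are my own.

```php
<?php
// Added example, not Security Pro code. Triage of combined-format access log
// lines: which clients send requests with SQL keywords in a decoded
// querystring parameter or a known scanner user-agent, against which scripts,
// and with what response status.

// Constructed log lines. The first reproduces the request quoted in the post,
// with a placeholder client address from the 203.0.113.0/24 documentation range.
$log_lines = array(
    '203.0.113.5 - - [10/Jan/2013:10:01:02 +0000] "GET /shipping.php?osCsid=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"',
    '198.51.100.7 - - [10/Jan/2013:10:01:05 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"',
    '203.0.113.5 - - [10/Jan/2013:10:01:09 +0000] "GET /index.php?osCsid=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"',
    '198.51.100.7 - - [10/Jan/2013:10:01:12 +0000] "GET /advanced_search_result.php?keywords=f%C3%BCr+ihn HTTP/1.1" 200 7310 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"',
);

/** Split one Apache/nginx "combined" log line into its fields, or return null. */
function parse_combined_log_line($line)
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+) "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return array(
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'target' => $m[4],
        'status' => (int) $m[6],
        'agent'  => $m[9],
    );
}

/** Reasons a request looks like a probe; an empty array means nothing matched. */
function probe_indicators(array $req)
{
    $reasons = array();
    $query = (string) parse_url($req['target'], PHP_URL_QUERY);
    parse_str($query, $params);   // decodes %xx and '+' the same way the application will
    foreach ($params as $name => $value) {
        if (is_string($value) && preg_match('/\bunion\b.+\bselect\b/i', $value)) {
            $reasons[] = "sql keywords in parameter $name";
        }
    }
    if (stripos($req['agent'], 'havij') !== false) {
        $reasons[] = 'scanner user-agent';
    }
    return $reasons;
}

/** Group flagged requests by client address. */
function triage_log(array $lines)
{
    $by_client = array();
    foreach ($lines as $line) {
        $req = parse_combined_log_line($line);
        if ($req === null) {
            continue;             // unparseable line; worth counting separately in real use
        }
        $reasons = probe_indicators($req);
        if (!$reasons) {
            continue;
        }
        $client = $req['client'];
        if (!isset($by_client[$client])) {
            $by_client[$client] = array('hits' => 0, 'paths' => array(), 'statuses' => array(), 'reasons' => array());
        }
        $by_client[$client]['hits']++;
        $by_client[$client]['paths'][parse_url($req['target'], PHP_URL_PATH)] = true;
        $by_client[$client]['statuses'][$req['status']] = true;
        foreach ($reasons as $why) {
            $by_client[$client]['reasons'][$why] = true;
        }
    }
    return $by_client;
}

foreach (triage_log($log_lines) as $client => $info) {
    printf("%s: %d flagged request(s) to %s, status %s; %s\n",
        $client,
        $info['hits'],
        implode(', ', array_keys($info['paths'])),
        implode('/', array_keys($info['statuses'])),
        implode('; ', array_keys($info['reasons'])));
}
```

On the constructed lines this reports 203.0.113.5 with two flagged requests to /shipping.php and /index.php, status 302, for both reasons, and nothing for the ordinary shopper. Because parse_str decodes the parameter the same way PHP will when the store handles it, the check sees the value as the application does, not the raw encoded form in the log.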

@@Biancoblu

 

Security Pro was not designed specifically to be multi language, it was designed to accept only ASCII characters.

 

Trivial to add support though: -

 

function cleanseValueString( $string ) {
 $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
 // Apply the whitelist
 // Multi language mod
 $language_characters = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜ';
 $cleansed = preg_replace ( "/[^\s{}a-z0-9_\.\-@$language_characters]/i", "", urldecode ( $string ) );
 // Remove banned words
 $cleansed = preg_replace ( $banned_string_pattern, '', $cleansed );
 // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
 return preg_replace ( '@[-]+@', '-', $cleansed );
} // end method

 

You then must save the file as the correct charset ( e.g. UTF-8 or ISO-8859-1 etc )

 

Hello Robert

 

If I can add another layer of complication!

 

This whitelisting of characters works BUT

 

You have to get the case of the letter correct.

 

In Latin characters you can put a or A and it will find A

 

But with the whitelisting of characters it will only find ΜΠΟΥΖΙ if you write ΜΠΟΥΖΙ, Μπουζι will not work.

 

Any ideas on how to make foreign characters work the same as latin characters?

Link to comment
Share on other sites
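An added example that is not part of Security Pro or of any post in this thread, covering three points raised above: the multi-language mod that hand-lists language characters, Sara's question about the u modifier and upper/lower case, and the Greek case problem in the post just above. It assumes PHP 5.3 or later with the mbstring extension, and that the PHP file, the shop pages and the request are all UTF-8; the function names are my own. It goes beyond the thread in one respect: the second function admits every Unicode letter with \p{L} instead of listing characters per language.

```php
<?php
// Added example, not code from Security Pro or from this thread. Two ways of
// letting non-ASCII letters through the querystring whitelist. Assumes PHP 5.3+
// with mbstring, and that file, pages and request are all UTF-8.

/**
 * Variant 1: the thread's hand-listed language characters, but with the /u
 * modifier so PCRE matches UTF-8 characters rather than bytes. Under /u the
 * /i flag case-folds non-ASCII letters too, so one case per character is enough.
 */
function cleanse_value_listed($string, $language_characters)
{
    $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
    $decoded = urldecode($string);
    // preg_replace() with /u returns NULL on malformed UTF-8; treat that as no valid input
    if (!mb_check_encoding($decoded, 'UTF-8')) {
        return '';
    }
    // preg_quote() keeps a stray ] or \ in the list from breaking the character class
    $pattern = '/[^\s{}a-z0-9_.\-@' . preg_quote($language_characters, '/') . ']/iu';
    $cleansed = preg_replace($pattern, '', $decoded);
    $cleansed = preg_replace($banned_string_pattern, '', $cleansed);
    return preg_replace('/-+/', '-', $cleansed);   // collapse hyphen runs, as the original does
}

/**
 * Variant 2: admit every Unicode letter via \p{L} instead of listing them.
 * Digits stay ASCII 0-9 and the punctuation set is unchanged, so the filter
 * is still a whitelist, only one that needs no per-language editing.
 */
function cleanse_value_unicode($string)
{
    $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
    $decoded = urldecode($string);
    if (!mb_check_encoding($decoded, 'UTF-8')) {
        return '';
    }
    $cleansed = preg_replace('/[^\s{}\p{L}0-9_.\-@]/u', '', $decoded);
    $cleansed = preg_replace($banned_string_pattern, '', $cleansed);
    return preg_replace('/-+/', '-', $cleansed);
}

// Constructed inputs, URL-encoded as a browser sends them: the search terms
// quoted in this thread, Greek in mixed case, and one value with characters
// that are outside the whitelist either way.
$samples = array(
    'f%C3%BCr+ihn',                               // für ihn
    'sup%C3%A9rieur',                             // supérieur
    '%CE%9C%CF%80%CE%BF%CF%85%CE%B6%CE%B9',       // Μπουζι
    'a%3Cb%3E--c',                                // a<b>--c
);
$listed = 'äåæðëöøßþüÿéΜΠΟΥΖΙ';   // one case of each character is enough under /iu
foreach ($samples as $raw) {
    printf("%-40s listed: %-12s unicode: %s\n",
        $raw, cleanse_value_listed($raw, $listed), cleanse_value_unicode($raw));
}
```

Without /u, PCRE treats both pattern and subject as bytes, so a character such as é goes into the class as its two UTF-8 bytes and /i folds ASCII only; that is why a list holding only ΜΠΟΥΖΙ rejects Μπουζι, and why the file's charset has to match the request's. With /iu one case of each listed letter suffices, and with \p{L} no list is needed at all; digits, punctuation, the banned words and the hyphen collapse are unchanged.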

  • 4 weeks later...

Thanks for this cool contribution! It works great. However, I am having one issue with it. It seems to work well with any mixed characters that are entered in the search box at top, but does it protect any other input boxes on the site, such as when customers create accounts and enter email addresses and so forth? The company that does my PCI compliance says it doesn't. Please let me know if it does and I've didn't follow the install instruction or something.

 

Thanks,

 

Jason

Link to comment
Share on other sites

  • 4 months later...

When I test Security Pro 2.0 (r7) with [w](o)%3Cr%3Ek|i*n^g, on the main page I receive:

"Products meeting the search criteria

 

There is no product that matches the search criteria"

 

and in the search box the same characters [w](o)%3Cr%3Ek|i*n^g remain; they do not become empty.

 

Does that mean that it works?

Edited by alexman
Link to comment
Share on other sites
