FWR Media (thread author), posted July 19, 2012

New version - Revision 11

Security Pro 2.0 r11

Compatibility:
osCommerce versions: 2.2 through 2.3.2
PHP versions: 4 through 5.4.4

Changelog:
- Easy upgrade from r7 - overwrite one single file.
- Code rewritten to one new class.
- Added @ to allowed characters, which allows compatibility with version 2.3.2.
- Added ability to cleanse the keys of the _GET superglobal as well as the values ( PCI reasons ).
- Added the ability to add file exclusions in application_top.php as an array:

    $security_pro->addExclusions( array );

- Added the ability to chain add exclusions in application_top.php:

    $security_pro->addExclusion( 'some_file.php' )
                 ->addExclusion( 'some_other_file.php' );

- Functionality other than this remains the same.

Security Pro 2.0 r11 add on

-- 
Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
Biancoblu, posted July 22, 2012

First of all thanks for making it compatible with 2.3.2, it's much appreciated. :)

I'd like to know where exactly in the new file do I add the following function to allow foreign characters?

    function spro_cleanse_get_recursive( $get ) {
        /**
         * IMPORTANT - DO NOT use the below to gimp the whitelist, this should be used for valid language special characters only
         *
         * @example $lang_additions = 'åÅäÄöÖ';
         * @var string - Valid language special characters to be added to the whitelist
         */
        $lang_additions = ''; // Special language characters go here - see the example above
        if ( !is_array( $get ) ) {
            $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
            // Apply the whitelist
            $pattern = "/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i";
            $cleansed = preg_replace( $pattern, "", urldecode( $get ) );
            // Remove banned words
            $cleansed = preg_replace( $banned_string_pattern, '', $cleansed );
            // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
            return preg_replace( '@[-]+@', '-', $cleansed );
        }
        // Add the preg_replace to every element.
        return array_map( 'spro_cleanse_get_recursive', $get );
    }

And another question, are we also meant to apply the following to the new version?

Modifying the product url code for Security Pro

As standard osCommerce allows a link in product info which includes a URI with forward slashes. This is stripped by Security Pro so below is revised code to restore the functionality without compromising the white list or excluding redirect.php.

catalog/product_info.php

Find ..

    <td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=' . urlencode($product_info['products_url']), 'NONSSL', true, false)); ?></td>

Change to ..

    <td class="main"><?php echo sprintf(TEXT_MORE_INFORMATION, tep_href_link(FILENAME_REDIRECT, 'action=url&goto=product&products_id=' . (int)$HTTP_GET_VARS['products_id'], 'NONSSL', true, false)); ?></td>

catalog/redirect.php

Find ..

    case 'url':
      if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
        $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
        if (tep_db_num_rows($check_query)) {
          tep_redirect('http://' . $HTTP_GET_VARS['goto']);
        }
      }
      break;

Change to ...

    case 'url':
      if ( ( isset( $HTTP_GET_VARS['goto'] ) && ( $HTTP_GET_VARS['goto'] == 'product' ) ) && ( isset( $HTTP_GET_VARS['products_id'] ) && is_numeric( $HTTP_GET_VARS['products_id'] ) ) ) {
        $url_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");
        if (tep_db_num_rows($url_query)) {
          $row = tep_db_fetch_array( $url_query );
          tep_db_free_result( $url_query );
          if ( tep_not_null( $row['products_url'] ) ) {
            tep_redirect('http://' . $row['products_url']);
          }
        }
      } elseif (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
        $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");
        if (tep_db_num_rows($check_query)) {
          tep_redirect('http://' . $HTTP_GET_VARS['goto']);
        }
      }
      break;

Excuse the lack of formatting and indentation but the forum currently breaks it.

Edited July 22, 2012 by Biancoblu

-- 
~ Don't mistake my kindness for weakness ~
FWR Media (thread author), posted July 22, 2012

@Biancoblu You need to do nothing except overwrite the file as mentioned in the update instructions.
Biancoblu, posted July 22, 2012

I'm probably missing something obvious and I'm sorry for asking, but my foreign characters get cleansed in the search box, they disappear. For example "für ihn" becomes "fr ihn". So I have disabled sec pro until I find a fix.
FWR Media (thread author), posted July 22, 2012

@Biancoblu Security Pro was not designed specifically to be multi language, it was designed to accept only ASCII characters. Trivial to add support though: -

    function cleanseValueString( $string ) {
        $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
        // Apply the whitelist
        // Multi language mod
        $language_characters = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜ';
        $cleansed = preg_replace ( "/[^\s{}a-z0-9_\.\-@$language_characters]/i", "", urldecode ( $string ) );
        // Remove banned words
        $cleansed = preg_replace ( $banned_string_pattern, '', $cleansed );
        // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
        return preg_replace ( '@[-]+@', '-', $cleansed );
    } // end method

You then must save the file as the correct charset ( e.g. UTF-8 or ISO-8859-1 etc )
Biancoblu, posted July 22, 2012

@FWR Media Thanks very much for your help, I will try this fix and let you know.
Gyakutsuki, posted July 31, 2012

Hi Robert,

Does this function

    function cleanseValueString( $string ) {

replace the old function

    function spro_cleanse_get_recursive( $get ) {

???

When I try to search, for example with the word supérieur ==> the search writes suprieur with the new function.

Thank you very much for this update and your work.

> @Biancoblu Security Pro was not designed specifically to be multi language, it was designed to accept only ASCII characters. Trivial to add support though: - [...] You then must save the file as the correct charset ( e.g. UTF-8 or ISO-8859-1 etc )

-- 
Regards
Loïc
Contact me by skype for business
Contact me @gyakutsuki for an answer on the forum
FWR Media (thread author), posted July 31, 2012

@Gyakutsuki Not sure what your question is tbh.
Gyakutsuki, posted July 31, 2012

Hi Robert, my problem is the search in French (search box). For example the word supérieur is rewritten suprieur. The é is deleted.

If I add é in

    $language_characters = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜé';

the search would be good, no?

    function cleanseValueString( $string ) {
        $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
        // Apply the whitelist
        // Multi language mod
        $language_characters = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜ';
        $cleansed = preg_replace ( "/[^\s{}a-z0-9_\.\-@$language_characters]/i", "", urldecode ( $string ) );
        // Remove banned words
        $cleansed = preg_replace ( $banned_string_pattern, '', $cleansed );
        // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
        return preg_replace ( '@[-]+@', '-', $cleansed );
    } // end method
FWR Media (thread author), posted July 31, 2012

@Gyakutsuki Yes . . exactly as I told Biancoblu.
newburns, posted August 18, 2012

I need help. Tried to search through the pages of replies here, but to no avail. What I don't want to do is add product_info.php to the exclusions. I am having problems when I add a product description that has apostrophes or quotes. I must have those because the description is for mp3 albums.

Thanks
FWR Media (thread author), posted August 18, 2012

> I am having problems when I add a product description that has apostrophe or quotes. I must have those because the description is for mp3 albums. Thanks

Security Pro has nothing to do with products_description .. it protects the querystring.
Juto, posted August 30, 2012

Hello Robert and many thanks for your marvelous contributions!

Two questions:
1) Do I need to apply the modification in product_info.php as stated above?
2) Do I need to have capital letters in the $lang_additions string, if I add the u modifier to the preg_replace? (My site is using UTF-8)

Sara

-- 
Contributions:
http://addons.oscommerce.com/info/8010
http://addons.oscommerce.com/info/8204
http://addons.oscommerce.com/info/8681
FWR Media (thread author), posted August 30, 2012

> Two questions:
> 1) Do I need to apply the modification in product_info.php as stated above?
> 2) Do I need to have capital letters in the $lang_additions string, if I add the u modifier to the preg_replace? (My site is using UTF-8)
> Sara

Which modification? I don't remember one for product_info.php

Re u modifier nope just include upper and lower case.
Juto, posted August 30, 2012

@FWR Media Robert, in your post #207 you suggested changes to product_info.php. Presumably so that the manufacturer's url will work. Security Pro will otherwise strip the forward slashes:

http://www.oscommerce.com/forums/topic/293326-contribution-security-pro-querystring-protection-against-hackers/page__st__200

Sara
FWR Media (thread author), posted August 30, 2012

@Juto Yes I see. I can't see that code any more in product_info.php ( 2.3.3 ) but if it does exist in your code then it should be changed. Same for the redirect code.

Edited August 30, 2012 by FWR Media
Juto, posted August 30, 2012

@FWR Media Thanks Robert :) It's a pity that I can't buy you a beer... or something better, without using paypal.

Sara
steve-doherty, posted September 19, 2012

I installed this but now the site just displays:

    Parse error: syntax error, unexpected T_ARRAY, expecting ')' in /-absolute path-/catalog/includes/modules/fwr_media_security_pro.php on line 64

Any idea?

Thanks,
FWR Media (thread author), posted September 19, 2012

@steve-doherty Sounds like your server is running an ancient version of PHP.
steve-doherty, posted September 19, 2012

php 4.4.9. No good?
FWR Media (thread author), posted September 19, 2012

@steve-doherty LOL no! You are using a PHP version where support for it was discontinued 5 years ago! ( 31-12-2007 )
frankl, posted October 28, 2012

I am getting hack attempts on one of our sites using

    "GET /shipping.php?osCsid=999999.9+union+all+select+0x31303235343830303536-- HTTP/1.1" 302 - "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Havij"

Good old Havij. It is having a minor (nuisance) effect on our database, but I thought Security Pro, which we have installed on all sites, would prevent this?

-- 
osCommerce user since 2003!
RMD27, posted November 2, 2012

> @Biancoblu Security Pro was not designed specifically to be multi language, it was designed to accept only ASCII characters. Trivial to add support though: - [...] You then must save the file as the correct charset ( e.g. UTF-8 or ISO-8859-1 etc )

Hello Robert

If I can add another layer of complication! This whitelisting of characters works BUT you have to get the case of the letter correct. In Latin you can put a OR A and it will find A. But with the whitelisting of characters it will only find ΜΠΟΥΖΙ if you write ΜΠΟΥΖΙ, Μπουζι will not work.

Any ideas on how to make foreign characters work the same as Latin characters?
Trentide, posted November 26, 2012

Thanks for this cool contribution! It works great. However, I am having one issue with it. It seems to work well with any mixed characters that are entered in the search box at top, but does it protect any other input boxes on the site, such as when customers create accounts and enter email addresses and so forth? The company that does my PCI compliance says it doesn't. Please let me know if it does and I didn't follow the install instructions or something.

Thanks,
Jason
alexman, posted March 28, 2013

When I test Security Pro 2.0 (r7) with [w](o)%3Cr%3Ek|i*n^g, on the main page I receive: "Products meeting the search criteria There is no product that matches the search criteria", and the same characters [w](o)%3Cr%3Ek|i*n^g remain in the search box, they do not become empty. Does that mean that it works?

Edited March 28, 2013 by alexman
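To make the behaviour discussed in this thread concrete (Biancoblu's stripped ü, Gyakutsuki's supérieur, RMD27's Greek case question, Juto's u modifier question, frankl's logged Havij request and alexman's test string), here is an added Python port of the posted cleanseValueString() whitelist; it is not part of Security Pro and is not the author's code. It runs the same three steps in two modes: character-wise, as preg_replace behaves with the u modifier, and byte-wise, as it behaves without u on a UTF-8 file. GREEK_EXTRA is an assumed addition for the example; the inputs are taken from the thread.

```python
import re
from urllib.parse import unquote_plus

# Whitelist additions. LATIN_EXTRA is the list posted in the thread;
# GREEK_EXTRA is an assumed addition for this example, listing both cases
# explicitly (as the author advised) instead of relying on case folding.
LATIN_EXTRA = 'äåæðëöøßþüÿÄÅÆÐËÖØÞÜ'
GREEK_EXTRA = 'ΜΠΟΥΖΙμπουζι'

BANNED_WORDS = r'GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E'
BASE_CLASS = r'\s{}a-z0-9_.\-@'  # the r11 whitelist (@ included)


def cleanse_chars(value: str, extra: str = '') -> str:
    """Character-wise cleansing: what preg_replace does WITH the u modifier.

    Same steps as cleanseValueString(): urldecode, strip everything outside
    the whitelist, drop banned words, collapse runs of hyphens.
    """
    allowed = '[^' + BASE_CLASS + re.escape(extra) + ']'
    cleansed = re.sub(allowed, '', unquote_plus(value), flags=re.I)
    cleansed = re.sub(BANNED_WORDS, '', cleansed, flags=re.I)
    return re.sub(r'-+', '-', cleansed)


def cleanse_bytes(value: str, extra: str = '') -> bytes:
    """Byte-wise cleansing: what preg_replace does WITHOUT the u modifier.

    Every UTF-8 byte of the whitelist and of the subject counts as one
    character, so a multibyte letter can survive partially (invalid UTF-8)
    and any byte combination drawn from the listed letters is admitted.
    """
    allowed = (b'[^' + BASE_CLASS.encode() +
               re.escape(extra.encode('utf-8')) + b']')
    data = unquote_plus(value).encode('utf-8')
    cleansed = re.sub(allowed, b'', data, flags=re.I)
    cleansed = re.sub(BANNED_WORDS.encode(), b'', cleansed, flags=re.I)
    return re.sub(rb'-+', b'-', cleansed)


if __name__ == '__main__':
    # Biancoblu: without language additions the umlaut is stripped.
    print(cleanse_chars('für ihn'))                          # fr ihn
    print(cleanse_chars('für ihn', LATIN_EXTRA))             # für ihn
    # Gyakutsuki: é is not in the posted list; byte mode keeps a stray 0xC3
    # (the lead byte shared with ä), which is no longer valid UTF-8.
    print(cleanse_chars('supérieur', LATIN_EXTRA))           # suprieur
    print(cleanse_bytes('supérieur', LATIN_EXTRA))           # b'sup\xc3rieur'
    # frankl: the logged Havij query string, keyword UNION removed.
    print(cleanse_chars('999999.9+union+all+select+0x31303235343830303536--'))
    # alexman: the test string collapses to plain letters.
    print(cleanse_chars('[w](o)%3Cr%3Ek|i*n^g'))             # working
    # RMD27: with both Greek cases listed the word passes in either mode,
    # but byte mode also admits Tau (0xCE 0xA4), since each byte is listed.
    print(cleanse_chars('Μπουζι', LATIN_EXTRA + GREEK_EXTRA))  # Μπουζι
    print(cleanse_chars('Τ', LATIN_EXTRA + GREEK_EXTRA))       # (empty)
    print(cleanse_bytes('Τ', LATIN_EXTRA + GREEK_EXTRA))       # b'\xce\xa4'
```

The byte-mode results are the reason to save the file as UTF-8 and use the u modifier when the whitelist contains multibyte letters; listing both cases explicitly keeps the result independent of case folding.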