[contribution] Security Pro - Querystring protection against hackers.

[designcraft]

What code did they suggest was used to action this SQL injection?

 

Quite often these scans do produce false positives.

 

 

 

I emailed Security Metrics and I am waiting to hear back from them about what code was used to action the injection. I will let you know.

[designcraft]

I emailed Security Metrics and I am waiting to hear back from them about what code was used to action the injection. I will let you know.

 

 

 

I spoke with SM and they said that when the site is scanned it is coming back with 2 different responses from the same injection. They were saying that one link is trying to access the database (403 forbidden) and another link is redirecting to the store. I hope that makes sense. They need to return the same result.

 

http://domain/shop/advanced_search.php?osC...bf+and+1%3D1%22 is the bad page (1=0)

 

"http://domain/shop/advanced_search.php?osCsid=5d37d4b431f622349a5186de3b7822bf+and+1%3D0" is the good page (1=1)

[designcraft]

I spoke with SM and they said that when the site is scanned it is coming back with 2 different responses from the same injection. They were saying that one link is trying to access the database (403 forbidden) and another link is redirecting to the store. I hope that makes sense. They need to return the same result.

 

http://domain/shop/advanced_search.php?osC...bf+and+1%3D1%22 is the bad page (1=0)

 

"http://domain/shop/advanced_search.php?osCsid=5d37d4b431f622349a5186de3b7822bf+and+1%3D0" is the good page (1=1)

\\\\

 

 

This might make more sense.

 

 

The true statement:

 

http://www.domainname.com/index.php?main_p...d=2%20and%201=0

 

Is returning a 403 Forbidden error.

 

The false statement:

 

http://www.domainname.com/index.php?main_p...d=2%20and%201=1

 

Is returning the product page.

 

In order to become compliant, both the true and false statements must return the same page whether it be the 403 error or the product page.

[alba]

Robert

 

I have just stumbled across your contribution and i must say thanks, its something ive been looking for

 

Just a question in regards to its operation does it report to a log any errors? or can it be modified to report to a log? that way we can check it and see what its breaking in a live environment (cause when i test things i often miss a few pages, processes etc)

[♥FWR Media]

Robert

 

I have just stumbled across your contribution and i must say thanks, its something ive been looking for

 

Just a question in regards to its operation does it report to a log any errors? or can it be modified to report to a log? that way we can check it and see what its breaking in a live environment (cause when i test things i often miss a few pages, processes etc)

 

Actually I have virtually no reports of things breaking .. the main one was the PROTX payment module which had to be added to exclusions.

 

There is no way to create an error log as security pro doesn't know/care what it does or doesn't break it just cleanses the querystring.

[Mildway]

Hi FWR Media,

 

i tried to install your addon but it failed.

 

When i tried to run the SecurityPro_installer.php, i got this error message:

"Fatal error: Call to a member function add_current_page() on a non-object in /home/mysite/public_html/includes/application_top.php on line 312"

 

And now i can´t access my site, always say the same "fatal error"...

 

Do you know what is? Any tips how to resolve?

 

Here is the application_top.php:

 

// navigation history
 if (tep_session_is_registered('navigation')) {
   if (PHP_VERSION < 4) {
     $broken_navigation = $navigation;
     $navigation = new navigationHistory;
     $navigation->unserialize($broken_navigation);
   }
 } else {
   tep_session_register('navigation');
   $navigation = new navigationHistory;
 }
 $navigation->add_current_page();

 

Ah, if possible, in nexts updates, please write an "manual installation instructions". Autoinstallers really "sucks".

Like my case, if was provided an manual installation instructions, i could "UN-install" it, but with autoinstaller i can´t do this.

 

PS: Running on linux server, oscommerce RC2a

 

Cheers

James

Edited June 24, 2009 by Mildway

[♥FWR Media]

Hi FWR Media,

 

i tried to install your addon but it failed.

 

When i tried to run the SecurityPro_installer.php, i got this error message:

"Fatal error: Call to a member function add_current_page() on a non-object in /home/mysite/public_html/includes/application_top.php on line 312"

 

And now i can´t access my site, always say the same "fatal error"...

 

Do you know what is? Any tips how to resolve?

 

Here is the application_top.php:

 

// navigation history
 if (tep_session_is_registered('navigation')) {
   if (PHP_VERSION < 4) {
     $broken_navigation = $navigation;
     $navigation = new navigationHistory;
     $navigation->unserialize($broken_navigation);
   }
 } else {
   tep_session_register('navigation');
   $navigation = new navigationHistory;
 }
 $navigation->add_current_page();

 

Ah, if possible, in nexts updates, please write an "manual installation instructions". Autoinstallers really "sucks".

Like my case, if was provided an manual installation instructions, i could "UN-install" it, but with autoinstaller i can´t do this.

 

PS: Running on linux server, oscommerce RC2a

 

Cheers

James

 

The contribution has no issues and needs no uninstaller.

 

Fatal error: Call to a member function add_current_page() on a non-object is a known issue with oscommerce usually created by a non visible error and the session writing uncorrectly.

 

1) Leave the db as it is and remove the code you put in from application_top.php

 

2) close all your browsers to lose seesion then clear your cookies.

 

3) Test the site now works

 

4) Re add the code to application top being more careful.

[Mildway]

The contribution has no issues and needs no uninstaller.

 

Fatal error: Call to a member function add_current_page() on a non-object is a known issue with oscommerce usually created by a non visible error and the session writing uncorrectly.

 

1) Leave the db as it is and remove the code you put in from application_top.php

 

2) close all your browsers to lose seesion then clear your cookies.

 

3) Test the site now works

 

4) Re add the code to application top being more careful.

 

Hi FWR Media,

 

this error was showed when i was running the autoinstaller. After i placed the code on applicatrion_top.php and got another error, but in another line, i guess was 338 or 368, i don´t remember now....

 

Anyway, many thanks for information! Was what you said, just closed my browser and then worked ok, now i will test my payments modules, etc and if get problem i will post again. THANK YOU! :)

 

Ah, about writting an installation instructions, if possible, will be very nice. I don´t know, but i´m little

affraid running autoinstallers... i think is safer manually install due if you have a problem you can undo changes easy..

 

Best Regards

James

[Mildway]

Hi,

 

When i access www(dot)myshop.com/index.php?fwrtest=[w](o)%3Cr%3Ek|i*n^g

 

i don´t get the message "working". When i access it I get redirected to my main page (index).

 

Are this ok? the addon is set ON TRUE on admin. It is working?

 

Thanks

James

[♥multimixer]

Hi Robert

 

I just installed this small wonderthing and now it works perfect, that means, I don't know if it works or not, I hope hackers will know :) Thank you very much.

 

"Fatal error: Call to a member function add_current_page() on a non-object in /home/mysite/public_html/includes/application_top.php on line 312"

 

I had the same issue, unistalled manually by deleting security.php, undoing the changes in application_top.php, and droping the lines from the database. Then I tried one more time and everything went perfect, I don't know where my mind was the first time

 

Ah, if possible, in nexts updates, please write an "manual installation instructions"

 

You can see what tables are getting created in DB reading the installation file and just drop them

[ddsavage2000]

Not understanding how to install Security Pro 1.02 to osc 2.2 rc2a. As far as I got was downloading file. Using localhost for now. Any assistance greatly appreciated. Thanks.

[spooks]

Not understanding how to install Security Pro 1.02 to osc 2.2 rc2a. As far as I got was downloading file. Using localhost for now. Any assistance greatly appreciated. Thanks.

 

How do I install a contribution http://www.oscommerce.com/forums/index.php?sho...=0#entry1432157

[ddsavage2000]

Thanks Sam. Most or all of the information provide in the link I am aware of thanks to several of your post and other like yourself that have superior knowledge this particular system. However, none of the information detailed clarifies the installation of Security Pro 1.02.

[♥FWR Media]

thanks for the contributions

this is what i was looking for

 

i installed it and see this problem

Fatal error: Call to undefined function: fwr_clean_global() in /.../includes/application_top.php on line 88

 

if i disable the line from the application top code it works fine

 

perhaps you could have a suggestion what this could be

 

thanks

valeri

 

you have not uploaded one of the required files (or perhaps put it in admin by mistake?) .. go back over the install instructions .. there aren't many.

[ddsavage2000]

What I downloaded was a zip file. If there were instructions I missed them because I never found any information specifically relating to install, and trust me I have been searching.

[♥FWR Media]

What I downloaded was a zip file. If there were instructions I missed them because I never found any information specifically relating to install, and trust me I have been searching.

 

There is only one file to upload (after running the installer)

 

catalog/includes/functions/security.php

 

just upload the missing file.

[danny1977]

i installed security pro on a hardly modded site. when i try to test my site as explained on first page nothing happened.(nothing printed on screen)

so i tried everything i could with my little web knowledge .(set register globals off, erase http access, upgrade to php 5, tried to change variables at application top :) ...nothing worked )

when i search for how to make xss attack to prevent my site, i found this:

 

when you navigate your site with this :

 

http:// yoursite dot com/contact_us.php?&name=1&email=1&enquiry=[XSS%%FC%F0i%FE%DC()]

-----------------------

if you enable security pro it writes

 

XSSi

 

in contact us

 

if you disable it:

 

[XSS%üğişÜ()]

 

is written.

 

i think a very good way to test the script.

hope this helps someone...

 

 

 

thanks for the author of this wonderful contrib.i think a must for every oscommerce site.

cheers

gokhan

[♥multimixer]

one question. It's necessary to pass through special characters like äüöÄÜÖß posted from the search box. What's the way to do it? I've found it works if i modify the function like this:

 

function tep_clean_get__recursive($get_var)
 {
 if (!is_array($get_var))
 return preg_replace("/[^ {}a-zA-Z0-9ßäüöÄÜÖ_.-]/i", "", urldecode($get_var));

 // Add the preg_replace to every element.
 return array_map('tep_clean_get__recursive', $get_var);
 }

 

What do you think, do you see any problems? Please comment and point me in the right direction!

Yes adding limited but valid language characters is not an issue as long as you are careful not to allow in bad characters.

 

A shortened version that should work is ..

 

$get_var = preg_replace("/[^\s{}a-z0-9ßäüö_.-]/i", "", urldecode($get_var));

 

 

Our osComerce default language is Traditional Chinese, hence, we have to exclude advanced_search.php & advanced_search_result.php so that the search box works.

Can hackers inject malicious codes via the search box? If so, do you have any suggestions? Thank you in advance.

As standard osCommerce uses input filtering.

As long as you are using the RC2a versions of these files you should be fine .. it uses ..

 

tep_db_prepare_input

tep_db_input

 

And type casting on all user input added to the query.

 

Hope that helps.

 

Hi Robert

 

I was having an issue with search in Greek and Cyrillic characters. The search term (ie ελλαδα) was not included into the query.

 

Right now I have advanced_search_results.php excluded from cleansing via admin.

 

I just wonder, what is better to do, to keep this file excluded or to add Greek and Cyrillic characters to security.php?

[dodiewayne]

How do I install a contribution http://www.oscommerce.com/forums/index.php?sho...=0#entry1432157

 

I am also trying to install this - I have done all steps stated in the instructions included with the add on, except this one: "Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)."

 

Ok, I am not finding this file: am I overlooking this? I have found admin/configuration/but no FWR Security Pro? did I do something wrong?

[♥FWR Media]

I am also trying to install this - I have done all steps stated in the instructions included with the add on, except this one: "Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)."

 

Ok, I am not finding this file: am I overlooking this? I have found admin/configuration/but no FWR Security Pro? did I do something wrong?

 

You haven't run the database installer SecurityPro_installer.php

[dodiewayne]

You haven't run the database installer SecurityPro_installer.php

 

I have tried to "run" the installer - I guess I am just going about this all wrong. I have followed each and every step given:

 

Firstly: -

Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

 

Secondly:-

Upload security.php to catalog/includes/functions/

 

Finally:-

catalog/includes/application_top.php

 

 

 

Find ...

 

 

 

// set the application parameters

$configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);

while ($configuration = tep_db_fetch_array($configuration_query)) {

define($configuration['cfgKey'], $configuration['cfgValue']);

}

 

 

 

Add directly BELOW ...

 

 

 

// FWR Media Security Pro

if ( defined('FWR_SECURITY_PRO_ON') && FWR_SECURITY_PRO_ON === 'true' ) {

$fwr_security_excludes = array();

if ( defined('FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON') && FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON === 'true' )

$fwr_security_excludes = explode(',', FWR_SECURITY_PRO_FILE_EXCLUSIONS);

if ( !in_array(basename($_SERVER['PHP_SELF']), $fwr_security_excludes) )

include('includes/functions/security.php');

}

if ( function_exists('tep_clean_get__recursive') ) {

// Recursively clean $HTTP_GET_VARS and $_GET

// There is no legitimate reason for these to contain anything but ..

// A-Z a-z 0-9 -(hyphen).(dot)_(underscore) {} space

$HTTP_GET_VARS = tep_clean_get__recursive($HTTP_GET_VARS);

$_GET = tep_clean_get__recursive($_GET);

$_REQUEST = $_GET + $_POST; // $_REQUEST now holds the cleaned $_GET and std $_POST. $_COOKIE has been removed.

fwr_clean_global($_GET); // Change the $GLOBALS value to the cleaned value

}

// END - FWR Media Security Pro

 

 

 

Go into admin>configuration>FWR Security Pro and turn it on .. (set to true).

 

 

 

PLEASE NOTE: You MUST delete the install file catalog/SecurityPro_installer.php after use!

 

 

 

The main problem I am having is this: This installation was done via Fantastico so everything was basically installed for me. I tried to install Oscommerce via manually and got frustrated and quit. I just ordered new hosting that came with the script basically pre - installed. Ok - now I am trying to do this but I find no catalog file. Now in the one I did manually I did have a catalog file but in this one I do not find one. I have ran a search for the file and there is no such file. SO I installed Securtiy Pro installer php under public html/admin and security.php to public html /admin/includes/functions/ and admin/includes/application_top.php I find nothing that installed. I cannot continue onto the part where I am suppose to "Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)" because I still cannot find it. I am told that I did not run the installer...how do I do this. I am so sorry this sounds awful but I am new at this and appreciate any help.

[♥FWR Media]

I am so sorry this sounds awful but I am new at this and appreciate any help.

 

no no that's fine .. we all started somewhere.

 

About the "catalog" thing we use "catalog" as a standard term meaning the root of your site.

 

Some people have the site running from..

 

www.mysite.com

 

Some ..

 

www.mysite.com/catalog/

 

Some ..

 

www.mysite.com/catalog/shop/

 

When we say catalog we are just referring to where the root files are like product_info.php.

 

The installer goes there then you browse to it.

 

The security.php file goes in

<root of site>includes/functions/

Edited December 29, 2009 by FWR Media

[jada14]

I have tried to "run" the installer - I guess I am just going about this all wrong. I have followed each and every step given:

 

Firstly: -

Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

 

Secondly:-

Upload security.php to catalog/includes/functions/

 

Finally:-

catalog/includes/application_top.php

 

 

 

Find ...

 

 

 

// set the application parameters

$configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);

while ($configuration = tep_db_fetch_array($configuration_query)) {

define($configuration['cfgKey'], $configuration['cfgValue']);

}

 

 

 

Add directly BELOW ...

 

 

 

// FWR Media Security Pro

if ( defined('FWR_SECURITY_PRO_ON') && FWR_SECURITY_PRO_ON === 'true' ) {

$fwr_security_excludes = array();

if ( defined('FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON') && FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON === 'true' )

$fwr_security_excludes = explode(',', FWR_SECURITY_PRO_FILE_EXCLUSIONS);

if ( !in_array(basename($_SERVER['PHP_SELF']), $fwr_security_excludes) )

include('includes/functions/security.php');

}

if ( function_exists('tep_clean_get__recursive') ) {

// Recursively clean $HTTP_GET_VARS and $_GET

// There is no legitimate reason for these to contain anything but ..

// A-Z a-z 0-9 -(hyphen).(dot)_(underscore) {} space

$HTTP_GET_VARS = tep_clean_get__recursive($HTTP_GET_VARS);

$_GET = tep_clean_get__recursive($_GET);

$_REQUEST = $_GET + $_POST; // $_REQUEST now holds the cleaned $_GET and std $_POST. $_COOKIE has been removed.

fwr_clean_global($_GET); // Change the $GLOBALS value to the cleaned value

}

// END - FWR Media Security Pro

 

 

 

Go into admin>configuration>FWR Security Pro and turn it on .. (set to true).

 

 

 

PLEASE NOTE: You MUST delete the install file catalog/SecurityPro_installer.php after use!

 

 

 

The main problem I am having is this: This installation was done via Fantastico so everything was basically installed for me. I tried to install Oscommerce via manually and got frustrated and quit. I just ordered new hosting that came with the script basically pre - installed. Ok - now I am trying to do this but I find no catalog file. Now in the one I did manually I did have a catalog file but in this one I do not find one. I have ran a search for the file and there is no such file. SO I installed Securtiy Pro installer php under public html/admin and security.php to public html /admin/includes/functions/ and admin/includes/application_top.php I find nothing that installed. I cannot continue onto the part where I am suppose to "Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)" because I still cannot find it. I am told that I did not run the installer...how do I do this. I am so sorry this sounds awful but I am new at this and appreciate any help.

 

did anyone respond directly to this query, i am having the same issue and cannot find the FWR security Pro file under admin, getting a bit frustrated help please

[♥FWR Media]

did anyone respond directly to this query, i am having the same issue and cannot find the FWR security Pro file under admin, getting a bit frustrated help please

 

Which bit of the installation are you confused with?

 

1) Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

2) Upload security.php to catalog/includes/functions/

 

or ..

 

3) Adding the code block to catalog/includes/application_top.php

[jada14]

thanks for the prompt response,

 

I am unsure about number 1 , when you say browse to it , do you mean via the file manager or ftp, i have tried both any nothing seems to change, as a result i get no

FWR Security Pro option to turn on in my admin>configuration> as i think the installation is not installed correctly.