designcraft Posted June 8, 2009

> What code did they suggest was used to action this SQL injection? Quite often these scans do produce false positives.

I emailed Security Metrics and I am waiting to hear back from them about what code was used to action the injection. I will let you know.
designcraft Posted June 10, 2009

I spoke with SM and they said that when the site is scanned it is coming back with 2 different responses from the same injection. They were saying that one link is trying to access the database (403 forbidden) and another link is redirecting to the store. I hope that makes sense. They need to return the same result.

http://domain/shop/advanced_search.php?osC...bf+and+1%3D1%22 is the bad page (1=0)

"http://domain/shop/advanced_search.php?osCsid=5d37d4b431f622349a5186de3b7822bf+and+1%3D0" is the good page (1=1)
designcraft Posted June 10, 2009

This might make more sense. The true statement:

http://www.domainname.com/index.php?main_p...d=2%20and%201=0

Is returning a 403 Forbidden error. The false statement:

http://www.domainname.com/index.php?main_p...d=2%20and%201=1

Is returning the product page. In order to become compliant, both the true and false statements must return the same page whether it be the 403 error or the product page.
alba Posted June 23, 2009

Robert, I have just stumbled across your contribution and I must say thanks, it's something I've been looking for. Just a question in regards to its operation: does it report any errors to a log? Or can it be modified to report to a log? That way we can check it and see what it's breaking in a live environment (because when I test things I often miss a few pages, processes etc.)
♥FWR Media Posted June 23, 2009 Author

Actually I have virtually no reports of things breaking .. the main one was the PROTX payment module which had to be added to exclusions. There is no way to create an error log as Security Pro doesn't know/care what it does or doesn't break, it just cleanses the querystring.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls | KissMT Dynamic SEO Meta & Canonical Header Tags | KissER Error Handling and Debugging | KissIT Image Thumbnailer | Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
Mildway Posted June 24, 2009 (edited)

Hi FWR Media, I tried to install your addon but it failed. When I tried to run the SecurityPro_installer.php, I got this error message:

"Fatal error: Call to a member function add_current_page() on a non-object in /home/mysite/public_html/includes/application_top.php on line 312"

And now I can't access my site, it always says the same "fatal error"... Do you know what it is? Any tips how to resolve? Here is the application_top.php:

    // navigation history
    if (tep_session_is_registered('navigation')) {
      if (PHP_VERSION < 4) {
        $broken_navigation = $navigation;
        $navigation = new navigationHistory;
        $navigation->unserialize($broken_navigation);
      }
    } else {
      tep_session_register('navigation');
      $navigation = new navigationHistory;
    }
    $navigation->add_current_page();

Ah, if possible, in the next updates, please write "manual installation instructions". Autoinstallers really "suck". Like in my case, if manual installation instructions were provided, I could "UN-install" it, but with the autoinstaller I can't do this.

PS: Running on a Linux server, osCommerce RC2a

Cheers
James

Edited June 24, 2009 by Mildway
♥FWR Media Posted June 24, 2009 Author

The contribution has no issues and needs no uninstaller. "Fatal error: Call to a member function add_current_page() on a non-object" is a known issue with osCommerce usually created by a non-visible error and the session writing incorrectly.

1) Leave the db as it is and remove the code you put in from application_top.php
2) Close all your browsers to lose the session, then clear your cookies.
3) Test the site now works
4) Re-add the code to application_top.php, being more careful.
Mildway Posted June 24, 2009

Hi FWR Media, this error was shown when I was running the autoinstaller. After I placed the code in application_top.php I got another error, but on another line, I guess it was 338 or 368, I don't remember now.... Anyway, many thanks for the information! It was what you said, I just closed my browser and then it worked ok, now I will test my payment modules, etc. and if I get a problem I will post again. THANK YOU! :)

Ah, about writing installation instructions, if possible, it would be very nice. I don't know, but I'm a little afraid of running autoinstallers... I think it is safer to install manually because if you have a problem you can undo the changes easily..

Best Regards
James
Mildway Posted June 24, 2009

Hi,

When I access www(dot)myshop.com/index.php?fwrtest=[w](o)%3Cr%3Ek|i*n^g I don't get the message "working". When I access it I get redirected to my main page (index). Is this ok? The addon is set to TRUE in admin. Is it working?

Thanks
James
♥multimixer Posted July 13, 2009

Hi Robert

I just installed this small wonderthing and now it works perfectly, that means, I don't know if it works or not, I hope hackers will know :) Thank you very much.

> "Fatal error: Call to a member function add_current_page() on a non-object in /home/mysite/public_html/includes/application_top.php on line 312"

I had the same issue, uninstalled manually by deleting security.php, undoing the changes in application_top.php, and dropping the lines from the database. Then I tried one more time and everything went perfectly, I don't know where my mind was the first time.

> Ah, if possible, in the next updates, please write "manual installation instructions"

You can see what tables are getting created in the DB by reading the installation file and just drop them.

My community profile | Template system for osCommerce - New: Responsive | Feedback channel
ddsavage2000 Posted September 21, 2009

Not understanding how to install Security Pro 1.02 on osc 2.2 rc2a. As far as I got was downloading the file. Using localhost for now. Any assistance greatly appreciated. Thanks.
spooks Posted September 21, 2009

How do I install a contribution: http://www.oscommerce.com/forums/index.php?sho...=0#entry1432157

Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way | Multi Images with Fancy Pop-ups, Easy way | Products in columns with multi buy etc etc | Disable any Category or Product, Easy way | Secure & Improve your account pages et al.
ddsavage2000 Posted September 21, 2009

Thanks Sam. Most or all of the information provided in the link I am aware of, thanks to several of your posts and others like yourself who have superior knowledge of this particular system. However, none of the information detailed clarifies the installation of Security Pro 1.02.
♥FWR Media Posted September 21, 2009 Author

> Thanks for the contribution, this is what I was looking for. I installed it and see this problem:
>
> Fatal error: Call to undefined function: fwr_clean_global() in /.../includes/application_top.php on line 88
>
> If I disable the line from the application_top code it works fine. Perhaps you could have a suggestion what this could be. Thanks, valeri

You have not uploaded one of the required files (or perhaps put it in admin by mistake?) .. go back over the install instructions .. there aren't many.
ddsavage2000 Posted September 21, 2009

What I downloaded was a zip file. If there were instructions I missed them because I never found any information specifically relating to the install, and trust me I have been searching.
♥FWR Media Posted September 21, 2009 Author

There is only one file to upload (after running the installer): catalog/includes/functions/security.php. Just upload the missing file.
danny1977 Posted October 16, 2009

I installed Security Pro on a hardly modded site. When I tried to test my site as explained on the first page nothing happened (nothing printed on screen). So I tried everything I could with my little web knowledge (set register_globals off, erased http access, upgraded to PHP 5, tried to change variables in application_top :) ... nothing worked). When I searched for how to make an XSS attack to prevent on my site, I found this: when you navigate your site with this:

http:// yoursite dot com/contact_us.php?&name=1&email=1&enquiry=[XSS%%FC%F0i%FE%DC()]

If you enable Security Pro it writes XSSi in contact us; if you disable it, [XSS%üğişÜ()] is written. I think a very good way to test the script. Hope this helps someone... Thanks to the author of this wonderful contrib. I think a must for every osCommerce site.

cheers
gokhan
♥multimixer Posted November 26, 2009

>> One question. It's necessary to pass through special characters like äüöÄÜÖß posted from the search box. What's the way to do it? I've found it works if I modify the function like this:
>>
>>     function tep_clean_get__recursive($get_var) {
>>       // Add the preg_replace to every element.
>>       if (!is_array($get_var)) return preg_replace("/[^ {}a-zA-Z0-9ßäüöÄÜÖ_.-]/i", "", urldecode($get_var));
>>       return array_map('tep_clean_get__recursive', $get_var);
>>     }
>>
>> What do you think, do you see any problems? Please comment and point me in the right direction!
>
> Yes, adding limited but valid language characters is not an issue as long as you are careful not to allow in bad characters. A shortened version that should work is ..
>
>     $get_var = preg_replace("/[^\s{}a-z0-9ßäüö_.-]/i", "", urldecode($get_var));

>> Our osCommerce default language is Traditional Chinese, hence we have to exclude advanced_search.php & advanced_search_result.php so that the search box works. Can hackers inject malicious code via the search box? If so, do you have any suggestions? Thank you in advance.
>
> As standard osCommerce uses input filtering. As long as you are using the RC2a versions of these files you should be fine .. it uses ..
>
>     tep_db_prepare_input
>     tep_db_input
>
> And type casting on all user input added to the query. Hope that helps.

Hi Robert

I was having an issue with search in Greek and Cyrillic characters. The search term (i.e. ελλαδα) was not included in the query. Right now I have advanced_search_results.php excluded from cleansing via admin. I just wonder what is better to do, to keep this file excluded or to add Greek and Cyrillic characters to security.php?
dodiewayne Posted December 29, 2009

> How do I install a contribution: http://www.oscommerce.com/forums/index.php?sho...=0#entry1432157

I am also trying to install this - I have done all steps stated in the instructions included with the add-on, except this one: "Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)." Ok, I am not finding this file: am I overlooking this? I have found admin/configuration/ but no FWR Security Pro? Did I do something wrong?
♥FWR Media Posted December 29, 2009 Author

You haven't run the database installer SecurityPro_installer.php
dodiewayne Posted December 29, 2009

I have tried to "run" the installer - I guess I am just going about this all wrong. I have followed each and every step given:

Firstly: Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

Secondly: Upload security.php to catalog/includes/functions/

Finally: catalog/includes/application_top.php

Find ...

    // set the application parameters
    $configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
    while ($configuration = tep_db_fetch_array($configuration_query)) {
      define($configuration['cfgKey'], $configuration['cfgValue']);
    }

Add directly BELOW ...

    // FWR Media Security Pro
    if ( defined('FWR_SECURITY_PRO_ON') && FWR_SECURITY_PRO_ON === 'true' ) {
      $fwr_security_excludes = array();
      if ( defined('FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON') && FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON === 'true' ) $fwr_security_excludes = explode(',', FWR_SECURITY_PRO_FILE_EXCLUSIONS);
      if ( !in_array(basename($_SERVER['PHP_SELF']), $fwr_security_excludes) ) include('includes/functions/security.php');
    }
    if ( function_exists('tep_clean_get__recursive') ) {
      // Recursively clean $HTTP_GET_VARS and $_GET
      // There is no legitimate reason for these to contain anything but ..
      // A-Z a-z 0-9 -(hyphen) .(dot) _(underscore) {} space
      $HTTP_GET_VARS = tep_clean_get__recursive($HTTP_GET_VARS);
      $_GET = tep_clean_get__recursive($_GET);
      $_REQUEST = $_GET + $_POST; // $_REQUEST now holds the cleaned $_GET and std $_POST. $_COOKIE has been removed.
      fwr_clean_global($_GET); // Change the $GLOBALS value to the cleaned value
    }
    // END - FWR Media Security Pro

Go into admin>configuration>FWR Security Pro and turn it on .. (set to true).

PLEASE NOTE: You MUST delete the install file catalog/SecurityPro_installer.php after use!

The main problem I am having is this: This installation was done via Fantastico so everything was basically installed for me. I tried to install osCommerce manually and got frustrated and quit. I just ordered new hosting that came with the script basically pre-installed. Ok - now I am trying to do this but I find no catalog file. Now in the one I did manually I did have a catalog file but in this one I do not find one. I have run a search for the file and there is no such file. SO I installed the Security Pro installer php under public_html/admin and security.php to public_html/admin/includes/functions/ and admin/includes/application_top.php. I find nothing that installed. I cannot continue on to the part where I am supposed to "Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)" because I still cannot find it. I am told that I did not run the installer... how do I do this? I am so sorry this sounds awful but I am new at this and appreciate any help.
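The querystring whitelist that the application_top.php block above applies (tep_clean_get__recursive plus the file-exclusion test), and the äüö / Greek / Cyrillic question earlier in this thread, in a stand-alone form. This is an added example, not code from the Security Pro contribution or from FWR Media. It keeps the contribution's Latin-only character class, adds a generalised variant that admits letters and digits of any script via \p{L} and \p{N} with the u modifier (assumption: the shop runs in UTF-8; without the u modifier a UTF-8 ä is two bytes and the class is matched byte by byte), and mirrors the exclusion check from the install block. The example_* function names, the sample querystrings and the exclusion list are constructed for this example.

```php
<?php
// Added example, not code from the Security Pro contribution.
// Stand-alone model of the querystring whitelist cleaner discussed in this thread.

// Latin-only whitelist, the same character set as the contribution's default:
// space {} A-Z a-z 0-9 _ . -   (anything else is deleted, never escaped)
function example_clean_get_recursive($get_var)
{
    if (!is_array($get_var)) {
        return preg_replace('/[^\s{}a-z0-9_.-]/i', '', urldecode($get_var));
    }
    return array_map('example_clean_get_recursive', $get_var);
}

// Generalised variant (assumption: the shop serves and receives UTF-8).
// \p{L} and \p{N} keep letters and digits of any script, so umlauts, Greek and
// Cyrillic search terms survive while < > " ' ( ) [ ] | * ^ ; are still dropped.
// Invalid UTF-8 (e.g. raw %FC bytes) is not guessed at: it goes through the
// Latin-only class instead, which removes every high byte.
function example_clean_get_recursive_unicode($get_var)
{
    if (!is_array($get_var)) {
        $decoded = urldecode($get_var);
        if (preg_match('//u', $decoded) !== 1) {
            return preg_replace('/[^\s{}a-z0-9_.-]/i', '', $decoded);
        }
        return preg_replace('/[^\s{}\p{L}\p{N}_.-]/u', '', $decoded);
    }
    return array_map('example_clean_get_recursive_unicode', $get_var);
}

// Mirrors the exclusion test in the install block: the comma-separated admin
// setting is compared against basename($_SERVER['PHP_SELF']). Whitespace around
// the names is tolerated so "a.php, b.php" works as well as "a.php,b.php".
function example_is_excluded($script_path, $exclusions_csv)
{
    $excludes = array_map('trim', explode(',', $exclusions_csv));
    return in_array(basename($script_path), $excludes, true);
}

// Constructed sample input (what $_GET might hold before cleansing).
$samples = array(
    'fwrtest'  => '[w](o)%3Cr%3Ek|i*n^g',   // the install test from this thread
    'enquiry'  => '[XSS%%FC%F0i%FE%DC()]',  // the contact_us probe from this thread
    'keywords' => 'ελλαδα <script>',        // a Greek search term with a tag
    'nested'   => array('a' => 'x"y', 'b' => 'ok'),
);

echo "Latin-only whitelist:\n";
print_r(example_clean_get_recursive($samples));

echo "Unicode-aware whitelist:\n";
print_r(example_clean_get_recursive_unicode($samples));

// Constructed exclusion list, in the spirit of the PROTX payment module case
// mentioned earlier in the thread (the file name is a placeholder).
$exclusions = 'example_payment_module.php, advanced_search_result.php';
var_dump(example_is_excluded('/shop/advanced_search_result.php', $exclusions));
var_dump(example_is_excluded('/shop/index.php', $exclusions));
```

Run it with the PHP CLI. With these samples the Latin-only cleaner returns "working" for fwrtest and "XSSi" for enquiry, which is exactly what the install test and the contact_us test earlier in the thread describe; the Greek search term is reduced to " script" by the Latin-only class but kept as "ελλαδα script" by the Unicode variant, which is the trade-off behind keeping advanced_search_result.php excluded versus widening the character class. The Unicode variant deliberately falls back to the strict class on malformed UTF-8 rather than trying to interpret it.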
♥FWR Media Posted December 29, 2009 Author (edited)

> I am so sorry this sounds awful but I am new at this and appreciate any help.

No no, that's fine .. we all started somewhere. About the "catalog" thing: we use "catalog" as a standard term meaning the root of your site. Some people have the site running from ..

www.mysite.com

Some ..

www.mysite.com/catalog/

Some ..

www.mysite.com/catalog/shop/

When we say catalog we are just referring to where the root files are, like product_info.php. The installer goes there, then you browse to it. The security.php file goes in <root of site>includes/functions/

Edited December 29, 2009 by FWR Media
jada14 Posted January 12, 2010

Did anyone respond directly to this query? I am having the same issue and cannot find the FWR Security Pro file under admin, getting a bit frustrated, help please
♥FWR Media Posted January 12, 2010 Author

Which bit of the installation are you confused with?

1) Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.
2) Upload security.php to catalog/includes/functions/ or ..
3) Adding the code block to catalog/includes/application_top.php
jada14 Posted January 12, 2010

Thanks for the prompt response. I am unsure about number 1: when you say browse to it, do you mean via the file manager or ftp? I have tried both and nothing seems to change, as a result I get no FWR Security Pro option to turn on in my admin>configuration>, as I think the installation is not installed correctly.