[contribution] Security Pro - Querystring protection against hackers.

[♥FWR Media]

thanks for the prompt response,

 

I am unsure about number 1 , when you say browse to it , do you mean via the file manager or ftp, i have tried both any nothing seems to change, as a result i get no

FWR Security Pro option to turn on in my admin>configuration> as i think the installation is not installed correctly.

 

No what it means is browse as in with the browser.

 

So let's say your site is www.mysite.com/catalog you would browse to www.mysite.com/catalog/SecurityPro_installer.php

[jada14]

ok thanks,

 

just tried that and i get this error message in browser

 

Fatal error: Call to a member function add_current_page() on a non-object in /home/istamp/public_html/includes/application_top.php on line 330

 

what should i try now?

[♥FWR Media]

ok thanks,

 

just tried that and i get this error message in browser

 

Fatal error: Call to a member function add_current_page() on a non-object in /home/istamp/public_html/includes/application_top.php on line 330

 

what should i try now?

 

That is a standard osCommerce problem .. try closing ALL of your browser windows and trying again.

[jada14]

thanks so much that has worked, i now see the fwr security pro option under configuration.

[Dandon]

Hi,

First of all, thanks a lot for sharing this, it seems to be a very useful and important contribution.

I just installed this in my test site, and it seems to work but I'm not sure.

If a put a search string in the search box like "|C*6^5" (there is a product called C65), I get different results if I turn it on or off.

 

When switched on, the shop returns the product found correctly, and the search box shows "C65" without the dangerous characters. When switched off, it returns "no such product found" qnd the search box shows the full string with all the characters.

I understand this is OK and the way it's supposed to work.

 

OTOH, I have tried this:

 

Go to your shop with the url

 

www(dot)myshop.com/index.php?fwrtest=[w](o)%3Cr%3Ek|i*n^g

 

If it says just "working" then it's .. errm .. working.

 

But it simply returns the shop's normal start page, both with the contrib switched on or off. Is this normal or am I missing something? It looks to me as if it's ignoring the "fwrtest=..." parameter.

 

TIA for your time.

[♥FWR Media]

Hi,

First of all, thanks a lot for sharing this, it seems to be a very useful and important contribution.

I just installed this in my test site, and it seems to work but I'm not sure.

If a put a search string in the search box like "|C*6^5" (there is a product called C65), I get different results if I turn it on or off.

 

When switched on, the shop returns the product found correctly, and the search box shows "C65" without the dangerous characters. When switched off, it returns "no such product found" qnd the search box shows the full string with all the characters.

I understand this is OK and the way it's supposed to work.

 

OTOH, I have tried this:

 

 

But it simply returns the shop's normal start page, both with the contrib switched on or off. Is this normal or am I missing something? It looks to me as if it's ignoring the "fwrtest=..." parameter.

 

TIA for your time.

 

You have to print out the _GET variable as it says in the instructions .. something like.

 

if ( array_key_exists( 'fwrtest', $_GET ) ) {
 echo 'security Pro test: Result was: ' . $_GET['fwrtest'] . '<br />' . PHP_EOL;
}

 

You can put that temporarily in includes/footer.php or somewhere else.

}

[Dandon]

Ok, sorry, it seems I missed that part of the instructions.

I put that in the footer as you suggested, and yes it does put out the proper cleaned string!

Thanks a lot again.

[bonester1981]

Hi,

first of all: thanks FWR for your work!

 

Installing was easy and I tested it. When I tested the functionality a little error occured:

When a customer will log in and has forgotten his password and tries a few passwords he will sooner or later get a new one. When pressing the password forgotten link, the customer will be redirected to password_forgotten.php and the email address will be prompted in the email address field, but while using Security Pro, the @ sign will be removed and user@example.com will become userexample.com . This is very uncomfortable for the customer so I wanted to change this:

The core Security Pro files check if page is declared and will break down the whole security for that page, but this isn´t either what I wanted so I worked around that allowing special chars for user defined pages:

 

includes\functions\security.php

Find:

// Changelog - removed %(percent) added urldecode

function tep_clean_get__recursive($get_var)

{

if (!is_array($get_var))

return preg_replace("/[^ {}a-zA-Z0-9_.-]/i", "", urldecode($get_var));

 

// Add the preg_replace to every element.

return array_map('tep_clean_get__recursive', $get_var);

}

Replace with:

function tep_get_char_exclusions(){

$fwr_security_excludes = array();

$fwr_security_excludes = explode(',', FWR_SECURITY_PRO_FILE_EXCLUSIONS);

//to fill in the array is a bit tricky:

//At first you have to make a list of safe files to exclude from cleansing

//in the FWR Security Pro admin.

//you have to put a number 0-99 before your chars you want

//to be allowed and put the declared catalog filename(s) to the right

//See lines below for an example

$extra_chars = array( '1@' => FILENAME_PASSWORD_FORGOTTEN);

//'2@' => FILENAME_LOGIN,

//'3+/+#' => FILENAME_INDEX,

while ($page_name = current($extra_chars)) {

if ($page_name == basename($_SERVER['PHP_SELF'])) {

$allowed = substr(key($extra_chars), 0, 2);

if(!is_numeric($allowed)){

$allowed = substr(key($extra_chars), 1);

}else{

$allowed = substr(key($extra_chars), 2);

}

$replace = "/[^ {}a-zA-Z0-9_.-";

$replace .= $allowed;

$replace .= "]/i";

}

next($extra_chars);

}

if(!isset($replace)){

$replace = "/[^ {}a-zA-Z0-9_.-]/i";

}

return $replace;

}

//only for testing if function tep_get_char_exclusions(); works properly

//echo tep_get_char_exclusions();

 

 

// Changelog - removed %(percent) added urldecode

function tep_clean_get__recursive($get_var)

{

if (!is_array($get_var))

 

return preg_replace(tep_get_char_exclusions(), "", urldecode($get_var));

 

// Add the preg_replace to every element.

return array_map('tep_clean_get__recursive', $get_var);

}

While experimenting I found out, that you can´t use something like this:

$extra_chars = array( '@' => FILENAME_PASSWORD_FORGOTTEN,

'@' => FILENAME_LOGIN);

When I used the $extra_chars on other functions it came like this:

$extra_chars = array( '@' => FILENAME_LOGIN);

When someone has another way, please tell me!

 

Another step has to be taken:

application_top.php

Replace:

// FWR Media Security Pro

if ( defined('FWR_SECURITY_PRO_ON') && FWR_SECURITY_PRO_ON === 'true' ) {

$fwr_security_excludes = array();

if ( defined('FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON') && FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON === 'true' )

$fwr_security_excludes = explode(',', FWR_SECURITY_PRO_FILE_EXCLUSIONS);

if ( !in_array(basename($_SERVER['PHP_SELF']), $fwr_security_excludes) )

include('includes/functions/security.php');

}

if ( function_exists('tep_clean_get__recursive') ) {

// Recursively clean $HTTP_GET_VARS and $_GET

// There is no legitimate reason for these to contain anything but ..

// A-Z a-z 0-9 -(hyphen).(dot)_(underscore) {} space

$HTTP_GET_VARS = tep_clean_get__recursive($HTTP_GET_VARS);

$_GET = tep_clean_get__recursive($_GET);

$_REQUEST = $_GET + $_POST; // $_REQUEST now holds the cleaned $_GET and std $_POST. $_COOKIE has been removed.

fwr_clean_global($_GET); // Change the $GLOBALS value to the cleaned value

}

// END - FWR Media Security Pro

with

// FWR Media Security Pro

if ( defined('FWR_SECURITY_PRO_ON') && FWR_SECURITY_PRO_ON === 'true' ) {

require_once('includes/functions/security.php');

$HTTP_GET_VARS = tep_clean_get__recursive($HTTP_GET_VARS);

$_GET = tep_clean_get__recursive($_GET);

//$_REQUEST = $_GET + $_POST; // $_REQUEST now holds the cleaned $_GET and std $_POST. $_COOKIE has been removed.

fwr_clean_global($_GET); // Change the $GLOBALS value to the cleaned value

}

// END - FWR Media Security Pro

Then go to your admin area ->FWR Security Pro->File Exclusions and set password_forgotten.php

 

If you want another page allow extra chars, do following:

For index.php

1. Go to your admin area ->FWR Security Pro->File Exclusions and set password_forgotten.php,index.php

2.

Go to includes\functions\security.php and change in tep_get_char_exclusions() :

 

$extra_chars = array( '1@' => FILENAME_PASSWORD_FORGOTTEN);

//'2@' => FILENAME_LOGIN,

to

$extra_chars = array( '1@' => FILENAME_PASSWORD_FORGOTTEN),

'2@#([' => FILENAME_LOGIN);

For every filename you declare in this part of this code, you to put a number before your allowed chars. the next where '3*' => FILENAME_LOGIN

and so on...

 

Comments are appreciated!

Edited February 17, 2010 by bonester1981

[♥FWR Media]

Hi,

first of all: thanks FWR for your work!

 

Installing was easy and I tested it. When I tested the functionality a little error occured:

When a customer will log in and has forgotten his password and tries a few passwords he will sooner or later get a new one. When pressing the password forgotten link, the customer will be redirected to password_forgotten.php and the email address will be prompted in the email address field, but while using Security Pro, the @ sign will be removed and user@example.com will become userexample.com . This is very uncomfortable for the customer so I wanted to change this:

The core Security Pro files check if page is declared and will break down the whole security for that page, but this isn´t either what I wanted so I worked around that allowing special chars for user defined pages:

 

includes\functions\security.php

Find:

 

Replace with:

 

While experimenting I found out, that you can´t use something like this:

 

When I used the $extra_chars on other functions it came like this:

 

When someone has another way, please tell me!

 

Another step has to be taken:

application_top.php

Replace:

 

with

 

Then go to your admin area ->FWR Security Pro->File Exclusions and set password_forgotten.php

 

If you want another page allow extra chars, do following:

For index.php

1. Go to your admin area ->FWR Security Pro->File Exclusions and set password_forgotten.php,index.php

2.

Go to includes\functions\security.php and change in tep_get_char_exclusions() :

 

 

to

 

For every filename you declare in this part of this code, you to put a number before your allowed chars. the next where '3*' => FILENAME_LOGIN

and so on...

 

Comments are appreciated!

 

I am not aware of any changes that are needed to Security Pro. The functionality you are suggesting I think must be an addon .. if so, that addon should be modified in my opinion to not pass unnecessary characters via querystring.

[spooks]

I am not aware of any changes that are needed to Security Pro. The functionality you are suggesting I think must be an addon .. if so, that addon should be modified in my opinion to not pass unnecessary characters via querystring.

 

Hi, please excuse me for posting in your thread Robert, but sometimes there are posts you feel you must comment on.

 

Your contrib is great & I always tell everyone its install is a must. I have not seen any need for any alterations.

 

 

bonester1981 must have a peculiar install, password forgotten uses the post method, so wont be affected by this!!

I suggest he looks further afield for solutions to his issue & examines his code re the abnormal behaviour.

 

It surprising how many assume thier code (template?) is standard without ever comparing to the core osC files.

[Stealth1]

This is probably a very n00b question but I installed this just now and browsed my site and ran through the checkout process up to the point of submitting the order and saw no errors. Would this be a good sign that nothing is being blocked or not working?

 

I am not sure on the best way to test that nothing is having issues after this is installed.

[Francys]

Hi all, good job with the osc for what i'm seeing ehehheh i'm newbie to this forums, and i would like you to answer me how to sort this:

 

Installed FWR Security PRO, and when a customer clicks for more info regarding a product it isn't openning the pdf link (i tested it and it is because security pro is redirecting (http://addons.oscommerce.com/info/5752 ).

 

I recongnise security pro is a good anti hacks tool but how shall i sort this?

 

Example:

- customer enters a given product description, at the end there is the option click this for more details.

- and generally i have a product datasheet with technical info for the customer in pdf

 

If security pro is turned of the pdf is loaded like its supposed to, is security pro is on the customer is redirected to shop entrance...

 

the pdf files are stored like this: AA_<product_name>_<reference>.pdf

i tried to make exclusion with <full path>\AA_<product_name>_<reference>.pdf,AA_<product_name>_<reference>.pdf and none worked... how to sort this.

 

thanks in advance

 

Oh btw, i would like only to exclude these pdf files, and not compromise the security pro strengths.

 

thanks in advance

[Francys]

is anyone ever answering? btw im newbie to this forums, what is the average response time?

i posted 5 critical issues in different threads affecting my shop 2 days ago and so far noone has answered me with an attempt of solution... i'm not the type of hassling to much with questions, i don't like to bother people and i think these forums are built to try and help, i know people here is volunteer so i really try to only post important things and if i can help anyone i will of course.

 

And to be honest with you i thought oscommerce community would be bigger... for instance i tried to find but these forums don't have brazilian or portuguese sections (only german i think)... correct me if im wrong please thanks.

[♥FWR Media]

Oh btw, i would like only to exclude these pdf files, and not compromise the security pro strengths.

 

thanks in advance

 

You shouldn't need to exclude anything. If the pdf system has stopped working then it is sending illegal characters via the querystring, the solution is to modify the pdf script to use only allowed characters in the querystring it sends.

[Francys]

You shouldn't need to exclude anything. If the pdf system has stopped working then it is sending illegal characters via the querystring, the solution is to modify the pdf script to use only allowed characters in the querystring it sends.

 

Thank you very much for your kind answer . I would like to use the exclude files options (it is more pratical and i already tried to rename the files for 1.pdf and it still isnt working) because:

- there is no security breach whatsoever

- i don't need to modify any script which would pose an additional problem

And finally i just need to upload a list of the files (that aren't that many) comma separated and without spaces EX:

AA_efef_33.pdf,AA_3242_rf2.pdf,...,AB_234_23.pdf

 

(by the way it doesn't matter where the files are does it? the pdfs are located inside a folder in root (outside catalog) and i don't have problem opening with security pro off, when it's ON it just redirects to shop entrance.

 

Thanks in advance

[Francys]

Thank you very much for your kind answer . I would like to use the exclude files options (it is more pratical and i already tried to rename the files for 1.pdf and it still isnt working) because:

- there is no security breach whatsoever

- i don't need to modify any script which would pose an additional problem

And finally i just need to upload a list of the files (that aren't that many) comma separated and without spaces EX:

AA_efef_33.pdf,AA_3242_rf2.pdf,...,AB_234_23.pdf

 

(by the way it doesn't matter where the files are does it? the pdfs are located inside a folder in root (outside catalog) and i don't have problem opening with security pro off, when it's ON it just redirects to shop entrance.

 

Thanks in advance

 

OK I THINK I GOT IT... LOLOL

 

I just exclude redirect.php......

 

 

Its working

 

Is this a security breach or is ok to leave redirect.php excluded ?!

 

thanks in advance

[Francys]

Hi FWR

 

This will interest anyone using pdfs in his/her site as URL, so i would like to know a confirmation regarding if disabling redirect.php by excluding is ok?! or if it will pose a security problem?!

 

thanks in advance

[eStore B]

I am trying to secure site.......using Security Pro http://addons.oscommerce.com/info/5752

 

I have gotten to the last step of instructions.

 

"Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)."

 

I have gone to the catalog/admin/configuration.php.........

 

but I do not see the code "WR Security Pro and turn it on .. (set to true)."

 

Can anyone give a suggestion please

[www.in.no]

It means that you have to logg in to admin and under the first section named

configuration

You will find the

FWR Security Pro

 

If the installation has been done correctly.

 

It has notting to do with the configuration file.

[eStore B]

It means that you have to logg in to admin and under the first section named

configuration

You will find the

FWR Security Pro

 

If the installation has been done correctly.

 

It has notting to do with the configuration file.

 

 

ok,that was too simple....thank you very much

 

Can you suggest the next thing to do to secure site?

[www.in.no]

Read the security forum and the pinned post there on how to secure your osc shop.

[Francys]

Hi FWR

 

This will interest anyone using pdfs in his/her site as URL, so i would like to know a confirmation regarding if disabling redirect.php by excluding is ok?! or if it will pose a security problem?!

 

thanks in advance

 

Since i have got no reply and reading a bit in this post another person suggested this and it seems it is a nice fashion on how to sort so i take it as resolve.

[seshalyn_pr]

You have to print out the _GET variable as it says in the instructions .. something like.

 

if ( array_key_exists( 'fwrtest', $_GET ) ) {
 echo 'security Pro test: Result was: ' . $_GET['fwrtest'] . '<br />' . PHP_EOL;
}

 

You can put that temporarily in includes/footer.php or somewhere else.

}

It's Working!!! Woohoo :D . For a newbie like me, and who doesn't know the least bit of php (chinese to me) whenever I install something, get no errors, and find out it's working, oooo can't explain the happiness that is felt lolssssss. Anyways just wanted to say thank you FWR for the contribution, and Sam for always putting his input throughout, and everyone who contributes to make others osc experience easier!!! Thanks!!!

[john_roberts]

I have been wrestling with PCI compliance and cross site scripting is my last major nut to crack.

 

This white-file(?) replacement is exactly what I need. (Thank You)

I am not very fluent with PHP code, but I have managed to get most add-ins to work over a few years.

 

I am having no success with this FWR security pro add in.

 

I have run the install program .

I have put the security.php file in ...(formerly called catalog)/includes/functions

I have added the new code in ...(formerly catalog)/includes/application_top.php

I have turned security pro on (true) in admin configuration

 

I get no cleaning of entered text. It's not [w](o)%3Cr%3Ek|i*n^g

 

I tried uninstall and re-ran install program.

I have added some echo code in application_top to confirm that security pro is "true", it is..

I added and removed some echo code in application_top to confirm that cleaning function exists and is found. it does

in security.PHP I conformed that !array is true.

 

I repeat I am not very competent with PHP code so I may be missing something simple.

 

My "catalog" directory goes by another name, but this is reflected in configuration area and (AFAIK) the store has been working fine for years.

 

When I type fwrtest=[w](o)%3Cr%3Ek|i*n^g in browser string, I get fwrtest=[w](o)<r>k|i*n^g response.

 

 

I am working beyond my ability to debug in PHP.

 

Anything simple I may be overlooking? My head hurts.

 

John Roberts

 

Note: still running 2.2rc2a but corrected for deprecated PHP functions when upgraded server to newer version PHP in PCI compliance process. May still be a few clinkers, but don't get any deprecated function errors.

[♥FWR Media]

I have been wrestling with PCI compliance and cross site scripting is my last major nut to crack.

 

This white-file(?) replacement is exactly what I need. (Thank You)

I am not very fluent with PHP code, but I have managed to get most add-ins to work over a few years.

 

I am having no success with this FWR security pro add in.

 

I have run the install program .

I have put the security.php file in ...(formerly called catalog)/includes/functions

I have added the new code in ...(formerly catalog)/includes/application_top.php

I have turned security pro on (true) in admin configuration

 

I get no cleaning of entered text. It's not [w](o)%3Cr%3Ek|i*n^g

 

I tried uninstall and re-ran install program.

I have added some echo code in application_top to confirm that security pro is "true", it is..

I added and removed some echo code in application_top to confirm that cleaning function exists and is found. it does

in security.PHP I conformed that !array is true.

 

I repeat I am not very competent with PHP code so I may be missing something simple.

 

My "catalog" directory goes by another name, but this is reflected in configuration area and (AFAIK) the store has been working fine for years.

 

When I type fwrtest=[w](o)%3Cr%3Ek|i*n^g in browser string, I get fwrtest=[w](o)<r>k|i*n^g response.

 

 

I am working beyond my ability to debug in PHP.

 

Anything simple I may be overlooking? My head hurts.

 

John Roberts

 

Note: still running 2.2rc2a but corrected for deprecated PHP functions when upgraded server to newer version PHP in PCI compliance process. May still be a few clinkers, but don't get any deprecated function errors.

 

You don't need to do anything but install it and turn it on in admin. It's an easy install with no room for error.