FWR Media (thread author), posted January 12, 2010

> Thanks for the prompt response. I am unsure about number 1: when you say browse to it, do you mean via the file manager or FTP? I have tried both and nothing seems to change; as a result I get no FWR Security Pro option to turn on in my admin > configuration, as I think the installation is not installed correctly.

No, what it means is browse as in with the browser. So let's say your site is www.mysite.com/catalog; you would browse to www.mysite.com/catalog/SecurityPro_installer.php

Signature: Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls | KissMT Dynamic SEO Meta & Canonical Header Tags | KissER Error Handling and Debugging | KissIT Image Thumbnailer | Security Pro - Querystring protection against hackers (a KISS contribution). If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
jada14, posted January 12, 2010

OK, thanks. I just tried that and I get this error message in the browser:

    Fatal error: Call to a member function add_current_page() on a non-object in /home/istamp/public_html/includes/application_top.php on line 330

What should I try now?
FWR Media (thread author), posted January 12, 2010, in reply to jada14

That is a standard osCommerce problem .. try closing ALL of your browser windows and trying again.
jada14, posted January 12, 2010

Thanks so much, that has worked. I now see the FWR Security Pro option under configuration.
Dandon, posted January 28, 2010

Hi. First of all, thanks a lot for sharing this; it seems to be a very useful and important contribution. I just installed this in my test site, and it seems to work but I'm not sure. If I put a search string in the search box like "|C*6^5" (there is a product called C65), I get different results if I turn it on or off. When switched on, the shop returns the product found correctly, and the search box shows "C65" without the dangerous characters. When switched off, it returns "no such product found" and the search box shows the full string with all the characters. I understand this is OK and the way it's supposed to work.

OTOH, I have tried this:

> Go to your shop with the url www(dot)myshop.com/index.php?fwrtest=[w](o)%3Cr%3Ek|i*n^g
> If it says just "working" then it's .. errm .. working.

But it simply returns the shop's normal start page, both with the contrib switched on or off. Is this normal or am I missing something? It looks to me as if it's ignoring the "fwrtest=..." parameter. TIA for your time.
FWR Media (thread author), posted January 28, 2010, in reply to Dandon

You have to print out the _GET variable as it says in the instructions .. something like:

    if ( array_key_exists( 'fwrtest', $_GET ) ) {
      echo 'security Pro test: Result was: ' . $_GET['fwrtest'] . '<br />' . PHP_EOL;
    }

You can put that temporarily in includes/footer.php or somewhere else.
Dandon, posted January 28, 2010

OK, sorry, it seems I missed that part of the instructions. I put that in the footer as you suggested, and yes, it does put out the proper cleaned string! Thanks a lot again.
bonester1981, posted February 17, 2010 (edited February 17, 2010 by bonester1981)

Hi, first of all: thanks FWR for your work! Installing was easy and I tested it. When I tested the functionality a little error occurred: when a customer will log in and has forgotten his password and tries a few passwords he will sooner or later get a new one. When pressing the password forgotten link, the customer will be redirected to password_forgotten.php and the email address will be prompted in the email address field, but while using Security Pro, the @ sign will be removed and user@example.com will become userexample.com. This is very uncomfortable for the customer so I wanted to change this: the core Security Pro files check if a page is declared and will break down the whole security for that page, but this isn't what I wanted either, so I worked around that, allowing special chars for user defined pages:

includes\functions\security.php

Find:

    // Changelog - removed %(percent) added urldecode
    function tep_clean_get__recursive($get_var) {
      if (!is_array($get_var)) return preg_replace("/[^ {}a-zA-Z0-9_.-]/i", "", urldecode($get_var));
      // Add the preg_replace to every element.
      return array_map('tep_clean_get__recursive', $get_var);
    }

Replace with:

    function tep_get_char_exclusions() {
      // To fill in the array is a bit tricky:
      // At first you have to make a list of safe files to exclude from cleansing
      // in the FWR Security Pro admin.
      // You have to put a number 0-99 before the chars you want
      // to be allowed and put the declared catalog filename(s) to the right.
      // See the lines below for an example.
      $extra_chars = array(
        '1@' => FILENAME_PASSWORD_FORGOTTEN
        //'2@' => FILENAME_LOGIN,
        //'3+/+#' => FILENAME_INDEX,
      );
      foreach ($extra_chars as $key => $page_name) {
        if ($page_name == basename($_SERVER['PHP_SELF'])) {
          // Strip the numeric prefix; what is left is the list of extra allowed chars.
          $allowed = ltrim($key, '0123456789');
          // preg_quote keeps chars such as '[' '(' '^' literal inside the class, and the
          // hyphen is escaped so it cannot form a range with the first extra char
          // (an unescaped ".-@" would match every char from '.' to '@', including '<' and '>').
          $replace = "/[^ {}a-zA-Z0-9_.\-" . preg_quote($allowed, '/') . "]/i";
        }
      }
      if (!isset($replace)) {
        $replace = "/[^ {}a-zA-Z0-9_.-]/i";
      }
      return $replace;
    }

    // Only for testing whether tep_get_char_exclusions() works properly
    //echo tep_get_char_exclusions();

    // Changelog - removed %(percent) added urldecode
    function tep_clean_get__recursive($get_var) {
      if (!is_array($get_var)) return preg_replace(tep_get_char_exclusions(), "", urldecode($get_var));
      // Add the preg_replace to every element.
      return array_map('tep_clean_get__recursive', $get_var);
    }

While experimenting I found out that you can't use something like this:

    $extra_chars = array( '@' => FILENAME_PASSWORD_FORGOTTEN, '@' => FILENAME_LOGIN);

When I used the $extra_chars on other functions it came out like this:

    $extra_chars = array( '@' => FILENAME_LOGIN);

When someone has another way, please tell me!

Another step has to be taken: application_top.php

Replace:

    // FWR Media Security Pro
    if ( defined('FWR_SECURITY_PRO_ON') && FWR_SECURITY_PRO_ON === 'true' ) {
      $fwr_security_excludes = array();
      if ( defined('FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON') && FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON === 'true' ) $fwr_security_excludes = explode(',', FWR_SECURITY_PRO_FILE_EXCLUSIONS);
      if ( !in_array(basename($_SERVER['PHP_SELF']), $fwr_security_excludes) ) include('includes/functions/security.php');
    }
    if ( function_exists('tep_clean_get__recursive') ) {
      // Recursively clean $HTTP_GET_VARS and $_GET
      // There is no legitimate reason for these to contain anything but ..
      // A-Z a-z 0-9 -(hyphen) .(dot) _(underscore) {} space
      $HTTP_GET_VARS = tep_clean_get__recursive($HTTP_GET_VARS);
      $_GET = tep_clean_get__recursive($_GET);
      $_REQUEST = $_GET + $_POST; // $_REQUEST now holds the cleaned $_GET and std $_POST. $_COOKIE has been removed.
      fwr_clean_global($_GET); // Change the $GLOBALS value to the cleaned value
    }
    // END - FWR Media Security Pro

with

    // FWR Media Security Pro
    if ( defined('FWR_SECURITY_PRO_ON') && FWR_SECURITY_PRO_ON === 'true' ) {
      require_once('includes/functions/security.php');
      $HTTP_GET_VARS = tep_clean_get__recursive($HTTP_GET_VARS);
      $_GET = tep_clean_get__recursive($_GET);
      //$_REQUEST = $_GET + $_POST; // $_REQUEST now holds the cleaned $_GET and std $_POST. $_COOKIE has been removed.
      fwr_clean_global($_GET); // Change the $GLOBALS value to the cleaned value
    }
    // END - FWR Media Security Pro

Then go to your admin area -> FWR Security Pro -> File Exclusions and set password_forgotten.php

If you want another page to allow extra chars, do the following. For index.php:

1. Go to your admin area -> FWR Security Pro -> File Exclusions and set password_forgotten.php,index.php

2. Go to includes\functions\security.php and change in tep_get_char_exclusions():

    $extra_chars = array( '1@' => FILENAME_PASSWORD_FORGOTTEN);
    //'2@' => FILENAME_LOGIN,

to

    $extra_chars = array( '1@' => FILENAME_PASSWORD_FORGOTTEN, '2@#([' => FILENAME_LOGIN);

For every filename you declare in this part of the code, you have to put a number before your allowed chars; the next one would be '3*' => FILENAME_LOGIN and so on...

Comments are appreciated!
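The post above builds the whitelist by concatenating extra characters onto the end of a regex character class, and a later reply notes that password_forgotten.php posts its form rather than passing it on the query string. The following stand-alone PHP script is an added example (not Security Pro's code and not bonester1981's) that models both points: a per-script whitelist whose extra characters are escaped so they cannot weaken the class, the recursive clean of $_GET, and the rebuilt $_REQUEST in which the POST body is never filtered. The script names, the extra-character table and all request values are constructed for the demo; in osCommerce the script name would come from basename($_SERVER['PHP_SELF']).

```php
<?php
// Added example (not Security Pro's or bonester1981's code): a stand-alone
// model of the query-string whitelist with per-script extra characters.
// The base set is the one quoted in the thread: A-Z a-z 0-9 - . _ { } space.

// Extra characters per script, keyed by filename. Keying by filename rather
// than by the character list is what avoids the duplicate-key problem the
// post ran into with array('@' => ..., '@' => ...). Table values are constructed.
function extra_chars_for($script)
{
    $extra = array(
        'password_forgotten.php' => '@',
        'login.php'              => '@',
    );
    return isset($extra[$script]) ? $extra[$script] : '';
}

// Build the negated character class. preg_quote() escapes '[', '(', '^', '\'
// and similar, and the hyphen is written as \- so it stays literal wherever
// it lands; plain concatenation ".-@" would instead be the range '.' to '@'.
function whitelist_pattern($extra = '')
{
    return '/[^ {}a-zA-Z0-9_.\-' . preg_quote($extra, '/') . ']/';
}

// Recursive clean of a GET array, mirroring tep_clean_get__recursive:
// urldecode first, then strip everything outside the whitelist.
function clean_get_recursive($value, $pattern)
{
    if (!is_array($value)) {
        return preg_replace($pattern, '', urldecode($value));
    }
    $out = array();
    foreach ($value as $k => $v) {
        $out[$k] = clean_get_recursive($v, $pattern);
    }
    return $out;
}

// Clean $_GET for one script and rebuild $_REQUEST the way application_top.php
// does: cleaned GET plus the untouched POST body. POST is never filtered,
// which is why a form that posts an email address keeps its '@'.
function process_request($script, $get, $post)
{
    $pattern   = whitelist_pattern(extra_chars_for($script));
    $clean_get = clean_get_recursive($get, $pattern);
    return array('get' => $clean_get, 'request' => $clean_get + $post);
}

function demo()
{
    // Constructed inputs: the test string from the install notes, a search
    // term like the one discussed earlier, an email address on the query
    // string, and an email address in the POST body.
    $get = array(
        'fwrtest' => '[w](o)%3Cr%3Ek|i*n^g',
        'email'   => 'user@example.com',
        'nested'  => array('q' => '|C*6^5'),
    );
    $post = array('email_address' => 'user@example.com');

    return array(
        // index.php: base whitelist only, so the '@' in the GET email is lost
        'index'              => process_request('index.php', $get, $post),
        // password_forgotten.php: '@' added for this script only
        'password_forgotten' => process_request('password_forgotten.php', $get, $post),
        // The unescaped concatenation from the post, applied to a decoded tag:
        // '.-@' is a range that includes '<' and '>', so nothing is removed.
        'range_pitfall'      => preg_replace('/[^ {}a-zA-Z0-9_.-@]/i', '', '<b>'),
        'range_fixed'        => preg_replace(whitelist_pattern('@'), '', '<b>'),
    );
}

if (PHP_SAPI === 'cli') {
    print_r(demo());
}
```

Run from the command line it prints the four results: fwrtest becomes "working" and the nested search term "C65" on both scripts, the GET email keeps its "@" only on password_forgotten.php, the POSTed email_address is identical in both $_REQUEST arrays, and "<b>" survives the unescaped pattern but is reduced to "b" by the escaped one. Keying the table by script name and escaping the extra characters is the design point: the whitelist can only ever grow by the exact characters listed for that one script.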
FWR Media (thread author), posted February 17, 2010, in reply to bonester1981

I am not aware of any changes that are needed to Security Pro. The functionality you are suggesting I think must be an addon .. if so, that addon should be modified in my opinion to not pass unnecessary characters via querystring.
spooks, posted February 17, 2010

> I am not aware of any changes that are needed to Security Pro. The functionality you are suggesting I think must be an addon .. if so, that addon should be modified in my opinion to not pass unnecessary characters via querystring.

Hi, please excuse me for posting in your thread Robert, but sometimes there are posts you feel you must comment on. Your contrib is great, and I always tell everyone its install is a must. I have not seen any need for any alterations. bonester1981 must have a peculiar install; password forgotten uses the post method, so won't be affected by this!! I suggest he looks further afield for solutions to his issue and examines his code re the abnormal behaviour. It's surprising how many assume their code (template?) is standard without ever comparing to the core osC files.

Signature: Sam. Remember, what you think I ment may not be what I thought I ment when I said it. Contributions: Auto Backup your Database, Easy way | Multi Images with Fancy Pop-ups, Easy way | Products in columns with multi buy etc etc | Disable any Category or Product, Easy way | Secure & Improve your account pages et al.
Stealth1, posted February 22, 2010

This is probably a very n00b question, but I installed this just now, browsed my site and ran through the checkout process up to the point of submitting the order, and saw no errors. Would this be a good sign that nothing is being blocked or not working? I am not sure of the best way to test that nothing is having issues after this is installed.
Francys, posted February 23, 2010

Hi all, good job with the osC for what I'm seeing, eheheh. I'm a newbie to these forums, and I would like you to tell me how to sort this: I installed FWR Security PRO, and when a customer clicks for more info regarding a product it isn't opening the PDF link (I tested it and it is because Security Pro is redirecting: http://addons.oscommerce.com/info/5752). I recognise Security Pro is a good anti-hack tool, but how shall I sort this?

Example:
- the customer enters a given product description; at the end there is the option "click this for more details".
- generally I have a product datasheet with technical info for the customer in PDF.

If Security Pro is turned off the PDF is loaded like it's supposed to; if Security Pro is on the customer is redirected to the shop entrance... The PDF files are stored like this: AA_<product_name>_<reference>.pdf

I tried to make an exclusion with <full path>\AA_<product_name>_<reference>.pdf,AA_<product_name>_<reference>.pdf and none worked... How to sort this? Thanks in advance.

Oh, by the way, I would like only to exclude these PDF files, and not compromise Security Pro's strengths. Thanks in advance.
Francys, posted February 24, 2010

Is anyone ever answering? By the way, I'm a newbie to these forums; what is the average response time? I posted 5 critical issues in different threads affecting my shop 2 days ago and so far no one has answered me with an attempt at a solution... I'm not the type to hassle too much with questions; I don't like to bother people and I think these forums are built to try and help. I know people here are volunteers, so I really try to only post important things, and if I can help anyone I will of course. And to be honest with you, I thought the osCommerce community would be bigger... for instance I tried to find them, but these forums don't have Brazilian or Portuguese sections (only German, I think)... correct me if I'm wrong please. Thanks.
FWR Media (thread author), posted February 24, 2010, in reply to Francys

> Oh, by the way, I would like only to exclude these PDF files, and not compromise Security Pro's strengths. Thanks in advance.

You shouldn't need to exclude anything. If the PDF system has stopped working then it is sending illegal characters via the querystring; the solution is to modify the PDF script to use only allowed characters in the querystring it sends.
Francys, posted February 24, 2010

> You shouldn't need to exclude anything. If the PDF system has stopped working then it is sending illegal characters via the querystring; the solution is to modify the PDF script to use only allowed characters in the querystring it sends.

Thank you very much for your kind answer. I would like to use the exclude files option (it is more practical, and I already tried to rename the files to 1.pdf and it still isn't working) because:
- there is no security breach whatsoever
- I don't need to modify any script, which would pose an additional problem

And finally I just need to upload a list of the files (that aren't that many), comma separated and without spaces, e.g. AA_efef_33.pdf,AA_3242_rf2.pdf,...,AB_234_23.pdf

(By the way, it doesn't matter where the files are, does it? The PDFs are located inside a folder in root (outside catalog) and I have no problem opening them with Security Pro off; when it's ON it just redirects to the shop entrance.)

Thanks in advance.
Francys, posted February 24, 2010, following up on the previous post

OK, I THINK I GOT IT... LOLOL. I just exclude redirect.php...... It's working. Is this a security breach or is it OK to leave redirect.php excluded?! Thanks in advance.
Francys, posted February 27, 2010

Hi FWR. This will interest anyone using PDFs in his/her site as a URL, so I would like to know a confirmation regarding whether disabling redirect.php by excluding it is OK, or if it will pose a security problem. Thanks in advance.
eStore B, posted February 28, 2010

I am trying to secure my site....... using Security Pro, http://addons.oscommerce.com/info/5752. I have gotten to the last step of the instructions: "Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)." I have gone to catalog/admin/configuration.php......... but I do not see the code "FWR Security Pro and turn it on .. (set to true)." Can anyone give a suggestion please?
www.in.no, posted February 28, 2010

It means that you have to log in to admin, and under the first section, named Configuration, you will find FWR Security Pro if the installation has been done correctly. It has nothing to do with the configuration file.
eStore B, posted February 28, 2010

> It means that you have to log in to admin, and under the first section, named Configuration, you will find FWR Security Pro if the installation has been done correctly. It has nothing to do with the configuration file.

OK, that was too simple.... thank you very much. Can you suggest the next thing to do to secure the site?
www.in.no, posted February 28, 2010

Read the security forum and the pinned post there on how to secure your osC shop.
Francys, posted March 3, 2010, following up on the redirect.php question

Since I have got no reply, and reading a bit in this post another person suggested this and it seems to be a nice fashion in which to sort it, I take it as resolved.
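The question left open above is what excluding redirect.php from Security Pro actually does. The following stand-alone PHP script is an added example, not Security Pro's code, that models the per-script exclusion check quoted from application_top.php earlier in the thread and runs the same query string through an excluded and a non-excluded script. The constant names mirror those in the thread but their values are constructed; the 'action' and 'goto' parameter names are assumed for the redirect script, and the script paths and query values are constructed for the demo.

```php
<?php
// Added example, not part of Security Pro: a model of the per-script
// exclusion check in application_top.php, to make visible what excluding
// redirect.php switches off. Constant values are constructed for the demo.
define('FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON', 'true');
define('FWR_SECURITY_PRO_FILE_EXCLUSIONS', 'redirect.php');

// The same test application_top.php makes before including security.php:
// the script name is compared against the comma-separated exclusion list.
function is_excluded($script)
{
    $excludes = array();
    if (FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON === 'true') {
        $excludes = array_map('trim', explode(',', FWR_SECURITY_PRO_FILE_EXCLUSIONS));
    }
    return in_array(basename($script), $excludes, true);
}

// One level of the thread's whitelist (A-Z a-z 0-9 - . _ {} space),
// enough for a flat query string.
function clean_get($get)
{
    return array_map(function ($v) {
        return preg_replace('/[^ {}a-zA-Z0-9_.-]/', '', urldecode($v));
    }, $get);
}

// What the script actually sees. Exclusion is per script, not per
// parameter: an excluded script receives every GET value untouched,
// not only the one carrying the pdf name.
function effective_get($script, $get)
{
    return is_excluded($script) ? $get : clean_get($get);
}

function demo()
{
    // Constructed query string: a pdf link of the form used in the thread
    // plus a second, unrelated parameter carrying a URL-encoded tag.
    $get = array(
        'action' => 'url',                              // assumed parameter name
        'goto'   => 'AA_<product_name>_<reference>.pdf', // assumed parameter name
        'ref'    => '%3Cb%3Ehi',
    );
    return array(
        'redirect.php' => effective_get('/catalog/redirect.php', $get),
        'index.php'    => effective_get('/catalog/index.php', $get),
    );
}

if (PHP_SAPI === 'cli') {
    print_r(demo());
}
```

Run from the command line, the redirect.php array comes back exactly as sent, "<b>hi" included, while the index.php array has the angle brackets stripped from both goto and ref. That is the trade-off behind the question: the exclusion does not narrow the filter to the PDF names, it turns the filter off for every parameter that script reads, which is why the earlier reply recommends changing the script that builds the PDF link to emit only whitelisted characters instead.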
seshalyn_pr, posted March 8, 2010

> You have to print out the _GET variable as it says in the instructions .. something like:
>
>     if ( array_key_exists( 'fwrtest', $_GET ) ) {
>       echo 'security Pro test: Result was: ' . $_GET['fwrtest'] . '<br />' . PHP_EOL;
>     }
>
> You can put that temporarily in includes/footer.php or somewhere else.

It's working!!! Woohoo :D. For a newbie like me, who doesn't know the least bit of PHP (Chinese to me), whenever I install something, get no errors, and find out it's working, oooo I can't explain the happiness that is felt lolssssss. Anyway, I just wanted to say thank you FWR for the contribution, and Sam for always putting in his input throughout, and everyone who contributes to make others' osC experience easier!!! Thanks!!!

Signature: I Hate PHP, LoLssss. Visit My Site, any constructive comments and suggestions welcome :) WARNING: IT'S STILL UNDER CONSTRUCTION, LOLS
john_roberts, posted March 9, 2010

I have been wrestling with PCI compliance, and cross site scripting is my last major nut to crack. This white-file(?) replacement is exactly what I need. (Thank you.) I am not very fluent with PHP code, but I have managed to get most add-ins to work over a few years. I am having no success with this FWR Security Pro add-in.

- I have run the install program.
- I have put the security.php file in ...(formerly called catalog)/includes/functions
- I have added the new code in ...(formerly catalog)/includes/application_top.php
- I have turned Security Pro on (true) in admin configuration.

I get no cleaning of entered text. It's not [w](o)%3Cr%3Ek|i*n^g

- I tried uninstall and re-ran the install program.
- I have added some echo code in application_top to confirm that Security Pro is "true"; it is.
- I added and removed some echo code in application_top to confirm that the cleaning function exists and is found. It does, in security.PHP.
- I confirmed that !array is true.

I repeat, I am not very competent with PHP code, so I may be missing something simple. My "catalog" directory goes by another name, but this is reflected in the configuration area and (AFAIK) the store has been working fine for years. When I type fwrtest=[w](o)%3Cr%3Ek|i*n^g in the browser string, I get fwrtest=[w](o)<r>k|i*n^g in response. I am working beyond my ability to debug in PHP. Anything simple I may be overlooking? My head hurts.

John Roberts

Note: still running 2.2rc2a but corrected for deprecated PHP functions when I upgraded the server to a newer version of PHP in the PCI compliance process. There may still be a few clinkers, but I don't get any deprecated function errors.
FWR Media (thread author), posted March 9, 2010, in reply to john_roberts

You don't need to do anything but install it and turn it on in admin. It's an easy install with no room for error.