risela Posted November 26, 2010

I followed all the directions and have re-done it several times and it just isn't working. When I go to this step: "Go into admin > configuration > FWR Security Pro and turn it on (set to true)", I cannot find FWR Security Pro to turn it on...
FWR Media (Author) Posted November 26, 2010

You have to run the install script as per the instructions.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
designcraft Posted December 10, 2010

Hello, once again my site is failing. Security Metrics always sends me possible Blind SQL injections. Could you look at this again and let me know what may be happening? I haven't made any upgrades or added any new contributions to the store since the last time I was on this forum. Thank you!

Possible blind sql injection on http://domain.com/shop/advanced_search_result.php?action=buy_now&keywords=dog+mom+long+sleeve&sort=2a

wp --bsql "http://domain.com/shop/advanced_search_result.php?action=buy_now&keywords=dog+mom+long+sleeve&sort=2a"
"http://domain.com/shop/advanced_search_result.php?action=buy_now+and+1%3D1&keywords=dog+mom+long+sleeve&sort=2a"
TCP http/https 4
"http://domain.com/shop/advanced_search_result.php?action=buy_now+and+1%3D0&keywords=dog+mom+long+sleeve&sort=2a"

cat <<EOF > bsql.sh
curl -L "http://domain.com/shop/advanced_search_result.php?action=buy_now+and+1%3D1&keywords=dog+mom+long+sleeve&sort=2a" > a
curl -L "http://domain.com/shop/advanced_search_result.php?action=buy_now+and+1%3D0&keywords=dog+mom+long+sleeve&sort=2a" > b
diff a b
EOF
sh bsql.sh

This website may have other injection related vulnerabilities.
FWR Media (Author) Posted December 10, 2010

This is nothing to do with support of the Security Pro contribution. Perhaps you should post in the general forum.
designcraft Posted December 10, 2010

This is where I posted last time. You can see me on page 8. I use Security Pro for protection on my website and you have helped me in the past. I will post this somewhere else. Thank you for your time.

lindsay
FWR Media (Author) Posted December 10, 2010

I may have answered "last time" but I should not have done. General posts here make it difficult for those seeking genuine support for this specific contribution. I have however now answered your question in the general forum .. thanks for moving it.
risela Posted December 11, 2010

Thanks! I have it set up now.
FWR Media (Author) Posted December 23, 2010

Security Pro 2.0

A new version has been released:

Compatibility: PHP 4/5, osCommerce All Versions.

Effective Querystring Protection Against Hacking by Whitelisting

The first Security Pro was written back in March 2008 when it became apparent that osCommerce shops were being hacked via the querystring through badly coded contributions like testimonials.

Is it still necessary with the new 2.3.X versions of osCommerce? Yes, it is still just as valid. The target of Security Pro is not the core osCommerce coding which we all know is good, the target is the thousands of contributions which are usually poorly written.

This is all new code but the concept remains the same .. with Security Pro installed it is impossible to pass bad characters through the querystring so long as the page loads application_top.php, which all osCommerce pages do.

The XSS .htaccess contributions in my opinion are worthless if this is installed as they simply replicate a small part of what Security Pro does. The only exception to this that I could see was the REQUEST_METHOD and TRACE|TRACK.

The concept is simple but effective. It's a waste of time to try and blacklist the huge number of hacking vectors as the XSS scripts try to do .. the only answer is whitelisting and this is what Security Pro does very well.

What has Changed?

In operation it is pretty much the same .. except ..

* Total rewrite using more modern code ( albeit PHP4 compatible )
* Added to security strength by adding some string exclusions like GLOBALS, _REQUEST, base64_encode, UNION
* Fixed a hole where a clever hacker could gain a dangerous double hyphen.
* The XSS .htaccess contribution now has nothing to offer over Security Pro.
* Simplified KISS installation with no database additions required.

Installation

This has been rewritten as a KISS contribution ( Keep It Simple Stupid ) so is extremely quick and easy to install.
Xpajun Posted December 23, 2010

Robert, one question - "Very occasionally there may be a file that genuinely needs to pass via the querystring characters that are disallowed. This tends to be payment modules like Sage Pay ( formerly PROTX )." Is there a list of known files that have this problem, especially payment modules?

My store is currently running Phoenix 1.0.3.0. I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 ). I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.
FWR Media (Author) Posted December 23, 2010

No .. the only one I ever actually heard about was the PROTX one.
Debs Posted December 24, 2010

I don't mean to hijack your support forum... I just wanted to take a moment and say: thank you Robert for all the diligent work you have done on this (and your other) great contribution/s. I really like your newer release of Security Pro (2.0 r7). I was unable to use your older release of Security Pro... as it conflicted with some of my custom code I use. It is nice to see the simplicity of your updated contribution. This new one works fine and the extra "peace of mind" added security provides is priceless. Thank you!

Kind regards,
Debs
FWR Media (Author) Posted December 24, 2010

Thanks is never a hijack :)
FWR Media (Author) Posted December 24, 2010

Here's a bit of fun to try on a fresh osCommerce 2.3.1. An expanded bad search term ..

[w](o)%3C<r>%3Ek|i*n^g

If you put this in the search box and search, it actually returns a product :) Matrox G200 MMX

Security Pro reduces the search term to "working" and that product has that word in its description.
Xsonic.pl Posted December 29, 2010

I use Security Pro 2.0 and I have a problem. When I want to test that it is working - "Put in a bad character good character mix like [w](o)%3Cr%3Ek|i*n^g"

http://www.autodrive.pl/advanced_search_result.php?keywords=[w](o)%3Cr%3Ek|i*n^g

it changes to:

http://www.autodrive.pl/advanced_search_result.php?keywords=[w](o)<<r>>k|i*n^g

It should read "working" not "[w](o)<<r>>k|i*n^g" - what is wrong??
FWR Media (Author) Posted December 29, 2010

a] Have you installed it correctly?
b] Which version of osCommerce are you on?
c] ( related to b] ) is compatibility.php called before the Security Pro code?

require(DIR_WS_FUNCTIONS . 'compatibility.php');

d] If c] is correct, does includes/functions/compatibility.php contain the following code?

if (PHP_VERSION >= 4.1) {
  $HTTP_GET_VARS =& $_GET;
  $HTTP_POST_VARS =& $_POST;
  $HTTP_COOKIE_VARS =& $_COOKIE;
  $HTTP_SESSION_VARS =& $_SESSION;
  $HTTP_POST_FILES =& $_FILES;
  $HTTP_SERVER_VARS =& $_SERVER;
} else {
  if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
  if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
  if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();
}
Xsonic.pl Posted December 30, 2010

Thank you! Now it is OK. I have osCommerce 2.1 with many changes and sometimes have a problem with new contributions.
girolimoni Posted December 30, 2010

I just updated, meaning installed your latest Security Pro, but although I have spent 2 hours now checking why, it's not working. Here is what I did: uploaded the new files in the modules folder and inserted the code above the SSL thing (please check code provided below). Then I deleted in application_top the old Security Pro entry and finally deleted the database entries of the configuration. Well, it's not working. Any suggestions, or what shall I provide you with in order to help us? Greetings

// define the project version
define('PROJECT_VERSION', 'osCommerce 2.2-MS2');

// set the type of request (secure or not)
$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

// Security Pro by FWR Media
include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
$security_pro = new Fwr_Media_Security_Pro;
// If you need to exclude a file from cleansing then you can add it like below
//$security_pro->addExclusion( 'some_file.php' );
$security_pro->cleanse( $PHP_SELF );
// End - Security Pro by FWR Media

if ($request_type == 'NONSSL'){
  define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
} else {
  define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
}
FWR Media (Author) Posted December 30, 2010

Try reading the post 2 above.
girolimoni Posted December 30, 2010

You mean about the compatibility? Yes, but here the

// some code to solve compatibility issues
require(DIR_WS_FUNCTIONS . 'compatibility.php');

is after the new Security Pro code in application_top. However I just checked my compatibility.php and it doesn't have your code in it. Can you please advise where to add it? Thanks in advance. Here is my compatibility.php:

<?php
/*
  $Id: compatibility.php,v 1.19 2003/04/09 16:12:54 project3000 Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

  Released under the GNU General Public License

  Modified by Marco Canini, <[email protected]>
  - Fixed a bug with arrays in $HTTP_xxx_VARS
*/

////
// Recursively handle magic_quotes_gpc turned off.
// This is due to the possibility of have an array in
// $HTTP_xxx_VARS
// Ie, products attributes
  function do_magic_quotes_gpc(&$ar) {
    if (!is_array($ar)) return false;

    while (list($key, $value) = each($ar)) {
      if (is_array($value)) {
        do_magic_quotes_gpc($value);
      } else {
        $ar[$key] = addslashes($value);
      }
    }
  }

// $HTTP_xxx_VARS are always set on php4
  if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
  if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
  if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();

// handle magic_quotes_gpc turned off.
  if (!get_magic_quotes_gpc()) {
    do_magic_quotes_gpc($HTTP_GET_VARS);
    do_magic_quotes_gpc($HTTP_POST_VARS);
    do_magic_quotes_gpc($HTTP_COOKIE_VARS);
  }

  if (!function_exists('array_splice')) {
    function array_splice(&$array, $maximum) {
      if (sizeof($array) >= $maximum) {
        for ($i=0; $i<$maximum; $i++) {
          $new_array[$i] = $array[$i];
        }
        $array = $new_array;
      }
    }
  }

  if (!function_exists('in_array')) {
    function in_array($lookup_value, $lookup_array) {
      reset($lookup_array);
      while (list($key, $value) = each($lookup_array)) {
        if ($value == $lookup_value) return true;
      }

      return false;
    }
  }

  if (!function_exists('array_reverse')) {
    function array_reverse($array) {
      for ($i=0, $n=sizeof($array); $i<$n; $i++) $array_reversed[$i] = $array[($n-$i-1)];

      return $array_reversed;
    }
  }

  if (!function_exists('constant')) {
    function constant($constant) {
      eval("\$temp=$constant;");

      return $temp;
    }
  }

  if (!function_exists('is_null')) {
    function is_null($value) {
      if (is_array($value)) {
        if (sizeof($value) > 0) {
          return false;
        } else {
          return true;
        }
      } else {
        if (($value != '') && ($value != 'NULL') && (strlen(trim($value)) > 0)) {
          return false;
        } else {
          return true;
        }
      }
    }
  }

  if (!function_exists('array_merge')) {
    function array_merge($array1, $array2, $array3 = '') {
      if (empty($array3) && !is_array($array3)) $array3 = array();
      while (list($key, $val) = each($array1)) $array_merged[$key] = $val;
      while (list($key, $val) = each($array2)) $array_merged[$key] = $val;
      if (sizeof($array3) > 0) while (list($key, $val) = each($array3)) $array_merged[$key] = $val;

      return (array) $array_merged;
    }
  }

  if (!function_exists('is_numeric')) {
    function is_numeric($param) {
      return ereg('^[0-9]{1,50}.?[0-9]{0,50}$', $param);
    }
  }

  if (!function_exists('array_slice')) {
    function array_slice($array, $offset, $length = 0) {
      if ($offset < 0 ) {
        $offset = sizeof($array) + $offset;
      }
      $length = ((!$length) ? sizeof($array) : (($length < 0) ? sizeof($array) - $length : $length + $offset));
      for ($i = $offset; $i<$length; $i++) {
        $tmp[] = $array[$i];
      }

      return $tmp;
    }
  }

  if (!function_exists('array_map')) {
    function array_map($callback, $array) {
      if (is_array($array)) {
        $_new_array = array();
        reset($array);
        while (list($key, $value) = each($array)) {
          $_new_array[$key] = array_map($callback, $array[$key]);
        }

        return $_new_array;
      } else {
        return $callback($array);
      }
    }
  }

  if (!function_exists('str_repeat')) {
    function str_repeat($string, $number) {
      $repeat = '';
      for ($i=0; $i<$number; $i++) {
        $repeat .= $string;
      }

      return $repeat;
    }
  }

  if (!function_exists('checkdnsrr')) {
    function checkdnsrr($host, $type) {
      if(tep_not_null($host) && tep_not_null($type)) {
        @exec("nslookup -type=$type $host", $output);
        while(list($k, $line) = each($output)) {
          if(eregi("^$host", $line)) {
            return true;
          }
        }
      }

      return false;
    }
  }
?>
FWR Media (Author) Posted December 30, 2010

Please don't post complete files .. it makes the thread impossible to read.

Find ..

// $HTTP_xxx_VARS are always set on php4
if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();

Replace with ..

if (PHP_VERSION >= 4.1) {
  $HTTP_GET_VARS =& $_GET;
  $HTTP_POST_VARS =& $_POST;
  $HTTP_COOKIE_VARS =& $_COOKIE;
  $HTTP_SESSION_VARS =& $_SESSION;
  $HTTP_POST_FILES =& $_FILES;
  $HTTP_SERVER_VARS =& $_SERVER;
} else {
  if (!is_array($HTTP_GET_VARS)) $HTTP_GET_VARS = array();
  if (!is_array($HTTP_POST_VARS)) $HTTP_POST_VARS = array();
  if (!is_array($HTTP_COOKIE_VARS)) $HTTP_COOKIE_VARS = array();
}

You really should update your files, you are running extremely old and insecure code.
girolimoni Posted December 30, 2010

Great, working now. Really appreciated your help. I know, we really should update, but honestly no idea where to begin :(. One little additional question: we have a 4 language store so I modified this string in order to keep search results o.k. Do you think it's risky for security reasons? Those letters are really often used. Greetings

$cleansed = preg_replace( "/[^\s{}a-z0-9äüöéèê_\.\-]/i", "", urldecode( $get ) );
FWR Media (Author) Posted December 30, 2010

They are just language characters so you'll be fine. You may want to add the capitals as well, as the i modifier will not work for special characters.
FWR Media (Author) Posted January 3, 2011

Modification for Languages that have Special Characters

This change is optional and only relevant for languages which have special language characters.

What does it do?

You can add your language special characters to a variable; these characters will then be ignored by the whitelist. This is essential for e.g. search functionality to work with such languages.

Open up ..

catalog/includes/modules/fwr_media_security_pro.php

Find the COMPLETE function spro_cleanse_get_recursive()

Change it to ..

function spro_cleanse_get_recursive( $get ) {
  /**
   * IMPORTANT - DO NOT use the below to gimp the whitelist, this should be used for valid language special characters only
   *
   * @example $lang_additions = 'åÅäÄöÖ';
   * @var string - Valid language special characters to be added to the whitelist
   */
  $lang_additions = ''; // Special language characters go here - see the example above
  if ( !is_array( $get ) ) {
    $banned_string_pattern = '@GLOBALS|_REQUEST|base64_encode|UNION|%3C|%3E@i';
    // Apply the whitelist
    $pattern = "/[^\s{}a-z0-9_\.\-" . $lang_additions . "]/i";
    $cleansed = preg_replace( $pattern, "", urldecode( $get ) );
    // Remove banned words
    $cleansed = preg_replace( $banned_string_pattern, '', $cleansed );
    // Ensure that a clever hacker hasn't gained himself a naughty double hyphen -- after our cleansing
    return preg_replace( '@[-]+@', '-', $cleansed );
  }
  // Add the preg_replace to every element.
  return array_map( 'spro_cleanse_get_recursive', $get );
}

Obviously the ..

$lang_additions = 'åÅäÄöÖ';

can contain any language special characters that you wish; this should NOT be used to gimp the whitelist.

IMPORTANT: This file now MUST be saved as the correct charset, it can no longer be saved as a standard ASCII file.
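As an added example (not code from the Security Pro contribution or its author), the stand-alone PHP script below reimplements the whitelist cleanse discussed in this thread and runs the thread's own test strings through it, covering the "working" search term, the double-hyphen collapse and the language-character additions; the names spro_whitelist() and runChecks() are assumptions. It goes one step beyond the thread by contrasting byte-wise matching with UTF-8 (u modifier) matching of the language additions.

```php
<?php
// Added example, not the Security Pro contribution's own code: a stand-alone
// reimplementation of the whitelist cleanse discussed in this thread, run
// against inputs from the thread plus constructed ones. The names
// spro_whitelist() and runChecks() are hypothetical. It goes one step beyond
// the thread by showing the difference between byte-wise and UTF-8 ('u')
// matching for language characters. Save this file as UTF-8.

/**
 * Whitelist one querystring value, or recursively every value of an array.
 *
 * @param mixed  $get            Raw value (string) or nested array of values
 * @param string $lang_additions Language characters to allow, e.g. 'äöüÄÖÜ'
 * @param bool   $utf8           Add the 'u' modifier so the class works on code points
 * @return mixed                 Cleansed string or array
 */
function spro_whitelist($get, $lang_additions = '', $utf8 = false)
{
    if (is_array($get)) {
        $out = array();
        foreach ($get as $key => $value) {
            $out[$key] = spro_whitelist($value, $lang_additions, $utf8);
        }
        return $out;
    }
    $modifiers = $utf8 ? 'iu' : 'i';
    // 1. Whitelist: keep whitespace, braces, ASCII letters and digits, _ . -
    //    and the language additions; quotes, < > = ; % and the rest are dropped.
    //    Like the thread's code, the value is urldecoded once more before cleansing.
    $pattern  = '/[^\s{}a-z0-9_\.\-' . preg_quote($lang_additions, '/') . ']/' . $modifiers;
    $cleansed = preg_replace($pattern, '', urldecode($get));
    if ($cleansed === null) {
        // With 'u', preg_replace returns null on malformed UTF-8; treat as empty.
        return '';
    }
    // 2. Remove strings that are dangerous even when spelled with allowed characters.
    $cleansed = preg_replace('/GLOBALS|_REQUEST|base64_encode|UNION/i', '', $cleansed);
    // 3. Collapse runs of hyphens so that characters removed between two
    //    hyphens cannot leave an SQL comment marker "--".
    return preg_replace('/-+/', '-', $cleansed);
}

/**
 * Run the cases and return the list of mismatches (empty array means all passed).
 */
function runChecks()
{
    $cases = array(
        // Thread examples: a bad/good character mix collapses to "working".
        array('[w](o)%3C<r>%3Ek|i*n^g', '', false, 'working'),
        array('[w](o)%3Cr%3Ek|i*n^g', '', false, 'working'),
        // Constructed: the scanner probe quoted earlier loses its = and quote.
        array("buy_now+and+1%3D1'", '', false, 'buy_now and 11'),
        // Constructed: removing the quote would leave "--"; the collapse step prevents it.
        array("1-'-", '', false, '1-'),
        // Banned string removed after whitelisting (leading space remains).
        array('UNION SELECT', '', false, ' SELECT'),
        // Only lowercase additions, byte mode: 'i' does not fold Ä to ä, and the
        // lead byte 0xC3 of Ä survives (it is shared with ä) while its second byte is dropped.
        array('Ärzte', 'äöü', false, "\xC3rzte"),
        // Listing the capitals, as advised in the thread, keeps the word intact.
        array('Ärzte', 'äöüÄÖÜ', false, 'Ärzte'),
        // An unlisted multibyte character: byte mode leaves debris, 'u' drops it whole.
        array('café', 'äöü', false, "caf\xC3"),
        array('café', 'äöü', true, 'caf'),
        // Malformed UTF-8 after decoding is rejected outright in 'u' mode.
        array('%C3x', 'äöü', true, ''),
    );
    $failures = array();
    foreach ($cases as $i => $c) {
        $got = spro_whitelist($c[0], $c[1], $c[2]);
        if ($got !== $c[3]) {
            $failures[] = "case $i: expected " . bin2hex($c[3]) . " got " . bin2hex($got);
        }
    }
    // Nested arrays are cleansed element by element.
    $nested = spro_whitelist(array('a' => "x'y", 'b' => array('<z>')));
    if ($nested !== array('a' => 'xy', 'b' => array('z'))) {
        $failures[] = 'nested array case';
    }
    return $failures;
}

$failures = runChecks();
echo $failures ? implode("\n", $failures) . "\n" : "all checks passed\n";
```

The byte-mode cases show why the thread says the i modifier does not help with special characters and why the file must be saved in the right charset: without the u modifier the character class is matched byte by byte, so a character that is not listed can leave a stray lead byte behind.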
Moxamint Posted January 14, 2011

Hi, is this fix in application_top.php still valid with Security Pro?

/**
 * Reliably set PHP_SELF as a filename .. platform safe
 */
function setPhpSelf() {
  $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
  foreach ( $base as $index => $key ) {
    if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
      if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
        preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
        if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) && ( substr( $matches[0], -4, 4 ) == '.php' ) && ( is_readable( $matches[0] ) ) ) {
          return $matches[0];
        }
      }
    }
  }
  return 'index.php';
} // end method
$PHP_SELF = setPhpSelf();

Many thanks! BTW, I've been enjoying your contributions very much.
FWR Media (Author) Posted January 14, 2011

Security Pro has nothing to do with base file names; it cleanses the querystring. If you have already installed USU5 or USU5 PRO then this has already been done.