spooks Posted August 29, 2008

Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752
You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441
You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914
You can add htaccess protection http://addons.oscommerce.com/info/6066
You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Also make sure that all files, except for the two configure.php files, have permissions no higher than 644. The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400 which is correct. Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts. You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

Do it now, avoid getting that nasty addition to your listings in Google: 'This site might damage your computer'. Or find all your customers' data has been posted on a hackers' bulletin board somewhere, etc etc.

Update Sep. 09

The following addresses issues that have arisen or were not mentioned since this post was placed:

SECURING THE ADMIN: You must take steps to secure your admin, by renaming & password protection. There is also an issue with hacks, read Jan's thread here.

FILEMANAGER: It has long been known the file manager is a security risk & should, nay MUST, be removed. If used for editing your site it is likely to damage your files, so it is a bad utility to keep anyway, see here. It's also been known it's a possible hacking route & to make matters worse there now exists a very nasty hack that uses the file manager to gain access to your site (dbase included!!). Use a normal editor such as HTML-Kit or Notepad++ after downloading all your files to your PC with FTP such as FileZilla.

To remove the file manager:
Delete file_manager.php from catalog/admin
Open admin/includes/boxes/tools.php and delete the line:
    '<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .

It is also known that admin/define_language.php is vulnerable to the same hacks as the file manager, so should also be removed.

BACKUPS: To be safe you should make backups of your dBase and site files; it saves a great deal of time & effort cleaning up should anything nasty happen. I recommend you use AutoBackup Database in Admin AND Database backup manager, also Backup of all store files in zip format.

INSTALLATION: If you are unsure about installing these contributions this thread should help you.

FORMS: Security Pro cleans the query string, however any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

after:
    require('includes/application_top.php');
add:
    // clean posted vars
    // (each() was removed in PHP 8.0; on current PHP iterate with
    //  foreach (array_keys($_POST) as $key) instead)
    reset($_POST);
    while (list($key, $value) = each($_POST)) {
        if (!is_array($_POST[$key])) {
            // keep only space, letters, digits and @ % : { } _ . -
            $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
        } else {
            unset($_POST[$key]); // no arrays expected
        }
    }

This does not allow for arrays, additional code is needed if they are used.

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al.
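The snippet above drops any array posted to the page. The following is an added example, not part of Sam's post and not code from Security Pro, showing a version of the same character whitelist that handles nested arrays instead of discarding them and filters array keys as well as values. It assumes PHP 7 or later. Two design choices differ from the snippet above and are deliberate: the value is not passed through urldecode() a second time, because PHP has already decoded the request body before filling $_POST (decoding again would turn a legitimately posted literal "%41" into "A"); and recursion is capped so a deliberately deep structure cannot exhaust the stack. The sample input is constructed for the example. Note that a character whitelist silently alters legitimate customer input (apostrophes in names, "+" in e-mail addresses, commas in street addresses), so treat it as a coarse layer in front of proper escaping and parameterised queries in the code that consumes the values, not a replacement for them.

```php
<?php
// Added example (not from the original post or from Security Pro): recursive
// whitelist filter for $_POST that keeps nested arrays. Requires PHP 7+.
// Assumption: the request body is already URL-decoded by PHP, so no urldecode().

// Same character set as the snippet in the post: space, letters, digits, @ % : { } _ . -
const POST_ALLOWED = '/[^ a-zA-Z0-9@%:{}_.-]/';

/**
 * Filter one posted value. Arrays are filtered recursively (keys included);
 * scalars are stripped of every character outside POST_ALLOWED.
 */
function clean_post_value($value, int $depth = 0, int $maxDepth = 5)
{
    if (is_array($value)) {
        // Refuse pathologically deep structures rather than recursing without bound.
        if ($depth >= $maxDepth) {
            return array();
        }
        $clean = array();
        foreach ($value as $key => $item) {
            // Integer keys are safe as-is; string keys get the same whitelist. A key
            // that collapses to '' is dropped so it cannot overwrite another entry.
            $cleanKey = is_int($key) ? $key : preg_replace(POST_ALLOWED, '', (string) $key);
            if ($cleanKey === '') {
                continue;
            }
            $clean[$cleanKey] = clean_post_value($item, $depth + 1, $maxDepth);
        }
        return $clean;
    }
    return preg_replace(POST_ALLOWED, '', (string) $value);
}

/** Entry point: $_POST = clean_post_array($_POST); after application_top.php. */
function clean_post_array(array $post): array
{
    return clean_post_value($post);
}

// Constructed sample standing in for a real $_POST: a scalar carrying an SQL
// injection attempt, an array field (product attribute selections) carrying a
// script tag, and an ordinary e-mail address that the whitelist leaves intact.
$sample = array(
    'products_id' => "28'; DROP TABLE products; --",
    'id'          => array('4' => '<script>alert(1)</script>', 'colour' => 'red'),
    'email'       => 'user@example.com',
);

var_export(clean_post_array($sample));
echo PHP_EOL;
```

To use it in a store page, define the functions once (for example in includes/functions/general.php) and place `$_POST = clean_post_array($_POST);` directly after `require('includes/application_top.php');` on each page that accepts posted forms, in place of the loop shown in the post.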
stubbsy Posted August 29, 2008

Thanks Sam, there were a couple of tips in there that had passed me by... Cheers Dave
Guest Posted August 29, 2008

It always helps having to be PCI compliant too.... having that scan every few days going through your system catching anything that may be vulnerable. Never hurts to alert you to vulnerabilities. I love the Security Pro. I tried the IP trap but it worked so well my PCI compliance scanner got blocked *laughing*. Now I just keep looking at my error log, and put questionable entities in my disallow lines of my .htaccess file. That may not be the best way to do it, but it's what I've got for now.
php_Guy Posted September 4, 2008

When you say...

Quote (spooks): Permissions on folders should be no higher than 755.

... I assume you mean all except:
/catalog/images
/catalog/admin/backups
/catalog/admin/images/graphs

I get errors when I drop the permissions below 777 on those folders.
Black Jack 21 Posted September 5, 2008

Quote (spooks): Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

Read it once again!
php_Guy Posted September 5, 2008

Quote (Black Jack 21): Read it once again!

Thank you for your enlightened reply. However, it is osCommerce, not the host, that requires that those folders be world writable. The docs and the knowledgebase both state that they should be left at 777. If there is a way to secure them while still keeping osCommerce happy please let me know how to do so.
Guest Posted September 5, 2008

Not one of my folders has permissions 777, everything works fine.
sponna Posted September 5, 2008

I believe 777 is only vulnerable if the server itself is vulnerable, i.e. not set up securely. You cannot upload and execute a file remotely as far as I'm aware - the attack would need to come from within. Although this post is quite old, I think it makes interesting reading. Irrespective, always chmod to the most secure settings that still allow your site to run: http://www.simplemachines.org/community/in...hp?topic=2987.0

up the down escalator..........
php_Guy Posted September 6, 2008

Quote (Guest): Not one of my folders has permissions 777, everything works fine.

With /catalog/images set below 777, all is fine with the store. When I then enter admin, everything is still fine until I click on products/catalog. At this point, osC sees that it is unable to write to the images directory (and therefore unable to upload images for new products, etc. via admin) and therefore generates an error that is listed at the top of the screen. Since I FTP images up anyway this isn't a big issue, but /catalog/admin/backups and /catalog/admin/images/graphs have a similar problem. If they aren't world-writable, they cannot work as intended. Unless of course there is more to it that I am unaware of. That's why I asked the initial question.

As to it really being a security issue, I agree. I think a properly configured server manages the risk. However, it could be a bandwidth issue. Someone could use your world-writable directory as a warez file depository and post on warez boards where to get them. Suddenly, you could see a huge jump in bandwidth which could be costly if you have to pay for use beyond your allowance.
DJStealth Posted September 7, 2008

This seems a little confusing here. osCommerce requires 777 for the backup directory, images directory, and a few other places. Also, if you use a script that does caching of resized images, it also requires 777.

I guess the questions are this..
a) Is it possible for someone to do an HTTP upload of a file to any directory that's 777, without a script accepting it?
b) If so, maybe one can set up an .htaccess file to block write access this way?
FWR Media Posted September 7, 2008

Quote (DJStealth): a) Is it possible for someone to do an HTTP upload of a file to any directory that's 777, without a script accepting it? b) If so, maybe one can set up an .htaccess file to block write access this way?

Add a .htaccess including the following code.

    php_flag engine off
    <Files ~ "\.(php*|s?p?html|cgi|pl)$">
        deny from all
    </Files>

Not my code. Was suggested to me by BL4CK from thedefaced[d0t]org security group, and I can see the benefit. Won't work with suexec but a php.ini version would suffice.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
Bushmaster Posted September 8, 2008

Quote (DJStealth): osCommerce requires 777 for the backup directory, images directory, and a few other places. [...]

It's not osCommerce that requires it. It is the config of the server. On the host I use I have to set configure.php to 0444 to get the "I can write" error to go away, so my image folder goes no higher than 0755.
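The opening post gives the permission rules (files no higher than 644, configure.php at 644/444/400, folders no higher than 755) and the exchange above covers the folders a host may force to 777 (images, admin/backups, admin/images/graphs) together with FWR Media's .htaccess that disables PHP execution in such a folder. As an added example, not an osCommerce file and not the add-on linked in the first post, here is a command-line PHP script that audits a store tree against those rules and, for any directory that is still world-writable, checks whether a .htaccess with "php_flag engine off" is present. It only inspects that mod_php directive; as FWR Media notes, under suexec a per-directory php.ini is needed instead, and this script does not check for one. The path argument and the output format are the example's own.

```php
<?php
// Added example (not an osCommerce file or add-on): audit a store tree against
// the permission rules given in this thread. Files must be no more permissive
// than 0644 (the two configure.php files may also be 0444 or 0400), directories
// no more permissive than 0755, and any directory left world-writable must at
// least carry a .htaccess with "php_flag engine off" so nothing dropped into it
// can run as PHP. Usage: php perm_audit.php /path/to/catalog

function perms_of(string $path): int
{
    // fileperms() includes the file-type bits; keep only rwx for owner/group/other.
    return fileperms($path) & 0777;
}

function htaccess_disables_php(string $dir): bool
{
    $file = $dir . DIRECTORY_SEPARATOR . '.htaccess';
    if (!is_file($file)) {
        return false;
    }
    $body = (string) file_get_contents($file);
    // Only the mod_php directive is checked; suexec/CGI setups need a per-directory
    // php.ini instead, which this script does not inspect.
    return preg_match('/^\s*php_flag\s+engine\s+off\b/mi', $body) === 1;
}

/** Walk $root and return findings as array(path, octal mode, message). */
function audit_permissions(string $root): array
{
    $paths = array($root);
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $info) {
        $paths[] = $info->getPathname();
    }

    $findings = array();
    foreach ($paths as $path) {
        $mode  = perms_of($path);
        $octal = sprintf('%04o', $mode);

        if (is_dir($path)) {
            // Any bit outside rwxr-xr-x is a finding.
            if ($mode & ~0755) {
                $findings[] = array($path, $octal, 'directory more permissive than 0755');
            }
            // World-writable: if it cannot be avoided, PHP must be switched off inside it.
            if (($mode & 0002) && !htaccess_disables_php($path)) {
                $findings[] = array($path, $octal, 'world-writable directory without "php_flag engine off" in .htaccess');
            }
            continue;
        }

        if (basename($path) === 'configure.php') {
            // 0644, 0444 and 0400 are all acceptable; group- or world-writable is not.
            if ($mode & 0022) {
                $findings[] = array($path, $octal, 'configure.php writable by group or others');
            }
            continue;
        }

        // Ordinary file: any bit outside rw-r--r-- is a finding.
        if ($mode & ~0644) {
            $findings[] = array($path, $octal, 'file more permissive than 0644');
        }
    }
    return $findings;
}

$root = rtrim($argv[1] ?? '.', '/') ?: '/';
$findings = audit_permissions($root);
foreach ($findings as list($path, $octal, $msg)) {
    printf("%s  %-60s %s\n", $octal, $path, $msg);
}
// Non-zero exit when anything was flagged, so the script can run from cron.
exit(count($findings) === 0 ? 0 : 1);
```

Run it over the catalog (and again over admin) after any FTP upload; an FTP client that "preserves" permissions from a Windows machine is a common way for 0666/0777 to creep back in. Because the exit code is non-zero on findings, it can be scheduled alongside a file-change monitor such as SiteMonitor.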
skunkbad Posted September 8, 2008

Quote (spooks): Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here. [...]

If the default osCommerce script is really this vulnerable, I think osCommerce should let people know before they download the script and spend countless hours customizing their installation.

No Links To My Website Here!
web-project Posted September 8, 2008

Very useful contributions, if the server is not set up properly. Personally I am using a firewall on my server and getting only email logs of people who are trying to hack osCommerce websites, & these people/IP addresses are automatically put in my black list.

Example:

Time: Sun Sep 7 18:16:39 2008 +0100
IP: 193.xx.xxx.xxx (country name)
Failures: 1 (mod_security)
Interval: 215 seconds
Blocked: Yes

Log entries:
[Sun Sep 07 18:16:35 2008] [error] [client 193.xx.xxx.xxx] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:\\\\b(?:(?:n(?:et(?:\\\\b\\\\W+?\\\\blocalgroup|\\\\.exe)|(?:map|c)\\\\.exe)|t(?:racer(?:oute|t)|elnet\\\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\\\.exe|echo\\\\b\\\\W*?\\\\by+)\\\\b|c(?:md(?:(?:32)?\\\\.exe\\\\b|\\\\b\\\\W*?\\\\/c)|d(?:\\\\b\\\\W*?[\\\\\\\\/]|\\\\W*?\\\\.\\\\.)|hmod.{0,40}? ..." at ARGS:goto. [id "950006"] [msg "System Command Injection. Matched signature </mail>"] [severity "CRITICAL"] [hostname "domain name"] [uri "/admin/file_manager.php?goto=/home/user_name/public_html//images/mail"] [unique_id "dvZTxFXqk2sAAH@an4YAAAAE"]

Please read this line: Do you want to find all the answers to your questions? click here. As for the contribution database, it's located here!
8 people out of 10 don't bother to read installation manuals. I can recommend: if you can't read the installation manual, don't bother to install any contribution yourself.
Before installing a contribution or editing/updating/deleting any files, do a full backup; it will save you & everyone here on the forum time to fix your issues.
Any issues with osCommerce, I am here to help you.
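The log entry above has the standard ModSecurity "Access denied" shape: a [client ...] field followed by bracketed [id "..."], [msg "..."], [severity "..."] and [uri "..."] fields. As an added example, not part of web-project's post or of any firewall product, here is a small PHP parser for lines of that shape plus a per-IP summary of the kind a blocklist would be fed from (an IP is marked for blocking after a configurable number of denials, or on any CRITICAL rule). The sample lines are constructed for the example: they use RFC 5737 documentation addresses and, apart from rule 950006 which appears in the post, made-up rule ids and messages. Only the bracketed fields are parsed; the long "Pattern match" text is ignored.

```php
<?php
// Added example (not from web-project's post or from any firewall/log tool):
// parse ModSecurity "Access denied" log lines and summarise denials per client IP.
// Sample lines are CONSTRUCTED for this example; rule ids other than 950006 are made up.

/** Parse one Apache error-log line; returns null for lines that are not ModSecurity denials. */
function parse_modsec_line(string $line): ?array
{
    if (strpos($line, 'ModSecurity: Access denied') === false) {
        return null;
    }
    $fields = array('ip' => null, 'id' => null, 'msg' => null, 'severity' => null, 'uri' => null);
    if (preg_match('/\[client ([0-9a-fA-F.:]+)\]/', $line, $m)) {
        $fields['ip'] = $m[1];
    }
    // Bracketed key/value fields such as [id "950006"] or [uri "/admin/file_manager.php?..."];
    // the value is a double-quoted string that may contain backslash-escaped characters.
    foreach (array('id', 'msg', 'severity', 'uri') as $key) {
        if (preg_match('/\[' . $key . ' "((?:[^"\\\\]|\\\\.)*)"\]/', $line, $m)) {
            $fields[$key] = stripcslashes($m[1]);
        }
    }
    return $fields['ip'] === null ? null : $fields;
}

/**
 * Group denials by client IP. Each entry records the hit count, the distinct rule ids,
 * whether a CRITICAL rule fired, the script paths probed, and a block recommendation
 * (any CRITICAL hit, or at least $threshold hits).
 */
function summarise_denials(array $lines, int $threshold = 3): array
{
    $byIp = array();
    foreach ($lines as $line) {
        $f = parse_modsec_line($line);
        if ($f === null) {
            continue;
        }
        $ip = $f['ip'];
        if (!isset($byIp[$ip])) {
            $byIp[$ip] = array('hits' => 0, 'rules' => array(), 'critical' => false, 'uris' => array(), 'block' => false);
        }
        $byIp[$ip]['hits']++;
        if ($f['id'] !== null) {
            $byIp[$ip]['rules'][$f['id']] = true;
        }
        if ($f['severity'] === 'CRITICAL') {
            $byIp[$ip]['critical'] = true;
        }
        if ($f['uri'] !== null) {
            // Drop the query string so one script probed with many payloads counts once.
            $path = parse_url($f['uri'], PHP_URL_PATH);
            $byIp[$ip]['uris'][$path ?: $f['uri']] = true;
        }
    }
    foreach ($byIp as $ip => &$entry) {
        $entry['rules'] = array_keys($entry['rules']);
        $entry['uris']  = array_keys($entry['uris']);
        $entry['block'] = $entry['critical'] || $entry['hits'] >= $threshold;
    }
    unset($entry);
    return $byIp;
}

// Constructed sample log: three denials from two addresses plus one unrelated error line.
$sampleLog = array(
    '[Sun Sep 07 18:16:35 2008] [error] [client 192.0.2.10] ModSecurity: Access denied with code 406 (phase 2). Pattern match "(?:cmd|chmod)" at ARGS:goto. [id "950006"] [msg "System Command Injection"] [severity "CRITICAL"] [hostname "shop.example"] [uri "/admin/file_manager.php?goto=/home/user/public_html//images/mail"] [unique_id "constructed01"]',
    '[Sun Sep 07 18:17:02 2008] [error] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "union.*select" at ARGS:products_id. [id "900001"] [msg "SQL Injection Attempt (constructed rule)"] [severity "WARNING"] [hostname "shop.example"] [uri "/product_info.php?products_id=1%20union%20select"] [unique_id "constructed02"]',
    '[Sun Sep 07 18:17:40 2008] [error] [client 198.51.100.7] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<script" at ARGS:keywords. [id "900002"] [msg "XSS Attempt (constructed rule)"] [severity "WARNING"] [hostname "shop.example"] [uri "/advanced_search_result.php?keywords=%3Cscript%3E"] [unique_id "constructed03"]',
    '[Sun Sep 07 18:18:11 2008] [error] [client 203.0.113.5] File does not exist: /home/user/public_html/favicon.ico',
);

foreach (summarise_denials($sampleLog, 2) as $ip => $s) {
    printf("%-15s hits=%d critical=%-3s block=%-3s rules=%s uris=%s\n",
        $ip, $s['hits'], $s['critical'] ? 'yes' : 'no', $s['block'] ? 'yes' : 'no',
        implode(',', $s['rules']), implode(' ', $s['uris']));
}
```

Addresses with block=yes are the candidates for a firewall rule or for the "deny from" lines Deborah mentions earlier in the thread. Whitelist your PCI scanner's source addresses before automating the block, for the reason she gives: a scanner that deliberately sends attack payloads will otherwise lock itself out.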
FWR Media Posted September 8, 2008

Quote (web-project): Very useful contributions, if the server is not set up properly. Personally I am using a firewall on my server and getting only email logs of people who are trying to hack osCommerce websites, & these people/IP addresses are automatically put in my black list. Example: [...]

Server set-up is no replacement at all for code-side input/output escaping; server security is a totally different animal addressing totally different needs.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
WoodsWalker Posted September 12, 2008

Thanks for the list, Sam, and thanks Deborah for that hint regarding PCI compliance. You're right on. Right now my compliance people are failing me due to apparent vulnerability to cross-site scripting, so this thread came at just the right time.

~Wendy
themilkman Posted September 12, 2008

Hi

I am looking at the install instructions for Anti XSS and do not understand how it can write to a file called iplog.txt? Nowhere in the .htaccess code is there a reference to the IP address being written to the .txt file. Am I missing code here?

=======

Also I have installed Secure your site with an IP trap http://addons.oscommerce.com/info/5914. The add-on successfully blocks you, but when it writes the IP address to a text file called IP_trapped.txt the blocked IP address is written as an invisible line. Also when the program writes an email to you, again the IP address is not shown/invisible. Does anyone know how to make the IP address visible?

Thank You
TMM

What's the point of a signature?
themilkman Posted September 13, 2008

Hi

I have installed the Security Pro latest version but get the following error after the entire add-on installation:

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'MAX_RANDOM_SELECT_NEW' at line 1

select products_id, products_image, products_tax_class_id, products_price from products where products_status = '1' order by products_date_added desc limit MAX_RANDOM_SELECT_NEW

Can anyone please suggest what to do here?

Thanks
Bal

What's the point of a signature?
geoffreywalton Posted September 13, 2008

Make sure the file that should have been put in /includes/languages/english is there, or that an edit to add a define to /includes/languages/english.php has been done correctly.

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile
Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site. Site Move. Basic design info.
For links mentioned in old answers that are no longer here follow this link Useful Threads.
If this post was useful, click the Like This button over there ======>>>>>.
themilkman Posted September 13, 2008

Quote (geoffreywalton): Make sure the file that should have been put in /includes/languages/english is there, or that an edit to add a define to /includes/languages/english.php has been done correctly.

Hi, for the contribution for Security Pro 1.0.2 http://addons.oscommerce.com/info/5752 there is no mention of having to put anything into the languages/english folder. Please explain.

Basically when I load my site the main page just shows the header image, side menu and the rest is blank with the error message. I have not put back the old application_top file and it is back to normal until I find out the fix.

Thanks
B

What's the point of a signature?
themilkman Posted September 13, 2008

Quote (themilkman): Hi, for the contribution for Security Pro 1.0.2 http://addons.oscommerce.com/info/5752 there is no mention of having to put anything into the languages/english folder. [...]

Hi, this issue is fixed - I accidentally commented something out.

On another note - does anyone have any test cases to test all the contributions in this thread?

Many Thanks
B

What's the point of a signature?
lakay Posted September 22, 2008

hello
Hotclutch Posted September 23, 2008

I cannot successfully test IP trap after installing. I get the warning message after running mystore\personal, but the IP does not get logged in the text file and I can still browse everywhere afterwards. Permissions are 777 on the txt file. My hosting server does not allow me to upload .htaccess files for some reason. Could it be due to this?
Celebrimbor Posted September 25, 2008

When I tried to install the AntiXSS I had an error:

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/factoryr/public_html/includes/functions/general.php on line 39

Can somebody help me please.. Thank you
Rafael

OScommerce Rocks!
So_Not_an_HTML_genius Posted November 6, 2008

Quote (spooks): Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here. [...]

How do I install addons? I know this is probably a thread elsewhere but for the life of me, I cannot find it. Can someone please tell me where I can learn or get a tutorial as to how to install addons? I really feel lost with PHP. I also have a question as to how to find the PHP pages in my store/catalog that appear in my index. If I look at my index page live on the web and look at the source, there is more info there than is found on my index.php. I know these may seem like basic questions and you all may think... my god, they should know how to do this, but I do not. So, even if there is a tutorial that can help, I can use it!

Thanks, Kelly
This topic is now archived and is closed to further replies.