osCommerce


How to secure your osCommerce 2.2 site.


spooks


Contributions will have installation instructions contained within; follow those.

If a contrib doesn't, then don't use it.

Use of a compare tool will also help.

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:

Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

I had an error with AntiXSS as well. Just putting the function into general.php broke it, without the call in application_top.php. That makes no sense... how could an uncalled function cause the page to break?

 

If you get errors simply from adding a function, then you added the function into the middle of code or outside of the php tags. Double check the documentation and ensure that you are adding the function in the correct place.


I cannot successfully test IP trap after installing. I get the warning message after running mystore\personal, but the IP does not get logged in the text file and I can still browse everywhere afterwards. Permissions are 777 on the txt file. My hosting server does not allow me to upload .htaccess files for some reason. Could it be due to this?

 

Yeah, same thing here. I got myself banned, but I can still browse and shop all I want. My IP does not get logged, although I got the email saying it was banned. I have an .htaccess file, so I am not sure what the problem is. Any ideas out there?

 

Thanks,

 

Yol

I repeat myself when under stress, I repeat myself when under stress, I repeat myself...

 

--King Crimson (“Discipline”)


Re: IP Trap

 

I just installed and am getting these errors:

 

Warning: fopen(http://www.bellafavori.com/banned/IP_Trapped.txt) [function.fopen]: failed to open stream: HTTP wrapper does not support writeable connections in /home/bellafav/public_html/personal/index.php on line 25

 

Warning: flock() expects parameter 1 to be resource, boolean given in /home/bellafav/public_html/personal/index.php on line 26

 

Warning: Cannot modify header information - headers already sent by (output started at /home/bellafav/public_html/personal/index.php:25) in /home/bellafav/public_html/personal/index.php on line 41

 

 

Help?


Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

 

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

 

Thanks for the great post, am working through the list now. Two questions, in regards to the Anti XSS

- ) there are two (reasonably) different contributions under that link - which is the better/more effective one?

- ) how do I know it's working?!

 

Thanks :)


Re: IP Trap

 

I just installed and am getting these errors:

 

Warning: fopen(http://www.bellafavori.com/banned/IP_Trapped.txt) [function.fopen]: failed to open stream: HTTP wrapper does not support writeable connections in /home/bellafav/public_html/personal/index.php on line 25

 

Warning: flock() expects parameter 1 to be resource, boolean given in /home/bellafav/public_html/personal/index.php on line 26

 

Warning: Cannot modify header information - headers already sent by (output started at /home/bellafav/public_html/personal/index.php:25) in /home/bellafav/public_html/personal/index.php on line 41

 

 

Help?

 

This means that your banned/IP_Trapped.txt is not writable; set the folder to 755 and the file IP_Trapped.txt to 777.

 

Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

 

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999

 

have you added the call in application_top.php?

 

If you are using the latest version then it should not be any problem, as I rewrote it to be robust :-)

Sometimes you're the dog and sometimes the lamp post


My Contributions


Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

 

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999

I got the IP Trap to work by replacing the " " double quotes with ' ' single quotes where you define absolute path to '/home/***username***/public_html/catalog/banned/IP_Trapped.txt'

 

Files changed:

catalog/includes/secret.php

catalog/personal/index.php

 

Regards,

Eric_K


Warning: file(DOCUMENT_ROOT/../banned/IP_Trapped.txt) [function.file]: failed to open stream: Permission denied in /var/www/vhosts/themancaveoutletstore.com/httpdocs/includes/secret.php on line 7

 

Warning: Invalid argument supplied for foreach() in /var/www/vhosts/themancaveoutletstore.com/httpdocs/includes/secret.php on line 15

 

This is coming from the Application Top

 

I also wasn't getting banned... my IP never showed up... but then again maybe it all has to do with the error above... I disabled the application top code for now... any takers on this?

Yeah Yeah I am learning as I go... lol


Hi, I have applied most of the recommended addons without problems, except the last one: Anti cross site attack.

I added all 3 files in the contribution page.

After adding the contribution, I have the following error (seems like from the first package):

 

Warning: Unexpected character in input: '\' (ASCII=92) state=1 in /home/... /catalog/includes/functions/general.php on line 33

Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in /home/.../catalog/includes/functions/general.php on line 39

 

 

general.php line 33 and 39 are as follows :

 

  
  $search .= '~`";:?+/={}[]-_|'\';  // this is #33
  for ($i = 0; $i < strlen($search); $i++) { 
     // ;? matches the ;, which is optional 
     // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars 

     // @ @ search for the hex values 
     $val = preg_replace('/([x|X]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; // this is #39
     // @ @ 0{0,7} matches '0' zero to seven times 

 

 

is that line 33 correct? I wonder.

so, I tried with commenting out line 33, then it seemed working fine, except,

I couldn't add any products into shopping cart, and could not login as a customer.

all email address that I enter changed into some other character and says email and password don't match...

 

so, again I went to includes/application_top.php and commented out some from the addon lines :

removing top 2 lines made my site function normally.

 

// BOF : Remove XSS ATTACK
//		if (!empty($_POST)) array_walk_recursive($_POST, 'RemoveXSS');
//		if (!empty($_GET)) array_walk_recursive($_GET, 'RemoveXSS');
	if (!empty($_COOKIE)) array_walk_recursive($_COOKIE, 'RemoveXSS');
	if (!empty($_SERVER)) array_walk_recursive($_SERVER, 'RemoveXSS');
	if (!empty($_SESSION)) array_walk_recursive($_SESSION, 'RemoveXSS');
	if (!empty($_REQUEST)) array_walk_recursive($_REQUEST, 'RemoveXSS');
// EOF : Remove XSS ATTACK

 

can someone help ?

 

thanks to you all.

 

genesis
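The parse error and the mangled form input in the post above both come from PHP string handling rather than from the store, and the earlier question "how do I know it's working?" has the same answer: feed the filter known input and look at what comes out. The following is an added example by the editor, not code from the Anti XSS contribution or from any post in this thread; `xss_search_chars`, `normalise_entities` and `xss_filter_self_check` are the editor's names. It shows the line-33 character list written as a valid PHP single-quoted string, the line-39 entity loop with the `&#` prefix that the RemoveXSS routine the contribution is built on uses, and a self-check that ordinary input survives it untouched. This is only the entity-normalisation stage of RemoveXSS, not a complete filter.

```php
<?php
// Added example by the editor; not code from the Anti XSS contribution or from
// any post in this thread, and the function names are the editor's.

// As printed in the post, the ' after | ends the literal, so PHP then meets a
// bare \ (ASCII 92: the first warning) and the trailing '; opens a new string
// that runs on to the next quote (the parse error reported at line 39):
//   $search .= '~`";:?+/={}[]-_|'\';
// Inside a single-quoted PHP string only \' and \\ are escapes, so the
// apostrophe must be written \' and the backslash \\ :
function xss_search_chars(): string
{
    $search  = 'abcdefghijklmnopqrstuvwxyz';
    $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $search .= '1234567890!@#$%^&*()';
    $search .= '~`";:?+/={}[]-_|\'\\';
    return $search;
}

// Turn numeric-entity spellings of the listed characters (&#x40; &#64;
// &#x0040; ...) back into the characters themselves, so that a later check
// sees them in plain form. Both patterns must begin with "&#": drop it, as in
// the line-39 pattern quoted in the post, and the hex form matches any "x"
// followed by the right hex digits while the decimal form matches bare digits,
// which rewrites digits in e-mail addresses and in values such as products_id.
function normalise_entities(string $val): string
{
    $search = xss_search_chars();
    for ($i = 0; $i < strlen($search); $i++) {
        $ch = $search[$i];
        // &#x0040 form: hex digits, up to eight leading zeros, optional ;
        $val = preg_replace('/(&#[xX]0{0,8}' . dechex(ord($ch)) . ';?)/i', $ch, $val);
        // &#00064 form: decimal digits, up to eight leading zeros, optional ;
        $val = preg_replace('/(&#0{0,8}' . ord($ch) . ';?)/', $ch, $val);
    }
    return $val;
}

// Self-check on constructed input: digits and @ in a plain address come
// through unchanged, and hex/decimal spellings of "o" and "@" are restored.
function xss_filter_self_check(): bool
{
    $plain = 'john65@example.com';
    $obf   = 'j&#x6f;hn&#0064;example.com';
    return normalise_entities($plain) === $plain
        && normalise_entities($obf) === 'john@example.com';
}
```

Two further checks for "is it working". First, `array_walk_recursive($_POST, 'RemoveXSS')` only changes `$_POST` if `RemoveXSS` declares its parameter by reference (`function RemoveXSS(&$val)`) and assigns the result to it; a callback that takes the value and returns the cleaned string has its return value thrown away, and nothing is filtered. Second, rewriting input is what broke the cart and the login in the post above; the defence that does not damage data is to encode at output time with `htmlspecialchars()` and to pass every value that reaches SQL through `tep_db_input()`.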


Warning: file(DOCUMENT_ROOT/../banned/IP_Trapped.txt) [function.file]: failed to open stream: Permission denied in /var/www/vhosts/themancaveoutletstore.com/httpdocs/includes/secret.php on line 7

 

Warning: Invalid argument supplied for foreach() in /var/www/vhosts/themancaveoutletstore.com/httpdocs/includes/secret.php on line 15

 

This is coming from the Application Top

 

I also wasn't getting banned... my IP never showed up... but then again maybe it all has to do with the error above... I disabled the application top code for now... any takers on this?

 

Try replacing the DOCUMENT_ROOT portion with the absolute path to the file, like:

 

/var/www/vhosts/themancaveoutletstore.com/httpdocs/banned/IP_Trapped.txt

 

in

includes/secret.php

and

personal/index.php

 

and change the permissions on IP_Trapped.txt to 777 or 666.

 

genesis
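The warnings quoted earlier in the thread all come from the same missing checks: an `http://` URL handed to `fopen()` cannot be written (PHP's HTTP wrapper is read-only), `fopen()` then returns `false` and `flock()` complains about a boolean; `file()` on an unreadable path returns `false` and `foreach()` complains about an invalid argument. The following is an added example by the editor, not code from the IP Trap contribution or from any post here; the `ip_trap_*` names are the editor's and `IP_TRAP_FILE` is a constructed filesystem path.

```php
<?php
// Added example by the editor; not code from the IP Trap contribution or from
// the thread. The constant is a constructed filesystem path: an absolute path
// on disk, never a URL. Adjust it to your install.
define('IP_TRAP_FILE', __DIR__ . '/banned/IP_Trapped.txt');

// Append one address to the list. Returns true on success; on failure it logs
// the reason and returns false instead of emitting warnings into the page.
function ip_trap_record(string $ip, string $file = IP_TRAP_FILE): bool
{
    // Only well-formed addresses go into the file; REMOTE_ADDR is normally
    // one, but the check costs nothing and keeps junk out of the list.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        error_log('ip_trap: refusing to record a value that is not an IP address');
        return false;
    }
    $target = file_exists($file) ? $file : dirname($file);
    if (!is_writable($target)) {
        error_log("ip_trap: $target is not writable by the web server user");
        return false;
    }
    $fh = fopen($file, 'a');
    if ($fh === false) {
        error_log("ip_trap: fopen($file) failed");
        return false;
    }
    // Exclusive lock so two simultaneous trips do not interleave lines.
    $ok = flock($fh, LOCK_EX) && fwrite($fh, $ip . PHP_EOL) !== false;
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// The banned addresses as an array. A missing or unreadable file yields an
// empty array, so callers can always foreach() over the result.
function ip_trap_list(string $file = IP_TRAP_FILE): array
{
    if (!is_readable($file)) {
        return [];
    }
    $lines = file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return [];
    }
    $ips = [];
    foreach ($lines as $line) {
        $line = trim($line);
        // Skip anything that is not an address, such as the 999.999.999.999
        // placeholder mentioned in the thread, so it can never match a visitor.
        if (filter_var($line, FILTER_VALIDATE_IP) !== false) {
            $ips[] = $line;
        }
    }
    return $ips;
}

// True when the visitor's address is on the list.
function ip_trap_is_banned(string $ip, string $file = IP_TRAP_FILE): bool
{
    return in_array($ip, ip_trap_list($file), true);
}

// Typical use in application_top.php. REMOTE_ADDR comes from the TCP
// connection; a forwarded-for header is set by the client and is not trusted.
// if (ip_trap_is_banned($_SERVER['REMOTE_ADDR'])) { header('HTTP/1.1 403 Forbidden'); exit; }
```

The 777 recommended in the thread is the broad fix for a file the web server cannot write. When PHP runs as your own account (suPHP or CGI) 600 on the file and 700 on the directory are enough; when it runs as a separate user, the file needs to be writable by that user only. The warnings above also show the list living under the web root (`.../banned/IP_Trapped.txt`), where anyone can fetch it; keeping it outside `public_html`, or denying access to it in `.htaccess`, stops visitors from reading who has been banned.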


I have installed all the contributions except the Security Pro contribution, they seem to be working fine.

 

Does anyone know how I would go about setting up a cron job to automatically backup the database every 3 hours?

 

What would the code be to do this?

 

Thanks,

 

Martyn
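No answer to the cron question appears in the thread. As an added example by the editor, not code from the "Auto Backup your Database" contribution or from any post, the following is a command-line PHP script for cron to run every three hours: it calls `mysqldump`, compresses the dump, keeps it outside the web root with restrictive permissions, and prunes old copies. The paths, database name and credentials file are constructed placeholders, and the function names are the editor's.

```php
<?php
// Added example by the editor; not code from the thread or the contribution.
// Paths, the database name and the credentials file are placeholders.
//
// crontab -e entry (minute 0 of every third hour):
//   0 */3 * * * /usr/bin/php /home/USERNAME/bin/db_backup.php >> /home/USERNAME/db_backups/backup.log 2>&1
//
// /home/USERNAME/.my_backup.cnf, mode 600, keeps the password off the
// command line, where other users could read it from the process list:
//   [client]
//   user=oscommerce_backup
//   password=CHANGE_ME

const BACKUP_DIR  = '/home/USERNAME/db_backups';   // not under public_html
const CREDENTIALS = '/home/USERNAME/.my_backup.cnf';
const DB_NAME     = 'oscommerce';
const KEEP_DAYS   = 14;

// Name of one backup file: <db>_<YYYY-MM-DD_HHMM>.sql.gz
function backup_filename(string $db, DateTimeInterface $when): string
{
    return $db . '_' . $when->format('Y-m-d_Hi') . '.sql.gz';
}

// Stream-compress $src into $dst; returns false on any I/O error.
function gzip_file(string $src, string $dst): bool
{
    $in  = fopen($src, 'rb');
    $out = gzopen($dst, 'wb9');
    if ($in === false || $out === false) {
        return false;
    }
    $ok = true;
    while (!feof($in)) {
        $chunk = fread($in, 1 << 16);
        if ($chunk === false || gzwrite($out, $chunk) === false) {
            $ok = false;
            break;
        }
    }
    fclose($in);
    gzclose($out);
    return $ok;
}

// Delete backups of $db in $dir older than $days; returns how many were removed.
function prune_old_backups(string $dir, string $db, int $days): int
{
    $removed = 0;
    $cutoff  = time() - $days * 86400;
    foreach (glob($dir . '/' . $db . '_*.sql.gz') ?: [] as $file) {
        if (filemtime($file) < $cutoff && unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}

// Run one backup; returns a process exit status (0 = success).
function run_backup(): int
{
    if (!is_dir(BACKUP_DIR) && !mkdir(BACKUP_DIR, 0700, true)) {
        fwrite(STDERR, 'cannot create ' . BACKUP_DIR . PHP_EOL);
        return 1;
    }
    $out = BACKUP_DIR . '/' . backup_filename(DB_NAME, new DateTimeImmutable());
    $tmp = $out . '.tmp.sql';
    // mysqldump's own exit status is checked; piping straight into gzip would
    // report gzip's status instead and hide a failed dump.
    $cmd = sprintf(
        'mysqldump --defaults-extra-file=%s --result-file=%s %s 2>&1',
        escapeshellarg(CREDENTIALS), escapeshellarg($tmp), escapeshellarg(DB_NAME)
    );
    exec($cmd, $output, $status);
    if ($status !== 0 || !gzip_file($tmp, $out)) {
        @unlink($tmp);
        @unlink($out);
        fwrite(STDERR, 'backup failed: ' . implode(PHP_EOL, $output) . PHP_EOL);
        return 1;
    }
    unlink($tmp);
    chmod($out, 0600);
    $pruned = prune_old_backups(BACKUP_DIR, DB_NAME, KEEP_DAYS);
    echo date('c'), " wrote $out, pruned $pruned old backup(s)", PHP_EOL;
    return 0;
}

// Run only when invoked directly from the command line.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    exit(run_backup());
}
```

Run `php db_backup.php` once by hand and check the log before relying on cron. The MySQL account it uses only needs `SELECT` and `LOCK TABLES` on the store database, and `gzopen()` requires PHP's zlib extension.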


Hello,

 

There is a little PROBLEM here: http://addons.oscommerce.com/info/6044

 

I've installed the latest Anti XSS+SQL Injection to help PCI Compliance by chrish123 added 19 Jul 2008.

 

When I click the <buy now> button on advanced_search_result.php the product is added to the customers basket

BUT I get redirected to the iplog.txt telling me I should go away ... which is no good at all.

 

When those lines are commented out of .htaccess, clicking the button gives no redirect.

 

This is the relevant part in .htaccess

# extra anti uri and xss attack script 2 - sql injection prevention
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (javascript:).*(;).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteRule (,|;|<|>|'|`) /log.php [NC]

 

Should I keep only the pixclinic part of this contribution ?

Thanks for your kind advice,

David
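Rules like these can be checked before they go live by running the same patterns against the query strings the shop actually produces. The following is an added example by the editor, not part of David's post or of the contribution: the first, second and fourth `RewriteCond` patterns above are copied into PCRE (`[NC]` becomes `/i`) and run against constructed query strings; the path-based `RewriteRule` on the last line is not modelled. Function and sample names are the editor's. The fourth condition fires on the quoted-search sample because `%22` is followed, further along, by the `or` inside `sort=`.

```php
<?php
// Added example by the editor; not from the original post or the contribution.
// The patterns are copied from the .htaccess quoted in the post; the names
// and the sample query strings are the editor's.

// Three of the conditions, keyed by an editor-chosen name.
function htaccess_conditions(): array
{
    return [
        'quote_then_angle'  => '/("|%22).*(>|%3E|<|%3C).*/i',
        'angle_script'      => '/(<|%3C).*script.*(>|%3E)/i',
        'quote_then_sqlish' => '/(;|\'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).*/i',
    ];
}

// Names of the conditions a raw QUERY_STRING would trigger. mod_rewrite sees
// the string still percent-encoded, which is why the patterns list %22, %3C.
function matching_conditions(string $query, array $conds): array
{
    $hits = [];
    foreach ($conds as $name => $re) {
        if (preg_match($re, $query) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed samples: two ordinary "buy now" clicks from a search result
// page, one of them for a quoted search phrase, and one obvious probe.
function sample_queries(): array
{
    return [
        'buy_now'        => 'keywords=shirt&sort=2a&action=buy_now&products_id=28',
        'buy_now_quoted' => 'keywords=%22blue+shirt%22&sort=2a&action=buy_now&products_id=28',
        'probe'          => 'keywords=%3Cscript%3Ealert(1)%3C/script%3E',
    ];
}

// Narrower replacement for the fourth condition: the keywords must stand
// alone (\b) and the catch-all "or|and|if" alternatives are gone, so a quoted
// search phrase followed by "sort=" no longer trips it. This removes a false
// positive only; escaping or binding SQL inputs in the application remains
// the actual defence.
function tightened_sqlish(): string
{
    return '/(;|\'|"|%22|%27).*\b(union|select|insert|drop|update|benchmark)\b/i';
}

// sample name => conditions hit by the rules as posted, and by the tightened one.
function report(): array
{
    $out = [];
    foreach (sample_queries() as $name => $q) {
        $out[$name] = [
            'as_posted' => matching_conditions($q, htaccess_conditions()),
            'tightened' => matching_conditions($q, ['quote_then_sqlish' => tightened_sqlish()]),
        ];
    }
    return $out;
}
```

Add the shop's own URLs (a real search, a real add-to-cart, checkout steps) to `sample_queries()` and run `report()` from the command line; any sample that lights up a condition is a customer who will be sent to `log.php`.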


You have to be patient, we're providing free help, so you must wait till we have time.

The answer is yes, SSL only allows a secure connection, it does not 'secure' your site.

The hackers are out there & if you don't protect it they WILL get you.

I have a test site, for which there is no domain, it's not published & without the IP you'll never find it, yet even that got attacked!!



Thanks for your reply, I am paranoid about making my site more open to the public by launching it. I do appreciate the free help but I have to say more than half the time I post something I do not get a reply, not that its your fault of course.


Hi,

I'm not sure if this is the place for this, but as it's a security related issue, I hoped someone may have some ideas.

I've been using the 'whosonline' contrib for some time now, and as a result, I've noticed an interesting connection to my site.

Basically, the 'customer' behaves like a bot, working its way through the pages of the site 24 x 7. It doesn't have a session ID, or appear to go anywhere it shouldn't, however it's a permanent visitor to the site, with its online time counter only resetting every 24 hrs, so at the least, it's a resource hog.

Now the weird part (to me at least!)

Its IP keeps changing! It cycles through various sets of IPs ranging from Yahoo bot to private/ISP/Google addresses. I have tried banning the IP addresses it uses, but it simply 'morphs' to a new one (I gave up after 50 addresses, as many were inside address pools used by ISPs, and I didn't wish to ban legitimate users). The next weird part is that whosonline doesn't see this as a new visitor; it keeps the online time and entry time counters and updates the IP address.

Obviously there's some sort of spoofing going on here, the question is, how to stop it! It only makes a database query every 30-40 seconds, so it's not tripping any DOS alarms on the server/firewall.

Has anyone else seen anything similar, or have any ideas about what this could be (and how to stop it)???
