
How to secure your osCommerce 2.2 site.


spooks


I am not sure this question pertains to the contribs, thus I am going to go out on a limb and guess you just installed osCommerce for the first time. 444 works just fine, but with 400 being ideal there should be no message or problem. I'm not sure, but you may need to contact your host and ask why your permission settings are not being applied. Also keep in mind there are 2 configure files. Make sure you get both of them: one in the admin directory and one in the includes directory. This particular error is of course talking about the one in your /includes/ directory. I would contact your host for further help on why your permissions are not being applied.


Not related to this thread; search, there's plenty on this (+ you can't set with ftp!!!)

Sam

 


 

changing it via cpanel FTP worked out better, thanks :)


Anybody got any thoughts why after entering cc details on authorize.net

 

https://secure.authorize.net/gateway/transact.dll

 

the ip trap is activated when returning to the xss script is too?

 

I know some people do not like authorize.net but this is overkill!!

 

:-)

 

The ip trap script, block.php, displays a you are blocked page but it is not shown if I change punish = 2 to = 0 in secret.php script

 

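// Read the User-Agent header, falling back to an empty string when it is missing.
$ua = ( isset($_SERVER['HTTP_USER_AGENT']) && ($_SERVER['HTTP_USER_AGENT'] != "")) ? $_SERVER['HTTP_USER_AGENT'] : "";
$ip = $_SERVER["REMOTE_ADDR"]."\n";
$punish = 0;
// A request with no User-Agent is punished (level 2).
if ( $ua == "" )
{
    $punish = 2;
}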

 

The browser agent is not shown on the screen. Just had a thought is it single quotes around HTTP_USER_AGENT?

 

So once that was changed I then get told to "go away" by the XSS script. Looks like the rules in .htaccess redirects the page as well.

 

Took this out and everything worked

 

# extra anti uri and xss attack script 2 - sql injection prevention
#Options +FollowSymLinks
#RewriteEngine On
#RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteCond %{QUERY_STRING} (javascript:).*(;).* [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
#RewriteRule ^(.*)$ log.php [NC]
#RewriteRule (,|;|<|>|'|`) /log.php [NC]

 

Put transact.dll in the exclude list and turned on the functionality.

 

and only the secret.php seemed to trigger the block

 

Can you see what is being invoked?

 

I would prefer to re-enable ip trap and xss so any help would be appreciated.

 

Thanks

 

Geoffrey
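
To find out which of the rules quoted in the post above sends a request to log.php, each pattern can be run against the request on its own. This is an added example, not part of the original post or of the contribution; the rule labels and sample requests are constructed, and PHP's preg_match is used because it is PCRE, like mod_rewrite.

```php
<?php
// Added example: report which of the quoted rewrite rules would route a
// request to log.php. Rule labels and sample requests are constructed.

// RewriteCond patterns, matched against the raw (still URL-encoded) query
// string; [NC] becomes the "i" modifier.
$queryRules = [
    'quote + angle bracket' => '~("|%22).*(>|%3E|<|%3C).*~i',
    'script tag'            => '~(<|%3C).*script.*(>|%3E)~i',
    'javascript: scheme'    => '~(javascript:).*(;).*~i',
    'sql keywords'          => '~(;|\'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).*~i',
];
// The last RewriteRule has no RewriteCond and is matched against the URL path.
$pathRule = '~(,|;|<|>|\'|`)~i';

function firedRules(string $path, string $query, array $queryRules, string $pathRule): array
{
    $hits = [];
    foreach ($queryRules as $label => $pattern) {
        if (preg_match($pattern, $query) === 1) {
            $hits[] = $label;
        }
    }
    if (preg_match($pathRule, $path) === 1) {
        $hits[] = 'path characters';
    }
    return $hits;
}

// Constructed, benign requests: [path, query string].
$samples = [
    ['checkout_process.php', 'status=ok&ref=1001'],
    ['checkout_process.php', 'status=ok;note=order-1001'],   // ';' then "or" inside "order"
    ['checkout_payment.php', 'error_message=%22declined%22%20and%20refunded'],
    ['shoes,boots-c-3.html', ''],                             // comma in the path
];

foreach ($samples as [$path, $query]) {
    $hits = firedRules($path, $query, $queryRules, $pathRule);
    printf("%s?%s -> %s\n", $path, $query, $hits ? implode(', ', $hits) : 'no rule fires');
}
```

A rule that fires on a legitimate return URL can then be narrowed or given an exception for that one script, instead of commenting out the whole block.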


100% secured my website? without any contributions.

 

The simple solution is firewall protection + Mod Security


Has anyone had problems with their payment modules after installing Security Pro (even though those payment modules are excluded)?


Like on site payment modules where payment happens on site or like paypal standard?

Where the transaction is directed through a 3rd party gateway (and the payment file is in the exclude list).


I never knew they were supposed to be on the exclude list. I am just now getting to open a new store with it installed. I think I did all my test purchases prior to installing it though. If I am supposed to have it in the exclude list let me know and I will test my installation and look for problems. What exactly is going on?


You put them (payment modules) on the exclude list if they don't work with security pro installed and you can't get them to work.

 

In my case the return code is not handled properly and you go back to the payment page (Credit Card Error is at the top of the page) instead of checkout success. The module reads the return code as an error when security pro is on, no error when security pro is off.


I was testing this with Paypal Standard. Did you have to actually make the purchase and go through redirection to the site to test properly? I went through the process and to Paypal off server payment and then manually returned myself back to checkout_success.php without actually buying. You have me worried. I'd better test it right.


 

I did that when I first installed security pro.

 

Yes, the transaction has to be completed.

 

Mine was not paypal, it was my bank's oscommerce module.


Just gave it one more test run with a real purchase and a redirect from paypal standard back to the site and still had no problems or errors. I am doing this on the RC2a version if I stated that correctly.

The oscommerce version should not matter; it is the way that security pro handles the response code (hence the need for the option to exclude).


Sorry you're having problems, Leslie. I wish I was able to do something more and guide you in the right direction. It not really being my forte, all I know to suggest is to double check excluded files if it consists of more than one. Perhaps if you have more than one excluded that relates to this issue then try removing file exclusions one at a time in different orders until the error goes away and FWR is still active. I do not understand why the fact of a file being excluded would throw an error though. Maybe you are missing a file that should be excluded as well rather than removing excluded files. Are payments still going through despite the error or is it preventing a transfer?

Edit- Not really a solution but if everything is functioning correctly aside from the error display and you are unable to fix it then consider commenting out the error. Again though only if things are actually still working correctly aside from error display.


 

Glad you are not having problems.

 

Jason, you miss the point.

 

If a file is excluded, security pro should not have any effect on it. It should be like security pro is not installed as far as the excluded file is concerned. The problem is within security pro because disabling security pro lets the module work correctly.

 

The install documentation even gives an example of having two files excluded.


 

Commenting out the error would not stop the return to the payment page.


Hi

 

I'm a novice to all of this but am really trying to watch and learn. My background is HR so this is all very new (but interesting) to me.

 

I've just tried to install Security Pro and all appeared to go well. I downloaded the zip file, unzipped the contents, uploaded the Securitypro_installer.php file into the root directory of my site (the permissions automatically went to 644) and then uploaded the security.php file into my 'functions' file. I then found the 'application_top.php' file and added the required code in.

 

I've now gone into the admin section of my site and despite refreshing, I can't see the 'FWR Security Pro' listing.

 

The code in my application_top.php file reads:-

 

// set the application parameters
$configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
while ($configuration = tep_db_fetch_array($configuration_query)) {
  define($configuration['cfgKey'], $configuration['cfgValue']);
}

// FWR Media Security Pro
if ( defined('FWR_SECURITY_PRO_ON') && FWR_SECURITY_PRO_ON === 'true' ) {
  $fwr_security_excludes = array();
  if ( defined('FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON') && FWR_SECURITY_PRO_FILE_EXCLUSIONS_ON === 'true' )
    $fwr_security_excludes = explode(',', FWR_SECURITY_PRO_FILE_EXCLUSIONS);
  if ( !in_array(basename($_SERVER['PHP_SELF']), $fwr_security_excludes) )
    include('includes/functions/security.php');
}
if ( function_exists('tep_clean_get__recursive') ) {
  // Recursively clean $HTTP_GET_VARS and $_GET
  // There is no legitimate reason for these to contain anything but ..
  // A-Z a-z 0-9 -(hyphen).(dot)_(underscore) {} space
  $HTTP_GET_VARS = tep_clean_get__recursive($HTTP_GET_VARS);
  $_GET = tep_clean_get__recursive($_GET);
  $_REQUEST = $_GET + $_POST; // $_REQUEST now holds the cleaned $_GET and std $_POST. $_COOKIE has been removed.
  fwr_clean_global($_GET); // Change the $GLOBALS value to the cleaned value
}
// END - FWR Media Security Pro

// if gzip_compression is enabled, start to buffer the output
if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded

 

 

Can anyone give me a nudge in the right direction?

 

Thanks

Anthony


 

See post 79

 

http://www.oscommerce.com/forums/index.php?s=&...t&p=1379776

 

Authorize.net falls over even if it is in the exclude list.


Not sure we are talking about the same thing. I didn't really understand your post (sorry).

 

I do not have your htaccess stuff (a lot of this stuff did not work for me anyway and crashed my site).

 

I do have ip trap working.

 

My only issue is with Security Pro and the files that I added to Security Pro exclude list in admin.

 

Security Pro on, modules do not work.

 

Security Pro off, modules do work.

 

Security Pro is now off before I permanently remove it.
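
The exclusion test in the application_top.php code posted earlier in the thread decides, per request, whether GET values are cleaned before a payment module reads them. The following is an added example, not Security Pro's code: isExcluded() mirrors the posted test, while cleanValue(), the file names, the setting string and the parameter value are assumptions, with cleanValue() built only from the character list in the posted comment.

```php
<?php
// Added example, not Security Pro source. isExcluded() mirrors the test in the
// posted application_top.php snippet; cleanValue() is a stand-in derived from
// the allowed-character list in that snippet's comment.

function isExcluded(string $phpSelf, string $exclusionSetting): bool
{
    // Same comparison as the snippet: explode on ',' with no trimming, then an
    // exact match against the file name of the script that was requested.
    return in_array(basename($phpSelf), explode(',', $exclusionSetting));
}

function cleanValue(string $value): string
{
    // Assumed behaviour: drop every character outside A-Z a-z 0-9 - . _ { } space.
    return (string) preg_replace('/[^A-Za-z0-9\-._{} ]/', '', $value);
}

// Constructed admin setting: note the space after the comma.
$setting = 'gateway_return.php, bank_callback.php';

// Constructed GET value, as a gateway might hand back a delimited result.
$value = '1|Approved|ref=1001';

// Constructed requests (hypothetical file names).
$requests = [
    '/catalog/gateway_return.php',    // listed exactly
    '/catalog/bank_callback.php',     // listed, but stored as " bank_callback.php"
    '/catalog/checkout_process.php',  // the requested script is not listed
];

foreach ($requests as $phpSelf) {
    $excluded = isExcluded($phpSelf, $setting);
    // When the script is excluded, security.php is never included and the
    // cleaning step is skipped; otherwise the module sees the cleaned value.
    $seen = $excluded ? $value : cleanValue($value);
    printf("%-32s excluded=%-3s module sees: %s\n", $phpSelf, $excluded ? 'yes' : 'no', $seen);
}
```

The check only helps when the listed name is the script the browser is actually sent back to, and when the setting has no spaces around its commas.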


Hi

 

This is going to sound incredibly daft but how do I run the installer? I uploaded it to the main directory but was then unsure what to do to get it to execute.

 

Sorry for such a daft question but I am learning....honest!

 

Anthony

 

You open the file in your web browser.

 

Do not forget to delete the file when you have installed.


Archived

This topic is now archived and is closed to further replies.
