osCommerce

How to secure your osCommerce 2.2 site.


spooks


Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

 

i.e. SecurityPro_installer.php in your browser!

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


I've done it at last - Thanks both. There's no stopping me now!

 

Thanks for taking the time to help me.

 

Anthony


Not sure we are talking about the same thing. I didn't really understand your post (sorry).

 

I do not have your htaccess stuff (a lot of this stuff did not work for me anyway and crashed my site).

 

I do have ip trap working.

 

My only issue is with Security Pro and the files that I added to Security Pro exclude list in admin.

 

Security Pro on, modules do not work.

 

Security Pro off, modules do work.

 

Security Pro is now off before I permanently remove it.

 

 

I thought I had that situation too... but curiously enough having tried everything else... I decided to put Security Pro back up (cause I remembered that I installed that one first, Site Monitor second and IP Trap last... and after installing Security Pro... everything was working with my payments)... so Security Pro is back on... I removed the call to the secret.php file in the application_top.php file and funny enough... my payments are working again. As soon as my site isn't interacting with the IP Trap contrib... all is well. As soon as I put the call to secret.php file, everything starts to go wrong again.

 

I'm starting to think that maybe what I did wrong is how I coded this line that shows up twice in personal/index.php and once in includes/secret.php : /home/***username***/public_html/catalog/banned/IP_Trapped.txt

 

I coded mine this way... and please note, I'm sooooooooooo not an expert so I'm pretty sure I did it wrong:

/var/www/vhosts/mysite.com/httpdocs/catalog/banned/IP_Trapped.txt

 

could it be that I did that wrong and it's what's been creating all this havoc?

 

Any thoughts?


What was the symptom with the payment module not working?


The customer would pick PayPal as their payment option... and click continue... they would be redirected to the PayPal page... the payment would complete and on the customer screen, the customer was redirected to the checkout_success.php page and the order was completed on the customer's side, but on the admin side the "completion" of the payment never appeared, which leads me to believe that something in my IP Trap was preventing the PayPal gateway from returning to the cart and giving the information that payment completed.

 

Every single time I remove the call to the secret.php page in the application_top.php page... everything works. The htaccess file new code doesn't seem to affect anything... the new robot.txt file doesn't affect anything either in the working of my site, nor is Security Pro or Site Monitor... and I would think the robot.txt and htaccess files, if they were causing issues, would still be causing them whether the call to the IP Trap contrib was made or not. I'm not a pro at this... but that's what my gut's telling me at this time.

 

If anything in my thinking is flawed... don't hesitate to say so.


Yours is different to mine. After payment was made via the payment gateway, the customer was returned to the shop's payment page with the card error message at the top.


  • 2 weeks later...

Apologies in advance - I am feeling my way and have no experience of php/sql web building other than my self taught experience over the last few weeks.

Any step by step support without being flamed would be greatly appreciated :rolleyes:

 

re instruction

Firstly: -

"Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings."

 

When I try to open the php script in IE it just shows a page of text and doesn't appear to run the script. How can I tell if it updated?

 

I am okay with the other instructions until I get to

 

"Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)."

 

Is this through my store (catalog/admin control panel - same place as new administrators are set up?) or should it be available thro' FTP? I can't see it in either but that may be down to me getting step 1 wrong!!!


As Sam said in post 101: http://www.yourdomain.com/catalog/SecurityPro_installer.php

 

If that does not work, then you cannot do anything in your admin.


  • 3 weeks later...

A couple of things I'm curious about. Firstly, there is a contribution http://addons.oscommerce.com/info/6536 that supposedly shores up a security risk in the whois_online. So my first question is: is this actually a risk? And my second question: contribution http://addons.oscommerce.com/info/6044 has an alternative posted that removes HTML tags as well, and I'm curious if that means FCKeditor would cease to function?

 

Thank you in advance for your time and consideration.


Any time quotes are allowed there is a risk, so sanitising them is good.

 

These contribs work on the client side, so anything operating on the admin side is unaffected.

Sam

thanks

 

That's all you ever say!!! :huh:

Sam

  • 2 weeks later...

So I have implemented all the security patches that were suggested and I'm running smoothly, that is until I decided I needed to reimplement the tell a friend for some additional "word of mouth" advertising. I have hit a wall: the Security Pro add-on is so diligent it scrubs my @'s, and even after a good amount of searching, I can't figure out how to allow an additional character to escape the cleansing.

 

 

 

edit, this is the add-on I'm referring to.

http://addons.oscommerce.com/info/5752

 

 

edit, I have found I can exclude the tell_a_friend.php from the cleansing via the admin, but this isn't really ideal I don't think since I would be leaving a gap in the overall security of the site, maybe I'm wrong on that.


Figured I would post an addition to my original in case other people in future run into this problem. While I am still looking for a way in which to pass the @ from the info box to the tell_a_friend.php without using the excludes for Security Pro, I have found a way in which you can link your current product to the tell_a_friend so it will email the proper link.

 

<?php echo '<a href="' . tep_href_link(FILENAME_TELL_A_FRIEND, 'products_id=' . $HTTP_GET_VARS['products_id']) . '">' . tep_image_button('button_tell_a_friend.gif', BOX_HEADING_TELL_A_FRIEND) . '</a>'; ?>

 

That link can be placed anywhere within the product page and will send the product information to the tell_a_friend.php


Security Pro works through an 'allowed' list; to allow an additional char you must add it to that list.

 

In security.php:

 

return preg_replace("/[^ {}a-zA-Z0-9_.-]/i", "", urldecode($get_var));

 

To allow the @, put:

 

return preg_replace("/[^ {}a-zA-Z0-9@_.-]/i", "", urldecode($get_var));

 

 

;)

Sam
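As an added example (my own code, not from Sam's post or the Security Pro add-on), here is a stand-alone copy of that allow-list filter with the extra character passed in as a parameter, run over a few constructed values to show that adding @ keeps an e-mail address intact while tag, slash and bracket characters are still dropped; the function and variable names are mine:

```php
<?php
// Stand-alone copy of the Security Pro allow-list filter described above.
// security_pro_clean() is a hypothetical name for this example; the add-on
// itself applies the preg_replace() line directly inside security.php.

function security_pro_clean(string $get_var, string $extra_allowed = ''): string
{
    // Escape any extra characters so they are safe inside the [] class.
    $extra = preg_quote($extra_allowed, '/');
    // Everything NOT in the class is deleted. With $extra empty this is the
    // original line from security.php; '-' stays last so it is literal.
    return preg_replace("/[^ {}a-zA-Z0-9_." . $extra . "-]/i", "", urldecode($get_var));
}

// Constructed sample GET values (URL-encoded as a browser would send them).
$samples = [
    'friend%40example.com',                  // e-mail address from tell_a_friend
    'images%2Flogo.gif',                     // a path: the slash is not allowed
    '%3Cscript%3Ealert(1)%3C%2Fscript%3E',   // tag characters the filter drops
];

foreach ($samples as $s) {
    printf(
        "%-40s default: %-22s with @: %s\n",
        $s,
        security_pro_clean($s),
        security_pro_clean($s, '@')
    );
}
```

Adding a single character this way keeps the rest of the filter intact, whereas excluding a whole file from the cleansing in admin removes it for every parameter that file receives.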



Thanks so much, you are a gentleman and a scholar sir!


I got the IP Trap to work by replacing the " " double quotes with ' ' single quotes where you define the absolute path to '/home/***username***/public_html/catalog/banned/IP_Trapped.txt'

 

Files changed:

catalog/includes/secret.php

catalog/personal/index.php

 

Regards,

Eric_K

 

 

I am having the same problem with the 99.999.99.999 and I still am not banned. I changed the single quotes to double and that didn't fix it.

 

help?!?

 

will


QUOTE (charinlasvegas @ Dec 7 2008, 08:51 PM)

Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site.

 

When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999


I am having a problem with IP Trap: it just shows the 999.999.999.999 and I am not banned even though I tried to ban myself. I did the above fix but it didn't fix the problem. I still am not banned.

 

Please help me

 

will


Double check you set the path correctly.

Sam

Which Anti XSS Contribution or method should I use?

 

I have installed all the contributions in Sam's original post except the Anti XSS (http://addons.oscommerce.com/info/6044), the reason being there seems to be several complete rewrites of it and there is also another contribution referred from the original i.e. http://addons.oscommerce.com/info/6546 plus an alternative method in Post #69 of this Topic. I am very confident in adding contributions but not sure which one to use as my coding knowledge does not go that deep.

 

Any advice will be greatly appreciated

 

Martin

Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.


I am having the same problem with the 99.999.99.999 and I still am not banned. I changed the single quotes to double and that didn't fix it.

 

help?!?

 

will

Is the file writeable?


So I have a question. I have been creating my MySQL DBs using a root user and then switching to a user in the config file that only allows data settings. So I'm curious if there is a "secure" privileges setup that I should be using. What I mean is: should the user only have SELECT, INSERT, UPDATE, DELETE? Should it include FILE privileges?

 

Thanks in advance for your time and consideration.


QUICK QUESTION

 

I read the Protect your site via htaccess and it looks like a simple install. Does it work as well as it says? All the IPs as well, are they all bad? Has anybody had any problems with this add-on???
