spooks Posted March 23, 2009 Author

Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

i.e. SecurityPro_installer.php in your browser!!!!!!!!!

Sam

Remember, What you think I meant may not be what I thought I meant when I said it.

Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al.

Anthony Watkins Posted March 23, 2009

I've done it at last - Thanks both. There's no stopping me now! Thanks for taking the time to help me.

Anthony

> Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings. i.e. SecurityPro_installer.php in your browser!!!!!!!!!

mariemeh Posted March 24, 2009

> Not sure we are talking about the same thing. I didn't really understand your post (sorry). I do not have your htaccess stuff (a lot of this stuff did not work for me anyway and crashed my site). I do have ip trap working. My only issue is with Security Pro and the files that I added to Security Pro exclude list in admin. Security Pro on, modules do not work. Security Pro off, modules do work. Security Pro is now off before I permanently remove it.

I thought I had that situation too... but curiously enough having tried everything else... I decided to put Security Pro back up (cause I remembered that I installed that one first, Site Monitor second and IP Trap last... and after installing Security Pro... everything was working with my payments)... so Security Pro is back on... I removed the call to the secret.php file in the application_top.php file and funny enough... my payments are working again. As soon as my site isn't interacting with the Ip Trap contrib... all is well. As soon as I put the call to secret.php file, everything starts to go wrong again.

I'm starting to think that maybe what I did wrong is how I coded this line that shows up twice in personal/index.php and once in includes/secret.php :

/home/***username***/public_html/catalog/banned/IP_Trapped.txt

I coded mine this way... and please note, I'm sooooooooooo not an expert so I'm pretty sure I did it wrong:

/var/www/vhosts/mysite.com/httpdocs/catalog/banned/IP_Trapped.txt

Could it be that I did that wrong and it's what's been creating all this havoc? Any thoughts?

Guest Posted March 24, 2009

> I thought I had that situation too... but curiously enough having tried everything else... I decided to put Security Pro back up (cause I remembered that I installed that one first, Site Monitor second and IP Trap last... and after installing Security Pro... everything was working with my payments)... so Security Pro is back on... I removed the call to the secret.php file in the application_top.php file and funny enough... my payments are working again. As soon as my site isn't interacting with the Ip Trap contrib... all is well. As soon as I put the call to secret.php file, everything starts to go wrong again.
>
> I'm starting to think that maybe what I did wrong is how I coded this line that shows up twice in personal/index.php and once in includes/secret.php :
>
> /home/***username***/public_html/catalog/banned/IP_Trapped.txt
>
> I coded mine this way... and please note, I'm sooooooooooo not an expert so I'm pretty sure I did it wrong:
>
> /var/www/vhosts/mysite.com/httpdocs/catalog/banned/IP_Trapped.txt
>
> Could it be that I did that wrong and it's what's been creating all this havoc? Any thoughts?

What was the symptom with the payment module not working?

mariemeh Posted March 24, 2009

The customer would pick PayPal as their payment option... and click continue... they would be redirected to the PayPal page... the payment would complete and on the customer screen, the customer was redirected to the checkout_success.php page and the order was completed on the customer's side but on the admin side, the "completion" of the payment never appeared, which leads me to believe that something in my IP Trap was preventing the PayPal gateway to return to the cart and give the information of payment completed.

Every single time I remove the call to the secret.php page in the application_top.php page... everything works. The htaccess file new code doesn't seem to affect anything... the new robot.txt file doesn't affect anything either in the working of my site nor is Security Pro or Site Monitor... and I would think the robot.txt and htaccess files, if they were causing issues, would still be causing them whether the call to the IP Trap contrib was made or not.

I'm not a pro at this... but that's what my gut's telling me at this time. If anything in my thinking is flawed... don't hesitate to say so.

Guest Posted March 25, 2009

> The customer would pick PayPal as their payment option... and click continue... they would be redirected to the PayPal page... the payment would complete and on the customer screen, the customer was redirected to the checkout_success.php page and the order was completed on the customer's side but on the admin side, the "completion" of the payment never appeared, which leads me to believe that something in my IP Trap was preventing the PayPal gateway to return to the cart and give the information of payment completed.
>
> Every single time I remove the call to the secret.php page in the application_top.php page... everything works. The htaccess file new code doesn't seem to affect anything... the new robot.txt file doesn't affect anything either in the working of my site nor is Security Pro or Site Monitor... and I would think the robot.txt and htaccess files, if they were causing issues, would still be causing them whether the call to the IP Trap contrib was made or not.
>
> I'm not a pro at this... but that's what my gut's telling me at this time. If anything in my thinking is flawed... don't hesitate to say so.

Yours is different to mine. After payment was made via the payment gateway, the customer was returned to the shop's payment page with the card error message at the top.

scfcrob Posted April 2, 2009

Apologies in advance - I am feeling my way and have no experience of php/sql web building other than my self taught experience over the last few weeks. Any step by step support without being flamed would be greatly appreciated :rolleyes:

re instruction Firstly: - "Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings."

When I try to open the php script in IE it just shows a page of text and doesn't appear to run the script. How can I tell if it updated?

I am okay with the other instructions until I get to "Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)." Is this through my store (catalog/admin control panel - same place as new administrators are set up?) or should it be available thro' FTP? I can't see it in either but that may be down to me getting step 1 wrong!!!

Guest Posted April 2, 2009

> Apologies in advance - I am feeling my way and have no experience of php/sql web building other than my self taught experience over the last few weeks. Any step by step support without being flamed would be greatly appreciated :rolleyes:
>
> re instruction Firstly: - "Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings."
>
> When I try to open the php script in IE it just shows a page of text and doesn't appear to run the script. How can I tell if it updated?
>
> I am okay with the other instructions until I get to "Go into admin>configuration>FWR Security Pro and turn it on .. (set to true)." Is this through my store (catalog/admin control panel - same place as new administrators are set up?) or should it be available thro' FTP? I can't see it in either but that may be down to me getting step 1 wrong!!!

As Sam said in post 101.

http://www.yourdomain.com/catalog/SecurityPro_installer.php

If that does not work, then you cannot do anything in your admin.

Eirik Posted April 18, 2009

Couple things I'm curious about. Firstly, there is a contribution http://addons.oscommerce.com/info/6536 that supposedly shores up a security risk in the whois_online. So my first question: is this actually a risk? And my second question: contribution http://addons.oscommerce.com/info/6044 has an alternative posted that removes html tags as well, and I'm curious if that means FCKedit would cease to function?

Thank you in advance for your time and consideration.

spooks Posted April 18, 2009 Author

Any time quotes are allowed there is a risk so sanitising them is good. These contribs work on the client side, so anything operating on the admin side is unaffected.

Sam

Eirik Posted April 18, 2009

Thank you so much for the fast reply, it's very much appreciated.

bhavatmaj Posted April 22, 2009

thanks

bhavatmaj

spooks Posted April 23, 2009 Author

> thanks

that's all u ever say!!! :huh:

Sam

andes1 Posted April 24, 2009

HA HA HA

Tomorrow he'll add "thanks a lot". Ha HA ha

Note: I'm just kidding (no offense)... some pick of fun is always necessary

Eirik Posted May 4, 2009

So I have implemented all the security patches that were suggested and I'm running smoothly, that is until I decided I needed to reimplement the tell a friend for some additional "word of mouth" advertising. I have hit a wall: the Security Pro add-on is so diligent it scrubs my @'s, and even after a good amount of searching, I can't figure out how to allow an additional character to escape the cleansing.

edit, this is the add-on I'm referring to. http://addons.oscommerce.com/info/5752

edit, I have found I can exclude the tell_a_friend.php from the cleansing via the admin, but this isn't really ideal I don't think, since I would be leaving a gap in the overall security of the site. Maybe I'm wrong on that.

Eirik Posted May 4, 2009

Figured I would post an addition to my original in case other people in future run into this problem. While I am still looking for a way in which to pass the @ from the info box to the tell_a_friend.php without using the excludes for security pro, I have found a way in which you can link your current product to the tell_a_friend so it will email the proper link.

<?php echo '<a href="' . tep_href_link(FILENAME_TELL_A_FRIEND, 'products_id=' . $HTTP_GET_VARS['products_id']) . '">' . tep_image_button('button_tell_a_friend.gif', BOX_HEADING_TELL_A_FRIEND) . '</a>'; ?>

That link can be placed anywhere within the product page and will send the product information to the tell_a_friend.php

spooks Posted May 5, 2009 Author

Security pro works through an 'allowed' list; to allow an additional char u must add to that list.

In security.php

return preg_replace("/[^ {}a-zA-Z0-9_.-]/i", "", urldecode($get_var));

to allow the @ put

return preg_replace("/[^ {}a-zA-Z0-9@_.-]/i", "", urldecode($get_var));

;)

Sam

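The allow-list filtering described in the post above, as an added PHP example that is not Security Pro's own code and not written by anyone in this thread. It goes one step beyond the post by permitting `@` for a single named parameter instead of widening the global pattern; the function names, the `to_email_address` key and the sample request are assumptions constructed for illustration.

```php
<?php
// Added example, not Security Pro's code. clean_value(), clean_request() and
// the sample parameter names are hypothetical.

// Strip everything outside the allow-list quoted in the post above.
// $extra lists additional literal characters to permit for this value.
function clean_value(string $value, string $extra = ''): string
{
    // preg_quote() keeps characters such as ']' or '^' in $extra literal.
    $pattern = '/[^ {}a-zA-Z0-9' . preg_quote($extra, '/') . '_.-]/';
    // Decode first, as the original line does, so encoded markup is stripped too.
    return preg_replace($pattern, '', urldecode($value));
}

// Clean a request array recursively. $extraByKey maps a parameter name to the
// extra characters allowed for that parameter only.
function clean_request(array $params, array $extraByKey = []): array
{
    $clean = [];
    foreach ($params as $key => $value) {
        $key = clean_value((string) $key);
        $clean[$key] = is_array($value)
            ? clean_request($value, $extraByKey)
            : clean_value((string) $value, $extraByKey[$key] ?? '');
    }
    return $clean;
}

// Constructed sample request (not taken from a real site).
$get = [
    'products_id'      => '28',
    'to_email_address' => 'friend@example.com',
    'keywords'         => '"><script>alert(1)</script>',
    'sort'             => '%3Cimg%20src%3Dx%3E',
];

// Default list: markup characters are removed, and so is the '@'.
print_r(clean_request($get));

// '@' permitted for the e-mail field only; every other parameter stays on
// the stricter default list.
print_r(clean_request($get, ['to_email_address' => '@']));
```

A value that passes this filter is still untrusted input: the address should be validated (for example with `filter_var($v, FILTER_VALIDATE_EMAIL)`) and escaped wherever it is output.
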
Eirik Posted May 5, 2009

> Security pro works through an 'allowed' list; to allow an additional char u must add to that list.
>
> In security.php
>
> return preg_replace("/[^ {}a-zA-Z0-9_.-]/i", "", urldecode($get_var));
>
> to allow the @ put
>
> return preg_replace("/[^ {}a-zA-Z0-9@_.-]/i", "", urldecode($get_var));
>
> ;)

Thanks so much, you are a gentleman and a scholar sir!

Guest Posted May 7, 2009

> I got the IP Trap to work by replacing the " " double quotes with ' ' single quotes where you define absolute path to '/home/***username***/public_html/catalog/banned/IP_Trapped.txt'
>
> Files changed:
> catalog/includes/secret.php
> catalog/personal/index.php
>
> Regards, Eric_K

I am having the same problem with the 99.999.99.999 and I still am not banned. I changed the single quotes to double and that didn't fix it. Help?!?

will

Guest Posted May 7, 2009

> > QUOTE (charinlasvegas @ Dec 7 2008, 08:51 PM)
> > Also, I just rec'd about 7 emails that my ip has been banned however I can still do whatever I want at my site. When I opened IP_Trapped.txt my ip is not listed, it shows 999.999.999.999
>
> I got the IP Trap to work by replacing the " " double quotes with ' ' single quotes where you define absolute path to '/home/***username***/public_html/catalog/banned/IP_Trapped.txt'
>
> Files changed:
> catalog/includes/secret.php
> catalog/personal/index.php
>
> Regards, Eric_K

I am having a problem with ip trap: it just shows the 999.999.999.999 and I am not banned even though I tried to ban myself. I did the above fix but it didn't fix the problem. I still am not banned. Please help me.

will

spooks Posted May 7, 2009 Author

Double check u set path correct

Sam

mhsuffolk Posted May 8, 2009

Which Anti XSS Contribution or method should I use?

I have installed all the contributions in Sam's original post except the Anti XSS (http://addons.oscommerce.com/info/6044), the reason being there seem to be several complete rewrites of it and there is also another contribution referred from the original, i.e. http://addons.oscommerce.com/info/6546, plus an alternative method in Post #69 of this Topic.

I am very confident in adding contributions but not sure which one to use as my coding knowledge does not go that deep.

Any advice will be greatly appreciated

Martin

Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.

Guest Posted May 8, 2009

> I am having the same problem with the 99.999.99.999 and I still am not banned. I changed the single quotes to double and that didn't fix it. Help?!?
>
> will

Is the file writeable?

Eirik Posted May 9, 2009

So I have a question: I have been creating my MySQL db's using a root user and then switching to a user in the config file that only allows data settings. So I'm curious if there is a "secure" privileges setup that I should be using. What I mean is, should the user only have select, insert, update, delete? Should it include file privileges?

Thanks in advance for your time and consideration.

Guest Posted May 12, 2009

QUICK QUESTION

I read the Protect your site via htaccess and it looks like a simple install. Does it work as good as it says? All the IPs as well, are they all bad? Has anybody had any problems with this add on???

Archived
This topic is now archived and is closed to further replies.