spooks Posted November 2, 2009 (Author)
> well i'm using CRE loaded so i don't know what exactly in there
Don't CRE have any security advice? I mentioned a little earlier the most important measures; make sure you complete at least those.
Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages; et al.
navuho Posted November 3, 2009
> Don't CRE have any security advice? I mentioned a little earlier the most important measures; make sure you complete at least those.
CRE Loaded doesn't seem to care for their customers these days. I looked at the logs; I think I found the guy, but I still can't see what he did. It's some SQL injection of some kind, but dunno what.
spooks Posted November 3, 2009 (Author)
> CRE Loaded doesn't seem to care for their customers these days. I looked at the logs; I think I found the guy, but I still can't see what he did. It's some SQL injection of some kind, but dunno what.
If you install what I said he won't be able to get back in. If CRE don't support, perhaps it's time you changed.
Sam
pizzasupreme Posted November 3, 2009
> 1. That's the default behaviour for osC; you need to mod the upload class to fix:
> function upload($file = '', $destination = '', $permissions = '777', $extensions = '') {
> Change that as you need for your server.
> 2. You have failed to run the setup file, so the admin settings do not exist; run that to fix your issue.
> 3. I don't know htaccess that well, but that looks incomplete to me. Try:
> RewriteCond %{HTTP_HOST} !^www\.YOURSITE\.com [NC]
> RewriteCond %{HTTP_HOST} !^$
> RewriteRule ^(.*) http://www.YOURSITE.com/$1 [L,R=301]
> 4. Sorry, don't know any. It's a lot of effort to write them & they're often not appreciated when you do, so many don't bother.
Thank you so much, Spooks. I was able to change the class/upload file and it's working properly now. I also ran the setup for the database backup program and it looks good too. I must have copied the code incorrectly in my previous message (for the htaccess), but even with the correct code you posted I still have a problem. I can get to the homepage, but everything after that times out; Firefox says it is an endless loop. Regardless, I will look around a bit more and if I find an answer will post back. Thank you again, Harold
navuho Posted November 3, 2009
> If you install what I said he won't be able to get back in. If CRE don't support, perhaps it's time you changed.
Yes, you are right. I found what happened. One of the sites on my server was hacked and they got me from there.
Flinspach Posted November 9, 2009
Hi spooks, thank you for this security advice. I installed the add-on http://addons.oscommerce.com/info/6044 Anti XSS against Cross Site Scripting attacks in the original version (Protev, June 2008). I get an error in the line
$search .= '~`";:?+/={}[]-_|'\';
Should this line be like this:
$search .= '~`";:?+/={}[]-_|\\';
with \\ instead of '\ in the string?
Thank you, Martin
spooks Posted November 9, 2009 (Author)
> Hi spooks, thank you for this security advice. I installed the add-on http://addons.oscommerce.com/info/6044 Anti XSS against Cross Site Scripting attacks in the original version (Protev, June 2008). I get an error in the line
> $search .= '~`";:?+/={}[]-_|'\';
> Should this line be like this:
> $search .= '~`";:?+/={}[]-_|\\';
> with \\ instead of '\ in the string?
> Thank you, Martin
Personally I only use the htaccess parts of that contrib, but you're right, that line is in error; reserved chars are not being escaped. It should be something like:
$search .= '~`\";:?+\/={}[]-_|\'';
Sam
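The following is an added example and is not code from the Anti XSS add-on or from osCommerce. It shows why the line quoted above does not parse and what a valid single-quoted literal for that character list looks like. Only the character list itself is taken from the thread; the add-on's surrounding code is not reproduced, and the assumption that the list is meant to contain both the backslash and the single quote (the two readings offered in the thread) is mine, as is the constructed payload.

```php
<?php
// Added example (not the add-on's own code): PHP single-quoted escaping.
//
// In a single-quoted PHP string only two escapes exist: \' yields a quote and
// \\ yields a backslash; every other backslash is kept literally. Hence:
//   '~`";:?+/={}[]-_|'\'     parse error: the ' after | closes the string
//   '~`";:?+/={}[]-_|\\'     valid, ends in one backslash and no quote
//   '~`\";:?+\/={}[]-_|\''   valid, keeps literal backslashes before " and /
//                            and ends in a quote
// Assumed intent: the list holds both the backslash and the single quote.

function xss_blacklist(): string {
    // ~ ` " ; : ? + / = { } [ ] - _ | \ '   (18 characters)
    return '~`";:?+/={}[]-_|\\\'';
}

// Apply the list the way such a filter would: drop every blacklisted byte.
function strip_blacklisted(string $value): string {
    return str_replace(str_split(xss_blacklist()), '', $value);
}

// Demo on a constructed payload. Note that < > ( ) are not in this list, so
// on its own it does not neutralise a script tag; it only removes the quote,
// semicolon and slash characters.
$payload = '<script>alert("xss");</script>';
echo strlen(xss_blacklist()), "\n";        // 18
echo strip_blacklisted($payload), "\n";    // <script>alert(xss)<script>
```

Whichever spelling is chosen, check it with `php -l` on the file before uploading; a parse error in a file pulled in by application_top.php takes the whole store down rather than just the filter.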
Flinspach Posted November 9, 2009
Hi spooks, ok, thank you. What version of the htaccess parts of that contrib do you prefer? Martin
spooks Posted November 9, 2009 (Author)
> Hi spooks, ok, thank you. What version of the htaccess parts of that contrib do you prefer? Martin
It's titled 'other version' in the download section.
Sam
Flinspach Posted November 9, 2009
Hi spooks, thank you for the prompt response. Martin
madstarr Posted November 11, 2009
Spooks, I am redoing my entire site because of being hacked continually the last several weeks and am putting into place all your suggested security measures. You recommended: Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044. I added just the .htaccess part as you mentioned in an earlier post. The directions on this link have a recommendation for using a different contribution, http://addons.oscommerce.com/info/6546. Which do you suggest using? Thank you. madstarr
spooks Posted November 11, 2009 (Author)
> Spooks, I am redoing my entire site because of being hacked continually the last several weeks and am putting into place all your suggested security measures. You recommended: Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044. I added just the .htaccess part as you mentioned in an earlier post. The directions on this link have a recommendation for using a different contribution, http://addons.oscommerce.com/info/6546. Which do you suggest using? Thank you. madstarr
The 2nd contrib you refer to is very limited in function; all it does is clean the string at the point of entry into the database. It's perfectly feasible that an SQL injection attack could have inserted code prior to that point. Also, if you've applied the other snippets for cleaning the GET & POST, then the string would already be cleaned by then. The first, being htaccess, is much more powerful & comprehensive; in truth there is no contest!!
Sam
madstarr Posted November 12, 2009
> The 2nd contrib you refer to is very limited in function; all it does is clean the string at the point of entry into the database. It's perfectly feasible that an SQL injection attack could have inserted code prior to that point. Also, if you've applied the other snippets for cleaning the GET & POST, then the string would already be cleaned by then. The first, being htaccess, is much more powerful & comprehensive; in truth there is no contest!!
Thanks Spooks. Working away at it. It appears that Google identified the malware on mine as traffcount.cn, just an FYI for anybody out there.
tigergirl Posted November 13, 2009
> FORMS: Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.
> after:
> require('includes/application_top.php');
> add:
> // clean posted vars
> reset($_POST);
> while (list($key, $value) = each($_POST)) {
>   if (!is_array($_POST[$key])) {
>     $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
>   } else {
>     unset($_POST[$key]);
>   } // no arrays expected
> }
> This does not allow for arrays; additional code is needed if they are used.
I just wondered the quickest way to check which files I may need to add this code to? Is there a file checker/search programme that can go through the folders? Am I looking for $_POST or $HTTP_POST_VARS, & tep_draw_form as well? Thanks
I'm feeling lucky today......maybe someone will answer my post! I do try and answer a simple post when I can, just to give something back.
PM me? - I'm not for hire
spooks Posted November 13, 2009 (Author)
> I just wondered the quickest way to check which files I may need to add this code to? Is there a file checker/search programme that can go through the folders? Am I looking for $_POST or $HTTP_POST_VARS, & tep_draw_form as well? Thanks
Most pages that use forms use the post method; some simply add this snippet to application_top to cover all, but remember some add-ons use arrays that this would delete, & some (mainly payment modules) use characters that this would remove. Sorry, not the precise answer you wanted!
PS: osC uses $HTTP_POST_VARS, but add-ons may use $_POST; the 2 are interchangeable, though $HTTP_POST_VARS is deprecated in PHP 5.
Sam
JR Sales Company Posted November 17, 2009
> Most pages that use forms use the post method; some simply add this snippet to application_top to cover all, but remember some add-ons use arrays that this would delete, & some (mainly payment modules) use characters that this would remove. Sorry, not the precise answer you wanted!
> PS: osC uses $HTTP_POST_VARS, but add-ons may use $_POST; the 2 are interchangeable, though $HTTP_POST_VARS is deprecated in PHP 5.
Where would you recommend as the best spot to insert the snippet if you were going to put it in app_top.php? Right before everything else? Thanks! :D
spooks Posted November 17, 2009 (Author)
> Where would you recommend as the best spot to insert the snippet if you were going to put it in app_top.php? Right before everything else? Thanks!
No, maybe at the end, but I think the best place would be just before the cart functions, i.e. just before
switch ($HTTP_GET_VARS['action']) {
Sam
tigergirl Posted November 19, 2009
> FORMS: Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars. [the "clean posted vars" snippet quoted in full above]
> This does not allow for arrays; additional code is needed if they are used.
Thanks for the last reply. I'm looking at account_edit.php first off. It has $HTTP_POST_VARS, so I added the above code. But email addresses have @, so should that character be added to preg_replace? The word array appears in the file; will this make a difference? How do I test if it's working? I have anti-robot registration installed. I'm unsure about this and a little nervous I'll break something.
spooks Posted November 19, 2009 (Author)
> Thanks for the last reply. I'm looking at account_edit.php first off. It has $HTTP_POST_VARS, so I added the above code. But email addresses have @, so should that character be added to preg_replace? The word array appears in the file; will this make a difference? How do I test if it's working? I have anti-robot registration installed. I'm unsure about this and a little nervous I'll break something.
If you look, the @ is already there in that string. osC uses array a lot, but arrays within post vars very rarely, and not within account_edit.php. Just test to see if any entered data is lost where the form action includes the add_multi param.
Sam
tigergirl Posted November 19, 2009
> If you look, the @ is already there in that string.
OOPS! Perhaps I should have gone to the optician first! Sorry about that! Double DOH!
In account_edit I put this for the customer name: [w](o)%3Cr%3Ek|i*n^g but it still says [w](o)%3Cr%3Ek|i*n^g. Shouldn't it say "working"? Or did I test it wrongly?
spooks Posted November 19, 2009 (Author)
> OOPS! Perhaps I should have gone to the optician first! Sorry about that! Double DOH!
> In account_edit I put this for the customer name: [w](o)%3Cr%3Ek|i*n^g but it still says [w](o)%3Cr%3Ek|i*n^g. Shouldn't it say "working"? Or did I test it wrongly?
Likely your server is treating $_POST & $HTTP_POST_VARS separately. Near the start of application_top.php add:
if (PHP_VERSION >= 4.1) {
  $HTTP_GET_VARS =& $_GET;
  $HTTP_POST_VARS =& $_POST;
}
Sam
tigergirl Posted November 19, 2009
> Likely your server is treating $_POST & $HTTP_POST_VARS separately. Near the start of application_top.php add:
> if (PHP_VERSION >= 4.1) {
>   $HTTP_GET_VARS =& $_GET;
>   $HTTP_POST_VARS =& $_POST;
> }
Thank you Sam, it is now "working", so I will go and do the other files. Should we do the admin side as well?
tigergirl Posted November 19, 2009
Would there be a potential issue using the $_POST fix on pages that require a password? It's just that the most secure passwords may contain values that may be cleaned off?? checkout_success appears to have POST and array together. Should the fix be applied on that page?
Jitty25 Posted November 20, 2009
Hello spooks, thank you for your constant support. I usually find all the answers, but I am not sure this time. I installed Security Pro, IP trap, Anti XSS, htaccess for the renamed admin folder, I deleted file_manager and define_language.php, and I added the code that you mentioned to every file containing $_POST vars. Can I remove the Anti XSS now that I have your code in every one of those files? How can I add my language characters to the code? I mean something like š etc. All those characters get omitted in every form now. Should we add your code to the admin part of the website too? I am asking because of this report http://secunia.com/advisories/22275/. I am sorry if it was discussed on the forum previously; I haven't found it. Thank you very much for your help
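The following is an added example and is not osCommerce's code or any add-on's code. It wraps the "clean posted vars" snippet quoted earlier in this thread in a function so its effect can be seen on a constructed POST body, and it demonstrates the three side effects raised in the later posts: the test string from account_edit becomes "working", but password characters such as ! and # are lost, non-ASCII letters such as š are deleted byte by byte, and array-valued fields are dropped. The selective variant and its $skip parameter are my suggestion for keeping password and multi-value fields intact; they are not an osC setting. The sample POST array is constructed for the example.

```php
<?php
// Added example, not osCommerce's own code.

// The whitelist exactly as posted in the thread: keep space, letters,
// digits and @ % : { } _ . -  ; delete every other byte.
const POST_WHITELIST = "/[^ a-zA-Z0-9@%:{}_.-]/i";

// One value in, cleaned value out. urldecode() runs first (so %3C becomes <
// before the filter sees it) and also turns + into a space.
function clean_post_value(string $value): string {
    return preg_replace(POST_WHITELIST, '', urldecode($value));
}

// The thread's snippet as a function over a whole POST array:
// scalars are cleaned, arrays are dropped ("no arrays expected").
function clean_post_array(array $post): array {
    foreach ($post as $key => $value) {
        if (is_array($value)) {
            unset($post[$key]);
        } else {
            $post[$key] = clean_post_value((string)$value);
        }
    }
    return $post;
}

// Variant: same whitelist for ordinary fields, but fields named in $skip are
// left untouched and array fields are cleaned element-wise instead of being
// deleted. Skipped fields still need escaping at the point of use:
// tep_db_input() before SQL and htmlspecialchars() before output.
// $skip is an assumed parameter for this example, not an osC setting.
function clean_post_selective(array $post, array $skip): array {
    foreach ($post as $key => $value) {
        if (in_array($key, $skip, true)) {
            continue;
        }
        if (is_array($value)) {
            $post[$key] = array_map('clean_post_value', array_map('strval', $value));
        } else {
            $post[$key] = clean_post_value((string)$value);
        }
    }
    return $post;
}

// Constructed sample POST body, roughly what account_edit.php would receive.
$sample = [
    'firstname'     => '[w](o)%3Cr%3Ek|i*n^g',       // the test string from the thread
    'email_address' => 'someone@example.com',
    'password'      => 'P@ss!w0rd#2009',
    'lastname'      => 'Šimon',                       // UTF-8, Š is two bytes
    'id'            => ['1' => 'red', '2' => 'xl'],   // an add-on style array field
];

$cleaned = clean_post_array($sample);
echo $cleaned['firstname'], "\n";       // working
echo $cleaned['email_address'], "\n";   // someone@example.com  (@ and . are in the whitelist)
echo $cleaned['password'], "\n";        // P@ssw0rd2009         (! and # removed)
echo $cleaned['lastname'], "\n";        // imon                 (both bytes of Š removed)
var_dump(isset($cleaned['id']));        // bool(false)          (array field dropped)

$kept = clean_post_selective($sample, ['password']);
echo $kept['password'], "\n";           // P@ss!w0rd#2009
print_r($kept['id']);                   // [1] => red, [2] => xl
```

The first function is exactly what the snippet does when dropped into application_top.php, which is why a store that accepts non-ASCII names or strong passwords will lose data on every form. A blanket byte whitelist is a stopgap; it is not a substitute for escaping values where they are used (the SQL query and the rendered page), and the password field in particular should never pass through it, since a silently mangled password is stored and then fails to match at login.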
OilyPablo Posted November 21, 2009
My first post here. I just wanted to thank spooks and others for saving our bacon. We were on our third day of fighting off hackers and somehow I stumbled on this site. A couple of the "patches" stopped the jealous idiot in his tracks. THANKS!! :D
This topic is now archived and is closed to further replies.