spooks (thread author), posted January 5, 2010

I'm sorry if you feel I reacted badly, but when you say there is no support thread, yet I have taken the trouble to provide a link in the download, within the zip and within the doc, it does somewhat jar!! The only one of those that reacts the way you say is the download one, and that is a forum bug. I will not answer questions outside the relevant threads. My link.

Sam

Remember: what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc, Disable any Category or Product, Easy way Secure & Improve your account pages et al.
natureguy, posted January 5, 2010

> I'm sorry if you feel I reacted badly, but when you say there is no support thread, yet I have taken the trouble to provide a link in the download, within the zip and within the doc, it does somewhat jar!! The only one of those that reacts the way you say is the download one, and that is a forum bug. I will not answer questions outside the relevant threads. My link.

Thanks Sam! That link works. I saved it in my instructions file and will further communicate within that support forum. :)
markfinstro, posted January 6, 2010

> But I have to say this works only for one-dimensional arrays (as most screen fields are), so it does not work for two- or more-dimensional arrays (array_map); in that case you have to program it yourself or extend this solution. But you probably get an error in that case (replacing a whole array with one value), so it warns by itself.

Hi Spooks,

I'm using the Product Tabs 2 mod, and have found that neither snippet of code works on ask_a_question.php; however, with every other form, including one page checkout, it works perfectly. Any help with ask_a_question.php would be appreciated, as I've had someone probing the forms on our site to find any weak spots.

Mark
markfinstro, posted January 7, 2010

> But I have to say this works only for one-dimensional arrays (as most screen fields are), so it does not work for two- or more-dimensional arrays (array_map); in that case you have to program it yourself or extend this solution. But you probably get an error in that case (replacing a whole array with one value), so it warns by itself.

Hi Spooks,

I'm using the Product Tabs 2.0 mod and cannot get either of the cleaning code snippets to work with the ask_a_question.php file. Any help would be appreciated.

Mark
robertoalberto, posted January 8, 2010

> Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.
>
> You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752
> You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441
> You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914
> You can add htaccess protection http://addons.oscommerce.com/info/6066
> You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044
>
> Also make sure that all files, except for the two configure.php files, have permissions no higher than 644. The permissions for the two configure.php files will vary according to the server your site is on; it could be 644, 444 or 400, whichever is correct for your server. Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders, then change hosts. You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.
>
> Do it now, and avoid getting that nasty addition to your listings in Google, 'This site might damage your computer', or finding all your customers' data posted on a hackers' bulletin board somewhere, etc. etc.
>
> Update Sep. 09
> The following addresses issues that have arisen, or were not mentioned, since this post was placed:
>
> SECURING THE ADMIN: You must take steps to secure your admin, by renaming and password protection. There is also an issue with hacks; read Jan's thread here.
>
> FILEMANAGER: It has long been known that the file manager is a security risk and should, nay MUST, be removed. If used for editing your site it is likely to damage your files, so it is a bad utility to keep anyway; see here. It has also been known as a possible hacking route, and to make matters worse there now exists a very nasty hack that uses the file manager to gain access to your site (database included!!). Use a normal editor such as HTML-Kit or Notepad++ after downloading all your files to your PC with FTP such as FileZilla.
>
> To remove the file manager: delete file_manager.php from catalog/admin, then open admin/includes/boxes/tools.php and delete the line:
>
>     '<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .
>
> It is also known that admin/define_language.php is vulnerable to the same hacks as the file manager, so it should also be removed.
>
> BACKUPS: To be safe you should make backups of your database and site files; it saves a great deal of time and effort cleaning up should anything nasty happen. I recommend you use AutoBackup Database in Admin AND Database backup manager, and also Backup of all store files in zip format.
>
> INSTALLATION: If you are unsure about installing these contributions, this thread should help you.
>
> FORMS: Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.
>
> after:
>
>     require('includes/application_top.php');
>
> add:
>
>     // clean posted vars
>     reset($_POST);
>     while (list($key, $value) = each($_POST)) {
>       if (!is_array($_POST[$key])) {
>         $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
>       } else {
>         unset($_POST[$key]); // no arrays expected
>       }
>     }
>
> This does not allow for arrays; additional code is needed if they are used.

Hi, in my application_top I cannot find the code that you say to change. My version is:

    // Define the project version
    define('PROJECT_VERSION', 'osCommerce 2.2-MS2');

Can you tell me how?
vakondweb, posted January 10, 2010

As far as I know there are a lot of attacks which use the admin/login.php file to open another file in the admin, so it's easy to get logged in without any password or username :(

The following change will give you protection against these hacks. Look in admin/includes/application_top.php (about row 136) and find:

    $current_page = basename($_SERVER['PHP_SELF']);

and replace it with:

    $current_page = basename($_SERVER['SCRIPT_FILENAME']);

So the /login.php-style hack doesn't work any more! :)
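The reason the one-line change above matters is how the two server variables are populated. PHP_SELF is derived from the request URI, so any extra path segment a client appends after the script name (PATH_INFO) becomes part of it; SCRIPT_FILENAME is the file system path of the script the server actually executed. The snippet below is an added illustration, not osCommerce code and not part of the post: it feeds constructed $_SERVER arrays for a plain request and for a request with /login.php appended through both versions of the check, and a simplified model of the application_top.php test that lets only the login page through without a session. The paths are made up, and whether a web server passes trailing path information to PHP at all depends on its configuration (for Apache, the AcceptPathInfo directive and the PHP handler in use).

```php
<?php
// Added example, not osCommerce code: why basename($_SERVER['PHP_SELF']) is a
// fragile key for the admin login check and basename($_SERVER['SCRIPT_FILENAME'])
// is not. PHP_SELF carries any PATH_INFO the client appended; SCRIPT_FILENAME is
// the file the server actually executed.

function current_page_vulnerable(array $server) {
    return basename($server['PHP_SELF']);
}

function current_page_fixed(array $server) {
    return basename($server['SCRIPT_FILENAME']);
}

// Simplified model of the test in admin/includes/application_top.php: only the
// login page may be requested without an admin session.
function login_check_skipped($current_page, $login_page = 'login.php') {
    return $current_page == $login_page;
}

// Constructed $_SERVER values for two requests that execute the same script.
$requests = array(
    'plain request' => array(
        'PHP_SELF'        => '/catalog/admin/categories.php',
        'SCRIPT_FILENAME' => '/var/www/catalog/admin/categories.php',
    ),
    'with /login.php appended' => array(
        'PHP_SELF'        => '/catalog/admin/categories.php/login.php',
        'SCRIPT_FILENAME' => '/var/www/catalog/admin/categories.php',
    ),
);

foreach ($requests as $label => $server) {
    $old = current_page_vulnerable($server);
    $new = current_page_fixed($server);
    printf("%-26s basename(PHP_SELF)        = %-15s login check skipped: %s\n",
           $label, $old, login_check_skipped($old) ? 'yes' : 'no');
    printf("%-26s basename(SCRIPT_FILENAME) = %-15s login check skipped: %s\n",
           $label, $new, login_check_skipped($new) ? 'yes' : 'no');
}
```

Run it with `php` from the command line. Only the second request differs between the two checks: the PHP_SELF version reports the page as login.php even though categories.php is what runs, while the SCRIPT_FILENAME version reports categories.php for both requests.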
Guest, posted January 13, 2010

I am trying to install XSS Shield (6044), "the other version". I had problems with it before, but since we just restored the site (we got hacked with the spam emails) I'm checking all of the security updates. When I install the following lines in .htaccess the site goes berserk. The images are missing; all of the fonts, backgrounds, etc. are gone. It's completely unformatted. This is an SSL-secured site. Any ideas? Any help would be appreciated.

    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index_error.php [F,L]
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

Also, what needs to go in index_error.php? Thanks! :rolleyes:

I have narrowed this problem down to the line RewriteEngine On causing the problem. If anyone has any ideas about this please let me know. Thank you.
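Before switching a ruleset like the one above on for a live store, it helps to see exactly what it blocks and what it lets through. The following is an added example, written for this page and not part of XSS Shield or of the post: it translates the five RewriteCond patterns to PCRE and runs them over constructed query strings. Two details matter when reading the results. Apache tests %{QUERY_STRING} in its raw, still URL-encoded form, and only the script and iframe conditions carry [NC], so the other three are case-sensitive. Also, because the first RewriteRule carries the [F] flag, Apache answers with a 403 itself; the index_error.php named in that rule is not what the client receives from it. The sample query strings are made up.

```php
<?php
// Added example: emulate the XSS Shield .htaccess conditions in PHP so the
// behaviour of the ruleset can be inspected offline. Not part of the add-on.

// (pattern, case-insensitive) pairs, in the order they appear in .htaccess.
// The conditions are chained with [OR], so the first one that matches decides.
$XSS_SHIELD_CONDITIONS = array(
    array('/base64_encode.*\(.*\)/',            false),
    array('/(\<|%3C).*script.*(\>|%3E)/',       true),   // [NC]
    array('/(\<|%3C).*iframe.*(\>|%3E)/',       true),   // [NC]
    array('/GLOBALS(=|\[|\%[0-9A-Z]{0,2})/',    false),
    array('/_REQUEST(=|\[|\%[0-9A-Z]{0,2})/',   false),
);

// Returns the condition that fired, or false when the request would pass.
function xss_shield_match($raw_query_string, array $conditions) {
    foreach ($conditions as $c) {
        list($pattern, $nocase) = $c;
        if (preg_match($pattern . ($nocase ? 'i' : ''), $raw_query_string) === 1) {
            return $pattern;
        }
    }
    return false;
}

// The last two lines of the ruleset: refuse TRACE/TRACK whatever the URL is.
function method_refused($method) {
    return preg_match('/^(TRACE|TRACK)/', $method) === 1;
}

// Constructed samples in the form the browser sends them (still URL-encoded).
$samples = array(
    'cPath=22&products_id=3',                              // ordinary osCommerce URL
    'keywords=%3Cscript%3Ealert(1)%3C%2Fscript%3E',        // encoded <script>
    'keywords=<IFRAME src=x>',                             // mixed case; [NC] catches it
    'GLOBALS%5Badmin%5D=1',                                // GLOBALS[admin]=1, encoded
    '_REQUEST[x]=1',
    'page=base64_encode(1)',                               // literal function-call text
    'data=' . base64_encode('<script>alert(1)</script>'),  // base64 payload: not matched
);

foreach ($samples as $qs) {
    $hit = xss_shield_match($qs, $XSS_SHIELD_CONDITIONS);
    printf("%-56s %s\n", $qs, $hit === false ? 'pass' : 'blocked by ' . $hit);
}
printf("TRACE refused: %s\n", method_refused('TRACE') ? 'yes' : 'no');
```

The last sample is the one to note: the first condition only looks for the literal text `base64_encode(...)` in the query string, so a base64-encoded payload sails past it. The ruleset is a signature filter on the raw query string, not a decoder, so it complements, rather than replaces, the input cleaning done in PHP.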
germ, posted January 13, 2010

> I have narrowed this problem down to the line RewriteEngine On causing the problem. If anyone has any ideas about this please let me know. Thank you.

I don't know if it helps any or not, but part of that script can cause this problem.

If I suggest you edit any file(s), make a backup first. I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me
"Headers already sent" - The definitive help. "Cannot redeclare ..." - How to find/fix it. SSL Implementation Help.
mdtaylorlrim, posted January 13, 2010

> I have narrowed this problem down to the line RewriteEngine On causing the problem. If anyone has any ideas about this please let me know. Thank you.

No... RewriteEngine On simply turns the engine on and off, making it follow or ignore the RewriteRule or condition that follows. Comment out all the rules and test. Uncomment each rule and test until you find the offending rule.

Community Bootstrap Edition, Edge. Avoid the most asked question. See How to Secure My Site and How do I...?
Guest, posted January 13, 2010

> No... RewriteEngine On simply turns the engine on and off, making it follow or ignore the RewriteRule or condition that follows. Comment out all the rules and test. Uncomment each rule and test until you find the offending rule.

I did do this, and the problem line is RewriteEngine. If everything is in and this line is commented out, there are no display problems. Or if I set it to Off, there are no display problems. If it is in, and set to On, there is a display problem.
mdtaylorlrim, posted January 13, 2010

OK, let me try this again. Not sure if I am understanding you right or not. Just turning the rewrite engine on and off should not give any errors. It is the ruleset that produces errors. Use this...

    Options +FollowSymLinks
    RewriteEngine On
    # RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    #RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    #RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
    #RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    #RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    #RewriteRule ^(.*)$ index_error.php [F,L]
    #RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    #RewriteRule .* - [F]

Does this give you an error? If it does, then you have a server issue that only your host can cure. If it does not, then start removing the # one at a time until you get an error. The last line uncommented is the suspect line.

My guess is the Trace/Track line is giving you problems. This should actually be done at the server level, not in an htaccess file.
Guest, posted January 13, 2010

> OK, let me try this again. Not sure if I am understanding you right or not. Just turning the rewrite engine on and off should not give any errors. It is the ruleset that produces errors. Use this...
>
>     Options +FollowSymLinks
>     RewriteEngine On
>     # RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
>     #RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
>     #RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
>     #RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
>     #RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
>     #RewriteRule ^(.*)$ index_error.php [F,L]
>     #RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     #RewriteRule .* - [F]
>
> Does this give you an error? If it does, then you have a server issue that only your host can cure. If it does not, then start removing the # one at a time until you get an error. The last line uncommented is the suspect line.
>
> My guess is the Trace/Track line is giving you problems. This should actually be done at the server level, not in an htaccess file.

Yes, that gives me an error. Thanks for your help; I'll check with the hosting company.
tigergirl, posted January 14, 2010

> Clean post arrays
> I don't think it would be a good idea to relax security just to enable complex passwords; you're only re-opening the hole!!

OK, been testing the code on account_password.php and "Houston, we have a problem!"

Situation 1: We start with password 123abc$ (since some existing customers may have passwords that contain characters that aren't allowed). I add the code to clean $_POST to account_password.php (the original snippet, as there is no array). Customer logs in with password 123abc$. Customer tries to change password but can't; error = passwords don't match.

Situation 2: We start with password 123456B. I add the code to clean $_POST to account_password.php. Customer logs in with password 123456B. Customer changes password to 123456* (well, they think that's what they changed it to). Customer tries to log in with 123456* but can only log in with 123456 (the * was cleaned off when the form was posted when the password was changed).

So the snippet, if used on forms using passwords, is going to create a lot of password problems as far as I can see.

> Just inform your users what they can enter, use php & javascript to validate the inputs.

I don't know how to do that :'( I'm still going to have the "hole" on pages that use passwords. What else can we do?

I'm feeling lucky today... maybe someone will answer my post! I do try and answer a simple post when I can, just to give something back.
PM me? I'm not for hire.
germ, posted January 15, 2010

We could do something similar to this thread, the difference being we'd make a list of characters that are allowed in the password field.
tigergirl, posted January 15, 2010

> We could do something similar to this thread, the difference being we'd make a list of characters that are allowed in the password field.

Wow, that looks very interesting. I'd like to keep it as suggested, but maybe restrict the special characters to 1 or 2 max so no damage can be performed. Would that secure the hole there? What code changes are needed for that? You dealt with account_password and create_account, but what about login.php?

Should I move this discussion to that thread, Spooks?
tigergirl, posted January 15, 2010

> You dealt with account_password and create_account, but what about login.php?

Too late for me to edit my post. I suppose we need to factor in password_forgotten so it issues acceptable passwords to match the new restrictions that will be in account_password and create_account? Login.php will have to be able to deal with old passwords that may have illegal characters?

Did I open a can of worms?
spooks (thread author), posted January 15, 2010

> Too late for me to edit my post. I suppose we need to factor in password_forgotten so it issues acceptable passwords to match the new restrictions that will be in account_password and create_account? Login.php will have to be able to deal with old passwords that may have illegal characters? Did I open a can of worms?

I'm looking at the issue; it may need an add-on to be created. If special chars are needed, it means adding processing to ensure they can do no harm. I'll update when I've sorted something suitable, or found an existing solution.

Sam
germ, posted January 15, 2010

I hope your greenhouse is still standing. :)

I think you are mistaken about several items.

1. You can't use the code as it is, because it doesn't disallow anything. But I will make changes and post new code if you like. I just posted the link as an example of what it takes to implement a password filtering program.

2. You don't have to modify any other files than the ones mentioned in that thread.

And you'll have to deal with "illegal" passwords that have already been created yourself. I'm not prepared to go down that road. Sorry... :blush:
tigergirl, posted January 15, 2010

> I'm looking at the issue; it may need an add-on to be created. If special chars are needed, it means adding processing to ensure they can do no harm. I'll update when I've sorted something suitable, or found an existing solution.

OK, thanks Spooks, I'll keep an eye out for an update.

> I hope your greenhouse is still standing.

Greenhouse still standing, just don't know for how long! Ha ha!

> 1. You can't use the code as it is, because it doesn't disallow anything.

I did understand that bit, just wasn't sure what would need to be added to restrict the use of special characters that could be used maliciously. Yes, I would be interested in implementing it, depending on the illegal passwords point below. I only want to keep the h*ckers out, not my customers ;)

> 2. You don't have to modify any other files than the ones mentioned in that thread.

OK, I'll assume that takes care of password resets then.

> And you'll have to deal with "illegal" passwords that have already been created yourself.

That bit worries me a lot! And I wanted to increase the password min length as well, but there is a bug mentioned in this post, so I wish my tin opener had broken a wee while back and that I'd known these things 3 years ago. I suppose dealing correctly with passwords from the beginning is something that web owners should set up on osC installations before customers get access to creating accounts.

Will happily test any code suggestions. Cheers
germ, posted January 16, 2010

At the top of /catalog/create_account.php AFTER this code:

    if (strlen($password) < ENTRY_PASSWORD_MIN_LENGTH) {
      $error = true;
      $messageStack->add('create_account', ENTRY_PASSWORD_ERROR);
    } elseif ($password != $confirmation) {
      $error = true;
      $messageStack->add('create_account', ENTRY_PASSWORD_ERROR_NOT_MATCHING);
    }

ADD this code:

    // bof extra password validation
    // checking for illegal characters: every character must be in the allowed set
    // (hyphen placed last so it is literal, /i so upper case letters are allowed)
    $m = array();
    if ( preg_match_all("/([a-z0-9 ._{}-])/i", $password, $m) != strlen($password) ) {
      $error = true;
      $messageStack->add('create_account', ENTRY_PASSWORD_INVALID);
    }
    if ( ! $error ) {
      // checking for illegal words
      $bad_words = array( 'base64_encode', 'script', 'iframe', 'GLOBALS', '_REQUEST');
      for ( $i = 0 ; $i < count($bad_words); $i++ ) {
        if ( stristr($password, $bad_words[$i] ) !== FALSE ) {
          $error = true;
          $messageStack->add('create_account', ENTRY_PASSWORD_INVALID);
          break;
        }
      }
    }
    // eof extra password validation

At the top of /catalog/account_password.php AFTER this code:

    if (strlen($password_current) < ENTRY_PASSWORD_MIN_LENGTH) {
      $error = true;
      $messageStack->add('account_password', ENTRY_PASSWORD_CURRENT_ERROR);
    } elseif (strlen($password_new) < ENTRY_PASSWORD_MIN_LENGTH) {
      $error = true;
      $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR);
    } elseif ($password_new != $password_confirmation) {
      $error = true;
      $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR_NOT_MATCHING);
    }

ADD this code:

    // bof extra password validation
    // checking for illegal characters (same allowed set as in create_account.php)
    $m = array();
    if ( preg_match_all("/([a-z0-9 ._{}-])/i", $password_new, $m) != strlen($password_new) ) {
      $error = true;
      $messageStack->add('account_password', ENTRY_PASSWORD_INVALID);
    }
    if ( ! $error ) {
      // checking for illegal words
      $bad_words = array( 'base64_encode', 'script', 'iframe', 'GLOBALS', '_REQUEST');
      for ( $i = 0 ; $i < count($bad_words); $i++ ) {
        if ( stristr($password_new, $bad_words[$i] ) !== FALSE ) {
          $error = true;
          $messageStack->add('account_password', ENTRY_PASSWORD_INVALID);
          break;
        }
      }
    }
    // eof extra password validation

Then in /catalog/includes/languages/english.php ADD this:

    define('ENTRY_PASSWORD_INVALID', 'Your password contains characters or words that are not allowed.');

(Customize to suit.)

BACKUP ALL FILES INVOLVED BEFORE MAKING ANY EDITS.
tigergirl, posted January 16, 2010

>     // bof extra password validation
>     // checking for illegal characters
>     $m = array();
>     if ( preg_match_all("/([a-z0-9 ._{}-])/i", $password, $m) != strlen($password) ) {
>       $error = true;
>       $messageStack->add('create_account', ENTRY_PASSWORD_INVALID);
>     }
>     if ( ! $error ) {
>       // checking for illegal words
>       $bad_words = array( 'base64_encode', 'script', 'iframe', 'GLOBALS', '_REQUEST');
>       for ( $i = 0 ; $i < count($bad_words); $i++ ) {
>         if ( stristr($password, $bad_words[$i] ) !== FALSE ) {
>           $error = true;
>           $messageStack->add('create_account', ENTRY_PASSWORD_INVALID);
>           break;
>         }
>       }
>     }
>     // eof extra password validation

Thank you Germ, that looks awesome. Tell me to go away if I ask too much... but now that you've tempted me with the PCI compliant / strong password standard in the other thread, I'm wondering if it's possible to combine the code to force the password to contain at least one character from each of:

1. Digits 0 thru 9
2. Upper case letters A thru Z
3. Lower case letters a thru z

PLUS

4. A character NOT found in the 3 previous (1 x special character allowed)

Or would that simply re-open the hole? Can damage be done with just 1 special character?
spooks (thread author), posted January 17, 2010

Special chars in password

I have now created code that will safely allow any characters to be used for the password, which will also work for existing passwords. The contrib will also add improvements and better security for a number of account fields. I will release it as an add-on as soon as it is ready.

Sam
spooks (thread author), posted January 18, 2010

Special chars in passwords

OK, the add-on is created; you will find it here. This is an initial release, so issues may arise; there have been none in testing though!

It works by processing all password inputs before anything else: passwords are translated to hex values, the inputs validated, then deleted as no longer required (only the hex strings are processed further). An option is provided to ensure existing passwords will work. Once the initial processing is done, all inputs (post vars) are sanitized.

Features:

- A new option is added to require the user to input a 'strong' password.
- The date of birth field is now a drop down.
- The telephone field is checked to be numeric (if entered) and to contain only limited allowed chars.
- The post code field is checked for the correct format, but only for UK and USA sites.
- If strong password is enabled, password forgotten will generate strong passwords.
- The State/Province/County field is pre-filled with the zones for the store country, rather than a blank field that gets populated on submit!
- The Country drop down is pre-selected to the store country.
- All input fields are sanitized.

The package includes all account files where user input is allowed, so ensuring those inputs are sanitized; that includes the contact_us file.

The support thread will be found at http://forums.oscomm...howtopic=352361

Sam
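The order of processing described above is the part worth understanding, because it resolves both earlier problems in this thread: the $_POST cleaning snippet quoted earlier stripped characters such as `*` and `$` out of passwords and discarded array inputs altogether. Below is an added example of one way to implement that order; it is my code written for this page, not the add-on's, and the field names, the allowed-character set, the hypothetical strength rule (digit, upper case, lower case and one other character, as asked about earlier) and the minimum length are assumptions. Password fields are hex-encoded and the raw values dropped before any filter runs, the strength rule is applied to new passwords only, and the remaining post variables are filtered with the same allowed set as the earlier snippet, recursing into nested arrays rather than deleting them. At hashing or comparison time `pack('H*', ...)` turns the hex back into the exact original bytes, which is why existing passwords with special characters keep working.

```php
<?php
// Added example of the processing order described above; not the add-on's code.
// Field names, the allowed-character set and the strength rule are assumptions.

// Posted fields that hold passwords, and whether each must meet the strength rule
// (a current password is checked against the stored hash, not against the rule).
$PASSWORD_FIELDS = array(
    'password'              => true,   // create_account.php
    'confirmation'          => true,
    'password_current'      => false,  // account_password.php
    'password_new'          => true,
    'password_confirmation' => true,
);

// Same allowed set as the $_POST cleaning snippet quoted earlier in the thread.
define('CLEAN_INPUT_PATTERN', '/[^ a-zA-Z0-9@%:{}_.-]/');

// Hypothetical strength rule: digit, upper case, lower case, and at least one
// character that is none of those.
function is_strong_password($raw, $min_length = 8) {
    return strlen($raw) >= $min_length
        && preg_match('/[0-9]/', $raw) === 1
        && preg_match('/[A-Z]/', $raw) === 1
        && preg_match('/[a-z]/', $raw) === 1
        && preg_match('/[^0-9A-Za-z]/', $raw) === 1;
}

// Recursively strip disallowed characters from a value or a (nested) array of
// values. PHP has already URL-decoded $_POST, so there is no urldecode() here.
// Array keys are left as they are; check them against the names the page expects.
function clean_input($value) {
    if (is_array($value)) {
        return array_map('clean_input', $value);   // single array: keys are preserved
    }
    return preg_replace(CLEAN_INPUT_PATTERN, '', (string) $value);
}

// Step 1: take the passwords out as hex, validate them, drop the raw values.
// Step 2: clean everything that is left.
function process_account_post(array $post, array $password_fields) {
    $hex    = array();
    $errors = array();
    foreach ($password_fields as $field => $must_be_strong) {
        if (isset($post[$field]) && !is_array($post[$field])) {
            $raw = (string) $post[$field];
            if ($must_be_strong && !is_strong_password($raw)) {
                $errors[] = $field . ' does not meet the strength rule';
            }
            $hex[$field] = bin2hex($raw);   // only [0-9a-f] travels from here on
        }
        unset($post[$field]);               // the raw password never reaches the filter
    }
    return array('hex' => $hex, 'clean' => clean_input($post), 'errors' => $errors);
}

// At hashing or comparison time, recover the exact original bytes.
function password_bytes_from_hex($hex) {
    return pack('H*', $hex);
}

// Constructed $_POST for an account_password.php submission.
$post = array(
    'password_current'      => 'old$pass',        // legacy password with a special char
    'password_new'          => 'N3w*Pass!',
    'password_confirmation' => 'N3w*Pass!',
    'firstname'             => 'Mary<script>',
    'extra'                 => array('a' => 'x;y', 'b' => array('c' => 'ok-1')),
);
$result = process_account_post($post, $PASSWORD_FIELDS);

// New and confirmation passwords are compared as hex strings, so the '*' and '!'
// were never filtered out of either of them.
$match = $result['hex']['password_new'] === $result['hex']['password_confirmation'];
printf("new/confirmation match: %s\n", $match ? 'yes' : 'no');
printf("current password restored: %s\n",
       password_bytes_from_hex($result['hex']['password_current']));
print_r($result['clean']);
print_r($result['errors']);
```

Run it with `php` on the command line. The cleaned array still contains the nested `extra` entries, with the `;` removed but the `-` kept, and the restored current password is the original `old$pass`, which is what a login check against the stored hash needs.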
tigergirl, posted January 19, 2010

> OK, the add-on is created; you will find it here. This is an initial release, so issues may arise; there have been none in testing though!

Superb, will have a look at this and do some testing in a few days when I get a chance. Thank you Sam
Kokerskan, posted January 20, 2010

From our supplier of card payments we get this response code: https://www.domain.com/checkout_process.php?R=$&A=# . We will install Security Pro and wonder if we will encounter problems with this response code? If so, how do we change it so we can use Security Pro?
This topic is now archived and is closed to further replies.