
How to secure your osCommerce 2.2 site.


spooks


I'm sorry if you feel I reacted badly, but when you say no support thread, yet I have taken the trouble to provide a link in the download & within the zip & within the doc, it does somewhat jar!!

The only one of those that reacts the way you say is the download one, & it's a forum bug. I will not answer questions outside relevant threads.

 

My link-

 

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Thanks Sam! That link works. I saved it in my instructions file and will further communicate within that support forum. :)

 


Hi Spooks,

 

But I have to say this works only for one-dimensional arrays (as most screen fields are), so it does not work for two or more dimensional arrays (array_map); in that case you have to program it yourself or extend this solution. But you probably get an error in that case (replacing a whole array with one value), so it warns by itself.

 

I'm using the Product Tabs 2 mod, and have found that neither snippet of code works on the ask_a_question.php, however with every other form, including one page checkout, it works perfectly.

 

Any help with the ask_a_question.php would be appreciated, as I've had someone probing the forms on our site to find any weak spots.

 

Mark


Lots of people ask this all too often, especially after they think they've been hacked, so the answers are all here.

 

You can prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

 

You can monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

 

You can block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

 

You can add htaccess protection http://addons.oscommerce.com/info/6066

 

You can stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

 

Also make sure that all files, except for the two configure.php files, have permissions no higher than 644.

 

The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400, whichever is correct for your server.

 

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

 

You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

 

Do it now, and avoid getting that nasty addition to your listings in Google: 'This site might damage your computer'.

Or finding all your customers' data posted on a hackers' bulletin board somewhere, etc. etc.

 

Update Sep. 09

 

The following addresses issues that have arisen or were not mentioned since this post was placed:

 

SECURING THE ADMIN:

 

You must take steps to secure your admin, by re-naming & password protection. There is also an issue with hacks, read Jan's thread here.

 

FILEMANAGER:

 

It has long been known the filemanager is a security risk & should, nay MUST, be removed; if used for editing your site it is likely to damage your files, so it is a bad utility to keep anyway, see here. It's also known to be a possible hacking route &, to make matters worse, there now exists a very nasty hack that uses filemanager to gain access to your site (dbase included!!)

 

Use a normal editor such as HTML-Kit or Notepad++ after downloading all your files to your PC with FTP, such as FileZilla.

 

To remove filemanager:

 

Delete file_manager.php from catalog/admin

 

open admin/includes/boxes/tools.php and delete the line:

 

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .

 

It is also known that admin/define_language.php is vulnerable to the same hacks as filemanager, so should also be removed.

 

BACKUPS:

 

To be safe you should make backups of your dBase and site files; it saves a great deal of time & effort cleaning up should anything nasty happen.

 

I recommend you use AutoBackup Database in Admin AND Database backup manager also Backup of all store files in zip format.

 

INSTALLATION:

 

If you are unsure about installing these contributions this thread should help you.

 

FORMS:

 

Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

 

after:

 

require('includes/application_top.php');

add:

 
// clean posted vars: strip every character outside the allowed set from each scalar $_POST value
// (foreach over array_keys() replaces the old reset()/each() loop, which no longer works on PHP 8)
foreach (array_keys($_POST) as $key) {
  if (!is_array($_POST[$key])) {
    $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
  } else {
    unset($_POST[$key]); // no arrays expected
  }
}

 

This does not allow for arrays, additional code is needed if they are used.

 

hi,

 

My application_top does not have the code that you say to change.

My version is:

// Define the project version
define('PROJECT_VERSION', 'osCommerce 2.2-MS2');

Can you tell me how?


As far as I know there are a lot of attacks which use the admin/login.php file to open another file in the admin,

so it's easy to get logged in without any password or username :(

 

The following change will give you protection against these hacks:

 

Look for admin/includes/application_top.php (about row 136)

find:

$current_page = basename($_SERVER['PHP_SELF']);

 

and replace:

$current_page = basename($_SERVER['SCRIPT_FILENAME']);

 

So the /login.php-style hack doesn't work any more! :)


I am trying to install XSS Shield (6044) "the other version".

I had problems with it before, but since we just restored the site (got hacked with the spam emails)

I'm checking all of the security updates.

 

When I install the following lines in .htaccess the site goes berserk. The images are missing, all of the fonts, backgrounds, etc. are gone. It's completely unformatted. This is an SSL secured site. Any ideas? Any help would be appreciated.

 

Options +FollowSymLinks
RewriteEngine On 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

 

Also, what needs to go in index_error.php?

 

Thanks! :rolleyes:

 

I have narrowed this problem down to the line RewriteEngine on causing the problem. If anyone has any ideas about this please let me know.

Thank you.


I don't know if it helps any or not, but part of that script can cause this problem

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >


No...the RewriteEngine on simply turns on and off the engine making it follow or ignore the RewriteRule or condition that follows.

 

Comment out all the rules and test. Uncomment each rule and test until you find the offending rule.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


I did do this and the problem line is RewriteEngine. If everything is in and this line is commented out, there are no display problems.

Or if I set it to off, there are no display problems. If it is in, and set to on, there is a display problem.


Ok, let me try this again. Not sure if I am understanding you right or not.

 

Just turning on and off the rewrite engine should not give any errors. It is the ruleset that produces errors.

 

 

Use this...

 

Options +FollowSymLinks
RewriteEngine On 
# RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
#RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
#RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
#RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
#RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
#RewriteRule ^(.*)$ index_error.php [F,L]
#RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
#RewriteRule .* - [F]

 

Does this give you an error? If it does then you have a server issue that only your host can cure. If it does not then start removing the # one at a time until you get an error. The last line uncommented is the suspect line.

 

My guess is the Trace/Track line is giving you problems. This should actually be done at the server level, not in an htaccess file.



Yes, that gives me an error. Thanks for your help, I'll check with the hosting company.


Clean post arrays

 

I don't think it would be a good idea to relax security just to enable complex passwords, you're only re-opening the hole!!

 

Ok, been testing the code on account_password.php and "Houston, we have a problem!"

 

Situation 1:

We start with password 123abc$ (since some existing customers may have passwords that contain characters that aren't allowed)

I add the code to clean $_POST to account_password.php (the original snippet as there is no array)

Customer logs in with password 123abc$

Customer tries to change password but can't - error = passwords don't match.

 

Situation 2:

We start with password 123456B

I add the code to clean $_POST to account_password.php

Customer logs in with password 123456B

Customer changes password to 123456* ( well they think that's what they changed it to)

Customer tries to log in with 123456* but can only log in with 123456 (the * has been cleaned off when the form was posted when the password was changed)

 

So the snippet, if used on forms using passwords, is going to create a lot of password problems as far as I can see.

 

Just inform your users what they can enter, use PHP & JavaScript to validate the inputs.

 

I don't know how to do that :'(

 

I'm still going to have the "hole" on pages that use passwords. What else can we do?

I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire


We could do something similar to this thread, the difference being we'd make a list of characters that are allowed in the password field.

Wow, that looks very interesting. I'd like to keep it like suggested but maybe restrict the special characters to 1 or 2 max so no damage can be performed - would that secure the hole there? What code changes are needed for that?

 

You dealt with account_password & create_account but what about login.php?

 

Should I move this discussion to that thread Spooks?


Too late for me to edit post. I suppose we need to factor in password_forgotten so it issues acceptable passwords to match the new restrictions that will be in account_password & create_account ? Login.php will have to be able to deal with old passwords that may have illegal characters? Did I open a can of worms?


I'm looking at the issue, it may need an add-on to be created; if special chars are needed, it means adding processing to ensure they can do no harm. I'll update when I've sorted something suitable, or found an existing solution.

Sam

 


I hope your greenhouse is still standing.

:)

 

I think you are mistaken about several items.

 

1. You can't use the code as it is because it doesn't disallow anything. But I will make changes and post new code if you like. I just posted the link as an example of what it takes to implement a password filtering program.

 

2. You don't have to modify any other files than the ones mentioned in that thread.

 

And you'll have to deal with "illegal" passwords that have already been created yourself. I'm not prepared to go down that road.

 

Sorry...

:blush:

ok, thanks Spooks, I'll keep an eye out for an update.

 

I hope your greenhouse is still standing.

Greenhouse still standing, just don't know for how long! Ha ha!

1. You can't use the code as it is because it doesn't disallow anything.

I did understand that bit, just wasn't sure what would need to be added to restrict the use of special characters that could be used maliciously. Yes, would be interested in implementing, depends on the illegal passwords point below. I only want to keep the h*ckers out, not my customers ;)

 

2. You don't have to modify any other files than the ones mentioned in that thread.

OK, I'll assume that takes care of password resets then

 

And you'll have to deal with "illeagal" passwords that have already been created yourself.

That bit worries me a lot! And I wanted to increase the password min length as well but there is a bug mentioned in this post so I wish my tin opener had broken a wee while back and that I'd known these things 3 years ago. I suppose dealing correctly with passwords from the beginning is something that web owners should set up on osc installations before customers get access to creating accounts.

 

Will happily test any code suggestions.

Cheers


At the top of /catalog/create_account.php AFTER this code:

 

  if (strlen($password) < ENTRY_PASSWORD_MIN_LENGTH) {
   $error = true;

   $messageStack->add('create_account', ENTRY_PASSWORD_ERROR);
 } elseif ($password != $confirmation) {
   $error = true;

   $messageStack->add('create_account', ENTRY_PASSWORD_ERROR_NOT_MATCHING);
 }

ADD this code:

 

// bof extra password validation

// checking for illegal characters: only a-z, A-Z, 0-9, space, '.', '_', '{', '}' and '-' are allowed
// (the hyphen is last in the class so it is a literal; written as ".-_" it formed a character range
//  that also let through characters such as '<', '>', '/' and ';')
 $m = array();
 if ( preg_match_all("/([a-zA-Z0-9 ._{}-])/", $password, $m) != strlen($password) ) { // no '&': call-time pass-by-reference is a fatal error on PHP 5.4+
   $error = true;
   $messageStack->add('create_account', ENTRY_PASSWORD_INVALID);
 }

 if ( ! $error ) {
// checking for illegal words (stristr compares case-insensitively)
   $bad_words = array(
     'base64_encode',
     'script',
     'iframe',
     'GLOBALS',
     '_REQUEST');

   for ( $i = 0 ; $i < count($bad_words); $i++ ) {
     if ( stristr($password, $bad_words[$i] ) !== FALSE ) {
       $error = true;
       $messageStack->add('create_account', ENTRY_PASSWORD_INVALID); // this page's message stack is 'create_account'
       break;
     }
   }
 }

// eof extra password validation

At the top of /catalog/account_password.php AFTER this code:

 

  if (strlen($password_current) < ENTRY_PASSWORD_MIN_LENGTH) {
   $error = true;

   $messageStack->add('account_password', ENTRY_PASSWORD_CURRENT_ERROR);
 } elseif (strlen($password_new) < ENTRY_PASSWORD_MIN_LENGTH) {
   $error = true;

   $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR);
 } elseif ($password_new != $password_confirmation) {
   $error = true;

   $messageStack->add('account_password', ENTRY_PASSWORD_NEW_ERROR_NOT_MATCHING);
 }

ADD this code:

 

// bof extra password validation

// checking for illegal characters: only a-z, A-Z, 0-9, space, '.', '_', '{', '}' and '-' are allowed
// (the hyphen is last in the class so it is a literal rather than the start of a range)
 $m = array();
 if ( preg_match_all("/([a-zA-Z0-9 ._{}-])/", $password_new, $m) != strlen($password_new) ) { // no '&': call-time pass-by-reference is a fatal error on PHP 5.4+
   $error = true;
   $messageStack->add('account_password', ENTRY_PASSWORD_INVALID);
 }

 if ( ! $error ) {
// checking for illegal words (stristr compares case-insensitively)
   $bad_words = array(
     'base64_encode',
     'script',
     'iframe',
     'GLOBALS',
     '_REQUEST');

   for ( $i = 0 ; $i < count($bad_words); $i++ ) {
     if ( stristr($password_new, $bad_words[$i] ) !== FALSE ) {
       $error = true;
       $messageStack->add('account_password', ENTRY_PASSWORD_INVALID);
       break;
     }
   }
 }

// eof extra password validation

Then in /catalog/includes/languages/english.php ADD this:

 

define('ENTRY_PASSWORD_INVALID', 'Your password contains characters or words that are not allowed.');

(Customize to suit).

 

BACKUP ALL FILES INVOLVED BEFORE MAKING ANY EDITS.


Thank you Germ, that looks awesome. Tell me to go away if I ask too much... but now that you've tempted me with the PCI compliant / strong password standard in the other thread, I'm wondering if it's possible to combine the code to:

 

force the password to contain at least one character from:

 

1. Digits 0 thru 9

2. Upper case letters A thru Z

3. Lower case letters a thru z

PLUS

4. A character NOT found in the 3 previous (1 x special character allowed)

 

Or would that simply re-open the hole? Can damage be done with just 1 special character?

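As an added example (not code from Germ's post, from Sam's add-on or from osCommerce itself), the checks in the create_account / account_password snippets above are wrapped in one reusable function and extended with the four-character-class "strong password" rule asked about in the post above. The function name password_policy_errors(), the error codes it returns and the sample passwords are assumptions made for this example.

```php
<?php
// Added example (not code from the thread or from osCommerce): the character whitelist and
// forbidden-word checks from the create_account / account_password snippets, wrapped in one
// reusable function and extended with the four-character-class "strong password" rule.
// The function name, the error codes it returns and the sample passwords are assumptions.

/**
 * Check $password against the policy and return the list of rule names it breaks.
 * An empty array means the password is acceptable.
 *   $min_length     mirrors ENTRY_PASSWORD_MIN_LENGTH
 *   $require_strong also demands a digit, an upper-case letter, a lower-case letter and
 *                   one character that belongs to none of those three groups
 */
function password_policy_errors($password, $min_length = 5, $require_strong = false) {
    // Allowed characters: letters, digits, space and a few punctuation marks. The hyphen is
    // last inside the class so it is a literal '-' rather than the start of a range.
    $allowed_re = '/^[a-zA-Z0-9 ._{}-]*$/';
    // Words that may not appear anywhere in the password (matched case-insensitively).
    $bad_words  = array('base64_encode', 'script', 'iframe', 'GLOBALS', '_REQUEST');

    $errors = array();
    if (strlen($password) < $min_length) {
        $errors[] = 'too_short';
    }
    if (!preg_match($allowed_re, $password)) {
        $errors[] = 'illegal_character';
    }
    foreach ($bad_words as $word) {
        if (stripos($password, $word) !== false) {
            $errors[] = 'illegal_word';
            break;
        }
    }
    if ($require_strong) {
        if (!preg_match('/[0-9]/', $password))        $errors[] = 'needs_digit';
        if (!preg_match('/[A-Z]/', $password))        $errors[] = 'needs_upper';
        if (!preg_match('/[a-z]/', $password))        $errors[] = 'needs_lower';
        if (!preg_match('/[^0-9A-Za-z]/', $password)) $errors[] = 'needs_special';
    }
    return $errors;
}

// Constructed sample passwords (not data from the thread) and whether the strong rule is on.
$samples = array(
    array('abc12345',     false),   // plain, within the whitelist
    array('123abc$',      false),   // '$' is not in the whitelist
    array('my<script>pw', false),   // '<', '>' and the word "script"
    array('Abc-1234',     true),    // digit, upper, lower and '-'
    array('abc12345',     true),    // no upper-case letter and no special character
);
foreach ($samples as $sample) {
    list($pw, $strong) = $sample;
    $result = password_policy_errors($pw, 5, $strong);
    printf("%-14s strong=%-3s -> %s\n", $pw, $strong ? 'yes' : 'no',
           $result ? implode(', ', $result) : 'ok');
}
```

The function only sees the value the form handler actually receives. If the generic $_POST cleaner from earlier in this thread runs first, a character such as `*` is removed before the policy is consulted, which is exactly the mismatch described in Situation 2 above (the customer believes the password ends in `*`, the stored one does not). Validating with this function and leaving the raw password alone, as Sam's later posts describe, avoids that.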

Special chars in password

 

 

I have now created code that will safely allow any characters to be used for the password which will also work for existing passwords, the contrib will also add improvements/ better security for a number of account fields.

 

I will release it as an add-on as soon as it is ready.

Sam

 


Special chars in passwords

 

 

OK, the add-on is created, you will find it here. This is an initial release, so issues may arise; there have been none in testing though!

 

It works by processing all password inputs before anything else, passwords are translated to hex values, the inputs validated then deleted as no longer required (only the hex strings are processed further). An option is provided to ensure existing passwords will work.

 

Once the initial processing is done, all inputs (post vars) are sanitized.

 

 

Features:

 

  • A new option is added to require the user to input a 'strong' password
  • The date of birth field is now a drop down
  • The telephone field is checked to be numeric (if entered) and to contain only limited allowed chars.
  • The post code field is checked for the correct format, but only for UK & USA sites.
  • If strong password is enabled, password forgotten will generate strong passwords.
  • The State/Province/County: field is pre-filled with the zones for the store country, rather than a blank field that gets populated on submit!
  • The Country drop down is pre-selected to the store country.
  • All input fields are sanitized.

The package includes all account files where user input is allowed, so ensuring those inputs are sanitized, that includes the contact_us file.

 

Support thread will be found at http://forums.oscomm...howtopic=352361

 

 

 

 

 

 

Sam

 

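As an added example, not code from the thread or from Sam's add-on, the two ideas discussed in this thread are combined: the "clean posted vars" snippet is made recursive so that nested (multi-dimensional) $_POST arrays, which the original snippet drops, are cleaned leaf by leaf; and the password fields are converted to hex before the cleaner runs, as the add-on description above says, so any character can be used in a password while every other field is still reduced to the allowed set. The function names clean_post_value() and sanitize_post(), the list of password fields and the sample data are assumptions made for this example; hex2bin() requires PHP 5.4 or later.

```php
<?php
// Added example, not code from the thread or from Sam's add-on: a recursive version of the
// "clean posted vars" snippet plus hex protection of the password fields. Function names,
// the password-field list and the sample data are assumptions made for this example.

// The same allowed set as the snippet in the thread.
define('POST_CLEAN_RE', "/[^ a-zA-Z0-9@%:{}_.-]/");

/** Strip disallowed characters from a scalar, or from every leaf of a nested array. */
function clean_post_value($value) {
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[$key] = clean_post_value($item);   // keys are kept as-is, like the original snippet
        }
        return $clean;
    }
    return preg_replace(POST_CLEAN_RE, '', urldecode((string) $value));
}

/**
 * Sanitize a whole POST array. $password_fields names the keys whose raw value must survive:
 * they are hex-encoded first (bin2hex produces only [0-9a-f], which the cleaner leaves
 * untouched), the cleaner runs over everything, and the hex strings are decoded again.
 * A password submitted as an array is not protected and is cleaned like any other field.
 */
function sanitize_post(array $post, array $password_fields) {
    foreach ($password_fields as $field) {
        if (isset($post[$field]) && !is_array($post[$field])) {
            $post[$field] = bin2hex($post[$field]);
        }
    }
    $post = clean_post_value($post);
    foreach ($password_fields as $field) {
        if (isset($post[$field]) && !is_array($post[$field])) {
            $post[$field] = hex2bin($post[$field]);   // original bytes restored, special characters included
        }
    }
    return $post;
}

// Constructed sample $_POST, as a browser would submit it (not captured from a real site).
$sample_post = array(
    'email_address' => 'alice@example.com',
    'password'      => '123456*',                                      // the '*' the plain cleaner would strip
    'comments'      => 'hello <b>world</b>; bye',
    'id'            => array(3 => 'red<', 'size' => array('L;', 'M')),   // nested option array
);
$clean = sanitize_post($sample_post, array('password'));
print_r($clean);
```

Running this shows the password keeping its `*` while the `<`, `>`, `/` and `;` characters are removed from the comment and from both levels of the nested option array, which is the behaviour the add-on description above promises. The validation from the earlier example would then be applied to the decoded password, not to the cleaned form data.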


Superb, will have a look at this and do some testing in a few days when I get a chance.

 

Thank you Sam
