ehendley Posted May 21, 2010
The original post is nearly 2 years old. I have v2.2 RC2a ... how much of this is pertinent now?
r/ ed
Mort-lemur Posted May 21, 2010
> The original post is nearly 2 years old. I have v2.2 RC2a ... how much of this is pertinent now? r/ ed

All of it

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
ehendley Posted May 21, 2010
> All of it

Hmmmm ... well, I don't have a file_manager.php under admin and Security Pro was part of my vanilla site.
r/ ed
Mort-lemur Posted May 21, 2010
> Hmmmm ... well, I don't have a file_manager.php under admin and Security Pro was part of my vanilla site. r/ ed

Well that's odd - I'm on 2.2 RC2a and had to delete file manager and add security pro.
ehendley Posted May 21, 2010
> Well thats odd - Im on 2.2 Rc2a and had to delete file manager and add security pro.

That is weird! But I am gonna check the installs since they also have Easy Populate, but it is not installed properly since it does not work once they moved the root (they eliminated the catalog folder, never set up the temp dir, & missed the catalog menu choice entirely). Thanks for the help tho ... most of these security updates are straightforward and very helpful :)
r/ ed
bjhampe Posted June 9, 2010
What would be best to eliminate remote form submission?
rpdesign Posted July 5, 2010
Do I really need anti XSS? :-" I've followed every install without hitches. :P Great forum by the way! Everything works as well without me screwing things up. :lol:

Always backup your files! You will be glad you did
My add-ons: SSPP Seperate Shipping Per Product v2.5 | Support | Gift vouchers for SPPC 4.22 v2.1 | Support | Catalog Infobox v1.0 | Sorry no support for Catalog Infobox | HTML Mail v2.0 | Support | Upcoming Add ons: Addon Manager | Separate Pricing Per Product Qty | Coupon Populate | EZ-PDF Catalog
DesignAlot Posted July 13, 2010
Hello. Now when I click on "checkout" I get this message...

Warning: Cannot modify header information - headers already sent by (output started at /home/user/public_html/shop/includes/application_top.php:1073) in /home/user/public_html/shop/includes/functions/general.php on line 33

This happens at this address: "http://www.websiteaddress.com/shop/checkout_shipping.php"

What do I need to fix? I ran the permissions updater and installed the security pro. UGGGG!
germ Posted July 13, 2010
Headers Already Sent

Click the link above for an explanation. The problem is in /shop/includes/application_top.php (line 1073). Most likely "whitespace(s)" at the end.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
DesignAlot Posted July 14, 2010
Thanks, you were right. I think when I ran an automatic script for the security stuff, extra space was added. Because once I deleted that space on 1073, I got the same error at the end of "application_top.php" for two blank lines after the "?>". I am back up and running. Now I know what to look for next time with blank spaces or lines. Code... one wrong character and the whole thing stops working. Ugghh.
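The two causes DesignAlot hit (stray whitespace inside a file and blank lines after the final ?>) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread or from osCommerce; it takes one or more file paths on the command line and reports a UTF-8 byte-order mark before the opening tag, more than a single newline between a ?> and a following <?php, or anything beyond a single newline after the file's last ?>. The sample strings inside it are constructed.

```php
<?php
// Added example (not from the thread or osCommerce): detect stray output that
// causes "headers already sent" in PHP include files.
// Usage: php check_stray_output.php includes/application_top.php [more files]

/**
 * Return a list of problems found in $source, or an empty array if it is clean.
 * Checks:
 *   1. a UTF-8 byte-order mark in front of "<?php" (sent to the browser as 3 bytes);
 *   2. whitespace between a "?>" and the next "<?php" inside the file;
 *   3. anything beyond a single newline after the file's final "?>".
 * PHP swallows exactly one newline directly after "?>"; every further space or
 * blank line is echoed before any header() call can run.
 */
function stray_output_problems($source) {
    $problems = array();
    $single_newline = array("\n", "\r\n", "\r");

    if (substr($source, 0, 3) === "\xEF\xBB\xBF") {
        $problems[] = 'UTF-8 BOM before opening tag';
    }

    // Mid-file gaps, e.g. an installer that inserted "?>\n\n<?php".
    if (preg_match_all('/\?>(\s+)<\?php/', $source, $m, PREG_OFFSET_CAPTURE)) {
        foreach ($m[1] as $gap) {
            if (!in_array($gap[0], $single_newline, true)) {
                $line = substr_count($source, "\n", 0, $gap[1]) + 1;
                $problems[] = 'whitespace between ?> and <?php at line ' . $line;
            }
        }
    }

    // Trailing whitespace after the last closing tag (DesignAlot's second error).
    $trimmed = rtrim($source);
    if (substr($trimmed, -2) === '?>') {
        $tail = substr($source, strlen($trimmed));
        if ($tail !== '' && !in_array($tail, $single_newline, true)) {
            $problems[] = sprintf('%d byte(s) of whitespace after closing tag: %s',
                strlen($tail), json_encode($tail));
        }
    }

    return $problems;
}

function report($name, $source) {
    $found = stray_output_problems($source);
    echo $name, ': ', ($found ? implode('; ', $found) : 'clean'), PHP_EOL;
}

// Constructed samples standing in for real files.
$samples = array(
    'clean'       => "<?php\necho 'ok';\n?>\n",
    'blank_lines' => "<?php\necho 'ok';\n?>\n\n\n",        // two blank lines after ?>
    'mid_file'    => "<?php\n?>\n\n<?php\necho 'ok';\n",   // gap inserted mid-file
    'bom'         => "\xEF\xBB\xBF<?php\necho 'ok';\n",
);
foreach ($samples as $name => $source) {
    report($name, $source);
}

// Real files given on the command line.
for ($i = 1; $i < $argc; $i++) {
    $source = file_get_contents($argv[$i]);
    if ($source === false) {
        echo $argv[$i], ': cannot read', PHP_EOL;
        continue;
    }
    report($argv[$i], $source);
}
```

The mid-file check can report a false positive when "?>" occurs inside a string or comment, so treat its output as a list of places to look, not as proof; the end-of-file check has no such ambiguity. Leaving the closing ?> off pure-PHP include files altogether removes the trailing-whitespace problem entirely.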
theoiks Posted July 14, 2010
Hi All, It's been a while since my last ecommerce project and I am just swinging by this thread to see if there have been any major security issues recently with 2.2RC2a. On the OP, the Security Pro contribution...is this still relevant? Hasn't been updated since 08 so I was wondering if there's a newer version or different mod altogether? Thanks
rpdesign Posted July 18, 2010
There is something I noticed and that is websites that sell excess bandwidth such as 216.129.119.43 or layer42.net hide themselves as "customers" and hog your bandwidth using your site as their gateway :angry: But if you installed IP trap as mentioned in the first page you can add them to your blocked list :lol: I used this site to find out if they were a legitimate customer or not. I'm trying to see if I can make an add-on for osCommerce to add this functionality to the admin side.
Klamath Posted July 19, 2010
Security Pro cleans the query string, however any forms using $_POST are unaffected. If you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

after:

    require('includes/application_top.php');

add:

    // clean posted vars: strip every character outside the whitelist
    // (iterate over a key snapshot so entries can be unset while looping)
    foreach (array_keys($_POST) as $key) {
      if (!is_array($_POST[$key])) {
        $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
      } else {
        unset($_POST[$key]); // no arrays expected
      }
    }

This does not allow for arrays, additional code is needed if they are used. Is this necessary anywhere in the OSC base files, or just for add-ons? Do any popular add-ons require this?
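Klamath's snippet drops any array-valued field, which breaks forms that legitimately post arrays (multi-select lists, product attribute arrays). The following is an added example, not Klamath's code and not part of Security Pro; it applies the same character whitelist recursively so nested arrays are cleaned instead of discarded, cleans the keys as well as the values (both are attacker-controlled), and caps recursion depth. The function name, the depth limit and the sample input are my own choices.

```php
<?php
// Added example (not Security Pro or Klamath's code): recursive whitelist
// cleaning of $_POST, so nested arrays are cleaned rather than dropped.
// The character whitelist is the one from the post above.

define('POST_ALLOWED_CHARS', "/[^ a-zA-Z0-9@%:{}_.-]/");

/**
 * Return $value with every character outside the whitelist removed.
 * Arrays are cleaned recursively; their keys are cleaned too, because a
 * client controls them just as much as the values.
 */
function clean_posted_value($value, $depth = 0) {
    // Hard depth limit (chosen here as 8) so a deliberately deep structure
    // cannot exhaust the stack; anything deeper is discarded.
    if ($depth > 8) {
        return array();
    }
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean_key = preg_replace(POST_ALLOWED_CHARS, '', (string) $key);
            $clean[$clean_key] = clean_posted_value($item, $depth + 1);
        }
        return $clean;
    }
    // urldecode() mirrors the original snippet; the regex then strips
    // everything the whitelist does not allow.
    return preg_replace(POST_ALLOWED_CHARS, '', urldecode((string) $value));
}

// Constructed sample input standing in for a real $_POST. In a live page the
// call would be: $_POST = clean_posted_value($_POST); right after
// require('includes/application_top.php');
$sample_post = array(
    'email'    => 'jane.doe@example.com',
    'comments' => "nice <script>alert(1)</script> product",
    'id'       => array('1', '2 OR 1=1', array('x' => '<b>')),
);

$cleaned = clean_posted_value($sample_post);
// $cleaned['comments']  is now "nice scriptalert1script product"
// $cleaned['id'][1]     is now "2 OR 11"
// $cleaned['id'][2]['x'] is now "b"
var_export($cleaned);
```

A whitelist this narrow also removes apostrophes, commas, plus signs and line breaks, so names such as O'Brien, multi-line addresses and plus-addressed e-mail all get mangled. For those fields, validate per field and rely on proper escaping at the database and output layers; a blanket whitelist is a coarse backstop, not a replacement for that.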
eveorgan Posted July 29, 2010
> Firstly: - Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

Sorry, but somebody please tell me what 'browse to it' means!!!!! Browse to it? Load it in your browser? How do you do this - simply opening the file from your Security Pro download on your PC will do nothing to your server files - somebody please explain! I use 'Fetch' on a Mac as my FTP program, and there is no 'browsing' function available for files at all. I'm at my wits end here - I don't understand what this step is asking me to do. Someone please run me through this in detail, what I should click, etc. Nothing is happening. Thank you!
Mort-lemur Posted July 29, 2010
Hi, Browse to it simply means that after you copy the files over you go to www.yoursite.com/SecurityPro_installer.php in your browser - be it IE or Firefox or Mozilla etc. Thanks
eveorgan Posted July 30, 2010
> Hi, Browse to it simply means that after you copy the files over you goto www.yoursite.com/SecurityPro_installer.php in your browser - be it IE or Firefox or Mozilla etc. Thanks

Thanks so much for your reply :o) I've tried this, then double checked everything and tried again - and I keep getting a 404 error message, file not found. Why could this be?? Needless to say, it hasn't auto-inserted the admin details so I can't 'turn FWR on' in my admin panel as it isn't there. Anybody else have this problem, or know how to fix it?? Thanks so much again! :) xx
Guest Posted September 12, 2010
You recommend these settings for files and folders:

> Also make sure that all files, except for the two configure.php files have permissions no higher than 644. The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400 which is correct. Permissions on folders should be no higher than 755.

If the folders have a setting of 755 do the files in these folders need to be set to 644? Thanks in advance, Heather
♥FWR Media Posted September 12, 2010
> You recommend these settings for files and folders: Also make sure that all files, except for the two configure.php files have permissions no higher than 644. The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400 which is correct. Permissions on folders should be no higher than 755. If the folders have a setting of 755 do the files in these folders need to be set to 644? Thanks in advance, Heather

Yes the average file should be 0644

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls | KissMT Dynamic SEO Meta & Canonical Header Tags | KissER Error Handling and Debugging | KissIT Image Thumbnailer | Security Pro - Querystring protection against hackers ( a KISS contribution )
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
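The limits quoted above (files no higher than 644, folders no higher than 755, with 444 or 400 on configure.php still fine because those are subsets of 644) are easy to state and tedious to verify across a whole catalog tree. The script below is an added example, not part of the thread or of any osCommerce add-on; it walks a directory from the command line and lists every entry that has a permission bit set which the limit for its type does not allow, which is what "no higher than" means in practice. It assumes PHP 5.3 or later for FilesystemIterator::SKIP_DOTS, and the function names are my own.

```php
<?php
// Added example (not from the thread or any add-on): report files and
// directories whose permissions exceed the limits recommended above.
// Usage: php audit_perms.php /path/to/catalog

function mode_bits($path) {
    return fileperms($path) & 0777; // drop the file-type bits, keep rwx for u/g/o
}

/**
 * Walk $root and return an array of array(path, octal mode) for every entry
 * that is more permissive than the limit for its type. A file is "too
 * permissive" when it has a bit set that $max does not have, so 0444 and 0400
 * pass a 0644 limit while 0664, 0666 and 0755 fail it.
 */
function find_loose_permissions($root, $file_max = 0644, $dir_max = 0755) {
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $mode = mode_bits($path);
        $max  = $info->isDir() ? $dir_max : $file_max;
        if (($mode & ~$max) !== 0) {
            $findings[] = array($path, sprintf('%04o', $mode));
        }
    }
    return $findings;
}

$root = isset($argv[1]) ? $argv[1] : '.';
$loose = find_loose_permissions($root);
if (count($loose) === 0) {
    echo "no entries above 0644 (files) / 0755 (directories) under $root", PHP_EOL;
}
foreach ($loose as $f) {
    // e.g. "0777  /path/to/catalog/images" (constructed illustration of the format)
    echo $f[1], '  ', $f[0], PHP_EOL;
}
```

Run it as the same user the web server executes PHP as, so that fileperms() sees the same view the application does. Directories that a store genuinely needs writable (an images upload folder, a cache directory) will be listed too; that is intended, since each one is a deliberate exception you should be able to name rather than a default.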
♥FWR Media Posted September 12, 2010
New file security addon available. ( PHP 5.2+ is needed )

KISS FileSafe .. installs in minutes .. no file changes .. no admin settings. Click the link to learn more.
seandenby Posted September 15, 2010
Can someone not take the v2.2 of OSC and add all these security fixes and then upload it for everyone to download...25 pages of updates is A LOT!
♥mdtaylorlrim Posted September 15, 2010
> can someone not take the v2.2 of OSC and add all these security fixes and then upload it for everyone to download...25 pages of updates is ALOT!

Some of them do the same thing and would conflict with each other, possibly. And some may be a compilation of two or three of the others, making some unnecessary if you have one specific add-on. But, I suspect that the new, yet-to-be-released version 2.3 will have those updates.

Community Bootstrap Edition, Edge
Avoid the most asked question. See How to Secure My Site and How do I...?
seandenby Posted September 16, 2010
Will I be able to upgrade my currently modified 2.2 to 2.3? No way I'm starting again :angry:
economic_computing Posted September 29, 2010
Can someone explain to me why the vulnerable file_manager.php continued to be released along with the package well after the exploit was known, and without any big flashing warning REMOVE THIS SCRIPT OR YOU CAN BE HACKED?
Guest Posted September 29, 2010
Sean, YES, there will be upgrade documents in the 2.3 download. OR you can read it here: Upgrade from RC2a to 2.3
Chris
Guest Posted September 29, 2010
David, Another fine question that really has no sound explanation. However, you will be happy to know that v2.3 has those vulnerabilities corrected.
Chris
Archived
This topic is now archived and is closed to further replies.