osCommerce

How to secure your osCommerce 2.2 site.


spooks

Posted

The original post is nearly 2 years old.

 

I have v2.2 RC2a ... how much of this is pertinent now?

 

r/ed

 

All of it

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

Posted

All of it

 

 

Hmmmm ... well, I don't have a file_manager.php under admin and Security Pro was part of my vanilla site.

 

r/ed

Posted

Hmmmm ... well, I don't have a file_manager.php under admin and Security Pro was part of my vanilla site.

 

r/ed

 

Well that's odd - I'm on 2.2 RC2a and had to delete file manager and add Security Pro.

Posted

Well that's odd - I'm on 2.2 RC2a and had to delete file manager and add Security Pro.

 

That is weird! But I am gonna check the installs, since they also have Easy Populate, but it is not installed properly: it does not work once they moved the root (they eliminated the catalog folder, never set up the temp dir, and missed the catalog menu choice entirely).

 

Thanks for the help though ... most of these security updates are straightforward and very helpful :)

 

r/ed

  • 3 weeks later...
  • 4 weeks later...
Posted

Do I really need anti-XSS? :-" I've followed every install without hitches. :P Great forum by the way! Everything works as well, without me screwing things up. :lol:

Always backup your files! You will be glad you did

My add-ons :

SSPP Seperate Shipping Per Product v2.5| Support
Gift vouchers for SPPC 4.22 v2.1 | Support |
Catalog Infobox v1.0 | Sorry no support for Catalog Infobox |
HTML Mail v2.0 | Support |




Upcoming Add ons:

Addon Manager |
Separate Pricing Per Product Qty |
Coupon Populate |
EZ-PDF Catalog

  • 2 weeks later...
Posted

Hello. Now when I click on "checkout" I get this message...

 

Warning: Cannot modify header information - headers already sent by (output started at /home/user/public_html/shop/includes/application_top.php:1073) in /home/user/public_html/shop/includes/functions/general.php on line 33

 

This happens at this address: "http://www.websiteaddress.com/shop/checkout_shipping.php"

 

What do I need to fix? I ran the permissions updater and installed the security pro. UGGGG!

Posted

Headers Already Sent

 

Click the link above for an explanation.

 

The problem is in /shop/includes/application_top.php (line 1073)

 

Most likely "whitespace(s)" at the end.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 


Posted

Thanks, you were right. I think when I ran an automatic script for the security stuff, extra space was added. Because once I deleted that space on 1073, I got the same error at the end of "application_top.php" for two blank lines after the "?>". I am back up and running. Now I know what to look for next time with blank spaces or lines. Code... one wrong character and the whole thing stops working. Ugghh.

Posted

Hi All,

It's been a while since my last e-commerce project and I'm just swinging by this thread to see if there have been any major security issues recently with 2.2RC2a.

On the OP, the Security Pro contribution... is this still relevant? It hasn't been updated since '08, so I was wondering if there's a newer version or a different mod altogether?

Thanks

Posted

There is something I noticed, and that is that websites that sell excess bandwidth, such as 216.129.119.43 or layer42.net, hide themselves as "customers" and hog your bandwidth using your site as their gateway :angry: But if you installed IP Trap as mentioned on the first page you can add them to your blocked list :lol: I used this site to find out if they were a legitimate customer or not. I'm trying to see if I can make an add-on for osCommerce to add this functionality to the admin side.


Posted

Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms using the POST method, you would be advised to do the following on pages accepting $_POST vars.

 

after:

 

require('includes/application_top.php');

add:

 
// clean posted vars
foreach ($_POST as $key => $value) {
    if (!is_array($value)) {
        // urldecode first, then strip every character outside the whitelist
        $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($value));
    } else {
        unset($_POST[$key]); // no arrays expected
    }
}

 

This does not allow for arrays; additional code is needed if they are used.

 

Is this necessary anywhere in the OSC base files, or just for add-ons? Do any popular add-ons require this?
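As an added example (not code from the post above or from osCommerce), here is a recursive variant of that $_POST cleaner that filters array-valued fields instead of discarding them, using the same character whitelist; the helper name clean_input() and the sample input are assumptions.

```php
<?php
// Added example, not code from the forum post: a recursive version of the
// $_POST cleaner so that array-valued fields (e.g. id[] from attribute
// selectors) are filtered rather than dropped. Same whitelist as the post.
// The helper name clean_input() is hypothetical.

define('POST_WHITELIST', "/[^ a-zA-Z0-9@%:{}_.-]/");

function clean_input($value) {
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $k => $v) {
            // array keys are attacker-controlled too, so filter them the same way
            $ck = preg_replace(POST_WHITELIST, '', urldecode((string) $k));
            $clean[$ck] = clean_input($v);
        }
        return $clean;
    }
    // urldecode() first so a double-encoded payload cannot slip past the whitelist
    return preg_replace(POST_WHITELIST, '', urldecode((string) $value));
}

// Constructed sample standing in for a real $_POST (not real customer data)
$sample = array(
    'email'    => 'user@example.com',
    'comments' => "<script>alert(1)</script> hello",
    'id'       => array('4' => '12', '5' => "19' OR 1=1"),
);
var_dump(clean_input($sample));

// In a page: right after require('includes/application_top.php');
// $_POST = clean_input($_POST);
```

Note that the whitelist also strips apostrophes, plus signs and any non-ASCII letter, so names like O'Brien or addresses in other scripts are silently altered; per-field validation (email, integer, etc.) is more precise where the page knows what it expects.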

  • 2 weeks later...
Posted

Firstly: -

Upload SecurityPro_installer.php to your catalog folder. Browse to it and the installation will auto insert your admin settings.

 

Sorry, but somebody please tell me what 'browse to it' means!!!!! Browse to it? Load it in your browser? How do you do this - simply opening the file from your Security Pro download on your PC will do nothing to your server files - somebody please explain!

I use 'Fetch' on a Mac as my FTP program, and there is no 'browsing' function available for files at all. I'm at my wits' end here - I don't understand what this step is asking me to do.

Someone please run me through this in detail, what I should click, etc. Nothing is happening.

Thank you!

Posted

Hi,

 

Browse to it simply means that after you copy the files over you go to www.yoursite.com/SecurityPro_installer.php in your browser - be it IE or Firefox or Mozilla etc.

 

Thanks


Posted

Hi,

 

Browse to it simply means that after you copy the files over you go to www.yoursite.com/SecurityPro_installer.php in your browser - be it IE or Firefox or Mozilla etc.

 

Thanks

 

Thanks so much for your reply :o)

I've tried this, then double checked everything and tried again - and I keep getting a 404 error message, file not found.

Why could this be?? Needless to say, it hasn't auto-inserted the admin details so I can't 'turn FWR on' in my admin panel as it isn't there.

Anybody else have this problem, or know how to fix it??

Thanks so much again!

:) xx

  • 1 month later...
Posted

You recommend these settings for files and folders :

 

Also make sure that all files, except for the two configure.php files have permissions no higher than 644.

 

The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400 which is correct.

 

Permissions on folders should be no higher than 755.

 

If the folders have a setting of 755 do the files in these folders need to be set to 644?

 

Thanks in advance,

Heather

Posted

You recommend these settings for files and folders :

 

Also make sure that all files, except for the two configure.php files have permissions no higher than 644.

 

The permissions for the two configure.php files will vary according to the server your site is on - it could be 644, 444 or 400 which is correct.

 

Permissions on folders should be no higher than 755.

 

If the folders have a setting of 755 do the files in these folders need to be set to 644?

 

Thanks in advance,

Heather

 

Yes, the average file should be 0644.
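The permission rules above, the "headers already sent" whitespace problem from earlier in the thread, and the advice to remove file_manager.php can all be checked with one read-only script. This is an added example, not part of the thread or of osCommerce; the script name, function names and the whitespace heuristic are assumptions.

```php
<?php
// Added example, not part of the thread or of osCommerce: a read-only audit of
// the catalog tree for the problems discussed on this page. Usage from a shell:
//   php audit_catalog.php /path/to/catalog
// Checks: bytes outside the PHP tags ("headers already sent"), files above
// 0644 / folders above 0755 (configure.php listed separately), file_manager.php.
function audit_php_source($path) {
    $src = file_get_contents($path);
    $issues = array();
    if (substr($src, 0, 3) === "\xEF\xBB\xBF") {
        $issues[] = 'UTF-8 BOM before opening tag';
    } elseif (ltrim($src) !== $src) {
        $issues[] = 'whitespace before opening tag';
    }
    $close = strrpos($src, '?>');   // heuristic: a ?> inside a string literal is found too
    if ($close !== false) {
        // PHP swallows exactly one newline after ?>; anything more is sent as output
        $tail = substr($src, $close + 2);
        if ($tail !== '' && $tail !== "\n" && $tail !== "\r\n") {
            $issues[] = 'output after closing tag';
        }
    }
    return $issues;
}

function audit_mode($path) {
    $mode  = fileperms($path) & 0777;
    $limit = is_dir($path) ? 0755 : 0644;
    if (!is_dir($path) && basename($path) === 'configure.php') {
        return sprintf('configure.php is %04o (644, 444 or 400 depending on the host)', $mode);
    }
    // "no higher than" means no permission bit set beyond the limit (e.g. group/world write)
    return ($mode & ~$limit) ? sprintf('mode %04o exceeds %04o', $mode, $limit) : null;
}

function audit_catalog($root) {
    $findings = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST);
    foreach ($it as $path => $info) {
        if (($m = audit_mode($path)) !== null) $findings[] = "$path: $m";
        if (!$info->isFile() || substr($path, -4) !== '.php') continue;
        if (basename($path) === 'file_manager.php') $findings[] = "$path: vulnerable file manager still present";
        foreach (audit_php_source($path) as $i) $findings[] = "$path: $i";
    }
    return $findings;
}
foreach (audit_catalog(isset($argv[1]) ? $argv[1] : '.') as $line) echo $line, "\n";
```

The script only reports; fixing modes is still a deliberate chmod on each finding, since some hosts (suexec/PHP-FPM setups) legitimately require different values.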

Posted

New file security add-on available (PHP 5.2+ is needed).

 

KISS FileSafe .. installs in minutes .. no file changes .. no admin settings. Click the link to learn more.

Posted

Can someone not take v2.2 of OSC, add all these security fixes and then upload it for everyone to download... 25 pages of updates is A LOT!

Posted

Can someone not take v2.2 of OSC, add all these security fixes and then upload it for everyone to download... 25 pages of updates is A LOT!

Some of them do the same thing and would possibly conflict with each other. And some may be a compilation of two or three of the others, making some unnecessary if you have one specific add-on. But I suspect that the new, yet-to-be-released version 2.3 will have those updates.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?

  • 2 weeks later...
Posted

Can someone explain to me why the vulnerable file_manager.php continued to be released along with the package well after the exploit was known, and without any big flashing warning: REMOVE THIS SCRIPT OR YOU CAN BE HACKED?

Posted

David,

 

Another fine question that really has no sound explanation. However, you will be happy to know that v2.3 has those vulnerabilities corrected.

 

 

 

Chris

Archived

This topic is now archived and is closed to further replies.
