
How to secure your osCommerce 2.2 site.


spooks


Posted

Adam,

Comment out these lines:

BAN IP NUMBERS, ALL OF TURKEY

FORCE TYPE

so they appear like this:

#BAN IP NUMBERS, ALL OF TURKEY

#FORCE TYPE

Chris

Posted

Tried it guys, still getting the internal error... hmm, I guess it's just delete some code and see what is making the problem :/

Posted


This is sort of 'out there' but you need to make sure that your host has OptionsOverride set to true or else none of this will work. Most hosts do, but may limit what you can do in there. If you are on your own server then the OptionsOverride is not on by default.

 

And you can test by commenting out blocks of code rather than deleting it. You can't simply comment out individual lines, as some code is dependent on others, so comment out logical blocks until it works. Rather, comment out the entire file, then uncomment logical blocks until it stops working.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?
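A small helper for the bisection approach described in the post above, added here as an example; it is not code from the thread, from osCommerce or from any contribution. It splits an .htaccess file into logical blocks and renders "first n blocks enabled, everything after commented out" variants, so you can upload them one at a time and note the first n that returns a 500. Assumptions: blocks are separated by blank lines, a <Tag ...>...</Tag> container such as <IfModule> counts as one block even when it contains blank lines, and RewriteCond lines are never separated from the RewriteRule that follows them (Apache applies them as one unit). The sample .htaccess text is constructed for the example.

```python
"""Bisect an .htaccess file by commenting out logical blocks.

Added example, not from the thread or any osCommerce contribution. Assumptions:
blank lines separate blocks, <Tag ...>...</Tag> containers are one block, and a
RewriteCond chain stays glued to the RewriteRule after it.
"""
import re

CONTAINER_OPEN = re.compile(r"^\s*<(\w+)[^>]*>\s*$")   # e.g. <IfModule mod_rewrite.c>
CONTAINER_CLOSE = re.compile(r"^\s*</(\w+)>\s*$")      # e.g. </IfModule>


def _is_directive(line):
    """True for a line Apache will parse (not blank, not a '#' comment)."""
    s = line.strip()
    return bool(s) and not s.startswith("#")


def _ends_with_rewritecond(block):
    for line in reversed(block):
        if _is_directive(line):
            return line.lstrip().lower().startswith("rewritecond")
    return False


def split_blocks(text):
    """Split .htaccess text into a list of blocks, each a list of lines."""
    blocks, current, depth = [], [], 0
    for line in text.splitlines():
        if CONTAINER_OPEN.match(line):
            depth += 1
        if depth == 0 and not line.strip():
            if current:                 # blank line at top level closes a block
                blocks.append(current)
                current = []
            continue
        current.append(line)
        if depth and CONTAINER_CLOSE.match(line):
            depth -= 1
            if depth == 0:              # closing tag of the outermost container
                blocks.append(current)
                current = []
    if current:
        blocks.append(current)

    # RewriteCond lines only mean something together with the next RewriteRule,
    # so a block that ends in RewriteCond is merged with the block after it.
    merged = []
    for block in blocks:
        if merged and _ends_with_rewritecond(merged[-1]):
            merged[-1].extend([""] + block)
        else:
            merged.append(block)
    return merged


def comment_out(block):
    """Prefix every directive line with '#', leaving comments and blanks alone."""
    return ["#" + line if _is_directive(line) else line for line in block]


def enable_first(blocks, n):
    """Render the file with blocks[:n] active and every later block commented out."""
    out = []
    for i, block in enumerate(blocks):
        out.extend(block if i < n else comment_out(block))
        out.append("")
    return "\n".join(out).rstrip("\n") + "\n"


SAMPLE = r"""# constructed sample, not any real site's .htaccess
Options +FollowSymLinks
RewriteEngine On
RewriteBase /catalog/

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

RewriteRule ^(.*)$ index.php [F,L]

<IfModule mod_php5.c>
  php_value register_globals 0

  php_value display_errors 0
</IfModule>

RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING}
"""

if __name__ == "__main__":
    blocks = split_blocks(SAMPLE)
    for n in range(len(blocks) + 1):
        print(f"--- variant with first {n} of {len(blocks)} blocks enabled ---")
        print(enable_first(blocks, n))
```

Start with n = 0 (everything commented out): if that still gives a 500, the problem is not in the file at all, which is the AllowOverride / host-permission case discussed above. Otherwise the first n that fails names the culprit block.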

Posted

Another thing to check is the file permissions for your htaccess, and... some hosts do not allow use of the htaccess file at all. You may be better off checking on a server you know does accept htaccess; then you know the script is not your problem.

Regards

Nic


Posted

Adam,

 

Unfortunately that means your hosting provider won't allow many of the protection scripts that are included in the .htaccess protection scripts contribution to function.

 

 

Chris

Posted

Geeez, great! So how bad is this? Is it better to move hosting or just implement as many as I can and add other protection features?

 

Thank you for all your help!

Posted


Personally, I wouldn't use the host because I rely on the ability to block ip addresses and to prevent php scripts from running in image directories.

 

If you can explain to your host why you need this perhaps they can offer you an alternate hosting package or some other solution.


Posted

I would go with another host, I can host you if you like, just private message me.

 

Let me ask you: in osCommerce version 2.3.1, a lot of these security fixes have been applied, correct?

Posted

Although 2.3.1 has improved security, many of the most commonly used contributions have not yet been updated to work with 2.3.1, so there are a lot of people waiting to upgrade until the contributions are upgraded.

 

 

 

Chris

Posted

Can anyone recommend a good cheap hosting service in the UK? Fasthost looks good.

 

I seem to remember with Fasthosts that if you navigate away from the registration pages you get an even cheaper deal. If you intend to host more than one site there, I would recommend registering a URL you will not use, and then you can have each of your real sites in a sub-directory.

 

But I am not running MySQL on this package.

 

HTH

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 


Posted

Hello, I'm trying to use this with Ultimate SEO. This is the current code in my .htaccess file; when I add yours below it I get a 500 error. I would love some advice on how I need to modify it, as I'm not familiar with PHP at all.

 

# Begin Ultimate SEO V2.2d
Options +FollowSymLinks
RewriteEngine On

# RewriteBase instructions
# Change RewriteBase dependent on how your shop is accessed as below.
# http://www.mysite.com = htttp://www.compositewerkz.com /
# http://www.mysite.com/catalog/ = RewriteBase /catalog/
# http://www.mysite.com/catalog/shop/ = RewriteBase /catalog/shop/

# Change the following line using the instructions above

RewriteBase /htttp://www.compositewerkz.com/

RewriteRule ^(.*)-p-(.*).html$ product_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-c-(.*).html$ index.php?cPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-m-(.*).html$ index.php?manufacturers_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pi-(.*).html$ popup_image.php?pID=$2&%{QUERY_STRING}
RewriteRule ^(.*)-by-(.*).html$ all-products.php?fl=$2&%{QUERY_STRING}
RewriteRule ^(.*)-t-(.*).html$ articles.php?tPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-a-(.*).html$ article_info.php?articles_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-au-(.*).html$ articles.php?authors_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pr-(.*).html$ product_reviews.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pri-(.*).html$ product_reviews_info.php?products_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-f-(.*).html$ faqdesk_info.php?faqdesk_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-fc-(.*).html$ faqdesk_index.php?faqPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-fri-(.*).html$ faqdesk_reviews_info.php?faqdesk_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-fra-(.*).html$ faqdesk_reviews_article.php?faqdesk_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-i-(.*).html$ information.php?info_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-links-(.*).html$ links.php?lPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-pm-([0-9]+).html$ info_pages.php?pages_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-n-(.*).html$ newsdesk_info.php?newsdesk_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-nc-(.*).html$ newsdesk_index.php?newsPath=$2&%{QUERY_STRING}
RewriteRule ^(.*)-nri-(.*).html$ newsdesk_reviews_info.php?newsdesk_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-nra-(.*).html$ newsdesk_reviews_article.php?newsdesk_id=$2&%{QUERY_STRING}
RewriteRule ^(.*)-po-([0-9]+).html$ pollbooth.php?pollid=$2&%{QUERY_STRING}
# End Ultimate SEO V2.2d

Posted


The htaccess file has nothing to do with PHP. It is a distributed server configuration file.

Just checked your site; it seems to be working fine:

http://www.compositewerkz.com/

Do note this line though:

RewriteBase /htttp://www.compositewerkz.com/

Triple t's? Though this wouldn't cause the site to return a 500 Internal Server Error; send me a PM if you would like more details.

Posted

This line:

RewriteBase /htttp://www.compositewerkz.com/

should be RewriteBase /

or this

RewriteBase /catalog (unless you put your cart into a shop or store folder, then substitute the directory name)

Nothing else.

Chris

Posted

I am an IT person who is unfamiliar with osCommerce. Our site has been hacked and the site creator is no longer available. Google flagged the site and I have been trying to find someone who could help change the admin password and lock down the site so that it does not get compromised again. Please help.

Posted

I tried to install Security Pro on my osCommerce v2.2 RC2a. I attempted to run SecurityPro_installer.php in the root directory of my store, but it doesn't appear to do anything. I tried to run the script within a shell: nothing. Within File Manager in osCommerce, it just waits a few seconds, then blinks. Nothing. Do you have a manual way of installing this? I have Sitemonitor and all permissions installed. Thanks, Steve


Posted

Had an interesting one recently.

Files kept disappearing from the site, mainly header_tags.php, general.php, html_output.php.

Site Monitor would not run, as trying to check if 78,000 images were in the ignore list blew the max_execution_time and max_input_time.

As the package did not have the cron facility, I even wrote a script to check if any of the files had gone and upload any that had.

Eventually it turned out that the site was not hacked, but that the host had some security software that thought the files were malicious and just deleted them.

HTH someone

G


Posted

Security Pro 2.0 has been released.

Totally new, more modern code (albeit PHP4 compatible).
More protection.
Compatible with all osCommerce versions, including 2.3.1.

A word about .htaccess XSS contributions. I don't know if anyone realises, but none that I have seen do anything but try and replicate what Security Pro already does better, although more so now. Example:

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
base64_encode is covered by Security Pro.

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
Tags cannot get through Security Pro, as <, > and % are banned characters.

RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
Again, tags cannot get through Security Pro.

RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
GLOBALS is now banned by Security Pro.

RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
_REQUEST is now banned by Security Pro.

RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
This one may be worth keeping, as the request method is not query-string based.

Just so you are not adding unnecessary code to .htaccess, as these rules are quite server intensive and the file gets filled with rubbish.
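To see what the rules quoted in the post above actually catch, here they are run against a handful of sample requests. This is an added example, not code from the thread and not Security Pro's code: the five RewriteCond patterns and the TRACE/TRACK check are translated from Apache's PCRE syntax into Python's re (the [NC] flag becomes re.IGNORECASE), and the "banned characters / banned tokens" filter is a simplified stand-in, an assumption, for the application-level rejection of <, >, %, GLOBALS, _REQUEST and base64_encode that the post attributes to Security Pro. The sample requests are constructed here. Two things the run makes visible: the base64_encode, GLOBALS and _REQUEST rules carry no [NC], so an upper-cased BASE64_ENCODE(...) walks past them, and the request-method rule is the only one that fires on a query-string-free TRACE, which is the post's reason for keeping it.

```python
"""Run the .htaccess query-string rules from the post against sample requests.

Added example, not from the thread or from Security Pro. Patterns are translated
from Apache PCRE to Python re; the app_filter is an assumed, simplified model of
the character/token ban the post describes, not the real implementation.
"""
import re

# Apache tests RewriteCond against the raw, still URL-encoded query string,
# which is why the patterns carry %3C / %3E alternatives for < and >.
HTACCESS_RULES = [
    ("base64_encode", re.compile(r"base64_encode.*\(.*\)")),                    # no [NC]: case-sensitive
    ("script_tag",    re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)),
    ("iframe_tag",    re.compile(r"(\<|%3C).*iframe.*(\>|%3E)", re.IGNORECASE)),
    ("GLOBALS",       re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")),             # no [NC]
    ("_REQUEST",      re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")),            # no [NC]
]
BLOCKED_METHODS = re.compile(r"^(TRACE|TRACK)")

# Assumed, simplified model of the application-level filter the post describes.
BANNED_CHARS = set("<>%")
BANNED_TOKENS = ("globals", "_request", "base64_encode")


def htaccess_hits(query_string):
    """Names of the .htaccess rules whose pattern matches the raw query string."""
    return [name for name, pattern in HTACCESS_RULES if pattern.search(query_string)]


def app_filter_hit(query_string):
    """True if the simplified application filter would reject the query string."""
    lowered = query_string.lower()
    return any(c in BANNED_CHARS for c in query_string) or any(t in lowered for t in BANNED_TOKENS)


def method_blocked(method):
    """True for the request methods the REQUEST_METHOD rule rejects."""
    return BLOCKED_METHODS.match(method) is not None


def classify(method, query_string):
    return {
        "htaccess": htaccess_hits(query_string),
        "app_filter": app_filter_hit(query_string),
        "method_rule": method_blocked(method),
    }


SAMPLE_REQUESTS = [  # constructed, not captured traffic
    ("GET", "products_id=28&language=en"),
    ("GET", "cPath=%3Cscript%3Ealert(1)%3C/script%3E"),
    ("GET", "page=<iframe src=x>"),
    ("GET", "GLOBALS[x]=1"),
    ("GET", "_REQUEST=1"),
    ("GET", "x=base64_encode(abc)"),
    ("GET", "x=BASE64_ENCODE(abc)"),   # slips past the case-sensitive .htaccess rule
    ("TRACE", ""),                     # only the request-method rule sees this
]


def only_htaccess_catches(requests=SAMPLE_REQUESTS):
    """Requests the .htaccess rules reject that the simplified app filter does not."""
    extra = []
    for method, qs in requests:
        r = classify(method, qs)
        if (r["htaccess"] or r["method_rule"]) and not r["app_filter"]:
            extra.append((method, qs))
    return extra


if __name__ == "__main__":
    for method, qs in SAMPLE_REQUESTS:
        print(f"{method:6} {qs!r:45} {classify(method, qs)}")
    print("caught only by .htaccess:", only_htaccess_catches())
```

The `.*` in the quoted patterns is applied to the whole query string, so a rule like the script_tag one matches any request whose query string contains a `<` (or `%3C`) somewhere before "script" and a `>` somewhere after it, not only a well-formed tag; that breadth is part of why the post calls these rules server intensive.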

Posted

I installed AutoBackup Database in Admin - http://addons.oscommerce.com/info/2314

 

and I keep getting this error:

 

Warning: mkdir() [function.mkdir]: No such file or directory in /home/public_html/admin/auto_backup_setup.php on line 7

Error, Backup Directory Does Not Exist, please create it or run "auto_backup_setup.php"

 

Line 7

 

if ($action == 'yes' && !is_dir(DIR_FS_BACKUP)) mkdir(DIR_FS_BACKUP);

Posted

Hello,

 

Thank you for this add-on. I would like to know if this contribution works fine with your rewriting contribution.

 

Regards

Loic



 

Archived

This topic is now archived and is closed to further replies.
