daninjapan Posted October 1, 2008

Has anyone noticed the DECLARE hack in the 'who's online' feature recently? It seems I'm being hit with it every day. The URL looks something like this:

/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204

I've been reading about it, and it seems it is a hack that is trying to get into your SQL database to plant things in there. Is the osCommerce script protected against this hack, or are there any updates available for this?
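The hex string after CAST(0x in URLs like the one above is just T-SQL encoded byte by byte (0x44 0x45 0x43 0x4C 0x41 0x52 0x45 0x20 spells "DECLARE "). The following decoder is an added example, not code from the thread or from osCommerce: it URL-decodes a query string, pulls out every CAST(0x...) literal and turns it back into readable SQL so you can see what a logged request was actually trying to run. The sample query string is constructed here (the one in the post is cut off, so it is not reused), the inner SQL is a harmless stand-in, and the UTF-16 check is my own heuristic for NVARCHAR-style variants.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Constructed stand-in for the hex-encoded T-SQL. This is NOT the poster's
# actual payload (theirs is truncated on the page) and it is deliberately harmless.
CONSTRUCTED_INNER_SQL = "DECLARE @T varchar(255); SELECT name FROM sysobjects WHERE xtype='U';"
HEX_BODY = CONSTRUCTED_INNER_SQL.encode("ascii").hex().upper()
SAMPLE_QUERY = (
    "/?;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x" + HEX_BODY
    + "%20AS%20CHAR(4000));EXEC(@S);--"
)

# Matches the hex literal handed to CAST(); case-insensitive because attackers vary it.
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)


def decode_hex_literal(hex_digits: str) -> tuple[str, bool]:
    """Turn a 0x... literal into text. Returns (text, truncated).

    An odd number of hex digits means the log line or URL was cut off; the
    dangling nibble is dropped and the caller is told the result is incomplete.
    """
    truncated = len(hex_digits) % 2 == 1
    if truncated:
        hex_digits = hex_digits[:-1]
    raw = bytes.fromhex(hex_digits)
    # Heuristic (my assumption, not from the page): payloads cast to NVARCHAR
    # hex-encode UTF-16LE text, so every second byte is 0x00 for ASCII SQL.
    if len(raw) >= 4 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace"), truncated
    return raw.decode("latin-1"), truncated


def extract_cast_payloads(query: str) -> list[dict]:
    """URL-decode a query string and decode every CAST(0x...) literal it carries."""
    decoded_query = unquote(query)
    results = []
    for m in CAST_HEX.finditer(decoded_query):
        text, truncated = decode_hex_literal(m.group(1))
        results.append({"hex_len": len(m.group(1)), "sql": text, "truncated": truncated})
    return results


if __name__ == "__main__":
    for p in extract_cast_payloads(SAMPLE_QUERY):
        flag = " (truncated)" if p["truncated"] else ""
        print(f"{p['hex_len']} hex digits{flag}: {p['sql']}")
```

Run it against the query strings in your access log rather than against the 'who's online' display, which truncates long URLs; a truncated literal decodes to only a prefix and the function flags it so you do not mistake a partial payload for the whole one.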
spooks Posted October 1, 2008

http://www.oscommerce.com/forums/index.php?showtopic=313323

Sam
Remember, what you think I meant may not be what I thought I meant when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
daninjapan (Author) Posted October 2, 2008

I have put the following in my .htaccess file:

# [NC] = case-insensitive match; [F] = answer with 403 Forbidden
RewriteCond %{QUERY_STRING} ^.*(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark).* [NC]
RewriteRule .* - [F]

Can anyone see any problems with this rewrite?
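A quick way to answer the question in the post above is to transcribe the RewriteCond pattern into a regex and run it over a handful of query strings. This is an added example, not code from the thread or from osCommerce; the query strings are constructed here, and the only assumption is that mod_rewrite matches %{QUERY_STRING} exactly as the client sent it, without URL-decoding (which is why the original pattern spells out %27, %3C and so on). The cases show what the rule is really checking for: a listed special character somewhere before a listed keyword, with the keyword matched as a bare substring.

```python
from __future__ import annotations

import re

# The poster's RewriteCond pattern transcribed into Python regex syntax; [NC] -> IGNORECASE.
SPECIALS = r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00)"""
KEYWORDS = r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)"
RULE = re.compile(r"^.*" + SPECIALS + r".*" + KEYWORDS + r".*", re.IGNORECASE)


def blocked(query_string: str) -> bool:
    """True when the RewriteCond would match and the RewriteRule answer 403."""
    return RULE.match(query_string) is not None


# Constructed query strings (mine, not from the page). Values are the expected verdicts.
CASES: dict[str, bool] = {
    # Same shape as the attack in the thread, hex body shortened to a placeholder:
    # ';' precedes DECLARE/SET/CAST, so the rule fires.
    ";DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x44%20AS%20CHAR(4000));EXEC(@S);--": True,
    # Ordinary osCommerce-style request: no special character, passes.
    "products_id=28&osCsid=abc123": False,
    # Keywords alone are not enough; without a special character the rule stays quiet.
    "action=select_category&sort=update": False,
    # False positive: an apostrophe in a name followed by a parameter that merely
    # contains 'set' as a substring.
    "name=O'Brien&reset=1": True,
    # Evasion: the first letter of each keyword is URL-encoded. Apache sees the raw
    # query string, which never contains the literal words, while the PHP layer
    # decodes %44ECLARE back to DECLARE before it ever reaches a query.
    ";%44ECLARE%20@S%20CHAR(4000);%53ET%20@S=%43AST(0x44%20AS%20CHAR(4000));EXEC(@S);--": False,
}


def evaluate(cases: dict[str, bool] = CASES) -> dict[str, bool]:
    """Return, per query string, whether the rule's verdict matched the expectation."""
    return {qs: blocked(qs) == expected for qs, expected in cases.items()}


if __name__ == "__main__":
    for qs, expected in CASES.items():
        verdict = "BLOCKED" if blocked(qs) else "allowed"
        print(f"{verdict:8} (expected {'block' if expected else 'allow'}): {qs}")
```

The last two cases are the ones worth keeping in mind when judging a filter like this: it is a pattern on the undecoded query string, so anything it does not spell out (an encoded letter in a keyword, for instance) walks past it, and it treats "set" in "reset" the same as the SQL keyword. It blocks the noisy version of the attack that shows up in 'who's online', which is useful, but it is not a substitute for the application using parameterised or properly escaped queries.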