
Anti-hacker Account Mods, Secure your account pages


spooks

> And the resources folder?

It's just for the doc files!

I thought the instructions quite straightforward, I didn't think people would go looking for stuff that's not there!!

It takes a long time to write these docs and most of the time people don't even bother to read what you took the trouble to write (see how many times I post 'please read the doc'), so there is no incentive to spend ages making sure every little thing is blindingly obvious, especially as most of the time you get sod all thanks for all the work anyway!

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:
Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.

> I always surf with no-script on.

You should perhaps shout that louder!

The number here that rely on javascript/ajax script on their sites to the detriment of all else is scary; all too often I find sites that simply won't work with scripts off!!

Sam

 


Okay I really want to secure my new but am having trouble with my very first contribution - Sam's Anti-hacker Account Mods. I uploaded all of the files to the original osCommerce 2.2rc2a, checked them with a compare tool, read the installation file, and read the instructions. Changed all the $HTTP_POST_VARS to $_POST for the new files.

Here is my problem. I cannot create a profile. Once everything is filled in and the continue button is clicked I am sent back to the create profile page and have to re-enter everything.

Also it does not recognize a profile I set up before the changes.

Any help appreciated.

Hi Sam,

 

First, many thanks for all you do for the community. I (and I know many others) have learned so much from your posts and contributions.

 

On to my question...

I have a heavily modified site where I have already dinked with the create account, contact us, login page, and many others that allow input by the user. I've also already fixed my country code/state dropdown, removed the fax field, etc, etc. Consequently, I would like to only use the part of your contribution that sanitizes all the input strings. To do that, would I:

 

1. Put the account_secure.php file in my includes/functions directory

2. For any file with an input field, put:

require('includes/functions/account_secure.php'); 
clean_post ();

 

Is there anything else I would need to do?

 

Also - a remedial question (sorry, but I'm asking so I'll learn) - the clean_post() goes in the file with the input field, and has to go after the require, but other than that does it matter where it's put in the file? At first, I thought it had to go after the $_POST, but then I noticed the directions for the address_book_process.php had it before.

 

Many thanks for your help!


 

 

> Here is my problem. I cannot create a profile. Once everything is filled in and the continue button is clicked I am sent back to the create profile page and have to re-enter everything.

Try using the supplied files; what you describe is abnormal. If there are errors in the input data you will return to the form with error messages, but the data will still be there, though sanitised.

Also check your settings, as detailed in the doc.

PS When posting, info like server type, PHP and osC versions is best given in case of relevance.

Sam

 


> 1. Put the account_secure.php file in my includes/functions directory
> 2. For any file with an input field, put:
> require('includes/functions/account_secure.php');
> clean_post ();

Yes that's fine, so long as it appears before any post vars are used; remember the password issue that was the original idea of the add-on, and that you will lose all the advantages of the various input validations.
Sam

 


> Try using the supplied files; what you describe is abnormal. If there are errors in the input data you will return to the form with error messages, but the data will still be there, though sanitised.
>
> Also check your settings, as detailed in the doc.
>
> PS When posting, info like server type, PHP and osC versions is best given in case of relevance.

Thanks for taking the time to respond so quickly. I agree this sounds abnormal from all that I have read. Sorry for not including all the info you may need: Server Apache 2.0, PHP Version 4.3.9, osC 2.2rc2a.

So I restarted again by uploading osCommerce 2.2rc2a (it was working fine), next I uploaded all of the supplied files (now not working). Then I went back to the install file and changed the following, then using WinMerge I compared each file to make sure they were correct:

1. In account_password.php -> changed 2 instances of $HTTP_POST_VARS to $_POST
2. In login.php -> changed 2 instances of $HTTP_GET_VARS
3. In includes/modules/address_book_details.php -> changed 3 instances of $HTTP_GET_VARS
4. In checkout_shipping.php -> changed 7 instances of $HTTP_POST_VARS
5. In includes/languages/english.php -> added wording for ENTRY_PASSWORD_TEXT & ENTRY_PASSWORD_NEW_TEXT
6. Changed $strong_pw = false to true
7. Changed $login_box = false to true
8. Changed $no_fax = false to true

I did not change in the file /includes/functions/account_secure on line 47 if (PHP_VERSION >= 4.1) $HTTP_POST_VARS =& $_POST; (It didn't look like something I should change.)

After all of that I still have the following problems:

1. Cannot log in to an existing account -> Error message saying no email and/or password
2. Forgot password page does not recognize the email address -> I verified it is in the database.
3. Create Account page does not work -> once the continue button is clicked it brings you back to a blank page with no errors except the date is March 17, 1900
4. Contact Us page gives errors for the last name, forgotten message warning, email address not valid -> even though all items were filled in correctly.

So what do you think is the problem, besides that I am new to this? Hopefully something easy.

 

 

The only thing I can think of is that your server is not recognising expressions correctly and so the sanitise function is wiping all the data (you do have a rather old PHP version!)

Try the contact_us form (I assume you updated that too): if you leave the e-mail address blank, on submit you will get returned to the form with an error, and you should see what you placed before; if not, try commenting out the line

clean_post ();

i.e. change it to

// clean_post ();

If your data issues vanish, then it's your server not recognising the regex expression; if so ask your host why the server appears not to understand perl syntax regex expressions.

You could also check your error log to see if that is showing anything.

Edited by spooks

Sam

 


> Yes that's fine, so long as it appears before any post vars are used; remember the password issue that was the original idea of the add-on, and that you will lose all the advantages of the various input validations.

Thanks so much Sam.

1. My passwords are already saved in hex format - is that enough?

2. I've already added most of the validations that I need for the various account pages, but will definitely be referencing this add-on if any of them turn out to not be good enough.

3. On my contact_us page I was already using this validation for the enquiry field:

$enquiry = strip_tags($_POST['enquiry']);
$enquiry = preg_replace('/[\x80-\xff]/s', '', $enquiry); // drop every non-ASCII byte

Using the clean_post function instead was taking out exclamation points and other characters normally used in the message text of emails, which if it's a security issue, I'm glad to take out, but needed to ask - since the $enquiry field is not written to the database, is the above validation enough? If it's not, is there still a way I can securely allow users to use periods and exclamation points in their message text?

4. I did my best to research what your regular expression is limiting, but it's like learning a really hard foreign language to me. Would you be willing to explain it in plain English if it wouldn't take too much time? preg_replace("/[^\p{L}\p{M}\w\r@ :{}_.-]/i", "", urldecode($vars));

Thanks again for your time.

> The only thing I can think of is that your server is not recognising expressions correctly and so the sanitise function is wiping all the data (you do have a rather old PHP version!)
>
> Try the contact_us form (I assume you updated that too): if you leave the e-mail address blank, on submit you will get returned to the form with an error, and you should see what you placed before; if not, try commenting out the line
>
> clean_post ();
>
> i.e. change it to
>
> // clean_post ();
>
> If your data issues vanish, then it's your server not recognising the regex expression; if so ask your host why the server appears not to understand perl syntax regex expressions.
>
> You could also check your error log to see if that is showing anything.

Yep! You're right! If I comment out the clean_post the contact us page works. But I'm guessing doing that isn't a good thing.

As you suggested I also checked my error log and found >>

1. PHP Notice: Undefined index: email_address in /xxxxxxxxxx/httpdocs/catalog/login.php on line 17, referer:

2. PHP Warning: Compilation failed: PCRE does not support \\L, \\l, \\N, \\P, \\p, \\U, \\u, or \\X at offset 3 in /xxxxxxxxxx/catalog/includes/functions/account_secure.php on line 39, referer:

Are these causing the problem and can it be fixed?

Hi again.

I have installed twice and always find the same stone in the road. Firefox and Internet Explorer (not a PHP error) show an error about encoding if I add this piece of code in particular to login.php

// anti-hacker account
require('includes/functions/account_secure.php');
$password = tep_to_hex($_POST['password']);
unset($_POST['password']);
if (!isset($_POST['email_address'])) {
  $_POST['email_address'] = $_GET['email_address'];
  unset($_GET['email_address']);
}
$email_address = '';
clean_post ();
// EOF anti-hacker account

Don't get me wrong, I get "working" in contact-us, tell-a-friend or anything without login that I have tested so far.

Quite puzzled...

 

> 2. PHP Warning: Compilation failed: PCRE does not support \\L, \\l, \\N, \\P, \\p, \\U, \\u, or \\X at offset 3 in /xxxxxxxxxx/catalog/includes/functions/account_secure.php on line 39, referer:

OK, yes it's as I expected: your server does not understand the expression, it's using PCRE rather than perl, and further your PCRE is compiled without unicode support; you could ask your host to remedy that.

The issue is that it doesn't understand \p{L}\p{M} in the line:

return preg_replace("/[^\p{L}\p{M}\w\r@ :{}_.-]/i", "", urldecode($vars));

within account_secure.php.

You could alter that line to:

return preg_replace("/[^\w\r@ :{}_.-]/i", "", urldecode($vars));

but the result will be that any 'foreign chars' input will be removed, i.e. it's best if your host can sort their server; I hope they're not a re-seller!!

Sam

 

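As an added illustration (not code from the thread or from the add-on itself), the following Python emulates what the expression asked about earlier in the thread lets through, both on a PCRE with Unicode property support and with Sam's ASCII-only fallback, and mirrors the login.php ordering in which the password is taken out of the POST data before the sanitiser runs. tep_to_hex is assumed here to be a plain hex encoding, and the sample fields, apart from the probe string a poster in the thread tried, are constructed.

```python
import re
import unicodedata
from urllib.parse import unquote_plus

# Everything the add-on's character class allows apart from \p{L}\p{M}:
# \w (ASCII word chars in PCRE), \r, @, space, :, {, }, _, ., -
# Note that \n is not in the list, so line breaks in a message are dropped.
_ASCII_ALLOWED = re.compile(r"[\w\r@ :{}_.-]", re.ASCII)

def _allowed(ch: str, unicode_aware: bool) -> bool:
    """One-character membership test for the allow-list class."""
    if _ASCII_ALLOWED.fullmatch(ch):
        return True
    if unicode_aware:
        # \p{L} = any letter, \p{M} = any combining mark (accents etc.)
        return unicodedata.category(ch)[0] in ("L", "M")
    return False

def clean_value(value: str, unicode_aware: bool = True) -> str:
    """Emulate the add-on's per-value sanitiser.

    unicode_aware=True mirrors the original regex on a PCRE built with
    Unicode property support; False mirrors Sam's fallback
    "/[^\\w\\r@ :{}_.-]/i", which drops every non-ASCII character.
    The value is URL-decoded first, as the add-on does with urldecode().
    """
    decoded = unquote_plus(value)
    return "".join(ch for ch in decoded if _allowed(ch, unicode_aware))

def clean_post(post: dict, unicode_aware: bool = True) -> dict:
    """Apply clean_value to every field, like clean_post() on $_POST."""
    return {k: clean_value(v, unicode_aware) for k, v in post.items()}

def login_preprocess(post: dict, unicode_aware: bool = True) -> tuple:
    """Mirror the order used in the login.php snippet: the password is
    taken out of the POST data (tep_to_hex is assumed here to be a plain
    hex encoding) BEFORE clean_post runs, so the sanitiser never touches
    it; otherwise characters such as '!' would be stripped from it."""
    post = dict(post)
    password_hex = post.pop("password", "").encode("utf-8").hex()
    return password_hex, clean_post(post, unicode_aware)

# Constructed sample submission; "firstname" is the probe string a poster
# in the thread tried, the other values are made up for this example.
SAMPLE_POST = {
    "firstname": "[w](o)%3Cr%3Ek|i*n^g",
    "lastname": "P%C3%A9rez",
    "enquiry": "Great, thanks!\r\nSee you: 10-12.",
    "password": "s3cret!pw",
}

def demo() -> tuple:
    """Return (unicode-aware fields, ASCII-only fields, password hex)."""
    pw_hex, with_unicode = login_preprocess(SAMPLE_POST, True)
    _, ascii_only = login_preprocess(SAMPLE_POST, False)
    return with_unicode, ascii_only, pw_hex

if __name__ == "__main__":
    fields_u, fields_a, pw_hex = demo()
    for name in fields_u:
        print(f"{name}: unicode={fields_u[name]!r} ascii={fields_a[name]!r}")
    print("password kept intact as hex:", pw_hex)
```

Running it shows the probe string reduced to "working" under both variants, the accented surname surviving only with Unicode support, and the comma, exclamation mark and line feed dropped from the enquiry text, which is the behaviour the earlier contact_us question described.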

 

 

> I have installed twice and always find the same stone in the road. Firefox and Internet Explorer (not a PHP error) show an error about encoding if I add this piece of code in particular to login.php
>
> Don't get me wrong, I get "working" in contact-us, tell-a-friend or anything without login that I have tested so far.

I'm sorry, I can't tell what you mean: do you have errors, is something happening, or not happening? Please make your issue clear.

Sam

 


Sorry, my previous post was severed somehow.

If I add this piece of code to login.php

// anti-hacker account
require('includes/functions/account_secure.php');
$password = tep_to_hex($_POST['password']);
unset($_POST['password']);
if (!isset($_POST['email_address'])) {
  $_POST['email_address'] = $_GET['email_address'];
  unset($_GET['email_address']);
}
$email_address = '';
clean_post ();
// EOF anti-hacker account

I get this Firefox crash "Content encoding error
The page you are trying to view can not be shown because it uses a compression format invalid or unsupported" and if using the original login.php it shows ok.

> I get this Firefox crash "Content encoding error
> The page you are trying to view can not be shown because it uses a compression format invalid or unsupported" and if using the original login.php it shows ok.

It's your editor; it's referring to the encoding of the page, not code in the page. Use a proper editor: MS programs such as 'Word' etc. cause this, as does the file manager in admin.

Edit your files with a proper text editor, such as HTML-Kit or Notepad++

You must also ensure you transfer your files by FTP in the correct mode http://www.oscommerce.com/forums/topic/353800-how-to-ensure-your-images-have-valid-filenames/page__view__findpost__p__1484091

Sam

 


> And php error log says:
> PHP Notice: Undefined index: password in D:\wamp\www\hm\login.php on line 14
> PHP Notice: Undefined index: email_address in D:\wamp\www\hm\login.php on line 17

Those are notices, a minor issue that can be ignored.

As I said before, it's referring to the encoding of the page, not code in the page; you need to find what you are doing to create mal-encoded pages, they should have no encoding, just plain text.

Sam

 


As far as I can see that piece of code in index.php triggers that Firefox error, I am using all your files in the contribution.

With this:

// anti-hacker account
require('includes/functions/account_secure.php');
$password = tep_to_hex($_POST['password']);
unset($_POST['password']);
if (!isset($_POST['email_address'])) {
  $_POST['email_address'] = $_GET['email_address'];
  unset($_GET['email_address']);
}
$email_address = '';
clean_post ();
// EOF anti-hacker account

I still get the error. No index.php is shown

But with this

// anti-hacker account
require('includes/functions/account_secure.php');
//$password = tep_to_hex($_POST['password']);
//unset($_POST['password']);
//if (!isset($_POST['email_address'])) {
//  $_POST['email_address'] = $_GET['email_address'];
//  unset($_GET['email_address']);
//}
//$email_address = '';
clean_post ();
// EOF anti-hacker account

it shows login.php, I can try [w](o)%3Cr%3Ek|i*n^g and I get "working"......

 

 

Perhaps you have your server set up oddly; of course Windows is not the best type of server to use.

You need to use the tep_to_hex function, the e-mail stuff is just for convenience. The sanitise is working as you have left that part in.

Upload your files to a real server (Linux) and I bet you will find it all fine, or install Linux onto your PC; the basic install is a lot more straightforward than Windows and it will install alongside your existing one. I recommend Fedora 12.

There are quite a number of areas within osC (add-ons) that won't work under Windows most times.

Sam

 


> Perhaps you have your server set up oddly; of course Windows is not the best type of server to use.
>
> You need to use the tep_to_hex function, the e-mail stuff is just for convenience. The sanitise is working as you have left that part in.
>
> Upload your files to a real server (Linux) and I bet you will find it all fine, or install Linux onto your PC; the basic install is a lot more straightforward than Windows and it will install alongside your existing one. I recommend Fedora 12.
>
> There are quite a number of areas within osC (add-ons) that won't work under Windows most times.

Indeed.

I uploaded the WAMP version to my Linux server online, a kind of a shadow shop, and once I modified the configure file I saw login.php without problem. There is still the task of adapting the language files you provided to Spanish.

PS. I also use openSUSE 11.2 but not with LAMP or similar... another thing to do...

Regards

Sam, have you ever tried it in Firefox with the "remember password" feature ON? It keeps seeing the postal code field as the password........ quite odd. "Want to remember 3355 as your password?"

Other fields get a clean "working". This time it is online with a Linux server.

> Sam, have you ever tried it in Firefox with the "remember password" feature ON? It keeps seeing the postal code field as the password........ quite odd. "Want to remember 3355 as your password?"
>
> Other fields get a clean "working". This time it is online with a Linux server.

It's not taking the postcode field as the password, but as the id or name for the account.

It's a Firefox error, there's not a lot I can do; the field names and ids are unchanged from the default osC and it would be a bad idea to vary from that.

What Firefox is actually doing is taking the last input field before the password fields and assuming that's the 'id' field for the account.

If you move the email field to below the country field, it gets the right one!!

Sam

 

