osCommerce

how to test site for hackability?


dcrider1

Posted

Thanks in advance!!

 

 

PCI scan.

But do basic checks first, like putting [w](o)%3Cr%3Ek|i*n^g into the search box and any other form fields; after submitting, it should turn into "working", and if it does not, add security.

Also try mysite.com/admin; if anything other than your missing-page error comes up, make the security changes detailed.

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.
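The three "basic checks" in the post above (the probe string in the search box, the /admin path, and browsable directories) can be scripted so they are repeatable after every change. The block below is an added example written for this page; it is not code from the thread, from Security Pro, or from osCommerce. It assumes the osCommerce search endpoint advanced_search_result.php with a keywords parameter, an images/ directory to test, and the usual Apache autoindex markers; the sample response bodies at the bottom are constructed, not captured from any site.

```python
"""Added example, not code from the thread or from osCommerce: the
thread's three "basic checks" (XSS probe in the search box, the /admin
path, and directory listings) as classifiers over HTTP responses, plus
a small live runner. Assumed, not from the thread: the search endpoint
advanced_search_result.php?keywords=..., the 'images/' directory to test,
and the listing markers; the sample bodies in main() are constructed.
"""
import html
import re
import sys
import urllib.parse
import urllib.request
from urllib.error import HTTPError

# Sam's probe string, URL-decoded. Security Pro strips everything except
# the letters, so a protected store echoes it back as plain "working".
MARKER = "[w](o)<r>k|i*n^g"

# What an Apache mod_autoindex page looks like; these strings disappear
# once 'Options -Indexes' is in effect.
LISTING_RE = re.compile(r"<title>\s*Index of /|>Parent Directory<|\[DIR\]", re.I)


def reflection_status(body: str, marker: str = MARKER) -> str:
    """Classify how the probe came back in the search results page.

    'raw'      the <...> part is reflected unescaped: markup injection (XSS)
    'encoded'  reflected as &lt;...&gt;: output-encoded, safe
    'stripped' only the letters survived: an input filter removed the rest
    'absent'   the probe was not echoed at all
    """
    tag = marker[marker.index("<"): marker.index(">") + 1]   # "<r>"
    if tag in body:
        return "raw"
    if html.escape(tag, quote=False) in body:
        return "encoded"
    if re.sub(r"[^A-Za-z]", "", marker) in body:              # "working"
        return "stripped"
    return "absent"


def admin_exposure(status: int) -> str:
    """The thread's second check: /admin should look exactly like a
    missing page. Anything else confirms the path to an attacker."""
    if status == 404:
        return "hidden"
    if status in (401, 403):
        return "present, access-controlled"
    if status == 200:
        return "exposed"
    return f"unexpected ({status})"


def is_directory_listing(status: int, body: str) -> bool:
    """True when the response is an autoindex page, i.e. the directory is
    browsable and 'Options -Indexes' (or cPanel's Indexes off) is missing."""
    return status == 200 and LISTING_RE.search(body) is not None


def fetch(url: str) -> tuple[int, str]:
    """GET a URL and return (status, body), keeping 4xx bodies too."""
    req = urllib.request.Request(url, headers={"User-Agent": "basic-checks/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def run_basic_checks(base_url: str, admin_path: str = "admin/",
                     dirs: tuple[str, ...] = ("images/",)) -> dict:
    """Run all three checks live against a store. Network access required."""
    base = base_url.rstrip("/") + "/"
    results = {}
    query = urllib.parse.urlencode({"keywords": MARKER})
    _, body = fetch(f"{base}advanced_search_result.php?{query}")
    results["search"] = reflection_status(body)
    status, _ = fetch(base + admin_path)
    results["admin"] = admin_exposure(status)
    for d in dirs:
        status, body = fetch(base + d)
        results["listing:" + d] = is_directory_listing(status, body)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 2:
        for check, verdict in run_basic_checks(sys.argv[1]).items():
            print(f"{check:16} {verdict}")
    else:
        # Constructed sample responses, so the classifiers can be seen offline.
        print(reflection_status("<p>No products found matching <b>working</b></p>"))
        print(reflection_status("matching [w](o)<r>k|i*n^g"))
        print(admin_exposure(404))
        print(is_directory_listing(200, "<html><title>Index of /images</title>"))
```

Run it as `python basic_checks.py https://www.example.com/catalog` against your own store only. A "raw" verdict on the search check is the case the thread calls "not working": the angle brackets reached the page unescaped. Note that "stripped" only proves a filter ran on that one field; every other form that accepts input needs the same probe.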

Posted


 

OK, so these things I have already done:

Security Pro

Anti XSS from pixclinic (the instructions weren't really clear, but I believe I did it right)

Renamed/protected the admin folder (used cPanel to password-protect it)

After renaming/protecting I followed these instructions:

After you rename the admin directory you will have to change two lines in renamed_admin_directory/includes/configure.php:

define('DIR_WS_ADMIN', '/renamed_admin_directory/');

define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

I also deleted admin/filemanager.php and associated links (I don't know where to find the associated links).

I then deleted admin/define_language.php and the associated link in the "Tools" box (I also don't know about the associated link in the "Tools" box).

I found all of these instructions through searches here on the forums. I don't know what else I can or should do.

> but do basic checks 1st, like put [w](o)%3Cr%3Ek|i*n^g into search & any other form fields, after submit it should turn to working, if not add security.

I copied your code/letters and put them in the search box, clicked submit, and nothing happens. Not sure about that!?

 

Thanks for all your help, I will message you the url to the site.

Posted

Are there any sites that do free PCI scans? I will look for a paid service once the site is up and going. Thanks!

Your hosting service might have an agreement with McAfee, for instance, to provide one year of PCI scans in the included price. Also, if you're paying for PayPal Pro, McAfee PCI scans are included.

Posted

Most sites that do scans will give you your first one free, but as your site is still easily hackable it's pointless right now.

You need to enable Security Pro; please read the instructions that come with add-ons!!

You could add Sam's Anti-hacker Account Mods http://addons.oscommerce.com/info/7202 for sanitising accounts and contact_us and providing an easy option for reviews. But you must read the instructions!!

Sam

Posted


 

I went into admin and set Security Pro to "true". For the other two options there were no instructions as to what to do. I did a PCI scan and it says I have 6 security holes, 5 security warnings, and 93 security notes. Are the notes something to worry about? I think most of my holes are from software needing to be updated on the server side?

Posted


 

 

OK, I have added Sam's Anti-hacker mod; I'm pretty sure everything went well. The thing you told me to do with "[w](o)%3Cr%3Ek|i*n^g" does what you said. I guess I should do another PCI scan, or is there more to do before another scan? Thanks for your help and patience!!

Posted


 

 

Add

require('includes/functions/account_secure.php');
clean_post();

at the start of product_reviews_write.php and any other files you have accepting POST vars.

When I looked at your site I noted I was able to browse dirs; that's a serious flaw. The htaccess add-on sorts that.

Have you made the admin secure as per Jan's thread?

Sam

Posted


 

OK, I will do the code you provided this evening. Is that something I missed?

Thank you for being patient, but what do you suggest for this?

> When I looked at your site I noted I was able to browse dirs, that a serious flaw, the htacces add-on sorts that

Yes, admin has been renamed and password-protected through cPanel. Thanks again for all your help!

Posted

> Add
>
> require('includes/functions/account_secure.php');
> clean_post ();
>
> at the start of product_reviews_write.php and any other files you have accepting post vars.

I thought that with Sam's Anti-hacker mod all POST vars were replaced?

I still need to know what you mean about dirs?

I put the code in product_reviews_write.php; I assume you meant toward the top, I think I put it on line 13. Now I'm waiting for your assistance. Thanks again!!

Posted

> I thought with Sams Anti Hacker mod that all post vars were replaced?

Only on those pages the function is applied to, hence the addition to the reviews page.

> I still need to know what you mean about dirs?

If you enter the path to, say, your images dir in the browser, you can view that dir.

As I said, add the htaccess contrib detailed in the OP of http://www.oscommerce.com/forums/index.php?showtopic=313323 to fix that and more.

Sam

Posted


 

Anyone want to tell me how to use the directions for the htaccess contribution? You cannot merely copy and paste, as other contributions allowed. Either there is a lot of code missing, or I am in left field looking for a kite. Thanks!

Posted


 

1) I added all of the htaccess contribution. I don't think that fixed you being able to see my directory, if that's what you were speaking of.

2) How do I go about finding the pages that accept POST vars?

I have done the following pages through Sam's Anti-hacker contribution:

1. catalog/account_edit.php
2. catalog/account_password.php
3. catalog/address_book_process.php
4. catalog/create_account.php
5. catalog/checkout_shipping.php
6. catalog/login.php
7. catalog/password_forgotten.php
8. catalog/contact_us.php
9. catalog/checkout_shipping_address.php
10. catalog/checkout_payment_address.php
11. catalog/includes/form_check.js.php
12. catalog/includes/functions/password_funcs.php
13. catalog/includes/modules/address_book_details.php
14. catalog/includes/modules/checkout_new_address.php
15. catalog/includes/languages/english/create_account.php

and the review page you spoke of.

Thanks for your help with these questions. Please tell me how to proceed.

Posted

 

 

Perhaps you missed it when creating your htaccess file; the part that prevents browsing is the line:

Options -Indexes

 

 

Sam

Posted

When I manually enter the address of the product_reviews_write.php page I get a redirect to a login/create account page, and it has this at the bottom:

Fatal error: Cannot redeclare tep_show_category() (previously declared in /home/jscb/public_html/letsroll/catalog/includes/boxes/categories.php:12) in /home/jscb/public_html/letsroll/catalog/includes/boxes/categories.php on line 57
Posted

> When i manually enter the address to the product_reviews_write.php page I get a redirect to a login/create account page,

That's normal behaviour, as you must be logged in.

> Fatal error: Cannot redeclare tep_show_category() (previously declared in /home/jscb/public_html/letsroll/catalog/includes/boxes/categories.php:12) in /home/jscb/public_html/letsroll/catalog/includes/boxes/categories.php on line 57

Your error is due to somehow calling includes/boxes/categories.php twice on the page; you need to find where you are doing that.

Sam

Posted

> Perhaps you missed it when creating you htaccess file, the part that prevents browsing is the line:
>
> Options -Indexes

This?

# Redirect index.php to domain.com
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.YOURSITE.COM/ [R=301,L]

If that is what you are speaking of, IT IS in my htaccess file already.

Posted

NO. That part, as it says in the comment, is to remove index.php from the URL, a totally different function. If you don't have the:

Options -Indexes

just add that line.

Sam

Posted

Thank you for all your help. I know it's aggravating to help an amateur (at best) with this stuff.

When you say just add that line, what line? If you are saying it's in the installation file for the htaccess contribution, it is not there. I have added every single thing that is in the install file. Can you point me to what code you are referring to?

Posted

If it's not there I'm surprised; I could have sworn it was, and it should be. Anyway, just add that line to your htaccess file and you will be sorted; add it immediately after the snippet you posted before if you're not sure.

Sam

Posted

OK, I added

Options -Indexes

right after

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.burgersmarketpc.COM/ [R=301,L]

I can still access the directory. I tried it before and after the [R=301,L]; it didn't make a difference.

Posted

> I can still access the directory, i tried it before and after the [R=301, L], it didnt make a difference.

It must be on its own line, not part of that. Please google htaccess files if you're so unclear.

Sam
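The mistake being worked through above (a directive pasted onto the end of a RewriteRule line, so Apache never sees it as `Options -Indexes`) is easy to make and hard to spot by eye. The block below is an added example, not code from the thread and not part of the htaccess contribution: a small linter that flags several directives on one line, a missing `Options -Indexes`, a trailing RewriteCond with no RewriteRule to consume it, and php_flag/php_value lines, which only work when PHP runs as an Apache module. The two sample files inside it are constructed for the example, modelled on the file pasted later in this thread; the directive names are real Apache directives.

```python
"""Added example, not from the thread or the htaccess contribution: a linter
for an osCommerce-style .htaccess that catches the problems discussed above.
The sample texts are constructed; the directive names are Apache's own.
"""
import re

KNOWN = ("RewriteEngine", "RewriteBase", "RewriteCond", "RewriteRule",
         "Options", "php_flag", "php_value", "SetEnvIfNoCase", "SetEnvIf",
         "Deny", "Allow", "Order")
# A known directive name that appears after the first token of a line is
# almost always a second directive pasted onto the same line.
EMBEDDED = re.compile(r"\s(" + "|".join(KNOWN) + r")\s")


def lint_htaccess(text: str) -> list[str]:
    """Return a list of findings (empty means nothing to report)."""
    findings = []
    has_no_indexes = False
    pending_cond = None   # line number of the first RewriteCond awaiting a RewriteRule

    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        name = tokens[0]

        extra = EMBEDDED.findall(" " + " ".join(tokens[1:]) + " ")
        if extra:
            findings.append(f"line {no}: several directives on one line "
                            f"({name} followed by {', '.join(extra)}); "
                            "put each on its own line")

        # Only counts when it is a directive of its own, not pasted mid-line.
        if name == "Options" and "-Indexes" in tokens[1:] and not extra:
            has_no_indexes = True

        if name == "RewriteCond":
            if pending_cond is None:
                pending_cond = no
        elif name == "RewriteRule":
            pending_cond = None

        if name in ("php_flag", "php_value"):
            findings.append(f"line {no}: {name} is only honoured when PHP runs as "
                            "an Apache module (mod_php); under CGI/FastCGI/suPHP "
                            "hosting it produces a 500 error")

    if pending_cond is not None:
        findings.append(f"line {pending_cond}: RewriteCond is never followed by a "
                        "RewriteRule, so it has no effect")
    if not has_no_indexes:
        findings.append("'Options -Indexes' is missing (or not on its own line): "
                        "directory listings stay enabled")
    return findings


# Constructed sample, modelled on the file pasted later in the thread:
# two directives are glued onto rule lines and the last RewriteCond dangles.
BROKEN_SAMPLE = r"""# constructed sample
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F] RewriteEngine on php_flag register_globals off
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.example.com/ [R=301,L] Options -Indexes
RewriteCond %{QUERY_STRING} c99 [OR]
"""

# The same rules with one directive per line and the listing switch present.
FIXED_SAMPLE = r"""# constructed sample
Options +FollowSymLinks
Options -Indexes
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.example.com/ [R=301,L]
RewriteCond %{QUERY_STRING} c99
RewriteRule ^(.*)$ - [F,L]
"""

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_SAMPLE), ("fixed", FIXED_SAMPLE)):
        print(f"== {label} ==")
        for finding in lint_htaccess(sample) or ["no findings"]:
            print("  " + finding)
```

Run it on your real file with `lint_htaccess(open(".htaccess").read())`. The linter reads text only; the authoritative check is still the one at the end of the thread: request the directory in a browser and confirm you get a 403, not a listing.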

Posted

It is now on its own line, and I can still access the directory. Is it because of the subdirectory of the root site? What you are trying to get me to do can't be any harder than the rest of the changes I have made to the htaccess file. I googled htaccess file help before and throughout this entire thread; there isn't much help in reference to the issues I have had, including this one. Here is a partial shot of the file with what you wanted me to do.

 

# $Id: .htaccess 1739 2007-12-20 00:52:16Z hpdl $
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' will also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter
#
# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occurring on certain
# servers)
#
# php_value session.use_trans_sid 0
# php_value register_globals 1

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
RewriteEngine on
php_flag register_globals off
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.burgersmarketpc.COM/ [R=301,L]

Options -Indexes

RewriteCond %{HTTP_HOST} ^burgersmarketpc.COM [NC]
RewriteRule ^(.*)$ http://www.burgersmarketpc.COM/$1 [L,R=301]

RewriteBase /
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]

Posted

In the meantime, while waiting for you to respond, I was playing around in cPanel. I turned indexes off, and now I can NOT access the directory. Is that good enough?

Archived

This topic is now archived and is closed to further replies.
