spooks, posted February 24, 2010

> Thanks in advance!!

PCI scan, but do basic checks first, like putting [w](o)%3Cr%3Ek|i*n^g into the search and any other form fields; after submit it should turn into "working", and if not, add security. Also try mysite.com/admin: if anything other than your missing-page error comes up, make the security changes detailed.

Sam
Remember, What you think I ment may not be what I thought I ment when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
dcrider1 (thread author), posted February 24, 2010

Are there any sites that do free PCI scans? I will look for a paid service once the site is up and going. Thanks!
dcrider1 (thread author), posted February 25, 2010

> PCI scan, but do basic checks first, like putting [w](o)%3Cr%3Ek|i*n^g into the search and any other form fields; after submit it should turn into "working", and if not, add security. Also try mysite.com/admin: if anything other than your missing-page error comes up, make the security changes detailed.

OK, so these things I have already done:

- Security Pro Anti XSS from pixclinic (instructions weren't real clear, but I believe I did it right).
- Renamed/protected the admin folder (used cPanel for password protect). After renaming/protecting I followed these instructions: "After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php":

  define('DIR_WS_ADMIN', '/renamed_admin_directory/');
  define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

- I also deleted admin/filemanager.php and associated links. (Don't know where to find associated links.)
- I then deleted admin/define_language.php and the associated link in the "Tools" box. (Also don't know about the associated link in the "Tools" box.)

I found all of these instructions through searches here on the forums. I don't know what else I can or should do.

> but do basic checks first, like putting [w](o)%3Cr%3Ek|i*n^g into the search and any other form fields; after submit it should turn into "working", and if not, add security.

I copied your code/letters there and put it in the search box, clicked submit, and nothing happens. Not sure about that!? Thanks for all your help, I will message you the URL to the site.
longhorn1999, posted February 25, 2010

> Are there any sites that do free PCI scans? I will look for a paid service once the site is up and going. Thanks!

Your hosting service might have an agreement with McAfee, for instance, to provide 1 yr. of PCI scans in the included price. Also, if you're paying for PayPal Pro, McAfee PCI scans are included.
spooks, posted February 25, 2010

Most sites that do scans will give you your first free, but as your site is still easily hackable it's pointless right now. You need to enable Security Pro; please read the instructions that come with add-ons!! You could add Sam's Anti-hacker Account Mods http://addons.oscommerce.com/info/7202 for sanitising accounts & contact_us & providing an easy option for reviews. But you must read the instructions!!

Sam
dcrider1 (thread author), posted February 25, 2010

> Most sites that do scans will give you your first free, but as your site is still easily hackable it's pointless right now. You need to enable Security Pro; please read the instructions that come with add-ons!! You could add Sam's Anti-hacker Account Mods http://addons.oscommerce.com/info/7202 for sanitising accounts & contact_us & providing an easy option for reviews. But you must read the instructions!!

I went into admin and set Security Pro to "true". The other two options, there were no instructions as to what to do. I did a PCI scan and it says I have 6 security holes, 5 security warnings, and 93 security notes. Are the notes something to worry with? I think most of my holes are from software needing updating on the server side?
dcrider1 (thread author), posted February 26, 2010

> I went into admin and set Security Pro to "true". The other two options, there were no instructions as to what to do. I did a PCI scan and it says I have 6 security holes, 5 security warnings, and 93 security notes. Are the notes something to worry with? I think most of my holes are from software needing updating on the server side?

OK, I have added Sam's Anti mod; I'm pretty sure everything went good and right. The thing you told me to do with "[w](o)%3Cr%3Ek|i*n^g" does what you said. I guess I should do another PCI scan, or is there more to do before another scan? Thanks for your help and patience!!
spooks, posted February 26, 2010

> OK, I have added Sam's Anti mod; I'm pretty sure everything went good and right. The thing you told me to do with "[w](o)%3Cr%3Ek|i*n^g" does what you said. I guess I should do another PCI scan, or is there more to do before another scan? Thanks for your help and patience!!

Add

require('includes/functions/account_secure.php');
clean_post();

at the start of product_reviews_write.php and any other files you have accepting POST vars.

When I looked at your site I noted I was able to browse dirs; that's a serious flaw, the htaccess add-on sorts that.

Have you made the admin secure as per Jan's thread?

Sam
dcrider1 (thread author), posted February 26, 2010

> Add require('includes/functions/account_secure.php'); clean_post(); at the start of product_reviews_write.php and any other files you have accepting POST vars. When I looked at your site I noted I was able to browse dirs; that's a serious flaw, the htaccess add-on sorts that. Have you made the admin secure as per Jan's thread?

OK, I will do the code you provided this evening. Is that something I missed? Thank you for being patient, but what do you suggest for this?

> When I looked at your site I noted I was able to browse dirs; that's a serious flaw, the htaccess add-on sorts that.

Yes, admin has been renamed and password protected through cPanel. Thanks again for all your help!
dcrider1 (thread author), posted February 27, 2010

> Add require('includes/functions/account_secure.php'); clean_post(); at the start of product_reviews_write.php and any other files you have accepting POST vars.

I thought with Sam's Anti Hacker mod that all POST vars were replaced? I still need to know what you mean about dirs? I put the code in product_reviews_write.php; I assume you meant toward the top, I think I put it on line 13. Now I'm waiting for your assistance. Thanks again!!
spooks, posted February 27, 2010

> I thought with Sam's Anti Hacker mod that all POST vars were replaced?

Only on those pages the function is applied to, hence the addition to the reviews page.

> I still need to know what you mean about dirs?

If you enter the path to, say, your images dir in the browser, you can view that dir. As I said, add the htaccess contrib detailed in the OP of http://www.oscommerce.com/forums/index.php?showtopic=313323 to fix that & more.

Sam
dcrider1 (thread author), posted March 1, 2010

> Only on those pages the function is applied to, hence the addition to the reviews page. If you enter the path to, say, your images dir in the browser, you can view that dir. As I said, add the htaccess contrib detailed in the OP of http://www.oscommerce.com/forums/index.php?showtopic=313323 to fix that & more.

Anyone want to tell me how to use the directions for the htaccess contribution? You cannot merely copy and paste, as other contributions allowed. Either there is a lot of code missing, or I am in left field looking for a kite. Thanks!
dcrider1 (thread author), posted March 2, 2010

> Only on those pages the function is applied to, hence the addition to the reviews page. If you enter the path to, say, your images dir in the browser, you can view that dir. As I said, add the htaccess contrib detailed in the OP of http://www.oscommerce.com/forums/index.php?showtopic=313323 to fix that & more.

1) I added all of the htaccess contribution. I don't think that fixed you being able to see my directory, if that's what you were speaking of.

2) How do I go about finding the pages that accept POST vars? I have done the following pages through "Sam's Anti Hacker contribution":

1. catalog/account_edit.php
2. catalog/account_password.php
3. catalog/address_book_process.php
4. catalog/create_account.php
5. catalog/checkout_shipping.php
6. catalog/login.php
7. catalog/password_forgotten.php
8. catalog/contact_us.php
9. catalog/checkout_shipping_address.php
10. catalog/checkout_payment_address.php
11. catalog/includes/form_check.js.php
12. catalog/includes/functions/password_funcs.php
13. catalog/includes/modules/address_book_details.php
14. catalog/includes/modules/checkout_new_address.php
15. catalog/includes/languages/english/create_account.php

and the review page you spoke of.

Thanks for your help with these questions. Please tell me how to proceed.
spooks, posted March 2, 2010

Perhaps you missed it when creating your htaccess file; the part that prevents browsing is the line:

Options -Indexes

Sam
dcrider1 (thread author), posted March 2, 2010

When I manually enter the address to the product_reviews_write.php page I get a redirect to a login/create account page, and it has this at the bottom:

Fatal error: Cannot redeclare tep_show_category() (previously declared in /home/jscb/public_html/letsroll/catalog/includes/boxes/categories.php:12) in /home/jscb/public_html/letsroll/catalog/includes/boxes/categories.php on line 57
spooks, posted March 2, 2010

> When I manually enter the address to the product_reviews_write.php page I get a redirect to a login/create account page,

That's normal behaviour, as you must be logged in.

> Fatal error: Cannot redeclare tep_show_category() (previously declared in /home/jscb/public_html/letsroll/catalog/includes/boxes/categories.php:12) in /home/jscb/public_html/letsroll/catalog/includes/boxes/categories.php on line 57

Your error is due to somehow calling includes/boxes/categories.php twice on the page; you need to find where you are doing that.

Sam
dcrider1 (thread author), posted March 2, 2010

> Perhaps you missed it when creating your htaccess file; the part that prevents browsing is the line: Options -Indexes

This?

# Redirect index.php to domain.com
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.YOURSITE.COM/ [R=301,L]

If that is what you are speaking of, IT IS in my htaccess file already.
spooks, posted March 2, 2010

> This?
> # Redirect index.php to domain.com
> RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
> RewriteRule ^index\.php$ http://www.YOURSITE.COM/ [R=301,L]
> If that is what you are speaking of, IT IS in my htaccess file already.

NO, that part, as it says in the comment, is to remove index.php from the URL, a totally different function. If you don't have the

Options -Indexes

just add that line.

Sam
dcrider1 (thread author), posted March 2, 2010

> NO, that part, as it says in the comment, is to remove index.php from the URL, a totally different function. If you don't have the Options -Indexes just add that line.

Thank you for all your help. I know it's aggravating to help an amateur (at best) with this stuff. When you say just add that line, what line? If you are saying it's in the installation file for the htaccess contribution, it is not there. I have added every single thing that is on the install file. Can you point me to what code you are referring to?
spooks, posted March 2, 2010

> Thank you for all your help. I know it's aggravating to help an amateur (at best) with this stuff. When you say just add that line, what line? If you are saying it's in the installation file for the htaccess contribution, it is not there. I have added every single thing that is on the install file. Can you point me to what code you are referring to?

If it's not there I'm surprised, I could have sworn it was; it should be. Anyway, just add that line to your htaccess file & you will be sorted; add it immediately after the snippet you posted before if you're not sure.

Sam
dcrider1 (thread author), posted March 3, 2010

> If it's not there I'm surprised, I could have sworn it was; it should be. Anyway, just add that line to your htaccess file & you will be sorted; add it immediately after the snippet you posted before if you're not sure.

OK, I added Options -Indexes right after

RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.burgersmarketpc.COM/ [R=301,L]

I can still access the directory. I tried it before and after the [R=301,L]; it didn't make a difference.
spooks, posted March 3, 2010

> OK, I added ... right after ... I can still access the directory. I tried it before and after the [R=301,L]; it didn't make a difference.

It must be on its own line, not part of that. Please google htaccess files if you're so unclear.

Sam
dcrider1 (thread author), posted March 3, 2010

> It must be on its own line, not part of that. Please google htaccess files if you're so unclear.

It is now on its own line, and I can still access the directory. Is it because of the subdirectory of the root site? What you are trying to get me to do can't be any harder than the rest of the changes I have made to the htaccess file. I googled htaccess file help before and through this entire post; there isn't much help in reference to the issues I have had, including this one. Here is a partial shot of the file with what you wanted me to do:

# $Id: .htaccess 1739 2007-12-20 00:52:16Z hpdl $
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' will also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter

# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occurring on certain
# servers)

# php_value session.use_trans_sid 0
# php_value register_globals 1

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
RewriteEngine on
php_flag register_globals off
SetEnvIfNoCase User-Agent "^libwww-perl*" block_bad_bots
Deny from env=block_bad_bots
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /index\.php\ HTTP/
RewriteRule ^index\.php$ http://www.burgersmarketpc.COM/ [R=301,L]
Options -Indexes
RewriteCond %{HTTP_HOST} ^burgersmarketpc.COM [NC]
RewriteRule ^(.*)$ http://www.burgersmarketpc.COM/$1 [L,R=301]
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} libwww-perl [OR]
RewriteCond %{QUERY_STRING} tool25 [OR]
RewriteCond %{QUERY_STRING} cmd.txt [OR]
RewriteCond %{QUERY_STRING} cmd.gif [OR]
RewriteCond %{QUERY_STRING} r57shell [OR]
RewriteCond %{QUERY_STRING} c99 [OR]
dcrider1 (thread author), posted March 3, 2010

> It must be on its own line, not part of that. Please google htaccess files if you're so unclear.

In the meantime, while waiting for you to respond, I was playing around in cPanel. I turned indexes off, and now can NOT access the directory. Is that good enough?
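As an added example (not code from this thread or from Sam's contributions), a small Python checker for the two basic checks the thread keeps coming back to: whether a directory such as images/ still returns an Apache listing (what Options -Indexes switches off), and whether the search page turns the [w](o)%3Cr%3Ek|i*n^g probe into "working". It assumes osCommerce's advanced_search_result.php?keywords= search URL and the images/ and includes/ directory names; the sample responses are constructed, and the cleaner shown only illustrates the expected behaviour, not the contribution's own clean_post().

```python
import re
import urllib.request
from html import unescape
from urllib.parse import quote, unquote

# Probe from the thread: after the store's input cleaner has run, the echoed
# search term should collapse to the plain word "working".
PROBE = "[w](o)%3Cr%3Ek|i*n^g"
EXPECTED = "working"

def sanitize_like_clean_post(value):
    """Assumed cleaner behaviour (illustration, not the contribution's own
    clean_post): URL-decode, then keep only letters, digits and a few safe chars."""
    return re.sub(r"[^A-Za-z0-9 ._@-]", "", unquote(value))

def classify_reflection(body, probe=PROBE):
    """'sanitized' if only 'working' came back, 'unsanitized' if the special
    characters survived (HTML-escaped or not), 'absent' if nothing was echoed."""
    text = unescape(body)
    if probe in text or unquote(probe) in text:
        return "unsanitized"
    return "sanitized" if EXPECTED in text else "absent"

def looks_like_dir_listing(body):
    """Apache's autoindex page (what Options -Indexes switches off) carries an
    'Index of /...' title and a 'Parent Directory' link."""
    return bool(re.search(r"<title>\s*Index of /", body, re.I)) or "Parent Directory" in body

def audit(fetch, base_url, dirs=("images/", "includes/")):
    """Run both checks. fetch(url) returns the body as text: use live_fetch for
    a real store, stub_fetch offline. The search URL is osCommerce's
    advanced_search_result.php?keywords= (assumed; check your own form action)."""
    findings = {d: "listable" if looks_like_dir_listing(fetch(base_url + d)) else "ok"
                for d in dirs}
    url = base_url + "advanced_search_result.php?keywords=" + quote(PROBE, safe="%")
    findings["search"] = classify_reflection(fetch(url))
    return findings

def live_fetch(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")

# Constructed sample responses (not captured from any real site).
SAMPLE_LISTING = ('<html><head><title>Index of /catalog/images</title></head><body>'
                  '<h1>Index of /catalog/images</h1><a href="/catalog/">Parent Directory</a>'
                  '</body></html>')
SAMPLE_SEARCH_OK = "<html><body>Products meeting the search criteria: working</body></html>"
SAMPLE_SEARCH_BAD = "<html><body>Products meeting the search criteria: [w](o)&lt;r&gt;k|i*n^g</body></html>"

def stub_fetch(url):
    """Offline stand-in for live_fetch: images/ is listable, search is clean."""
    if url.endswith("images/"):
        return SAMPLE_LISTING
    return SAMPLE_SEARCH_OK if "keywords=" in url else "<html><body>404</body></html>"
```

Against a real store, `audit(live_fetch, "http://www.example.com/catalog/")` reports "listable" for any directory that still serves an index and "unsanitized" if the probe characters survive the search page.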