PHP Intrusion Detection System for osCommerce


celextel


Good evening. I've installed a clean (not upgrading) version of 1.7 for osc 2.3.1 this afternoon. With both test urls:

 

http://www.siteurl.com/&test=%22%3EXXX and

http://www.siteurl.com/?test="><script>eval(window.name)</script>

 

I receive the following:

403 Forbidden

 

You don't have permission to access / on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

  • If I remove the portion after the .com, the test site loads / functions properly.
  • The database tables have been created properly and are viewable from Php Admin.
  • I've gone through the install manual twice to verify placement of the files and code within the modified files.
  • I can add myself (ip from the Who's Online) and ban myself, and then receive the email successfully (using the contact form only).
  • Nothing is logged to the PHPIDS Log report however. Should it be when manually banning an IP?
  • The host is HostGator. Server running php 5.2.17 with PDO enabled (viewed from previous posts)
  • This is a new test site where I have been adding contributions to have as a 'master' for upgrading / creating other sites.

Is this a hosting issue? Thank you for any light anyone can shed on this. Jim

Link to comment
Share on other sites

Suggestion:

 

file: banned_ip.php

code:

$ip_check = tep_get_ip_address();

Since tep_get_ip_address() can allow either the values of the HTTP_X_FORWARDED_FOR or HTTP_CLIENT_IP header (if set) to be the ip address ahead of the dependable REMOTE_ADDR, and because it is possible to spoof both of those headers, it might be better to stick with REMOTE_ADDR as the ip address to check for banned IPs in the db. That would also be consistent with the fact that REMOTE_ADDR is used as the ip address that is banned in the banned.php file.

 

I know that where the webserver is part of a cluster configuration, this can also cause false IP addresses to be banned. If, however, you depend on tep_get_ip_address() to check IPs in the db, that may allow this addon to be completely bypassed if an attacker got to thinking about sending spoofed HTTP_X_FORWARDED or HTTP_CLIENT_IP ip addresses with their attacks.

 

code suggestion:

$ip_check = ( false !== isset( $_SERVER ) ) ? $_SERVER[ "REMOTE_ADDR" ] : getenv( "REMOTE_ADDR" );

 

Or more simply:

$ip_check = $_SERVER[ "REMOTE_ADDR" ];

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites
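
The suggestion in the post above, as an added example that is not part of the thread and is not osCommerce or add-on code: a ban check keyed on REMOTE_ADDR that also covers the cluster case the post mentions by reading X-Forwarded-For only when the connecting peer is a known proxy. The function names ban_check_ip() and is_banned(), the trusted-proxy list and every address used are assumptions made for illustration.

```php
<?php
// Added example; ban_check_ip(), is_banned(), the proxy list and all
// addresses below are hypothetical or constructed for illustration.

// Address to use for ban checks. REMOTE_ADDR is the TCP peer and cannot be
// set by a request header; X-Forwarded-For is honoured only when that peer
// is one of our own proxies.
function ban_check_ip(array $server, array $trustedProxies = array())
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null; // no usable peer address: caller fails closed
    }
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    // Each proxy appends the address it saw, so read the chain right to left
    // and take the first hop that is not one of our own proxies.
    $hops = array_reverse(array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'])));
    foreach ($hops as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $peer; // malformed chain: fall back to the peer
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $peer;
}

function is_banned($ip, array $bannedIps)
{
    return $ip === null || in_array($ip, $bannedIps, true);
}

// Constructed sample data (documentation address ranges).
$banned  = array('203.0.113.7');
$proxies = array('192.0.2.10');

// Banned client connecting directly with a forged header: the header is ignored.
$direct = array('REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1');
var_dump(is_banned(ban_check_ip($direct, $proxies), $banned));

// Same client behind our proxy, prepending a forged hop: the hop the proxy appended is used.
$viaProxy = array('REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7');
var_dump(is_banned(ban_check_ip($viaProxy, $proxies), $banned));
```

The address written to the ban table should come from the same function, so that the value banned and the value checked always agree.
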

2. Unzip the zipped file and rename "phpids-0.6.4" directory as "phpids".

 

3. Make sure that this renamed directory has the following directories directly in it:

docs

lib

tests

 

 

None of these files are in any of the packages

Link to comment
Share on other sites

Maybe if it said create these 3 directories in ........

 

Cheers

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.

Link to comment
Share on other sites

What it says is to:

1. Download "PHPIDS 0.6.3.1 (ZIP)" or the latest version at:

http://php-ids.org/downloads/

 

2. Unzip the zipped file and rename "phpids-0.6.3.1" directory as "phpids".

 

3. Make sure that this renamed directory has the following directories directly in it:

docs

lib

nbproject

tests

 

This site cannot be reached. If you have to go somewhere else to get these, which are not in the packages, then it is not a complete package, and it should state that in the package downloads instead of saying "this is a complete package".

Link to comment
Share on other sites

Getting this error with 1.6 installed and the latest phpids 7.0 installed:

Fatal error: Call to a member function bindParam() on a non-object in /home/xx/public_html/xxx/includes/phpids/lib/IDS/Log/Database.php on line 272

Link to comment
Share on other sites

Does anyone have the phpids that they can upload to the package area. The http://php-ids.org/downloads/ can no longer be reached.

Thanks

 

Try https://phpids.org/downloads/

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Link to comment
Share on other sites

  • 4 weeks later...

Can't get wishlist.php to work because POST.prod_link and REQUEST.prod_link are being detected as xss attacks:

 

 

Affected tags: xss csrf

Affected parameters: REQUEST.prod_link.0=http%3A%2F%2Fwww.domain.com%2Fstore%2Fproduct_info.php%3Fproducts_id%3D367%7B1%7D2, POST.prod_link.0=http%3A%2F%2Fwww.domain.com%2Fstore%2Fproduct_info.php%3Fproducts_id%3D367%7B1%7D2,

Request URI: /store/wishlist.php

 

I added REQUEST.prod_link and POST.prod_link to the exclusion list with no luck.

 

If I have a number of items on wishlist, the total impact bans me...Any ideas?

Link to comment
Share on other sites

  • 3 weeks later...

Hello, good evening

 

I’m trying to install a clean (not upgrading) version of 1.7 for osc 2.2rc2a.

 

At “Step-B: Admin” point 5 states:

 

Find the following code in admin/includes/boxes/tools.php file:

 

array(
  'code' => FILENAME_ACTION_RECORDER,
  'title' => BOX_TOOLS_ACTION_RECORDER,
  'link' => tep_href_link(FILENAME_ACTION_RECORDER)
),

 

Though that array is not in my “tools.php” file. The whole content of my file is:

 

<?php
/*
  $Id: tools.php 1739 2007-12-20 00:52:16Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2002 osCommerce

  Released under the GNU General Public License
*/
?>
<!-- tools //-->
<tr>
<td>
<?php
  $heading = array();
  $contents = array();

  $heading[] = array('text' => BOX_HEADING_TOOLS,
                     'link' => tep_href_link(FILENAME_BACKUP, 'selected_box=tools'));

  if ($selected_box == 'tools') {
    $contents[] = array('text' => '<a href="' . tep_href_link(FILENAME_BACKUP) . '" class="menuBoxContentLink">' . BOX_TOOLS_BACKUP . '</a><br>' .
                                  '<a href="' . tep_href_link(FILENAME_BANNER_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_BANNER_MANAGER . '</a><br>' .
                                  '<a href="' . tep_href_link(FILENAME_CACHE) . '" class="menuBoxContentLink">' . BOX_TOOLS_CACHE . '</a><br>' .
                                  '<a href="' . tep_href_link(FILENAME_DEFINE_LANGUAGE) . '" class="menuBoxContentLink">' . BOX_TOOLS_DEFINE_LANGUAGE . '</a><br>' .
                                  '<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .
                                  '<a href="' . tep_href_link(FILENAME_MAIL) . '" class="menuBoxContentLink">' . BOX_TOOLS_MAIL . '</a><br>' .
                                  '<a href="' . tep_href_link(FILENAME_NEWSLETTERS) . '" class="menuBoxContentLink">' . BOX_TOOLS_NEWSLETTER_MANAGER . '</a><br>' .
                                  '<a href="' . tep_href_link(FILENAME_SERVER_INFO) . '" class="menuBoxContentLink">' . BOX_TOOLS_SERVER_INFO . '</a><br>' .
                                  '<a href="' . tep_href_link('csv_import.php') . '" class="menuBoxContentLink">Importar CSV de Excel/OOCalc</a><br>' .
                                  '<a href="' . tep_href_link(FILENAME_WHOS_ONLINE) . '" class="menuBoxContentLink">' . BOX_TOOLS_WHOS_ONLINE . '</a>');
  }

  $box = new box;
  echo $box->menuBox($heading, $contents);
?>
</td>
</tr>
<!-- tools_eof //-->

 

Please, can anyone tell me where to insert the following required code, or whether my file lacks some code?

The code to insert is:

 

array(
  'code' => FILENAME_PHPIDS,
  'title' => BOX_TOOLS_PHPIDS,
  'link' => tep_href_link(FILENAME_PHPIDS)
),
array(
  'code' => FILENAME_BANNED_IP,
  'title' => BOX_TOOLS_BANNED_IP,
  'link' => tep_href_link(FILENAME_BANNED_IP)
),

 

Thank you for any help you can give me.

Angel Barros

Link to comment
Share on other sites

Hi

 

Just add a line after

 

'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .

 

and change the words in capitals to those for the contribution you are trying to add.

 

HTH

 

G


Link to comment
Share on other sites

  • 2 weeks later...

Hi, let me apologise first in case this problem has already been posted, but it's late now and I can't find anything similar.

 

I am hoping you can help me with this error :-

 

1146 - Table 'a4993375_msc.TABLE_BANNED_IP' doesn't exist

 

select ip_address from TABLE_BANNED_IP where ip_status='0'

 

[TEP STOP]

 

when I try to access the shop, http://mywebsite/catalog/index.php. This occurred when trying the test http://mywebsite/catalog/index.php.?id=1&test=">XXX. Prior to this test I could access the site easily.

 

I am running oscommerce 2.3.1 on win xp64 with phpids 1.7 installed. Given that I am fairly new to php, can you point me to where I have gone wrong? There are no entries in the PHPIDS log and no entries in the banned IP section.

Edited by DougieMac
Link to comment
Share on other sites

Ok, fresh look at the forum this morning and I found the solution. Doh! Apologies.

Link to comment
Share on other sites

  • 1 month later...

Hello,

 

I'm building a new shop using oscommerce 2.3.1 and I added this contrib, but when I do the 2 suggested tests I get the following error:

 

Exception: PDOException: SQLSTATE[28000] [1045] Access denied for user 'root'@'localhost' (using password: NO)

I'm building it on my windows PC using WAMP, so I'm wondering if this is the problem...

 

I have it running correctly on my old oscommerce 2.2 shop...

 

Any idea?

Link to comment
Share on other sites

I found the issue of my problem... My Wamp MySQL server is not running on the default port, and the script is not using the OSC configuration. Once I changed the port on osc_phpids.php in the modules folder it worked flawlessly.

Link to comment
Share on other sites

  • 1 month later...

Hi,

 

I'm having this contribution installed, and I'm also using the contribution customer Must Accept Terms and Conditions (MATC) http://addons.oscommerce.com/info/5750

But now I have lots of entries in the table PHPIDS Log related to REQUEST.conditions and POST.conditions in the create_account.php file and with all the conditions written.

 

Is there a way to fix this?

Link to comment
Share on other sites

  • 2 weeks later...

Anyone??

Link to comment
Share on other sites

  • 4 weeks later...

Hi,

I have just discovered that my installation of phpids was causing a problem with my PayPal IPN notifications. Sometimes they were getting sent, sometimes not, and checking the error logs on the server for PayPal's IPN notification URL (173.0.81.1) I found

 

[Wed May 23 06:18:54 2012] [error] [client 173.0.81.1] PHP Fatal error: Class 'PDO' not found in /home/****/public_html/includes/phpids/lib/IDS/Log/Database.php on line 172

 

I have disabled phpids for a while and ipn notifications are now ok. I use paypal standard module for payments.

 

I see there is an option in admin phpids, for variable exclusions and thinking that maybe there is something I can enter there that might stop phpids blocking paypal ipns. The ipn notification script in my oscommerce is at /ext/modules/payment/paypal/standard_ipn.php

 

I could post that page if someone may be able to tell me whether there is a variable there I could exclude. What do you think?

Link to comment
Share on other sites

  • 2 months later...
  • 4 weeks later...

Hi there,

 

I installed this addon up to step E Test; at TEST-1 I got the warning below:

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /includes/modules/osc_phpids.php:199) in /includes/functions/sessions.php on line 102

 

And the TEST-2, I did not see any test result, the page just showed HTTP 406 Not Acceptable.

 

Is it normal, or what did I do wrong?

 

Many thanks in advance.

 

Lyn

Link to comment
Share on other sites

  • 1 month later...

Hi, I just got an attack:

 

IP: 184.82.78.125

Date: 2012-11-08T10:12:16+11:00

Impact: 14

Affected tags: xss csrf id rfe lfi

Affected parameters: REQUEST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6, POST.excerpt=%5B...%5D+that+is+the+end+of+this+article.+Here+you%E2%80%99ll+find+some+sites+that+we+think+you%E2%80%99ll+appreciate%2C+just+click+the+links+over%5B...%5D%E2%80%A6,

Request URI: /mg/product_info.php?products_id=212/trackback

 

Does anyone know what I should do, and whether my website has been affected? If so, what further steps should I take? Many thanks in advance.

 

Lyn

Link to comment
Share on other sites

  • 1 month later...

I've got it too. For different IPs it started to send notifications somewhere about 21 December, almost 100 per day. What to do now? Is it a hack attack on the shop?

 

Entering the PHPIDS plugin in the Admin Panel gives a popup with "9537246810"...

Edited by LeanderPL
Link to comment
Share on other sites
