
Oscommerce Security - Osc_Sec.php


Taipo


It works on Windows (my test server) and does not work on Linux (production server).

 

I have changed the cleanup syntax below. This may render some more of the non-english char items than the previous one. Using the perl compatible regular expressions will hopefully allow the browser character settings to make a better determination of what is displayed and what isn't. However this may not work on some locale settings.

 

 /**
  * Clean up GET request vars
  * as well as multidimensional arrays.
  * Returns the cleaned copy; callers must use the return value.
  */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
       foreach ( $nodes as $key => $value ) {
          // write the recursive result back; discarding it leaves nested
          // arrays and their scalar elements uncleaned
          $nodes[$key] = scrubster( $value );
       }
    } else {
       // hide the umlauts behind a request-specific token, strip everything
       // outside the whitelist, then restore the umlauts
       $nodes = getCleaner( $nodes, TRUE );
       $nodes = preg_replace( "/[^\w\s?,€=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
       $nodes = getCleaner( $nodes, FALSE );
    }
    return $nodes;
 }

 /**
  * Called above, this will clean up
  * values but not interfere with umlauts:
  * $conv > 0 swaps each umlaut for an ASCII token the whitelist lets
  * through, $conv == 0 swaps the tokens back.
  */
 function getCleaner( $string, $conv = 1 ) {
    // token prefix built from server-side values so a client cannot easily
    // supply a ready-made placeholder in the request
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] .
              $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    $tolist   = explode( ",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,&szlig" );
    $fromlist = explode( ",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig" );
    $finlist  = explode( ",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß" );
    // the last valid index is count()-1; "<=" read one element past the end
    for ( $wr = 0; $wr < count( $tolist ); $wr++ ) {
       if ( $conv > 0 ) {
          $string = str_replace( $tolist[$wr], $x . $fromlist[$wr], $string );
       } else {
          $string = str_replace( $x . $fromlist[$wr], $finlist[$wr], $string );
       }
    }
    return $string;
 }


Try the last version I put up if you get a chance. Below is a slightly modified version which replaces the previous two functions.

 

 /**
  * Clean up GET request vars
  * as well as multidimensional arrays
  */
 setlocale(LC_CTYPE, 'C');
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
       foreach ( $nodes as $key => $value ) {
          // keep the recursive result; without the assignment the nested
          // value is never replaced
          $nodes[$key] = scrubster( $value );
       }
    } else {
       $nodes = preg_replace( '/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $nodes ) );
    }
    return $nodes;
 }

 

I have uploaded it to a production server here: http://warbeast.netne.net/

 

This is what I am seeing in FF

 

[screenshot of the Firefox output]

 

The test code I am using in application_top.php below the osc_sec.php require include is:

 

echo  "ABCDEFGabcdefg,=,.,@,:,{,},_,-ä,ö,ü,Ä,Ö,Ü,€,ß [w](o)%3Cr%3Ek|i*n^g";
echo "<br>\n";
echo scrubster( "ABCDEFGabcdefg,=,.,@,:,{,},_,-ä,ö,ü,Ä,Ö,Ü,€,ß [w](o)%3Cr%3Ek|i*n^g" );

 

In my browser it is displaying correctly. However, using the PCRE method of filtering can run into problems depending on the server's locale settings.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


I think the problem again is that for some reason some of these addons are calling constant defined variables via HTTP_GET_VARS instead of just calling the defined item directly.

 

However, these are some of the issues we have to face when working around each others addons.

 

Try this one out then. It is a bit of the old (as in a bit of the original fix) and a bit of the new.

 

Replace the entire piece above with this. It should, at a guess, make the order editor work better.

 

 /**
  * Clean up GET request vars
  * as well as multidimensional arrays
  */
 function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
       foreach ( $nodes as $key => $value ) {
          // keep the recursive result; without the assignment the nested
          // value is never replaced
          $nodes[$key] = scrubster( $value );
       }
    } else {
       $nodes = preg_replace( '/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $nodes ) );
    }
    return $nodes;
 }

 

Hi!

 

FF with test line shows:

auml,ouml,uuml,Auml,Ouml,Uuml,euro,szlig,ampauml,ampauml,ampuuml,ampAuml,ampOuml,ampUuml,ampeuro,ampszlig,ä,ö,ü,Ä,Ö,Ü,€,ß working

 

I did a test and Order Editor is working again :rolleyes:

 

FF (Coupon Codes shows):

Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht (German: "The minimum order value for this coupon is 10,00 and has not yet been reached")

 

sign is still filtered, but apart from that it looks good.

I did a test with Coupon Codes and Order Editor only.

These made most problems in combination with osc_sec.

Best regards

 

Popsel


That may have to be the final balance in the end, I think. It's not the optimum, but at least the main function is working.

 

In the end that filter is not as crucial to the security of 2.2.x as the other non-optional parts of osC_Sec. The optional sections are optional for that reason, if they create a conflict they can at least be switched off unless, like yourself, you know how to code your way around them.
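All three scrubster() versions above share one limitation: without the /u modifier PCRE compares single bytes, so a character class that spells out ä ö ü Ä Ö Ü € ß only admits the individual UTF-8 bytes of those characters, and any other multibyte letter (Cyrillic, Greek, accented Latin outside that list) is shredded byte by byte. The following is an added example, not osC_Sec's own code, showing the byte-oriented pattern from the thread beside a Unicode-aware version, plus a recursive walk that actually returns the cleaned array (the posted versions call themselves and discard the result). The function names, the sample request and the choice of \p{L}/\p{N} are my own assumptions; it assumes UTF-8 input.

```php
<?php
// Added example; not part of osC_Sec. Assumes UTF-8 request data.

// Byte-oriented variant: the pattern posted in the thread, unchanged.
// Without /u, PCRE matches single bytes, so the class only admits the
// bytes that make up ä ö ü Ä Ö Ü € ß (0xC3 0xA4, 0xE2 0x82 0xAC, ...).
function scrub_bytewise($value) {
    $value = urldecode($value);
    return preg_replace('/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', $value);
}

// Unicode-aware variant: /u makes PCRE work on code points, \p{L} and
// \p{N} cover letters and digits of every script, and € is listed
// explicitly because it is a currency symbol rather than a letter.
function scrub_unicode($value) {
    $value = urldecode($value);
    $clean = preg_replace('/[^\p{L}\p{N}\s?,=@%:{}\/._€-]/u', '', $value);
    // With /u, preg_replace() returns NULL on malformed UTF-8 instead of
    // a string. Fail closed: drop the value rather than pass it through raw.
    return $clean === null ? '' : $clean;
}

// Recursive walk over a (nested) request array. The recursion result is
// written back to $out[$key]; the thread's scrubster() threw it away.
// Keys are scrubbed too, since they are as attacker-controlled as values.
function scrub_request(array $nodes, $scrub) {
    $out = array();
    foreach ($nodes as $key => $value) {
        $cleanKey = is_int($key) ? $key : $scrub($key);
        $out[$cleanKey] = is_array($value)
            ? scrub_request($value, $scrub)
            : $scrub((string) $value);
    }
    return $out;
}

// Constructed sample $_GET, not taken from the page. Non-ASCII bytes are
// shown url-encoded where that makes the intent clearer.
$sample = array(
    'q'      => 'f%C3%BCr%20%E2%82%AC10',           // "für €10"
    'city'   => '%D0%A1%D0%BE%D1%87%D0%B8',         // "Сочи", contains ч
    'p'      => '%3Cscript%3Ealert(1)%3C/script%3E',
    'nested' => array('a' => 'x|y*z^', 'b' => array('c' => 'ok_1')),
);

// Expected, byte-wise: q => "für €10", city => "" (every Cyrillic byte
// lies outside the class), p => "scriptalert1/script", a => "xyz",
// c => "ok_1".
print_r(scrub_request($sample, 'scrub_bytewise'));

// Expected, Unicode-aware: identical except city => "Сочи".
print_r(scrub_request($sample, 'scrub_unicode'));
```

A whitelist on $_GET like this is defence in depth, not a replacement for parameterised queries and output encoding, and it silently alters what the shop receives (the stripped currency sign in the coupon message reported above is the same mechanism), so any character class used in production should be tested against the real locales the shop serves.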


osC_Sec_2.5[r3] Updated

What's New?

- GET cleanup now better presents special characters

- Added the osC_Sec version to the diagnostic email. If you have allowed a diagnostic email to be sent, it will now include which version of osC_Sec you are using.

- Changed the whitelisting function to the perl compatible regular expression

- Added more blacklisted items to the form filtering ($_POST requests)

 

NOTE: For users upgrading from osC_Sec_2.5[r2] you only need replace the osc_sec.php with the one contained in this zip file.

 

Download from: http://www.oscommerce.com/community/contributions,7834


Hi,

 

I have been trying to implement this addon but have been encountering errors and I am hoping you can help me with them.

 

Firstly, I keep getting the error

####### OSC_SEC.PHP WARNING: Please enable write access to your shop catalogs .htaccess file thanks #######

at the top of the front end and the admin backend pages. Which .htaccess should I be providing write access to and what level access should I be giving it? I have tried updating the one in the includes folder (I set it to 777 to ensure that it was completely open) and the error does not go.

 

Secondly:

I get the following errors on the website front end

Notice: Undefined variable: getHexvars in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 245

 

Notice: Undefined variable: _SESSION in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 397

 

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php:50) in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 404

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php:50) in /var/www/vhosts/*Website*/httpdocs/includes/functions/sessions.php on line 102

 

The website works regardless of the errors.

 

Finally, I get the following errors when I access the website/admin page

Notice: Undefined variable: getHexvars in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 245

 

Notice: Undefined variable: _SESSION in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 397

 

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php:50) in /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php on line 404

 

Notice: Constant SESSION_FORCE_COOKIE_USE already defined in /var/www/vhosts/*Website*/httpdocs/*admin*/includes/application_top.php on line 85

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php:50) in /var/www/vhosts/*Website*/httpdocs/*admin*/includes/functions/sessions.php on line 102

 

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/*Website*/httpdocs/includes/osc_sec.php:50) in /var/www/vhosts/*Website*/httpdocs/*admin*/includes/functions/general.php on line 22

 

I am unable to access the admin pages due to these errors.

 

I will have to disable the addon for now as the client will no doubt want to access the admin page tomorrow. If you have any suggestions please let me know. If you need any additional information, please let me know.

 

Thanks in advance

 

Simon


Hi,

 

I have been trying to implement this addon but have been encountering errors and I am hoping you can help me with them.

 

Firstly, I keep getting the error

####### OSC_SEC.PHP WARNING: Please enable write access to your shop catalogs .htaccess file thanks #######

at the top of the front end and the admin backend pages. Which .htaccess should I be providing write access to and what level access should I be giving it? I have tried updating the one in the includes folder (I set it to 777 to ensure that it was completely open) and the error does not go.

 

The htaccess in the root directory of your store is the one that needs to be made writable. Probably a setting of 666 would do it. But try 644 first, if no go then 666.

 

Secondly:

I get the following errors on the website front end

Notice: Undefined variable: getHexvars in /path_to/includes/osc_sec.php on line 245

 

Notice: Undefined variable: _SESSION in /path_to/includes/osc_sec.php on line 397

 

Are you running this on a test server? Generally the production servers have error notices disabled.

 

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:50) in /path_to/osc_sec.php on line 404

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /path_to/includes/osc_sec.php:50) in /path_to/includes/functions/sessions.php on line 102

 

These will probably disappear once you set the htaccess to writable.

 

Finally, I get the following errors when I access the website/admin page

Notice: Undefined variable: getHexvars in /path_to/includes/osc_sec.php on line 245

 

Notice: Undefined variable: _SESSION in /path_to/includes/osc_sec.php on line 397

 

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:50) in /path_to/includes/osc_sec.php on line 404

 

Notice: Constant SESSION_FORCE_COOKIE_USE already defined in /path_to/admin/includes/application_top.php on line 85

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /path_to/includes/osc_sec.php:50) in /path_to/admin/includes/functions/sessions.php on line 102

 

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:50) in /path_to/admin/includes/functions/general.php on line 22

 

Most of those will disappear once you correct the htaccess issue.

 

Let me know if there are any errors left after you have corrected those.

 

If you cannot change the server settings for error notices then add this line to osC_Sec.php

 

At the top find:

  $currentVersion = "2.5.[r3]";

 

In the line above it add the following:

  error_reporting(6135);


Wow, thanks for the quick reply.

 

I changed the code so that the errors were appearing on the screen, this is something that I was toggling on/off to see what was happening.

 

I am actually in the process of restoring the files back to before I started to change everything because there seems to be some problems with the code now. Once I have done that I will try installing it all again and I will let you know if I have any issues,

 

Thanks

 

Simon


Generally error notices are not something that affects the way the site runs. If you would rather not add the error code above, which will turn off notices, then try this way.

 

In the line under:

  $oscsec_ipPass = 1;

 

Add:

  $getHexvars = "";

 

That way you can still toggle error notices off and on.


Hi,

 

Unfortunately this has not worked. I have updated the .htaccess file to permission 644 and then 666 with no luck. I still get the error message.

 

When I installed the addon, I had to modify the installation process slightly. Firstly I was getting an error that the code couldn't access something at httpdocsincludes/osc_sec.php. I had to change the line "require(DIR_FS_CATALOG . 'includes/osc_sec.php');" in the includes directory version of the application_top.php to "require(DIR_FS_CATALOG . '/includes/osc_sec.php');"

 

I then got an error in the includes/osc_sec.php file. I had to change line 15 from " include(DIR_FS_CATALOG . 'includes/osc.php');" to "include(DIR_FS_CATALOG . '/includes/osc.php');"

 

I don't know if they are in any way significant, but I am at a loss. Let me know if you can think of anything.

 

The only other thing that I might mention is, for the line of code that I need to replace (as per your install instructions), in the includes version of that file, the following code appears under the comment

// set php_self in the local scope

if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

if ($request_type == 'NONSSL') {

define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);

} else {

define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);

 

When I changed it, I set it to:

// set php_self in the local scope

// if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

// set php_self in the local scope

// prefer the basename of SCRIPT_NAME; fall back to PHP_SELF only when
// cgi.fix_pathinfo is explicitly off or SCRIPT_NAME is not available
if ( empty( $PHP_SELF ) ) {
  $PHP_SELF = ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0 ) && ( (bool) ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME'] ) )
    ? basename( $HTTP_SERVER_VARS['PHP_SELF'] )
    : basename( $HTTP_SERVER_VARS['SCRIPT_NAME'] );
}

 

 

if ($request_type == 'NONSSL') {

define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);

} else {

define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);

}

 

I am assuming that this is correct.

 

Thanks

 

Simon


Hi,

 

Unfortunately this has not worked. I have updated the .htaccess file to permission 644 and then 666 with no luck. i still get the error message.

 

When I installed the addon, I had to modify the installation process slightly. Firstly I was getting an error that the code couldn't access something at httpdocsincludes/osc_sec.php. I had to change the line "require(DIR_FS_CATALOG . 'includes/osc_sec.php');" in the includes directory version of the application_top.php to "require(DIR_FS_CATALOG . '/includes/osc_sec.php');"

 

I then got an error in the includes/osc_sec.php file. I had to change line 15 from " include(DIR_FS_CATALOG . 'includes/osc.php');" to "include(DIR_FS_CATALOG . '/includes/osc.php');"

 

The easiest fix for this is to replace the require statement with the direct path to osc_sec.php.

 

Use this example instead:

 

require('/home/youruser/public_html/includes/osc_sec.php');

 

Replacing the path (/home/....) above with the actual path to the osc_sec file in the includes directory. Place this code in both application_top.php files replacing the one you have used already.

 

Also in osc.php replace the following also with the entire path

 

$htaccessfile = DIR_FS_CATALOG . ".htaccess";

 

with:

 

$htaccessfile = "/home/youruser/public_html/.htaccess";

 

and replace:

 

 $ipTrappedURL = DIR_FS_CATALOG . "banned/IP_Trapped.txt";

 

with:

 

 $ipTrappedURL = "/home/youruser/public_html/banned/IP_Trapped.txt";

 

(replacing the path above with your own site path).

 

The only other thing that I might mention is, for the line of code that I need to replace (as per your install instructions), in the includes version of that file, the following code appears under the comment

// set php_self in the local scope

if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

if ($request_type == 'NONSSL') {

define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);

} else {

define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);

 

When I changed it, I set it to:

// set php_self in the local scope

// if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

// set php_self in the local scope

// prefer the basename of SCRIPT_NAME; fall back to PHP_SELF only when
// cgi.fix_pathinfo is explicitly off or SCRIPT_NAME is not available
if ( empty( $PHP_SELF ) ) {
  $PHP_SELF = ( ( ( strlen( ini_get( 'cgi.fix_pathinfo' ) ) > 0 ) && ( (bool) ini_get( 'cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME'] ) )
    ? basename( $HTTP_SERVER_VARS['PHP_SELF'] )
    : basename( $HTTP_SERVER_VARS['SCRIPT_NAME'] );
}

 

 

if ($request_type == 'NONSSL') {

define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);

} else {

define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);

}

 

I am assuming that this is correct.

 

That is correct.


After a quick rethink. The issue is that in your configure files there is a forward slash missing in the DIR_FS_CATALOG setting. So ignore all that above for now and try adding a trailing slash to DIR_FS_CATALOG.

 

Example: (includes/configure.php)

 

change:

define('DIR_FS_CATALOG', '/home/yourusername/public_html/catalog');

 

to:

define('DIR_FS_CATALOG', '/home/yourusername/public_html/catalog/');

 

and see if that does not cause more problems than it fixes.


Hi Taipo,

 

I changed the files as per the post about setting the full path, and the site is still returning errors (actually warnings rather than errors).

 

Then I noticed your last post, so I reversed the changes I made, changed the DIR_FS_CATALOG and tried again. The same warnings appeared (with the error logging showing on the screen).

 

Here are the warnings. The site is working ok, so my question is, do these warnings indicate a problem with the addon not working? If it is working then I am happy to ignore the warnings.

 

Website

 

Notice: Undefined variable: _SESSION in /path_to/includes/osc_sec.php on line 400

 

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:400) in /path_to/includes/osc_sec.php on line 407

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /path_to/includes/osc_sec.php:400) in /path_to/includes/functions/sessions.php on line 102

 

 

Admin back end

 

Notice: Undefined variable: _SESSION in /path_to/includes/osc_sec.php on line 400

 

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:400) in /path_to/includes/osc_sec.php on line 407

 

Notice: Constant SESSION_FORCE_COOKIE_USE already defined in /path_to/admin/includes/application_top.php on line 86

 

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /path_to/includes/osc_sec.php:400) in /path_to/admin/includes/functions/sessions.php on line 102

 

Warning: Cannot modify header information - headers already sent by (output started at /path_to/includes/osc_sec.php:400) in /path_to/admin/includes/functions/general.php on line 22


Since correcting the 'DIR_WS_CATALOG' in configure.php files in both includes directories seems to have fixed the other issues (these are different warnings), it is probably a good idea at this point to upload a fresh copy of osC_Sec to your server.


If you are still getting the error notices then add this to osc_sec.php

 

Find:

$currentVersion = "2.5.[r3]";

 

on the next line add

error_reporting(6135);

 

That will leave the session errors.

 

In osc.php find

$testExpiredCookie = 1;

 

change this to

$testExpiredCookie = 0;

 

Let me know what errors are left after that.


Heya,

 

No errors appearing now.

 

Does that mean that it is working correctly, or does it just mean that we have hidden the errors?

 

Thanks

 

Simon

 

As I explained earlier the notices are not errors to be concerned about and in the properly configured production server they would be disabled by default. The expired cookie test is a tripwire I added in to catch out spam bots. It is clashing with some other code in your website so it is best disabled. It is not critical to the operation of osC_Sec which is why it is an optional component that can be switched off.


As I explained earlier the notices are not errors to be concerned about and in the properly configured production server they would be disabled by default. The expired cookie test is a tripwire I added in to catch out spam bots. It is clashing with some other code in your website so it is best disabled. It is not critical to the operation of osC_Sec which is why it is an optional component that can be switched off.

 

 

In that case, I am a happy man.

 

Thank you so much for your help!

 

Simon


osC_Sec_2.5[r4]

What's New?

- Fixed error notices about $getHexvars

- Tidy up of $arbitrarysession_block

- Better prevention of direct viewing of osc.php and osc_sec.php

- Auto set PHP error notices to off

- Fixed bug in $chkPostLocation where, if activated, whitelisted IPs were still being blocked from free posting without referers or cookies present.

- Changes to the GET whitelist filter to assist it to allow unicode through

- Set up a workaround to set the DIR_FS_CATALOG constant correctly where it is missing a trailing forward-slash

 

NOTE: With this upgrade you will need to update both osc.php and osc_sec.php

 

Download from: http://www.oscommerce.com/community/contributions,7834


In the next update of osC_Sec I have added the following instructions into the readme.htm for those still using osCommerce 2.2.1. This is an additional piece of code that ensures that if the login.php filename is in the URL then the site is actually redirected to the login.php page. This is not as critical a piece of code as the patching of the $PHP_SELF code in my opinion, even though it is listed as critical and the $PHP_SELF code change as low importance....

 

Code taken from: http://www.oscommerce.info/confluence/display/OSCOM23/%28A%29+%28SEC%29+Administration+Tool+Log-In+Update

 

-----------------------

 

Scroll down catalog/admin/application_top.php and find the following line:

 

  $redirect = true;
}

 

After, add the following:

 

    // redirect unless login.php itself set $login_request and no request
    // source carries a variable of that name (register_globals would
    // otherwise let ?login_request=1 set it for any script)
    if (!isset($login_request) ||
        isset($HTTP_GET_VARS['login_request']) ||
        isset($HTTP_POST_VARS['login_request']) ||
        isset($HTTP_COOKIE_VARS['login_request']) ||
        isset($HTTP_SESSION_VARS['login_request']) ||
        isset($HTTP_POST_FILES['login_request']) ||
        isset($HTTP_SERVER_VARS['login_request'])) {
      $redirect = true;
    }

 

Lastly open catalog/admin/login.php and find the following line:

 

 Released under the GNU General Public License
*/

After, add the following:

 

    $login_request = true; 

 

--------------------------------------
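The two admin-login changes in this thread, the $PHP_SELF replacement quoted earlier (basename of SCRIPT_NAME in preference to PHP_SELF) and the $login_request gate above, amount to one decision: is the running script really login.php, and was that fact established by login.php itself rather than by request data? The following is an added example, not code from osC_Sec or osCommerce, that folds both into pure functions so the decision can be exercised against constructed $_SERVER arrays. The function names and sample requests are my own; the only facts relied on are that PHP_SELF carries any trailing PATH_INFO while SCRIPT_NAME does not, and that with register_globals enabled a request variable becomes a PHP variable of the same name.

```php
<?php
// Added example; not osC_Sec or osCommerce code.

define('FILENAME_LOGIN', 'login.php');

// Mirror of the replacement $PHP_SELF line from the thread, written as a
// function over an explicit $server array instead of the globals.
// PHP_SELF includes PATH_INFO, so a request for /admin/categories.php/login.php
// has a PHP_SELF whose basename is "login.php", while SCRIPT_NAME stays
// /admin/categories.php.
function admin_script_basename(array $server, $fixPathinfo) {
    $pathinfoOff = (strlen($fixPathinfo) > 0) && ((bool) $fixPathinfo == false);
    if ($pathinfoOff || !isset($server['SCRIPT_NAME'])) {
        return basename($server['PHP_SELF']);
    }
    return basename($server['SCRIPT_NAME']);
}

// The $login_request gate: redirect to the login page unless login.php
// itself set the flag AND no request source carries a variable of that
// name. $sources stands in for GET, POST, COOKIE, SESSION, FILES, SERVER.
function must_redirect_to_login($loginRequestSetByScript, array $sources) {
    if (!$loginRequestSetByScript) {
        return true;
    }
    foreach (array('get', 'post', 'cookie', 'session', 'files', 'server') as $name) {
        if (isset($sources[$name]['login_request'])) {
            return true;
        }
    }
    return false;
}

// Combined check as admin/application_top.php would apply it: the script
// is treated as the login page only when both tests agree.
function is_trusted_login_page(array $server, $fixPathinfo, $loginRequestSetByScript, array $sources) {
    return admin_script_basename($server, $fixPathinfo) == FILENAME_LOGIN
        && !must_redirect_to_login($loginRequestSetByScript, $sources);
}

// Constructed requests, not from the page.
$noSources = array('get' => array(), 'post' => array(), 'cookie' => array(),
                   'session' => array(), 'files' => array(), 'server' => array());

// 1. Genuine login page.
$r1 = array('PHP_SELF' => '/admin/login.php', 'SCRIPT_NAME' => '/admin/login.php');
var_dump(is_trusted_login_page($r1, '1', true, $noSources));   // bool(true)

// 2. Another admin script with trailing path info: basename(PHP_SELF)
//    says "login.php", basename(SCRIPT_NAME) says "categories.php".
$r2 = array('PHP_SELF'    => '/admin/categories.php/login.php',
            'SCRIPT_NAME' => '/admin/categories.php');
var_dump(admin_script_basename($r2, '1'));                     // string(14) "categories.php"
var_dump(is_trusted_login_page($r2, '1', false, $noSources));  // bool(false)

// 3. login_request supplied in the query string. The gate redirects whether
//    or not some script set the flag, because a request-supplied copy exists.
$smuggled = array_merge($noSources, array('get' => array('login_request' => '1')));
var_dump(must_redirect_to_login(false, $smuggled));            // bool(true)
var_dump(must_redirect_to_login(true, $smuggled));             // bool(true)
```

The point of the combined check is that neither half is sufficient on its own: the SCRIPT_NAME test defeats path-info tricks but not register_globals, and the $login_request gate defeats register_globals but says nothing about which script is executing.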


osC_Sec_2.5[r5] updated

What's New?

- updated the GET whitelist recursive function to check for arrays where strings should be

- moved items from the REQUEST blacklist to the GET blacklist

- added code change instructions to the readme.htm which will assist in securing the admin login in version 2.2.x of osCommerce (see post directly above)

 

NOTE: With this upgrade you will not need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download from: http://www.oscommerce.com/community/contributions,7834


osC_Sec_2.5[r6]

What's New?

- Added more blacklisted items to the $_POST blacklist that would only appear in attempts to post malware code

- Removed a number of items from the $_POST blacklist that could cause a ban under certain normal conditions

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download from: http://www.oscommerce.com/community/contributions,7834


Taipo, thanks again for your work! A little problem with 2.5.[r6]: scrubster filters out the Russian letter "ч" from $_GET. Other Russian letters look OK.


Archived

This topic is now archived and is closed to further replies.
