osCommerce


Oscommerce Security - Osc_Sec.php


Taipo

osC_Sec 2.8[r9]

What's New?

- Small fix to email disabler code to remove error notice
- Cleanup of global code

To update just replace the osc_sec.php file in your includes directory

Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Download from: http://addons.oscommerce.com/info/7834

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


osC_Sec 2.9

What's New?

- Cookies are now tested against the blacklists
- Removed excess code which caused a double up in the email notification

To update just replace the osc_sec.php file in your includes directory

Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Download from: http://addons.oscommerce.com/info/7834


Security is really very important for all things, whether it is any website or any other things. This file is really very necessary for our websites. I will definitely apply this.


Hi Taipo

I've been using your addon for quite a while now - great stuff.

Getting an error in admin using the Quick Updates contribution - quick_updates.php

Once I've changed values and hit update, I get banned.

Anything I can do to allow this contribution to continue to work? (It was working with the OSC_sec addon before.)

Thanks

Getting the Phoenix off the ground


If you have email notifications switched on can you forward me the ban notification content to my email address [email protected]

 

Also what version of osC_Sec did you upgrade from?


Or use the PM function on these forums to forward me the email notification. If you didn't have notifications on, remove your IP address from the htaccess file, turn on email notifications and repeat the action that got you banned in the first place; then you should receive the email.


osC_Sec 3.0

This is a complete update and both osc.php and osc_sec.php files need to be updated. Don't forget to reset your settings in osc.php

What's New?

- Added the $osCSpamTrap function (see readme.htm)
- Update to blacklists
- Update to mailer code
- Fixed glitch in IP Trap code
- Fixed glitch in 2.3.1 $PHP_SELF code
- Fix to the getDIR() function
- Streamline the cookieShield function
- Expire Cookie option has been removed due to too many conflicts with various versions of osCommerce

Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Download from: http://addons.oscommerce.com/info/7834


As you can see from above I have decided to drop the expired cookie feature and replace it with a JavaScript check instead. Too many users enabled the expired cookie function without testing it to see if it affected their sites, so it is actually best left out of future releases starting with this one.

Now to the osCSpamTrap feature:

Firstly this function is not compatible with every version of osCommerce. Test this thoroughly and disable it if you find any anomalies. I have tested it on base installs of osCommerce 2.2 RC1, osCommerce 2.3.1, Digistore 4.0, Digistore 4.1, Creloaded 6.4.1a, OscMax 204 and 205.

With osCSpamTrap enabled, browsers that do not understand JavaScript will be prevented from viewing pages that require user inputs like search pages, login and register pages. All legitimate web browsers (for example Firefox) can view JavaScript and 99% come with JavaScript enabled. Only the most paranoid of your site visitors will have JavaScript disabled.

Almost all automated spam bots will trip up on this feature as they are mostly basic forms attempting to post bogus information via the user inputs on your site.

This will prevent spammers whose automated tools do not understand JavaScript from mass registering, posting attack code, attempting to inject malicious queries via your site's URL and more.

Now for the downside to this option:

* Unfortunately many legitimate search spiders also do not 'understand' JavaScript.

So this feature has been configured to only work on selected pages on your website so as not to interfere with search engine searches of your product range, nor is it configured to work with the customer ordering process.

Areas protected by $osCSpamTrap are:

- admin area
- all login pages
- lost password pages
- search pages
- account creation
- contact forms

At the very least these sections of your site are the most targeted by spammers. Although there are other areas as well, those are already covered by the other functions in osC_Sec.

Disclaimer: If by activating this function you find that your site has become unviewable or continues to load in a continuous looping fashion or presents some other similar error, then go to osc.php and disable $osCSpamTrap

Finally, as an extra overcautious observation on my part, I recommend that unless you really understand the full impact of such an option, you leave it disabled.

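The post above describes the shape of the $osCSpamTrap check (a JavaScript test applied only to input-taking pages, a session that expires after 60 minutes per the r5 note, and clean-up on logoff per the r6 note) without showing code. The following is an added example written for this page, not osC_Sec's own code or the project's implementation: a per-session token is handed to the browser, a tiny script copies it into a cookie, and only form submissions on the gated pages are required to present it. The cookie name `js_ok`, the page list, the function names and the in-memory session stand-in are all assumptions; it needs PHP 7 or later for `random_bytes`.

```php
<?php
// Added example, not osC_Sec's own code: a JavaScript "proof of life" gate in the
// spirit of $osCSpamTrap. Cookie name, page list and function names are assumptions.

const TRAP_COOKIE   = 'js_ok';   // assumed: cookie the browser-side script must set
const TRAP_LIFETIME = 3600;      // 60 minutes, the timeout quoted in the r5 release note

// Only pages that take user input are gated; catalogue and checkout pages are left
// open so search spiders that do not run JavaScript are not locked out.
const TRAP_PAGES = [
    'login.php', 'create_account.php', 'password_forgotten.php',
    'advanced_search_result.php', 'contact_us.php',
];

// Issue (or refresh after expiry) the per-session token the script will echo back.
function trap_token(array &$session, int $now): string {
    $expired = empty($session['trap_issued']) || ($now - $session['trap_issued']) > TRAP_LIFETIME;
    if (empty($session['trap_token']) || $expired) {
        $session['trap_token']  = bin2hex(random_bytes(16));
        $session['trap_issued'] = $now;
    }
    return $session['trap_token'];
}

// Browser-side half, emitted into the gated page's HTML. A client that executes
// JavaScript copies the token into a cookie; a bot that merely parses the form never does.
function trap_script(string $token): string {
    return '<script>document.cookie='
        . json_encode(TRAP_COOKIE . '=' . $token . '; path=/; SameSite=Lax')
        . ';</script>';
}

// Server-side half, run before a gated page handles a form submission.
function trap_allows(string $method, string $page, array $session, array $cookies, int $now): bool {
    if (!in_array(basename($page), TRAP_PAGES, true)) {
        return true;   // page is not gated
    }
    if (strtoupper($method) !== 'POST') {
        return true;   // the GET that renders the form (and the script) is always allowed
    }
    $age = $now - (int)($session['trap_issued'] ?? 0);
    if (empty($session['trap_token']) || $age > TRAP_LIFETIME) {
        return false;  // no live token: the form was never rendered to this session, or it expired
    }
    // constant-time comparison so the cookie cannot be guessed byte by byte
    return hash_equals($session['trap_token'], (string)($cookies[TRAP_COOKIE] ?? ''));
}

// Clean-up on logoff (the r6 note): drop the token so a stale one cannot linger.
function trap_clear(array &$session): void {
    unset($session['trap_token'], $session['trap_issued']);
}

// Constructed walk-through using an array in place of $_SESSION and $_COOKIE.
$session = [];
$now     = time();
$token   = trap_token($session, $now);      // the GET of login.php renders form + script
$browser = [TRAP_COOKIE => $token];         // a real browser ran the script
$bot     = [];                              // a form-posting bot did not

var_dump(trap_allows('POST', '/catalog/login.php', $session, $browser, $now + 60));    // browser that ran the script
var_dump(trap_allows('POST', '/catalog/login.php', $session, $bot, $now + 60));        // bot without the cookie
var_dump(trap_allows('POST', '/catalog/login.php', $session, $browser, $now + 4000));  // token older than 60 minutes
var_dump(trap_allows('GET',  '/catalog/product_info.php', $session, $bot, $now));      // catalogue page, never gated
trap_clear($session);
```

The design keeps the two trade-offs from the post visible: the gate is a page allow-list rather than a site-wide rule, so spiders still index the product range, and it only fires on the POST, so a browser with JavaScript disabled sees the form but cannot submit it, which is the behaviour the disclaimer warns about.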

Just checking that the latest version is OK without the:

$httphost = "www.myshop.com"; # enter your site host without http:// using this format www.yourwebsite.com

in osc.php

 

Thanks

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


The host setting has been removed as of several versions ago. If you want to add in your own host then it's fine to add that line back in the osc.php settings file. osC_Sec still checks to see if $httphost is already set before attempting to set it itself.


You're welcome Ennio


The host setting has been removed as of several versions ago. If you want to add in your own host then it's fine to add that line back in the osc.php settings file. osC_Sec still checks to see if $httphost is already set before attempting to set it itself.

 

OK...I must have missed that when I did just the osc_sec.php updates. I will do a complete update as per the recent upload as is and thank you.


osC_Sec 3.0[r1]

What's New?

- general cleanup of all the code

For those updating, please replace both osc.php and osc_sec.php (reminder to add in your own settings again to osc.php).

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Download from: http://addons.oscommerce.com/info/7834


osC_Sec 3.0[r2]

What's New?

- Updated Blacklists
- Update to the way $PHP_SELF is set
- Fix to getShield, postShield and cookieShield
- Updated the email notification
- Added more server variables to sessions to make them more unique to each visitor

For those updating, just replace the osc_sec.php file.

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Download from: http://addons.oscommerce.com/info/7834


Hi

I have upgraded to 3.0 (r3) of this fine program and have encountered a problem.

I'm using an invoice PDF contribution (http://www.oscommerce.com/community/contributions,5321) to create invoices and now I get banned every time I try creating one from the admin area. In the e-mail notification I get the following:

REASON FOR BAN: getShield() listed item request_uri is banned: passthru.

Time of ban: Wed, 24 Aug 2011 19:03:36

.------------[ ALL $_GET VARIABLES ]-------------
#
# order_id=169
# passthruID=mycode
#
`--------------------------------------------------------

I tried $GETcleanup = 0; with no effect.

Anyone have an idea how to work around this?

Kind Regards

Jesper


Try the latest update Jesper [here]. I've made a few changes to the blacklists and also addressed your issue as well.

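The ban notice Jesper quotes is a textbook blacklist false positive: the parameter name `passthruID` contains the listed word `passthru`, so a substring test over the raw request URI bans an admin generating an invoice. The following is an added example written for this page, not osC_Sec's code and not the fix Taipo shipped: it reproduces the naive rule and sets a narrower one beside it that decodes the query string first and only matches a listed word standing alone. `SAMPLE_BLACKLIST` is a constructed three-word sample rather than osC_Sec's list, and the function names are assumptions.

```php
<?php
// Added example, not osC_Sec's own code: reproduces the false positive reported in the
// thread and shows a narrower match. SAMPLE_BLACKLIST is a constructed sample.

const SAMPLE_BLACKLIST = ['passthru', 'shell_exec', 'base64_decode'];

// Naive rule: any listed word appearing anywhere in the raw request URI bans the client.
// "passthruID=mycode" contains "passthru", so the invoice page trips it.
function naive_uri_banned(string $request_uri): ?string {
    foreach (SAMPLE_BLACKLIST as $word) {
        if (stripos($request_uri, $word) !== false) {
            return $word;
        }
    }
    return null;
}

// Narrower rule: decode the query string, then require the listed word to stand alone
// (\b on both sides) in a parameter name or value. "passthruID" no longer matches,
// while a bare "passthru" in a value still does. Array-valued parameters (a[]=x) are
// skipped here for brevity; a production filter would walk them recursively.
function refined_uri_banned(string $request_uri): ?string {
    $query = parse_url($request_uri, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return null;
    }
    $params = [];
    parse_str($query, $params);   // also undoes %XX encoding, so encoded variants are seen
    foreach ($params as $name => $value) {
        $fields = [(string)$name];
        if (is_string($value)) {
            $fields[] = $value;
        }
        foreach ($fields as $field) {
            foreach (SAMPLE_BLACKLIST as $word) {
                if (preg_match('/\b' . preg_quote($word, '/') . '\b/i', $field) === 1) {
                    return $word;
                }
            }
        }
    }
    return null;
}

// Constructed inputs: the URI behind the ban notice above, and a plain search for a listed word.
$invoice = '/admin/invoice.php?order_id=169&passthruID=mycode';
$search  = '/catalog/advanced_search_result.php?keywords=passthru';

var_dump(naive_uri_banned($invoice));    // the naive rule trips on the parameter name
var_dump(refined_uri_banned($invoice));  // the word-boundary rule lets the invoice page through
var_dump(refined_uri_banned($search));   // a stand-alone listed word is still caught
```

The general lesson for anyone tuning such a filter: match on decoded parameters rather than the raw URI, and prefer word-boundary or token matches to substrings, otherwise every contribution whose parameter names happen to contain a listed word (as this invoice add-on does) gets its users banned.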

Try the latest update Jesper [here]. I've made a few changes to the blacklists and also addressed your issue as well.

 

Thank you Taipo it works again. It is really nice that you support the contribution this well. Much appreciated.

 

/Jesper


Great to hear it's working again.


osC_Sec 3.0[r5]

What's New?

- Update to blacklists
- Fixed issues in $osCSpamTrap which can cause logouts in some versions of osCommerce if activated
- If activated, the session timeout for $osCSpamTrap is set to 60 minutes

For those updating, just replace the osc_sec.php file.

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Download from: http://addons.oscommerce.com/info/7834


For those updating, just replace the osc_sec.php file.

Taipo, I'm a little behind the times. I have version 2.7. Does simply replacing the osc_sec.php still apply in my situation?

Also, I have a couple of sites and I like to keep both of them up-to-date. Oftentimes I make a change in one and copy it over to the other site. I try to limit the number of hard-coded references, so as (hopefully) not to forget making a change. I remember not to copy over site-specific files, such as .htaccess, configure.php and template files.

Which brings me to my question: on line 28 of osc.php, the domain name is hard coded.

 $httphost = "www.yourstire.com"; 	# enter your site host without http:// using this format www.yourwebsite.com

Is it possible to make it relative by using something like:

 $httphost = "www." . STORE_NAME; 	# enter your site host without http:// using this format www.yourwebsite.com

Assuming that STORE_NAME equals "yoursite.com", is it possible to get the STORE_NAME from the configuration table? If possible, is there anything else I need to do to have it work properly?


If you are updating from 2.7 then it's best you do it like a complete new install, which will mean replacing both osc.php and osc_sec.php files. There is no need to hard code the domain name anymore.

 

Go through the readme.htm again as well, the other thing that has changed is where osc_sec.php is called in both of your application_top.php files.

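Taipo's answer is that $httphost no longer needs hard-coding because osC_Sec sets it when osc.php leaves it unset. The caveat a practitioner will want when a host is derived at runtime is that the `Host` header is chosen by the client, so using it unchecked lets a request pick the hostname the shop puts into its own links and mail. The following is an added example written for this page, not osC_Sec's own code or how it derives the host: an explicit osc.php value still wins, otherwise the request's host is accepted only if it is on a small allow-list of names the shop is really served under. The hostnames are constructed placeholders on the reserved `.test` domain and the function name is an assumption.

```php
<?php
// Added example, not osC_Sec's own code: populate $httphost without hard-coding it in
// osc.php, while never trusting the client-supplied Host header blindly.
// Hostnames below are constructed placeholders; the function name is an assumption.

function resolve_httphost(array $server, array $allowed_hosts, ?string $preset = null): string {
    // An explicit $httphost in osc.php still wins, as the thread describes.
    if ($preset !== null && trim($preset) !== '') {
        return $preset;
    }
    // Client-supplied value: lower-case it, drop any :port, accept only if allow-listed.
    $candidate = strtolower(trim($server['HTTP_HOST'] ?? ''));
    $candidate = preg_replace('/:\d+$/', '', $candidate);
    if ($candidate !== '' && in_array($candidate, $allowed_hosts, true)) {
        return $candidate;
    }
    // SERVER_NAME comes from the vhost configuration when the web server uses canonical
    // names, but some setups copy the Host header into it, so it is checked as well.
    $fallback = strtolower($server['SERVER_NAME'] ?? '');
    if ($fallback !== '' && in_array($fallback, $allowed_hosts, true)) {
        return $fallback;
    }
    // Otherwise pin to the first configured name so no generated link uses a host the
    // request chose for itself.
    return $allowed_hosts[0];
}

// Constructed sample: the two names a shop answers on, and four requests.
$allowed = ['www.example-shop.test', 'example-shop.test'];

// mixed case and a port suffix: normalised and accepted
var_dump(resolve_httphost(['HTTP_HOST' => 'WWW.Example-Shop.test:443'], $allowed));
// unknown Host header, but the vhost name is allow-listed: vhost name used
var_dump(resolve_httphost(['HTTP_HOST' => 'other.test', 'SERVER_NAME' => 'example-shop.test'], $allowed));
// neither value is allow-listed: pinned default
var_dump(resolve_httphost(['HTTP_HOST' => 'other.test', 'SERVER_NAME' => 'other.test'], $allowed));
// explicit osc.php setting takes precedence over everything
var_dump(resolve_httphost([], $allowed, 'www.example-shop.test'));
```

For the two-site setup described in the question, `$allowed_hosts` is the one value that legitimately differs per site, and it can live in the site-specific configure.php the poster already keeps out of the copy, so osc.php and osc_sec.php stay identical on both installs.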

osC_Sec 3.0[r6]

- $osCSpamTrap now cleans up its sessions on log off
- Update to the $PHP_SELF code
- Added another function to increase effectiveness of $chkPostLocation feature in preventing the posting of data from unauthorised forms

For those updating, just replace the osc_sec.php file.

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Download from: http://addons.oscommerce.com/info/7834


osC_Sec 3.0[r7]

What's New?

- Added a list of files to the ipBypass exclusion list including the range of sitemonitor files and some payment processor callback files.
- Added a version checker to restrict certain features depending on which version of osCommerce is being used

* For those updating, you will need to replace both osc_sec.php and osc.php files.

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Download from: http://addons.oscommerce.com/info/7834


osC_Sec 3.0[r8]

What's New?

- Improvement for $osCSpamTrap removal of sessions and cookies
- More checks of non-standard server request types
- Removed the inJECTorChk function as it is not needed

* For those updating, just replace the osc_sec.php file in includes/ with the one in this package.

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Download from: http://addons.oscommerce.com/info/7834


Archived

This topic is now archived and is closed to further replies.
