
Oscommerce Security - Osc_Sec.php


Taipo


Hi Taipo,

 

I have installed Osc SEC on one of my sites to trial how it behaves with my mods.

 

I have tried testing it using :

 

http://www.mysite.co.uk/catalog/admin/categories.php/login.php?cookies=1

 

And it takes me to a not found page like:

Not Found

 

The requested URL /admin/categories.php/login.php was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

No emails are received and the only error I can see in the cpanel error log is the not found error.

 

Any ideas?

 

Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


osC_Sec 4.0

What's New?

- Fix to admin sessions cookie not being destroyed under certain circumstances when $osCSpamTrap is enabled

- $chkPostLocation now throws an access denied message and calls a page die when data is attempted to be posted from an external source, rather than adding the IP to the ban list as it previously did if IP banning is enabled.

- Update to getShield to improve the way it deals with request uri strings

 

* For those updating, just replace the osc_sec.php file in includes/ with the one in this package.

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Download from: http://addons.oscommerce.com/info/7834

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


http://www.mysite.co.uk/catalog/admin/categories.php/login.php?cookies=1

 

Since both categories.php and login.php should exist in your admin directory no matter whether you have renamed the admin directory or not, the 404 file not found will be the server telling you that some other part of that URL you are testing with is not correct. For example, is there an admin directory in that location? Apologies if this comes across as a rather simple response; it's a process of elimination, so we have to start with the obvious.


Hi,

Yes, there is a directory called Admin, but it only contains one file - a file that will trigger IP Trap.

 

My "Real" admin has been renamed.

 

What puzzles me is that neither IP Trap nor OSC SEC reacted to a blatant attempt to access a file within "Admin", regardless of whether that file existed or not.

 

Thanks

 

I know now that OSC SEC is working as I received an email in the night having banned an IP with the following:

 

.------------[ ALL $_GET VARIABLES ]-------------

#

# - aID=1

# - action=insert

#

`--------------------------------------------------------

 

.---------[ ALL $_POST FORM VARIABLES ]-------

#

# - username = admincrash

# - password = wew

#

`--------------------------------------------------------

 

But the above question still puzzles me.


Firstly, version 4.0[r2] of osC_Sec is out, which will catch more attempts than the previous versions.

 

Second thing is osC_Sec does not catch attempts to access files that do not exist. osC_Sec is a filtering script that works inside the osCommerce codeset and blacklists and whitelists requests made by site users against real osCommerce files that actually exist.

 

If you request

http://www.mysite.co.uk/catalog/admin/categories.php/login.php?cookies=1

then because osC_Sec has the correcting $PHP_SELF code in it, it will translate the request to:

http://www.mysite.co.uk/catalog/admin/categories.php?cookies=1

at which point your webserver seeing there is no file in the admin directory called category.php, will throw a file not found error as it should.

 

The only way to catch and match requests on directories for files that do not exist is via htaccess.

 

IP Trap is a tripwire concept: if someone tries to access /somedirectory/index.php and that file index.php is set with the IP Trap code, the attempt is then caught and the IP banned.

 

If you want IP Trap to catch an attempt against admin/categories.php file then you need to actually have a file called categories.php in the admin directory which if I remember correctly means taking the code from the personal/index.php file and copying it into a file called category.php in your admin directory.

 

That way any request at all to admin/category.php whether it has ?cookies=1 or not as a query, will get trapped.

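As an added illustration of the $PHP_SELF correction described above (example code, not osC_Sec's own; the function names and the sample document root are assumptions), this collapses the path-info part of a request and then checks whether the resulting script actually exists, which is the point at which a request for a missing file is the web server's and .htaccess's job rather than the filter's:

```php
<?php
// Added example, not code from osC_Sec. It shows how a "correcting
// $PHP_SELF" step reduces a request such as
//   /catalog/admin/categories.php/login.php?cookies=1
// to /catalog/admin/categories.php?cookies=1 before anything else in the
// filter looks at it. Function names and paths are assumptions.

function osc_sec_correct_php_self(string $request_uri): string
{
    // Split the path from the query string (the query is kept as-is).
    $parts = explode('?', $request_uri, 2);
    $path  = $parts[0];
    $query = isset($parts[1]) ? '?' . $parts[1] : '';

    // Keep everything up to and including the first "*.php" segment;
    // whatever follows it is PATH_INFO and is discarded.
    if (preg_match('#^(.*?\.php)(/.*)?$#i', $path, $m)) {
        $path = $m[1];
    }
    return $path . $query;
}

// osC_Sec only runs inside a real osCommerce script. If the corrected path
// does not map to a file under the document root, PHP is never invoked for
// it, so such requests can only be matched by .htaccess rules.
function osc_sec_resolves_to_real_file(string $request_uri, string $docroot): bool
{
    $path = explode('?', osc_sec_correct_php_self($request_uri), 2)[0];
    return is_file(rtrim($docroot, '/') . $path);
}

// Constructed sample requests; the document root is an assumed value.
$docroot = '/var/www/html';
$samples = [
    '/catalog/admin/categories.php/login.php?cookies=1',
    '/catalog/admin/categories.php?cookies=1',
    '/catalog/product_info.php/anything/here?products_id=7',
    '/catalog/images/logo.gif',
];
foreach ($samples as $uri) {
    $fixed  = osc_sec_correct_php_self($uri);
    $exists = osc_sec_resolves_to_real_file($uri, $docroot) ? 'exists' : 'missing';
    echo $uri, ' => ', $fixed, ' [', $exists, "]\n";
}
```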

Thanks Taipo.

 

And thanks for producing OSC SEC - I will now install on my other sites.

 

Thanks


Glad it's working for you.


Hi Again,

 

Just found an anomaly with orders being processed via Paypal IPN.

 

Prior to installing OSC SEC these orders when paid for gave a status of "Processing".

 

Post installation the status of the order is remaining at "Pending" which may mean that I could miss some orders.

 

Any idea how this is happening?

 

Thanks


What features do you have switched on in osc.php


Hi,

 

These are the settings:

 

$timestampOffset = 0

$nonGETPOSTReqs = 1

$chkPostLocation = 0

$GETcleanup = 1

$osCSpamTrap = 0

$banipaddress = 0

$useIPTRAP = 1

$emailenabled = 1

 

Thanks


There doesn't seem to be anything in those settings that could be conflicting with paypal. I have just uploaded a new update at http://addons.oscommerce.com/info/7834, update to that version as it has a lot more bypasses in it for 3rd party processors like Paypal.


And on that note:

 

osC_Sec 4.0[r4]

What's New?

 

- Added flood protection to the $osCSpamTrap beta test feature.

- Removed the $chkPostLocation function as it is causing too many conflicts

- Further enhancements of $PHP_SELF code

 

* For those updating, replace both the osc.php and osc_sec.php files in includes/ with the ones in this package.

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Download from: http://addons.oscommerce.com/info/7834


By the way Heather, which version of Paypal payment system are you using in osCommerce?


Let me know if that fixes things for you.


Hello,

First of all, thanks for this very useful Add On.

I just wanted to let you know two suggestions:

1. As I have a multilingual installation, I had to add a list of special characters for the Spanish and German languages to the character whitelist of the search function in the osc_sec.php file at line 545 (vers. osC_Sec_4.0[r3]).

This line looks now like this:

	  $nodes = preg_replace('/[^\w\s\p{L}\d\ä\ö\ü\Þ\Ö\Ó\ß\é\í\ú\ó\á\Á\Í\É\Ú\Ü\ñ\Ñ\º\ª\€\r?,Ä=@%:{}\/.-]/i', '', $nodes );

 

Now my suggestion is :

Would it be possible to put this in a separate file as a special character whitelist for languages which need this feature?

Like this it would be possible to avoid editing the osc_sec.php file before uploading each new version.

 

2. I appreciate how you intend to keep your add-on actualised, but is it really necessary to upload up to 4 new versions per day?

How about to collect updates for uploading once per week maybe?

 

Thanks and best regards

 

raiwa

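One way to implement raiwa's first suggestion, as an added example that is not part of osC_Sec (the include path, the function names and the sample input are assumptions): keep the per-language characters in a separate file and build the character class from it at run time, so osc_sec.php itself stays untouched across updates.

```php
<?php
// Added example, not osC_Sec's own code. Assumed layout: the extra
// characters live in includes/osc_sec_whitelist.php, which simply returns
// a string, e.g.:
//   <?php return "ºª€";
// Letters such as ä, ñ or É do not need listing when the pattern is
// compiled with the "u" modifier, because \p{L} then matches them as
// whole characters instead of as raw bytes.

function osc_sec_load_extra_whitelist(string $file): string
{
    if (!is_file($file)) {
        return '';                 // no file: behave exactly as before
    }
    $extra = include $file;
    return is_string($extra) ? $extra : '';
}

function osc_sec_clean_search_nodes(string $nodes, string $extra): string
{
    // The base class mirrors the original whitelist; the extra characters
    // are escaped so that a stray ']' or '-' in the file cannot break it.
    $class = '\w\s\p{L}\d,=@%:{}\/.\-' . preg_quote($extra, '/');
    $clean = preg_replace('/[^' . $class . ']/iu', '', $nodes);
    // With "u", invalid UTF-8 makes preg_replace return null; treat that as
    // an empty search rather than letting the raw bytes through.
    return $clean === null ? '' : $clean;
}

// Constructed sample: accented letters survive, markup characters are
// stripped, and "€" survives only if the whitelist file lists it.
$extra = osc_sec_load_extra_whitelist(__DIR__ . '/includes/osc_sec_whitelist.php');
echo osc_sec_clean_search_nodes("Müller café 5€ <b>Zapatos</b> señora", $extra), "\n";
```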

Hi there, I am having a glitch in a couple of my shops running osc sec after the past update or two.

I noticed today when I was looking at who's online in admin, when I checked the "show bots" box, I got kicked off site back to admin sign on. I let it go as I had other stuff to do, but this evening when editing a product, when clicking "preview" I got kicked back to admin sign on again. Same thing happened when trying to select catalog in the left column.

The only thing I changed in the past day or so was the osc sec update, so I went into admin/includes/application_top and disabled osc sec. That fixed things. I enabled it again, and the problems came back.

I had to disable osc sec to complete the item edit, then I re-enabled osc_sec via un-commenting the appropriate application top line.

Ideas?

These are 2.2 RC2a shops.

 

PS on this.....I rolled back to osC_Sec 3.0[r7] and the problem disappeared....FYI on that.

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


1. As I have a multilingual installation, I had to add a list of special characters for the Spanish and German languages to the character whitelist of the search function in the osc_sec.php file at line 545 (vers. osC_Sec_4.0[r3]).

 

I have a fix for this but it seems the new site is playing tricks with the pasted code. Can you email me the $node line you are using to [email protected] and I will add it in to the next release of osC_Sec

 

2. I appreciate how you intend to keep your add-on actualised, but is it really necessary to upload up to 4 new versions per day?

How about to collect updates for uploading once per week maybe?

 

That is most certainly the intention and apologies if there have been a string of them lately. I have another project coming up in a week and need to get as many of these fine tunings out of the way before moving on to that. That has resulted in updates as I find them unfortunately and will continue this way for the next 7 days, after that things will quieten down as my time will be used elsewhere.


Hi there, I am having a glitch in a couple of my shops running osc sec after the past update or two.

I noticed today when I was looking at who's online in admin, when I checked the "show bots" box, I got kicked off site back to admin sign on. I let it go as I had other stuff to do, but this evening when editing a product, when clicking "preview" I got kicked back to admin sign on again. Same thing happened when trying to select catalog in the left column.

The only thing I changed in the past day or so was the osc sec update, so I went into admin/includes/application_top and disabled osc sec. That fixed things. I enabled it again, and the problems came back.

I had to disable osc sec to complete the item edit, then I re-enabled osc_sec via un-commenting the appropriate application top line.

Ideas?

These are 2.2 RC2a shops.

 

PS on this.....I rolled back to osC_Sec 3.0[r7] and the problem disappeared....FYI on that.

 

Just to help me narrow down where your issues are, can you post what settings you have enabled in osc.php please.


 

Just to help me narrow down where your issues are, can you post what settings you have enabled in osc.php please.

 

Sure...

 

I reinstalled osC_Sec_4.0[r5] and verified the glitches as noted were present again.

 

My settings:

 

$timestampOffset = -5; # Set the time offset from GMT, example: a setting of -10 is GMT-10 which is Tahiti, 12 is New Zealand

$nonGETPOSTReqs = 0; # 1 = Prevent security bypass attacks via forged requests, 0 = leave it as it is

$GETcleanup = 0; # 1 = Clean up $_GET variables, 0 = don't cleanup. If you use FWR_SECURITY_PRO then you can set this to not 0.

$osCSpamTrap = 0; # 1 = Demand visitor browsers understand javascript on selected input pages, 0 = disable the check ( see readme.htm for more info )

 

/**

* this section of settings is to allow osC_Sec.php

* to ban an IP address if it breaks the rules

* see readme.htm for further information

**/

 

$banipaddress = 1; # 1 = adds ip to htaccess for permanent ban, 0 = calls a page die if injection detected

$useIPTRAP = 0; # 1 = add IPs to the IP Trap contribution, 0 = leave it off

$ipTrapBlocked = ""; # Put the full URL to your blocked.php if you intend to use IP Trap.

# Example: $ipTrapBlocked = "http://www.yourwebsite.com/blocked.php";

 

I also have emailenabled with the appropriate info there, but didn't include on a hunch it's not related...

 

Thanks


Also, which who's online addon are you using?


Also, which who's online addon are you using?

 

It's Who's Online 3.5.4 by SteveDallas

 

I check that about every other or so time I am in admin, it was working OK before the latest osc sec update.


Try this out, Steve.

 

In the latest version of osc_sec.php find this line:

 if ( false !== ini_get( "session.use_only_cookies" ) ) ini_set( "session.use_only_cookies", 0 );

 

And replace with:

//  if ( false !== ini_get( "session.use_only_cookies" ) ) ini_set( "session.use_only_cookies", 0 );

 

Basically commenting it out, and see if that problem persists. Let me know what happens.


Try this out, Steve.

 

**************

 

Basically commenting it out, and see if that problem persists. Let me know what happens.

 

Hi there, testing who's online it kicked me back to admin sign on.

 

Attempting to update a product...ditto.

 

Signing off for the night, got to get to the day job first thing AM but will work on this later Sunday.

 

Thanks


There doesn't seem to be anything in those settings that could be conflicting with paypal. I have just uploaded a new update at http://addons.oscommerce.com/info/7834, update to that version as it has a lot more bypasses in it for 3rd party processors like Paypal.

 

Hi Taipo - thanks for the assistance.

 

I have just updated to V4r5 and will now carry out a test.

 

The PayPal IPN module I am using (which worked fine previously) is osCommerce 2.2 MS2 PayPal IPN Payment Module v2.3.4.7 (4 Mar 2009), which was downloaded here: http://addons.oscommerce.com/info/2679

 

I will now try testing the new version of OSC SEC with a trial purchase

 

Thanks


Hi Taipo,

 

Just made two trial purchases, one using Paypal IPN and one using Barclays EPDQ

 

Both went through without any problems and the Callback successfully changed the order status to "Processing" as per normal.

 

I don't know what you did on the new version (V4r5) but it solved my problem.

 

Thank you so much for your dedication to this great security modification and for your great support.


Archived

This topic is now archived and is closed to further replies.
