
Oscommerce Security - Osc_Sec.php


Taipo


 

Signing off for the night, got to get to the day job first thing AM but will work on this later Sunday.

 

Thanks

 

Back at it a bit... in a 2.2 shop with osC_Sec active, as before I cannot update a product, such as after an edit or when changing a quantity.

 

So I tried a "work around" with Easy Populate. With osC_Sec active, I could use EP to export a file, but after editing the file and trying to upload and import that file, it didn't work, i.e. I could see the page trying, but no update occurred. Then, after disabling osC_Sec on the admin side, I tried the upload and import and it was processed immediately. The file was to update product quantity.

 

That's it for now... and I'm going to go back and re-enable osC_Sec for security purposes.

 

Thanks

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


osC_Sec 4.0[r6]

What's New?

 

- Fix to the session.use_only_cookies code

- Moved the scubGET function to the osc.php file

 

* FOR THOSE UPDATING, replace BOTH the osc.php and osc_sec.php file in includes/ with the one in this package.

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Download from: http://addons.oscommerce.com/info/7834

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Steve try the latest update and let me know if that issue is still happening or not.


Steve try the latest update and let me know if that issue is still happening or not.

 

Will do, for now out the door to the day job, but will do the update this evening and get you the results.

Thanks for your assistance on this. Much appreciated.


Steve try the latest update and let me know if that issue is still happening or not.

Hi there, updated to osC_Sec 4.0[r7], results as follows:

  • In Who's Online, clicking the Show Bots box did not get me kicked back to the admin sign-on... so all OK there.
  • When editing an order, after the edit I am able to click the Preview and Update buttons without getting kicked back to the admin sign-on... so all OK there.
  • In Easy Populate, I was able to upload and import a file for inventory management, so all OK there.

Those were the only issues I noticed, so unless something else comes up, I'd say we're good to go.

 

 

Again, thank you for the support you provide.


That is great to hear, glad all is well.


  • 2 weeks later...

hi, in my admin file i have the following line

// set php_self in the local scope

$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

 

and not

// set php_self in the local scope

if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

 

So what should I replace the code with, please?


Yes, replace that code with the code in the readme.htm.


Hi

 

I tried upgrading to ver. 4.0(r7) and got a problem with my external CC operator. When someone confirms a transaction and is sent back to the shop, the shopping cart is not empty, which results in an empty order in my DB.

I have gone back to 3.0(r4) which I know works.

 

Other than that, everything works perfectly.

 

/Jesper


Did you have any of these three options activated in osc.php when you ran into that problem Jesper?

 

 
 $nonGETPOSTReqs = 0;
 $GETcleanup = 0;
 $osCSpamTrap = 0;


Did you have any of these three options activated in osc.php when you ran into that problem Jesper?

 

 $nonGETPOSTReqs = 0;
 $GETcleanup = 0;
 $osCSpamTrap = 0;

 

My settings were:

$nonGETPOSTReqs = 1;

$GETcleanup = 1;

$osCSpamTrap = 0;

 

From memory, I believe that nonGET and GETcleanup have always been set to 1.


What is the name of the 3rd party payment processor you are using?


The way around this if you have time to make some amendments is to add the callback filenames into the bypass code.

 

If you have time, message me the list of filenames that QuickPay calls back on your site and I will custom design the bypass code to bypass those filenames so the callback can come uninterrupted from your 3rd party processor. I can then also add them into the next release of osC_Sec for others using the same payment processor, and so that you would not have to continually update your code every time you want to update osC_Sec.


  • 2 weeks later...

osC_Sec 4.0[r8]

What's New?

- Code cleanup.

- Added a function to blacklist bad web harvesters

- Addressed an issue that could lead to a loop in some server configurations

 

* For those updating, replace the osc_sec.php file in includes/ with the one in this package.

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Download from:

http://addons.oscommerce.com/info/7834


osC_Sec 4.0[r9]

 

What's New?

- Added blacklist items

- Small fix to $osCSpamTrap code

 

* For those updating, replace the osc_sec.php file in includes/ with the one in this package.

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Download from: http://addons.oscommerce.com/info/7834


Has anyone had this problem?

 

# - QUERY_STRING = action=update_order_field&oID=3788&field=customers_postcode&new_value=31059x

 

Cheers

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


Can you message me the full email notification? Thanks, Geoffrey.


The bit I need to see is this line: "REASON FOR BAN: ....."

 

Including other bits of info...


Will do but don't have access to my emails until tomorrow.

 

Problem is that order_edit.php with an ajax add-on calls order_edit_ajax.php with customer_postcode in the url.

 

_post check finds this and naturally boots it out.

 

Had the same problem updating the billing postcode and delivery postcode.

 

My quick fix solution was to change order_edit.php to pass over the field name to update that did not have the string _post in it and then "change" it back to the correct name.

 

So field=customers_postcode in the url became field=customers_xxpostcode

 

				<td class="dataTableContent" valign="top"><input name="update_delivery_xpostcode" size="5" value="<?php echo $order->delivery['postcode']; ?>" <?php if (ORDER_EDITOR_USE_AJAX == 'true') { ?>onChange="updateShippingZone('delivery_xxpostcode', encodeURIComponent(this.value))"<?php } ?>></td>

 

And line 46 in order_edit_ajax.php became

 

 tep_db_query("UPDATE " . TABLE_ORDERS . " SET ". str_replace('xx', '', $_GET['field']) . " = '" . oe_iconv($_GET['new_value']) . "' WHERE orders_id = '" . $_GET['oID'] . "'");

 

Works a dream but something integrated into your contribution would be the best solution.

 

Cheers

 

G

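The rename trick above works because the "_post" substring no longer appears in the URL, but the update query in order_edit_ajax.php still takes the column name and the order id straight from $_GET, so anything that can reach that admin script can steer the UPDATE. The following is an added example (not osC_Sec code and not the Order Editor add-on's own code) of the "integrated" approach Geoffrey asks for: order_edit.php sends a short token, the server maps it to a known column through an allowlist, and the id and value are sanitised before they touch SQL. The token names (cpc, bpc, dpc), the array name $oe_editable_fields and the two helper functions are hypothetical; tep_db_input() is osCommerce's standard escaping helper, TABLE_ORDERS its table constant, and oe_iconv() the Order Editor helper referenced in the post above.

```php
<?php
// Added example: a hardened replacement for the field update in order_edit_ajax.php.
// The URL carries a token such as field=cpc instead of field=customers_postcode, so the
// banned query string quoted earlier in the thread
//   action=update_order_field&oID=3788&field=customers_postcode&new_value=31059x
// would instead read
//   action=update_order_field&oID=3788&field=cpc&new_value=31059x
// which contains no "_post" substring and never lets a caller choose the column name.

// Hypothetical token -> column allowlist; the keys are what order_edit.php sends.
$oe_editable_fields = array(
    'cpc' => 'customers_postcode',
    'bpc' => 'billing_postcode',
    'dpc' => 'delivery_postcode',
);

// Resolve a request token to a column name, or false if the token is not permitted.
function oe_resolve_field($token, $allowlist) {
    if (!is_string($token) || !isset($allowlist[$token])) {
        return false;
    }
    return $allowlist[$token];
}

// Build the UPDATE statement for one order field. Returns false when input is rejected.
// Assumes tep_db_input() (osCommerce escaping helper) and oe_iconv() (Order Editor
// charset helper) are loaded, as they are inside the admin application.
function oe_build_update_query($token, $new_value, $oID, $allowlist) {
    $column = oe_resolve_field($token, $allowlist);
    if ($column === false) {
        return false;
    }
    // orders_id is an integer column: cast it rather than trusting the string.
    $oID = (int) $oID;
    if ($oID <= 0) {
        return false;
    }
    return "UPDATE " . TABLE_ORDERS . " SET " . $column
         . " = '" . tep_db_input(oe_iconv($new_value)) . "'"
         . " WHERE orders_id = '" . $oID . "'";
}

// Request handling in order_edit_ajax.php then becomes:
$query = oe_build_update_query(
    isset($_GET['field']) ? $_GET['field'] : '',
    isset($_GET['new_value']) ? $_GET['new_value'] : '',
    isset($_GET['oID']) ? $_GET['oID'] : '0',
    $oe_editable_fields
);
if ($query === false) {
    // Unknown field token or bad order id: refuse rather than guess.
    header('HTTP/1.0 400 Bad Request');
    exit;
}
tep_db_query($query);
?>
```

On the order_edit.php side the onChange handler would pass the token, e.g. updateShippingZone('dpc', encodeURIComponent(this.value)), instead of the column name. Because the server only ever writes to columns listed in $oe_editable_fields, the str_replace() rewrite is no longer needed and a request carrying an unexpected field value is rejected instead of being turned into a column name.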

I have sent through the fix in your email for you ;)


Hello, I was working with a 2.3.1 shop last night and when adding a product, then using AJAX-AttributeManager-V2.8.7 I was having problems adding an attribute for stock. The attribute manager would distort upon trying to select an attribute and not function at all.

 

Thought about it overnight and tried disabling this setting in osc.php:

 

$osCSpamTrap

 

I had that enabled, before, but after disabling that setting, attribute manager worked again.

 

Provided FYI and thanks


I think the AJAX Attrib manager, from memory, pretty much needs all the optional features in osC_Sec disabled, except IP address banning/IP Trap.

 

Other than that, did you notice any other anomalies when using $osCSpamTrap?

