Taipo (Author) Posted May 11, 2015

I had a further sweep through the code differences in the latest release and found another little bug. So try the latest release 5.2.1 and hopefully that has fixed it.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
mr_absinthe Posted May 11, 2015

Working fine now, thank you! :thumbsup:

Absinthe Original Liquor Store
Taipo (Author) Posted May 11, 2015

That's great news.
mr_absinthe Posted May 11, 2015

There was however one BIG advantage with the version 5.2.0. I have the "star product" contribution installed on the home page (where the image of King Gold is) and there is an Add to Cart button. It works fine, however after adding the product to cart, the page redirects to the product_info.php page with a Product Not Found title. Same for the module Specials that is on the same page... There was no redirection with v 5.2.0, the product was added to cart and the page remained the same. Would you please perhaps have a solution that would cure this Product Not Found redirection?
Taipo (Author) Posted May 11, 2015

I am not able to replicate this issue. When I add to the cart it appears to work fine for me.
mr_absinthe Posted May 12, 2015

Try any product in the bottom box called Specials for May please. I have changed the code for buy now in the Star box, but if you hover above it, it doesn't seem right even if it works.
Taipo (Author) Posted May 12, 2015

Which version of star product are you using?

Also, try going through the same test you ran earlier, commenting out these, one at a time:

fix_server_vars();
$this->_REQUEST_Shield();
$this->dbShield();
$this->getShield();
$this->postShield();
$this->cookieShield();
$this->checkReqType();

Let me know if one of those is the cause.
mr_absinthe Posted May 12, 2015

OK, I've disabled all of those lines, one by one, and no change: the product is added to cart and a redirect follows to product_info.php with the title Item Not Found. Just to avoid confusion, same behavior in v 5.1.4._1, it was only working as expected in v 5.2.0.

With regards to star product, it is a rather old version, 1.6 I believe, and since it was edited, and it is rather short code, I post it:

<?php
// REMOVE THESE LINES IF YOU DON'T WANT TO SHOW THE HEADER
// $header_star_product = array();
// $header_star_product[] = array('align' => 'center', 'text' => sprintf(STAR_TITLE));
// new contentBoxHeading($header_star_product);
// END OF -REMOVE THESE LINES IF YOU DON'T WANT TO SHOW THE HEADER-

// true if the product has at least one attribute row
function tep_star_product_with_attributes($products_id) {
  $attributes_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_ATTRIBUTES . " where products_id = '" . (int)$products_id . "'");
  $attributes = tep_db_fetch_array($attributes_query);
  if ($attributes['count'] > 0) {
    return true;
  } else {
    return false;
  }
}

// the star product, joined with specials so the final price reflects any active special
$star_products_query = tep_db_query("select substring(pd.products_description, 1, 598) as products_description, p.products_id, p.products_image, p.manufacturers_id, p.products_price, "
  . "IF(s.status, s.specials_new_products_price, NULL) as specials_new_products_price, IF(s.status, s.specials_new_products_price, p.products_price) as final_price, p.products_tax_class_id, sp.product_id "
  . "from ( " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd, " . TABLE_STAR_PRODUCT . " sp ) left join " . TABLE_SPECIALS . " s on p.products_id = s.products_id "
  . "where p.products_id = pd.products_id and p.products_status = '1' and pd.products_description != '' and p.products_id=sp.product_id and pd.language_id = '" . $languages_id . "'");
$star_products = tep_db_fetch_array($star_products_query);
$star_products['products_name'] = tep_get_products_name($star_products['products_id']);

/*
$evita_cortar_palabras = explode(' ', $star_products["products_description"]);
array_pop($evita_cortar_palabras);
$star_products["products_description"] = implode(' ', $evita_cortar_palabras);
*/

//if (tep_star_product_with_attributes($star_products['products_id'])) {
if (MODULE_ORDER_TOTAL_SHIPPING_FREE_SHIPPING == 'true') {
  $products_price = $currencies->display_price($star_products['final_price'], tep_get_tax_rate($star_products['products_tax_class_id']));
  $star_products["0"] = array('align' => 'center', 'params' => 'width="100%" valign="top"', 'text' =>
    '<tr> <td align="center" width="100%"><a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $star_products['products_id']) . '">' . tep_image(DIR_WS_IMAGES . $star_products['products_image'], $star_products['products_name'], STAR_IMAGE_WIDTH, STAR_IMAGE_HEIGHT, 'hspace="0" vspace="0"') . '</a></td> </tr>' .
    '<tr> <td width="100%" class="star-product-title">' . $star_products['products_name'] . '</td> </tr>' .
    '<tr> <td width="100%" class="star-product-price" align="center">' . STAR_PRICE . $products_price . '</td> </tr>' .
    '<tr> <td class="main" align="center">' . STAR_FREE_SHIPPING . '</td> </tr>' .
    '<tr> <td width="100%" class="star-product" align="center"><a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $star_products['products_id']) . '">' . STAR_READ_MORE . '</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a href="' . tep_href_link(FILENAME_HOME, tep_get_all_get_params(array('action')) . 'action=buy_now&products_id=' . $star_products['products_id'], 'NONSSL') . '">' . STAR_ADD . '</a><br /><br /> </td> </tr>');
  $star_products_output = array_slice($star_products, sizeof($star_products)-1);
  new productListingBox($star_products_output);
} else {
  $products_price_old = $currencies->display_price($star_products['products_price'], tep_get_tax_rate($star_products['products_tax_class_id']));
  $products_price = $currencies->display_price($star_products['final_price'], tep_get_tax_rate($star_products['products_tax_class_id']));
  $star_products["0"] = array('align' => 'center', 'params' => 'width="100%" valign="top"', 'text' =>
    '<tr> <td align="center" width="100%"><a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $star_products['products_id']) . '">' . tep_image(DIR_WS_IMAGES . $star_products['products_image'], $star_products['products_name'], STAR_IMAGE_WIDTH, STAR_IMAGE_HEIGHT, 'hspace="0" vspace="0"') . '</a></td> </tr>' .
    '<tr> <td width="100%" class="star-product-title">' . $star_products['products_name'] . '</td> </tr>' .
    '<tr> <td width="100%" class="star-product" align="center">' . STAR_PRICE_OLD . $products_price_old . '</td> </tr>' .
    '<tr> <td width="100%" class="star-product-price" align="center">' . STAR_PRICE . $products_price . '</td> </tr>' .
    '<tr> <td width="100%" class="star-product" align="center"><a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $star_products['products_id']) . '">' . STAR_READ_MORE . '</a>&nbsp;&nbsp;|&nbsp;&nbsp;<a href="' . tep_href_link(FILENAME_HOME, tep_get_all_get_params(array('action')) . 'action=buy_now&products_id=' . $star_products['products_id'], 'NONSSL') . '">' . STAR_ADD . '</a><br /><br /> </td> </tr>');
  $star_products_output = array_slice($star_products, sizeof($star_products)-1);
  new productListingBox($star_products_output);
}
?>

Replacing FILENAME_PRODUCT_INFO with FILENAME_HOME helps to avoid the same issue I'm having with the Specials box. However it doesn't seem right...
Taipo (Author) Posted May 12, 2015

Yeah, it would have worked in 5.2.0 because it was malfunctioning...

The other thing is to test disabling

$this->setGlobals();

on the off chance this has some effect.
mr_absinthe Posted May 12, 2015

:( Still the same, I'm afraid.
Taipo (Author) Posted May 12, 2015

Lastly, try commenting out

$PHP_SELF = $this->phpSelfFix();
mr_absinthe Posted May 12, 2015

No sir...
Taipo (Author) Posted May 12, 2015

Well, that pretty much disables everything osC_Sec does. So I am stumped as to what could be the cause.
FranzderFranke Posted May 15, 2015

Could your plugin help with such a problem?

http://www.oscommerce.com/forums/topic/407697-strange-urls-in-google-webmaster-tools/
stefan21 Posted July 8, 2015

Hello Taipo,

I'm running OSC 2.3.4 with Ultimate SEO URLs. PHP 5.3.29. Now my question:

1.) I modified the application_top.php in the admin/includes section like this:

// some code to solve compatibility issues
require(DIR_WS_FUNCTIONS . 'compatibility.php');
require_once(DIR_FS_CATALOG . 'includes/osc_sec.php');

// set the type of request (secure or not)
$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

// set php_self in the local scope
$req = parse_url($HTTP_SERVER_VARS['SCRIPT_NAME']);
$PHP_SELF = substr($req['path'], ($request_type == 'SSL') ? strlen(DIR_WS_HTTPS_ADMIN) : strlen(DIR_WS_ADMIN));

// set php_self in the local scope
if (!isset($PHP_SELF)) {
  if (@phpversion() >= "5.0.0" && (!ini_get("register_long_arrays") || @ini_get("register_long_arrays") == "0" || strtolower(@ini_get("register_long_arrays")) == "off")) $HTTP_SERVER_VARS = $_SERVER;
  $PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);
}

2.) The application_top.php in the catalog/includes folder like:

// some code to solve compatibility issues
require(DIR_WS_FUNCTIONS . 'compatibility.php');
require_once(DIR_FS_CATALOG . 'includes/osc_sec.php');

// set the type of request (secure or not)
$request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

/**
 * ULTIMATE Seo Urls 5 PRO by FWR Media
 * function to return the base filename
 */
function usu5_base_filename() {
  // Probably won't get past SCRIPT_NAME unless this is reporting cgi location
  $base = new ArrayIterator(array('SCRIPT_NAME', 'PHP_SELF', 'REQUEST_URI', 'ORIG_PATH_INFO', 'HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL'));
  while ($base->valid()) {
    if (array_key_exists($base->current(), $_SERVER) && !empty($_SERVER[$base->current()])) {
      if (false !== strpos($_SERVER[$base->current()], '.php')) {
        // keep only a plain "<name>.php" token, and only if that file actually exists here
        preg_match('@[a-z0-9_]+\.php@i', $_SERVER[$base->current()], $matches);
        if (is_array($matches) && (array_key_exists(0, $matches))
            && (substr($matches[0], -4, 4) == '.php')
            && (is_readable($matches[0]))) {
          return $matches[0];
        }
      }
    }
    $base->next();
  }
  // Some odd server set ups return / for SCRIPT_NAME and PHP_SELF when accessed as mysite.com (no index.php) where they usually return /index.php
  if (($_SERVER['SCRIPT_NAME'] == '/') || ($_SERVER['PHP_SELF'] == '/')) {
    return 'index.php';
  }
  // Return the standard RC3 code
  return (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($_SERVER['SCRIPT_NAME'])) ? basename($_SERVER['PHP_SELF']) : basename($_SERVER['SCRIPT_NAME']);
} // End function

// set php_self in the local scope
$PHP_SELF = usu5_base_filename();

// set php_self in the local scope
if (!isset($PHP_SELF)) {
  if (@phpversion() >= "5.0.0" && (!ini_get("register_long_arrays") || @ini_get("register_long_arrays") == "0" || strtolower(@ini_get("register_long_arrays")) == "off")) $HTTP_SERVER_VARS = $_SERVER;
  $PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);
}

Does it work, and does it make sense to set the if clauses and leave the originals? Your help would be appreciated.

Thank you in advance,
stefan
Taipo (Author) Posted July 8, 2015

osC_Sec was coded to address security issues in earlier versions of osCommerce.

For 2.3.4, the following code inclusion is enough:

require_once(DIR_FS_CATALOG . 'includes/osc_sec.php');

Leave the other changes, they are only if you are still using 2.2 versions.
Taipo (Author) Posted July 8, 2015

> Could your plugin help with such a problem?
> http://www.oscommerce.com/forums/topic/407697-strange-urls-in-google-webmaster-tools/

Sorry I missed this. If you are using osCommerce 2.2 then you should probably also install osC_Sec.

As to the 404s, they aren't really a security issue, it's just some misconfigured cache-breaking attempt of a crawler that is probably using proxy servers.

The URLs you should focus on are the ones that return a 200 ;) which is what osC_Sec deals with.
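The point Taipo makes above, that the 404s from a cache-busting crawler are noise while the requests worth attention are the ones that came back with a 200, is a filter you can apply directly to the web server's access log. The following is an added example written for this page; it is not osC_Sec code and not from the original post. It parses a few constructed Apache combined-format lines, counts responses per status, sets aside 404s that carry a cache-busting `_=<digits>` parameter, and reports only the requests that matched a simple probe signature and still received a 200. The sample lines, the `_=` parameter shape and the three probe patterns are assumptions made for the illustration, not observations from the thread.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache "combined" log lines for illustration; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2015:10:01:12 +0000] "GET /index.php?cPath=22&_=1431424872 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.6 - - [12/May/2015:10:01:13 +0000] "GET /product_info.php?products_id=31&_=1431424873 HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2015:10:02:44 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2015:10:03:01 +0000] "GET /product_info.php?products_id=31%27%20union%20select%201,2,3-- HTTP/1.1" 200 8120 "-" "curl/7.38"
198.51.100.9 - - [12/May/2015:10:03:05 +0000] "GET /index.php?cPath=../../../../etc/passwd HTTP/1.1" 200 4012 "-" "curl/7.38"
198.51.100.9 - - [12/May/2015:10:03:09 +0000] "GET /images/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 404 300 "-" "curl/7.38"
"""

# Apache combined log format: ip ident user [ts] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Minimal probe signatures (assumed for this example), applied to the URL-decoded target.
PROBE_PATTERNS = {
    "traversal": re.compile(r"\.\./"),
    "sqli": re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE),
    "xss": re.compile(r"<\s*script", re.IGNORECASE),
}
# Crawler cache-busting parameter; the "_=<digits>" shape is an assumption for the example.
CACHE_BUSTER_RE = re.compile(r"[?&]_=\d+")


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode twice so a double-encoded payload (%253C -> %3C -> <) is inspected as well.
    rec["decoded"] = unquote(unquote(rec["target"]))
    return rec


def probe_labels(decoded_target):
    """Sorted names of the probe patterns that match a decoded request target."""
    return sorted(name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded_target))


def triage(log_text):
    """Split 404 crawler noise from probe requests that actually reached application code."""
    status_counts = Counter()
    cache_busting_404s = 0
    probes_404 = []  # probes the server already refused: low priority
    probes_200 = []  # probes that got a 200: these are the ones to investigate
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        status_counts[rec["status"]] += 1
        labels = probe_labels(rec["decoded"])
        if rec["status"] == 404:
            if CACHE_BUSTER_RE.search(rec["target"]):
                cache_busting_404s += 1
            if labels:
                probes_404.append((rec["ip"], rec["decoded"], labels))
        elif rec["status"] == 200 and labels:
            probes_200.append((rec["ip"], rec["decoded"], labels))
    return {
        "status_counts": dict(status_counts),
        "cache_busting_404s": cache_busting_404s,
        "probes_404": probes_404,
        "probes_200": probes_200,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("status counts:", report["status_counts"])
    print("404s with a cache-busting parameter (noise):", report["cache_busting_404s"])
    for ip, target, labels in report["probes_200"]:
        print(f"INVESTIGATE {ip} -> {target}  [{', '.join(labels)}]")
```

Run it against a real log by replacing SAMPLE_LOG with the file's contents. The two 404s with a cache-busting parameter are counted and dropped, the encoded `<script>` probe that was refused with a 404 is kept only as low-priority context, and the two probes that the application answered with a 200 are the ones printed for investigation, which is exactly the filter the post describes.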
stefan21 Posted July 9, 2015

> osC_Sec was coded to address security issues in earlier versions of osCommerce.
> For 2.3.4, the following code inclusion is enough.
> require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );
> Leave the other changes, they are only if you are still using 2.2 versions

Thank you very much for your reply.
stefan
stefan21 Posted July 9, 2015

Taipo,

coming up with another question.

In default is: HTTP Errors you want to exclude any ban 400,401,403,404,405,408,415,416,417,500,501,502,503,504,505

The help says: The HTTP Errors that you want to exclude being banned. Separate by a comma .... example 401,403,404 etc. I suggest you only ban 404, and possibly 403.

As I'm only a user, I do not understand clearly: should I leave the default, or is your suggestion to only put 404 and 403 in the list?

Thanks again for your reply.
stefan
Taipo (Author) Posted July 9, 2015

Perhaps you are referring to another addon other than osC_Sec?

Are you also using IP_Trap?
stefan21 Posted July 10, 2015

Shame on me, you're right! I mixed up your addon and Linuxuk http and IP Trap. I'm sorry that I have bothered you, won't happen again.

stefan
Taipo (Author) Posted July 10, 2015

Hey, no problem.
jamo32 Posted May 25, 2016

Hi Taipo,

Running a security patched ms2.2 version. What version of osc_sec would work, please, and what is the best way to test it? I have installed osc_sec and set it to work with IP Trap, but it does not seem to trigger IP Trap when I test it.

Many Thanks

Using Bootstrap 8-)
jamo32 Posted May 25, 2016

Sorry, must learn to read. Is there a link to your IP Trap? Using the wrong one, lol.