Taipo Posted November 13, 2011

osC_Sec 4.1[r6]

What's New?

1/ osC_Sec no longer supports the Security Pro whitelist code. $GETcleanup has been removed from the new updated version of osC_Sec. If you want whitelisting then it is best you install FWR MEDIA Security Pro 2.0[r7]
2/ Fixed a number of issues with the dbShield that could result in false positive bans
3/ Update to email notification
4/ Added items to the blacklists to catch malware include attempts

* For those updating, this will need to be a full reinstall sorry as both files need replacing.

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Download from: http://addons.oscommerce.com/info/7834

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Taipo Posted November 23, 2011

I have received a few emails concerned about why the scrubGET whitelisting function has been removed from the latest release of osC_Sec. So I think it best I address this here.

scrubGET was based on the core code piece from Security Pro[r7] and as a precautionary measure I have removed it from osC_Sec and left it up to users to install the original Security Pro[r7] should they want to continue whitelisting the _GET global. I still use the method though to detect attempts to use whitelisting to bypass your site's security.

But before that I want to make a point about application layer firewall and htaccess blacklisting.

Having had a bit of a play around with htaccess now specifically in the genre of blacklisting requests, I am more of the opinion now than ever that htaccess is best used to catch the more generic query string attempts and also the admin bypass attempts. But when it comes to the more cleverly obfuscated hack attempts, htaccess and application layer firewall based blacklisting can often be bypassed by the use of comment code.

An example of how htaccess blacklisting can fail miserably is below.

Example injection URL and query:

http://localhost/index.php?id=-1+union+select+1,+table_name+from+information_schema.tables+where+table_name+=+users

The above query and any other queries used as examples in this discussion are not examples of vulnerabilities in osCommerce but are just used to demonstrate how webserver firewall, htaccess level blacklisting and other methods can be bypassed.

Same injection but with comment obfuscation:

http://localhost/index.php?id=-1+uni/**/on+sel/**/ect+1,+ta/**/ble_na/**/me+fro/**/m+inf/**/orma/**/tion_sch/**/ema.ta/**/bles+whe/**/re+ta/**/ble_n/**/ame+=+users

Application layer firewalls like Mod_Security will ignore the comment code /* and */ and anything in between, thus rendering the request in its original form. MySQL also ignores the comment code.

http://localhost/index.php?id=-1+union+select+1,+table_name+from+information_schema.tables+where+table_name+=+users

However all of the keywords like union, select, and other combinations, will be missed at the htaccess level because htaccess does not ignore comment code. Because of that, there are just too many variations for htaccess code to capture.

Example ways of writing the word 'union' are: u/**/nion, un/**/ion, u/**/n/**/i/**/o/**/n, un/*someotherignoredtexthere*/ion etc

This 'can be' further exacerbated if the user has installed a whitelisting method like that employed in the FWR MEDIA Security Pro[r7] addon.

While a whitelisting function like that employed by FWR MEDIA Security Pro[r7] would render most plain database injection requests void by removing enough banned characters to break the request (and would therefore render the obfuscated request above void, because it strips out the * character but not the forward slash), an attacker could however construct a specific query to bypass the whitelisting function as well, by simply adding in characters with the intent of bypassing the application layer firewall and htaccess, and finally having the whitelisting function strip the banned characters out of the request.

Here are some examples of the same injection request above:

http://localhost/index.php?id= -1|+un||io||n+se||le||ct+1,+ta||b||le+f||r||om+in||f||orma||to||n_sch||em||a.t||ab||le||s+w||h||e||re+ta||ble_n||ame+||=+u||ser

and

http://localhost/index.php?id=-1+[u](n)%3Ci%3Eo|*n+[s](e)%3Cl%3Ee|*c^t+1,+[t](a)%3Cb%3El|e*^+[f](r)%3Co%3Em|+[i](n)%3Cf%3Eo|r*m^a[t](o)%3Cn%3E_| s*c^h[e](m)%3Ca%3E.|t*a^b[l](e)%3Cs%3E+w|h*e^r[e]+(t)%3Ca%3Eb|l*e^_[n](a)%3Cm%3Ee|+=+u*s^e(r)

If there were no whitelisting method active, both of these obfuscated requests would bypass the application layer firewall, htaccess blacklisting or other security filters designed to pick up such requests, but in the end would result in no threat to a vulnerable user input.

However, after whitelisting stripped out the banned characters in the _GET global, both instances above would result in the following GET request:

http://localhost/index.php?id=-1+union+select+1,+table_name+from+information_schema.tables+where+table_name+=+users

Is this issue being exploited yet by attackers? Not that I am aware of, but the sooner users of the older versions of osCommerce patch the security issues with their sites, the sooner the attacks will shift from the easy to exploit admin authentication bypass exploit, to for example, probing for database vulnerabilities in addons, at which point this type of security issue could be used against osCommerce sites.

My points are:

1) as always there is no substitution for solid securely written code in the first place, updating to the latest stable release is almost always the more secure method
2) that depending on an application layer firewall, htaccess blacklisting, and other XSS filters 'alone' cannot protect your website code from being exploited if there are any security issues that may exist that are yet to be discovered, and
3) In respect of the osCommerce admin authentication bypass exploit, I have yet to see how the whitelisting function has prevented these types of attacks in the 'outdated versions of osCommerce' and so users have to weigh up the pros and cons of whitelisting in this manner due to the added security risks this method can bring to a content management system.
4) osC_Sec has been designed to catch these attempts

A bit of a read I know, and like any observations of mine, are always open to debate.

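The filter-ordering problem described in the post above, as an added example (not osC_Sec or Security Pro code): a keyword blacklist is run against each form in which a later stage would see a parameter, so a value that only becomes an injection after comment removal or after a whitelist-style strip is still caught and labelled by the stage that reassembled it. The blacklist pattern, the allowed-character set and all function names are assumptions made for the illustration; the sample query strings are the ones quoted in the post.

```python
import re
from urllib.parse import parse_qsl

# Assumed for illustration: a tiny keyword blacklist, and a whitelist-style
# cleanup that drops every character outside a fixed allowed set. It keeps
# "/" but drops "*", matching the behaviour the post describes.
BLACKLIST = re.compile(r"\bunion\b.+\bselect\b|\binformation_schema\b", re.I | re.S)
NOT_ALLOWED = re.compile(r"[^A-Za-z0-9 _.,=/-]")
SQL_COMMENT = re.compile(r"/\*.*?\*/", re.S)


def views(value):
    """Yield (label, text) for each form in which a later stage may see the value."""
    yield "raw", value
    no_comments = SQL_COMMENT.sub("", value)       # what the database parser sees
    yield "comment-stripped", no_comments
    yield "whitelist-stripped", NOT_ALLOWED.sub("", value)   # after the cleanup
    yield "comment+whitelist", NOT_ALLOWED.sub("", no_comments)


def classify(value):
    """Return the first view in which the blacklist matches, or 'pass'."""
    for label, text in views(value):
        if BLACKLIST.search(text):
            return label
    return "pass"


def inspect_query(query_string):
    """Classify every parameter of a URL query string (the part after '?')."""
    return {name: classify(value)
            for name, value in parse_qsl(query_string, keep_blank_values=True)}


# Query strings quoted in the post, plus one constructed benign request.
PLAIN = ("id=-1+union+select+1,+table_name+from+information_schema.tables"
         "+where+table_name+=+users")
COMMENTED = ("id=-1+uni/**/on+sel/**/ect+1,+ta/**/ble_na/**/me+fro/**/m+inf/**/"
             "orma/**/tion_sch/**/ema.ta/**/bles+whe/**/re+ta/**/ble_n/**/ame+=+users")
PIPED = ("id=-1|+un||io||n+se||le||ct+1,+ta||b||le+f||r||om+in||f||orma||to||"
         "n_sch||em||a.t||ab||le||s+w||h||e||re+ta||ble_n||ame+||=+u||ser")
BENIGN = "products_id=485&keywords=student+union+bar"   # constructed sample

if __name__ == "__main__":
    for name, query in [("plain", PLAIN), ("commented", COMMENTED),
                        ("piped", PIPED), ("benign", BENIGN)]:
        print(f"{name:10s} {inspect_query(query)}")
```

A verdict other than "raw" or "pass" means the value looked clean on arrival and only turned into a blacklisted pattern after a later stage rewrote it, which is the case a raw-input blacklist cannot see.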
Taipo Posted November 28, 2011

osC_Sec 4.1[r7]

### REMINDER: For those updating, this will need to be a full reinstall as #BOTH# files need replacing ###

What's New?

1/ osC_Sec has been rewritten as a PHP 4.x backward compatible class, so it is important that you replace both files in the includes directory with the two files in this zip file. That also means you will need to redo the settings in osc.php as well.
2/ $nonGETPOSTReqs now bans IP addresses (if ip banning is activated) of requests that are neither GET, POST, OPTIONS or HEAD
3/ Fixed an issue where dbShield might miss a critical database injection attempt
4/ Fixed an error in the postShield code
5/ dbShield() now checks _GET variables for base64 encoded strings
6/ Update to the getShield to better catch attempts to include malicious file content
7/ Improvement to the osCSecBypass() function
8/ The diagnostics email function has been removed now as it is no longer needed
9/ Fixed an error in the email notification script concerning multidimensional arrays

Download from: http://addons.oscommerce.com/info/7834

Please report any bugs to the discussion forums at http://tinyurl.com/oscsec or email rohepotae@gmail.com

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Taipo Posted November 28, 2011

Popped a quick amendment up, 4.1[r7a] with a fix of a syntax issue.

Taipo Posted November 28, 2011

osC_Sec 4.1[r8]

What's New?

Fixed a bug in the $osCSpamTrap. The aspect of $osCSpamTrap which monitors the admin directory has now been restricted to version 2.3.1

The best security for your admin directory is to firstly upgrade to version 2.3.1. Failing that it is best you use htaccess basic user authentication. You can also rename the directory as well.

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: just replace the osc_sec.php in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://tinyurl.com/oscsec or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

Taipo Posted November 30, 2011

osC_Sec 4.1[r9]

What's New?

Finally got around to developing out the check_ip() and getRealIP() functions.

- check_ip() can now test the format of both IPv4 and IPv6 ip addresses.
- getRealIP() has been modified to better handle proxy servers

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: just replace the osc_sec.php in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

♥altoid Posted December 1, 2011

Hi there,

osc_sec generated a different type of ban that I've seen before and I was wondering if you would explain what the reason for the ban means and its importance.

Here's the first part of the notification:

    This IP [ xx.xxx.xxx.xx ] has been htaccess banned on the "myshop.com" website by osC_Sec.php version 4.1[r9]
    REASON FOR BAN: osC_Sec Array listed item is banned: %0d%0a.
    Time of ban: Thu, 01 Dec 2011 13:21:48
    .------------[ ALL Array VARIABLES ]-------------
    #
    # - products_id = 485
    #
    `--------------------------------------------------------
    .---------[ ALL Array FORM VARIABLES ]-------
    #
    # - No POST form data
    #

Thank you.

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can. I remember what it was like when I first started with osC. It can be overwhelming. However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc. There are several good pros here on osCommerce. Look around, you'll figure out who they are.

♥geoffreywalton Posted December 1, 2011

Why would you want a url with \r\n in it?

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile Virus Threat Scanner My Contributions Basic install answers. Click here for Contributions / Add Ons. UK your site. Site Move. Basic design info. For links mentioned in old answers that are no longer here follow this link Useful Threads. If this post was useful, click the Like This button over there ======>>>>>.

♥altoid Posted December 1, 2011

> Why would you want a url with \r\n in it?
>
> G

If you mean from my post, then there isn't anything like that. It's something like this: "http://www.myshop.com/my-listed-product--c-66_99.html"

♥geoffreywalton Posted December 1, 2011

No, someone tried to access your site with 0d0a in the url.

Why? I don't know but this contribution doesn't like it.

Hope that makes sense.

G

♥altoid Posted December 2, 2011

> No, someone tried to access your site with 0d0a in the url.
>
> Why? I don't know but this contribution doesn't like it.
>
> Hope that makes sense.
>
> G

That's what I was wondering about. Hope Taipo can offer something. I'll take a look at the logs too and see what I can find.

Thanks

♥altoid Posted December 2, 2011

If I am reading the log correctly, it looks like it was a Bing search that brought the IP to my site, then this line looks like the 403 part that resulted in the ban:

    xx.xxx.xxx.xx - - [01/Dec/2011:13:21:48 -0500] "GET /my-product-p-485.html HTTP/1.1" 403 20 "http://www.myshop.com/my-product-c-66_99.html" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)"

Taipo Posted December 2, 2011

I can see there is an issue with the way the emails are formatted, I will fix that in the next release.

As Geoffrey stated, %0d%0a has no place in a request_uri and if it is resident then that is often a sign that someone is running a security vulnerability scan of your site.

Tools like Havij and Acunetix are used by both security professionals and attackers alike, and these tools along with many others will, as a part of their assessment, test query strings to see if they can generate database or php errors, which in themselves can be signs of possible security vulnerabilities. Adding a line feed, return combination into a query string, on some web systems can result in a database or php error.

So the original idea was to ban the occurrence of that url encoded line feed code in order to put a stop to security scans, however in doing so in earlier versions of osC_Sec I noticed that there were too many false positive bans coming in so removed it from the getShield() blacklist in a later release.

It looks like I need to also remove it from the cookieshield blacklist as well, so will do so in the next update coming out shortly.

Taipo Posted December 2, 2011

osC_Sec 4.2

What's New?

- Added additional checks in the getRealIP() function
- Fixed print issues with the email notification
- Removed an item from the cookieshield blacklist that could cause false positive results

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: just replace the osc_sec.php in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

♥altoid Posted December 2, 2011

Taipo and G, thanks for responding. I just installed Taipo's latest version in my shops.

Thanks

Taipo Posted December 2, 2011

osC_Sec 4.2[r1]

What's New?

- More updates to getRealIP() and check_ip() functions

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: just replace the osc_sec.php in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Taipo Posted December 4, 2011

osC_Sec 4.2[r4]

What's New?

# Removal of $osCSpamTrap from osC_Sec. In order for $osCSpamTrap to work most effectively and securely it must be included further down the application_top.php page. Therefore I have decided to remove it from osC_Sec and will be releasing it shortly as a stand-alone addon.
# Fixed an error with the IP Trap code

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: Replace both the osc_sec.php and osc.php files in your website includes directory with the osc_sec.php and osc.php files in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

Guest Posted December 6, 2011

Good Evening,

Just installed this add-on due to multiple hacks. Started over from scratch. I see that it's working, but now I'm having issues using my Admin Interface.

Can you give some guidance on how to temporarily disable Osc_Sec or provide a work around?

Thanks in advance,

Dedric

Taipo Posted December 6, 2011

What problems are you specifically having with your admin area?

FrostyFred Posted December 7, 2011

I too am having problems in the admin area.

If I install the latest os sec and comment out the powered by line, as suggested elsewhere, it works for all my other admin options except configuration. For this one I just get a blank screen.

Comment out the code as below and it works fine:

    // some code to solve compatibility issues
    require(DIR_WS_FUNCTIONS . 'compatibility.php');
    echo "<br>pre<br>";
    // require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );
    echo "<br>post<br>";

Version is:

    define('PROJECT_VERSION', 'osCommerce 2.2-MS2');

Now to find out where it is having a sense of humour failure, unless you know.

Taipo Posted December 7, 2011

That is rather odd that the error is triggered by configuration.php calls. Can you PM me the contents of your admin/configuration.php file, thanks.

ctec2001 Posted December 13, 2011

Just set up the latest version of osc_Sec without issue. Thanks again for the help.

Do or Do Not, there is no try.

♥altoid Posted December 15, 2011

Taipo,

Jack has modified the Site Monitor add on significantly, and I believe that the osc_sec -- Site Monitor issue is arising again.

After I uploaded Jack's latest, when I went to the configure part in Site Monitor, I got banned. I have a work around by manually editing the file, but when I try to run the script that does it via php, it bans me.

So FYI on that. Jack's latest is: http://addons.oscommerce.com/info/4441

Thanks

Taipo Posted December 15, 2011

Ok I will take a look at it and pop out an update shortly.

Taipo Posted December 15, 2011

osC_Sec 4.2[r6]

What's New?

- Cleanup of excess code and functions no longer used
- Removed ip bypass list from the oscSecBypass() function
- Further work on the getShield() function
- Update to instructions in readme.htm
- Faster HTTPS check
- osC_Sec's osc_sec.php can now work as a standalone file for users who have multiple websites and use the default settings
- Fixed an issue with Sitemonitor so that osC_Sec bypasses Sitemonitor files correctly

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating: Replace the osc_sec.php file in your website includes directory with the osc_sec.php file in this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/7834

Archived
This topic is now archived and is closed to further replies.