Oscommerce Security - Osc_Sec.php

[callenords]

Is there away of disabling the osc_sec cookie check?

 

I often receive this message - even though its clearly not a hacker attempt: "osC_Sec detected malicious cookie content..."

 

And since I use IP trap, the IP is banned.

 

Thanks!

[Taipo]

In the latest version of osc_sec.php, find:

      $this->cookieShield();

 

and replace with:

#     $this->cookieShield();

[burt]

I have been unable to use the last 10 or 12 iterations of osc_sec.

 

Installation produces a 500 (if I recall correctly) error (note, osc_sec files only, not using the htaccess modifications).

[Taipo]

Try this version out Burt.

 

http://pastebin.com/Hn2ifX6U

 

( grab the code from the raw paste data at the bottom )

 

Let me know if that sorts the issue, if so I will post an update.

[burt]

Taipo - that version seems to work well, thank you.

[sunnydt]

ok Maybe Im missing something but where do I edit? such as $httphost = "www.yoursite.com"; Cant find it anywhere.

[Taipo]

The only bits to edit now are in osc.php file which is in the zip file in the includes directory along with osc_sec.php

 

In fact you do not need to edit anything if you just want to add it, however if you want to ban ip addresses and such then osc.php is the file you want to look in. Check the readme.htm file for more on editing the settings.

[Taipo]

osC_Sec 5.0.1

 

Whats New?

- Added extra checks in $checkfilename

- Fixed an issue where files contain extra '.'. i.e. file.name.php

- Fix phpSelfFix() function

- Fixed whitespace issue with $this->_httphost

- More additions to the dbShield() function to protect against database injection attempts

- Fixed a number of issues with dbShield() to prevent false positives

- Removed base64_decode aspect of dbShield() due to it causing errors in some configurations

- More additions to getShield() function to detect local file read attempts

- Remake of the postShield() function

- Remake of the cookieShield() function

- Fixed an error in ipTrapped()

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Updating:

Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

 

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

 

Download from: http://addons.oscommerce.com/info/8283

[RMD27]

Hi Taipo

 

Google & Babel translate do not work on my site anymore, could the OSC SEC contirbution be stopping it from working?

 

I also have Security Pro 2.0 installed.

 

These are the characters Google uses

http://translate.google.com/translate?hl=en&sl=en&tl=sq&u=http%3A%2F%2Fwww.oscommerce.com%2F

 

And this is what Babel uses

 

http://babelfish.yahoo.com/translate_url?doit=done&tt=url&intl=1&fr=bf-home&trurl=http%3A%2F%2Fwww.oscommerce.com%2F&lp=en_nl&btnTrUrl=Translate

 

I added % and & and = to the Secuity Pro whitelist but the translation from these pages comes back as

 

blank page for Google and with an

 

error(0) for Babel

[ptt81]

I have a similar problem with Google Translate, my page loads fine but it report the following error at the top of the page:

 

Warning: file () [ function.file ]: Emri nuk mund të jetë bosh në / home / mydomain / public_html / përfshinë / osc_sec.php on line 675

[Taipo]

What does " Emri nuk mund të jetë bosh në" mean PT?

[ptt81]

I have no idea, i just click on a random language, but the original error message is:

 

Warning : file() [ function.file ]: Filename cannot be empty in /home/mydomain/public_html/includes/osc_sec.php on line 675

 

Warning : Cannot modify header information - headers already sent by (output started at /home/mydomain/public_html/includes/osc_sec.php:675) in /home/mydomain/public_html/includes/functions/general.php on line 1355

[RMD27]

so what is the thought on this? could osc_sec be stopping the translation or not??? :huh:

[Taipo]

Try this version Ricardo

http://pastebin.com/RGWKExAq

 

Let me know how it goes.

[RMD27]

Hello Taipo,

 

Unfortunately no difference. Maybe it is something to do with FWRs plug in. Ill leave a message on his support thread and let you know what he says!

 

http://www.oscommerce.com/forums/topic/293326-contribution-security-pro-querystring-protection-against-hackers/page__hl__fwr__st__240

[Taipo]

You can also try this as it could be associated with the way osC_Sec deals with post form data.

 

Find these two lines:

 

 
  # check _POST variables against the blacklist
  $this->postShield();

 

and replace with:

 
  # check _POST variables against the blacklist
  # $this->postShield();

 

Let me know if that helps

[modem2.0]

Hi Taipo,

 

I'm taking your advice on another topic and I'm now building a new shop with osCommerce 2.3.1. Should this contribution also be used with osCommerce 2.3.1?

 

Thanks!

[Taipo]

It is not needed due to the fact that there are no known security issues with 2.3.1, however it doesn't hurt to install it.

[♥altoid]

Taipo, if you could help out with an issue that apparently osc_sec is causing it would be appreciated.

 

With one of the latest udpates, there apparently is an effect on an action on a page what Jack_MCS calls, "It is just a normal form update page" that effects that update in the adminstrative side of Header Tags SEO.

 

Specifically, when you select a keyword that is displayed on a table on the page, and click the appropriate activator, the intended delete action doesn't occur. I disable osc_sec in admin and the action then works. Another user, tried rolling back a version or two of osc_sec and that corrected the issue for him as well.

 

I wish I could be more descriptive of the actual code that is effected, but I don't know the coding well enough to figure it out. But it appears one of the last version or two of osc_sec is causing this.

 

Any hunches based on what I provided? Thanks

[Taipo]

Try following the instructions at my previous post and let me know if that fixes the issue.

[♥altoid]

Try following the instructions at my previous post and let me know if that fixes the issue.

 

That was the issue. After commmenting out as above, the issue is resolved. Thank you

[Taipo]

osC_Sec 5.0.2

 

Whats New?

- Fixed issues causing conflicts with some addons concerning the postShield() function

 

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

 

Updating:

Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

 

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

 

Download from: http://addons.oscommerce.com/info/8283

[♥altoid]

Taipo, I downloaded the latest but the problem came back again, so I changed that line of code to

# $this->postShield();

and the issue is resolved again.

FYI

[ptt81]

hey Taipo,

 

I have the same problem with the new version, my checkout page still will not let me pass payment selection page and I changed # $this->postShield(); and it fixed the problem as well. Looks like everyone has problem with this function.

[Taipo]

Try this one PT, I have removed the postShield function for now.

http://pastebin.com/RELeMuXL