ptt81 (posted March 13, 2012):

Hey Taipo, thanks for that, but is this the same as me commenting out the function # $this->postShield(); ? Or is there anything new added?
Taipo (author, posted March 15, 2012):

Basically the same, PT.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
walkman (posted March 15, 2012):

Does this add-on prevent "URL injection"? This method was just flagged by my PCI scanning company. I previously installed code to prevent SQL injection in my input fields but didn't realize the SQL could be embedded in the URL osCsid.
Taipo (author, posted March 17, 2012):

@walkman Yes, osC_Sec prevents malicious URL injections. I have made a small change to osC_Sec for those using IP Trap in conjunction. Here is the update; I will release it officially in a day or so. http://pastebin.com/uqDeDR0k
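The osCsid question above is about a session identifier arriving in the query string. One defensive approach is an allow-list: keep the osCsid parameter only when it looks like a session id, otherwise drop it so the application starts a fresh session rather than using whatever was supplied. The following is an added example written for this thread, not osC_Sec's or osCommerce's own code; the allowed alphabet (letters, digits, ',' and '-') and the 22 to 128 character length bounds are assumptions chosen to resemble PHP session ids, and the request URLs are constructed.

```python
"""Allow-list check for session identifiers carried in the query string.

Added example, not osC_Sec's or osCommerce's code. The id alphabet and length
bounds below are assumptions that approximate what PHP session ids look like.
"""
import re
from urllib.parse import urlsplit, parse_qsl

SESSION_PARAM = "osCsid"
# Assumed shape of a PHP session id: letters, digits, ',' and '-' (PHP's own
# session hash alphabet), 22 to 128 characters long. Adjust to your setup.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]{22,128}$")


def is_valid_session_id(value):
    """True only if the value consists solely of allowed id characters."""
    return bool(SESSION_ID_RE.fullmatch(value))


def sanitize_query(url):
    """Return (clean_pairs, dropped_pairs) for a request URL.

    The osCsid parameter is kept only if it passes the allow-list; otherwise it
    is dropped, so the application starts a new session instead of trusting the
    supplied value. Every other parameter is passed through untouched.
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    clean, dropped = [], []
    for key, value in pairs:
        if key == SESSION_PARAM and not is_valid_session_id(value):
            dropped.append((key, value))
            continue
        clean.append((key, value))
    return clean, dropped


def demo():
    # Constructed request URLs. The second and third carry characters that can
    # never appear in a session id and are rejected after percent-decoding; the
    # last one simply has no osCsid at all.
    urls = [
        "https://shop.example/product_info.php?products_id=12&osCsid=a1b2c3d4e5f6g7h8i9j0k1l2m3n4",
        "https://shop.example/product_info.php?products_id=12&osCsid=abc'%20OR%20'1'='1",
        "https://shop.example/product_info.php?osCsid=%3Cscript%3E",
        "https://shop.example/product_info.php?products_id=12",
    ]
    return [sanitize_query(u) for u in urls]


if __name__ == "__main__":
    for clean, dropped in demo():
        print("kept:", clean, "dropped:", dropped)
```

Note that the check runs on the decoded value (parse_qsl percent-decodes for you), so encoding tricks in the raw query string do not bypass it, and a rejected id is discarded rather than "cleaned", since there is no safe way to repair a session identifier.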
mafiouso (posted March 30, 2012):

Hello, I installed osC_Sec_5.0.2 and everything seemed to be working OK. I have one problem with PayPal IPN (PayPal IPN v2.3.4.6): the orders go through, the payment too, but it does not return the status or PayPal details to osC. Please let me know if you can help. Thanks.
mr_absinthe (posted April 1, 2012):

Hello, I would like to install your latest version, but I've noticed that I have changed code in both application_top.php files. I believe that this change is from here: http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/page__view__findpost__p__1467014, but would you be so kind as to have a look at it and tell me if replacing the following code could break something?

admin file:

    // set php_self in the local scope
    // if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

    /**
     * Reliably set PHP_SELF as a filename .. platform safe
     */
    function setPhpSelf() {
      // candidate server variables, checked in this order
      $base = ( array( 'SCRIPT_NAME', 'PHP_SELF' ) );
      foreach ( $base as $index => $key ) {
        if ( array_key_exists( $key, $_SERVER ) && !empty( $_SERVER[$key] ) ) {
          if ( false !== strpos( $_SERVER[$key], '.php' ) ) {
            // keep only the first "name.php" token; anything after it is discarded
            preg_match( '@[a-z0-9_]+\.php@i', $_SERVER[$key], $matches );
            if ( is_array( $matches ) && ( array_key_exists( 0, $matches ) ) && ( substr( $matches[0], -4, 4 ) == '.php' ) && ( is_readable( $matches[0] ) ) ) {
              return $matches[0];
            }
          }
        }
      }
      return 'index.php';
    } // end method
    $PHP_SELF = setPhpSelf();

catalog file:

    // set php_self in the local scope
    //$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

followed by the same setPhpSelf() function and $PHP_SELF = setPhpSelf(); assignment as in the admin file.

Absinthe Original Liquor Store
Taipo (author, posted April 1, 2012):

> Hello, I installed osC_Sec_5.0.2 and everything seemed to be working OK. I have one problem with PayPal IPN (PayPal IPN v2.3.4.6): the orders go through, the payment too, but it does not return the status or PayPal details to osC. Please let me know if you can help. Thanks.

Unless I am mistaken, I believe the callback from the PayPal server is a POST request. The latest version of osC_Sec as of http://pastebin.com/uqDeDR0k does not filter the POST variables at all, so it should not be interfering with the order callback.
Taipo (author, posted April 1, 2012):

> Hello, I would like to install your latest version, but I've noticed that I have changed code in both application_top.php files. I believe that this change is from here: http://www.oscommerce.com/forums/topic/348589-serious-hole-found-in-oscommerce/page__view__findpost__p__1467014, but would you be so kind as to have a look at it and tell me if replacing the following code could break something?
>
> (followed by the admin and catalog setPhpSelf() code as posted above)

They mostly do the same thing, but you would be best to change the code to the one in osC_Sec, as that is the latest code supplied by the developers of osCommerce as part of the fix to that serious security issue.
mafiouso (posted April 4, 2012):

    Warning: require_once(/home/USER/public_html/shopping/ext/modules/payment/paypal_ipn/includes/osc_sec.php) [function.require-once]: failed to open stream: No such file or directory in /home/USER/public_html/shopping/includes/application_top.php on line 43
    Fatal error: require_once() [function.require]: Failed opening required '/home/USER/public_html/shopping/ext/modules/payment/paypal_ipn/includes/osc_sec.php' (include_path='.:/usr/lib/php') in /home/USER/public_html/shopping/includes/application_top.php on line 43

Line 43 is require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' ); if I leave this in, PayPal IPN won't work? Any advice would be great. Thank you.
Taipo (author, posted April 4, 2012):

Replace:

    require_once( DIR_FS_CATALOG . 'includes/osc_sec.php' );

with:

    require_once( '/home/youruser/public_html/includes/osc_sec.php' );

This is so that you can use the actual file path. So replace '/home/user/public_html/includes/osc_sec.php' with the actual file path to osc_sec.php.
EricK (posted April 11, 2012):

Does using server-wide SSL create these PHP Warnings? Thanks, EricK

    [11-Apr-2012 14:55:44] PHP Warning: file() [<a href='function.file'>function.file</a>]: Filename cannot be empty in /home/<user>/public_html/includes/osc_sec.php on line 636
    [11-Apr-2012 14:55:44] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cookie - headers already sent by (output started at /home/<user>/public_html/includes/osc_sec.php:636) in /home/<user>/public_html/includes/functions/sessions.php on line 101
    [11-Apr-2012 14:55:44] PHP Warning: session_start() [<a href='function.session-start'>function.session-start</a>]: Cannot send session cache limiter - headers already sent (output started at /home/<user>/public_html/includes/osc_sec.php:636) in /home/<user>/public_html/includes/functions/sessions.php on line 101
    [11-Apr-2012 14:55:44] PHP Warning: Cannot modify header information - headers already sent by (output started at /home/<user>/public_html/includes/osc_sec.php:636) in Unknown on line 0
Taipo (author, posted April 11, 2012):

No, but I think if you are using IP Trap along with osC_Sec then you may get that warning. I have written up a fix for this; it will be officially posted up shortly.
Taipo (author, posted April 12, 2012):

osC_Sec 5.0.3

What's New?
- Fixed issues causing conflicts with some addons concerning the postShield() function
- Fixed issues causing conflicts with some addons concerning the ipTrap function

New install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating: Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Download from: http://addons.oscommerce.com/info/8283
mr_absinthe (posted April 17, 2012):

It took me a while to nail this down... but if I keep osC_Sec enabled on one of my stores, I'm unable to supply an XML feed to one of the shopping sites. The feed is being generated by a .php file, and with osC_Sec enabled I was receiving the following error from them:

    Warning: extract() expects parameter 1 to be array, null given in...

I was receiving no emails from osC_Sec to help me nail it, despite the fact that it is enabled. I was able to see the XML file in my browser just fine. To be able to supply them with the feed, I have to keep osC_Sec disabled at the moment. Any idea please?
Taipo (author, posted April 18, 2012):

Can you PM me the full error message, thanks.
RMD27 (posted May 1, 2012):

Hello Taipo, does osc_sec stop 2 question marks being included in the URL? Google is trying to see this page

    *************.php?product_info.php?cPath************

but it is finding

    ***********.phpproduct_info.php?cPath************

EDIT: Taipo, thinking about it, I don't think osc_sec has anything to do with the problem, because I can type in the ? and the page opens. I'll open a new thread.
Mort-lemur (posted May 3, 2012):

Hi Taipo, I upgraded to the latest version and have found that a few genuine customers are being IP Trap banned with the following as the reason for the ban:

    osC_Sec blacklist hex encoded query_string value is banned: %%.

What is this checking for, or what could be causing it? Many thanks.

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
Taipo (author, posted May 4, 2012):

> Hello Taipo, does osc_sec stop 2 question marks being included in the URL? Google is trying to see this page *************.php?product_info.php?cPath************ but it is finding ***********.phpproduct_info.php?cPath************
>
> EDIT: Taipo, thinking about it, I don't think osc_sec has anything to do with the problem, because I can type in the ? and the page opens. I'll open a new thread.

Perhaps it may be linked to Security Pro, as that does rewrite the $_GET global.
Taipo (author, posted May 4, 2012):

> Hi Taipo, I upgraded to the latest version and have found that a few genuine customers are being IP Trap banned with the following as the reason for the ban: osC_Sec blacklist hex encoded query_string value is banned: %%. What is this checking for, or what could be causing it? Many thanks.

Can you PM me the entire email notification please.
Mort-lemur (posted May 5, 2012):

Hi Taipo, I sent you the email text by PM. The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP Trap trapped.txt file daily just in case. Thanks.
RMD27 (posted May 5, 2012):

Taipo, okay, I looked into this issue again because I was not able to access the modules box in the admin. I completely removed the .htaccess hardening code that you wrote, and now I can access the modules box and, as a bonus, the translate also works now! (w00t)

My question now, if you have time: do you think you could see what's up with the .htaccess? I was looking at incidences of & and =, but I see they are featured a lot in the .htaccess file, so I can't work out what's what.
RMD27 (posted May 5, 2012):

Actually, scratch that: the translation works now regardless of the .htaccess, it's just the modules box that is affected by the .htaccess.
RMD27 (posted May 5, 2012):

> Hi Taipo, I sent you the email text by PM. The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP Trap trapped.txt file daily just in case. Thanks.

osc_sec creates a trapped.txt file? If so, where would I find it?
Mort-lemur (posted May 5, 2012):

Sorry, no: the .txt file is part of the IP Trap contribution. You can select osC_Sec to ban IPs by either .htaccess or by using IP Trap, as I have done.
Taipo (author, posted May 6, 2012):

> Hi Taipo, I sent you the email text by PM. The %% ban seems to be trapping quite a few visitors, maybe even Googlebot, so I clean the IP Trap trapped.txt file daily just in case. Thanks.

Try the latest update, Heather: http://addons.oscommerce.com/info/8283
Archived: This topic is now archived and is closed to further replies.