
Oscommerce Security - Osc_Sec.php


Taipo


The easiest way is to test the admin bypass exploit for earlier versions of osCommerce:

 

www.yoursite.com/index.php/login.php

 

That should trigger osC_Sec if it is configured correctly. Depending on your settings, it will either merely stop the page from loading, or if you have ip banning activated, it will add your ip address to the main .htaccess file thus banning it.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX



Hi

 

I got a forbidden page and, additionally, a 404. Is this osc_sec or htaccess? Sorry to sound daft.

 

Many thanks

Using Bootstrap 8-)


The solution: Find and remove (line 428 in osc_sec.php): "%000",

 

If you are using Google Adwords ads, the code above triggers the security system for some of your paid visitors (Google Adwords adds a "?gclid=XXXXXXXXX" parameter that in some cases triggers the security system).

 

I hope removing the code above is ok?

 

I've noticed that apart from removing "%000" you also need to remove these 3 from osc_sec.php:

 

"%bf%27"

"%a3%27"

"%8c%5c"

 

The gclid parameter sent by Google Adwords has triggered my security system several times because of them on "normal" visitors. I hope it is not a security risk to remove them :)


"I hope it is not a security risk to remove them"

No problem with removing those items.

I have popped up an update with those items removed.

Go to: http://addons.oscommerce.com/info/8283


First, thank you for this great add-on.

 

Running osC_Sec version 5.0.9a on osCommerce MS2.2 and getting "osC_Sec detected malicious $_COOKIE content".

 

How do I tell if this is a false-positive?

How do I remove the malicious $_COOKIE content test?

 

REASON FOR BAN: osC_Sec detected malicious $_COOKIE content: [ 86aee24eef5ebdd4d34e1da5ffff3973 214551682.1895959564.1372243910.1372243910.1372243910.1 214551682.1.10.1372243910 214551682 214551682.1372243910.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=fake sunglasses spy 1 PR;null;null ].


It looks like a false positive. There are four ways to fix this. Choose one ( only ) of the following options.

1/ Find the following code and replace it

Find: ( around line 414 )

if ( false !== ( bool )preg_match( "/(null){2,}/i", $nstring ) ) {

and replace with

if ( false !== ( bool )preg_match( "/(null){3,}/i", $nstring ) ) {

Or,

2/ To prevent the cookie test from checking for database styled injection attempts ( a little more drastic than just fixing the specific issue with that request above ):

Find ( around line 575 )

$injectattempt = ( ( bool )$this->injectMatch( $ckey ) ) ? true : ( ( bool )$this->injectMatch( $cval ) );

and replace with

# $injectattempt = ( ( bool )$this->injectMatch( $ckey ) ) ? true : ( ( bool )$this->injectMatch( $cval ) );

Or,

3/ To completely remove the cookie content test

Find

$this->_COOKIE_SHIELD();

and replace with

# $this->_COOKIE_SHIELD();

Or,

4/ Wait for the next update of osC_Sec, in which this and other issues will be addressed. Due out any day now.


osC_Sec 5.1.0

What's New?

- Additional blacklist items to block the latest attack vectors
- A small rewrite of the function that gets the visitor's IP address
- Removal of more items in blacklists that can lead to false positives in the Cookie content checking

New Install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating:

Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.


osC_Sec 5.1.1

What's New?

- Fixed a glitch in the way osC_Sec determines the IP address which may lead to false positives

http://addons.oscommerce.com/info/8283


I'm receiving the following error in my logs:

 

[25-Aug-2013 12:11:09 America/New_York] PHP Fatal error: Call to undefined method osC_Sec::karo() in /home/website/public_html/includes/osc_sec.php on line 626

 

Any ideas?


Thanks for that Greg.

 

I have uploaded an update with a fix in it for this issue, and a number of other tweaks as well.

 

------------------------------

 

osC_Sec 5.1.2

What's New?

- Fixed several minor variable declarations
- Fixed a small issue where online file scanners would give false positives when scanning osC_Sec
- Added features to prevent osC_Sec from htaccess banning the IP address of the web host server
- Fixed a coding error in _REQUEST_Shield (thanks to bbot)

New Install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating:

Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.


Re; http://www.oscommerce.com/forums/topic/394779-oscommerce-233-hacked/

 

I have updated osC_Sec to block attempts to exploit the admin via the attack listed in the thread above.

 

However, the best way to block this attack while waiting for an update from osCommerce is to make sure you have htaccess password security on your admin directory, using a hard-to-crack password. For an example of a strong yet memorable password, check out the techniques being used by this web app:

 

http://www.safepasswd.com

 

===========================================================

 

osC_Sec 5.1.3

What's New?

- Update to the blacklists
- Update to the way osC_Sec deals with hex code

New Install instructions: see the readme.htm; as per usual, all updates contain the complete package.

Updating:

Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.

 

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email [email protected]

 

Download from: http://addons.oscommerce.com/info/8283


The new version I am developing will no longer support IPTrap ( see the Pareto Security link in my sig ), although it won't prevent the TRAP from doing its thing. The other major change is that it will no longer email out notifications.

Banning IP addresses has become a lot more volatile, what with the many webserver proxy configurations where the REMOTE_ADDR is the webserver or upline proxy IP rather than the actual visitor IP address. Therefore it is too easy to accidentally ban the webserver IP address or the upline proxy IP address, which would cause a denial of service condition.

This is made even easier when applications try to determine the IP address to ban from spoofable headers like X_FORWARDED_FOR.

So most of what Pareto Security will do is send a 403 access denied header on a specific banned request rather than permanently ban an IP address, although the IP banning function will still be optional. It will most certainly not allow the server IP address to be banned.
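An added example (PHP 7 syntax, not osC_Sec's or Pareto Security's own code) of the two points made above: take the visitor address from REMOTE_ADDR, consult X_FORWARDED_FOR only when the direct peer is a proxy you operate, and never let the web host's or proxy's own address reach the .htaccess ban list. The function names, the trusted-proxy list and the sample addresses are assumptions.

```php
<?php
// Added example, not osC_Sec or Pareto Security code. Resolves the visitor
// IP from the connection, trusts X-Forwarded-For only behind a proxy we run,
// and refuses to ban the server or proxy itself. Names are assumptions.
function resolveClientIp(array $server, array $trustedProxies): string
{
    // REMOTE_ADDR comes from the TCP peer; the client cannot forge it.
    $remote = $server['REMOTE_ADDR'] ?? '';
    // X-Forwarded-For is client-supplied unless our own proxy appended it,
    // so only look at it when the direct peer is a proxy we control.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    // Walk the chain from the right (the hop our proxy appended), skipping
    // our own proxies; the first foreign address is the visitor.
    foreach (array_reverse(array_map('trim', explode(',', $xff))) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed hop: fall back to the peer address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}
function isBannable(string $ip, array $server, array $trustedProxies): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    // Writing the host's own address or an upstream proxy into .htaccess
    // would lock every visitor out, so these are never bannable.
    $protected = array_merge($trustedProxies,
        [$server['SERVER_ADDR'] ?? '', '127.0.0.1', '::1']);
    return !in_array($ip, $protected, true);
}
// Constructed request: visitor 203.0.113.7 behind our proxy 10.0.0.2; the
// visitor also tried to spoof X-Forwarded-For with the server's address.
$server = [
    'REMOTE_ADDR'          => '10.0.0.2',
    'SERVER_ADDR'          => '192.0.2.10',
    'HTTP_X_FORWARDED_FOR' => '192.0.2.10, 203.0.113.7',
];
$proxies = ['10.0.0.2'];
$ip = resolveClientIp($server, $proxies); // 203.0.113.7, not 192.0.2.10
if (isBannable($ip, $server, $proxies)) {
    echo "Deny from $ip\n"; // Apache 2.2 deny rule for the .htaccess ban file
}
```

With the spoofed header the server address is never selected, and if a request arrives with REMOTE_ADDR equal to the proxy or server itself, isBannable() returns false instead of writing it to .htaccess.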


Thank you for the update. We get hit so often, I have disabled the send email on all but one account. Will be looking forward to a release of your Pareto Security. Is it ready for any field tests, or is the code listed still at an alpha stage?

GEOTEX from Houston, TX

 

(George)


It's usable. I just haven't written up install instructions for it yet or uploaded it to the addons repository. Hopefully soonish.


http://www.oscommerce.com/forums/topic/396035-oscommerce-0day-sql-injection-vulnerability/

 

Although you will all need to patch your shops, if you have osC_Sec installed, your site will not have been vulnerable to this database injection attack.


1) Is the v5.1.4 version the latest? And if so, why was the add-on number, name, and category changed?

 

v5.1.4 @ http://addons.oscommerce.com/info/8929

 

-vs-

 

v5.1.3 @ http://addons.oscommerce.com/info/8283

 

 

2) Do you know if your add-in is compatible with FWR Media's Security Pro?

 

http://addons.oscommerce.com/info/7708

 

Thanks!

 

Malcolm


5.1.4 is the latest. I can't quite remember why I changed the location of the file in addons, too long ago.

 

It's compatible with FWR Security Pro, but in actual fact it removes the need for it.


Thank you!

 

Malcolm


I've added 5.1.4 to the older link. Still not sure why it got uploaded into the credit modules, maybe it was a late one and I went cross-eyed or something.


Hi Taipo,

 

What are the implications of OSC Sec with OSC Version 2.3.4, especially the changes to PHP Self as detailed here: http://library.oscommerce.com/Online&en&oscom_2_3&release_notes&v2_3_4#upg6

 

Many Thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
