Taipo (Author) Posted April 25, 2013

The easiest way is to test the admin bypass exploit for earlier versions of osCommerce:

www.yoursite.com/index.php/login.php

That should trigger osC_Sec if it is configured correctly. Depending on your settings, it will either merely stop the page from loading, or, if you have IP banning activated, it will add your IP address to the main .htaccess file, thus banning it.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
jamo32 Posted April 25, 2013

> The easiest way is to test the admin bypass exploit for earlier versions of osCommerce:
> www.yoursite.com/index.php/login.php
> That should trigger osC_Sec if it is configured correctly. Depending on your settings, it will either merely stop the page from loading, or, if you have IP banning activated, it will add your IP address to the main .htaccess file, thus banning it.

Hi, I got a forbidden page. Additionally, a 404. Is this osC_Sec or .htaccess? Sorry to sound daft. Many thanks.

Using Bootstrap 8-)
callenords Posted May 9, 2013

The solution: find and remove (line 428 in osc_sec.php):

"%000",

If you are using Google Adwords ads, the code above triggers the security system for some of your paid visitors (Google Adwords adds a "?gclid=XXXXXXXXX" parameter that in some cases triggers the security system). I hope removing the code above is OK?

I've noticed that, apart from removing "%000", you also need to remove these 3 from osc_sec.php:

"%bf%27"
"%a3%27"
"%8c%5c"

The gclid parameter sent by Google Adwords has triggered my security system several times on "normal" visitors because of them. I hope it is not a security risk to remove them :)
Taipo (Author) Posted May 20, 2013

> I hope it is not a security risk to remove them

No problem with removing those items. I have popped up an update with those items removed. Go to: http://addons.oscommerce.com/info/8283
mr_absinthe Posted May 22, 2013

But it still contains "%000"...

Absinthe Original Liquor Store
Taipo (Author) Posted May 22, 2013

Try now: http://addons.oscommerce.com/info/8283
mr_absinthe Posted May 22, 2013

:thumbsup:
EricK Posted June 26, 2013

First, thank you for this great add-on. Running osC_Sec version 5.0.9a on osCommerce MS2.2 and getting "osC_Sec detected malicious $_COOKIE content". How do I tell if this is a false positive? How do I remove the malicious $_COOKIE content test?

REASON FOR BAN: osC_Sec detected malicious $_COOKIE content: [ 86aee24eef5ebdd4d34e1da5ffff3973 214551682.1895959564.1372243910.1372243910.1372243910.1 214551682.1.10.1372243910 214551682 214551682.1372243910.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=fake sunglasses spy 1 PR;null;null ].
Taipo (Author) Posted June 26, 2013

It looks like a false positive. There are four ways to fix this. Choose one (only) of the following options.

1/ Find the following code and replace it.

Find (around line 414):

if ( false !== ( bool )preg_match( "/(null){2,}/i", $nstring ) ) {

and replace with:

if ( false !== ( bool )preg_match( "/(null){3,}/i", $nstring ) ) {

Or,

2/ To prevent the cookie test from checking for database-styled injection attempts (a little more drastic than just fixing the specific issue with that request above):

Find (around line 575):

$injectattempt = ( ( bool )$this->injectMatch( $ckey ) ) ? true : ( ( bool )$this->injectMatch( $cval ) );

and replace with:

# $injectattempt = ( ( bool )$this->injectMatch( $ckey ) ) ? true : ( ( bool )$this->injectMatch( $cval ) );

Or,

3/ To completely remove the cookie content test:

Find:

$this->_COOKIE_SHIELD();

and replace with:

# $this->_COOKIE_SHIELD();

Or,

4/ Wait for the next update of osC_Sec, in which this and other issues will be addressed. Due out any day now.
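The false positive above, reproduced as an added example so you can see what option 1 changes before editing osc_sec.php. This is illustrative code written for this thread, not osC_Sec's own code. It assumes osC_Sec builds `$nstring` by lower-casing the cookie value and stripping everything that is not a letter or digit (the thread does not show that step; without some such normalisation the semicolons in "PR;null;null" would keep the original rule from matching). The cookie fragments are taken from EricK's ban reason, plus one constructed value to show what the tightened rule still catches.

```php
<?php
// Added example, not code from osc_sec.php. Shows why a Google Analytics style
// cookie ending in "PR;null;null" trips the "(null){2,}" rule and why the
// suggested "(null){3,}" rule lets it through while still matching longer runs.
declare(strict_types=1);

/**
 * ASSUMED normalisation: osC_Sec's $nstring is modelled here as the cookie
 * value lower-cased with all non-alphanumeric characters removed.
 */
function normalize_cookie_value(string $value): string
{
    return strtolower((string) preg_replace('/[^a-z0-9]/i', '', $value));
}

/** The rule from around line 414 before the change: two or more adjacent "null". */
function matches_original_rule(string $nstring): bool
{
    return preg_match('/(null){2,}/i', $nstring) === 1;
}

/** The rule after option 1: three or more adjacent "null". */
function matches_fixed_rule(string $nstring): bool
{
    return preg_match('/(null){3,}/i', $nstring) === 1;
}

/**
 * Run both rules over a set of raw cookie values and report which would ban.
 * Returns [cookie value => ['original' => bool, 'fixed' => bool]].
 */
function classify_cookies(array $cookieValues): array
{
    $result = [];
    foreach ($cookieValues as $raw) {
        $nstring = normalize_cookie_value($raw);
        $result[$raw] = [
            'original' => matches_original_rule($nstring),
            'fixed'    => matches_fixed_rule($nstring),
        ];
    }
    return $result;
}

// Sample input: the two cookie fragments quoted in EricK's post, plus one
// constructed value with three adjacent "null" tokens.
$samples = [
    '214551682.1372243910.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=fake sunglasses spy',
    'PR;null;null',
    'null;null;null',   // constructed, not from the thread
];

foreach (classify_cookies($samples) as $cookie => $verdict) {
    printf(
        "%-95s original rule: %-5s fixed rule: %s\n",
        $cookie,
        $verdict['original'] ? 'BAN' : 'pass',
        $verdict['fixed'] ? 'BAN' : 'pass'
    );
}
// Expected: the __utmz-style value passes both rules; "PR;null;null" is
// banned only by the original rule; "null;null;null" is banned by both.
```

Option 1 keeps the cookie shield running and only narrows this one pattern, which is why it is the least drastic of the four; options 2 and 3 switch off the injection check or the whole cookie test, so every other pattern in that shield stops being evaluated too.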
Taipo (Author) Posted July 2, 2013

osC_Sec 5.1.0

What's New?
- Additional blacklist items to block the latest attack vectors
- A small rewrite of the function that gets the visitor's IP address
- Removal of more items in blacklists that can lead to false positives in the cookie content checking

New install instructions: see the readme.htm. As per usual, all updates contain the complete package.

Updating: Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.
Taipo (Author) Posted July 19, 2013

osC_Sec 5.1.1

What's New?
- Fixed a glitch in the way osC_Sec determines the IP address which may lead to false positives

http://addons.oscommerce.com/info/8283
bbott Posted August 26, 2013

I'm receiving the following error in my logs:

[25-Aug-2013 12:11:09 America/New_York] PHP Fatal error: Call to undefined method osC_Sec::karo() in /home/website/public_html/includes/osc_sec.php on line 626

Any ideas?
Taipo (Author) Posted August 26, 2013

Thanks for that, Greg. I have uploaded an update with a fix in it for this issue, and a number of other tweaks as well.

------------------------------

osC_Sec 5.1.2

What's New?
- Fixed several minor variable declarations
- Fixed a small issue where online file scanners would give false positives when scanning osC_Sec
- Added features to prevent osC_Sec from htaccess-banning the IP address of the web host server
- Fixed a coding error in _REQUEST_Shield (thanks to bbott)

New install instructions: see the readme.htm. As per usual, all updates contain the complete package.

Updating: Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.
bbott Posted August 26, 2013

Awesome, thanks for the quick fix! I'll keep an eye on my logs and let you know if anything else pops up after updating to 5.1.2.
Taipo (Author) Posted October 10, 2013

Re: http://www.oscommerce.com/forums/topic/394779-oscommerce-233-hacked/

I have updated osC_Sec to block attempts to exploit the admin via the attack listed in the thread above. However, the best way to block this attack while waiting for an update from osCommerce is to make sure you have htaccess password security on your admin directory, using a hard-to-crack password. For an example of a strong yet memorable password, check out the techniques being used by this web app: http://www.safepasswd.com

===========================================================

osC_Sec 5.1.3

What's New?
- Update to the blacklists
- Update to the way osC_Sec deals with hex code

New install instructions: see the readme.htm. As per usual, all updates contain the complete package.

Updating: Replace the osc_sec.php file in your catalog's /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email hokioi-security@riseup.net

Download from: http://addons.oscommerce.com/info/8283
Geotex Posted October 21, 2013

Is the new 5.1.4 you posted compatible with the new IP Trap V6 that uses a database for storing blacklisted addresses?

GEOTEX from Houston, TX (George)
Taipo (Author) Posted November 3, 2013

The new version I am developing will no longer support IPTrap (see the Pareto Security link in my sig), although it won't prevent the TRAP from doing its thing. The other major change is that it will no longer email out notifications.

Banning IP addresses has become a lot more volatile, what with the many webserver proxy configurations where the REMOTE_ADDR is the webserver or upline proxy IP rather than the actual visitor IP address. Therefore it is too easy to accidentally ban the webserver IP address or the upline proxy IP address, which would cause a denial of service condition. This is made even easier when applications try to determine the IP address to ban from spoofable headers like X_FORWARDED_FOR.

So most of what Pareto Security will do is send a 403 access denied header on a specific banned request rather than permanently ban an IP address, although the IP banning function will still be optional. It will most certainly not allow the server IP address to be banned.
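An added example of the two points in the post above and of the 5.1.2 changelog item about not htaccess-banning the web host's own address. This is illustrative code written for this thread, not osC_Sec or Pareto Security code: it attributes a request to a visitor IP by trusting X-Forwarded-For only when REMOTE_ADDR is one of your own reverse proxies, and refuses to put the server's own address, any configured proxy, or a private/reserved address into a ban list. The proxy list, SERVER_ADDR and the three request samples are constructed for the example.

```php
<?php
// Added example, not osC_Sec/Pareto Security code. Safe visitor-IP resolution
// and a "never ban this address" guard, as a defence against the self-inflicted
// denial of service the post describes.
declare(strict_types=1);

/**
 * Return the address to attribute to this visitor, or null if it cannot be
 * determined safely. $server is a copy of $_SERVER; $trustedProxies lists
 * your own reverse proxies (ASSUMPTION: this layout is constructed here).
 */
function visitor_ip(array $server, array $trustedProxies): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Not behind a proxy we know: the socket peer is the visitor. Any client
    // can send X-Forwarded-For, so it is ignored here.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }
    // Behind a trusted proxy: walk X-Forwarded-For from the right, skipping
    // our own proxies; the first hop we did not add is the client.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (filter_var($chain[$i], FILTER_VALIDATE_IP) === false) {
            return null; // malformed header: do not guess an address to ban
        }
        if (!in_array($chain[$i], $trustedProxies, true)) {
            return $chain[$i];
        }
    }
    return null; // every hop was one of our own proxies
}

/**
 * True if $ip must never be written to the .htaccess deny list: the web
 * server's own address, a configured proxy, or a private/reserved range
 * (loopback, link-local, RFC 1918). Banning any of these locks out the site.
 */
function is_unbannable(string $ip, array $server, array $trustedProxies): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return true;
    }
    if ($ip === ($server['SERVER_ADDR'] ?? null) || in_array($ip, $trustedProxies, true)) {
        return true;
    }
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

/** What to do with a request that a blacklist check has already flagged. */
function ban_decision(array $server, array $trustedProxies): string
{
    $ip = visitor_ip($server, $trustedProxies);
    if ($ip === null || is_unbannable($ip, $server, $trustedProxies)) {
        return 'deny this request with 403 only; no address is banned';
    }
    return "deny with 403 and add $ip to the ban list";
}

// Constructed samples: one reverse proxy at 10.0.0.5, web server at 198.51.100.7.
$proxies = ['10.0.0.5'];
$cases = [
    'direct visitor, forged X-Forwarded-For naming the server' => [
        'REMOTE_ADDR' => '203.0.113.10', 'SERVER_ADDR' => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.7',
    ],
    'visitor behind our proxy' => [
        'REMOTE_ADDR' => '10.0.0.5', 'SERVER_ADDR' => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.20, 10.0.0.5',
    ],
    'behind our proxy, header resolves to the server itself' => [
        'REMOTE_ADDR' => '10.0.0.5', 'SERVER_ADDR' => '198.51.100.7',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.7, 10.0.0.5',
    ],
];
foreach ($cases as $label => $server) {
    echo $label, ': ', ban_decision($server, $proxies), PHP_EOL;
}
// Expected: case 1 bans 203.0.113.10 (the forged header is ignored);
// case 2 bans 203.0.113.20; case 3 sends 403 only and bans nothing.
```

The per-request 403 is always safe because it affects only the flagged request; a persistent .htaccess ban is only taken once the address has passed both checks, which is the behaviour the post says Pareto Security will default to.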
Geotex Posted November 6, 2013

Thank you for the update. We get hit so often, I have disabled the send email on all but one account. Will be looking forward to a release of your Pareto Security. Is it ready for any field tests, or is the code listed still at an alpha stage?
Taipo (Author) Posted November 7, 2013

It's usable. I just haven't written up install instructions for it yet or uploaded it to the addons repository. Hopefully soonish.
Taipo (Author) Posted February 7, 2014

http://www.oscommerce.com/forums/topic/396035-oscommerce-0day-sql-injection-vulnerability/

Although you will all need to patch your shops, if you have osC_Sec installed, your site will not have been vulnerable to this database injection attack.
ArtcoInc Posted May 28, 2014

1) Is the v5.1.4 version the latest? And if so, why was the add-on number, name, and category changed?

v5.1.4 @ http://addons.oscommerce.com/info/8929
-vs-
v5.1.3 @ http://addons.oscommerce.com/info/8283

2) Do you know if your add-in is compatible with FWR Media's Security Pro? http://addons.oscommerce.com/info/7708

Thanks!

Malcolm
Taipo (Author) Posted May 28, 2014

5.1.4 is the latest. I can't quite remember why I changed the location of the file in addons; too long ago. It's compatible with FWR Security Pro, but in actual fact it removes the need for it.
ArtcoInc Posted May 28, 2014

> 5.1.4 is the latest. I can't quite remember why I changed the location of the file in addons; too long ago. It's compatible with FWR Security Pro, but in actual fact it removes the need for it.

Thank you!

Malcolm
Taipo (Author) Posted May 28, 2014

I've added 5.1.4 to the older link. Still not sure why it got uploaded into the credit modules; maybe it was a late one and I went cross-eyed or something.
Mort-lemur Posted June 12, 2014

Hi Taipo,

What are the implications of osC_Sec with osCommerce version 2.3.4, especially the changes to PHP_SELF as detailed here: http://library.oscommerce.com/Online&en&oscom_2_3&release_notes&v2_3_4#upg6

Many thanks

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.
This topic is now archived and is closed to further replies.