Taipo - Posted May 21, 2011 (Author)

Try this. Replace this part of the code above:

```php
/**
 * Called above, this will clean up
 * values but not interfere with umlauts
 */
function getCleaner($string, $conv=1) {
    // Per-request token: hex only, so it passes the filter untouched
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . $_SERVER["HTTP_HOST"]
            . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,ß,€");
    $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,szlig,euro");
    // Walk both lists in step; the index has to stay below count()
    for ($wr = 0; $wr < count($tolist); $wr++) {
        if ( $conv > 0 ) {
            // Hide each umlaut behind the token so the filter leaves it alone
            $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
        } else {
            // Put the umlauts back once filtering is done
            $string = str_replace($x.$fromlist[$wr], $tolist[$wr], $string);
        }
    }
    return $string;
}
```

With the following:

```php
/**
 * Called above, this will clean up
 * values but not interfere with umlauts
 */
function getCleaner($string, $conv=1) {
    // Per-request token: hex only, so it passes the filter untouched
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . $_SERVER["HTTP_HOST"]
            . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    // Characters to hide, their placeholders and the characters to restore, index-aligned
    $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,ß,€,ä,ä,ü,Ä,Ö,Ü,€,ß");
    $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,szlig,euro,ae,oe,ue,Ae,Oe,Ue,euro,szlig");
    $finlist = explode(",", "ä,ö,ü,Ä,Ö,Ü,ß,€,ä,ö,ü,Ä,Ö,Ü,€,ß");
    // Walk the lists in step; the index has to stay below count()
    for ($wr = 0; $wr < count($tolist); $wr++) {
        if ( $conv > 0 ) {
            // Hide each umlaut behind the token so the filter leaves it alone
            $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
        } else {
            // Put the umlauts back once filtering is done
            $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
        }
    }
    return $string;
}
```

This probably could be written in simpler terms, but in the end, it's the result that matters.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
popsel - Posted May 22, 2011

> Try this. Replace this part of the code above: [...] With the following: [...] This probably could be written in simpler terms, but in the end, it's the result that matters.

Hi! I checked with the same conditions, but the result did not change :huh:

Frontend output is this:

Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht.

Firebug analysis is showing that Firefox is getting this string:

```html
<td class="headerError">Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht.</td>
```

That's why Firefox does not display umlauts. The generated code für provides a display of für instead of the desired output: für

So I was trying to find out the conditions to get the desired output. If $nonGETPOSTReqs = 1 and umlauts are not coded like ü but normally written as ü

```php
define('ENTRY_DISCOUNT_COUPON_MIN_PRICE_ERROR', 'Der Mindestbestellwert für diesen Gutschein beträgt %s und wurde noch nicht erreicht');
```

and this line is disabled for testing

```php
/**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
        // Recurse into every element and keep the cleaned value
        foreach ( $nodes as $key => $value ) {
            $nodes[$key] = scrubster( $value );
        }
    } else {
        $nodes = getCleaner( $nodes, TRUE );   // hide umlauts
        // Next line disabled for testing:
        // $nodes = preg_replace("/[^ a-zA-Z0-9?,ßäöüÄÖÜ€=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
        $nodes = getCleaner( $nodes, FALSE );  // restore umlauts
    }
    return $nodes;
}
```

then I receive this (perfect) frontend output:

Der Mindestbestellwert für diesen Gutschein beträgt 10,00 € und wurde noch nicht erreicht.

Looking into the code using Firebug shows this:

```html
<td class="headerError">Der Mindestbestellwert für diesen Gutschein beträgt 10,00 € und wurde noch nicht erreicht.</td>
```

From this view I think there are 2 problems:

1. The filter function (scrubster) sometimes still filters standard written umlauts (ö ä ü Ö Ä Ü €). To show that, enabling the above disabled line in function scrubster shows this result:

Frontend output: Der Mindestbestellwert fr diesen Gutschein betrgt 10,00 und wurde noch nicht erreicht.

Firebug analysis:

```html
<td class="headerError">Der Mindestbestellwert fr diesen Gutschein betrgt 10,00 und wurde noch nicht erreicht.</td>
```

2. If umlauts are html coded in the message string, they are not bypassed correctly. So the browser shows the code for umlauts but not the umlaut special character itself.

Hopefully this research can help you to fix this problem. Thanks again for your patience.

Best regards
Popsel
Taipo - Posted May 22, 2011 (Author)

Ok, that does help a bit. Try this for size:

```php
/**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
        // Recurse into every element and keep the cleaned value
        foreach ( $nodes as $key => $value ) {
            $nodes[$key] = scrubster( $value );
        }
    } else {
        $nodes = getCleaner( $nodes, TRUE );   // hide umlauts
        $nodes = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
        $nodes = getCleaner( $nodes, FALSE );  // restore umlauts
    }
    return $nodes;
}

/**
 * Called above, this will clean up
 * values but not interfere with umlauts
 */
function getCleaner($string, $conv=1) {
    // Per-request token: hex only, so it passes the filter untouched
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . $_SERVER["HTTP_HOST"]
            . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    // Characters to hide, their placeholders and the characters to restore, index-aligned;
    // the later groups are meant to cover the html coded forms of the same characters
    $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
    $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig,axe,oxe,uxe,Axe,Oxe,Uxe,euxro,szlxig");
    $finlist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
    // Walk the lists in step; the index has to stay below count()
    for ($wr = 0; $wr < count($tolist); $wr++) {
        if ( $conv > 0 ) {
            // Hide each umlaut behind the token so the filter leaves it alone
            $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
        } else {
            // Put the umlauts back once filtering is done
            $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
        }
    }
    return $string;
}
```

Hopefully this might work. It should work where umlauts are html coded and are in actual form. Where it probably will not work is where you want to display the html encoded umlaut. But that would be rare in osCommerce, one would think.
popsel - Posted May 22, 2011

> Ok, that does help a bit. Try this for size: [...] Hopefully this might work. It should work where umlauts are html coded and are in actual form. Where it probably will not work is where you want to display the html encoded umlaut. But that would be rare in osCommerce, one would think.

Ok, we have to see where the problem occurs. It still doesn't provide the right output. With the actual version I have:

Frontend showing: Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht.

Firebug showing:

```html
<td class="headerError">Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht.</td>
```

I added a logfile to see what's going in and out of function scrubster:

```php
/**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
function scrubster( $nodes ) {
    if ( file_exists("scrubster.txt") ) {
        unlink("scrubster.txt");                  // Erase old logfile first
    }
    $file = fopen("scrubster.txt", "a+");         // Open debug file
    fwrite($file, 'in ='.$nodes.chr(10));         // Write input to file
    if ( is_array( $nodes ) ) {
        // Recurse into every element and keep the cleaned value
        foreach ( $nodes as $key => $value ) {
            $nodes[$key] = scrubster( $value );
        }
    } else {
        $nodes = getCleaner( $nodes, TRUE );   // hide umlauts
        $nodes = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
        $nodes = getCleaner( $nodes, FALSE );  // restore umlauts
    }
    fwrite($file, 'out='.$nodes.chr(10).chr(13)); // Write output to file and add new line
    fclose($file);                                // Close file
    return $nodes;
}
```

This is the result:

```
in =Der Mindestbestellwert für diesen Gutschein beträgt 10,00 € und wurde noch nicht erreicht.
out=Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht.
```

So we see that nothing besides the € sign is changed. The changes must appear elsewhere. (If I do the same test with normal umlauts they are filtered in the output.) Is there any further processing of these strings inside OSC_SEC besides the function scrubster?

Best regards
Popsel
Taipo - Posted May 22, 2011 (Author)

Nothing else filters the GET requests. The two other actions that happen are: 1/ back in osc.php, the setlocale( LC_TIME, "en_NZ" ); is where setlocale determines the time, so unless that has been changed to the wrong settings it should not interfere with the output, and the other place is where $_REQUEST is reset as a merge of $_GET and $_POST vars. See:

```php
$_REQUEST = array_merge( $_GET, $_POST );
```

The difficulty I am having in trying to debug this is that it tests correct on my test system here. And by the looks of the output it is reporting correctly. The only other thing is the way the browser may be converting the output itself. What is the charset set to in the html head of your page, the DOCTYPE, and what is the charset set to in your browser?

ps if you don't mind, can you PM me the url to your website so I can see it for myself?
popsel - Posted May 22, 2011

> Nothing else filters the GET requests. [...] What is the charset set to in the html head of your page, and what is the charset set to in your browser? ps if you don't mind, can you PM me the url to your website so I can see it for myself?

Ok, the site is using

```html
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="de">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
```

and the browser is switching according to it (iso-8859-1).

Hmm... I see this filtering is a problematic topic. I am just a PHP beginner but had this idea for a workaround: What if we had a global flag to disable the filter once, until the string is sent. At the place where a problematic string is sent, just before it, set the filter disable flag, send the string, and the filter activates itself again after sending one string. Here is my proposal, you are welcome to make it better or safer :rolleyes:

```php
/*
 Inside the problematic function, just before the string is sent add:
   $oscsec_filter_once_off = true;
 This disables the filter once. After the string is sent the filter is
 automatically switched on again.
*/

/**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
function scrubster( $nodes ) {
    global $oscsec_filter_once_off;      // Flag can be set in any function
    if ( !$oscsec_filter_once_off ) {    // If $oscsec_filter_once_off is set to TRUE skip filtering one time
        /* For testing only
        if ( file_exists("scrubster.txt") ) {
            unlink("scrubster.txt");                  // Erase old logfile first
        }
        $file = fopen("scrubster.txt", "a+");         // Open debug file
        fwrite($file, 'in ='.$nodes.chr(10));         // Write input to file
        */
        if ( is_array( $nodes ) ) {
            // Recurse into every element and keep the cleaned value
            foreach ( $nodes as $key => $value ) {
                $nodes[$key] = scrubster( $value );
            }
        } else {
            $nodes = getCleaner( $nodes, TRUE );   // hide umlauts
            $nodes = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
            $nodes = getCleaner( $nodes, FALSE );  // restore umlauts
        }
        /* For testing only
        fwrite($file, 'out='.$nodes.chr(10).chr(13)); // Write output to file and add new line
        fclose($file);                                // Close file
        */
    }
    $oscsec_filter_once_off = false;     // Now automatically enable filtering again for security
    return $nodes;
}
```

Sorry, there is no web access to my store. I hope to be able to open it in August.

Best regards
Popsel
Taipo - Posted May 22, 2011 (Author)

To give you some idea of the issue we are facing, have a look at my test site http://warbeast.netne.net/. On the top right where you log in I have displayed the same message we are testing with. This has been defined in the includes/language/english.php file and is displaying correctly in both IE and FF. This site is running the latest version of osC_Sec.php. Are those characters displaying correctly in your browser? Here is what I am seeing...

So I am not able to replicate the problem you are having on your site without seeing your site, sorry.
popsel - Posted May 22, 2011

> To give you some idea of the issue we are facing, have a look at my test site http://warbeast.netne.net/. [...] So I am not able to replicate the problem you are having on your site without seeing your site, sorry.

OK, which data should I enter (coupon code, goods value, test customer data)?

Best regards
Popsel
Taipo - Posted May 22, 2011 (Author)

I am not sure what you are asking. All I did was enter the German string you were testing into one of the defined constants in my site's english.php file to see how it is displaying the umlauts. It is not an accurate test because I have not installed the addons you are using. The only other way I can test osC_Sec to try and replicate the conditions you are experiencing is to install all the addons you have installed. If I can replicate the results you are getting then I can find out what is causing the code to display incorrectly.

In the meantime if you have to, set $GETcleanup to 0 which will disable it.

By the way, which version of osCommerce are you using?
popsel - Posted May 22, 2011

> OK, which data should I enter (coupon code, goods value, test customer data)?

@Taipo Dear Taipo, I don't know why your code works on your site and doesn't show the same result on my site. I see this is a problematic situation for both of us - if you cannot reproduce the faultily displayed messages you can't find a fix for it. If I had the same output as you, then I wouldn't have a reason to bother you. Anyway, finally I found a workaround (tested with IE6, FF 4.01 and Chrome 11) to display all the problematic messages in the right way here, too :rolleyes: So again, thank you very much for your support.

Best regards
Popsel
popsel - Posted May 22, 2011

> I am not sure what you are asking. All I did was enter the German string you were testing...

Yes, this is not the same situation. I thought you had installed the same plugin, too. Then I would need to log in as a customer and need a valid coupon code for testing :rolleyes:

> In the meantime if you have to, set $GETcleanup to 0 which will disable it.

With my workaround I can leave it at $GETcleanup=1 to keep it more secure.

> By the way, which version of osCommerce are you using?

I am using OSC V2.2rc2a

Best regards
Popsel
popsel - Posted May 22, 2011

> Yes, this is not the same situation. [...] I am using OSC V2.2rc2a

Finally I can show some pics of how it looks with my workaround:

Best regards
Popsel
Taipo - Posted May 23, 2011 (Author)

I would still like to get to the bottom of this if possible, even just for my own reference. Can you give me a list of every addon you are using? I see you have listed Discount Coupon Codes V3.34 and Order Editor V5.09 so far. Once I have that list I can set up a test scenario here, activate the German language and try to replicate the issue you have brought up. It seems that perhaps one of those addons is reacting to another section of osC_Sec.php other than the section we are working on. I would like to find out which part of that code is causing the problem.
popsel - Posted May 23, 2011

> I would still like to get to the bottom of this if possible, even just for my own reference. Can you give me a list of every addon you are using? [...]

Hi! I have a heavily modified shop with tons of addons and some things of my own. You will have a lot of fun :D :

- Add 3 Images with Admin
- Add Qty to listings (Mengeneingabebox)
- Admin German 2.2MS2
- Admin Reports Count Reset
- über Skype anrufen
- AGB Zustimmung
- AJAX Attribute Manager ++
- All In One FCK Editor WYSIWYG Editor
- Anti Robot Validation
- Artikelnummer automatisch hochzählen lassen
- Auto Update Currencies V 1.0
- Banner Manager für Rc2.2a
- Banner Picture Hack in Banner Manager
- Better SEO Images V1.1
- Box Caching erweitern
- Center Shop (Shopbreite begrenzen)
- change date format
- CK EDITOR nightly & Install Instructions +++
- Counter Reset V1.0
- Cronjob on Windows Xampp
- CSS hover enlarged image popup MOD
- CSS MENU OK
- Cycling products +++
- Database Optimizer V 1.0
- Datenschutz Zustimmung in Popup
- Datum auf DEUTSCH UMSTELLEN
- Delete Category Images V 1.0
- Discount Coupon Codes +++
- Easy Tool Tip text balloon ++
- EUR-Zeichen in QSCommerce
- Extra pages-info box w admin
- Falsche Rundung von osCommerce - gelöst!
- Faster Page Loads, Less DB queries
- FCK Player Plugin & Free Video to Flash Converter
- Flash Banners
- Flash Videos in den Hintergrund bringen
- Hermes Export
- HTML Status Update Auto-emailer with product images and links +++
- HTML-Befehle Übersicht
- If price = 0.00 dont display price
- Image Check
- Image Hack Protection
- Image Upload Resizer
- Impressum
- Länderliste DE oben
- Leerzeichen bei Währung & Preis
- Low Stock Report
- Mp3_preview_with_Flash_player_v1.0
- MWST und Versandkostenanzeige
- Nachnamen bei den Bewertungen nicht mehr anzeigen
- Order Editor 5.09b
- OS COMMERCE How to install a contribution
- Page Cache 1.6
- Payment Type Charge
- PaymethodsQuickinfobox
- Preisauszeichnungsverordnung MWST und Versandkostenanzeige
- Products thumbnail image display and popups on the admin
- Punkt statt Komma am Num. Ziffernblock
- Pure CSS Image Swap On Hover For osC Buttons
- Rechnungslayout über Admin + Texteingabe in Rechnung
- Report Missing & unassinged Images
- Review Notification
- Sales Report Between Two Dates
- Scrolling Bestsellers
- Send Admin HTML e-mails
- SEO Assistant
- SEO images v.0.99
- Skype Contact
- Store Mode (Open Closed Maintenance)
- Vorschau bei neuem Produkt oder bei Update überspringen
- Widerrufsbelehrung
- XPricesPerProduct +++
- X-Sell (Produktverlinkung NEUE VERSION)
- Zones International Default
- Zonesworld Version_v2.zip
- OSC_SEC(urity) latest version with fix
- SiteMonitor

I don't want to bother you again, but if you would like to know about other problems I had with OSC_SEC: so far I had to find workarounds because these addons in combination with OSC_SEC did not work in my shop:

- Rechnungslayout über Admin + Texteingabe in Rechnung
- AJAX Attribute Manager

Best regards
Popsel
Taipo - Posted May 23, 2011 (Author)

The problem with the AJAX Attrib Manager will probably also be linked to the $GETcleanup issue as well.
popsel - Posted May 23, 2011

> I would still like to get to the bottom of this if possible, even just for my own reference. [...] I would like to find out which part of that code is causing the problem.

Hi! I see, even after a lot of posts, it may still be unclear for you why it doesn't work? Your code could not help me to fix this problem because, even after all these changes, it filters uncoded umlaut characters (ä ü ....) and the € sign. That is the reason why it did not work for me and I had to find a workaround. If you still don't have enough you may continue investigating it ;)

Best regards
Popsel
Taipo - Posted May 23, 2011 (Author)

I did not realise it was affecting the uncoded umlauts. This may work better then:

```php
/**
 * Clean up GET request vars
 * as well as multidimensional arrays
 */
function scrubster( $nodes ) {
    if ( is_array( $nodes ) ) {
        // Recurse into every element and keep the cleaned value
        foreach ( $nodes as $key => $value ) {
            $nodes[$key] = scrubster( $value );
        }
    } else {
        $nodes = getCleaner( $nodes, TRUE );   // hide umlauts
        // The umlauts and the euro sign are now also allowed through the character class
        $nodes = preg_replace("/[^ a-zA-Z0-9?,äöüÄÖÜ€ß=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
        $nodes = getCleaner( $nodes, FALSE );  // restore umlauts
    }
    return $nodes;
}

/**
 * Called above, this will clean up
 * values but not interfere with umlauts
 */
function getCleaner($string, $conv=1) {
    // Per-request token: hex only, so it passes the filter untouched
    $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . $_SERVER["HTTP_HOST"]
            . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
    // Characters to hide, their placeholders and the characters to restore, index-aligned;
    // the later groups are meant to cover the html coded forms of the same characters
    $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
    $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig,axe,oxe,uxe,Axe,Oxe,Uxe,euxro,szlxig");
    $finlist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
    // Walk the lists in step; the index has to stay below count()
    for ($wr = 0; $wr < count($tolist); $wr++) {
        if ( $conv > 0 ) {
            // Hide each umlaut behind the token so the filter leaves it alone
            $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
        } else {
            // Put the umlauts back once filtering is done
            $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
        }
    }
    return $string;
}
```

As you saw in the debug printout you did, the cleaner actually did not affect the encoded umlauts, yet they were still displaying incorrectly afterward.
popsel - Posted May 23, 2011

> I did not realise it was affecting the uncoded umlauts. This may work better then: [...] As you saw in the debug printout you did, the cleaner actually did not affect the encoded umlauts, yet they were still displaying incorrectly afterward.

Hi! I did a quick test, and the uncoded umlauts are still gone after passing OSC_SEC. You can test it yourself with a logging function like I did. Feed OSC_SEC some uncoded umlaut strings and look in the debug file output at what is left over - a very simple method. If there are missing umlaut or € sign chars then something is wrong. That is the reason why it works for me if filtering is disabled / OSC_SEC is bypassed.

For now I have to continue developing my store - there is still a lot of work to do. So I have no more time for tests on this topic. Actually my workaround is working for me, so I will stick to it. If you can find a way to fix the problem, it would be great if you could include this in the next official OSC_SEC update. Cheers!

Best regards
Popsel
Taipo (Author) Posted May 23, 2011

Unfortunately we are constantly getting two different sets of results from the same piece of script. There must be other variables involved that are outside of what osC_Sec does, as my testing has no problems in displaying the uncoded umlauts, so I am unable to assist any more with this, sorry. However I think, as it stands, the code above does improve the way osC_Sec filters the umlauts, so I will leave it in the next version when it is released. Sorry I could not be of more assistance to you.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
Taipo (Author) Posted May 23, 2011

For reference, this is a test.

Settings:
- Character encoding in your browser set to Western (ISO-8859-1)
- in includes/language/yourlanguage.php set define('CHARSET', 'iso-8859-1');

In application_top.php, after require('includes/osc_sec.php'); paste this code:

    echo scrubster( "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß [w](o)%3Cr%3Ek|i*n^g" );

You should see the resulting text when you load your site:

    ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß working
rdva Posted May 23, 2011

Taipo, I have a problem similar to popsel's with the Russian language. Function scrubster() filters out all non-Latin symbols, and all Russian symbols are non-Latin. The workaround (for me) is:

find

    preg_replace("/[^ a-zA-Z0-9?=@%:{}\/_.-]/i", "", urldecode( $nodes ) );

replace with

    preg_replace("/[^ a-zA-Zа-яА-Я0-9?=@%:{}\/_.-]/i", "", urldecode( $nodes ) );

Can you see the difference? Does your browser correctly display Cyrillic symbols?
popsel Posted May 23, 2011

> For reference, this is a test.
>
> Settings:
> - Character encoding in your browser set to Western (ISO-8859-1)
> - in includes/language/yourlanguage.php set define('CHARSET', 'iso-8859-1');
>
> In application_top.php, after require('includes/osc_sec.php'); paste this code:
>
>     echo scrubster( "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß [w](o)%3Cr%3Ek|i*n^g" );
>
> You should see the resulting text when you load your site.

Taipo, I get this with your test (define('CHARSET', 'iso-8859-1') in languages/german.php and the same setting in FF):

with this code in scrubster:

    function scrubster( $nodes ) {
        if ( is_array( $nodes ) ) {
            foreach( $nodes as $key=>$value ) {
                if ( is_array( $value ) ) {
                    // keep the cleaned sub-array; the return value was being discarded
                    $nodes[$key] = scrubster( $value );
                } else {
                    // clean this element rather than the whole array
                    $value = getCleaner( $value, TRUE );
                    $value = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $value ) );
                    $nodes[$key] = getCleaner( $value, FALSE );
                }
            }
        } else {
            $nodes = getCleaner( $nodes, TRUE );
            $nodes = preg_replace("/[^ a-zA-Z0-9?,=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
            $nodes = getCleaner( $nodes, FALSE );
        }
        return $nodes;
    }

and this code in getCleaner:

    /**
     * Called above, this will clean up
     * values but not interfere with umlauts
     */
    function getCleaner($string, $conv=1) {
        // per-request token used as a prefix so the placeholders cannot collide with real input
        $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
        $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
        $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig,axe,oxe,uxe,Axe,Oxe,Uxe,euxro,szlxig");
        $finlist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
        // $wr < count(): the original <= read one index past the end of the lists
        for($wr=0;$wr<count($tolist);$wr++) {
            if ( $conv > 0 ) {
                $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
            } else {
                $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
            }
        }
        return $string;
    }

Best regards
Popsel
Taipo (Author) Posted May 23, 2011

I have changed the cleanup syntax below. This may render some more of the non-English char items than the previous one. Using the Perl compatible regular expressions will hopefully allow the browser character settings to make a better determination of what is displayed and what isn't. However this may not work on some locale settings.

    /**
     * Clean up GET request vars
     * as well as multidimensional arrays
     */
    function scrubster( $nodes ) {
        if ( is_array( $nodes ) ) {
            foreach( $nodes as $key=>$value ) {
                if ( is_array( $value ) ) {
                    // keep the cleaned sub-array; the return value was being discarded
                    $nodes[$key] = scrubster( $value );
                } else {
                    // clean this element rather than the whole array
                    $value = getCleaner( $value, TRUE );
                    $value = preg_replace("/[^\w\s?,€=@%:{}\/_.-]/i", "", urldecode( $value ) );
                    $nodes[$key] = getCleaner( $value, FALSE );
                }
            }
        } else {
            $nodes = getCleaner( $nodes, TRUE );
            $nodes = preg_replace("/[^\w\s?,€=@%:{}\/_.-]/i", "", urldecode( $nodes ) );
            $nodes = getCleaner( $nodes, FALSE );
        }
        return $nodes;
    }

    /**
     * Called above, this will clean up
     * values but not interfere with umlauts
     */
    function getCleaner($string, $conv=1) {
        // per-request token used as a prefix so the placeholders cannot collide with real input
        $x = md5( $_SERVER["REMOTE_ADDR"] . $_SERVER["HTTP_USER_AGENT"] . $_SERVER["HTTP_HOST"] . $_SERVER["DOCUMENT_ROOT"] . $_SERVER["SERVER_SOFTWARE"] . $_SERVER["PATH"] );
        $tolist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
        $fromlist = explode(",", "ae,oe,ue,Ae,Oe,Ue,euro,szlig,ae,oe,ue,Ae,Oe,Ue,euro,szlig");
        $finlist = explode(",", "ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ö,ü,Ä,Ö,Ü,€,ß");
        // $wr < count(): the original <= read one index past the end of the lists
        for($wr=0;$wr<count($tolist);$wr++) {
            if ( $conv > 0 ) {
                $string = str_replace($tolist[$wr], $x.$fromlist[$wr], $string);
            } else {
                $string = str_replace($x.$fromlist[$wr], $finlist[$wr], $string);
            }
        }
        return $string;
    }
popsel Posted May 24, 2011

> I have changed the cleanup syntax below. This may render some more of the non-English char items than the previous one. Using the Perl compatible regular expressions will hopefully allow the browser character settings to make a better determination of what is displayed and what isn't. However this may not work on some locale settings.
>
> [quoted scrubster() and getCleaner() code, identical to the post above]

Hi! Using the code above I now get in FF:

    ä,ö,ü,Ä,Ö,Ü,€,ß,ä,ä,ü,Ä,Ö,Ü,€,ß,Ã,Ã,Ã,Ã,Ã,Ü,€,ß working

and under real conditions FF outputs:

    Der Mindestbestellwert für diesen Gutschein beträgt 10,00 und wurde noch nicht erreicht

This is looking good, but where is the € sign?

For your information: the biggest problem with osc_sec for me was the fact that it filtered umlauts in Order Editor. After changing an address with umlauts and a page reload, the umlauts were gone. This was a really heavy limitation and made Order Editor close to useless. After your very first code change I could work with Order Editor and umlauts :rolleyes: Displaying an error message with wrong chars, which only some people may see, is not that important. So I was happy in the end to find a workaround for that. Actually the situation has changed: the error messages display nearly perfectly (besides the € sign), but in Order Editor I have the same problem again: all umlauts are removed after changing it and a page reload.

Best regards
Popsel
Taipo (Author) Posted May 24, 2011

I think the problem again is that for some reason some of these addons are calling constant defined variables via HTTP_GET_VARS instead of just calling the defined item directly. However, these are some of the issues we have to face when working around each other's addons.

Try this one out then. It is a bit of the old (as in a bit of the original fix) and a bit of the new. Replace the entire piece above with this. It should, at a guess, cause the order editor to work better.

    /**
     * Clean up GET request vars
     * as well as multidimensional arrays
     */
    function scrubster( $nodes ) {
        if ( is_array( $nodes ) ) {
            foreach( $nodes as $key=>$value ) {
                if ( is_array( $value ) ) {
                    // keep the cleaned sub-array; the return value was being discarded
                    $nodes[$key] = scrubster( $value );
                } else {
                    // clean this element rather than the whole array
                    $nodes[$key] = preg_replace('/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $value ) );
                }
            }
        } else {
            $nodes = preg_replace('/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode( $nodes ) );
        }
        return $nodes;
    }
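Stray "Ã" characters like those in the test output above are what a byte-oriented character class leaves behind when it removes part of a multibyte UTF-8 sequence, and the same byte-level matching is why rdva had to add a Cyrillic range by hand. The PHP below is an added example, not osC_Sec's code and not from anyone in this thread: it contrasts the thread's final pattern with a Unicode-aware allowlist that keeps umlauts, € and other scripts without getCleaner()'s md5 placeholder swap, and stores the result of the recursive call that scrubster() discards. The function names and sample strings are constructed for this illustration.

```php
<?php
// Added example, not osC_Sec's code: contrasts the thread's byte-oriented
// character class with a Unicode-aware allowlist. Function names and the
// sample inputs below are constructed for this illustration.

// The thread's final pattern as used in scrubster(). Without the /u modifier
// PCRE compares bytes, so under UTF-8 each umlaut in the class contributes
// its two bytes separately. A character outside the list, e.g. "é" (C3 A9),
// loses only the bytes that are not in the class and leaves a stray lead
// byte behind, which browsers render as mojibake such as "Ã".
function scrubBytewise($s) {
    return preg_replace('/[^\w\s?,äöüÄÖÜ€ß=@%:{}\/.-]/i', '', urldecode($s));
}

// Unicode-aware version: /u matches code points, \p{L} and \p{N} allow
// letters and digits of any script (so Cyrillic survives too), and the
// punctuation is the set the thread allowed. Malformed UTF-8 is rejected up
// front because preg_replace() with /u returns NULL on such a subject.
function scrubUnicode($s) {
    $s = urldecode($s);
    if (preg_match('//u', $s) !== 1) {
        return '';
    }
    return preg_replace('/[^\p{L}\p{N}\s?,€=@%:{}\/_.-]/u', '', $s);
}

// Recursive wrapper that stores the cleaned value back under its key; the
// thread's scrubster() recurses into nested arrays but drops the result.
function scrubRequest($nodes) {
    if (is_array($nodes)) {
        foreach ($nodes as $key => $value) {
            $nodes[$key] = scrubRequest($value);
        }
        return $nodes;
    }
    return scrubUnicode($nodes);
}

// Constructed inputs; this file must itself be saved as UTF-8.
$filtered = scrubBytewise('Café');
// Is the bytewise result still valid UTF-8? (preg_match returns false if not.)
var_dump(preg_match('//u', $filtered) === 1);

$request = array(
    'msg'  => 'Gutschein beträgt 10,00 € für Ä [w](o)%3Cr%3Ek|i*n^g Привет',
    'nest' => array('id' => '42<script>'),
);
print_r(scrubRequest($request));
```

Character stripping is a coarse filter: the values still need context-appropriate escaping at the point of use (htmlspecialchars() for HTML output, prepared statements for SQL), which is the defence the admin pages in this thread should be relying on.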
Archived
This topic is now archived and is closed to further replies.