Oscommerce Security - Osc_Sec.php

[ctec2001]

Not sure what was the outcome of the last bit. To put osC_Sec back into the loop again and disable $useIPTRAP ($useIPTRAP = 0;) and repeat the ban attempt you did earlier to see if you can trigger the blocked.php page.

 

Taipo,

 

I was able to get IPTRAP to function the way it should. I did disable $useIPTRAP=0 as instructed. Will this degrade osc_sec any by leaving the IPTRAP disabled?

 

Thanks,

 

Mike

[Taipo]

Just the process of elimination mostly. Now that I know its functioning with $useIPTRAP disabled, I have a better idea where to look in the code. Will get back to you shortly.

[ctec2001]

Just the process of elimination mostly. Now that I know its functioning with $useIPTRAP disabled, I have a better idea where to look in the code. Will get back to you shortly.

 

Taipo,

 

I really appreciate your help in this matter. I understand php but not at a level you have done with this contribution. I am using the banipaddress for now and it writes to the htaccess.

 

Is this safe to have the .htaccess writeable?

 

I guess if you have it in your contribution as an option, then it must be.

 

Thanks again,

 

Mike

[Taipo]

osC_Sec 2.6[r5]

Whats New?

- A fix up of the IP Trap interaction

- Added code to deal with register_globals vulnerabilities

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download from: http://addons.oscommerce.com/info/7834

[Taipo]

Try that release out Mike.

[Taipo]

Wait one, I've got another coming out in 5 mins. Try this one instead.

[Taipo]

Ok this time.

[ctec2001]

Ok this time.

 

Hi Taipo,

 

I installed the new release. Please let me know if this is correct...

 

1. In osc_sec I have the $useIPTRAP = 1

- When I attempt to perform an illegal access to the site I get my ip blocked and an email sent to me from IPTrap, which is a good thing and I also get redirected to blocked.php which lets me know that I have been banned and my ip is written to the banned folder.

 

2. When I attempt and illegal access (For ie. http://www.gordonimports.com/store/index.php/login.php) I do get an email sent from osc_sec which is a good thing but in Firefox it brings up the page 'Problem loading page' and on the page it states:

 

The page isn't redirecting properly

 

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

This problem can sometimes be caused by disabling or refusing to accept cookies.

 

- Is this a normal operation?

- In IE8 it just hang and doesn't display anything. It is like in an internal loop.

- However, when I attempt to access the store normally, I get redirected to the blocked.php page which let me know that my ip has been banned.

 

Does it seem like it is working the way it should?

 

Thank you for you support and efforts to help me in this,

 

Mike

[Taipo]

The loop after ban is not correct. Are you using the latest one I put out, er, version 2.6[r6] it came out earlier today.

 

I guess the next question I need to ask is what other settings do you have enabled in osC_Secs osc.php settings?

[Taipo]

osC_Sec 2.6[r7]

Whats New?

- Clean up of ban reasons

- Fixed the expired cookie browser test

- Added more GET request banned items

- Fixed a bug in the blacklists that could cause a ban of a legitimate site request

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download from: http://addons.oscommerce.com/info/7834

[ctec2001]

The loop after ban is not correct. Are you using the latest one I put out, er, version 2.6[r6] it came out earlier today.

 

I guess the next question I need to ask is what other settings do you have enabled in osC_Secs osc.php settings?

 

Taipo,

 

Just an FYI, you forgot to change the version # in the osc_sce.php, it still reads [r6]. Just thought you might want to know.

 

Any how, to answer your question, I did set up the newer version [r6] and then now the [r7]. I am still getting the same results with the exception of IE8 just now pops up a blank page. Firefox still displays the same message as my previous post.

 

The store is not in the root directory but rather a folder in the root. Will that make a difference?

 

My setting are as follows:

 

$timestampOffset = -8; # Set the time offset from GMT, example: a setting of -10 is GMT-10 which is Tahiti

$httphost = "www.gordonimports.com"; # enter your site host without http:// using this format www.yourwebsite.com

$nonGETPOSTReqs = 1; # 1 = Prevent security bylass attacks via forged requests, 0 = let it as it is

$chkPostLocation = 1; # 1 = Check to see if cookies and referer are set before accepting post vars, 0; don't (especially if using Paypal)

$GETcleanup = 1; # 1 = Clean up $_GET variables, 0 = don't cleanup. Set this to 0 if this causes errors (for example with another addon)

$testExpiredCookie = 1; # 1 = Checks to see if the browser understands what to do with an expired cookie, 0 = don't check

$arbitrarysession_block = 1; # 1 = Prevents arbitrary session injections, 0 = leave it as it is

 

/**

* This section of settings is to allow osC_Sec.php

* to ban an IP address if it breaks the rules

*

* Choose either $banipaddress to add to htaccess

* or $useIPTRAP if you are using the IP Trap addon

**/

 

$banipaddress = 0; # 1 = adds ip to htaccess for permanent ban, 0 = calls a page die if injection detected

$htaccessfile = $dirFScatalog . ".htaccess"; # remember to change the write access of .htaccess to a writable setting

 

$useIPTRAP = 1; # 1 = add IPs to the IP Trap contribution, 0 = leave it off

$ipTrappedURL = $dirFScatalog . "banned/IP_Trapped.txt"; # If you are using IP Trap make sure this is pointing to the IP_Trapped.txt file

 

/**

* Email settings: Don't use if your

* Web Service Provider limits how

* many emails per hour

**/

 

$emailenabled = 1; # 1 = send yourself an email notification of injection attack, 0 = don't

$youremail = "ctec2001@yahoo.com"; # set your email address here so that the server can send you a notification of any action taken and why

$fromemail = "securityscript@gordonimports.com"; # set up an email like securityscript@yourdomain.com where the attack notifications will come from

 

$diagenabled = 0; # 1 = automatically send an email to the developer with the ban IP address and the reason for the ban to help improve osC_Sec, 0 = don't

$diagemail = "oscsecdiagnostic@aol.com"; # this is the email of the developer of osC_Sec.php (see readme.htm)

 

Thank you for your help. I don't mean to make more work for you and do apologize.

 

Mike

[Taipo]

Sorry about that, I uploaded the wrong file. Try again, the proper file is now uploaded.

[Taipo]

Try these setting changes (leaving the rest as they are):

 

$chkPostLocation = 0;        # 1 = Check to see if cookies and referer are set before accepting post vars, 0; don't (especially if using Paypal)
$arbitrarysession_block = 0; # 1 = Prevents arbitrary session injections, 0 = leave it as it is

 

My guess is one of them is causing the loop 'perhaps'.

[Taipo]

osC_Sec 2.6[r8]

Whats New?

- Added a check for magic quotes

- Banned a few SQL injection and malicious moz-binding strings

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download from: http://www.oscommerce.com/community/contributions,7834

[ctec2001]

Try these setting changes (leaving the rest as they are):

 

$chkPostLocation = 0;        # 1 = Check to see if cookies and referer are set before accepting post vars, 0; don't (especially if using Paypal)
$arbitrarysession_block = 0; # 1 = Prevents arbitrary session injections, 0 = leave it as it is

 

My guess is one of them is causing the loop 'perhaps'.

 

Taipo,

 

I have done as instructed but seem to have the same problem with out the loop. I get all the emails and everything, so I guess it will be ok. The ip address does get banned which is a good thing.

 

Is there a way to test the absolute path to the blocked.php page. May it can be tested instead of using the variables.

 

As always thank you,

 

Mike

[Taipo]

I would assume the blocked.php file would be in the root catalog? ( http://www.somesite.com/catalog/blocked.php )

 

If not then edit these lines below to the full domain path. Change the two occurrences of:

   header( "Location: " . $http_server . $http_Catalog . "blocked.php" );

 

To:

 

   header( "Location: http://www.yourdomainname/pathto/blocked.php" );

 

Email me at rohepotae@gmail.com how this goes.

[Taipo]

I just ran a test on your site testing one of the blacklisted items from osC_Sec and the blocked page came up with no loop. Upon reloading the site it went straight to blocked as it should.

[Taipo]

osC_Sec 2.6[r9]

Whats New?

- Fixed issue with phpSelfFix

- Fixed issues with IPTrap function

- Fixed issues with scrubGET

 

NOTE: With this upgrade you will NOT need to update osc.php. Just replace the osc_sec.php in this package with the one on your site and you are up to date.

 

Download from: http://www.oscommerce.com/community/contributions,7834

[ctec2001]

I just ran a test on your site testing one of the blacklisted items from osC_Sec and the blocked page came up with no loop. Upon reloading the site it went straight to blocked as it should.

 

Taipo,

 

Did you get a blank screen after testing the script or did the blocked.php page come up. Or did you get a blank page after testing the script and then try to access the store and the blocked.php page comes up.

 

The second one is what I get.

 

Thanks,

 

Mike

[Taipo]

When I did it, it went straight to the blocked.php page (this was on the 'other' site you are developing).

[Peper]

Need help please Taipo - anyone

 

I recently installed this addon as I was using other ban ip and so on from other contributions

Problem is I'm seeing now a whole lot of "GET" errors in my servers error log - all links to products but hundreds of them - seems to be spiders from yahoo, msn and so on calling the product

 

I have set in osc.php $GETcleanup = 0;

and $httphost = "www.domain.com";

 

My catalog is in sub domain using shop.domain.com

 

Any help with this please

[Taipo]

Can you send me an example of the errors, PM me if you want.

[♥mattjt83]

Hi Taipo,

 

I have been installing updates to osc-sec.php whenever you update it. The last update made my checkout not function properly (I use the dynamo effects checkout). With the latest update, the shipping module will not load unless I am a logged in customer. Normally, the you can checkout without having to sign in if it is your first time shopping at our site. This is the first update to have this negative effect on my site. Is there something I can fix to make it work properly or should I just keep using the second to last version? Thanks

 

Matt

[Taipo]

A couple of questions for you to assist me.

 

1/ What is the URL to download the dynamo effects addon so I can take a look at it?

2/ Are you using 2.69a or 2.7 of osC_Sec?

3/ What settings do you have enabled in the osc.php file?

4/ What other addons are you using?

[Taipo]

ps I had a look at what I believe is your site (from another discussion where you left your URL) and I can see the shipping table upon checking out. Perhaps try viewing it on another computer or a different browser, it may just be something more local to your internet client perhaps.