kelly236 Posted August 3, 2011
Hi everyone, I'm really worried now. I just received this error from a scan on my website. I don't want to mention which file this is on, but does anyone know anything about this?
The following resources may be vulnerable to SQL injection (on HTTP headers):
and it says the solution is:
Modify the affected cgi scripts so that they properly escape arguments.
I'm not that knowledgeable. Please help me, I can't have my site go down, I don't know what to do!!
Kelly
kelly236 (author) Posted August 3, 2011
Is there anyone who knows anything about this?
satish Posted August 4, 2011
Apply the Security Pro contrib, plus an htaccess in the images folder.
Satish
Ask/Skype for free osCommerce value addon/SEO suggestion tips for your site. Check my About Us for who I am and what my company does.
Taipo Posted August 4, 2011
What version of osCommerce are you running, Kelly?
- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: new security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC: 1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
kelly236 (author) Posted August 4, 2011
It's an old 2.2 version. I do have several contributions such as FWR Security Pro, but I don't know how to do exclusions since I fear I might break something, and my site has been live now for several years. I also have the SEO URLs contribution, which I think might help with the injections, but I'm not sure. Satish commented above to add an htaccess in my image directory? How can I do that? Also, how can I make sure that every sensitive form transmits content over HTTPS? I have https set in my config file for both http: and https:, but I still get that warning, so maybe there is another way of doing this. I apologize for my lack of knowledge and I truly appreciate you taking time to help me. Thank you so much for any help.
Kelly
Taipo Posted August 4, 2011
Filename: .htaccess
Content:
Options All -Indexes
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
Order Deny,Allow
Deny from all
</FilesMatch>
If you have the latest version of FWR Media's SEO URLs installed, then osCommerce 2.2x's faulty $PHP_SELF code, which has been causing 'most' of the problems, will be 'patched enough' to at least prevent the admin permissions bypass exploit. Because there are other ways into the older versions of osCommerce, like via FCKEditor, it is also a good idea to install htpasswd protection on your admin directory as well (assuming FCKEditor is in the admin directory). The HTTPS mixed content warning is probably more to do with some other content in your template, like an image for example, that is linked from http:// rather than https://.
kelly236 (author) Posted August 5, 2011
Taipo, thank you so much for taking time to help me, I can't begin to tell you how much I appreciate your time. So does that htaccess file go into my images directory, and can I add that to my admin as well? I already have one in there and I'm not sure what that all means in it. I don't think it's a good idea to post it, or should I (so you can see it)? As for FCKEditor, I don't think I have that, but again, not knowing too much about this cart, I've looked all through the admin directory and can't find any reference to it. I also have the login in my header file and I just got this error about logins:
The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext.
Thanks again for your help and any information you can provide on this. I know you must be busy and I don't want to take up too much of your time. Also, is there a way I can update this old cart without breaking it?
Thanks, Kelly
Taipo Posted August 5, 2011
kelly236 wrote: so does that htaccess file go into my images directory and can I add that to my admin as well? I already have one in there and I'm not sure what that all means in it, I don't think it's a good idea to post it or should I? (so you can see it)
Yes, place a file called .htaccess in your images directory and drop the content above into it. The type of htaccess protection you need for your admin directory, though, employs an htpasswd file. Most shared webserver control panels have the facility installed in the control panel to allow you to protect folders/directories. If your control panel has such a function for protecting folders, then that is probably the htpasswd function. In that case, password protect your admin directory and you will be fine.
kelly236 wrote: ...I just got this error about logins; The remote web server contains several HTML form fields containing an input of type 'password' which transmit their information to a remote web server in cleartext.
Sure, that may be the case, but the actual security issues with osCommerce 2.2x versions are not really associated with someone's ability or not to sniff out login credentials in an outgoing data send. The primary security hole, as stated above, was inadvertently patched when you installed Ultimate SEO URLs 5.0 by FWR Media. If you want to double up on that security, then also install osC_Sec, an addon I wrote that covers the admin bypass exploit but also picks up on all the other security vulnerabilities as well, aside from what needs to be done with securing the admin directory with htpasswd protection.
kelly236 wrote: ...is there also a way I can update this old cart without breaking it?
What is discussed above is the bare minimum needed to update the security of your cart. There is a lot more that can be done, but that really depends on how much time you have and your level of code patching skills.
kelly236 wrote: Thanks again for your help and any information you can provide on this
You're welcome, glad to be of assistance.
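An added example of the htpasswd-style protection Taipo recommends for the admin directory here (and lists later in the thread as the "Add Support for Basic HTTP Authentication" patch). This is editor-added code, not osC_Sec, not the osCommerce 2.3.1 patch and not anything posted in this thread. It assumes PHP 7.1 or later running as an Apache module (so that PHP_AUTH_USER and PHP_AUTH_PW are populated); the credential file path and realm name are assumptions for the example.

```php
<?php
// Added example (not osCommerce code): HTTP Basic authentication gate for an
// admin directory. Include it at the very top of the admin entry point, before
// any output is sent.
//
// Credentials live in a file with one "user:bcrypt-hash" per line, for example
// one created with:  htpasswd -nBC 10 admin   (-B selects bcrypt).
// Keep that file OUTSIDE the web root. Path and realm below are assumptions.

define('ADMIN_AUTH_FILE', '/path/outside/webroot/.htpasswd');
define('ADMIN_AUTH_REALM', 'Store Administration');

/**
 * Load "user:hash" lines into an associative array. Blank lines and '#'
 * comments are skipped. Only bcrypt ($2y$) hashes are accepted, so a stray
 * crypt()/MD5 entry cannot silently weaken the check.
 */
function admin_auth_load_users(string $file): array {
    $users = array();
    if (!is_readable($file)) {
        return $users;
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        if ($line[0] === '#' || strpos($line, ':') === false) {
            continue;
        }
        list($user, $hash) = explode(':', $line, 2);
        if (strpos($hash, '$2y$') === 0) {
            $users[$user] = $hash;
        }
    }
    return $users;
}

/**
 * Verify a username/password pair. password_verify() is always run (against a
 * dummy hash when the user is unknown) so response time does not reveal which
 * usernames exist.
 */
function admin_auth_check(array $users, string $user, string $pass): bool {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_BCRYPT);
    }
    $hash = isset($users[$user]) ? $users[$user] : $dummy;
    $ok = password_verify($pass, $hash);
    return $ok && isset($users[$user]);
}

/**
 * Send a 401 challenge until valid credentials arrive; otherwise fall through
 * to the normal osCommerce admin login.
 */
function admin_auth_require(): void {
    $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
    $pass = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
    $users = admin_auth_load_users(ADMIN_AUTH_FILE);

    if ($user === '' || !admin_auth_check($users, $user, $pass)) {
        header('WWW-Authenticate: Basic realm="' . ADMIN_AUTH_REALM . '", charset="UTF-8"');
        http_response_code(401);
        echo 'Authentication required.';
        exit;
    }
}

admin_auth_require();
```

Two caveats a practitioner should keep in mind. Under CGI/FastCGI PHP, Apache does not hand the Authorization header to PHP_AUTH_USER without an extra rewrite rule, which is one practical reason the control-panel (Apache-level) htpasswd protection Taipo ranks first is the simpler choice. And Basic authentication sends the password base64-encoded on every request, so the admin directory must be reachable over HTTPS only. Separately, the images-directory .htaccess posted above uses the Apache 2.2 Order/Deny syntax; on Apache 2.4 those directives only work when mod_access_compat is loaded, and the native 2.4 form inside the FilesMatch block is `Require all denied`.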
Taipo Posted August 5, 2011
Here is a slight change to the .htaccess file for your images directory.
IndexIgnore *
Options All -Indexes
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
Order Deny,Allow
Deny from all
</FilesMatch>
If this code causes an internal error message, then try commenting out either IndexIgnore * or Options All -Indexes. At least one of those directives should work, if not both of them.
kelly236 (author) Posted August 5, 2011
Taipo, as I've stated before, I have installed several contributions and my skills are getting better, but I'm not great yet, so please let me know (when you have time) about any other things I could incorporate into my site for security. I will install the one you sent me this weekend. You are truly a great person, I hope you have a wonderful weekend wherever you are. THANK YOU SO MUCH!! for all your help, you are an angel oxoxox!!
Kelly
germ Posted August 5, 2011
kelly236 wrote: how can I make sure that every sensitive form transmits content over HTTPS? I have https set in my config file for both http: and https: but I still get that warning so maybe there is another way of doing this.
If you want the form to be HTTPS you need to be sure it's coded to use it. An example (from a 2.2 login page):
<?php echo tep_draw_form('login', tep_href_link(FILENAME_LOGIN, 'action=process', 'SSL')); ?>
Notice the 3rd parameter to the tep_href_link() function is 'SSL'. If that is missing, or the SSL on the site isn't working correctly, the form data gets transmitted to the server in cleartext.
If I suggest you edit any file(s), make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
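An added example, not part of germ's post and not osCommerce code, that turns the scanner's "password field transmitted in cleartext" finding into a check you can run yourself: it parses a saved copy of a page and reports every form containing a password field whose action does not resolve to https://. It assumes PHP 7 with the DOM extension (enabled by default); the sample HTML and the shop.example host name are constructed for the example.

```php
<?php
// Added example (not from the thread or from osCommerce): offline audit of
// password forms. Save the login/account pages from the browser (or fetch
// them with curl) and pass the HTML plus the URL the page was served from.

/**
 * Return one entry per offending form: array('action' => ..., 'reason' => ...).
 * An empty array means every form with a password field posts over HTTPS.
 *
 * $page_url matters because a relative action ("login.php") inherits the
 * scheme of the page it sits on: the same template is fine on an https://
 * page and a cleartext leak on an http:// one, which is exactly the case
 * tep_href_link() without 'SSL' produces.
 */
function audit_password_forms(string $html, string $page_url): array {
    $problems = array();
    $page_scheme = strtolower((string) parse_url($page_url, PHP_URL_SCHEME));

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // real-world HTML is rarely well-formed
    $doc->loadHTML($html);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//form') as $form) {
        // Only forms that actually carry a password field matter here.
        $pw = $xpath->query('.//input[translate(@type,"PASSWORD","password")="password"]', $form);
        if ($pw->length === 0) {
            continue;
        }
        $action = trim($form->getAttribute('action'));
        $scheme = strtolower((string) parse_url($action, PHP_URL_SCHEME));
        if ($scheme === '') {
            $scheme = $page_scheme;         // relative or empty action: same scheme as the page
        }
        if ($scheme !== 'https') {
            $problems[] = array(
                'action' => ($action === '') ? '(self)' : $action,
                'reason' => 'password field posts over ' . (($scheme === '') ? 'an unknown scheme' : $scheme),
            );
        }
    }
    return $problems;
}

// Constructed sample page: the first login form was built without the 'SSL'
// argument, the search form has no password field, the third form is correct.
$sample = <<<HTML
<html><body>
<form name="login" action="http://shop.example/login.php?action=process" method="post">
  <input type="text" name="email_address">
  <input type="password" name="password">
</form>
<form name="search" action="advanced_search_result.php" method="get">
  <input type="text" name="keywords">
</form>
<form name="login2" action="https://shop.example/login.php?action=process" method="post">
  <input type="PASSWORD" name="password">
</form>
</body></html>
HTML;

foreach (audit_password_forms($sample, 'https://shop.example/login.php') as $p) {
    echo $p['action'], ': ', $p['reason'], "\n";
}
```

With the constructed sample only the first form is reported. Run the same function over the page as served on http:// as well as https://, because a cart that is reachable on both will render the relative-action forms differently on each, and the scanner will have tested both.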
Taipo Posted August 6, 2011
kelly236 wrote: please let me know (when you have time) about any other things I could incorporate into my site for security.
Below are a selection of patches for you to consider, along with my notes.
- Sanitize Parameters - This is a fix-up of the coding in 2.2 to bring it up to the standard set in 2.3.1, where if it's an integer then it is defined as such in the code. This makes it much more difficult for attackers to inject code into user inputs.
- Code Cleanup - Although this is mostly fixing of misspelt words, there are a number of changes in the cleanup that also improve the site's security.
- Administration Tool Log-In Update - This is the first half of the main patch for the admin bypass exploit security hole. If you have installed osC_Sec and completed all the instructions, then you will have already patched this part of the security vulnerability.
- Add Customer Session Token to Forms - This is designed to make it very difficult for attackers to remotely POST data via the input forms on your site. Many of the follow-up exploits of osCommerce 2.2x come by way of posted data from remotely hosted forms.
- Update PHP_SELF Value - This is the other half of the main patch for the admin bypass exploit security hole. If you have installed osC_Sec or FWR Media's latest Ultimate SEO URLs 5 addon, then you will have already patched this part of the security vulnerability.
- Update Password Hashing to Phpass - A better method of password hashing, validation and storage.
- Add Support for Basic HTTP Authentication - If you have not already installed directory protection on your admin directory, then try this one out if you wish. It is the method used in 2.3.1 to log into the admin directory. You can also change the name of the admin directory, as is promoted by others on this site, but unbreakable authentication is by far the best option. Secondly, what this also allows is for you to log in once rather than twice (once with htpasswd and the second with the osCommerce login), which the standard Apache htpasswd protection does. This patch integrates it all into one login. Aside from the advantage of a one-stop login, htpasswd authentication, which is what this is, is the best protection of the admin directory. So if your web host offers it via control panel then use that to install it; if not, then use this method here. On a rolling scale, straight htpasswd authentication like that presented via the control panels is the most secure; secondly is this method above, which integrates both the login from osCommerce and Apache's HTTP authentication.
- Improve IP Address Detection - The usual method of detecting the site visitor's IP address is $_SERVER['REMOTE_ADDR']; however, this does not always report the correct IP address of the site visitor. This patch fixes 'most' of the issues concerning this.
As always, back up your site files before patching anything.
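An added example, not Taipo's patches and not osCommerce code, showing the two rules behind the "Sanitize Parameters" and "Improve IP Address Detection" items above, with the database write done as a prepared statement so that header-derived values (the kind of input behind the "SQL injection (on HTTP headers)" finding in the first post) are only ever data, never SQL. It assumes PHP 7.1+ with PDO; the trusted-proxy list, the table and column names and the sample request are constructed for the example.

```php
<?php
// Added example (not osCommerce code). Three rules:
//  1. REMOTE_ADDR is the only address the client cannot forge; X-Forwarded-For
//     is honoured only when REMOTE_ADDR is one of OUR proxies.
//  2. Anything that must be an integer id is cast to int (the 2.3.1 rule).
//  3. Header values go into the database through bound parameters.

// Only proxies you operate may set X-Forwarded-For. Assumed addresses.
$TRUSTED_PROXIES = array('10.0.0.5', '10.0.0.6');

/**
 * Determine the client address. When REMOTE_ADDR is a trusted proxy, walk the
 * X-Forwarded-For chain from the right and return the first hop that is not
 * itself a trusted proxy. Every candidate must pass FILTER_VALIDATE_IP, so
 * quotes, SQL fragments or newlines in the header are discarded, not stored.
 */
function client_ip(array $server, array $trusted_proxies): string {
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';   // malformed or missing: do not guess
    }
    if (!in_array($remote, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;     // direct client, or header from an untrusted source
    }
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        if (filter_var($chain[$i], FILTER_VALIDATE_IP) === false) {
            break;          // corrupted chain: stop trusting it
        }
        if (!in_array($chain[$i], $trusted_proxies, true)) {
            return $chain[$i];
        }
    }
    return $remote;
}

/**
 * "If it's an integer then define it as such": cast, and treat a non-positive
 * or non-scalar value (e.g. ?products_id[]=1) as absent.
 */
function int_param(array $get, string $name): int {
    if (!isset($get[$name]) || !is_scalar($get[$name])) {
        return 0;
    }
    $v = (int) $get[$name];
    return ($v > 0) ? $v : 0;
}

/**
 * Record a visit. Values are bound, never concatenated into the SQL, and the
 * free-text header is truncated to the column width. Table name is assumed.
 */
function record_visit(PDO $db, array $server, array $get, array $trusted_proxies): void {
    $stmt = $db->prepare(
        'INSERT INTO whos_online_example (ip_address, user_agent, products_id, last_page)'
        . ' VALUES (:ip, :ua, :pid, :page)'
    );
    $stmt->execute(array(
        ':ip'   => client_ip($server, $trusted_proxies),
        ':ua'   => substr(isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '', 0, 255),
        ':pid'  => int_param($get, 'products_id'),
        ':page' => substr(isset($server['SCRIPT_NAME']) ? $server['SCRIPT_NAME'] : '', 0, 255),
    ));
}

// Constructed request: a direct client (no proxy) sending hostile headers and
// a hostile query string of the kind a header-injection scanner generates.
$fake_server = array(
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => "1.2.3.4', (SELECT 1), 'x",
    'HTTP_USER_AGENT'      => "Mozilla/5.0' OR '1'='1",
    'SCRIPT_NAME'          => '/product_info.php',
);
$fake_get = array('products_id' => '42 UNION SELECT password FROM customers');

// 203.0.113.7 is not a trusted proxy, so the forged X-Forwarded-For is ignored,
// and the products_id survives only as its leading integer.
echo client_ip($fake_server, $TRUSTED_PROXIES), "\n";
echo int_param($fake_get, 'products_id'), "\n";
// record_visit($pdo, $fake_server, $fake_get, $TRUSTED_PROXIES) needs a live PDO
// connection, so it is defined but not called here.
```

The trusted-proxy list is the part most "improve IP detection" snippets leave out: honouring X-Forwarded-For from anyone lets every client choose the address that gets logged, rate-limited or banned, which is why the patch above can only ever fix 'most' of the cases without knowing your proxy layout. On a 2.2 install that still relies on register_globals and $HTTP_SERVER_VARS, pass that array in place of $_SERVER; the functions do not touch globals.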
This topic is now archived and is closed to further replies.