
Hack attempt - is there a way to prevent this?



@puggybelle

I had an attack on one of my sites yesterday ...

I also have a Keyword Search Report on this site. I hadn't checked it in a while, but after reading your post, I went to check it out. Guess what? Same thing here ...

[screenshot of the Keyword Search Report, captured 05-18-2019]

That's just part of one page! There are over 20 pages of this!

Thank you for reporting this ... I wouldn't have thought to look at this.

Malcolm

2 hours ago, ArtcoInc said:

Thank you for reporting this ... I wouldn't have thought to look at this. 

What did you check in your database?  I really didn't know what else to look at, other than make sure the 'search_queries' table was empty after deleting the report.

Then, of course, I put the maxlength limit on the search field here, there and everywhere.  Now I'm thinking it should be even shorter than what I assigned.

My keyword report resembled yours.  I had one entry, though, that was probably eight lines of code alone.

Should I check anything else?  This stuff always shakes me up.

- Andrea


1 hour ago, pete2007 said:

Is there anyway we can turn off the search queries being saved to our databases?

It's not just search, any form on your website that allows the visitor to enter text that is saved to your database is a backdoor for hackers.

Search is easy, just remove osC search and replace it with Google search (nothing is saved on your db by this), or limit text input to just one or 2 words. All forms should have some sort of captcha and text cleanser built in to prevent saving scripts to the db.

Reviews is another one that is targeted by hackers.

 


29 minutes ago, JcMagpie said:

It's not just search, any form on your website that allows the visitor to enter text that is saved to your database is a backdoor for hackers.

Search is easy, just remove osC search and replace it with Google search (nothing is saved on your db by this), or limit text input to just one or 2 words. All forms should have some sort of captcha and text cleanser built in to prevent saving scripts to the db.

Reviews is another one that is targeted by hackers.

Thank you for your reply, whereabouts can I limit the text for the search?


As the input field is controlled by a function in html_output.php, we cannot control it directly. So in the template file of the search simply add a bit of js to limit input.

<script>
  $("input").attr("maxlength", 20)
</script>

You should let your customers know a limit is set.


@ArtcoInc The r87 dot com is a site on GoDaddy. You could report it as a spammer and/or block its IPs. Although the whois for it lists quite a few similar names, so I suspect this guy wouldn't be easily stopped.

13 hours ago, puggybelle said:

Should I check anything else?  This stuff always shakes me up.

Limiting the search string probably won't make a difference since they can type directly into the url. Many times the hackers will enter some invalid command so that an error is displayed that gives them more details about the database. You can test your site here to see if that is the case. Also be sure that anything entered in the search does not show up on the page after the search. This doesn't occur with the CE version but might with older versions. 

If your search doesn't require any special characters, then I suggest you change this code in the advanced_search_result.php file

    if (isset($_GET['keywords'])) {
      $keywords = tep_db_prepare_input($_GET['keywords']);
    }

to this

    if (isset($_GET['keywords'])) {
      $keywords = preg_replace('/[^\w]/', '', $_GET['keywords']);
      $keywords = tep_db_prepare_input($keywords);
    }

That will remove everything from the search string other than letters and numbers.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons


@pete2007

11 hours ago, pete2007 said:

Is there anyway we can turn off the search queries being saved to our databases?

Out of the box, osC does not save search queries in the database. I'm using an add-on called SmartSuggest that, amongst other things, creates a new database table and saves the search queries. I find this important since I can now see what people are searching for, and use that information to either adjust the text on my site, or adjust my product lines (if I sell apples, and people are searching for oranges ... ).

M


A simple string scrubbing function using preg_replace (https://www.php.net/manual/en/function.preg-replace.php):

<?php
function ScrubInput($input)
{
  // allow only letters
  //$scrub = preg_replace("/[^a-zA-Z]/", "", $input);

  // allow only letters and numbers
  //$scrub = preg_replace("/[^a-zA-Z0-9]/", "", $input);

  // allow only letters, numbers, and whitespace
  $scrub = preg_replace("/[^a-zA-Z0-9\s]/", "", $input);

  // Let's get rid of all CAPS
  $scrub = strtolower($scrub);

  // limit input to 40 chars
  $scrub = substr($scrub, 0, 40);

  return $scrub;
}

// test the function
echo ScrubInput("iaja this 1237412~! is  @#$%^&*() how -=+_] it [{};:/ works .,>?OKAMNBVCXZLKJHG'\"");

?>

Result:

iaja this 1237412 is how it works ok

 


@Jack_mcs @JcMagpie

Any way to keep apostrophes, quotation marks, dashes, letters and numbers?  LOL.

My buyers really need to use quotation marks in some circumstances, in order to find the exact name or phrase. 

When the edits are made, you can't even find the test product A Bug's Life unless you leave out the apostrophe. 

Smart buyers are going to include the apostrophe...get no search results...and leave.  These edits are only making search more difficult.

And after viewing my keywords search report for months now....buyers need all the help they can get!

Is there a way to sanitize against the inclusion of weird characters that always accompany a malicious code string, but preserve the other ones I mentioned?

- Andrea

 

 


It will depend on your osCommerce version, and what add-ons you have that put stuff to database, but any decent DB code should disable (usually escape, not removal) any special characters that might be interpreted as database commands. That way, the string content can't be used to run commands, but it still might interfere with searches. For example, escaping an apostrophe so that it can't be used to end a field and add SQL commands (change it to a literal apostrophe, not a delimiter for SQL commands), might prevent searching for "A Bug's Life", but I'm not sure in this code. I haven't looked lately, but there may be ways around that problem.


Just put the chars you want to keep in the [] and you'll be fine. See, I have added ' and - after the 9 (the hyphen is escaped so it is not read as a range):

$scrub = preg_replace("/[^a-zA-Z0-9'\-\w\ ]/", "", $input);

This will give

Result:

iaja'-'- this 1237412 is @^*() how -=+_

from

echo ScrubInput("iaja'-'- this 1237412~! is  @#$%^&*() how -=+_] it [{};:/ works .,>?OKAMNBVCXZLKJHG'\"");

Please check before using on a live site. Only tested in a sandbox.

 


6 hours ago, puggybelle said:

Any way to keep apostrophes, quotation marks, dashes, letters and numbers?  LOL.

For the code I posted, use

     $keywords = preg_replace('/[^ \w\-\'\"]/', '', $_GET['keywords']);
 

 

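Jack_mcs's point that a browser-side maxlength can be bypassed by typing straight into the URL, together with the later question of keeping apostrophes, quotation marks and dashes for searches like A Bug's Life, worked through as one added PHP example. This is not osCommerce code and not code from anyone in this thread; it assumes a products table with a products_name column, uses PDO with an in-memory SQLite database as a stand-in for the MySQL layer, and the function names validate_keywords, build_patterns and search_products are hypothetical. The keyword is validated on the server, LIKE wildcards are escaped, and the text only ever reaches the query as a bound parameter, so the apostrophe is neither stripped nor a risk.

```php
<?php
// Added example, not osCommerce code and not from any poster in this thread.
// Assumptions: PDO + SQLite stand in for osC's MySQL layer; the products table
// has a products_name column; validate_keywords/build_patterns/search_products
// are hypothetical helper names, not osC functions.
declare(strict_types=1);

const MAX_KEYWORD_BYTES = 40;

// Allow-list check done on the server, where it cannot be skipped by editing
// the URL. Letters and digits in any script, whitespace, apostrophe, double
// quote and hyphen pass; anything else is rejected outright rather than
// silently stripped, so the shopper can see why a search returned nothing.
function validate_keywords(string $raw): ?string
{
    $keywords = trim($raw);
    if ($keywords === '' || strlen($keywords) > MAX_KEYWORD_BYTES) {
        return null;
    }
    // The hyphen is escaped so PCRE does not read '"\- as a range.
    // preg_match() returns false on invalid UTF-8; treat that as a rejection too.
    if (preg_match('/[^\p{L}\p{N}\s\'"\-]/u', $keywords) !== 0) {
        return null;
    }
    return $keywords;
}

// LIKE treats % and _ as wildcards; escape them (and the escape character)
// so a shopper searching for 100% gets a literal match, not every product.
function escape_like(string $term): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
}

// A "quoted phrase" is searched as one phrase; otherwise every word must appear.
function build_patterns(string $keywords): array
{
    if (preg_match('/^"(.+)"$/s', $keywords, $m) === 1) {
        $terms = [$m[1]];
    } else {
        $terms = preg_split('/\s+/u', $keywords, -1, PREG_SPLIT_NO_EMPTY);
    }
    return array_map(fn(string $t): string => '%' . escape_like($t) . '%', $terms);
}

function search_products(PDO $db, string $raw): array
{
    $keywords = validate_keywords($raw);
    if ($keywords === null) {
        return [];
    }
    $patterns = build_patterns($keywords);
    if ($patterns === []) {
        return [];
    }
    // One bound LIKE per term; the keyword text never becomes part of the SQL.
    $where = implode(' AND ', array_fill(0, count($patterns), "products_name LIKE ? ESCAPE '!'"));
    $stmt  = $db->prepare("SELECT products_name FROM products WHERE $where ORDER BY products_name");
    $stmt->execute($patterns);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample catalogue so the script runs offline.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (products_id INTEGER PRIMARY KEY, products_name TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO products (products_name) VALUES (?)');
    foreach (["A Bug's Life", 'Bug Spray 100% DEET', 'Toy Story'] as $name) {
        $ins->execute([$name]);
    }
    return $db;
}

$db = demo_db();
$queries = [
    "A Bug's Life",        // apostrophe kept; all three words must match
    '"Bug Spray"',         // quoted phrase
    '100%',                // wildcard escaped: literal match only
    'Bug <script>',        // rejected by the allow-list
    str_repeat('a', 41),   // rejected by the length limit
];
foreach ($queries as $q) {
    printf("%-32s -> %s\n", $q, json_encode(search_products($db, $q)));
}
```

Run it with php on the command line; it prints the matches for each constructed query. Rejecting a keyword that fails the allow-list, rather than stripping characters from it, keeps the results predictable for the shopper, and because the value is bound rather than interpolated into the query, the allow-list is about what gets stored and displayed later, not about making the SQL safe.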

14 hours ago, puggybelle said:

When the edits are made, you can't even find the test product A Bug's Life unless you leave out the apostrophe.

I don't think this has anything to do with the edits, as on a stock osC you still will get no results! Try yourself on a clean BS4 install

https://www.jcmagpie.com/advanced_search_result.php?keywords=A+Bugs+Life

 


Compare that to a google search box output


and you get a result every time, try it yourself. https://www.justfastfood.com/


Well, you could always replace your osC search with Google (with the term site:yoursite.com) or some other well-known search engine. (Are there any others left these days?) You will likely lose any storage of search terms, although there's no reason you couldn't save a search string (suitably sanitized, first) in your database before passing it on to Google. I'm assuming that there is no problem with sessions, etc. if you pop out to an external search engine from a logged-in store, so check out that early in the process.


On 1/8/2019 at 6:00 PM, puggybelle said:

Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC

So going back to the original post: what if someone uses a form to inject script into the db? Looks like no cleaning is done before input is saved to the db in official osC or CE.

Script used in create account form is simply passed over to each page and saved into db.


No scrubbing is done when it is pulled out to display.


And db is just taking the data presented to it.


The test script used was the one originally posted and used as a test (can do no harm as it's not active on its own): Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC

So it looks like some method of scrubbing all forms and input boxes is needed, not just the search. Or have I missed something?

 


Malicious/problematic code has already been filtered out in this example:

Bob Smith"__sCRiPt sRC=//jb.gy/i__/sC
244 Whatever St"__sCRiPt sRC=//jb.gy/i__/sCrIpT_

 


@raiwa is this cleaned by tep_draw_input_field (which is sanitizing with stripslashes)?

And if so... is it enough? This is definitely out of my skill range - it really is just a question.

Reading about SQL injections (again I'm not sure I understand it clearly) should we not be using PDO (as in 2.4) or at minimum htmlspecialchars?

Source: https://stackoverflow.com/questions/29678806/secure-all-inputs-in-php-form


How would it handle stuff like

&lt;script src=&quot;google.com&quot;&gt;

and

&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x20;&#x73;&#x72;&#x63;&#x3d;&#x22;&#x67;&#x6f;&#x6f;&#x67;&#x6c;&#x65;&#x2e;&#x63;&#x6f;&#x6d;&#x22;&#x3e;

 

Phoenix support now at https://phoenixcart.org/forum/
App created for phoenix
TinyMCE editor for admin

 


45 minutes ago, greasemonkey said:

@raiwa is this cleaned by tep_draw_input_field (which is sanitizing with stripslashes)?

And if so... is it enough? This is definitely out of my skill range - it really is just a question.

Reading about SQL injections (again I'm not sure I understand it clearly) should we not be using PDO (as in 2.4) or at minimum htmlspecialchars?

Source: https://stackoverflow.com/questions/29678806/secure-all-inputs-in-php-form

I guess this input example has been cleaned with tep_db_prepare_input:

  function tep_db_prepare_input($string) {
    if (is_string($string)) {
      return trim(tep_sanitize_string(stripslashes($string)));
    } elseif (is_array($string)) {
      foreach($string as $key => $value) {
        $string[$key] = tep_db_prepare_input($value);
      }
      return $string;
    } else {
      return $string;
    }
  }

which uses tep_sanitize_string:

  function tep_sanitize_string($string) {
    $patterns = array ('/ +/','/[<>]/');
    $replace = array (' ', '_');
    return preg_replace($patterns, $replace, trim($string));
  }

Whether it is enough, I do not know either.

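greasemonkey's question about entity-encoded input and raiwa's answer above, worked through as an added PHP example. This is not osCommerce code; only tep_sanitize_string is copied from the post above so its effect can be seen, and everything else is constructed for the demonstration. It feeds three constructed strings through the sanitizer, writes the stored result back into an input field's value attribute both raw and through htmlspecialchars with ENT_QUOTES, and uses DOMDocument to see what a lenient HTML parser makes of each variant. The script host in the first sample is a placeholder, not a real site.

```php
<?php
// Added example, not osCommerce code. tep_sanitize_string() is copied from
// raiwa's post; render_field/parsed_value/round_trips are hypothetical helpers
// written for this demonstration. Sample inputs are constructed; the host in
// the first one is a placeholder.
declare(strict_types=1);

function tep_sanitize_string($string) {
    $patterns = array ('/ +/','/[<>]/');
    $replace = array (' ', '_');
    return preg_replace($patterns, $replace, trim($string));
}

// Two ways of putting the stored value back into value="...": raw, as a
// template that trusts the database would do, and encoded with ENT_QUOTES so
// that a surviving double quote cannot end the attribute.
function render_field(string $stored, bool $encode): string
{
    $value = $encode ? htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') : $stored;
    return '<input type="text" name="firstname" value="' . $value . '">';
}

// What a lenient HTML parser (ext/dom, bundled with PHP) makes of the markup:
// the value the field would actually carry after the browser has parsed it.
function parsed_value(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // the raw variant is malformed on purpose
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input instanceof DOMElement ? $input->getAttribute('value') : '';
}

// True when the stored string survives the trip into the field unchanged,
// i.e. the attribute was neither broken nor reinterpreted by the value.
function round_trips(string $input, bool $encode): bool
{
    $stored = tep_sanitize_string($input);
    return parsed_value(render_field($stored, $encode)) === $stored;
}

$samples = [
    // The thread's test string, reconstructed with angle brackets and a placeholder host
    'Bob Smith"<sCRiPt sRC=//example.invalid/x></sCrIpT>',
    // The entity-encoded forms from the question: no literal < or > for the sanitizer to see
    '&lt;script src=&quot;example.invalid&quot;&gt;',
    '&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;',
];

foreach ($samples as $raw) {
    $stored = tep_sanitize_string($raw);
    echo "input         : $raw\n";
    echo "stored        : $stored\n";
    echo "raw output    : " . render_field($stored, false) . "\n";
    echo "encoded output: " . render_field($stored, true) . "\n";
    printf("field carries the stored value intact? raw=%s encoded=%s\n\n",
        round_trips($raw, false) ? 'yes' : 'no',
        round_trips($raw, true) ? 'yes' : 'no');
}
```

The sanitizer turns a literal < or > into _, so a tag can no longer open, but the double quote in the thread's test string is left alone and ends the value="..." attribute when a template writes the stored value out raw; encoding at the point of output is what closes that gap. The two entity-encoded forms pass through the sanitizer untouched and are inert on their own: a browser decodes them into the visible characters of the field, not into markup. They only become a problem if the application decodes entities itself (for example with html_entity_decode) before printing, which is why the encoding step belongs where the value is output and not in the sanitizer.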

Archived

This topic is now archived and is closed to further replies.
