Community Add-Ons

Maintainers: FWR Media
No public uploads allowed
Top » Other

Security Pro
for osCommerce Online Merchant v2.2

This add-on is register_globals compatible

Quite recently I was involved in a topic related to customer_testimonials contribution where the "hacking world" had been made aware of an opportunity to hack osCommerce via a vulnerability in the querystring ($_GET/$HTTP_GET_VARS). It is my belief that e.g. information pages has similar issues amongst who knows how many other contributions.

Our response was to "cleanse" the incoming $_GET/$HTTP_GET_VARS. However this approach is a losing game as with security it never makes sense to run around trying to sure up contributions individually.

The concept here (not a new one) is to totally sanitise the incoming ($_GET/$HTTP_GET_VARS) at source (the top of catalog/includes/application_top.php) then to sanitise $_REQUEST by $_REQUEST = $_GET + $_POST (Yes we lost $_COOKIE).

By "sanitise" they key here is that we are ALLOWING certain characters to exist in the querystring NOT trying to clean away some dirty ones.

The danger here of course is that we inadvertently remove a character that is required for a legitimate osCommerce function.

After much testing allowed characters are as follows: -
a-z
A-Z
0-9
.(dot)
-(hyphen)
_(underscore)
{}
space (needed for search)
% (To avoid breaking urlencoded strings used by e.g. payment systems) - Thanks perfectpassion.


We are zealously cleaning here so there is always a risk that some contribution may introduce to the querystring a character that is not allowed, so please ensure that you fully test that all your payment systems etc. are functioning correctly.

Hope it keeps you all safe.

License: Refer to standard osCommerce license.

Legend:  Download   Report

Expand All / Collapse All

Security Pro 2.0 ( r7 ) FWR Media 23 Dec 2010  

The first Security Pro was written back in March 2008 when it became apparent that osCommerce shops were being hacked via the querystring through badly coded contributions like testimonials.
Is it still necessary with the new 2.3.X versions of osCommerce

Yes it is still just as valid. The target of Security Pro is not the core osCommerce coding which we all know is good, the target is the thousands of contributions which are usually poorly written.

This is all new code but the concept remains the same .. with Security Pro installed it is impossible to pass bad characters through the querystring so long as the page loads application_top.php, which all osCommerce pages do.

The XSS .htaccess contributions in my opinion are worthless if this is installed as they simply replicate a small part of what Security Pro does.
the only exeption to this that I could see was the REQUEST_METHOD and TRACE|TRACK.

The concept is simple but effective. It's a waste of time to try and blacklist the huge number of hacking vectors as the XSS scripts try to do .. the only answer is whitelisting and this is what Security Pro does very well.
What has Changed?

In operation it is pretty much the same .. except ..

* Total rewrite using more modern code ( albeit PHP4 compatible )
* Added to security stregnth by adding some string exclusions like GLOBALS, _REQUEST, base64_encode, UNION
* Fixed a hole where a clever hacker could gain a dangerous double hyphen.
* The XSS .htaccess contribution now has nothing to offer over Security Pro.
* Simplified KISS installation with no database additions required.

Installation

This has been rewritten as KISS contribution ( Keep It Simple Stupid ) so is extremely quick and easy to install.

Additional comment from member adino (2013-09-06):

Thank you for this great contribution!!
Nonetheless, i've spent almost all my day trying to figure out a problem related with OSC search engine.
In my (beautiful) country - Portugal - we use other charactheres than the ones stored in ASCII table, we really "need" to use the charset ISO-8859-1.
well, when i tryed to find any product with an "different" char - like ç, à, é, ã,... - this char where, of course encoded to be in the url but when i tried to GET the value from the url this simply had disappeared !?!! and in the search box the char had disappeared as well.
Finally I saw your contribution (i have tons of modifications in my stores) i noticed your functions:
function cleanseKeyString
function cleanseValueString
both are using:
$cleansed = preg_replace ( "/[^\s{}a-z0-9_\.\-@]/i", "", urldecode ( $string ) );
what is a huge limitation (for other languages) , i have changed both to :
$cleansed = preg_replace ( "/[^\s{}p{L}\p{N}_\.\-]/i", "", urldecode ( $string ) );

Security Pro 1.0.2 FWR Media 6 Mar 2008  
Security Pro FWR Media 18 Feb 2008