Community Add-Ons


Security Pro 2.0 ( r7 )
for osCommerce Online Merchant v2.3

Security Pro 2.0

Effective Querystring Protection Against Hacking by Whitelisting

The first Security Pro was written back in March 2008 when it became apparent that osCommerce shops were being hacked via the querystring through badly coded contributions like testimonials.
Is it still necessary with the new 2.3.X versions of osCommerce?

Yes, it is still just as valid. The target of Security Pro is not the core osCommerce code, which we all know is good; the target is the thousands of contributions, which are usually poorly written.

This is all new code but the concept remains the same .. with Security Pro installed it is impossible to pass bad characters through the querystring so long as the page loads application_top.php, which all osCommerce pages do.

The XSS .htaccess contributions in my opinion are worthless if this is installed, as they simply replicate a small part of what Security Pro does.
The only exception to this that I could see was the REQUEST_METHOD and TRACE|TRACK rules.

The concept is simple but effective. It's a waste of time to try and blacklist the huge number of hacking vectors as the XSS scripts try to do .. the only answer is whitelisting and this is what Security Pro does very well.
What has Changed?

In operation it is pretty much the same .. except ..

* Total rewrite using more modern code ( albeit PHP4 compatible )
* Added to security strength by adding some string exclusions like GLOBALS, _REQUEST, base64_encode, UNION
* Fixed a hole where a clever hacker could get a dangerous double hyphen through.
* The XSS .htaccess contribution now has nothing to offer over Security Pro.
* Simplified KISS installation with no database additions required.


This has been rewritten as a KISS contribution ( Keep It Simple Stupid ) so it is extremely quick and easy to install.


Security Pro ( r11 ) 19 Jul 2012

Security Pro 2.0 r11


osCommerce versions: 2.2 through 2.3.2

PHP versions: 4 through 5.4.4


Easy upgrade from r7 - overwrite one single file.

Code rewritten to one new class

Added @ to the allowed characters, which allows compatibility with version 2.3.2.

Added the ability to cleanse the keys of the _GET superglobal as well as the values ( PCI reasons ).

Added the ability to add file exclusions in application_top.php as an array:
$security_pro->addExclusions( array )

Added the ability to chain-add exclusions in application_top.php:
$security_pro->addExclusion( 'some_file.php' )
->addExclusion( 'some_other_file.php' );

Functionality other than this remains the same
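As an added illustration of the whitelisting approach described above (allowed characters only, a short list of removed strings, no surviving double hyphen, keys cleansed as well as values) and of the r11 exclusion calls (chained addExclusion, addExclusions with an array), here is a small PHP class. It is not the Security Pro add-on's own code: the class name QuerystringWhitelist, the method names cleanse and clean, the exact character set and the sample request values are assumptions made for this example, and it is written in PHP 5 style rather than the PHP 4 compatible style the add-on keeps.

```php
<?php
// Added example of whitelist-based querystring cleansing, not the add-on's code.
// Names, character set and sample values are assumptions for this illustration.

class QuerystringWhitelist
{
    // Anything outside this set is dropped from every key and value.
    // '@' is included to mirror the r11 note about osCommerce 2.3.2.
    private $notAllowed = '/[^a-zA-Z0-9 .,_@\\-]/';

    // Substrings removed outright, mirroring the strings listed on the page.
    private $blocked = array('GLOBALS', '_REQUEST', 'base64_encode', 'UNION');

    // Script basenames that are excused from cleansing entirely.
    private $excluded = array();

    public function addExclusion($file)
    {
        $this->excluded[] = basename($file);
        return $this; // returning $this is what makes chaining possible
    }

    public function addExclusions(array $files)
    {
        foreach ($files as $file) {
            $this->addExclusion($file);
        }
        return $this;
    }

    // Reduce one string to the whitelist, strip blocked words, collapse '--'.
    public function clean($input)
    {
        $out = preg_replace($this->notAllowed, '', (string) $input);

        // Repeat until stable: a single pass would let "UNIUNIONON" turn back
        // into "UNION" after the inner occurrence is removed.
        do {
            $before = $out;
            $out = str_ireplace($this->blocked, '', $out);
        } while ($out !== $before);

        // Collapse runs of hyphens last, so a '--' created by the removals
        // above (the hole the r7 notes describe) cannot survive either.
        return preg_replace('/-{2,}/', '-', $out);
    }

    // Cleanse keys and values recursively; nested arrays (a[]=1) are walked.
    private function cleanseValues(array $get)
    {
        $clean = array();
        foreach ($get as $key => $value) {
            $k = $this->clean($key);
            if ($k === '') {
                continue; // a key that survives as nothing is simply dropped
            }
            $clean[$k] = is_array($value) ? $this->cleanseValues($value) : $this->clean($value);
        }
        return $clean;
    }

    // Entry point: skip excluded scripts, otherwise rebuild the whole array.
    public function cleanse(array $get, $currentScript)
    {
        if (in_array(basename($currentScript), $this->excluded, true)) {
            return $get;
        }
        return $this->cleanseValues($get);
    }
}

// Constructed sample request, not a real one.
$sample = array(
    'products_id' => '12',
    'cPath'       => '21_25',
    'sort'        => "2a';UNION SELECT --",
    'x<script>'   => 'y',
);

$guard = new QuerystringWhitelist();
$guard->addExclusion('some_file.php')
      ->addExclusions(array('some_other_file.php'));

// Where the page says this belongs: once, early in application_top.php,
// before any contribution reads $_GET.
$_GET = $guard->cleanse($sample, basename($_SERVER['SCRIPT_NAME']));
```

Run with a script name that is not on the exclusion list, the sort value loses its quote, semicolon and UNION and its double hyphen collapses to one, while the products_id and cPath values pass through unchanged; the key x<script> is reduced to xscript. The trade-off of removing substrings such as UNION at application_top level is that legitimate values containing them (a search for "reunion", for instance) are altered too, which is why the add-on ships a per-file exclusion mechanism rather than a per-parameter one.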

Support thread:

Security Pro 2.0 ( r7 ) 23 Dec 2010