Community Add-Ons

Whats New?
- Removal of items in blacklists that can lead to false positives

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Whats New?
- Removal of items in blacklists that can lead to false positives

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Whats New?
- Fixed a bug in the getshield() function which could allow for partial filter bypassing
- Recoded the getRealIP() to work more efficiently

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Whats New?
- Fixed time outs issues caused by code changes in 5.0.6 that have affected some configurations of osCommerce

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Whats New?
- osC_Sec now checks the the server user-agent for malicious code
- Corrected an issue with the fix_server_vars() function
- PHP-CGI query string parameter vulnerability request attempts are now filtered
- Addition blacklist items to capture XSS attempts
- Trimmed up sections of osC_Sec to lower overheads
- osC_Sec now filters requests and queries irregardless of request method

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Whats New?
- Improved email handling
- Better handling of configuration constants
- Worked out some of the bugs in osC_Sec interacting with IP Trap
- Fixed an issue with case issues and hex encoded filtering
- osC_Sec now tests for hexcode encoded database injection attempts

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

osC_Sec 5.0.4

Whats New?
- Added xml.php and xml2.php to the file bypass list to avoid some conflicts related to those old xml addons
- Improved the way osC_Sec finds the directory path of the shop catalog
- Updated the database injection blacklist
- getShield() now checks for hex encoded attack vectors

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Whats New?
- Fixed issues causing conflicts with some addons concerning the postShield() function
- Fixed issues causing conflicts with some addons concerning the ipTrap function

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Whats New?
- Fixed issues causing conflicts with some addons concerning the postShield() function

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

Whats New?
- Added extra checks in $checkfilename
- Fixed an issue where files contain extra '.'. i.e. file.name.php
- Fix phpSelfFix() function
- Fixed whitespace issue with $this->_httphost
- More additions to the dbShield() function to protect against database injection attempts
- Fixed a number of issues with dbShield() to prevent false positives
- Removed base64_decode aspect of dbShield() due to it causing errors in some configurations
- More additions to getShield() function to detect local file read attempts
- Remake of the postShield() function
- Remake of the cookieShield() function
- Fixed an error in ipTrapped()

New Install instructions: see the readme.htm, as per usual, all updates contain the complete package

Updating:
Replace the osc_sec.php file in your catalogs /includes/ directory with the one in the /includes/ directory of this zip file.

Please report any bugs to the discussion forums at http://goo.gl/dQ3jH or email rohepotae@gmail.com

osC_Sec is a 'security include' addon that gets down to the point quick smart.

The primary function of osC_Sec is to provide a specific security patch to the known security issues that have plagued osCommerce based websites. osC_Sec also provides a filtering system to catch and prevent typical database attacks as well as attempt to upload files and use remotely hosted files to do damage to your website content.

Features:
- Contains the code patch for the admin login bypass exploit
- Checks user input for obsfuscated base_64 encoded strings
- Matches all user input POST variables against a blacklist
- Matches all user input GET variables against a blacklist
- Catch attempts to remotely or locally read or include malicious files
- Filter for MYSQL database injection attempts
- Filter for noDB injection attempts
- Filter cookies for HTTP response splitting and database injection attempts
- Set the correct filename for $PHP_SELF
- Matches all site URLs against a blacklist
- Filters all GET queries against a whitelist of allowed characters
- Checks all server requests types for malformed requests
- Optional writes the IP address of banned requests to the htaccess file, thus preventing further access to the site by that IP
- Prevents direct loading of the osc_Sec files
- Prevent spamming via Tell A Friend scripts
- Lower the information signature leaked by webservers to attackers as part of their intel gathering
- Get the real ip address
- Blocks bad web spidering (DEV)
- Written in PHP 4.x class format
- Optional email notification of attack attempts
- Compatible with IP Trap and Sitemonitor
and more....

Who should use it?
- Users of Oscommerce versions earlier than 2.3
- If your site has been hacked before
- If your site gets heavy attention from malware exploiters and you wish to lower the bandwidth being used by these attacks.

See readme.htm for install instructions

osC_Sec is a 'security include' addon that gets down to the point quick smart.

The primary function of osC_Sec is to provide a specific security patch to the known security issues that have plagued osCommerce based websites. osC_Sec also provides a filtering system to catch and prevent typical database attacks as well as attempt to upload files and use remotely hosted files to do damage to your website content.

Features:
- Checks user input for obsfuscated base_64 encoded strings
- Matches all user input POST variables against a blacklist
- Matches all user input GET variables against a blacklist
- Catch attempts to remotely or locally read or include malicious files
- Filter for MYSQL database injection attempts
- Filter for noDB injection attempts
- Filter cookies for HTTP response splitting and database injection attempts
- Set the correct filename for $PHP_SELF
- Matches all site URLs against a blacklist
- Filters all GET queries against a whitelist of allowed characters
- Checks all server requests types for malformed requests
- Optional writes the IP address of banned requests to the htaccess file, thus preventing further access to the site by that IP
- Prevents direct loading of the osc_Sec files
- Prevent spamming via Tell A Friend scripts
- Lower the information signature leaked by webservers to attackers as part of their intel gathering
- Get the real ip address
- Blocks bad web spidering (DEV)
- Written in PHP 4.x class format
- Optional email notification of attack attempts
- Compatible with IP Trap and Sitemonitor
and more....

Who should use it?
- Users of Oscommerce versions earlier than 2.3
- If your site has been hacked before
- If your site gets heavy attention from malware exploiters and you wish to lower the bandwidth being used by these attacks.

See readme.htm for install instructions