osCommerceCoders.com

Affordable end to end oscommerce solutions with
Search Engine Optimization

Archive for the ‘oScommerce Security’ Category

osC 2.2 version RC1 and RC2.

For the moment two things can and should be done:
A. rename the admin directory
B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure.
After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

For password protecting of your admin directory you can (hopefully) use the Password Protect feature in your web hosting control panel.

catalog/admin/includes/application_top.php
catalog/admin/login.php

Some additional information and advice on security

Delete admin/filemanager.php and associated links.
Delete admin/define_language.php and associated link in the “Tools” box.
Note: keep a local copy of your site on your computer. After editing files, and after checking that the things you have added to your shop are working, upload the edited files to your site by FTP.

Ensure that your folder permissions are never set higher than 755.

Install some security addons

admin/includes/application_top.php, lines 146-151

Change:

$redirect = true;
}

if ($redirect == true) {
tep_redirect(tep_href_link(FILENAME_LOGIN));
}

To:

$redirect = true;
}

if (!isset($login_request) || isset($HTTP_GET_VARS['login_request']) || isset($HTTP_POST_VARS['login_request']) || isset($HTTP_COOKIE_VARS['login_request']) || isset($HTTP_SESSION_VARS['login_request']) || isset($HTTP_POST_FILES['login_request']) || isset($HTTP_SERVER_VARS['login_request'])) {
$redirect = true;
}

if ($redirect == true) {
tep_redirect(tep_href_link(FILENAME_LOGIN));
}

admin/login.php, lines 10-11

After:

Released under the GNU General Public License
*/

Add:

$login_request = true;
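The patched guard above, as an added example (not osCommerce's own code) that reduces the check to a pure function and runs it over constructed request scenarios; the `$ctx` keys and the scenario labels are assumptions made for this example:

```php
<?php
// Added example, not osCommerce's own code: the patched admin guard from
// application_top.php factored into a pure function so each input channel can be
// exercised from the command line. The $ctx keys are names assumed for this example:
//   'admin_session'     bool   whether the 'admin' session variable is registered
//   'page'              string basename of the requested script
//   'login_request_var' mixed  value of $login_request in PHP scope, null if unset
//   'inputs'            array  channel => values, mirroring GET/POST/COOKIE/SESSION/FILES/SERVER
function admin_should_redirect(array $ctx): bool
{
    if ($ctx['admin_session']) {
        return false;                               // authenticated: never redirect
    }
    $redirect = ($ctx['page'] !== 'login.php');     // original rule: every page but login.php

    // Patched rule: $login_request must exist AND must not have arrived through any
    // request channel. login.php sets it itself; with register_globals on, a request
    // value named login_request would otherwise become $login_request and pass isset().
    if ($ctx['login_request_var'] === null) {
        $redirect = true;
    }
    foreach (['get', 'post', 'cookie', 'session', 'files', 'server'] as $channel) {
        if (isset($ctx['inputs'][$channel]['login_request'])) {
            $redirect = true;
        }
    }
    return $redirect;
}

// Constructed scenarios; array union (+) lets each case override one key of $base.
$base = ['admin_session' => false, 'page' => 'login.php',
         'login_request_var' => true, 'inputs' => []];
$cases = [
    'login.php reached normally'           => $base,
    'categories.php with no session'       => ['page' => 'categories.php'] + $base,
    'login_request arrived via GET'        => ['inputs' => ['get' => ['login_request' => '1']]] + $base,
    'login_request never set by login.php' => ['login_request_var' => null] + $base,
];
foreach ($cases as $label => $ctx) {
    printf("%-38s -> %s\n", $label, admin_should_redirect($ctx) ? 'redirect to login' : 'allow');
}
```

Only the first scenario is allowed through; the other three are sent to the login page, which is exactly what the added `isset()` chain in the patch is for.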

This is because of the Free Gifts addon for the osCommerce store; it is a MySQL 5 fix. From MySQL 5 the comma join has lower precedence than LEFT JOIN, so the comma-joined tables must be wrapped in parentheses for the ON clause to be able to see them.

Need to change 2 files

Fix 3 files:
shopping_cart.php
Edit the line to:
$gift_query = tep_db_query("SELECT fg.*, p.products_id, p.products_model, p.products_price, p.products_image, p.products_status, pd.products_name FROM (" . TABLE_CARROT . " fg, " . TABLE_PRODUCTS . " p)
LEFT JOIN " . TABLE_PRODUCTS_DESCRIPTION . " pd ON (pd.products_id=fg.products_id)
WHERE pd.language_id = '" . $languages_id . "' AND p.products_id = fg.products_id AND p.products_status = '1' ORDER BY fg.threshold ASC");

admin/gift_add.php
Edit the line to:
$gift_query = tep_db_query("SELECT fg.*, p.products_id, pd.products_name FROM (" . TABLE_CARROT . " fg, products p)
LEFT JOIN products_description pd ON (pd.products_id=fg.products_id)
WHERE pd.language_id = '" . $languages_id . "'
AND p.products_id = fg.products_id
ORDER BY fg.threshold ASC");

If you need commercial support in fixing it you can use the contact us form in the site.

Customers in the store database are being sent spam emails from the osCommerce store.

Many osCommerce stores which are not secured are having this issue.

Solution

Password protect with htaccess

http://code.google.com/p/oscmax2/source/diff?spec=svn169&r=169&format=side&path=/trunk/catalog/admin/includes/application_top.php

For a nominal fee of 50 USD we will secure the site against spam emails from the osCommerce store.

If you need help in doing all the above we charge a nominal rate of 200 USD.

Please use the contact us form to get in touch with us.

You need to secure oscommerce by doing the following steps

1) Remove admin/file_manager.php
2) Remove admin/define_language.php
3) Make backups of your database and site files, saves a great deal of time & effort cleaning up should anything nasty happen.
4) Install the following useful contributions

Prevent any injection attacks with Security Pro http://addons.oscommerce.com/info/5752

Monitor sites for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

Block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

htaccess protection http://addons.oscommerce.com/info/6066

Stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Make sure that all files, except for the two configure.php files have permissions no higher than 644.

The permissions for the two configure.php files will vary according to the server your site is on: whichever of 644, 444 or 400 is correct for that server.

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders, then change host.

You can use the contribution at http://addons.oscommerce.com/info/6134 to assist with permission settings.

Other steps to be followed

SECURING THE ADMIN:

By re-naming & password protection

FORMS:

Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms using the POST method, you are advised to do the following on pages accepting $_POST variables.

after:

require('includes/application_top.php');

add:

// clean posted vars: keep only whitelisted characters, drop any array values.
// foreach replaces the original each() loop, which was removed in PHP 8.
// Note: the whitelist also strips apostrophes, '+', '/' and '&' from legitimate
// input (names, addresses, some e-mail addresses), so test your forms afterwards.
foreach (array_keys($_POST) as $key) {
  if (!is_array($_POST[$key])) {
    $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
  } else {
    unset($_POST[$key]); // no arrays expected
  }
}

Following the above steps hardens the store.


There has been a recent increase of attacks on osCommerce websites using old versions.

Hackers exploit a vulnerability in the feature that is normally used for uploading product pictures to the /images directory.

PHP files are uploaded into the images directory and executed.

Customer and order details are displayed and also emailed to the hacker's email address.

Sometimes traces are left by the hacker.
PHP files show up in the images directory (though sometimes they're deleted after being run).

Generally, the following iframe code is added to every product_description and categories_description

We have a process to clean up the database and clean up the images directory
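A read-only triage check for the two traces just described, added here as an example that is not part of the original post; the images path, the PHP open-tag heuristic and the sample description rows are constructed for this example:

```php
<?php
// Added example, not from the original post: a read-only triage check for the two
// traces described above (PHP dropped into images/ and an <iframe> injected into
// product and category descriptions). Paths and sample rows are constructed here.

// Files under images/ that are PHP by extension, or that carry a PHP open tag
// inside a file with an image-looking name; a real image never needs one.
function suspicious_image_files(string $imagesDir): array
{
    $hits = [];
    if (!is_dir($imagesDir)) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(
        $imagesDir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        $path = $file->getPathname();
        if (preg_match('/\.(php|phtml|php[3-7]|phar)$/i', $path)) {
            $hits[$path] = 'PHP extension inside images/';
        } elseif (($head = @file_get_contents($path, false, null, 0, 4096)) !== false
                  && preg_match('/<\?(php|=)/i', $head)) {
            $hits[$path] = 'PHP open tag inside a non-PHP file';
        }
    }
    return $hits;
}

// Description rows (id => HTML) that contain an <iframe>; returns the ids so the
// rows can be reviewed and restored from a clean backup.
function descriptions_with_iframe(array $rows): array
{
    return array_keys(array_filter($rows, fn($html) => preg_match('/<iframe\b/i', $html) === 1));
}

// Constructed sample: the first row is clean, the second carries an injected frame.
$rows = [
    17 => '<p>Blue widget, 2 pack</p>',
    18 => '<p>Red widget</p><iframe src="http://example.invalid/" width="1" height="1"></iframe>',
];
$imagesDir = $argv[1] ?? 'images';   // assumed catalog images path, e.g. /var/www/catalog/images

foreach (suspicious_image_files($imagesDir) as $path => $why) {
    echo "FILE  $path  ($why)\n";
}
foreach (descriptions_with_iframe($rows) as $id) {
    echo "ROW   description id $id contains an <iframe>\n";
}
```

Run it with the catalog images directory as the first argument; in a real clean-up the rows would come from a dump of products_description and categories_description rather than the inline sample.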


Prevent any injection attacks with Security Pro

http://addons.oscommerce.com/info/5752

Monitor sites for unauthorised changes with SiteMonitor

http://addons.oscommerce.com/info/4441

Block illicit access attempts with IP trap

http://addons.oscommerce.com/info/5914

htaccess protection

http://addons.oscommerce.com/info/6066

Stop Cross Site Scripting attacks with Anti XSS

http://addons.oscommerce.com/info/6044

Make sure that all files, except for the two configure.php files have permissions no higher than 644.
Permissions on folders should be no higher than 755.
Use the contribution at http://addons.oscommerce.com/info/6134 to assist with permission settings.
