osCommerceCoders.com

Affordable end to end oscommerce solutions with
Search Engine Optimization

Email : osCommerceCoders@gmail.com
Call : +1 818-574-3596 (USA) / +44 (020) 8123-6463 (UK)

Archive for the ‘oScommerce Security’ Category

Patch your Linux server’s installation of bash ASAP to protect it from Shellshock, which was discovered on Sept. 24, 2014.

Contact Us today.

On September 24, a widespread software vulnerability was identified that affects the servers hosted through us. This vulnerability, now called "Shellshock", is a flaw in bash that makes it possible for attackers to send and execute remote commands on unpatched servers.

We can patch your Virtual Dedicated Server or Dedicated Server today.

This is a useful Mobile/Tablet/iPad App for store owners to display the product catalog to prospective customers at events, shows, meetings and so on while on the move.

It is based on the open-source osCommerce ecommerce store. Existing osCommerce store owners can have their own custom-branded mobile App for their customers to download and use.

Customers install the App to get the latest product information. This helps in branding the ecommerce website and building a loyal customer base.

Push Notifications can also be implemented so that App users are notified when new products are added to the store.

The App can also be used as a digital product brochure for wholesale customers to check the products and the listing of new products in the store.

Additional modules

App users can upload photos to be listed in the photo gallery of the website.
Small games to get user interaction and more App downloads.
Information/News module listing the latest information of the product industry in general (using a WordPress blog backend).
Twitter widget integration wherein users can tweet from within the mobile App.
Facebook SDK integration.
Instagram photo gallery integration wherein the latest Instagram photos of the store account are listed.
YouTube video gallery integration listing YouTube videos within the App.

Please email sales@flugelsoft.com or call at the numbers listed in the menu to get in touch with us.

The upgrade files can be downloaded here: http://www.oscommerce.com/solutions.

If you want our team to upgrade the store for you, please use the contact us form to get in touch with us.

If you need help cleaning malware and viruses from your store, and securing it afterwards, we charge a nominal rate of 300 USD.

Please use the contact us form to get in touch with us.

You need to secure osCommerce by doing the following steps:

300 USD

1) Remove admin/file_manager.php

2) Remove admin/define_language.php

3) Make backups of your database and site files; this saves a great deal of time and effort cleaning up should anything nasty happen.

4) Install the following useful contributions:

Prevent injection attacks with Security Pro http://addons.oscommerce.com/info/5752

Monitor the site for unauthorised changes with SiteMonitor http://addons.oscommerce.com/info/4441

Block illicit access attempts with IP trap http://addons.oscommerce.com/info/5914

htaccess protection http://addons.oscommerce.com/info/6066

Stop Cross Site Scripting attacks with Anti XSS http://addons.oscommerce.com/info/6044

Make sure that all files, except for the two configure.php files, have permissions no higher than 644.

The permissions for the two configure.php files will vary according to the server your site is on: 644, 444 or 400 can all be correct.

Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders, then change host.

You can use the contribution at http://addons.oscommerce.com/info/6134 to assist with permission settings.
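The permission rules above can be checked with a short script. The following PHP is an added example, not the contribution linked above and not osCommerce code: it walks a directory tree and reports every file whose mode has a bit beyond 644 and every folder with a bit beyond 755 (a configure.php at 444 or 400 passes, since those are lower than 644). It builds a throwaway sample tree under the system temp directory so it runs as-is; the function names are chosen here, and for a real check you would pass your catalog root to audit_permissions() instead of the sample tree.

```php
<?php
// Added example, not osCommerce code and not the permissions contribution
// linked above. Reports files above 0644 and directories above 0755.

// Returns path => octal mode for every entry under $root that has a
// permission bit set which the ceiling (0644 for files, 0755 for folders)
// does not allow. configure.php gets the same ceiling as other files, so
// 644, 444 and 400 all pass; only extra bits are reported.
function audit_permissions(string $root): array
{
    $findings = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        $mode    = fileperms($path) & 07777;   // permission bits only
        $ceiling = $info->isDir() ? 0755 : 0644;
        if ($mode & ~$ceiling) {                // any bit beyond the ceiling
            $findings[$path] = sprintf('%04o', $mode);
        }
    }
    ksort($findings);
    return $findings;
}

// Builds a constructed sample tree so the script runs stand-alone.
// chmod() is called explicitly because mkdir()'s mode is subject to umask.
function build_sample_tree(): string
{
    $root = sys_get_temp_dir() . '/osc_perm_demo_' . getmypid();
    mkdir($root . '/includes', 0755, true);
    mkdir($root . '/images', 0755, true);
    chmod($root . '/images', 0777);                   // the classic bad setting
    file_put_contents($root . '/index.php', "<?php\n");
    chmod($root . '/index.php', 0644);                // fine
    file_put_contents($root . '/includes/configure.php', "<?php\n");
    chmod($root . '/includes/configure.php', 0444);   // fine: lower than 644
    file_put_contents($root . '/images/upload.php', "<?php\n");
    chmod($root . '/images/upload.php', 0666);        // world-writable file
    return $root;
}

// Removes the sample tree again (children first, then the root).
function remove_tree(string $dir): void
{
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($iterator as $path => $info) {
        $info->isDir() ? rmdir($path) : unlink($path);
    }
    rmdir($dir);
}

$root     = build_sample_tree();
$findings = audit_permissions($root);
printf("%d entries exceed the recommended permissions under %s\n", count($findings), $root);
foreach ($findings as $path => $mode) {
    printf("  %s  %s\n", $mode, substr($path, strlen($root) + 1));
}
remove_tree($root);
```

On the sample tree the script reports the 777 images folder and the 666 file inside it, and nothing else. It only reports; deciding whether to chmod a flagged path is left to the person running it, because a few hosts rely on specific modes for upload directories.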

Other steps to be followed

SECURING THE ADMIN:

By renaming it and password-protecting it.

FORMS:

Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms using the POST method, you are advised to add the following on pages accepting $_POST vars.

after:

CODE

require('includes/application_top.php');

add:

CODE

// clean posted vars: strip every character outside the whitelist from scalar POST values
// (urldecode first so an encoded character such as %3C cannot slip through as "%3C")
// foreach replaces the original reset()/each() loop, since each() was removed in PHP 8
foreach (array_keys($_POST) as $key) {
    if (!is_array($_POST[$key])) {
        $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
    } else {
        unset($_POST[$key]); // no arrays expected
    }
}
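To see what that filter does to real input, here is an added example (not osCommerce code and not part of the original post) that applies the same whitelist to a copy of a constructed $_POST array and prints each value before and after. clean_post_vars() and the sample values are made up for this demonstration.

```php
<?php
// Added example, not osCommerce code: applies the whitelist from the snippet
// above to a constructed POST array and shows what survives.

// Same rule as the snippet, but working on a copy instead of mutating $_POST.
// urldecode() runs first so that an encoded "%3C" becomes "<" and is stripped;
// without it, "%3Cscript%3E" would pass untouched because "%" is whitelisted.
function clean_post_vars(array $post): array
{
    $clean = array();
    foreach ($post as $key => $value) {
        if (is_array($value)) {
            continue;                        // no arrays expected: dropped
        }
        $clean[$key] = preg_replace('/[^ a-zA-Z0-9@%:{}_.-]/i', '', urldecode($value));
    }
    return $clean;
}

// Constructed sample values: a mix of legitimate and hostile input.
$sample_post = array(
    'email'   => 'jane.doe@example.com',
    'name'    => "O'Brien & Sons",          // apostrophe and ampersand are legitimate
    'phone'   => '+1 555 0100',             // "+" is turned into a space by urldecode()
    'search'  => "' OR 1=1 --",             // quote and "=" are removed
    'comment' => '%3Cscript%3E',            // decodes to <script>, brackets removed
    'qty'     => array('1', '2'),           // array value: dropped entirely
);

$cleaned = clean_post_vars($sample_post);
foreach ($sample_post as $key => $value) {
    $before = is_array($value) ? '(array)' : var_export($value, true);
    $after  = array_key_exists($key, $cleaned) ? var_export($cleaned[$key], true) : '(dropped)';
    printf("%-8s %-24s -> %s\n", $key, $before, $after);
}

// The filter also damages legitimate data (the name loses its apostrophe).
// The complementary approach is to keep the value intact and escape it at the
// point of use: tep_db_input() before it goes into a query, htmlspecialchars()
// before it is echoed into a page. The output side is shown here:
echo htmlspecialchars($sample_post['name'], ENT_QUOTES, 'UTF-8'), "\n";
```

Note the trade-off the run makes visible: the filter strips the apostrophe from a customer's name and turns the leading "+" of a phone number into a space, because urldecode() treats "+" as a space. That is why this filter is a stop-gap for old forms rather than a replacement for escaping values where they are used.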

Following the above steps secures the store.

If you need help in doing all the above we charge a nominal rate of 200 USD.

Please use the contact us form to get in touch with us.

osC 2.2 RC1 and RC2.

For the moment two things can and should be done:
A. rename the admin directory
B. add .htaccess protection to the (renamed) admin directory, as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server, by the way)

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure.
After you rename the admin directory you will have to change two lines in renamed_admin_directory/includes/configure.php:

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

For password protecting of your admin directory you can (hopefully) use the Password Protect feature in your web hosting control panel.

The files involved in the change below are:

catalog/admin/includes/application_top.php
catalog/admin/login.php

Some additional information and advice on security

Delete admin/file_manager.php and associated links.
Delete admin/define_language.php and the associated link in the "Tools" box.
Note: keep a local copy of your site on your computer; after editing files and ensuring the things you have added to your shop are working, upload the edited files by FTP to your site.

Ensure that your folder permissions are never set higher than 755.

Install some security addons.

admin/includes/application_top.php Line 146-151

Change:

$redirect = true;
}

if ($redirect == true) {
tep_redirect(tep_href_link(FILENAME_LOGIN));
}

To:

$redirect = true;
}

if (!isset($login_request) || isset($HTTP_GET_VARS['login_request']) || isset($HTTP_POST_VARS['login_request']) || isset($HTTP_COOKIE_VARS['login_request']) || isset($HTTP_SESSION_VARS['login_request']) || isset($HTTP_POST_FILES['login_request']) || isset($HTTP_SERVER_VARS['login_request'])) {
$redirect = true;
}

if ($redirect == true) {
tep_redirect(tep_href_link(FILENAME_LOGIN));
}

admin/login.php Line 10-11

After:

Released under the GNU General Public License
*/

Add:

$login_request = true;

This fix is for the Free Gifts addon of the osCommerce store and is needed on MySQL 5: from MySQL 5.0.12 the JOIN operator binds more tightly than the comma in a FROM list, so a query written as "FROM a, b LEFT JOIN c ON (c.x = a.x)" fails because the columns of a are not visible in the ON clause. Wrapping the comma-joined tables in parentheses restores the intended grouping. ($languages_id is also cast to int below, so the value interpolated into the query is always numeric.)

Two files need to be changed:

shopping_cart.php
Edit the line to:
$gift_query = tep_db_query("SELECT fg.*, p.products_id, p.products_model, p.products_price, p.products_image, p.products_status, pd.products_name FROM (" . TABLE_CARROT . " fg, " . TABLE_PRODUCTS . " p)
LEFT JOIN " . TABLE_PRODUCTS_DESCRIPTION . " pd ON (pd.products_id = fg.products_id)
WHERE pd.language_id = '" . (int)$languages_id . "' AND p.products_id = fg.products_id AND p.products_status = '1' ORDER BY fg.threshold ASC");

admin/gift_add.php
Edit the line to:
$gift_query = tep_db_query("SELECT fg.*, p.products_id, pd.products_name FROM (" . TABLE_CARROT . " fg, products p)
LEFT JOIN products_description pd ON (pd.products_id = fg.products_id)
WHERE pd.language_id = '" . (int)$languages_id . "'
AND p.products_id = fg.products_id
ORDER BY fg.threshold ASC");

If you need commercial support in fixing it you can use the contact us form in the site.

Customers in the store database are being sent spam emails from the osCommerce store.

Many osCommerce stores that are not secured are having this issue.

Solution

Password protect with htaccess

http://code.google.com/p/oscmax2/source/diff?spec=svn169&r=169&format=side&path=/trunk/catalog/admin/includes/application_top.php

For a nominal fee of 50 USD we will secure the site against spam emails being sent from the osCommerce store.

If you need help in doing all the above we charge a nominal rate of 200 USD.

Please use the contact us form to get in touch with us.


There has been a recent increase in attacks on osCommerce websites running old versions.

Hackers exploit a vulnerability in the feature that is normally used for uploading product pictures to the /images directory.

PHP files are uploaded to the images directory and executed.

Customer and order details are displayed and also emailed to the hacker's email address.

Sometimes traces are left by the hacker.
PHP files show up in the images directory (though sometimes they're deleted after being run).

Generally, the following iframe code is added to every products_description and categories_description:

We have a process to clean up the database and clean up the images directory.
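As an added example, not the cleanup process referred to above: the following PHP flags description text containing an injected <iframe> or <script> element and produces a cleaned copy. The rows and the attacker.example host name are constructed for the demonstration (attacker.example is a reserved example domain, not an indicator from any real incident); find_injected_markup() and strip_injected_markup() are names chosen here.

```php
<?php
// Added example, not the cleanup process described in the post: finds injected
// <iframe> / <script> markup in description text and returns a cleaned copy.
// Rows are constructed here; in a real store they would be read from
// products_description and categories_description.

// Matches a complete <iframe>...</iframe> or <script>...</script> element, or a
// lone <iframe ...> / <iframe ... /> tag that has no closing tag.
const INJECTED_MARKUP = '~<(iframe|script)\b[^>]*>.*?</\1\s*>|<iframe\b[^>]*/?>~is';

function find_injected_markup(string $html): array
{
    preg_match_all(INJECTED_MARKUP, $html, $matches);
    return $matches[0];
}

function strip_injected_markup(string $html): string
{
    return preg_replace(INJECTED_MARKUP, '', $html);
}

// Constructed sample rows (attacker.example is a reserved example domain).
$rows = array(
    array('products_id' => 1, 'products_description' => '<p>Blue widget, 10 cm.</p>'),
    array('products_id' => 2, 'products_description' => '<p>Red widget.</p>'
        . '<iframe src="http://attacker.example/x.php" width="1" height="1" style="display:none"></iframe>'),
    array('products_id' => 3, 'products_description' => 'Green widget'
        . '<script src="http://attacker.example/a.js"></script>'),
);

$infected = 0;
foreach ($rows as $row) {
    $found = find_injected_markup($row['products_description']);
    if (count($found) === 0) {
        continue;
    }
    $infected++;
    printf("products_id %d: %d injected element(s)\n", $row['products_id'], count($found));
    foreach ($found as $tag) {
        printf("  removed: %s\n", substr($tag, 0, 60));
    }
    printf("  cleaned: %s\n", strip_injected_markup($row['products_description']));
}
printf("%d of %d rows contained injected markup\n", $infected, count($rows));
```

To run it against a live store, replace $rows with the rows returned by tep_db_query() on products_description and categories_description and write the cleaned text back with an UPDATE, escaping it through tep_db_input(). Clean the database only after the upload hole is closed and any PHP files in images/ are removed; otherwise the iframes simply reappear.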

150 USD

Prevent any injection attacks with Security Pro
http://addons.oscommerce.com/info/5752

Monitor sites for unauthorised changes with SiteMonitor
http://addons.oscommerce.com/info/4441

Block illicit access attempts with IP trap
http://addons.oscommerce.com/info/5914

htaccess protection
http://addons.oscommerce.com/info/6066

Stop Cross Site Scripting attacks with Anti XSS
http://addons.oscommerce.com/info/6044

Make sure that all files, except for the two configure.php files, have permissions no higher than 644.
Permissions on folders should be no higher than 755.
Use http://addons.oscommerce.com/info/6134 to assist with permission settings.
