Making your shop “bulletproof”…

By | August 29, 2008

Nice post in the offical osCommerce forum from user “Spooks” talking about security implications for osCommerce stores…

You can prevent any injection attacks with Security Pro:
http://addons.oscommerce.com/info/5752

You can monitor sites for unauthorised changes with SiteMonitor:
http://addons.oscommerce.com/info/4441

You can block elicit access attempts with IP trap:
http://addons.oscommerce.com/info/5914

You can add htaccess protection:
http://addons.oscommerce.com/info/6066

You can stop Cross Site Scripting attacks with Anti XSS:
http://addons.oscommerce.com/info/6044

Also make sure that all files, except for the two configure.php files have permissions no higher than 644. The permissions for the two configure.php files will vary according to the server your site is on – it could be 644, 444 or 400 which is correct. Permissions on folders should be no higher than 755. If your hosting setup demands permissions of 777 on folders then change hosts. You can add http://addons.oscommerce.com/info/6134 to assist with permission settings.

Do it now, avoid getting that nasty addition to your listings in google: ‘This site might damage your computer’ or find all your customers data has been posted on a hackers bulletin board somewhere, etc etc

Good work Spooks!

11 thoughts on “Making your shop “bulletproof”…

  1. Edene

    I initially visited this blog for more information
    about the Discount Coupon….it has now become somewhat
    of an addiction. Yours is now one of the blogs/sites
    I check on a daily basis….and there’s always something
    informative, useful or just plain fun-to-know waiting there.
    Much appreciated!

  2. Gary Post author

    Edene – many thanks for your kind words 😀

  3. enigma1

    Gary, have you actually checked the code of these contributions you recommend? or you just copied a post from the osC forum?

    they are bulletproof alright… if I could only persuade my competitors to use them.

  4. Gary Post author

    I have not personally tested any of these. if you do, post back…

  5. enigma1

    I checked some of those, I know the security monitor and its principles are good. However others like the security pro, ip trap, htaccess protection, anti XSS, in my opinion only give a false impression to the store owner and may lead to the opposite results.

    Briefly, lets take for instance the security pro. It arbitrarily processes all /GET /POST parameters. So if someone sets a URL say http://www.example.com/index.php?something=51, it will process the something=51 although none of the osc scripts will ever use it. Now apply this by 1000 posted parameters with garbage and you can see where this is going. Also an attacker can activate register globals with that module. IP trap now, well this thing is a honeypot for trouble; when properly exploited it can be used by competitor sites to boost their position. It can go like this. Attack bot accesses robots.txt disallowed directories listed, then verifies that a ban ip is successful. Then for each visitor on the competitor sites, html tags like images or links are exposed to customers pointing to the disallowed directories on the other server. The customer’s browser accesses these, getting a ban without even knowing it. I hope you get the picture. htaccess protection has a long list of ips to ban outright including entire countries. You never ban ips like that especially on a permanent basis. I see lots of stores on the osc forum requesting feedback, that deploy these modules and are totally unaware of the consequences. They will even block ips if the user agent is blank, or the referrer is missing. Personally I never expose the browser or referrer when I visit various sites. Why someone should expose the browser version? It is dangerous to say the least as the server knowing that, can now exploit certain things.

    Here is an article on my site that gives some detailed information regarding security.
    http://www.asymmetrics.com/filtering-incoming-parameters.asp

  6. Sam

    You seem to be saying that some of these contrib’s may have holes so best not apply, leaving the holes they fill wide open!! Even if they do have holes, some protection is better than none, in any case I`ve yet to hear of anyone that has applied all these & still got hacked.

    Security pro process the GET not POST, ensuring only allowed chars are passed, its one of the first I always add.

    If you care to look there is an instance recently of a site with a bad version of testimonials that was attacked, but as they also had Security pro the attack was nullified, so much for your assertion it does nothing!!

    As to the htacces, yes it does ban some countries & that is detailed so up to the installer, if that country may have customers its easily removed, but if your a UK store that sells only to the UK then why care about banning countries you cant/wont sell to.

    I feel your scenario for a competitor to use the IP banning maliciously is unlikely, as the cost, once found out, would make the benefit miniscule.

  7. enigma1

    If you have a piece of code that has a problem then you fix that code. So if you have a contribution that causes a problem you fix the contribution. You don’t go and start doing unnecessary things like striping characters from variables you don’t know about. osC has filtering functions in place and as you know when applied properly the parameters are safe for the dbase and the variables throughout the scripts. In the case of customers testimonials just an integer cast is enough. I see no point deploying modules that may damage the site’s functionality or exposure. That’s not what I call security but quick and dirty hacks.

    As far I can tell whoever bans IPs has the troubles and honestly I do not see anything malicious about it. And at the top of that good luck figuring out what’s going on if you going down the ban path. Especially for a merchant who wonders why his site all of a sudden got removed from the search engines or he sees no sales.

  8. Java Roasters

    I just looked at the IP Trapper contributions and it could be better. If you don’t want someone to find a directory then don’t have

    Disallow: catalog/personal
    Disallow: catalog/includes
    Disallow: catalog/cgi-bin

    In your robots.txt file.

    You need to make an additional robots.txt file in each of the directories and add this to it;

    User-agent: *
    Disallow: /

    It is a much better way of doing it. Also don’t allow directory listing in .htaccess and rename your admin also.

  9. enigma1

    JR, the whole point of the ip trap was to deploy a honeypot via the robots.txt from the code and comments I read. The directories are exposed intentionally. Honeypots have their uses but blindly banning the IPs because of the restricted directories??.

    The problem I see is that these contributions were not built targeting the real objectives of ecommerce (like maximizing sales) and instead trying to capitalize on mistakes of other useful contributions like customer testimonials. It’s now what? 7 years since Gary posted the first version of the module? Nothing new though happens all the time. The Products Extra Images is another example I remember. The fact is, whoever is on the top page of SEs will do sales and banning IPs and entire countries from your sites will never get you there. So fix the code of contributions you integrate and update the contributions.

  10. Gary Post author

    Frankly, I’m surprised that contribution even still exists. I’ve asked for it to be removed (years ago) along with another contribution that is defunct.

    There are loads of contributions that people insist on, which I feel are worthless. All that matters for any ecomm site owner, is getting qualified traffic onto the site…

  11. enigma1

    Having a separate table that lists testimonial content is a plus for e-commerce sites because they present the customer experience about a product or service the store carries. That can generate useful traffic. In my opinion the addon is a useful one, but obviously every piece of s/w needs maintenance and updates for new versions of PHP,MySQL and the like.

    At the end, is up to the store owners to either know howto, or to hire a professional to integrate contributions to their sites.

    Instead what is happening they, or someone else just drops the files on the server without consideration leading to all these hacks and side effects we see.

Comments are closed.