Secure your osCommerce store!

Security question has always been one of the most important things for any e-commerce store owner. In this post we’ll show you some ways to improve the security of your osCommerce 2.2 store and increase safety of your store visitors.

OsCommerce 2.2 engine itself has several vulnerabilities and it’s very important to fix them before thy haven’t been used by some “evil-wishers”. Moreover, as osCommerce is an open-source product thousands of developers are working hard to offer you some addons and contributions that can expand the functionality of your store, add new features and opportunities. But installing any third addon can you be sure that it won’t add several more vulnerabilities to your store?

Let’s start from the basic things.

Remove Install directory

When you are opening your installed osCommerce website for the first time you can see the warning messages at the top of the page. One of them is related to the “install” directory

Warning: Installation directory exists at: …/install. Please remove this directory for security reasons.

You can go two ways from this point:

• Delete the “install” directory from the osCommerce folder on your server (Recommended)
• Rename the “install” folder (to “install1” for example).

Set permissions

Two other warnings are related to the correct CHMOD permissions for the configuration files. Feel free to check the detailed tutorial on how to resolve permissions warning message

Also please note that CHMOD permissions for other directories should be not more than 755. If your hosting demands permissions of 777 on folders it’s time to think about new hosting provider.

Secure administration panel

For the moment two things can be done:

• rename the admin directory
• add the .htaccess protection to the renamed directory

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

	define('DIR_WS_ADMIN', '/renamed_admin_directory/');
	define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

For password protecting of your admin directory you can use the Password Protect feature in your web hosting control panel. Please contact your hosting provider for more details.

Remove Filemanager

It has long been known the filemanger is a security risk & should be removed, if used for editing your site it is likely to damage your files, so is a bad utility to keep anyway. Its also been known its a possible hacking route & to make matters worse there now exists a very nasty hack that uses filemanger to gain access to your site.

To remove filemanager please follow the steps below:

1. Open your osCommerce installation directory and delete file_manager.php from catalog/admin folder
2. Open “admin/includes/boxes/tools.php” file and delete the line:

   			'<a href="' . tep_href_link(FILENAME_FILE_MANAGER) . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .
   		

3. It is also known that “admin/define_language.php is vulnerable to the same hacks as filemanger, so should also be removed.

Secure the Forms

Security Pro cleans the query string, however any forms using $_POST are un-affected, if you have any forms using the post method you would be advised to do the following on pages accepting $_POST vars.

Open the file with the form that uses POST method and after:

	require('includes/application_top.php');

add the following:

	// clean posted vars
reset($_POST);
          while (list($key, $value) = each($_POST)) {
                   if (!is_array($_POST[$key])) {
                          $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
                } else { unset($_POST[$key]); } // no arrays expected 
          }

Prevent injection attacks

Security Pro

Main goal of this contribution is to prevent any injection attacks on your osCommerce store via the vulnerability in the query string ($_GET/$HTTP_GET_VARS). It’s a valuable addon for both osCommerce 2.2 and 2.3

About addon(info taken from the addon manual)

The first Security Pro was written back in March 2008 when it became apparent that osCommerce shops were being hacked via the query string through badly coded contributions like testimonials. Is it still necessary with the new 2.3.X versions of osCommerce. Yes it is still just as valid. The target of Security Pro is not the core osCommerce coding which we all know is good, the target is the thousands of contributions which are usually poorly written.

This is all new code but the concept remains the same .. with Security Pro installed it is impossible to pass bad characters through the query string so long as the page loads application_top.php, which all osCommerce pages do.

The XSS .htaccess contributions in my opinion are worthless if this is installed as they simply replicate a small part of what Security Pro does. the only exception to this that I could see was the REQUEST_METHOD and TRACE|TRACK.

The concept is simple but effective. It’s a waste of time to try and blacklist the huge number of hacking vectors as the XSS scripts try to do .. the only answer is whitelisting and this is what Security Pro does very well.

Installation

The installation procedure is fast and easy so you shouldn’t meet any difficulties here.

1. Download the addon package and extract the files
2. Open the Security Pro package and go to the “upload > catalog” directory. Then upload the “includes” directory to your osCommerce root. The folder contains a single new file so it won’t harm your store.
3. Now go to “catalog/includes” folder and open the “application_top.php” file
4. Use the Find and Replace tool and locate the line

   			if ($request_type == 'NONSSL') {
   		

   and add the following straight before it:

   				// Security Pro by FWR Media
   				include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
   				$security_pro = new Fwr_Media_Security_Pro;
   				// If you need to exclude a file from cleansing then you can add it like below
   				//$security_pro->addExclusion( 'some_file.php' );
   				$security_pro->cleanse( $PHP_SELF );
   				// End - Security Pro by FWR Media
   		

Thats all. The installation is complete.

How to check if it is working?

You’ve performed some file modifications and uploaded a new file. I’m sure you are willing to test if the addon is working fine. For the test open the advanced search page or use the search box. Into the search input field paste the following mix: [w](o)%3Cr%3Ek|i*n^g. Run the search then and the search query should show the work: “working”.

Monitor site for unauthorised changes

Site Monitor

This contribution will create a record of your files so that they can be checked at a later date. If any files have been added or deleted, or the size, timestamp or permissions were changed, you are notified via email.

The addon can be used for both osCommerce 2.2 or 2.3

Installation

1. Download the contribution and extract the files
2. Depending on your version of osCommerce open oscommercce_2.3 or oscommerce_MS2_or_RC2 folder and copy the admin folder to your osCommerce root. Only files intended for this contribution will be overwritten.
3. Open admin/includes/languages/english.php file and add the following anywhere before the closing ?> tag

   			// sitemonitor text in includes/boxes/sitemonitor.php
   			define('BOX_HEADING_SITEMONITOR', 'SiteMonitor');
   			define('BOX_SITEMONITOR_ADMIN', 'Admin');
   			define('BOX_SITEMONITOR_CONFIG_SETUP', 'Configure');
   			define('IMAGE_EXCLUDE', 'Exclude');
   		

4. Open “admin/includes/filenames.php” file and add the following anywhere before the closing ?> tag

   			define('FILENAME_SITEMONITOR_ADMIN', 'sitemonitor_admin.php');
   			define('FILENAME_SITEMONITOR_CONFIG_SETUP', 'sitemonitor_configure_setup.php');
   			define('FILENAME_SITEMONITOR_CONFIGURE', 'sitemonitor_configure.txt');
   		

5. Open “admin/includes/column_left.php” file and add the following before the closing ?> tag:

   			require(DIR_WS_BOXES . 'sitemonitor.php');
   		

   for osCommerce 2.2 and

   			include(DIR_WS_BOXES . 'sitemonitor.php');
   		

   for osCommerce 2.3
6. Open osCommerce administration panel and go to admin->Sitemonitor->Configure. There you can configure the addon according to your needs.
7. For more configuration settings check the readme.txt file from the addon package.

Block elicit access attempts with IP trap

Secure your site with an IP trap

The contribution works by setting up a trap in a folder that only bad bots, or someone poking around in your site will come across (hackers use the Robots.txt to try and find sensitive file on your server) it then redirects then to a message page that tells them they are blocked, at the same time writing their IP number to file.If they try to return they will only get the blocked message.

Installation

1. Download the addon package and extract the files
2. Open the addon package and go to the “catalog” folder.
3. Upload all files and folders to your osCommerce installation root.
4. Go to the “personal/index.php” file and replace the sample email address with your own one on line:

   			$emailad = 'you@yoursite.com';
   		

   ensure you keep it within the apostrophes.
5. Open “includes/application_top.php” file and find the lines:

   			// include the list of project filenames
   			require(DIR_WS_INCLUDES . 'filenames.php');
   		

   after these lines add:

   			// IP Trap V5
   			include(DIR_WS_INCLUDES . 'secret.php'); 
   		

6. Thats all. The addon is installed.

For more information about the addon configuration please check the “install.txt” file from the addon package.

Htaccess protection

Protect your site via htaccess

This contribution contains scripts that help you protect your site via your htaccess file. It’s a collection of .htaccess scripts to help protect you from the nasties out there. With lots of attacks going on, this file bans lots of bad bots, libwww-perl in particular which will take all your bandwidth. .htaccess cannot be used on a Windows server

1. Download the addon package and extract the files
2. Open htaccess_protection.html file in your browser and use the htaccess scripts adding them to the .htaccess file located in your osCommerce installation.

Usage of htaccess scripts require some advanced skills so if you are not familiar with them please make sure to backup the .htaccess file before performing any modifications