Re: Security Patch

[paulM]

Quote:

Originally Posted by bdneuman

you just put the variable in application_top to make the initial definition?

Actually I would not add it to application_top myself, but I don't really know osCMax so application_top might be the best file to add it to. (so maybe Michael can make this clear for you after all )

(I would add it to configure_bts.php, but I'm not sure if osCMax even has a configure_bts file, and for safety application_top is at least as good of course).

If you set the variables to '', the script will be safer because it won't be possible to inject malicious code into variables anymore (assuming normal flow).

Quote:

Do you remove any of the variables from the various templates files then?

No.

(just to be clear, I would use it as an addition to msasek's fix, so not i.s.o.)

[goaskmom]

Couple of questions here. I have a couple of stores. One running MAX 1.5 and one running MAX 1.7. I'm all fixed on the 1.7 one. The 1.5 version, I noticed that in some of the template folders, there is no popup.tpl.php file, but only the main_page.tpl.php file. Do I just update what's there and not worry about anything else?

Also, I'm in a good or bad habit of copying and renaming all files before I change anything, so I always have a copy of the original. If I rename main_page.tpl.php to mainpageorig.old, and then fix the main_page.tpl.php file, am I okay, or am I still very vulnerable because the actual code that's being exploited is still on my server under a different name? So, I guess the question is, is this security risk in the actual code, or is it linked to the filename as well?

Am I okay having the original, renamed, and the modified version still on my server?

I asked Mom and she didn't know.

[paulM]

Quote:

Originally Posted by swdave

//Protection application_top
$javascript = '';
$content = '';
$content_template = '';
$boxLink = '';
etc...

good idea by itself, but it doesn't work (at least not with a standard BTS version), because the above sets the variables and that causes the script to preform actions which it shouldn't. So (allthough it might not really be neccessary if you've done msasek's fix and the .htaccess fix) I would add:

Code:

unset($javascript,$content,$content_template,$boxLink);

to application_top instead. This destroys the variables and thus any malicious code inside it too.
( anyone knows any more vars to add to the above list?)

I would like to repeat this one:

Quote:

Originally Posted by swdave

.httaccess in templates dir

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

it really increases security a lot (especially because register_globals has to be enabled for osC unfortunately)

@goaskmom: about the differences between MAX versions I don't know anything. I would just do a search for $javascript and $content_template inside the whole templates (sub)folders if I were you, and make sure the "basename fixes" are applied to all instances you find.

Unfixed renamed files on the server of course can allways be a security risk, allthough it's very unlikely these would/could be exploited (who knows the names of these files?), I would not take the risk on a live store.

Paul

[danberlyoung]

We have an osC shop set up and have BTS installed. We were hacked by the "SpyKids from Brazil" No real damage done but scared the heck out of us.

Anybody else get hit?