[PATCH] Blocking those pesky hackers
My wife's X-Cart website has been showing a large number of Users Online for the past few weeks, but the purchases aren't nearly equaling the number of visitors.
I decided to check out the type of traffic that she's getting, and found that many are hackers/bots that are trying to exploit different areas of the website. One such exploit that I've seen 20 of in the past hour is: /help.php?section=http://myweddingphotos.by.ru/image.php?
The URL that the hackers are passing varies. Many are trying to see if they can execute a remote inclusion apparently, and since this is the most popular attempt on our store right now, I've written some code to block such attempts and ban the user (bans use the Stop List module, if it's enabled).
As mentioned above, the Stop List module is used if detected to record bans, but if it's not enabled, that's fine, the patch will only block *immediate* hack attempts. When Stop List is enabled, that is when an IP ban will occur.
The attached zip file has a .patch file and a .sql file. You can apply both patches via the Patch/Upgrade section of the X-Cart Administration.
Additionally, this is for 4.1, I have not tested on any older versions of X-Cart.
NOTE: If you happen to block yourself from your own store, the blocked IPs are only blocked from the customer section, so you can still log in to your admin section, go to the Stop List section, and delete your IP address.
Once I enabled this mod, I noticed that our Users Online started being a bit more accurate, as this mod blocks the hack attempts before they get logged as a visitor.
This code only bans based on an "http://" value being passed in the query string. I'm not aware of X-Cart passing a full URL to itself in any query string parameters, but you need to be responsible for your own store by testing this thoroughly.
No need to ban your users because you didn't test the patch out.
I would specifically recommend testing multi-language websites, as that redirect method might pass a complete url, but I don't believe it does.
__________________
-Jon Langevin
WARNING: Unethical developer - NOT RECOMMENDED
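The detection rule the post describes (flag any query string parameter whose value is a full URL, block the request, and record an IP ban when a stop list is available) is simple enough to exercise outside X-Cart. The block below is an added example written for this thread, not the attached .patch, and it is in Python rather than PHP so it can be run against a few request lines without a store. The `RequestFilter` class, its `url_params_allowed` option and the sample request lines are constructed for illustration; the by.ru request is the one quoted in the post, the others are made up. It also covers two points the post only hints at: URL-encoded values (which a web server decodes before the application sees them) and an allowlist for parameters that legitimately carry a URL, which is the false-positive case the post warns about for multi-language setups.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample requests (client IP, request target). The first one is the
# attempt quoted in the post; the remaining lines are made up for this example.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/help.php?section=http://myweddingphotos.by.ru/image.php?"),
    ("203.0.113.5", "/help.php?section=HTTP://example.invalid/shell.txt??"),
    ("198.51.100.7", "/product.php?productid=42&cat=7"),
    ("198.51.100.7", "/cart.php?mode=checkout"),
    ("192.0.2.9", "/home.php?cat=0&lang=http%3A%2F%2Fexample.invalid%2Fx"),
]


def is_remote_url_value(value):
    """True when a decoded parameter value is a full http(s) URL."""
    v = value.strip().lower()
    return v.startswith("http://") or v.startswith("https://")


def suspicious_params(request_target, url_params_allowed=frozenset()):
    """Return the names of query parameters whose value is a remote URL.

    parse_qsl percent-decodes values, so an encoded http%3A%2F%2F... is caught
    the same way the raw form is. Parameters listed in url_params_allowed are
    skipped; that is where a store owner would list a parameter known to carry
    a URL legitimately (hypothetical option, not an X-Cart setting).
    """
    query = urlsplit(request_target).query
    return [
        name
        for name, value in parse_qsl(query, keep_blank_values=True)
        if name not in url_params_allowed and is_remote_url_value(value)
    ]


class RequestFilter:
    """Hypothetical filter mirroring the post's behaviour: always block a
    matching request; additionally ban the source IP when a stop list exists."""

    def __init__(self, stop_list_enabled=True, url_params_allowed=frozenset()):
        self.stop_list_enabled = stop_list_enabled
        self.url_params_allowed = frozenset(url_params_allowed)
        self.banned = set()  # stands in for the Stop List table

    def decide(self, ip, request_target):
        if ip in self.banned:
            return "banned"  # already on the stop list: refuse outright
        hits = suspicious_params(request_target, self.url_params_allowed)
        if not hits:
            return "allowed"
        if self.stop_list_enabled:
            self.banned.add(ip)
            return "blocked+banned"
        return "blocked"  # no stop list: block this request only


def run(requests, stop_list_enabled=True, url_params_allowed=frozenset()):
    """Apply the filter to a sequence of (ip, target) and return the decisions."""
    f = RequestFilter(stop_list_enabled, url_params_allowed)
    return [f.decide(ip, target) for ip, target in requests]


if __name__ == "__main__":
    for (ip, target), verdict in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS)):
        print(f"{verdict:15} {ip:14} {target}")
```

With the stop list enabled the second request from 203.0.113.5 is refused as "banned" even though it would have been blocked on its own merits; with it disabled each request is judged in isolation, which is exactly the difference the post describes. Passing `url_params_allowed={"lang"}` lets the last request through, illustrating how to exempt a parameter once you have confirmed your store really does pass a URL in it.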