Threat Scanner for osC 2.3.x and BS Edge

for osCommerce Online Merchant v2.3

This contribution is an update of [TiM's osC Solutions] osCommerce Threat Scanner (https://apps.oscommerce.com/m5snQ). This is a fantastic tool for finding common vulnerabilities, and it had not been updated since 2010. So, I made some changes to make this addon compatible with osC v2.3.x and with BS Edge. I did not change much of the core code, and most of the credit goes to Tim.

The changes I made:
###################################
• Changed the header & footer and some HTML structure in /admin/threat_scanner.php to accommodate osC v2.3.x
• Commented out the file_manager.php scan (in /admin/threat_scanner.php), because that file was removed from osC a while back
• Changed the installation instructions for osC BS Edge
• Changed the installation instructions for osC v2.3.x
• Added a screenshot

Prerequisite:
###################################
You must be at least semi-technical and understand some basic HTML and PHP to make sense of the scan results.

How to use:
###################################
If your site was hacked and you need to find the problem file and the related infection code:
• Run the Threat Scanner
• Go to the results list, past the initial bulleted suggestions
• Review each result and compare the current file from that result to the same file in a recent backup (one taken before your site was hacked)
• When you find added code that does not exist in the backed-up copy of the same file (code that the Threat Scanner documents as a possible infection), upload the backed-up file to overwrite the infected file on the server
• ALWAYS back up any and all files to be worked on before attempting a repair!

Things to note:
###################################
• Some of the first 12 bulleted suggestions are based on scanning for older osC code and should only be considered as suggestions. If you understand code, take a look at the code logic of these suggestions in /admin/threat_scanner.php and you will see which ones are of value and which you can overlook.
For example: the vulnerability about not removing the /admin/define_language.php file is based on old osC issues with this file. I looked at the MS2.2 version and compared it to the latest version of BS Edge, and the only differences are that $HTTP_GET_VARS and $HTTP_POST_VARS were changed to $_GET and $_POST, and file names no longer require definitions. I'm not an expert on site security & vulnerabilities and I cannot tell you whether to remove that file or not. And, I could not get a valid answer from the BS Edge osC forum on this subject. So, basically, this is your call.
• Some of the first 12 bulleted suggestions also provide links to forums, articles, and addons, some of which are dead links. I did not spend time trying to replace any of those links. So, Google is your friend!
• I tested this addon with BS Edge (because that's the new site I'm working on) and it works great. I did not test this on any of the prior 2.3.x versions. However, after reviewing the code, I noticed that the main difference is that osC v2.3.x has filename definitions and BS Edge does not. So the included instruction sheet for v2.3.x should work without any problems for those versions as well.

One new file upload and several minor file changes. No database changes. This is a Full Package.

PS: if you know web application security and can add more vulnerability scan options to this addon, please do! And re-post. Thanks.

Changelog