osCommerce

Security Flaw v.2.2 milestone 2 ???


strandel


A customer reported that when he visited the osCommerce shop he saw the content of another customer in the shopping cart (products and name of the customer).

 

I checked it. The customer told the truth. All the data he mentioned in his e-mail to me was correct.

 

How is it possible that person (a) can see the content of the shopping cart of customer (b)? Is this a session problem? What can I do to prevent such things in the future?

 

Help is very much appreciated.

 

Regards Hans


It's possible if there was a URL listed on a search engine with a valid session_id appended to it; there are settings in admin->configuration->sessions to prevent this. It is also good to force cookies.

 

Matti


Thanks for the fast reply. I will adjust the session settings. Take care.

 

Regards Hans

What is your setting for

 

define('STORE_SESSIONS', ''); // leave empty '' for default handler or set to 'mysql'

 

This should be

 

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'



I don't recommend Force Cookies, though that is one solution. You can turn on the "check IP" or "check user agent", but I've had trouble with "check IP" with some customers and had to leave it off.

 

Note that for session reuse to happen, user A would need to save the URL with the osCid in it and someone else would have to use it. This typically doesn't happen with search engines which, even if they do get a session ID, have no user info in their carts.

 

I agree with AlanR that storing the sessions in the database is best and may solve this problem for you.

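The two replies above describe the mechanism (a URL carrying a valid osCsid that gets bookmarked, e-mailed or indexed, so whoever opens it lands in that customer's session) and the admin switches that counter it (Force Cookie Use, Check User Agent, Check IP Address, Recreate Session). The block below is an added example, not osCommerce's own code, showing the same mitigations written directly against PHP's native session API (PHP 7.4 or later assumed). The cookie name osCsid is osCommerce's; the helper name on_customer_login, the cookie flags and the redirect step are illustrative assumptions. IP binding is deliberately left out, for the reason given above: customers behind rotating proxies get thrown out of their session.

```php
<?php
// Added example (not osCommerce code): thread's session mitigations on PHP's
// native session API. Assumes PHP >= 7.4. Cookie flags, the helper name and
// the redirect step are illustrative assumptions.
declare(strict_types=1);

// 1. The failure mode: /product_info.php?osCsid=<valid id> in a bookmark or a
//    search index attaches whoever opens it to that session, and so to that
//    customer's cart. Refuse IDs carried in the URL and never rewrite links
//    to include one (the "Force Cookie Use" admin setting).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse IDs the server never issued; this also blocks session fixation
// with an attacker-chosen ID.
ini_set('session.use_strict_mode', '1');

session_name('osCsid');
session_set_cookie_params([
    'lifetime' => 0,                                            // browser session only
    'path'     => '/',
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 2. "Check User Agent" by hand: bind the session to a hash of the UA string
//    and start over on mismatch. "Check IP Address" is omitted on purpose;
//    customers behind rotating proxies would be logged out by it.
$uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
if (isset($_SESSION['ua_hash']) && !hash_equals($_SESSION['ua_hash'], $uaHash)) {
    $_SESSION = [];               // drop the other visitor's cart, not ours
    session_regenerate_id(true);  // fresh ID; old session file/row deleted
}
$_SESSION['ua_hash'] = $uaHash;

// 3. "Recreate Session" on login: issuing a fresh ID at the moment of
//    authentication means an ID shared or captured beforehand buys nothing
//    afterwards. Hypothetical helper name.
function on_customer_login(int $customerId): void
{
    session_regenerate_id(true);
    $_SESSION['customer_id'] = $customerId;
}

// 4. Hygiene for old bookmarks: if an osCsid still arrives in the query
//    string (PHP already ignores it thanks to use_only_cookies), redirect to
//    the same URL without it so the value is not re-shared via Referer
//    headers or a fresh bookmark.
if (isset($_GET['osCsid'])) {
    unset($_GET['osCsid']);
    $clean = strtok($_SERVER['REQUEST_URI'], '?');
    if ($_GET !== []) {
        $clean .= '?' . http_build_query($_GET);
    }
    header('Location: ' . $clean, true, 302);
    exit;
}
```

Place this before any output on every page. Step 1 alone closes the hole described in the thread; steps 2 to 4 limit the damage if an ID still leaks, and step 3 is the one worth keeping even on a shop that does not use the rest.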

Thanks everybody for the help.

 

I changed the line

 

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

So far everything runs smoothly.


I am still facing the problem even though the configure file has it defined as:

 

define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

Please advise and help, thanks.


Do this and it is guaranteed to work.

 

- Go to admin > sessions.

Set every single attribute to False EXCEPT 'Prevent spider sessions'.

- The first attribute says which folder is to be used to store sessions. Hmm... maybe it's tmp (by default).

Go to the admin folder of your site using FTP or locally and see if you have THAT folder there. If not, then create it.

Right-click on the folder and change the mode to 777, or set all to be writable, executable, readable, etc.

 

Do the same even if the folder is there: change the mode to 777 using an FTP client.

Then open includes/configure.php.

 

Check that the lines people were talking about read:

 define('USE_PCONNECT', 'false'); // use persistent connections?
 define('STORE_SESSIONS', 'mysql'); // leave empty '' for default handler or set to 'mysql'

 

Post a message back whether it works or not. If not, then also PM me; I will try to help you by checking some stuff. I am sure it will solve it.

 

BTW forcing cookies is never a good idea.

 

thanks,

dan

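Both AlanR's suggestion (STORE_SESSIONS set to 'mysql') and the procedure above move session data off the filesystem. The block below, added here and not osCommerce's own handler, shows what a MySQL-backed session store looks like on PHP's SessionHandlerInterface; the table name, column names and connection details are assumptions (PHP 7.4 or later, PDO with the MySQL driver). One caveat on the folder step above: a session directory set to mode 777 is readable and writable by every other account on a shared host, which is itself a way for session files to be read or overwritten, so on shared hosting the database store is the better fix rather than a world-writable folder.

```php
<?php
// Added example (not osCommerce code): a MySQL-backed session store in the
// spirit of STORE_SESSIONS = 'mysql'. Assumes PHP >= 7.4 and PDO/MySQL.
// Table layout (illustrative assumption):
//
//   CREATE TABLE sessions (
//     sesskey VARCHAR(128) NOT NULL PRIMARY KEY,
//     expiry  INT UNSIGNED NOT NULL,
//     value   MEDIUMBLOB   NOT NULL,
//     KEY idx_expiry (expiry)
//   );
declare(strict_types=1);

final class MysqlSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $lifetime;

    public function __construct(PDO $db, int $lifetime = 1440)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;   // seconds of inactivity before expiry
    }

    public function open($savePath, $sessionName): bool { return true; }
    public function close(): bool { return true; }

    public function read($id): string
    {
        // An expired row is treated like an unknown ID: returning '' makes
        // PHP start an empty session instead of reviving stale cart data.
        $stmt = $this->db->prepare(
            'SELECT value FROM sessions WHERE sesskey = ? AND expiry > ?'
        );
        $stmt->execute([$id, time()]);
        $value = $stmt->fetchColumn();
        return $value === false ? '' : (string) $value;
    }

    public function write($id, $data): bool
    {
        // Upsert keyed on the session ID; every page view refreshes expiry.
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (sesskey, expiry, value) VALUES (?, ?, ?)
             ON DUPLICATE KEY UPDATE expiry = VALUES(expiry), value = VALUES(value)'
        );
        return $stmt->execute([$id, time() + $this->lifetime, $data]);
    }

    public function destroy($id): bool
    {
        // Called by session_destroy() and session_regenerate_id(true), so an
        // old ID really is gone once a fresh one has been issued.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE sesskey = ?');
        return $stmt->execute([$id]);
    }

    #[\ReturnTypeWillChange]   // int|false on PHP 8.1+, bool on older PHP
    public function gc($maxLifetime)
    {
        // Sweep expired rows; PHP invokes this according to session.gc_probability.
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expiry < ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

// Wiring it in (connection details are placeholders):
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'shop_user',
    'shop_password',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);
session_set_save_handler(new MysqlSessionHandler($pdo, 1440), true);
ini_set('session.use_only_cookies', '1');   // still needed; storage alone does
ini_set('session.use_strict_mode', '1');    // not stop a leaked ID in a URL
session_start();
```

Note the last three lines: moving sessions into the database fixes where the data lives, not how the ID travels. If an ID is still accepted from the query string, a bookmarked URL opens the same row in the table just as it opened the same file in tmp.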

6 months later...
[quoting dan's reply above]
 

I received the following email from one of my customers today:

 

"I was going to order by credit card but when I got to payment, '24 oxo beef cubes' popped up on my order list (I didn't order 24 oxo cubes!) so I decided to order by mail."

 

Obviously people are sharing carts. I have done everything you said. I phoned the customer and she is going to get back to me later today. I want to see if the OSCID is in her bookmark or not.

 

Any other ideas how to stop this problem.

 

Thanks,

 

Donna


Archived

This topic is now archived and is closed to further replies.
