osCommerce

The e-commerce.

CONTACT VULNERABILITY & NAME ERROR


chooch


Hi

 

there is simply too much misinformation about the vulnerability in the contact.php page

 

after reading pages upon pages I can't for the life of me work out why someone hasn't put up a clear and concise file letting amateurs (like me) know what to do, as well as letting people who are new to osCommerce know of the problem.

 

i) can someone please advise on what the best solution is to fix the security hole in the contact page

 

ii) does that also have to be done to all pages that have a text field? if so, please can someone clarify what these pages are (by name)

 

iii) at the moment when the contact page is used, if you press enter without typing anything (or by leaving the name blank) an error message for the email address comes up - is it possible to fix this so that the 'name' and 'subject' cannot be left blank?

 

your help is appreciated, i hope someone can finally point me in the right direction

Upon receiving fixes and advice, too many people don't bother to post updates informing the forum of how it went. Until of course they need help again on other issues and they come running back!

 

Why receive the information you require in good faith for free, only to then have the attitude to ignore the people who gave it to you?

 

There's no harm in saying, 'Thanks, it worked'. On the contrary, it creates a better atmosphere.

 

CHOOCH

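Question iii) is a server-side validation problem: the stock form handler checks only the e-mail address, so a blank name triggers the e-mail error. The following is an added example written for this thread, not code from osCommerce or from any poster; it assumes a form that posts the fields name, email, subject and enquiry, and a PHP version where $_POST and filter_var() are available. Besides requiring the fields, it refuses line breaks in the values that end up in mail headers, which is the input a spammer needs to turn a contact form into a relay.

```php
<?php
// Added example, not osCommerce's own code: server-side validation for a
// contact form like contact_us.php, assuming the form posts the fields
// name, email, subject and enquiry. Returns the trimmed fields plus a
// list of errors; only a submission with no errors should reach the mailer.
function validate_contact_fields(array $post): array
{
    $fields = [];
    foreach (['name', 'email', 'subject', 'enquiry'] as $key) {
        $fields[$key] = trim((string)($post[$key] ?? ''));
    }
    $errors = [];

    // The stock page validates only the e-mail address, which is why a blank
    // name shows the e-mail error. Require every field the store expects.
    if ($fields['name'] === '')    { $errors[] = 'Please enter your name.'; }
    if ($fields['subject'] === '') { $errors[] = 'Please enter a subject.'; }
    if ($fields['enquiry'] === '') { $errors[] = 'Please enter your message.'; }
    if (filter_var($fields['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please enter a valid e-mail address.';
    }

    // Name, e-mail and subject are placed in mail headers (From:, Reply-To:,
    // Subject:). A line break inside them lets the sender append headers and
    // extra recipients, which is how a contact form gets abused as a spam
    // relay; refuse such input outright rather than trying to clean it.
    foreach (['name', 'email', 'subject'] as $key) {
        if (preg_match('/[\r\n]/', $fields[$key]) === 1) {
            $errors[] = 'The ' . $key . ' field contains invalid characters.';
        }
    }
    return ['fields' => $fields, 'errors' => $errors];
}

// Usage in the form handler (the action=send branch of the contact page):
$result = validate_contact_fields($_POST);
if ($result['errors'] === []) {
    // Hand $result['fields'] to the mailer here (tep_mail() in osCommerce).
} else {
    foreach ($result['errors'] as $message) {
        echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}
```

The same checks apply to every other page that passes visitor-typed text to the mailer, which is the question ii) asks about.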

I have read the posts about this, and as yet not one of them has actually pointed to a proven abuse of the contact_us script. Until I see some proof that this is a hack, and not just some panicky people reporting spam mail which is spoofing their mail address, I am not going to get into a lather about it.

 

Vger



well you have an online store... have you made any changes to your contact us page, or other pages with text fields?

 

thanks



I think Vger is very right!

 

I read many many posts about this and in the end it is most likely a robot or spider coming around and causing traffic fear and probs

 

but I must admit that general information on that issue and how to approach it, maybe from a team member or a very experienced user, would eliminate 80% of the posts on that

 

dahui



true, i agree...

 

it's a bit of a surprise that no-one from oscommerce has put out an official statement on this


I have not had the problem myself but from all accounts it seems like a bot attack.

 

See: http://www.oscommerce.com/forums/index.php?sho...ndpost&p=695124

 

If it's a bot attack and if someone is in a panic over it and they want a quick and dirty fix without worrying about coding they can change the contact_us.php file name in three places (or maybe a couple more if they're running multiple languages).

 

First off, change the name of contact_us.php to something else. Maybe contact_store.php or whatever, even contact__us.php.

 

Change the link in the column left box to match.

 

Then remembering whatever name you're using

 

In includes/filenames.php, line 33 change contact_us.php to the new name

 

Then last, change the name of the language contact_us.php.

 

For English it's /catalog/includes/languages/english/contact_us.php

 

Pretty simple but remember that this stops a bot that's looking for that specific file, not a real person.

 

The vulnerability is best fixed using one of the posted fixes see:

 

http://www.oscommerce.com/community/contributions,2976

 

But for a newbie or someone reluctant to mess around with code this is a simple fix that will stop bot attacks. It won't stop a human who manually uses the links.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)



I will try your advice and change my contact_us page name cause 'god knows' I have put every other fix that has been given both here and as contributions in and nothing works. I would like to say - I understand how these people feel - I keep getting unwanted emails (heaps of them) being dumped in my email account with all the tell tale signs of spam/spiders/bots whatever???? (xxxxxx@ourstore.com.au) but my business is being affected because I have been put on several spam blocks which stops my customers getting email confirmations of orders and accounts. This is extremely annoying and very difficult to explain to customers. Yes I would have to say, I am very surprised nobody is taking this really seriously. I know I am not being hacked per se, but it is bloody annoying and I have done everything I can - now I will try changing the name altogether. Maybe somebody can put a fix in the next release to stop this happening. :wacko:


I've modified the contact_us page so that it doesn't send anything anymore (no form, no button, no function), but spams are still getting through. The bots must be using some other page and call tep_mail directly.

Olivier

interfaSys sàrl

-----------------------

You'll love to use our solutions!

Rich Internet Applications and Usability


Have you made the changes detailed within the 051113 update? There are two which address the issue.

 

http://www.oscommerce.com/solutions/downloads


Yep, that's the first thing I did, then I modified contact_us, but there are also other pages that call tep_mail. The easiest and most inconvenient thing to do is to disable emailing altogether.

Olivier