
USING OsCOMMERCE TO SEND SPAM 'ALERT'


storm


I have just received an email from my ISP regarding the amount of spam spawning from my OsCommerce account; part of the email is below in italics. As you can see, my ISP is asking me to remove any vulnerabilities in the script.

The content of the 'contact_us.php' file (below in red) is there for your perusal.

Is there a way of ensuring that these scripts that the spammers are using can be modified as my ISP recommends?

Incidentally, I don't know where the scripts they are referring to are located, and I can't see anything referring to one in the code.

Obviously this is very urgent as my ISP has the right to ban me, so any early help would be more than appreciated.

It appears the spam has been sent via an insecurity in a vulnerable script on your system. In this case /catalog/includes/languages/english/contact_us.php

We would ask that you review the code on your website to remove any vulnerabilities that may allow the scripts to be abused to send emails.

<?php
/*
  $Id: contact_us.php,v 1.7 2002/11/19 01:48:08 dgw_ Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2002 osCommerce

  Released under the GNU General Public License
*/

define('HEADING_TITLE', 'Contact Us');
define('NAVBAR_TITLE', 'Contact Us');
define('TEXT_SUCCESS', 'Your enquiry has been successfully sent to the Store Owner.');
define('EMAIL_SUBJECT', 'Enquiry from ' . STORE_NAME);

define('ENTRY_NAME', 'Full Name:');
define('ENTRY_EMAIL', 'E-Mail Address:');
define('ENTRY_ENQUIRY', 'Enquiry:');
?>

read through this:

 

http://www.oscommerce.com/community/contri...arch,contact_us

:-)

Monika

 

addicted to writing code ... can't get enough of databases either, LOL!

 

my toolbox: Textpad - Compare and Merge - phpMyAdmin - WS_FTP - Photoshop - How to search the forum

 

Interactive Media Award July 2007 ~ category E-Commerce

my advice on the forum is for free, PMs where you send me work are considered consultation which I charge for ...


Thanx for the prompt reply - I have dl the contribution and am looking at the '2. Disallow emails to be sent FROM your domain.' portion - my problem is the instructions are to:

 

At the top of contact_us.php find:

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

Replace it with:

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send') && tep_email_isfromdomain($_POST['email'])) {
  $error = true;
  $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR);
} elseif (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

In my contact_us.php file, as you can see below, there is not the code you are referring to in there.

What would you suggest I do?


<?php
/*
  $Id: contact_us.php,v 1.7 2002/11/19 01:48:08 dgw_ Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2002 osCommerce

  Released under the GNU General Public License
*/

define('HEADING_TITLE', 'Contact Us');
define('NAVBAR_TITLE', 'Contact Us');
define('TEXT_SUCCESS', 'Your enquiry has been successfully sent to the Store Owner.');
define('EMAIL_SUBJECT', 'Enquiry from ' . STORE_NAME);

define('ENTRY_NAME', 'Full Name:');
define('ENTRY_EMAIL', 'E-Mail Address:');
define('ENTRY_ENQUIRY', 'Enquiry:');
?>


I suggest you open the catalog/contact_us.php ... what you posted here is your language file :thumbsup:

:-)

Monika

 



  • 1 year later...

Hi all

 

Just going through the Contact us Fix and under

 

"2. Disallow emails to be sent FROM your domain."

 

at the bottom it says

"Somewhere in /includes/languages/english/english.php add:

define('ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR', 'Your E-Mail Address appears to be from ' . HTTP_SERVER . '. To contact us, please use your valid email address.');"

 

I don't believe I have the above file in my version of osCommerce; is there another file I can insert the definition into to have the same effect?

I believe I'm running osCommerce V 1.22

Below are the full instructions for the fix, thanks

 

2. Disallow emails to be sent FROM your domain.

Commonly, the script that sends out spam emails sends them from your own domain. To stop that from happening with the contact us form, make the following changes.

At the top of catalog/includes/configure.php find:

define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');

Replace it with:

define('HTTP_COOKIE_DOMAIN', 'www.yourdomain.com');
define('HTTP_MAIL_DOMAIN', 'yourdomain.com');

At the top of contact_us.php find:

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

Replace it with:

if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send') && tep_email_isfromdomain($_POST['email'])) {
  $error = true;
  $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR);
} elseif (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

At the top of /includes/functions/validations.php add this function:

function tep_email_isfromdomain($email) {
  // split() is deprecated in PHP 5.3 and removed in PHP 7; explode() does the same job here
  $parts = explode('@', $email);
  if (count($parts) != 2) {
    return false;   // no single '@', so there is no domain part to compare
  }
  $domain = strtolower($parts[1]);
  // returns true when the address claims to come from the store's own mail domain
  if ($domain == strtolower(HTTP_MAIL_DOMAIN)) {
    return true;
  } else {
    return false;
  }
}

Somewhere in /includes/languages/english/english.php add:

define('ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR', 'Your E-Mail Address appears to be from ' . HTTP_SERVER . '. To contact us, please use your valid email address.');

Somewhere in /includes/languages/dutch/dutch.php add:

define('ENTRY_EMAIL_ADDRESS_ISFROMDOMAIN_ERROR', 'U geeft een email adres op van ' . HTTP_SERVER . '. Om contact met ons op te nemen, dient u een geldig email adres op te geven.');
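As an added example (not code from the contribution or from osCommerce), here is a stand-alone version of the domain check from step 2 above, the same check the earlier post quotes, with the inputs the original function does not handle: addresses without an '@', mixed case, surrounding whitespace, and subdomains of the store's domain (that last point goes beyond the contribution's exact-match test). HTTP_MAIL_DOMAIN is set to a constructed sample value, and the sample addresses are constructed too.

```php
<?php
// Added example, not part of the contribution or of osCommerce.
// Mirrors the HTTP_MAIL_DOMAIN define the contribution adds to configure.php;
// the value is a constructed sample.
define('HTTP_MAIL_DOMAIN', 'yourdomain.com');

// Returns true when the submitted address claims to be from the store's own
// mail domain, i.e. when the contact form should refuse to send it.
function tep_email_isfromdomain($email) {
    // Normalise so 'Bob@YourDomain.COM ' is not waved through on a case or space difference.
    $email = strtolower(trim($email));
    // Use the last '@' so a local part containing '@' in quotes still yields the real domain.
    $at = strrpos($email, '@');
    if ($at === false) {
        return false;          // no domain part at all; leave it to the normal e-mail validation
    }
    $domain = substr($email, $at + 1);
    $store  = strtolower(HTTP_MAIL_DOMAIN);
    if ($domain === $store) {
        return true;           // exact match, as in the contribution
    }
    // Generalisation beyond the contribution: mail.yourdomain.com also counts as "from our domain".
    $suffix = '.' . $store;
    return substr($domain, -strlen($suffix)) === $suffix;
}

// Constructed sample inputs, one per code path, with the expected verdict.
$samples = array(
    'spammer@yourdomain.com'     => true,
    'Spammer@YOURDOMAIN.com '    => true,
    'bot@mail.yourdomain.com'    => true,
    'customer@example.org'       => false,
    'customer@notyourdomain.com' => false,   // shares a suffix but is not a subdomain
    'no-at-sign'                 => false,
);
foreach ($samples as $addr => $expected) {
    $got = tep_email_isfromdomain($addr);
    printf("%-30s %s\n", $addr, $got === $expected ? 'ok' : 'MISMATCH');
}
```

The function keeps the contribution's convention that true means "reject", so it drops into the if/elseif block shown above unchanged.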


If you are really using osc v1.22, the first thing I would suggest you do is upgrade it to the 2.22 060817 update release. Or if it is a typo or misunderstanding of your osc version, then depending on your shop's language, replace the file name english.php with YOURLANGUAGE.php, e.g. french.php, spanish.php etc.

 

Ken

commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.

Yes, I am indeed using an old version. I was hoping it could be fixed without having to do a full upgrade (haven't researched into it but I'm guessing there will be some work [customisation etc] involved to get everything working as it was).

 

cheers


This may help make the upgrade easier for you:

http://www.oscommerce.com/community/contri...h,osc+2.2+patch

 

On further inspection it seems I have been mistaken as to the version of oscommerce; I believe from the "readme.txt" (below) that my version is indeed osCommerce 2.2 milestone 2 (2003)

 

"$Id: README,v 1.3 2003/07/12 09:38:07 hpdl Exp $

 

osCommerce 2.2 Milestone 2 Release Notes

Copyright © osCommerce 2003

 

Saturday 12th July, 2003"

 

Right, thanks for the help guys. Guess I first need to work my way through the 2003 and 2005 patches.


  • 1 month later...

I have solved my above problem in a way which I think is simpler and that nobody has mentioned. What I did was create a new page in the same way as you would create a FAQ/Ordering/About us page and just replaced the standard oscommerce "contact_us.php" and associated pages, thus removing the email fields that can be abused.

 

It's worked pretty well so far AFAIK.

in other words you don't have a contact us form anymore. And this is a good solution?


Archived

This topic is now archived and is closed to further replies.
