
contact us fix code definition question.


stab

Posted

I'm trying to "install" the contact us fix (to prevent spams) and have come to step 4 where it says:

4. Contact form issue/ textarea bug.

For some reason the stripslashes on line 222 in includes/functions/html_output.php doesn't prevent the following bug:

https://www.site/contact_us.php?&name=1&ema...);%3C/script%3E

By adding strip_tags in front of the stripslashes on line 222, and also adding strip_tags to line 224 just for the heck of it, the problem is solved.

Below is what the modified file should look like.

221   if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
222     $field .= strip_tags(stripslashes($GLOBALS[$name]));
223   } elseif (tep_not_null($text)) {
224     $field .= strip_tags($text);
225   }

My code on those lines is (lines 217-231):

 

// Output a form pull down menu
function tep_draw_pull_down_menu($name, $values, $default = '', $parameters = '', $required = false) {
  $field = '<select name="' . tep_output_string($name) . '"';

  if (tep_not_null($parameters)) $field .= ' ' . $parameters;

  $field .= '>';

  if (empty($default) && isset($GLOBALS[$name])) $default = stripslashes($GLOBALS[$name]);

  for ($i=0, $n=sizeof($values); $i<$n; $i++) {
    $field .= '<option value="' . tep_output_string($values[$i]['id']) . '"';
    if ($default == $values[$i]['id']) {
      $field .= ' SELECTED';
    }

What should my fixed code look like??? I kinda feel stupid on this one... :blush:

Posted

There is a contrib for an enhancement of the contact us page that has this already implemented, or you could download the ms2 update 05113 and compare or replace the file that you need to.

Posted

Hmm, I compared the includes/functions/html_output.php from the oscommerce-2.2ms2-051113 update and my installed version and the code is the same on those lines, so I might already have the latest update.

From the update-20051113.txt:

Contact Us Form XSS Issue

http://www.oscommerce.com/community/bugs,2422

------------------------------------------------------------------------------

Problem:

By using malicious data it is possible to inject HTML into the page.

Solution:

Lines 221-225 in catalog/includes/functions/html_output.php must be changed from:

    if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
      $field .= stripslashes($GLOBALS[$name]);
    } elseif (tep_not_null($text)) {
      $field .= $text;
    }

to:

    if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
      $field .= tep_output_string_protected(stripslashes($GLOBALS[$name]));
    } elseif (tep_not_null($text)) {
      $field .= tep_output_string_protected($text);
    }

(Lines 218-240 are the // Output a form pull down menu and don't even come close to that code.)

But I have this on line 169:

// Output a form textarea field
function tep_draw_textarea_field($name, $wrap, $width, $height, $text = '', $parameters = '', $reinsert_value = true) {
  $field = '<textarea name="' . tep_output_string($name) . '" wrap="' . tep_output_string($wrap) . '" cols="' . tep_output_string($width) . '" rows="' . tep_output_string($height) . '"';

  if (tep_not_null($parameters)) $field .= ' ' . $parameters;

  $field .= '>';

  if ( (isset($GLOBALS[$name])) && ($reinsert_value == true) ) {
    $field .= tep_output_string_protected(stripslashes($GLOBALS[$name]));
  } elseif (tep_not_null($text)) {
    $field .= tep_output_string_protected($text);
  }

  $field .= '</textarea>';

  return $field;
}

But how do I check what version I have installed, to be sure what version I have? (I installed from my web manager a couple of weeks ago so I guess it should be the latest version... but you never know.)

So in other words... if I have the latest version I already have this fixed and don't need to bother?????
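To make the difference between the "changed from" and "changed to" lines concrete, here is an added, stand-alone example; it is not osCommerce's own code and not from anyone in this thread. The helper bodies (tep_not_null, tep_output_string, tep_output_string_protected) are assumed simplifications of includes/functions/html_output.php, the `textarea_open()` helper and the `_before`/`_after` function names are my own, and the `$GLOBALS['enquiry']` value is a constructed sample standing in for what a query-string parameter lands as under register_globals.

```php
<?php
// Added example, not osCommerce's own code: minimal stand-ins for the helpers
// used by tep_draw_textarea_field() so the update-20051113 change can be run
// stand-alone and compared against the unpatched version. The helper bodies
// below are assumed simplifications of includes/functions/html_output.php.

function tep_not_null($value) {
    if (is_array($value)) return count($value) > 0;
    return ($value !== null && $value !== '' && strtolower((string)$value) !== 'null');
}

// Attribute output: the real helper only rewrites double quotes unless
// $protected is set; assumed simplification.
function tep_output_string($string, $translate = false, $protected = false) {
    if ($protected) return htmlspecialchars((string)$string);
    return str_replace('"', '&quot;', (string)$string);
}

// The function the official fix switches to: HTML-encodes <, >, & and quotes.
function tep_output_string_protected($string) {
    return tep_output_string($string, false, true);
}

// Shared opening tag (assumed helper) so the two variants differ only in the
// equivalent of lines 221-225.
function textarea_open($name, $wrap, $width, $height, $parameters) {
    $field = '<textarea name="' . tep_output_string($name) . '" wrap="' . tep_output_string($wrap)
           . '" cols="' . tep_output_string($width) . '" rows="' . tep_output_string($height) . '"';
    if (tep_not_null($parameters)) $field .= ' ' . $parameters;
    return $field . '>';
}

// "Changed from" version: the re-inserted value goes into the page verbatim.
function tep_draw_textarea_field_before($name, $wrap, $width, $height, $text = '', $parameters = '', $reinsert_value = true) {
    $field = textarea_open($name, $wrap, $width, $height, $parameters);
    if ((isset($GLOBALS[$name])) && ($reinsert_value == true)) {
        $field .= stripslashes($GLOBALS[$name]);
    } elseif (tep_not_null($text)) {
        $field .= $text;
    }
    return $field . '</textarea>';
}

// "Changed to" version from update-20051113: the value is HTML-encoded first.
function tep_draw_textarea_field_after($name, $wrap, $width, $height, $text = '', $parameters = '', $reinsert_value = true) {
    $field = textarea_open($name, $wrap, $width, $height, $parameters);
    if ((isset($GLOBALS[$name])) && ($reinsert_value == true)) {
        $field .= tep_output_string_protected(stripslashes($GLOBALS[$name]));
    } elseif (tep_not_null($text)) {
        $field .= tep_output_string_protected($text);
    }
    return $field . '</textarea>';
}

// Check to run after patching html_output.php: the submitted value must not be
// able to close the textarea, i.e. the only '</textarea>' in the output is the
// one appended by the function and the value's angle brackets come out encoded.
function textarea_value_is_contained($html) {
    return substr_count($html, '</textarea>') === 1
        && strpos($html, '&lt;/textarea&gt;') !== false;
}

// Constructed sample input: with register_globals on (as osCommerce 2.2
// required), ?enquiry=... lands in $GLOBALS['enquiry'] exactly like this.
$GLOBALS['enquiry'] = '</textarea><b>injected</b><textarea>';

$before = tep_draw_textarea_field_before('enquiry', 'soft', 50, 15);
$after  = tep_draw_textarea_field_after('enquiry', 'soft', 50, 15);

echo "before: $before\n";   // the value closes the textarea early and its markup is rendered
echo "after:  $after\n";    // the value stays inside the textarea as encoded text

assert(textarea_value_is_contained($before) === false);
assert(textarea_value_is_contained($after) === true);
```

Two points worth noting when comparing this with the strip_tags approach from step 4 of the contrib. First, htmlspecialchars keeps the customer's text intact (a message containing "<" or ">" is still delivered) while making it inert in the page, whereas strip_tags silently discards anything that looks like a tag. Second, the encoding is applied where the value is written into HTML, which is why the official fix lives in html_output.php rather than in contact_us.php; every form that re-inserts a submitted value through these helpers is covered at once.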

Posted

It really depends on your web host and what they did to the osC files. I won't mention my previous host's name but they had like the first run of osC ms2. Needless to say this is one reason why I switched hosts, among other reasons.

 

Myself, what I did before I got rid of them was I installed a store like you do with a click and then I replaced all the files with the original files that you downloaded from here. This way all security updates and other bug fixes are in place.

 

My current host has the 051113 updates and is extremely knowledgeable when it comes to osC.

Posted

Thanks.

I have compared the code in the update-20051113.txt and my files (the code sometimes is on a different line but I have installed some contributions) and they are the same as the "change to this" code in the update-20051113.txt.

 

So I'm pretty sure I have the latest version but I'll check with my hosting company to be sure.

They even offer a "PRO web host account" with osCommerce and a payment solution integrated in the service (I use a different service).

Archived

This topic is now archived and is closed to further replies.
