osCommerce

Contact Us Form Security Possible Solution


ComicWisdom


Posted

I am converting an online store which I have been running for about a year from html to osc. I am far from being a php expert yet.

I thought I would share that method with you and ask a question about its usefulness in osc at the same time.

On my html site, I use cgi formmail scripts that have the mailing address embedded in them rather than have the email address on the page script.

For example I have in my cgi-bin/formmail folder these scripts:

storeowner.cgi
orderdept.cgi
suggestions.cgi
etc....

The appropriate email address is embedded inside the cgi script. (These still need work because they are not yet programmed to go to the designed confirmation page; instead they go to a dynamically generated default page.)

The question is: can this be adapted to use in osc?

Just between us, remember there are only 10 kinds of people in the world; those who understand binary and those who don't!!

 

Remember, learning is a "do-it-yourself" experience; although, not necessarily a "do-it-BY-yourself" experience.

 

The quickest way to learn is to forget to BACKUP!

Posted

You can find the contact_us.php security update here:

http://www.oscommerce.com/community/contributions,3534

Also:

Although the contribution http://www.oscommerce.com/community/contributions,3534 does contain some fixes, the below is much simpler and covers possible future exploits.

 

 

Fix:

The problem is caused when the input fields are within an if statement that checks to see if an action is set, and only then will it filter the inputs. Since it is possible that the condition of no action present in the url exists, then

  $error = false;
  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
    $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
    $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

should be:

  // Strip line breaks and a Content-Type token from the two fields that end
  // up in mail headers, before anything reads them. The same array that the
  // tep_db_prepare_input() lines read ($HTTP_POST_VARS) is sanitised here,
  // so the cleaned values are the ones actually used.
  $HTTP_POST_VARS['email'] = preg_replace("/\n/", " ", $HTTP_POST_VARS['email']);
  $HTTP_POST_VARS['name'] = preg_replace("/\n/", " ", $HTTP_POST_VARS['name']);
  $HTTP_POST_VARS['email'] = preg_replace("/\r/", " ", $HTTP_POST_VARS['email']);
  $HTTP_POST_VARS['name'] = preg_replace("/\r/", " ", $HTTP_POST_VARS['name']);
  $HTTP_POST_VARS['email'] = str_replace("Content-Type:", "", $HTTP_POST_VARS['email']);
  $HTTP_POST_VARS['name'] = str_replace("Content-Type:", "", $HTTP_POST_VARS['name']);

  $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
  $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
  $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

  $error = false;
  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

after

      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
      $enquiry = "";
      $name = "";
      $email = "";
    }

add:

  } else {
    // no action given: make sure nothing from the request reaches the form
    $enquiry = "";
    $name = "";
    $email = "";
  }

Posted

Furthermore:

Add

  // Remove injected headers
  $find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i", "/\;/i", "/\:/i", "/\n/i", "/\r/i");

  $email_address = preg_replace($find, " * ", $HTTP_POST_VARS['email']);
  $name = preg_replace($find, " * ", $HTTP_POST_VARS['name']);
  $enquiry = preg_replace($find, " * ", $HTTP_POST_VARS['enquiry']);
  // end remove injected headers

Just above

  $name = tep_db_prepare_input($name);
  $email_address = tep_db_prepare_input($email_address);
  $enquiry = tep_db_prepare_input($enquiry);
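Both fixes in this thread (the "should be" block in the earlier reply and the $find array in this one) rest on the same idea: the name and e-mail fields are placed into mail headers, a header is exactly one line, so any CR or LF in those fields lets the sender append headers of their own. The following is an added example, not osCommerce's contact_us.php and not the posters' code, that shows the same defence as a stand-alone PHP script and goes one step further with a reject-instead-of-rewrite check. The function names, the constructed sample submission and the example.com addresses are all this example's own.

```php
<?php
// Added example (not osCommerce code and not code from this thread):
// e-mail header injection defence for a contact form.
// Function names and the sample submission below are constructed.

// Values that end up in mail headers must be a single header line.
// As in the thread's $find array, line breaks and the header tokens an
// injected line would carry are replaced with a visible marker.
function sanitize_header_field($value)
{
    $find = array(
        '/\r|\n/',             // a line break would start a new header
        '/bcc\s*:/i',          // extra recipients
        '/cc\s*:/i',
        '/to\s*:/i',
        '/content-type\s*:/i', // MIME headers
        '/mime-version\s*:/i',
    );
    return trim(preg_replace($find, ' * ', (string) $value));
}

// Stricter alternative: a line break in a header-bound field cannot come
// from the real form, so refuse the request rather than patch it up.
function header_field_is_safe($value)
{
    return preg_match('/[\r\n]/', (string) $value) === 0;
}

// FILTER_VALIDATE_EMAIL accepts one well-formed address only, which
// already excludes line breaks and anything appended after them.
function email_is_valid($email)
{
    return filter_var((string) $email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample submission: the name field carries a line break and
// a Bcc header, the kind of input the thread's fixes are meant to catch.
$post = array(
    'name'    => "Alice\r\nBcc: someone-else@example.com",
    'email'   => 'alice@example.com',
    'enquiry' => 'Do you ship to Canada?',
);

$ok = true;
foreach (array('name', 'email') as $field) {
    if (!header_field_is_safe($post[$field])) {
        echo "Rejected: field '$field' contains a line break\n";
        $ok = false;
    }
}
if (!email_is_valid($post['email'])) {
    echo "Rejected: e-mail address is not valid\n";
    $ok = false;
}

if ($ok) {
    echo "Submission accepted\n";
} else {
    // If the store would rather keep the message than drop it, the
    // sanitised values are safe to put in a header: each is one line.
    $name = sanitize_header_field($post['name']);
    $email_address = sanitize_header_field($post['email']);
    echo "Sanitised name: $name\n";
    echo "Sanitised email: $email_address\n";
}
```

Only the fields that reach a header (name and e-mail address) need this treatment; the enquiry is passed to tep_mail() as the message body, where line breaks are legitimate, so running the thread's colon- and semicolon-stripping patterns over it mangles ordinary text without closing any header. Rejecting the submission is the simpler rule to reason about; the replacement variant is there for stores that prefer to keep the message.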

Posted

Thank you, I will definitely give that a try. It will be a while until I can test it; as I said, this store is just under development. The store on line is still all html.

:rolleyes:
