ComicWisdom Posted September 4, 2006

I am converting an online store which I have been running for about a year from HTML to osC. I am far from being a PHP expert yet. I thought I would share that method with you and ask a question about its usefulness in osC at the same time. On my HTML site, I use CGI formmail scripts that have the mailing address embedded in them rather than have the email address on the page script. For example, I have in my cgi-bin/formmail folder these scripts: storeowner.cgi, orderdept.cgi, suggestions.cgi, etc.... The appropriate email address is embedded inside the CGI script. (These still need work because they are not yet programmed to go to the designed confirmation page; instead they go to a dynamically generated default page.) The question: can this be adapted for use in osC?

Just between us, remember there are only 10 kinds of people in the world: those who understand binary and those who don't!! Remember, learning is a "do-it-yourself" experience; although, not necessarily a "do-it-BY-yourself" experience. The quickest way to learn is to forget to BACKUP!
pyramids Posted September 4, 2006

You can find the contact_us.php security update here: http://www.oscommerce.com/community/contributions,3534

Also: although the contribution http://www.oscommerce.com/community/contributions,3534 does contain some fixes, the below is much simpler and covers possible future exploits.

Fix: the problem is caused when the input fields are within an if statement that checks to see if the action isset; then it will filter the inputs. Since it is possible that the condition of no action present in the URL then exists:

    $error = false;
    if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
      $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
      $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
      $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

should be:

    // Strip line breaks and an injected Content-Type header from the two fields
    // that end up in the mail headers. This must be done on the same array that
    // is read below: $HTTP_POST_VARS and $_POST are separate copies in PHP 4.1
    // and later, so cleaning $_POST would leave $HTTP_POST_VARS untouched.
    $HTTP_POST_VARS['email'] = preg_replace("/\n/", " ", $HTTP_POST_VARS['email']);
    $HTTP_POST_VARS['name'] = preg_replace("/\n/", " ", $HTTP_POST_VARS['name']);
    $HTTP_POST_VARS['email'] = preg_replace("/\r/", " ", $HTTP_POST_VARS['email']);
    $HTTP_POST_VARS['name'] = preg_replace("/\r/", " ", $HTTP_POST_VARS['name']);
    $HTTP_POST_VARS['email'] = str_replace("Content-Type:", "", $HTTP_POST_VARS['email']);
    $HTTP_POST_VARS['name'] = str_replace("Content-Type:", "", $HTTP_POST_VARS['name']);

    // Filter the inputs unconditionally, before the action check.
    $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
    $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

    $error = false;
    if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {

after

      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
      $enquiry = "";
      $name = "";
      $email = "";
    }

add:

    } else {
      // No action=send in the URL: clear the form values so nothing unfiltered is reused.
      $enquiry = "";
      $name = "";
      $email = "";
    }
pyramids Posted September 4, 2006

Furthermore, add:

    // Remove injected headers: header names, separators and line breaks are
    // replaced with " * " so they can no longer form a new header line.
    $find = array("/bcc\:/i", "/Content\-Type\:/i", "/cc\:/i", "/to\:/i", "/\;/i", "/\:/i", "/\n/i", "/\r/i");
    $email_address = preg_replace($find, " * ", $HTTP_POST_VARS['email']);
    $name = preg_replace($find, " * ", $HTTP_POST_VARS['name']);
    $enquiry = preg_replace($find, " * ", $HTTP_POST_VARS['enquiry']);
    // end remove injected headers

just above:

    $name = tep_db_prepare_input($name);
    // Pass the cleaned $email_address through, not $email, or the stripping above is lost.
    $email_address = tep_db_prepare_input($email_address);
    $enquiry = tep_db_prepare_input($enquiry);
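As an added illustration of what the header stripping in the two posts above defends against (this is not code from the thread or from osCommerce): a stand-alone PHP script that builds the From: and Reply-To: headers the way a naive contact form would, feeds it a constructed address with an embedded newline so the extra Bcc: header becomes visible, and then shows a version that rejects any header value containing CR or LF and validates the address instead of replacing known header names. The functions build_headers_naive(), is_safe_header_value(), clean_email_address() and build_headers_safe() and the sample input are assumptions made for this example; filter_var() requires PHP 5.2 or later.

```php
<?php
// Added example, not code from the thread or from osCommerce. It shows the
// mechanism the fixes above defend against: a CR or LF in a form field that
// is pasted into mail headers lets the sender append headers of their own.
// Nothing is sent; the header strings are only built and printed.

// How a naive contact form assembles headers from user input. This stand-in
// is hypothetical; osCommerce's tep_mail() builds its headers internally.
function build_headers_naive($name, $email) {
    return "From: " . $name . " <" . $email . ">\r\n"
         . "Reply-To: " . $email . "\r\n";
}

// Constructed attacker input. A browser submits this as
// email=victim%40example.com%0ABcc%3A+spamlist%40example.org and PHP has
// already URL-decoded it by the time it sits in $HTTP_POST_VARS, so the
// check below only has to look for literal CR/LF bytes.
$injected_email = "victim@example.com\nBcc: spamlist@example.org";

// The printed block contains a Bcc: line the store never intended to send.
echo build_headers_naive("Alice", $injected_email);

// Hardened version: reject rather than patch. A value destined for a header
// must not contain CR or LF at all, and the address is validated instead of
// having known header names replaced (a blacklist misses the next header name).
function is_safe_header_value($value) {
    return preg_match('/[\r\n]/', $value) === 0;
}

function clean_email_address($email) {
    if (!is_safe_header_value($email)) {
        return false;
    }
    // filter_var() needs PHP 5.2+; on the PHP 4 era installs this thread
    // targets, tep_validate_email() fills the same role.
    return (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) ? $email : false;
}

function build_headers_safe($name, $email) {
    $email = clean_email_address($email);
    if ($email === false || !is_safe_header_value($name)) {
        // Caller treats this like a failed tep_validate_email(): show
        // ENTRY_EMAIL_ADDRESS_CHECK_ERROR and do not call mail().
        return false;
    }
    // Quote the display name so '<', '>' and '"' cannot reshape the From: line.
    $name = str_replace(array('"', '<', '>'), '', $name);
    return "From: \"" . $name . "\" <" . $email . ">\r\n"
         . "Reply-To: " . $email . "\r\n";
}

// Both injected inputs are refused; only the clean pair yields headers.
var_dump(build_headers_safe("Alice", $injected_email));
var_dump(build_headers_safe("Alice\r\nCc: x@example.org", "alice@example.com"));
echo build_headers_safe("Alice", "alice@example.com");

// The enquiry text goes in the message body, which mail() takes as a separate
// argument from the headers, so line breaks there are harmless and can stay.
```

Run it with `php header_injection_demo.php`: the first block of output shows the naive From: line split across two lines with an attacker-supplied Bcc: in between, and the hardened builder returns false for both injected inputs while still producing headers for the clean address. Rejecting the submission is the safer design choice because a replacement list has to be extended every time someone thinks of another header name, whereas the presence of a line break in a header value is never legitimate.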
ComicWisdom (Author) Posted September 4, 2006

Thank you, I will definitely give that a try. It will be a while until I can test it; as I said, this store is just under development. The store online is still all HTML. :rolleyes:
Archived
This topic is now archived and is closed to further replies.