Dennisra Posted February 8, 2008
> Uploaded full package with the code changes in place for sql injection prevention and sanatization of the string.
Thanks for doing that!
♥FWR Media Posted February 8, 2008 (edited)
> Uploaded full package with the code changes in place for sql injection prevention and sanatization of the string.
I'm disgusted at you Mr McArther!!!! sanatization indeed!! It's bad enough to have to write center instead of centre when coding, and from a man of Scotland too :o
Edited February 8, 2008 by Babygurgles
Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls | KissMT Dynamic SEO Meta & Canonical Header Tags | KissER Error Handling and Debugging | KissIT Image Thumbnailer | Security Pro - Querystring protection against hackers ( a KISS contribution ) | If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
Kilaz Posted February 8, 2008
This is a pretty nasty one, especially for those that store credit card numbers in their database! This same exploit can be used to pull credit card numbers and expiration dates. I've seen some attempts at pulling that information from one of my sites but luckily I don't keep CCs in the database. I looked at the access log and see this same exploit used way back in August!! So it's been around a while but we haven't heard about it till now when the script kiddies got a hold of it.
c-71-229-238-169.hsd1.co.comcast.net - - [29/Aug/2007:14:38:29 -0400] "GET /customer_testimonials.php?products_id=11&&testimonial_id=-8+union+select+1,2,cc_number,4,5,1,1,1+from+orders/* HTTP/1.1" 200 58608 "-" "Mozilla/6.0 (Firefox; Windows NT 5.2)"
Is the user information stored in the database encrypted? How hard is it for these script kiddies to decrypt?
Rezolles_Net (Author) Posted February 9, 2008
> Uploaded full package with the code changes in place for sql injection prevention and sanatization of the string.
Is it ONLY for those who want to upgrade? Or CLEAN installation files? I'm getting confused here... Where is the code that has been changed to fix the security issue? Thx
Robbogeordie Posted February 9, 2008
The code changes discussed here are in the new package, but you can alter your already installed version with the fixes. Download this and compare your catalog/customer_testimonials.php file against the new one and make the security changes - they are on lines 54-55 and right at the end of the file. Thanks for your help Robert and Arther!
Robbogeordie Posted February 9, 2008
By the way, could someone post a warning on the Customer Testimonials v1.0 contribution page with a link to this thread to stop anyone installing it without the fixes. I'm not sure how to or I'd do it.
Rezolles_Net (Author) Posted February 9, 2008
I've installed the fix and it's working... But I don't know whether it's "safe" or maybe got another bug... Hurm... I'm thinking to use "captcha" to prevent bots from spamming the form.. get what I mean? Anybody had done it?
warrenerjm Posted February 9, 2008
> I don't use "customer added" testimonials so can't really comment. I add mine via admin. If I were to have a customer added form for this I would ..
> 1) Use a captcha
> 2) Record in the db each form attempt based on IP and if more than x occurred in 1 minute block the IP (from the form)
> 3) Validate the $_POST against "off site" posting by having a unique token in the $_POST and $_SESSION that are compared for validity before processing the form
Hi Robert
Could you explain how I could do the above please?
1) I looked at captcha but don't understand how to implement it.
2) :huh:
3) :huh:
I guess the alternative would be to direct the submit button to the contact us form (with a dropdown feedback) instead of to the customer_testimonial_write.php
Thanks Julie
♥FWR Media Posted February 9, 2008
> Hi Robert. Could you explain how I could do the above please? 1) I looked at captcha but don't understand how to implement it. 2) :huh: 3) :huh: I guess the alternative would be to direct the submit button to the contact us form (with a dropdown feedback) instead of to the customer_testimonial_write.php. Thanks Julie
It's a little too complex just to explain Julie. And I'm not writing it.
warrenerjm Posted February 9, 2008
> It's a little too complex just to explain Julie. And I'm not writing it.
Understand. :) I may go down the "contact us page" route as I can still use the admin to add them myself.
Thanks Julie
monito Posted February 13, 2008
Put something like this at the top of the customer_testimonials file (Obviously don't use the php tags if already being parsed by php):
  <?php
  #### FWR Media Deal with hackers
  // If testimonial_id is present on the querystring but is not numeric, stop the request here.
  ( (isset($HTTP_GET_VARS['testimonial_id']) && !is_numeric($HTTP_GET_VARS['testimonial_id']) === true) ? deal_with_hacker() : NULL );

  function deal_with_hacker() {
    $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    die('<div align="center" style="width: 80%; border: 1px solid red; color: red; background-color: #ffffcc; padding: 10px; font-size: 10pt;">
      <b>HACKING ATTEMPT ON QUERYSTRING!</b><p />Logging IP ... ' . $_SERVER['REMOTE_ADDR'] . '<br />Logging host ... ' . $hostname . '<br />
      </div>');
  }
  ### End deal with hackers
  ?>
This is actually a simpler method of what we did before. It works like a Champ!!!! Thanks a lot; if anyone is interested I have been logging all the IPs that have been trying this hack. I added the following to my .htaccess (I know that it will be hard to get them all, but at least it will piss them off!!!):
  order allow,deny
  [the poster's list of "deny from <IP>" lines omitted]
  allow from all
I hope mine is not here... since I have been testing with it... :angry:
unyil Posted February 15, 2008
Hi. I already installed the customer testimonial v.3.2. My problem is when you already input the testimonial form and you submit it, it counts as 1 testimonial. But when you refresh it, it will recreate the same testimonial. Can anyone help me to solve this problem? Or maybe remove the input box, so it will not recreate the testimonial? Any solution to this would be very helpful. Thanks for helping.
demoalt Posted February 18, 2008
Another fix is to ensure the contents of your variables. The sql injection is possible due to a variable testimonials_id which is passed like that... A simple cast and a limitation in the SQL query make it safer.... This script is also vulnerable to cross-site scripting if the user input is displayed. You should in general in your website ensure all variables input by the user are sanitized. I have myself clean/clear all "GET and POST" variables directly in the application_top.php. By default, all HTML code is forbidden (use strip_tags). Here is my modified code in customers_testimonials.php, uploaded in the old version of customers_testimonials (2.1 version) in case people directly download version 2.0 and not 3.X:
  if ($testimonial_id != '') {
    // The (int) cast turns anything that is not a number into 0, so a "union select" payload never reaches MySQL.
    $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = '" . (int)$testimonial_id . "' LIMIT 1");
  }
If my code is not sufficient, please let me know.
http://www.oscommerce.com/community/contri...rs_testimonials
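The two fixes in this thread (the non-numeric check from FWR Media's snippet and demoalt's (int) cast) plus output escaping for the XSS point, combined into one added example. This is not code from the contribution or from any poster; `clean_testimonial_id`, `testimonial_query_sql` and `display_testimonial` are assumed helper names, while `tep_db_query`, `tep_redirect`, `tep_href_link`, `TABLE_CUSTOMER_TESTIMONIALS` and `FILENAME_CUSTOMER_TESTIMONIALS` are osCommerce's own.

```php
<?php
// Added example, not the contribution's code. Helper names are assumptions.

// Accept a testimonial id only if it is a plain run of digits.
// is_numeric() alone also accepts "1.5", "1e3" and leading spaces, so the
// stricter ctype_digit() test is used here. The (int) cast in the query is
// what actually makes the value safe; this check just lets you reject and log.
function clean_testimonial_id($raw) {
  if (!is_string($raw) || !ctype_digit($raw)) {
    return false;          // e.g. "-1 union select ..." is refused here
  }
  $id = (int)$raw;
  return ($id > 0) ? $id : false;
}

// Build the lookup query from the cast value only; never interpolate $raw.
function testimonial_query_sql($id) {
  return "select * from " . TABLE_CUSTOMER_TESTIMONIALS
       . " where testimonials_id = '" . (int)$id . "' limit 1";
}

// Escape a stored testimonial before echoing it (the cross-site scripting
// point demoalt raised): tags become text, quotes are encoded.
function display_testimonial($text) {
  return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Usage in customer_testimonials.php (osCommerce 2.2 style superglobal):
$raw_id = isset($HTTP_GET_VARS['testimonial_id']) ? $HTTP_GET_VARS['testimonial_id'] : '';
$testimonial_id = clean_testimonial_id($raw_id);
if ($testimonial_id === false) {
  // Record $_SERVER['REMOTE_ADDR'] here if you keep a log like monito's, then bounce.
  tep_redirect(tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS));
}
$full_testimonial = tep_db_query(testimonial_query_sql($testimonial_id));
?>
```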
unyil Posted February 18, 2008
> You should in general in your website ensure all variables input by the user are sanitized. I have myself clean/clear all "GET and POST" variables directly in the application_top.php
--> what do you mean? Anyway I already tried the code that you wrote. Still not working if you refresh while you are in the same page after you input one testimonial. Thanks for your input. Wait for another input from you. ^^
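Robert's points 2) and 3) earlier in the thread (a per-IP attempt counter and a form token compared between $_POST and $_SESSION), written out as an added example; because the token is cleared after one use, it also stops the refresh re-posting the same testimonial that unyil describes. This is not code from the contribution or from any poster. It assumes application_top.php has already started the session, a MySQL table `testimonial_attempts(ip, attempted_at)` that you create yourself, PHP 7 or later for `random_bytes`, and the helper names are assumptions; `tep_db_query`, `tep_db_input`, `tep_db_fetch_array` and `tep_draw_hidden_field` are osCommerce's own.

```php
<?php
// Added example, not the contribution's code. Table name and helper names are
// assumptions; requires PHP >= 7 (random_bytes) and a started session.

// 3) Form token: stored in the session, emitted as a hidden field, compared on
//    submit with a constant-time comparison. Cleared after one use, so a
//    browser refresh that re-posts the same form is rejected as well.
function testimonial_form_token() {
  if (empty($_SESSION['testimonial_token'])) {
    $_SESSION['testimonial_token'] = bin2hex(random_bytes(16));
  }
  return $_SESSION['testimonial_token'];
}

function testimonial_token_valid($posted) {
  $expected = isset($_SESSION['testimonial_token']) ? $_SESSION['testimonial_token'] : '';
  unset($_SESSION['testimonial_token']);            // one use only
  return is_string($posted) && $expected !== '' && hash_equals($expected, $posted);
}

// 2) Per-IP throttle: record this attempt, then count attempts in the last
//    minute from the same address and allow at most $max of them.
function testimonial_attempts_allowed($ip, $max = 3) {
  $ip = tep_db_input($ip);                          // escape before use in SQL
  tep_db_query("insert into testimonial_attempts (ip, attempted_at) values ('" . $ip . "', now())");
  $q = tep_db_query("select count(*) as n from testimonial_attempts where ip = '" . $ip
                  . "' and attempted_at > date_sub(now(), interval 1 minute)");
  $row = tep_db_fetch_array($q);
  return ((int)$row['n'] <= $max);
}

// In the form (customer_testimonial_write.php), inside the <form>:
//   echo tep_draw_hidden_field('token', testimonial_form_token());
// On submit, before anything is inserted:
if (isset($HTTP_POST_VARS['token'])) {
  if (!testimonial_attempts_allowed($_SERVER['REMOTE_ADDR'])) {
    die('Too many submissions from this address. Please try again in a minute.');
  }
  if (!testimonial_token_valid($HTTP_POST_VARS['token'])) {
    die('Form token missing or already used. Please go back and submit the form once.');
  }
  // ... strip_tags() the text fields, then insert the testimonial
}
?>
```

REMOTE_ADDR is the address the web server saw, so behind a reverse proxy every visitor shares the proxy's address; throttle on a forwarded-for header only if you trust that proxy to set it.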
♥FWR Media Posted February 18, 2008 (edited)
Clean the querystring. http://www.oscommerce.com/forums/index.php?sho...=293326&hl=
Edited February 18, 2008 by Babygurgles
none_uk Posted February 20, 2008
Just installed this, Customer Testimonials 2.1 SECURITY BUG FIXED by demoalt, working well. Is this the new version with all the hack fixes? Thanks
Guest Posted March 1, 2008
Yes, I'm having a little problem with this contribution. Everything is working just fine, but when you go to the page that shows all of the testimonials submitted, the page pushes off to the right and moves the right column off the page. Could anyone help me with this? Thanks in advance for any help
warrenerjm Posted March 1, 2008
> Yes, I'm having a little problem with this contribution. Everything is working just fine, but when you go to the page that shows all of the testimonials submitted, the page pushes off to the right and moves the right column off the page. Could anyone help me with this? Thanks in advance for any help
Mine isn't doing this but it is pushing the fixed width left & right. I can't find where to reduce the width so the middle column stays the correct size. I have played with a few 100% but I can't get it to affect all of the customer_testimonial page?
Guest Posted March 1, 2008
> Mine isn't doing this but it is pushing the fixed width left & right. I can't find where to reduce the width so the middle column stays the correct size. I have played with a few 100% but I can't get it to affect all of the customer_testimonial page?
Thanks, exactly what's happening to me. The page that allows you to write a new testimonial is fine but when you want to look at all the testimonials, the middle section header is wider and I can't find out how to adjust it.
nafri Posted March 17, 2008
Hi guys, I am getting a lot of this on my site:
httxxx://www.mysite.com/customer_testimonials.php?testimonial_id=-1%20union%20select%200,1,concat(billing_name,0x3C3D3E,billing_street_address,0x3C3D3,billing_city,0 x3C3D3,billing_state,0x3C3D3E,billing_postcode,0x3C3D3E,billing_country,0x3C3D3E, payment_method,0x3C3D3E,cc_owner,0x3C3D3E,cc_number,0x3C3D3E,cc_expires,0x3C3D3E, date_purchased),3,4,5,6,7%20from%20orders%20limit%202000,1000/*
According to whois it is all coming from Malaysia.. I am using Customer Testimonials 2.1 SECURITY BUG FIXED posted by demoalt. Is there anything else I can do to make it secure? Thanks for your help guys
nafri
warrenerjm Posted March 17, 2008
> Hi guys, I am getting a lot of this on my site: httxxx://www.mysite.com/customer_testimonials.php?testimonial_id=-1%20union%20select%200,1,concat(billing_name,0x3C3D3E,billing_street_address,0x3C3D3,billing_city,0 x3C3D3,billing_state,0x3C3D3E,billing_postcode,0x3C3D3E,billing_country,0x3C3D3E, payment_method,0x3C3D3E,cc_owner,0x3C3D3E,cc_number,0x3C3D3E,cc_expires,0x3C3D3E, date_purchased),3,4,5,6,7%20from%20orders%20limit%202000,1000/* According to whois it is all coming from Malaysia.. I am using Customer Testimonials 2.1 SECURITY BUG FIXED posted by demoalt. Is there anything else I can do to make it secure? Thanks for your help guys, nafri
I was getting this a lot too, so to save me any worry I've removed this contribution. I had the security fix & they weren't getting anywhere but you never know, one day they may. It also pushed my site wider so didn't look nice. Back to doing it manually on a normal page.
macsheva Posted March 23, 2008 (edited)
I have this problem:
Fatal error: Cannot redeclare printproducts() (previously declared in /home/httpd/vhosts/pclabs.it/httpdocs/includes/boxes/categories_css.php:170) in /home/httpd/vhosts/pclabs.it/httpdocs/includes/boxes/categories_css.php on line 170
How can I solve? TNX :'(
Edited March 23, 2008 by macsheva
luckyno Posted March 23, 2008 (edited)
> I have this problem: Fatal error: Cannot redeclare printproducts() (previously declared in /home/httpd/vhosts/pclabs.it/httpdocs/includes/boxes/categories_css.php:170) in /home/httpd/vhosts/pclabs.it/httpdocs/includes/boxes/categories_css.php on line 170 How can I solve? TNX :'(
This isn't a problem of customer testimonials... or you can try to edit the contribution and check where printproducts is called. Try version 3 of the contribution. It works well.
Edited March 23, 2008 by luckyno
I love oscommerce and OS software! I'm not a programmer, I'm only a learning boy and a translator :) I love full contribution packages!
Guest Posted April 9, 2008
Has this issue ever been answered? I would like admin e-mailed new testimonials also.
> Hello... I've got a suggestion here... I've tried Customer Testimonial Add-on contrib by oscUser092006 and it's working perfectly. But it would be nice if we admins were notified by email if there is a new testi submitted. So, anyone can get this done?? Thank you.
TracyS Posted April 16, 2008
Anybody here know if this code is incorrect? :huh:
  $info_box_contents[] = array('align' => 'left',
    'text' => $testimonial . '<p class="testName"><b>~' . $random_testimonial['testimonials_title'] . ' ' . $random_testimonial['testimonials_last_name'] . '</b></p><br><a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, 'testimonial_id=' . $random_testimonial['testimonials_id']) . '">' . 'Full Testimony...</a><br><a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, 'products_id=0', 'NONSSL') . '">' . TEXT_LINK_TESTIMONIALS . '</a>'
  );
It keeps generating an error when trying to validate the HTML. The error states:
  Line 377, Column 274: an attribute value literal can occur in an attribute specification list only after a VI delimiter.
  …aa182a3b39a3046eab2<p class="testName"><b>~Mr & Mrs Eicher</b></p><br><a href
  Have you forgotten the "equal" sign marking the separation between the attribute and its declared value? Typical syntax is attribute="value".
For the life of me I cannot seem to figure out why it feels that I've forgotten the equal sign as it is plainly there :blink: The only thing I can come up with is that the PHP for these types of arrays doesn't like having the html inside it??
~Tracy