
osCommerce


updating shop with security fixes


Guest


Hi there, I first downloaded osC in 2005.

I am aware there is a weakness in the Contact Us form and think one of the contributions with maybe a picture in it should stop spamming.

Is there a place to check for other security fixes / announcements that have been made for osC in the last couple of years?

Thanks

I am aware there is a weakness in the Contact Us form

I found this osc max contact us fix

and adapted it with the code from this site sending spam through contact forms

to produce this chunk of code, to be added to functions.php:

function preprocessHeaderField($value)
{
    // Remove line feeds: a CR or LF in a header field is what lets extra mail headers be appended
    $ret = str_replace("\r", "", $value);
    $ret = str_replace("\n", "", $ret);

    // Remove injected headers (PCRE patterns, so every one needs its "/" delimiters)
    $find = array("/to\:/i",
                  "/cc\:/i",
                  "/bcc\:/i",
                  "/Mime\-Type\:/i",
                  "/MIME\-Version\:/i",
                  "/Content\-Transfer\-Encoding\:/i",
                  "/charset\=/i",
                  "/Content\-Type\:/i"
                  );

    $ret = preg_replace($find, "", $ret);
    return $ret;
}

Add this to contact_us.php after the include of application_top.php:

$_POST['name']    = preprocessHeaderField($_POST['name']);
$_POST['tel']     = preprocessHeaderField($_POST['tel']);
$_POST['email']   = preprocessHeaderField($_POST['email']);
$_POST['subject'] = preprocessHeaderField($_POST['subject']);
$_POST['enquiry'] = preprocessHeaderField($_POST['enquiry']);

Thanks to Edith Karnitsch for helping me with the additional injection fields to check.

ally


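As an added example (not part of ally's post or of the osCommerce code), the same mail-header injection can be handled by rejecting a submission instead of silently stripping characters from it: header-bound fields with any CR, LF or NUL are refused, the e-mail address is checked with filter_var, and the message body keeps its line breaks because it never becomes a header. The function names and the sample requests are hypothetical and constructed for the example.

```php
<?php
// Added example (not from the original post or osCommerce): validate the contact-form
// fields that end up in mail headers instead of stripping them. Names are hypothetical.

// Header-bound fields must never contain CR, LF or NUL: one line break is all a
// header-injection attempt needs.
function isHeaderSafe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

// Validate one field; returns null on success or an error message for the user.
function validateContactField(string $field, string $value): ?string
{
    $value = trim($value);
    if ($field === 'email') {
        // filter_var rejects addresses containing line breaks or a second recipient
        return filter_var($value, FILTER_VALIDATE_EMAIL) !== false
            ? null : 'Please enter a valid e-mail address.';
    }
    if ($field === 'enquiry') {
        // The message body may legitimately contain line breaks; only reject NUL bytes
        return strpos($value, "\0") === false ? null : 'The message contains invalid characters.';
    }
    // name, tel, subject: header-bound, so reject control characters and oversized values
    return (isHeaderSafe($value) && strlen($value) <= 100)
        ? null : "The $field field contains invalid characters.";
}

// Constructed sample requests: the second one smuggles a Bcc: header via the e-mail field.
$samples = [
    ['name' => 'Jane Doe', 'email' => 'jane@example.com', 'subject' => 'Order question'],
    ['name' => 'Jane Doe', 'email' => "jane@example.com\r\nBcc: victim@example.com", 'subject' => 'x'],
];
foreach ($samples as $i => $post) {
    foreach ($post as $field => $value) {
        if (($error = validateContactField($field, $value)) !== null) {
            echo "request $i: rejected ($field): $error\n";
            continue 2;  // skip to the next request
        }
    }
    echo "request $i: accepted\n";
}
```

Rejecting rather than cleaning also gives you something to log: a contact-form submission with a line break in the address field is a clear signal worth counting in the shop's logs.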