osCommerce

The e-commerce.

Customers able to view other customers accounts


Spiceworld

Posted

Hi

I've had a couple of people contact me about entering my site and being able to view another person's details. I have turned off the cache feature, and no files reside in the cache control bit of tools.

Any help badly needed.

 

Cheers in advance

Posted
a couple of people contact me about entering my site and being able to view another person's details

And you believed them? Did they explain how they accomplished this, and exactly what they viewed? It is a very implausible report, but if verified we would be very concerned. But details are needed ...

Posted

One way for this to happen is if someone posts a link to your site, and keeps the session ID in the link.

 

Think about it. If I click on the now public link, and the osCsid=A, and I shop for a while, and now checkout, meanwhile, you click on the public link, you now also have the same session ID. Meaning, you will have access to my info.

 

This typically only happens when a link is posted to a popular place as two people must be using the same session ID at the same time. It happened on my site.

Steve

Posted
One way for this to happen is if someone posts a link to your site, and keeps the session ID in the link.

 

Think about it. If I click on the now public link, and the osCsid=A, and I shop for a while, and now checkout, meanwhile, you click on the public link, you now also have the same session ID. Meaning, you will have access to my info.

 

This typically only happens when a link is posted to a popular place as two people must be using the same session ID at the same time. It happened on my site.

 

I discovered this issue over at tek-tips forums a little while ago, and it's happened to me a couple times there since. I always suspected that osCommerce (and just about any other session using site) was susceptible as well.

 

Only ways I can think to limit this would be

a) Drop the session ID if the referring URL is not from your domain

b) Require IP persistence; drop the session if the user's IP address changes

c) Require cookies; the session ID never gets passed (or picked up) from the URL

"It's a damn poor mind that can only think of one way to spell a word."

-- Andrew Jackson

Posted
One way for this to happen is if someone posts a link to your site, and keeps the session ID in the link.

 

Remember that session IDs do (should) expire.

Posted

Thanks for the replies. Item b above sounds good; how would I go about that?

 

The info I got off the bloke was that he entered the site and viewed the account of a man who had just signed up and ordered, if that's any help.

He phoned the man to tell him that he could see all his details, and he has since phoned to tell us to delete his account, so I don't want this to happen again if I can do something about it.

 

But I still have praise for osCommerce, as since changing over to it, instead of a few orders a month, we are now getting 1 or 2 a day.

 

Cheers in advance

 

Richard

Posted

Make sure that the two users are not using a caching proxy server. Many large ISPs are using these nowadays to cut down on bandwidth. However, it causes problems on occasion with settings being passed incorrectly.

 

Someone above suggested requiring IP persistence. This won't work in the modern Internet. Large companies like AOL feed all their users through a limited number of proxy servers. These are round-robin servers, so a user can access your page from IP-A on page one and IP-B on page two and back to IP-A on page three. For people who are still on dial-up connections (read: the majority of your potential customers) this is the way it will be for quite some time. AOL has 12 proxy servers and 40 million customers in the USA and more abroad, and they are just one large company. Add in MSN, Earthlink, BT, NTL, or whoever your large provider is in your country, and they work the same way.

 

The best way would be to eliminate the Sessionhash from the URL and store it as a cookie on the end-user's machine. Simply set the same expiration time for the cookie. You can then verify that with the session stored on the server. Storing the session in MySQL would also be the preferred way as long as the Session table is of a HEAP tabletype since there won't be any latency in retrieving the information.

Posted

There are problems with every solution I posted. Security has always come with the tradeoff of limiting functionality.

 

a) Not all browsers pass the referring URL

b) AOL users notoriously change IP addresses page to page (note: most other dial-up users I know keep an IP until they log off and dial up again), and this does nothing if the parties involved are behind the same NAT router.

c) A lot of people think that all cookies are bad and disable them (though this really would be the best method, IMHO)

 

Remember that session IDs do (should) expire.

 

True, they do. Each time I found myself logged in as another user at tek-tips it was because they had come to one of my sites from there, and I just happened to be checking and following back some of my referring URLs at the time.

 

Personally I vote for absolutely requiring cookies. This may turn some people off, but directing them to a nice explanation of the security issues involved should help convince some of them. The others are probably too paranoid to be buying things online anyway :wink:

"It's a damn poor mind that can only think of one way to spell a word."

-- Andrew Jackson

Posted

Cookies are the best solution nowadays. With any major site requiring cookies for any kind of functionality, I don't think it is a problem with most people nowadays.

Posted

You can also write the code to check the session ID vs the table of sessions. If it does not exist, do not use the session ID, generate another. I have code that does this, but it won't work with standard OSC, I have a very heavily modified version. It doesn't matter much to me if they post with the session id, and most people will anyway as they will not understand what it means.

 

While it is easy to SAY require cookies, I find a lot of people shop my site with them disabled. Sure, make them have cookies, lose customers. Not 99% by any means, but still significant, at least for me. Your mileage may vary.

Steve

  • 2 weeks later...
Posted

I've modified the following function in /catalog/includes/function/sessions.php

 

I have define('STORE_SESSIONS', 'mysql'); set in configure.php

 

Basically, what I am trying to do is to check for referer. If It is not from the host server, then I will set the value to NULL, that will cause the function to return FALSE.

 

I tried to log on to an account (USER) and copied the link with the session ID. I then used another browser to access the link (it had been browsing some other sites), and it turns out that I am unable to view the account of the USER I've logged in as.

 

An issue I have is cleaning up this sessionID, not sure if it is necessary. Another issue is, if the current user (USER) is accessing his account, using the same sessionID, he'll not be able to continue, instead he'll be asked to log in again. I guess that's the tradeoff.

 

Any idea what other kinds of pitfalls I am heading for? Please don't flame me if I'm doing something silly; I just started working on osCommerce 2 weeks ago and this is my first PHP experience :wink:

 

 

 

function _sess_read($key) {
  // Look the session up in the MySQL sessions table (STORE_SESSIONS = 'mysql').
  // tep_db_input() escapes the key before it is placed in the query.
  $qid = tep_db_query("select value from " . TABLE_SESSIONS . " where sesskey = '" . tep_db_input($key) . "' and expiry > '" . time() . "'");
  $value = tep_db_fetch_array($qid);

  // Added referer check: if the request did not come from this host, discard the
  // stored session data so the function returns false and a fresh session starts.
  // $_SERVER is used instead of $GLOBALS, which only worked with register_globals on.
  // A missing or empty Referer header also fails the check.
  $referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
  $url = parse_url($referer);
  $host = (is_array($url) && isset($url['host'])) ? trim($url['host']) : '';
  if ($host != $_SERVER['SERVER_NAME']) {
    $value = false;
  }

  if (is_array($value) && isset($value['value']) && $value['value']) {
    return $value['value'];
  }

  return false;
}

 

 

Basically added the following

$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$url = parse_url($referer);
$host = (is_array($url) && isset($url['host'])) ? trim($url['host']) : '';
if ($host != $_SERVER['SERVER_NAME']) {
  $value = false;
}

Posted
Any idea what other kinds of pitfalls am I heading for?

 

The problem with this method is that not all browsers honor HTTP_REFERER. You will block these out.

 

Another problem is if you use payment gateways: some of them won't have a REFERER field set and you will block them out as well. This could have an effect on your payment modules or not. Depends.

 

In any case, you don't need coding; PHP provides a way to do this. Look for session.referer_check here:

 

http://www.php.net/manual/en/ref.session.php

Posted

Hi david,

 

thanks for the info. Looks like forcing the user to use cookies is the safest, though not the friendliest, method....

 

so is this the way to do it?

 

ini_set('session.use_cookies', 1);

 

:?:

 

Need to try that out.

 

Linusk

Posted

So any ideas on this, as I have just had it happen again!!!

I really want to get this sorted as soon as possible, as I'm losing customers over it.

I don't use SSL at the moment, but would this stop it if I did?

 

If anyone can help me with this quickly it would be appreciated.

 

Cheers

 

Richard

  • 6 months later...
Posted

I have the same issue... and am using a secure server, so no that doesn't fix the problem...

 

One thing I do see is when looking in Tools - Cache Control

 

Warning: SAFE MODE Restriction in effect. The script whose uid is 1514 is not allowed to access /tmp/ owned by uid 0 in **URL**/cache.php on line 82

 

Fatal error: Call to a member function on a non-object in **URL**/cache.php on line 83

 

Could this be causing the issue?

 

I've had 8 orders on the site and 4 of these have caused this issue...

 

 

Here's my problem details... straight from the customers mouth...

 

Hello,

 

Can anyone tell me why this is happening... I've had to close the

site while I work out whats going on...

 

Sometimes people are placing orders without an account and it's showing up on someone else's account. Is it a problem with the BUY NOW option?

 

===========================================

I have revisited your site in order to try to work out how the error occurred.

In reply to your request for an explanation as to how I made an order with your company causing the order to be processed through someone else's account. This is what I did in order to buy the phone cover.

I selected the phone cover I wanted and said that I wanted to buy it. I now know that I should have been told that I must create an account. I was not asked to do this yesterday.

After stating that I wanted to buy the phone cover I began to fill in my details.

There was already a shipping address. I cannot remember the name and address but it was definitely female and we think it might have been Alison. At the time I thought it was strange but thought that it was a fictitious name and address.

I did not know what to do as it seemed peculiar to have a name and address already there. I changed the shipping address to mine so that the shipping address and the delivery address were both mine. I filled in my bank details as I usually do when using the Internet.

How can we see someone else's address?

Is someone else now going to have my name and address?

I logged on to your site again a few minutes ago and this time I was told I could not buy the phone cover as I did not have an account. So I created an account tonight to follow the process through. I did not actually order anything tonight; it was simply an exercise.

The answer to the question as to how I managed to order something using someone else's account seems to be the fact that I was allowed to order without creating an account of my own and was put through to the account of another customer.

===============================================

 

I also have another response from a customer...

 

===============================================

Yes I did. I found the page via Google, but must admit that I was surprised to see other address details in there. I was careful to put in my correct address and card details.

I would flag that you have a security problem if Google can pick up web pages which logically should only be available to the logged in party.

===============================================

 

Anyone know why this is happening?

_________________

Cheers,

Simon

  • 6 years later...
Posted

I have also had this occur today. A customer advised that she was called by another customer as they could see her details.

She had shopped in the morning and made a purchase, and the person that saw her details had done an advanced search on the same product and came across her details.

I am a newbie, so I trawl these forums for answers to everything and do not know how to code.

I have checked my settings and found the following

Session Directory /tmp

Force Cookie Use False (but just changed this to true after reading this post)

Check SSL Session ID False

Check User Agent False

Check IP Address False

Prevent Spider Sessions False

Recreate Session False

 

Use Cache false

Cache Directory /tmp/

 

Store Page Parse Time false

Log Destination /var/log/www/tep/page_parse_time.log

Log Date Format %d/%m/%Y %H:%M:%S

Display The Page Parse Time true

Store Database Queries false

 

are these settings OK?

Thanks,

Penny

Posted

You should never need to force cookie use if osCommerce is set up correctly.

 

Prevent Spider Sessions True

Recreate Session True

 

Ensure that includes/spiders.txt is up to date.

 

Browse your site .. does the osCsid disappear after a click .. if not your configuration is wrong.
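The "does the osCsid disappear after a click" check above can be scripted. The following is an added example, not osCommerce code or anything from the thread: a PHP command-line script that fetches a store page twice with a shared cookie jar and reports how many links still carry osCsid on the second request, once the session cookie has been accepted. The store URL is a placeholder; run it only against your own shop.

```php
<?php
// Added example (not osCommerce code): detect osCsid still being written into
// links after the session cookie round-trip.
// Usage: php check_oscsid.php https://shop.example.com/   (placeholder URL)

function links_with_session_id(string $html, string $param = 'osCsid'): array
{
    // Collect every href/src whose query string carries the session parameter.
    $found = [];
    if (preg_match_all('/(?:href|src)=["\']([^"\']+)["\']/i', $html, $m)) {
        foreach ($m[1] as $link) {
            $query = parse_url(html_entity_decode($link), PHP_URL_QUERY);
            if ($query === null || $query === false) {
                continue;
            }
            parse_str($query, $params);
            if (array_key_exists($param, $params)) {
                $found[] = $link;
            }
        }
    }
    return $found;
}

function fetch(string $url, string $cookieJar): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIEJAR      => $cookieJar,  // save cookies from this response
        CURLOPT_COOKIEFILE     => $cookieJar,  // send cookies saved earlier
        // Browser-like User-Agent so the request is not treated as a spider
        // (spider sessions are suppressed entirely and would hide the problem).
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (session-check)',
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        fwrite(STDERR, 'curl error: ' . curl_error($ch) . "\n");
        exit(2);
    }
    curl_close($ch);
    return $body;
}

$url = $argv[1] ?? 'https://shop.example.com/';  // placeholder store URL
$jar = tempnam(sys_get_temp_dir(), 'oscsid');

// First request: no cookie yet, so osCommerce may append osCsid to links.
$first  = links_with_session_id(fetch($url, $jar));
// Second request: the cookie goes back; links should now be clean.
$second = links_with_session_id(fetch($url, $jar));
unlink($jar);

printf("first request:  %d links carry osCsid\nsecond request: %d links carry osCsid\n",
       count($first), count($second));

if (count($second) > 0) {
    echo "osCsid persists after the cookie round-trip; review Force Cookie Use / Recreate Session\n";
    exit(1);
}
echo "OK: the session ID left the URL once the cookie was accepted\n";
```

A non-zero count on the first request is expected (the cookie has not been accepted yet); a non-zero count on the second request is the misconfiguration the reply above describes, and it is the state in which a customer can paste a link that hands their session to whoever clicks it.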
