
osCommerce

The e-commerce.

New page found on my website


Forestshopkeeper

Recommended Posts

Posted

My website is http://shoppeintheforest.com

While checking the tool, "who's online", I came across this web address: http://shoppeintheforest.com/index.php?cPa...u/images/cs.txt?

It goes to a page on my website that I have never seen before, but I like a lot. It is as if there should be a link to a page from the categories box, but there is no link. The site, http://cherrygirl.h18.ru/images/cs.txt? takes me to a denied site with everything written in Russian.

I am the first to admit I do not understand the path command in the address bar. I would just like to know how to make this page come up in my website. Can you help?

Jim

Posted

Well, when I open that link, my browser shows the path:

http://shoppeintheforest.com/index.php?cPa...u/images/cs.txt

It looks like it is in the index page, but I honestly cannot tell you more about it, as I am new as well. I just wanted to show the full URL. I have never seen the "cherrygirl" thing. Is that a username or something from your cPanel?

A great place for newbies to start

Road Map to oscommerce File Structure

DO NOT PM ME FOR HELP. My time is valuable; unless I ask you to PM me, please don't. You will get better help if you post publicly. I am not as good at this as you think anyway!

HOWEVER, you can visit my blog (go to my profile to see it) and post a question there; I will find time to get back and answer you.

Proud Member of the CODE BREAKERS CLUB!!

Posted

Search the forum for SQL injection, hack attacks and the like.

Posted

The cherrygirl thing was where a session ID would normally be. Nothing to do with me.

Jim

Posted

The page you see comes up when the code converts all of the crap after cPath= to a zero.

Posted

It looks as though your site has been hacked via the Open Redirect exploit - so make sure your site is up to date with all security patches and bug fixes.

 

Vger

Posted

Open Redirector

http://www.oscommerce.com/community/bugs,2970

------------------------------------------------------------------------------

 

Problem:

 

There is no URL checking being performed on the redirection page, which allows external sources to use the page as an open redirect relay.

 

Solution:

 

Lines 27-29 in catalog/redirect.php must be changed from:

 

    if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
      tep_redirect('http://' . $HTTP_GET_VARS['goto']);
    }

to:

    if (isset($HTTP_GET_VARS['goto']) && tep_not_null($HTTP_GET_VARS['goto'])) {
      $check_query = tep_db_query("select products_url from " . TABLE_PRODUCTS_DESCRIPTION . " where products_url = '" . tep_db_input($HTTP_GET_VARS['goto']) . "' limit 1");

      if (tep_db_num_rows($check_query)) {
        tep_redirect('http://' . $HTTP_GET_VARS['goto']);
      }
    }

 

--------------------------------------------------------------------------------------

Source

 

But, as Vger suggests, don't stop there. Apply all patches and updates.
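The following is an added example for readers of this thread; it is not osCommerce code and not the bug-tracker patch quoted above. The quoted fix is an exact-match allowlist (the goto value must equal a stored products_url, with tep_db_input escaping the lookup). This example shows the same idea as a host allowlist, next to the unpatched pattern, and feeds both a few constructed probes including the host Jim saw. The function names and the $allowed_hosts list are this example's own; the shop hostname is the one from the thread.

```php
<?php
// Added example, not osCommerce code and not the bug-tracker patch above.
// Contrasts the open-redirect pattern with a host-allowlist check.
// Function names and $allowed are this example's own; the shop hostname is
// taken from the thread, the attacker host from the URL Jim saw.

// The unpatched pattern: the ?goto= value is prefixed with "http://" and
// sent as-is, so whoever builds the link picks the destination host.
function vulnerable_redirect_target(string $goto): string
{
    return 'http://' . $goto;
}

// Hardened variant. Returns the URL to redirect to, or null when the
// request must be refused (the caller should then send the visitor to the
// shop's own front page rather than anywhere the query string names).
function safe_redirect_target(string $goto, array $allowed_hosts): ?string
{
    $url   = 'http://' . $goto;
    $parts = parse_url($url);

    // Unparseable input, or no host component at all.
    if ($parts === false || !isset($parts['host'])) {
        return null;
    }
    // "shop.example@evil.example": parse_url reports the real host
    // (evil.example), but refuse anything carrying credentials outright.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }
    // Exact, case-insensitive host match. A substring check such as
    // strpos($host, 'shoppeintheforest.com') !== false would pass
    // "shoppeintheforest.com.evil.example".
    $host = strtolower($parts['host']);
    if (!in_array($host, $allowed_hosts, true)) {
        return null;
    }
    return $url;
}

// Run a handful of constructed probes through both functions.
function redirect_demo(): array
{
    $allowed = array('shoppeintheforest.com', 'www.shoppeintheforest.com');
    $probes  = array(
        'www.shoppeintheforest.com/index.php?cPath=0',   // legitimate
        'cherrygirl.h18.ru/images/cs.txt',               // the host from the thread
        'shoppeintheforest.com.evil.example/',           // suffix trick
        'shoppeintheforest.com@evil.example/',           // credential trick
        'evil.example',                                  // plain attacker host
    );
    $results = array();
    foreach ($probes as $goto) {
        $results[$goto] = array(
            'vulnerable' => vulnerable_redirect_target($goto),
            'hardened'   => safe_redirect_target($goto, $allowed),
        );
    }
    return $results;
}

foreach (redirect_demo() as $goto => $r) {
    printf("%-46s vulnerable -> %s\n", $goto, $r['vulnerable']);
    printf("%-46s hardened   -> %s\n\n", '', $r['hardened'] ?? 'REFUSED');
}
```

Run it with php from the command line. Only the first probe survives the hardened check; the other four are refused, and the fourth shows why the check must look at the parsed host rather than at the raw string. The exact-match database lookup in the quoted patch is stricter still, since it accepts only URLs already stored against a product.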

Posted

Out of curiosity, if anyone knows, would the fact that the user shows up in "who's online" mean the redirect attempt did not work? Would it also mean that the visitor is likely to be a potential customer who clicked on a malicious link (and should not be blocked) or a hacker trying to see if the redirect will work?

Posted

Thanks for the really good information. I checked the redirect.php file and it is current. I have been making all of the patches and updates. Quite frankly, I was not so much concerned about the possibility of the hack (though I should have been) as about seeing, for the first time, what should be the catalog page of my website. The page that is shown is the page that should come up when you click on "Catalog" in the navigation bar in the header. Instead, when you click on Catalog, you go to the welcome page. Can you tell me which file contains the code for the href for Catalog? Home goes to index and so does Catalog. I created a definition of FILENAME_CATEGORIES that goes to index.php/cPath=categories, but I don't know where to plug it in to make the Categories page come up. Any help will be appreciated.

 

Jim

Posted

I found it. It is in the application_top.php file. Now when a customer clicks on "Catalog" the Categories Page comes up. Thanks everyone for your help.

Jim

Posted
Thanks for getting back with me. Actually, the page goes back to the index page with no path at all with anything but the http://cherrygirl.18h.ru/images/cs.txt.

That is the only path that goes to the Categories page other than cPath=index.php?cPath=categories.

 

Jim

Try cPath=0

 

I think that's what the code serves up if there are letters instead of numbers after cPath=.
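The following is an added example, not osCommerce's own code, illustrating the point made twice in this thread: non-numeric junk after cPath= is cast to 0, and 0 is the top-level category, so index.php?cPath=<anything> quietly renders the categories page. The loose parser is a deliberately simplified re-creation of that effect; the strict parser is this example's own design. The URL Jim quoted is assumed here to be the full cPath value.

```php
<?php
// Added example, not osCommerce's own code. A simplified re-creation of the
// effect described in this thread: casting each "_"-separated cPath segment
// to int turns non-numeric junk into 0, which is the top-level category id.
// The strict parser below is this example's own design.

// Loose parsing: every segment goes through (int), and PHP's (int) cast of a
// string that does not start with digits is 0.
function parse_cpath_loose(string $cpath): array
{
    $ids = array();
    foreach (explode('_', $cpath) as $segment) {
        $ids[] = (int) $segment;
    }
    return $ids;
}

// Strict parsing: accept "0" alone or one-or-more positive integers joined
// with "_"; return null for anything else so the caller can answer with a
// 404 (and log the request) instead of serving a page for garbage input.
function parse_cpath_strict(string $cpath): ?array
{
    if (!preg_match('/^(0|[1-9][0-9]*(_[1-9][0-9]*)*)$/', $cpath)) {
        return null;
    }
    return array_map('intval', explode('_', $cpath));
}

// The current category is the last id in the path; 0 means "top level".
function current_category(array $ids): int
{
    return $ids[count($ids) - 1];
}

function cpath_demo(): array
{
    $inputs = array(
        '0',                                      // what the last reply suggests
        '22_35',                                  // a normal nested path
        '22abc',                                  // trailing junk
        'categories',                             // Jim's FILENAME_CATEGORIES idea
        'http://cherrygirl.h18.ru/images/cs.txt', // assumed full value from Who's Online
    );
    $out = array();
    foreach ($inputs as $in) {
        $loose  = parse_cpath_loose($in);
        $strict = parse_cpath_strict($in);
        $out[$in] = array(
            'loose_ids'     => $loose,
            'loose_current' => current_category($loose),
            'strict'        => $strict,
        );
    }
    return $out;
}

foreach (cpath_demo() as $in => $r) {
    printf("cPath=%s\n", $in);
    printf("  loose : ids [%s], current category %d\n",
        implode(',', $r['loose_ids']), $r['loose_current']);
    printf("  strict: %s\n\n",
        $r['strict'] === null ? 'rejected' : 'ids [' . implode(',', $r['strict']) . ']');
}
```

With the loose parser, "categories" and the full URL both become category 0, which is exactly why those requests land on the categories page; "22abc" becomes 22 because the cast keeps leading digits. The strict parser accepts only "0" and "22_35". Refusing rather than coercing also makes probe traffic stand out in the logs instead of blending in with ordinary category views.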

Archived

This topic is now archived and is closed to further replies.
