
Security Issue - Customer Ordered on Another's Account



I'm panicking here...

 

One of my clients has an osCommerce shopping cart with some modifications (the most recent being the Header Tags SEO and Ultimate SEO URLs).

 

Customer "A" placed an order yesterday. Today, another customer placed an order under Customer A's account. The "Customer" and "Shipping" addresses are the same as Customer A, but the "Bill to" details are that of Customer B. The credit card information was also different than Customer A. Customer B does not have an account. My client spoke with Customer A and he said he did not place the order.

 

I looked at the Who's Online feature and see that it appears as if Customer A is still online, but when I looked up the IP, it seems to be GoogleBot.

 

More details:

  • The two customers are in different states and don't know each other, so it's not like one forgot to log out and the other used his computer.
  • The credit card numbers are different, so I don't think it's someone trying to use Customer A's credit card.
  • Who's Online shows several instances of GoogleBot's IP address. Most are logged in as Guest, but one is logged in as if it's Customer A.
  • There is a note in the second order (of the Customer A and B merge) that doesn't seem to be a spambot or anything (it's relevant to the order).

 

So, I don't know if it has something to do with the session ID (just found a contribution to remove that for search engines, but haven't installed it yet), if it's some funky merging of accounts, if they both tried to create accounts at the exact same time (I know, I'm reaching), if someone hacked into the database, or if it's a glitch with GoogleBot just happening to be logged into Customer A's account somehow.

 

Please help! I'm freaking out!!!


You must ensure you don't lose osCsid http://www.oscommerce.com/forums/index.php?sho...c=330479&hl

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


First of all, thank you so much for your quick response!

 

So, if I install the SID killer contribution, should that solve the problem? Will that work with the Ultimate SEO URLs contribution?


SID killer is a total no no .. do not install it.

 

The usual cause of this is that your sessions are persisting due to incorrect settings. You can tell because of the way osCommerce should work: on the first visit to the site you should see an osCsid (hovering links etc.); if you click again and hover the links, the sid should be gone .. if not, your settings are wrong.

 

Are you willing to put up or pm your website address?

 

Ensure you have set prevent spider session to true in admin->sessions and that spiders.txt is up to date.

 

Ensure that recreate session is set to true in admin .. it is standard practice these days to recreate the session id whenever a user changes state (e.g. logs in).

 

If worst comes to worst and you have a "proper" SSL certificate where the certificate address matches your site ..

 

e.g. cert issued to www.mysite.com .. site access via www.mysite.com

 

Then you can force cookie use as a last resort which ensures safety (albeit at a small cost).


Thank you! So, if I prevent spider sessions, will that prevent them from spidering the site or just prevent them from actually having session IDs? You know, I don't actually see the session IDs added onto the URLs, but we have the categories hidden and mostly use the search box and some other links to static pages.

 

I'll PM you the site in a sec!


Sorry Sam, I wasn't sure if you'd check back on this topic so that's why I sent you a PM. Thanks again!

 

Here's what you said for other people's reference:

"No, in fact if you simply enable Prevent Spider Sessions in admin that will do the same job. You must go over all your links & check they are correctly done."


Re: your pm

 

* Session Directory (ignore should be MySQL)

* Force Cookie Use false

* Check SSL Session ID false

* Check User Agent false

* Check IP Address false

* Prevent Spider Sessions true (plus update spiders.txt)

* Recreate Session true

 

 

As much as you need to do this, it is not your main problem .. the standard osCommerce links are showing the sid but ALL of the "clever" images are NOT, therefore a customer cannot maintain a session.

 

Sessions in osCommerce are dictated by the use of function tep_href_link() which has to be used religiously for all links.

 

It is a common issue where "web designers" who have no knowledge outside of basic html and flash consistently break sites through lack of knowledge (not that I know who did yours).
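
An added check illustrating Sam's point (not osCommerce code and not part of this thread): it parses a rendered shop page and lists same-site links that carry no osCsid, which are exactly the hard-coded links that start a fresh session when the session ID travels in the URL. The host www.mysite.com and the sample HTML are constructed.

```python
"""Audit a rendered shop page for links that drop the osCsid.

Added example, not osCommerce code. With URL-based sessions (Force Cookie
Use off) every same-site link must carry osCsid; a hard-coded <a href>
starts a fresh session on click. Host and HTML below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

SITE_HOST = "www.mysite.com"  # hypothetical shop host, as in Sam's example

SAMPLE_HTML = """
<a href="http://www.mysite.com/product_info.php?products_id=7&amp;osCsid=ab12cd34">Widget</a>
<a href="http://www.mysite.com/shipping.php?osCsid=ab12cd34">Shipping</a>
<a href="/about.html">About us</a>
<a href="contact.php">Contact</a>
<a href="http://www.mysite.com/catalog.pdf" target="_blank">Catalogue</a>
<a href="http://www.othersite.example/partner">Partner</a>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_same_site(href, site_host=SITE_HOST):
    """Relative links and absolute links to our own host are same-site."""
    host = urlsplit(href).netloc
    return host == "" or host.lower() == site_host


def find_session_dropping_links(html, site_host=SITE_HOST):
    """Return same-site hrefs with no osCsid in their query string."""
    collector = LinkCollector()
    collector.feed(html)
    broken = []
    for href in collector.hrefs:
        if not is_same_site(href, site_host):
            continue  # external links are expected to drop the session
        if "osCsid" not in parse_qs(urlsplit(href).query):
            broken.append(href)
    return broken
```

Run it against the saved HTML of each page while logged in with cookies disabled; anything it lists is a link that was not built with tep_href_link().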


Thanks, I'm the "web designer", but I don't have a lot of php skills (obviously). :( The links in there weren't to actual products, just static pages. Does that matter for the sessions? We'll be adding the categories back in which should generate the id.


If you read through the thread I detailed you will see each & every link must keep the session, regardless of purpose, otherwise you get your issue.

 

The thread details all the conditions that can create problems.

Sam


Thank you again, Sam! I've changed all the links I found to the php coded versions instead!


Hi,

 

The possibility of customers picking up the details/shopping cart information of another customer is quite frightening. Is there any way to prove/test the integrity of the osCsid (probably on a test site)?

 

I’d also really appreciate any comments as to whether or not the situations described below are as expected.

 

 

The following appears to be the situation on my live and test sites (all have Recreate Session = true):

 

Live Site:

ENABLE_SSL = false (config.php)

FORCE COOKIE USE = true (in admin)

 

The oscid is occasionally shown in the URL, normally on the 2nd click, disappears on subsequent clicks.

 

Test Site:

ENABLE_SSL = false

FORCE COOKIE USE = false

 

I’ve never noticed the oscid in the URL.

 

 

Test Site:

ENABLE_SSL = true (shared SSL)

FORCE COOKIE USE = false

 

The oscid is shown in the URL on SSL pages and the first NONSSL page afterwards but not at any other time.

Logging on, logging off, then logging on again with a different email address, the osCsid is the same each time.

 

 

Thank you for any help that may be forthcoming.


Hi,

 

One of the guys said that the osCsid will show up on the first link (after you get to the site), but disappear for subsequent links. I went through and changed all links that I'd added in the site from the typical html link to use the php version (the tep_href_link function). Maybe they'll have suggestions on how to test for it - that was a terrifying situation, but we found out that both customers were legit. I would suggest you get a site certificate and use SSL for your live site, though! :) On the plus side, I've worked on several osCommerce sites and have never seen this issue before (over the past 4 or 5 years).


Hi,

 

New thought... What about adding links into the product description fields? (Sam, I've been searching through your thread, but haven't seen reference to this.)

 

In the product description fields, if you add a link (to another page on the site, for example) with html, it works, BUT, I've noticed that if you add the tep_href_link function in there (with the php tags), it doesn't work. I've got one shop using the html wysiwyg editor and it didn't work that way either (either way, I edit the source code).

 

Won't this break the SID?


For a "separate" php file to maintain session it has to call includes/application_top.php at the top and includes/application_bottom.php at the bottom.


If I understand your question there's actually a contribution made by Steve Lionel called Embed Link with SID in Description, which I think would do the trick just fine, you'll find it here.


Thank you Robert!

 

I know this is a stupid question, but I've been awake for a very long time... What about links to pdf files that open in new windows? Is that an issue, too?

 

 

Chris - I installed Steve Lionel's contribution (very cool, extremely easy to install). One of the sites I'm working on is osCMAX, so it has a lot of extra stuff in there. I installed his contribution for adding links in product descriptions and altered it a little to work in articles, too. The only thing I didn't see was a way to make it work for the Define Mainpage contribution. That one lets you edit the Home page, Conditions, Shipping, and Privacy pages in the backend, but as it turns out, the content is written to certain files rather than added as database entries. I searched through the topic and it sounded like they kind of mentioned similar situations, but it seems that my client won't be able to edit these pages through the backend if she wants links in them.

 

Anyone come across that one? Jeez, I should change my username to OftenConfused.


Two customers ordering from the same account happens if by chance they got hold of the same osCsid.

Generally, if spider session kill is not set to true, then the spider caches the URL with the osCsid.

 

Now if a customer comes through a search engine, they get this osCsid in the URL.

 

 

Suggestion:

1) Kill spider session ID (through admin).

2) Recreate session as true.

 

Satish

Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site.

 

Check My About US For who am I and what My company does.
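
Satish's explanation, as an added model (Python, not osCommerce code): a toy session layer with the two admin settings Sam listed, replaying the incident with and without them. The user agents, customer names and the spider check (a user-agent substring in place of spiders.txt) are constructed.

```python
"""Toy model of the incident in this thread: a spider-indexed osCsid shared by two shoppers.

Added example, not osCommerce code. It models the two admin settings discussed above
(Prevent Spider Sessions, Recreate Session); a user-agent substring check stands in for
spiders.txt and all names and user agents are constructed.
"""
import secrets

SPIDER_AGENTS = ("googlebot",)  # stand-in for the spiders.txt list
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1)"


class Shop:
    def __init__(self, prevent_spider_sessions, recreate_session):
        self.prevent_spider_sessions = prevent_spider_sessions
        self.recreate_session = recreate_session
        self.sessions = {}  # osCsid -> logged-in customer name (None = guest)

    def request(self, user_agent, oscsid=None):
        """Serve a page; return the osCsid its links will carry (None if none)."""
        if self.prevent_spider_sessions and any(
            s in user_agent.lower() for s in SPIDER_AGENTS
        ):
            return None  # spider gets no session, so indexed URLs carry no osCsid
        if oscsid not in self.sessions:  # unknown or missing ID: start a fresh session
            oscsid = secrets.token_hex(16)
            self.sessions[oscsid] = None
        return oscsid

    def login(self, oscsid, customer):
        """Log a customer in; with Recreate Session the ID is rotated first."""
        if self.recreate_session:
            del self.sessions[oscsid]
            oscsid = secrets.token_hex(16)
        self.sessions[oscsid] = customer
        return oscsid

    def whoami(self, oscsid):
        return self.sessions.get(oscsid)


def scenario(prevent_spider_sessions, recreate_session):
    """Replay the thread's incident and report who B and the spider appear as."""
    shop = Shop(prevent_spider_sessions, recreate_session)
    # 1. Googlebot crawls a page; the osCsid in its links ends up in the search index.
    indexed = shop.request(GOOGLEBOT)
    # 2. Customer A clicks the indexed link, logs in and orders.
    a_sid = shop.request("Mozilla/5.0 (Windows NT)", indexed)
    shop.login(a_sid, "Customer A")
    # 3. Customer B clicks the same indexed link; Googlebot re-crawls it too.
    b_sid = shop.request("Mozilla/5.0 (Macintosh)", indexed)
    spider_sid = shop.request(GOOGLEBOT, indexed)
    return {"customer_b_seen_as": shop.whoami(b_sid),
            "spider_seen_as": shop.whoami(spider_sid)}
```

With both settings off, scenario(False, False) reports Customer B and the re-crawling spider as "Customer A", which is what Who's Online showed in the first post; either setting on its own already breaks the chain.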


Thanks Satish! That totally explains how it was possible to have that happen! :)


  • 3 years later...


I know that this thread is old, but I have the same problem as SometimesConfused in my osCommerce.

 

I made all the changes you suggested.

 

Yesterday I set "Force Cookie Use" to True, but my client has another error. He received 2 money deposits from clients but the orders aren't saved in the database. I think it was caused by "Force Cookie Use", so I have now set the variables like you said:

 

 

* Session Directory (ignore should be MySQL)

* Force Cookie Use false

* Check SSL Session ID false

* Check User Agent false

* Check IP Address false

* Prevent Spider Sessions true

* Recreate Session true

 

These errors have occurred since a malware infected my hosting (via .htaccess), but I cleaned it and restored a complete backup copy of the osCommerce, but the errors come back again. I don't know if SometimesConfused fixed the error but I need to solve this problem :unsure: . I have been working with osCommerce for a long time but never had an error like this. If those changes don't take effect, I am going to relocate the osCommerce to another hosting and... as a last attempt, I am thinking of changing the client fields, incorporating the address details in the customers table (saving 1 step in the shopping process).

 

Any suggestions?

 

Thanks for all


Archived

This topic is now archived and is closed to further replies.
