
Anti-hacker Account Mods, Secure your account pages


spooks


border issue

 

change

 

<table border="0" cellspacing="2" cellpadding="2" class="infoBox" width="100%">

 

to

 

<table border="0" cellspacing="1" cellpadding="2" class="infoBox" width="100%">

 

 

 

Your heading issue is Firefox only. To move all input boxes to allow more space, edit

 

<?php $colpos = '<tr><td width="100px">' . tep_draw_separator('pixel_trans.gif', '120px', '1') . '</td></tr>'; ?>

 

and increase the 100px to, say, 140px.

 

Those are fixed, thanks.

 

1) Re the login box - I just felt when it was full width it may confuse the new customers (some aren't clever -oops, did I say that?), so I reduced it to 50%. How can I make it display to the right of screen?

2) Wanted to change the heading "Customer Details" to "New Customer Details" - I can't find the text :(

 

Getting there....

 

PS

testing your mod reminds me how many redundant pages there are in checkout, too many places to lose the customer - high time they were improved so thanks.


I'm feeling lucky today......maybe someone will answer my post!

I do try and answer a simple post when I can just to give something back.

------------------------------------------------

PM me? - I'm not for hire


Those are fixed, thanks.

 

1) Re the login box - I just felt when it was full width it may confuse the new customers (some aren't clever -oops, did I say that?), so I reduced it to 50%. How can I make it display to the right of screen?

 

Just add a column before it, i.e.

 

 	<td width="50%"></td>

 

HTML Tuition http://www.w3schools.com/html/default.asp

 

2) Wanted to change the heading "Customer Details" to "New Customer Details" - I can't find the text :(

 

 

If the defines aren't in the same-named file in the english dir, they will be in english.php.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


Hi,

 

I just installed the v1.5 and I am now seeing these error messages in my log. I do have SecurityPro installed as well:

 

Undefined variable: hex in /home/webmaster/htdocs/catalog/includes/functions/account_secure.php on line 23

Undefined index: password in /home/webmaster/htdocs/catalog/create_account.php on line 18

Undefined index: confirmation in /home/webmaster/htdocs/catalog/create_account.php on line 19

 

I used a file compare program to compare my original with the v1.5 and seem to have copied everything I could find; any help would be appreciated. Thanks!

 

Joe


 

 

 

Can you say what versions you have of PHP/SQL/osC?


Yes, I am using RC2.2A, PHP 5.2.12, and MySQL 5.1.39.

 

 

Are you actually getting errors, or are you talking about notices?

 

In includes/application_top.php

 

change

 

error_reporting(E_ALL);

with:

error_reporting(E_ALL & ~E_NOTICE);


Just playing around with the PCI scan from McAfee.

 

I get this error after scan:

 

Potentially Exploitable Blind SQL Injection

 

Here is the text included:

Protocol http Port 80 Read Timeout 10000 Method GET Demo 
Path /advanced_search.php 
Query currency=NOK
keywords=0
search_in_description=(select+1)
categories_id=21
inc_subcat=1
manufacturers_id=10
pfrom=cfoutput
language=en

Headers Referer=http%3A%2F%2Fxxxx.in.no%2Fadvanced_search.php%3Fkeywords%3D0%26search_in_description%3D1%26categories_id%3D21%26inc_subcat%3D1%26manufacturers_id%3D10%26pfrom%3Dcfoutput%26language%3Den 

 

It only prefills the forms, and I don't think it can do anything.

I have installed this addon and all the others as explained in the security thread.

 

Any suggestions?

I would say it is a false positive, but want to hear some opinions on it.


Also found some improper error handling with this PCI scan.

 

When McAfee scans and tries to send a text string to the date field it generates this error at the top of the page and not as a normal osC error.

 

Warning: checkdate() expects parameter 3 to be long, string given in /home/inno/public_html/xxxxx/includes/modules/validate_name_fields.php on line 52

 

The normal error message also shows:

The date you have entered is invalid, please make corrections.

 

Is this improper error handling?


 

 

 

advanced_search.php does not accept any vars, so I'm not sure what it's doing, unless yours is modified.

 

advanced_search_result.php accepts the vars input in advanced_search.php via the query string, which should be cleaned by Security Pro, unless you have modified that page or Security Pro.


Also found some improper error handling with this PCI scan.

 

When McAfee scans and tries to send a text string to the date field it generates this error at the top of the page and not as a normal osC error.

 

Warning: checkdate() expects parameter 3 to be long, string given in /home/inno/public_html/xxxxx/includes/modules/validate_name_fields.php on line 52

 

The normal error message also shows:

The date you have entered is invalid, please make corrections.

 

Is this improper error handling?

 

 

Are you using the drop down? If so, how is McAfee entering text in a field that does not give that option?

 

The purpose of the checkdate is to check that the date entered is a valid date (i.e. not 30-02-2010). Param 3 is the year, but it uses tep_date_raw to extract that part of the date, so if tep_date_raw is not defined correctly in english.php that could cause an error.

 

I modified the original error messages, as that confused some visitors when they entered a date but it was rejected with "Date of Birth must be in this format: MM/DD/YYYY" yet they did use that format!!


Regarding the error message: it is because McAfee is remotely trying to post to the form with text in the dob field.

The information they get back is the error message at the top starting "Warning:".

I would say it is a false positive as no data has been posted, but I am not sure if the error should be there even if the data is wrong; should this error not be generated through the osC error system?

 

Path /create_account.php 
Headers Referer=http%3A%2F%2Fmaleri.in.no%2Fcreate_account.php%3FosCsid%3D24044884a5a7e443cdaf97e3f4b6fa0c
Content-Type=application%2Fx-www-form-urlencoded

Body action=process
gender=m
firstname=0
lastname=0
dob=http://www.mcafeesecure.com/help/scanner/5/rfi?
email_address=0
company=0
street_address=0
suburb=0
postcode=0
city=0
state=0
country=1
telephone=0
fax=0
newsletter=1
password=0
confirmation=0 


Regarding the advanced_search

 

The files are standard RC2A files and not modified. Should there be any modifications to this that I have overlooked?

 

The error states that:

Note: Scanner could execute "select" statement successfully.

 

It only prefills the form and I don't understand how it can execute any select statement.

It may be a false positive too, but I am not sure.


Regarding the error message: it is because McAfee is remotely trying to post to the form with text in the dob field.

The information they get back is the error message at the top starting "Warning:".

I would say it is a false positive as no data has been posted, but I am not sure if the error should be there even if the data is wrong; should this error not be generated through the osC error system?

 

 

Well, it's certainly an exceptional error, since it could not be created through the form. If you wish to catch the error, make this change in validate_name_fields.php:

 

after:

 

    if (ACCOUNT_DOB == 'true') {

 

add:

 

$entry_yr = substr(tep_date_raw($dob), 0, 4);

 

then after:

 

 $messageStack->add($messagePage, sprintf(ENTRY_DATE_OF_BIRTH_ERROR,ENTRY_MONTH));
   } 

 

add:

 

 

   if (intval($entry_yr) < 1900) {
     $error = true;
     $derror = true;
     $messageStack->add($messagePage, sprintf(ENTRY_DATE_OF_BIRTH_ERROR, ENTRY_YEAR));
   }

 

then change:

 

if (!$derror && checkdate($entry_mth, $entry_day, substr(tep_date_raw($dob), 0, 4)) == false) {

 

to

 

if (!$derror && checkdate($entry_mth, $entry_day, $entry_yr) == false) {

 

You will also need to add a define for ENTRY_YEAR.

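The change above guards checkdate() by pulling the year out first and range-checking it. As an added example, not code from the Anti-hacker Account Mods contribution or from osCommerce, the following stand-alone PHP script shows the same idea end to end: parse the typed date, reject anything that is not shaped like a date or is out of range, and only then call checkdate(). The function names parse_dob() and validate_dob() are assumptions, tep_date_raw() is replaced by an inline regex because the script runs outside the shop, and the MM/DD/YYYY format and the 1900 minimum year are taken from the thread. The sample inputs are constructed; the last one is the string the scanner posted.

```php
<?php
// Added example, not the contribution's code and not osCommerce code.
// parse_dob() and validate_dob() are hypothetical names for illustration.

// Parse a date in the shop's display format (assumed MM/DD/YYYY) into
// array(year, month, day) as ints, or null if the string is not even shaped
// like a date. This is the guard that keeps non-numeric input, such as a URL
// sent by a scanner, away from checkdate() and its "expects parameter 3 to be
// long" warning.
function parse_dob($dob)
{
    if (!is_string($dob)) {
        return null;
    }
    if (!preg_match('#^\s*(\d{1,2})/(\d{1,2})/(\d{4})\s*$#', $dob, $m)) {
        return null;
    }
    return array((int) $m[3], (int) $m[1], (int) $m[2]);
}

// Returns an array of error strings; an empty array means the date is acceptable.
function validate_dob($dob, $min_year = 1900)
{
    $errors = array();
    $parts = parse_dob($dob);
    if ($parts === null) {
        $errors[] = 'Date of Birth must be in this format: MM/DD/YYYY';
        return $errors;
    }
    list($year, $month, $day) = $parts;
    if ($month < 1 || $month > 12) {
        $errors[] = 'Month is out of range';
    }
    if ($day < 1 || $day > 31) {
        $errors[] = 'Day is out of range';
    }
    if ($year < $min_year) {
        $errors[] = 'Year is out of range';
    }
    // Only call checkdate() once every argument is a sane integer; it then
    // rejects impossible combinations such as 02/30/2010.
    if (empty($errors) && !checkdate($month, $day, $year)) {
        $errors[] = 'The date you have entered is invalid, please make corrections.';
    }
    return $errors;
}

// Constructed inputs, ending with the scanner's probe quoted in the thread.
$samples = array(
    '02/28/2010',
    '02/30/2010',
    '13/01/1985',
    '01/01/1850',
    'http://www.mcafeesecure.com/help/scanner/5/rfi?',
);
foreach ($samples as $s) {
    $errs = validate_dob($s);
    printf("%-50s %s\n", $s, empty($errs) ? 'OK' : implode('; ', $errs));
}
```

Run it with php on the command line. The scanner's string is rejected by the format check and never reaches checkdate(), so the shop reports it through its own message stack instead of a PHP warning at the top of the page. The same ordering applies to any PHP function that expects integers: establish shape and range first, then call it.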

Regarding the advanced_search

 

The files are standard RC2A files and not modified. Should there be any modifications to this that I have overlooked?

 

The error states that:

Note: Scanner could execute "select" statement successfully.

 

It only prefills the form and I don't understand how it can execute any select statement.

It may be a false positive too, but I am not sure.

 

 

Yes, a false positive, since advanced_search.php can do nothing with the data, and once the form is submitted that data will be sanitised by Security Pro.


Well, it's certainly an exceptional error, since it could not be created through the form. If you wish to catch the error, make this change in validate_name_fields.php:

 

I have made the changes and tried the demo from McAfee, and it is not showing the error at the top now, only in the messageStack.

 

I have started a revalidation and will see what that says.

Thanks.


Hello,

 

Will this fix the "Review Page" so that no one can put in code like this: "[w](o)%3Cr%3Ek|i*n^g"?

 

 

 

 

Add this, then put:

 

  require('includes/functions/account_secure.php');
 clean_post ();

 

at the start of product_reviews_write.php

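As an added example, not the contribution's clean_post() and not osCommerce code, this stand-alone PHP script shows the two layers that the advice above relies on: a recursive sanitiser applied to the posted fields on the way in, and HTML encoding of the review text on the way out. The names sanitise_value(), sanitise_request() and display_review() and the filtering rules are assumptions chosen for illustration; the sample request is constructed, with the string from the question URL-decoded as PHP would present it in $_POST, plus a NUL byte and a script tag appended.

```php
<?php
// Added example, not the contribution's own clean_post() and not osCommerce code.
// sanitise_value(), sanitise_request() and display_review() are hypothetical
// names for illustration.

// Recursively clean one posted value: strip control characters (including
// NUL), remove HTML/script tags, and trim surrounding whitespace. Nested
// arrays (e.g. checkbox groups) are walked with array_map, which keeps keys
// when given a single array.
function sanitise_value($value)
{
    if (is_array($value)) {
        return array_map('sanitise_value', $value);
    }
    $value = (string) $value;
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
    $value = strip_tags($value);
    return trim($value);
}

// Clean every field of a request array. In a page that processes form input
// this would be called with $_POST at the very top, before any field is read.
function sanitise_request(array $request)
{
    return sanitise_value($request);
}

// Encode review text for display so that whatever was stored is rendered as
// text, never as markup. This is the control that holds even if input
// filtering was bypassed or the data was written by another path.
function display_review($text)
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Constructed request standing in for $_POST on product_reviews_write.php.
$post = array(
    'products_id' => '12',
    'rating'      => '5',
    'review'      => "[w](o)<r>k|i*n^g\x00<script>alert(1)</script>",
);

$clean = sanitise_request($post);
echo "stored after filtering: ", $clean['review'], "\n";
echo "rendered:               ", display_review($clean['review']), "\n";
// Even the unfiltered value is harmless once it goes through output encoding.
echo "unfiltered but encoded: ", display_review($post['review']), "\n";
```

Output encoding is what actually stops stored review text from becoming markup in the page; the input filter only narrows what gets stored. Because strip_tags() also removes legitimate angle brackets from a review, a shop that wants to keep such characters can drop that line and rely on the encoding step alone, provided every place that prints reviews uses it.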

Hi there,

 

Desperately looking to get this on my site since my blog and test site were hacked a few weeks ago (thankfully my live site is on a different host so hasn't been hit in the same attack). Before I do I have a couple of questions, if you'd be so kind as to give me your thoughts (sorry if these are basic but I'm new to all this and am still trying to pick it all up):

 

1) I have a number of non-standard data fields in my create account and edit account pages which I introduced using the suggestions here (Additional Customer Fields). Most of these fields are drop-downs; does that therefore make them OK as-is (i.e. immune from the attacks this mod protects from)?

2) A couple of the fields, though, are standard text input fields and therefore need to be protected in some way. Is there an easy method for the inclusion of additional customer fields into your contribution?

 

I'd really appreciate any help.

 

Thanks

Daz


 

1) I have a number of non-standard data fields in my create account and edit account pages which I introduced using the suggestions here (Additional Customer Fields). Most of these fields are drop-downs; does that therefore make them OK as-is (i.e. immune from the attacks this mod protects from)?

2) A couple of the fields, though, are standard text input fields and therefore need to be protected in some way. Is there an easy method for the inclusion of additional customer fields into your contribution?

 

 

 

As you would see if you had a PCI scan done, the fact that an input uses a drop-down does not stop it being misused.

 

However, once added, all inputs are sanitised, whether default ones or new ones, so your new fields will be protected too.

 

You're right to query, though; there are some silly ideas out there. I've seen some disable pasting into fields as their sole security, as someone found that option and put it up as a security measure!! But that sort of thing would just lose you customers (as their usual auto form filling won't work) yet do nothing but stop the most casual hacker!!


Apologies if this has been answered already...can't see for looking...in your instructions you mention that

 

•Within the included files, all instances of $HTTP_POST_VARS are replaced with $_POST and $HTTP_GET_VARS with $_GET

 

Is that an instruction for this mod that we should do when manually updating our files or are you just stating that you've done this in your files?

 

Thus far the only issue I seem to be getting is that a customer who's created their own password (alphanumeric only) seems to be having their login attempt rejected and is forced to reset the password. Checking install again, but has anyone come across this?


Is that an instruction for this mod that we should do when manually updating our files or are you just stating that you've done this in your files?

 

 

 

$HTTP_POST_VARS and $HTTP_GET_VARS are deprecated, so you should always replace them when editing. Do not mix $HTTP_POST_VARS and $_POST etc. in a page, as that can cause issues on some servers.

 

 

Thus far the only issue I seem to be getting is that a customer who's created their own password (alphanumeric only) seems to be having their login attempt rejected and is forced to reset the password. Checking install again, but has anyone come across this?

 

 

Check your edits and settings, especially in password_funcs.php.
