Guest Posted June 25, 2011

I'd like to remove the ability of folks to inject header errors on the site, e.g. mysite.com/index.php?error_message=dont%20buy%20here!
Guest Posted June 25, 2011

Rob, read the Security forums.

Chris
Guest Posted June 25, 2011

Hi Chris, I thought this WAS the security forum? I did a search of the forums for "error_message" and only found this post and another one on a different topic. Let me know what I'm missing.
germ Posted June 25, 2011

This worked on my WAMP server. In /catalog/includes/header.php find this code:

```php
<?php
  if (isset($HTTP_GET_VARS['error_message']) && tep_not_null($HTTP_GET_VARS['error_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
  <tr class="headerError">
    <td class="headerError"><?php echo htmlspecialchars(stripslashes(urldecode($HTTP_GET_VARS['error_message']))); ?></td>
  </tr>
</table>
<?php
  }

  if (isset($HTTP_GET_VARS['info_message']) && tep_not_null($HTTP_GET_VARS['info_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
  <tr class="headerInfo">
    <td class="headerInfo"><?php echo htmlspecialchars(stripslashes(urldecode($HTTP_GET_VARS['info_message']))); ?></td>
  </tr>
</table>
<?php
  }
?>
```

Change to:

```php
<?php
  // Only render the messages when the request was referred from a page on this site.
  // The isset() guard avoids a PHP notice when the browser sent no Referer header;
  // with no Referer the messages are simply not shown.
  if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], HTTP_SERVER) !== false) {
    if (isset($HTTP_GET_VARS['error_message']) && tep_not_null($HTTP_GET_VARS['error_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
  <tr class="headerError">
    <td class="headerError"><?php echo htmlspecialchars(stripslashes(urldecode($HTTP_GET_VARS['error_message']))); ?></td>
  </tr>
</table>
<?php
    }

    if (isset($HTTP_GET_VARS['info_message']) && tep_not_null($HTTP_GET_VARS['info_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
  <tr class="headerInfo">
    <td class="headerInfo"><?php echo htmlspecialchars(stripslashes(urldecode($HTTP_GET_VARS['info_message']))); ?></td>
  </tr>
</table>
<?php
    }
  }
?>
```

The idea here is that it only displays the error_message and info_message if it was supplied by another page on the site.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
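The following is an added example, not code from this thread or from osCommerce, that puts the substring-based Referer check posted above beside a stricter host-based one and runs both over a few constructed Referer values. It assumes HTTP_SERVER is the store's base URL (as in configure.php) and uses hypothetical function names; the sample Referer strings are made up for the demonstration.

```php
<?php
// Added example (not from the thread or from osCommerce). HTTP_SERVER is
// assumed to hold the store's base URL, as it does in configure.php.
define('HTTP_SERVER', 'http://mysite.com');

// The check as posted: show the message if HTTP_SERVER appears anywhere in the Referer.
function referer_contains_server($referer) {
    return $referer !== null && strpos($referer, HTTP_SERVER) !== false;
}

// Stricter variant: compare only the Referer's host with HTTP_SERVER's host,
// so a foreign URL that merely embeds the site URL does not pass.
function referer_host_matches($referer) {
    if ($referer === null) {
        return false;
    }
    $ref = parse_url($referer);
    $own = parse_url(HTTP_SERVER);
    if ($ref === false || empty($ref['host']) || empty($own['host'])) {
        return false;
    }
    return strcasecmp($ref['host'], $own['host']) === 0;
}

// Constructed sample Referer values, as a visitor's browser might send them.
$samples = array(
    'same site'         => 'http://mysite.com/checkout_shipping.php',
    'no referer'        => null,
    'external page'     => 'http://evil.example/page.html',
    'site URL in query' => 'http://evil.example/?go=http://mysite.com/',
    'look-alike host'   => 'http://mysite.com.evil.example/',
);

foreach ($samples as $label => $referer) {
    printf("%-18s substring:%-5s host:%s\n",
        $label,
        referer_contains_server($referer) ? 'show' : 'hide',
        referer_host_matches($referer) ? 'show' : 'hide');
}
```

The last two rows are the ones that differ: a page on another host whose URL contains "http://mysite.com" in its query string, or a host such as mysite.com.evil.example, satisfies the strpos() test but not the host comparison. Either way the Referer header is supplied by the visitor's browser and is often stripped by privacy settings or on cross-scheme navigation, so this guard hides legitimate messages in those cases and cannot be relied on against a deliberately crafted request; it raises the bar for link-based injection, while the durable fix is to carry the message server-side (for example in the session) rather than in the query string.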
Guest Posted June 25, 2011

Thanks a ton germ, works like a charm :)
This topic is now archived and is closed to further replies.