Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

header errors error_message


Guest

Recommended Posts

I like to remove the ability of folks to inject header errors on the site, i.e. mysite.com/index.php?error_message=dont%20buy%20here!

Link to comment
Share on other sites

Hi Chris,

 

I thought this WAS the security forum?

 

I did a search of the forums for "error_message" and only found this post and another one on a different topic. Let me know what I'm missing.

Link to comment
Share on other sites

This worked on my WAMP server.

 

In /catalog/includes/header.php find this code:

 

<?php
 if (isset($HTTP_GET_VARS['error_message']) && tep_not_null($HTTP_GET_VARS['error_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
 <tr class="headerError">
   <td class="headerError"><?php echo htmlspecialchars(stripslashes(urldecode($HTTP_GET_VARS['error_message']))); ?></td>
 </tr>
</table>
<?php
 }

 if (isset($HTTP_GET_VARS['info_message']) && tep_not_null($HTTP_GET_VARS['info_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
 <tr class="headerInfo">
   <td class="headerInfo"><?php echo htmlspecialchars(stripslashes(urldecode($HTTP_GET_VARS['info_message']))); ?></td>
 </tr>
</table>
<?php
 }
?>

Change to:

 

<?php
 if ( strpos( $_SERVER['HTTP_REFERER'] , HTTP_SERVER )!== FALSE ) {

 if (isset($HTTP_GET_VARS['error_message']) && tep_not_null($HTTP_GET_VARS['error_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
 <tr class="headerError">
   <td class="headerError"><?php echo htmlspecialchars(stripslashes(urldecode($HTTP_GET_VARS['error_message']))); ?></td>
 </tr>
</table>
<?php
 }

 if (isset($HTTP_GET_VARS['info_message']) && tep_not_null($HTTP_GET_VARS['info_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
 <tr class="headerInfo">
   <td class="headerInfo"><?php echo htmlspecialchars(stripslashes(urldecode($HTTP_GET_VARS['info_message']))); ?></td>
 </tr>
</table>
<?php
 }

 }
?>

The idea here is that it only displays the error_message and info_message if it was supplied by another page on the site.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...