Mikepo Posted August 21, 2015

We have visitors using the following url to enter the site: http://domain/create_account.php

My question is, what are they attempting to do? And is there a vulnerability in the code they are trying? If I try this, the code returns with an account create success page, but no account is created. I'm using 2.3.4 BS gold. Anyone care to comment please.

Regards
Mike

osC CE live - developing osC Phoenix adding modules with no core changes (awesome and easy!)
Jack_mcs Posted August 21, 2015

It is difficult to say without knowing the domain name, but you first need to determine if people are getting to the page because it is listed with the search engines. If not, then it may be hackers trying to get it. But there are two issues:

1 - The create account page should use https, not http. If you don't have an ssl cert installed, you should do so. If you do, you need to change your code to force ssl for that page.

2 - Just visiting the create account page should not cause the success page to load. So if that is really what's happening, there is a problem with the code for that page.

Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons Get the latest versions of my addons Recommended SEO Addons
Mikepo Posted August 21, 2015 (Author)

Hi Jack,

I have SSL installed, so there is no problem there. The domain is warboyshardware.co.uk

I went to the create account page this morning, as I noticed a few people had directly, and the page returned account success, but no account was created. I tried again, just now, and the create account page appeared as normal. So I'm not sure what is happening..

Thanks for the reply
Mike
Jack_mcs Posted August 21, 2015

Yes, there is a problem with the ssl for that page. http://warboyshardware.co.uk/create_account.php should not work. It needs to be forced to ssl mode or your customers' data is not secure (same for login.php).

I visited that link and it stayed on that page so I can't think of any reason why it sometimes switches to the success page. All I can suggest is that you try to isolate the cause: does it happen in a specific browser? When a link is clicked or typed in? If you can get it to reliably fail, it should be easy to isolate. Otherwise, intermittent problems can be near impossible to fix.
Gauravs Posted August 21, 2015

A> We have visitors using the following url to enter the site
B> If I try this, the code returns with an account create success page. but no account is created.

Hi Mike,

Lots of bots are active on the net which do attempt to create accounts, so any activity showing up directly on create_account.php could be just one of the bots trying to spam and fill user accounts. It's to prevent bots that sites use CAPTCHA etc. and prevent creation of accounts.

Do you track the visitor path, user agent, IP address information etc. using tools like statcounter? If not, I suggest putting that in place just to see where the traffic originates from and the activity the bots / users could be doing.

Next you mention you tried and got an account success page... well I tried and it remains only on the create_account.php page. Would you list the steps to replicate the issue? I can access the account success page directly.. but that should not pose any risk / concern as the page contains nothing of importance..

Finally, as Jack has pointed out.. the site SSL is not functional... even if I type http://site/create_account.php.. it should automatically redirect to the https:// version.. please do check the issue with SSL not being enabled properly and fix it to benefit from the feature of encryption.

Best Regards, Gaurav
Mikepo Posted August 21, 2015 (Author)

Hi @@Gauravs @@Jack_mcs

I tried to replicate the issue but can't, I just typed in the address for the create account page and the account success page appeared.

As for SSL not functioning correctly, the create account link on the index page forces an SSL connection. I'm using OSc out of the box, with SSL set to true in the config file. (version 2.3.4 BS gold)

So how do you force an SSL connection if someone just types the page address directly into the browser?

Thanks for your advice.
Mike
Hotclutch Posted August 21, 2015

You only need to set the configure files correctly, very easy. Both your login and create account pages load in https. Your home page also loads in https.

http://www.oscommerce.com/forums/topic/233458-how-to-install-ssl-on-osc-a-simple-1-2-3-instruction/

(6) In includes/configure.php, set the SSL to "true"; it should look something like this near the top, if you assigned the SSL to www.yoursite.com:

define('HTTP_SERVER', 'http://www.yoursite.com');
define('HTTPS_SERVER', 'https://www.yoursite.com');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '.yoursite.com');
define('HTTPS_COOKIE_DOMAIN', '.yoursite.com');

(7) In admin/includes/configure.php, set the SSL to "true" and add an "s" after all the http's. So it'll look something like this, if assigned to www.yoursite.com:

define('HTTP_SERVER', 'https://www.yoursite.com/');
define('HTTP_CATALOG_SERVER', 'https://www.yoursite.com/');
define('HTTPS_CATALOG_SERVER', 'https://www.yoursite.com/');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
Mikepo Posted August 21, 2015 (Author)

@@Hotclutch, I have the configure.php set as you stated, except for 'HTTP_COOKIE_DOMAIN' & 'HTTPS_COOKIE_DOMAIN' which I've left as null:

define('HTTP_COOKIE_DOMAIN', '');
define('HTTPS_COOKIE_DOMAIN', '');

Is this OK? What do these parameters actually do? Other posts suggest leaving them null is ok.

Any further advice please

Regards
Mike
Hotclutch Posted August 21, 2015

Not sure to be honest. The default installation has them this way, which I have never had a problem with:

define('HTTP_COOKIE_DOMAIN', '');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
Jack_mcs Posted August 22, 2015

@@Mikepo Setting up the configure file correctly is the first step but that won't fix the problem of someone connecting directly to that page. To correctly fix it, you need to add the following to the .htaccess file in the root of your shop:

# Redirect plain-HTTP requests for the two pages that carry credentials and personal data to HTTPS.
# The [OR] joins the two page conditions, so the rule fires when HTTPS is off AND either page is requested.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} "(.*)/create_account\.php" [OR]
RewriteCond %{REQUEST_URI} "(.*)/login\.php"
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
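Gaurav's suggestion above to track where the create_account.php traffic comes from, and Jack's rewrite rule that forces that page and login.php onto HTTPS, can both be checked against the web server's access log. The script below is an added example, not code from this thread or from osCommerce; it assumes Apache "combined" log format and that the lines come from the plain-HTTP vhost log, and the IP addresses, user agents and log lines are constructed.

```python
import re
from collections import Counter

# Apache "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The two pages Jack's rewrite rule forces onto HTTPS.
SENSITIVE = ("/create_account.php", "/login.php")

# Constructed sample lines, assumed to be the plain-HTTP (port 80) vhost log, so a 2xx on a sensitive page means it was served in the clear.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Aug/2015:08:12:01 +0100] "GET /create_account.php HTTP/1.1" 200 8421 "-" "Mozilla/5.0 (compatible; SpamBot/1.0)"
203.0.113.5 - - [21/Aug/2015:08:12:02 +0100] "POST /create_account.php?action=process HTTP/1.1" 302 0 "-" "Mozilla/5.0 (compatible; SpamBot/1.0)"
198.51.100.9 - - [21/Aug/2015:08:15:40 +0100] "GET /index.php HTTP/1.1" 200 15300 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
198.51.100.9 - - [21/Aug/2015:08:15:55 +0100] "GET /create_account.php HTTP/1.1" 301 0 "http://warboyshardware.co.uk/index.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/40.0"
192.0.2.77 - - [21/Aug/2015:08:20:10 +0100] "GET /login.php HTTP/1.1" 200 7200 "-" "python-requests/2.7.0"
"""

def parse(log_text):
    """Yield one dict per well-formed line; unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def page(entry):
    return entry["path"].split("?", 1)[0]  # drop the query string

def cleartext_hits(entries):
    """Sensitive pages answered 2xx over plain HTTP: the HTTPS redirect is not in place."""
    return [(e["ip"], page(e)) for e in entries if page(e) in SENSITIVE and e["status"][0] == "2"]

def direct_agents(entries):
    """User agents reaching sensitive pages with no referer: typed in, or bots skipping the shop's own links."""
    return Counter(e["ua"] for e in entries if page(e) in SENSITIVE and e["referer"] == "-")

def form_posts(entries):
    """Account-form submissions per IP; only a POST of the form can lead to the success page."""
    return Counter(e["ip"] for e in entries if e["method"] == "POST" and page(e) == "/create_account.php")

def report(log_text):
    entries = list(parse(log_text))
    return {"cleartext": cleartext_hits(entries), "direct": direct_agents(entries), "posts": form_posts(entries)}

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Once the rewrite rule is live, the "cleartext" list should stay empty and every hit on those pages in the port-80 log should be a 301.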
Mikepo Posted August 22, 2015 (Author)

Hi Jack,

The RewriteConds work well, thanks for the advice. That solves the problem of people entering page addresses directly, but the initial issue is still a mystery.

Mike
Jack_mcs Posted August 22, 2015

As mentioned, if you can't reliably cause the problem it will be very difficult to fix. The only way that page can cause the success page to load is if the form on it was submitted, which it isn't when just visiting the page. But there is only one call to the success page in that file, so if I were having this problem, I would add some tracking code around that call to see if I could see how it is being called. That's about the only choice you have for an intermittent problem like this.