osCommerce


site visitors enter using http://domain/create_account.php


Mikepo

We have visitors using the following url to enter the site

 

http://domain/create_account.php

 

my question is, what are they attempting to do?  And is there a vulnerability in the code they are trying?

 

If I try this, the code returns with an account create success page, but no account is created.

 

I'm using 2.3.4 BS gold.

 

anyone care to comment please.

 

Regards

Mike

 

osC CE live - developing osC Phoenix adding modules with no core changes(awesome and easy!)


It is difficult to say without knowing the domain name, but you first need to determine if people are getting to the page because it is listed with the search engines. If not, then it may be hackers trying to get it.

 

But there are two issues:

 

1 - The create account page should use https not http. If you don't have an ssl cert installed, you should do so. If you do, you need to change your code to force ssl for that page.

 

2 - Just visiting the create account page should not cause the success page to load. So if that is really what's happening, there is a problem with the code for that page.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons


Hi Jack,

I have SSL installed, so there is no problem there.

 

the domain is warboyshardware.co.uk

 

I went to the create account page this morning, as I noticed a few people had directly, and the page returned account success, but no account was created.

 

I tried again, just now, and the create account page appeared as normal.  So I'm not sure what is happening..

 

thanks for the reply

Mike


Yes, there is a problem with the ssl for that page. http://warboyshardware.co.uk/create_account.php should not work. It needs to be forced to ssl mode or your customers' data is not secure (same for login.php).

 

I visited that link and it stayed on that page so I can't think of any reason why it sometimes switches to the success page. All I can suggest is that you try to isolate the cause: does it happen in a specific browser? When a link is clicked or typed in? If you can get it to reliably fail, it should be easy to isolate. Otherwise, intermittent problems can be near impossible to fix.


A> We have visitors using the following url to enter the site

 

 B> If I try this, the code returns with an account create success page. but no account is created.

Hi Mike,

 

Lots of bots are active on the net which do attempt to create accounts, so any activity showing up directly on create_account.php could be just one of the bots trying to spam and fill user accounts. It's to prevent bots that sites use CAPTCHA etc. and prevent the creation of accounts. Do you track the visitor path, user agent, IP address information etc. using tools like statcounter? If not, I suggest putting that in place just to see where the traffic originates from and the activity the bots / users could be doing.

 

Next you mention you tried and got an account success page... well I tried and it remains only on the create_account.php page. Would you list the steps to replicate the issue? I can access the account success page directly.. but that should not pose any risk / concern as the page contains nothing of importance..

 

Finally, as Jack has pointed out.. the site SSL is not functional... even if I type http://site/create_account.php.. it should automatically redirect to the https:// version.. please do check the issue with SSL not being enabled properly and fix it to benefit from the feature of encryption.

Best Regards,
Gaurav

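As an added example (not code from this thread or from osCommerce), the kind of tracking Gaurav suggests can be done from the web server's own access log rather than a third-party counter. The script below groups every hit on create_account.php by client IP and flags the patterns that separate bots from people who typed the address: a POST from an IP that never loaded the form, bursts of POSTs, and crawler or scripted user agents. The log lines in SAMPLE_LOG are constructed for the example (documentation IP ranges, a made-up host shop.example); a real run would read the shop's access log instead.

```python
"""Triage hits on create_account.php from an Apache/nginx 'combined' access log.

Added example, not code from the thread or from osCommerce. The log lines in
SAMPLE_LOG are constructed for the example; the IP addresses are documentation
ranges (RFC 5737) and the shop host 'shop.example' is made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# One line of the 'combined' log format: ip ident user [time] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TARGET = "/create_account.php"
# Substrings (lower-case) that mark crawlers and scripted HTTP clients
SCRIPTED_UA = ("bot", "crawler", "spider", "python-requests", "curl/", "wget/", "go-http-client")

SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:08:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/44.0"
203.0.113.7 - - [10/Mar/2016:08:01:40 +0000] "GET /create_account.php HTTP/1.1" 200 4210 "https://shop.example/index.php" "Mozilla/5.0 (Windows NT 10.0) Firefox/44.0"
203.0.113.7 - - [10/Mar/2016:08:03:05 +0000] "POST /create_account.php HTTP/1.1" 302 0 "https://shop.example/create_account.php" "Mozilla/5.0 (Windows NT 10.0) Firefox/44.0"
198.51.100.23 - - [10/Mar/2016:08:05:01 +0000] "POST /create_account.php HTTP/1.1" 302 0 "-" "python-requests/2.9.1"
198.51.100.23 - - [10/Mar/2016:08:05:02 +0000] "POST /create_account.php HTTP/1.1" 302 0 "-" "python-requests/2.9.1"
198.51.100.23 - - [10/Mar/2016:08:05:03 +0000] "POST /create_account.php HTTP/1.1" 302 0 "-" "python-requests/2.9.1"
192.0.2.99 - - [10/Mar/2016:08:09:30 +0000] "GET /create_account.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def analyze(log_text, burst_count=3, burst_window=60):
    """Group create_account.php hits by client IP and return {ip: [findings]}.

    Only IPs with at least one finding are returned. A 'direct hit' on its own
    is normal for a typed or bookmarked URL; the other findings point at bots.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == TARGET:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        gets = [r for r in recs if r["method"] == "GET"]
        posts = [r for r in recs if r["method"] == "POST"]
        notes = []
        if any(r["referer"] == "-" for r in gets):
            notes.append("direct hit on the form (no Referer)")
        if posts and (not gets or posts[0]["ts"] < gets[0]["ts"]):
            notes.append("form submitted without loading it first")
        for ua in sorted({r["ua"] for r in recs}):
            if any(s in ua.lower() for s in SCRIPTED_UA):
                notes.append(f"crawler/scripted user agent: {ua}")
        # burst_count POSTs inside burst_window seconds: automated submissions
        for i in range(len(posts) - burst_count + 1):
            span = (posts[i + burst_count - 1]["ts"] - posts[i]["ts"]).total_seconds()
            if span <= burst_window:
                notes.append(f"{burst_count} POSTs within {int(span)}s")
                break
        if notes:
            findings[ip] = notes
    return findings


if __name__ == "__main__":
    for ip, notes in analyze(SAMPLE_LOG).items():
        print(ip)
        for n in notes:
            print("   ", n)
```

On the constructed sample the real shopper (203.0.113.7) produces no findings, the python-requests client is flagged three ways, and the crawler is flagged for arriving directly with a bot user agent. The thresholds (three POSTs in a minute) are arbitrary starting points; tune them against the shop's own traffic.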

Hi @Gauravs @Jack_mcs

 

I tried to replicate the issue but can't, I just typed in the address for the create account page and the account success page appeared.

 

As for SSL not functioning correctly, the create account link on the index page forces an SSL connection.  I'm using osC out of the box, with SSL set to true in the config file. (version 2.3.4 BS gold)

 

So how do you force a SSL connection if someone just types the page address directly into the browser?

 

thanks for your advice.

Mike


You only need to set the configure files correctly, very easy. Both your login and create account pages load in https. Your home page also loads in https.

 

http://www.oscommerce.com/forums/topic/233458-how-to-install-ssl-on-osc-a-simple-1-2-3-instruction/

 

(6) In includes/configure.php set the SSL to "true"; it should look something like this near the top, if you assigned the SSL to www.yoursite.com:
define('HTTP_SERVER', 'http://www.yoursite.com');
define('HTTPS_SERVER', 'https://www.yoursite.com');
define('ENABLE_SSL', true); // secure webserver for checkout procedure?
define('HTTP_COOKIE_DOMAIN', '.yoursite.com');
define('HTTPS_COOKIE_DOMAIN', '.yoursite.com');


(7) In admin/includes/configure.php set the SSL to "true" and add an "s" after all the http's. So it'll look something like this, if assigned to www.yoursite.com:
define('HTTP_SERVER', 'https://www.yoursite.com/');
define('HTTP_CATALOG_SERVER', 'https://www.yoursite.com/');
define('HTTPS_CATALOG_SERVER', 'https://www.yoursite.com/');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module


@Hotclutch, I have the configure.php set as you stated, except for 'HTTP_COOKIE_DOMAIN' & 'HTTPS_COOKIE_DOMAIN' which I've left as null

 

define('HTTP_COOKIE_DOMAIN', '');
define('HTTPS_COOKIE_DOMAIN', '');

 

is this OK?

 

what do these parameters actually do.  other posts suggest leaving them null is ok.

 

Any further advice please

 

Regards

 

Mike


Not sure to be honest. The default installation has them this way, which i have never had a problem with:

  define('HTTP_COOKIE_DOMAIN', '');
  define('HTTPS_COOKIE_DOMAIN', '');
  define('HTTP_COOKIE_PATH', '/');
  define('HTTPS_COOKIE_PATH', '/');

@@Mikepo Setting up the configure file correctly is the first step but that won't fix the problem of someone connecting directly to that page. To correctly fix it, you need to add the following to the .htaccess file in the root of your shop:

RewriteEngine On
# Request arrived over plain HTTP for one of the two account pages:
# send a permanent redirect to the same path on HTTPS and stop processing rules
# (if TLS is terminated by a proxy in front of Apache, test %{HTTP:X-Forwarded-Proto} instead of %{HTTPS})
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} "(.*)/create_account\.php" [OR]
RewriteCond %{REQUEST_URI} "(.*)/login\.php"
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


Hi Jack,

 

The RewriteConds work well, thanks for the advice.  That solves the problem of people entering page addresses directly, but the initial issue is still a mystery.

 

Mike


As mentioned, if you can't reliably cause the problem it will be very difficult to fix. The only way that page can cause the success page to load is if the form on it was submitted, which it isn't when just visiting the page. But there is only one call to the success page in that file so if I were having this problem, I would add some tracking code around that call to see if I could see how it is being called. That's about the only choice you have for an intermittent problem like this. 

