osCommerce

security problem?


jjanguda

In order to use the 'Tell a Friend' feature, users have to log in first.

Once they send an email from the website, the email contains the session ID as well, like this:

http://mystore.com/product_info.php?products_id=6&osCsid=5b02957739f406383620a37effff2f1c

How do I get rid of &osCsid=5b02957739f406383620a37effff2f1c?

Thanks for any help.


Do you have cookies and sessions working correctly on your site? Does the session id disappear from the address bar after a few clicks?

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)


Thanks for your help.

This is exactly what happens.

When I use the 'tell a friend' feature without logging in, it asks me to log in. Once I log in, the page automatically moves to the tell a friend page. The email that I typed is already there. If I send it, I get a session id in my email.

However, if I log in first and then use the tell a friend feature, it's ok.. it does not include a session id.

This is my catalog/configure.php file and my root folder is public_html.

 define('HTTP_SERVER', 'http://mystore.com'); // eg, http://localhost - should not be empty for productive servers
 define('HTTPS_SERVER', 'https://host100.ipowerweb.com/~username'); // eg, https://localhost - should not be empty for productive servers
 define('ENABLE_SSL', true); // secure webserver for checkout procedure?
 define('HTTP_COOKIE_DOMAIN', 'mystore.com');
 define('HTTPS_COOKIE_DOMAIN', 'host100.ipowerweb.com/~username');
 define('HTTP_COOKIE_PATH', '/');
 define('HTTPS_COOKIE_PATH', '/');
 define('DIR_WS_HTTP_CATALOG', '/');
 define('DIR_WS_HTTPS_CATALOG', '/');
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');

 define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
 define('DIR_FS_CATALOG', '/home/username/public_html/');
 define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
 define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

and when I click clickable products a few times, the session id disappears.


OK, that describes the situation pretty well. I'll experiment and see if I can replicate the problem. Could be a bug.

For me it works fine on a test server, no session id.


One thing confuses me about your post. You say (or imply) that you can compose the email before you log in. Is that true?

Do you see the session id in the address bar when you are in the Tell a Friend screen?

Last but not least, what version of osC are you running?


When I type "[email protected]" in a black box and click a yellow envelope before I log in, I'm stuck on the login page. (In other words, I can't send an email unless I log in first.) On this particular page, the URL contains https:// and a session ID (because it's the login page, as you know).

Once I log in by typing my email address and password, the page automatically moves to the tell_a_friend.php file and the email address that I typed before I logged in (in this case [email protected]) is already filled in.. What I have to do is type my friend's name and a text message for him, and click the Continue button.

In this page, the URL also contains the session ID which I saw above..

And this session ID will be included in the email I send to my friend.

And my osc version is 2.2

Thanks for your help, AlanR.

Hope this will help you understand the situation better.


I tried it on a test server and I don't get the session id when I hit the Tell a Friend screen.

Give me a couple of minutes and I'll set up a test account and you can tell us if you see any differences between your system and mine.


I found the differences.

Yours:   https://www.tentativa.com/catalog/login.php
Mine:    https://host100.ipowerweb.com/~username/login.php?osCsid=5b02957739f406383620a37effff2f1c

yours: https://www.tentativa.com/catalog/[email protected]&products_id=24
mine:  https://host100.ipowerweb.com/~username/[email protected]&products_id=15&osCsid=5b02957739f406383620a37effff2f1c

Your Message

Hi Test!

Your friend, test test, thought that you would be interested in Disciples: Sacred Lands from Tentativa Test Store.

Test

To view the product click on the link below or copy and paste the link into your web browser:

http://www.tentativa.com/catalog/product_info.php?products_id=24

Regards,

Tentativa Test Store
http://www.tentativa.com/catalog/

My message

Hi test!

Your friend, hyeon jeon, thought that you would be interested in Frantic from MYSTORE.com.

test

To view the product click on the link below or copy and paste the link into your web browser:

http://mystore.com/product_info.php?products_id=15&osCsid=5b02957739f406383620a37effff2f1c

Regards,

mystore.com
http://mystore.com/

Maybe my configure setting is not good..
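The two URL pairs above, read against the configure.php posted earlier in the thread, are the point a reviewer would flag. In stock osCommerce 2.2 the session id only rides in the URL while the shop has not yet seen its own session cookie come back from the browser, and the posted HTTPS_COOKIE_DOMAIN is 'host100.ipowerweb.com/~username', a host plus a path, which is not a value a browser will accept as a cookie domain. Whether that is the whole cause on this site is an assumption on my part; what is certain is that a product link carrying osCsid hands the sender's session identifier to the recipient and to every mail server in between. The PHP below is an added example, not code from osCommerce or from anyone in this thread: it checks a cookie-domain value for things a browser cannot honour, and strips a named query parameter (osCsid by default) from a URL before that URL is put into a mail body. The constant names come from the posted configure.php; both function names are my own, and the sample values at the bottom are the ones quoted in this thread.

```php
<?php
// Added example, not osCommerce code. Two defensive checks for the situation
// in this thread: (1) reject cookie-domain settings a browser cannot honour,
// (2) strip the session-id parameter from a URL before it goes into e-mail.
// cookie_domain_problems() and strip_query_param() are names chosen here.

// Returns a list of problems with a cookie-domain value, empty if it is
// usable. A cookie domain is a host name (optionally with a leading dot);
// a scheme, port, path or "~user" segment makes the Set-Cookie header
// invalid and the browser silently drops the session cookie.
function cookie_domain_problems($domain)
{
    $problems = array();
    if ($domain === '') {
        return $problems; // empty means "current host", which is fine
    }
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $domain)) {
        $problems[] = 'contains a URL scheme';
    }
    if (strpos($domain, '/') !== false) {
        $problems[] = 'contains a path component';
    }
    if (strpos($domain, ':') !== false) {
        $problems[] = 'contains a port';
    }
    if (!preg_match('#^\.?([a-z0-9-]+\.)*[a-z0-9-]+$#i', $domain)) {
        $problems[] = 'is not a plain host name';
    }
    return $problems;
}

// Removes one query parameter (the session id by default) from a URL while
// leaving the scheme, host, path, other parameters and fragment untouched.
function strip_query_param($url, $name = 'osCsid')
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['query'])) {
        return $url; // nothing to strip
    }
    parse_str($parts['query'], $params);
    unset($params[$name]);

    $rebuilt = '';
    if (isset($parts['scheme']))   $rebuilt .= $parts['scheme'] . '://';
    if (isset($parts['host']))     $rebuilt .= $parts['host'];
    if (isset($parts['port']))     $rebuilt .= ':' . $parts['port'];
    if (isset($parts['path']))     $rebuilt .= $parts['path'];
    if (count($params) > 0)        $rebuilt .= '?' . http_build_query($params);
    if (isset($parts['fragment'])) $rebuilt .= '#' . $parts['fragment'];
    return $rebuilt;
}

// Sample values constructed from the settings and link quoted in this thread.
$settings = array(
    'HTTP_COOKIE_DOMAIN'  => 'mystore.com',
    'HTTPS_COOKIE_DOMAIN' => 'host100.ipowerweb.com/~username',
);
foreach ($settings as $key => $value) {
    $problems = cookie_domain_problems($value);
    echo $key, ' = ', $value, ': ',
         (count($problems) ? implode(', ', $problems) : 'ok'), "\n";
}

$link = 'http://mystore.com/product_info.php?products_id=15&osCsid=5b02957739f406383620a37effff2f1c';
echo strip_query_param($link), "\n";
```

Stripping the parameter only protects the mail path; the fix for the site itself is a cookie domain the browser will keep, so that links stop carrying the id at all. Running the check against the two posted values reports the HTTP domain as usable and the HTTPS one as containing a path and not being a plain host name, which is exactly the difference between AlanR's stock install and this one.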


Another thing I'd like to know about your tell a friend feature.. is the hyperlink function.

http://www.tentativa.com/catalog/product_i...?products_id=24

http://www.tentativa.com/catalog/

These two links in the email I got are hyperlinked.. and clickable..

But mine are not.. how can I do that?

BTW, thanks for your kind help.. I really appreciate it.


The installation I linked you to is an absolutely stock install, no changes at all.


Your configure file looks fine.

What version of tell_a_friend.php do you have? Look at the top few lines.

Mine is $Id: tell_a_friend.php,v 1.42 2003/06/11 17:35:01 hpdl Exp $


I do have the same problem..

When I get an email from the tell_a_friend.php page, the http:// link and my website address are not hyperlinked.. It's text only...

Just in case, here's my tell_a_friend.php file code..

<?php
/*
 $Id: tell_a_friend.php,v 1.42 2003/06/11 17:35:01 hpdl Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2003 osCommerce

 Released under the GNU General Public License
*/

 require('includes/application_top.php');

 if (!tep_session_is_registered('customer_id') && (ALLOW_GUEST_TO_TELL_A_FRIEND == 'false')) {
   $navigation->set_snapshot();
   tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
 }

 $valid_product = false;
 if (isset($HTTP_GET_VARS['products_id'])) {
   $product_info_query = tep_db_query("select pd.products_name, p.products_image from " . TABLE_PRODUCTS . " p, " . TABLE_PRODUCTS_DESCRIPTION . " pd where p.products_status = '1' and p.products_id = '" . (int)$HTTP_GET_VARS['products_id'] . "' and p.products_id = pd.products_id and pd.language_id = '" . (int)$languages_id . "'");
   if (tep_db_num_rows($product_info_query)) {
     $valid_product = true;

     $product_info = tep_db_fetch_array($product_info_query);
   }
 }

 if ($valid_product == false) {
   tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
 }

 require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_TELL_A_FRIEND);

 if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process')) {
   $error = false;

   $to_email_address = tep_db_prepare_input($HTTP_POST_VARS['to_email_address']);
   $to_name = tep_db_prepare_input($HTTP_POST_VARS['to_name']);
   $from_email_address = tep_db_prepare_input($HTTP_POST_VARS['from_email_address']);
   $from_name = tep_db_prepare_input($HTTP_POST_VARS['from_name']);
   $message = tep_db_prepare_input($HTTP_POST_VARS['message']);

   if (empty($from_name)) {
     $error = true;

     $messageStack->add('friend', ERROR_FROM_NAME);
   }

   if (!tep_validate_email($from_email_address)) {
     $error = true;

     $messageStack->add('friend', ERROR_FROM_ADDRESS);
   }

   if (empty($to_name)) {
     $error = true;

     $messageStack->add('friend', ERROR_TO_NAME);
   }

   if (!tep_validate_email($to_email_address)) {
     $error = true;

     $messageStack->add('friend', ERROR_TO_ADDRESS);
   }

   if ($error == false) {
     $email_subject = sprintf(TEXT_EMAIL_SUBJECT, $from_name, STORE_NAME);
     $email_body = sprintf(TEXT_EMAIL_INTRO, $to_name, $from_name, $product_info['products_name'], STORE_NAME) . "\n\n";

     if (tep_not_null($message)) {
       $email_body .= $message . "\n\n";
     }
// Show product image in email BOF
      $email_body .= tep_image(HTTP_SERVER . DIR_WS_CATALOG . DIR_WS_IMAGES . $product_info['products_image'], addslashes($product_info['products_name']), SMALL_IMAGE_WIDTH, SMALL_IMAGE_HEIGHT, 'hspace="5" vspace="5"') . "\n";
// Show product image in email EOF

     $email_body .= sprintf(TEXT_EMAIL_LINK, tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id'])) . "\n\n" .
                    sprintf(TEXT_EMAIL_SIGNATURE, STORE_NAME . "\n" . HTTP_SERVER . DIR_WS_CATALOG . "\n");

     tep_mail($to_name, $to_email_address, $email_subject, $email_body, $from_name, $from_email_address);
     
     tep_mail($to_name, STORE_OWNER_EMAIL_ADDRESS , 'Copy of Tell a Friend', $email_body, $from_name, $from_email_address);

     $messageStack->add_session('header', sprintf(TEXT_EMAIL_SUCCESSFUL_SENT, $product_info['products_name'], tep_output_string_protected($to_name)), 'success');

     tep_redirect(tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']));
   }
 } elseif (tep_session_is_registered('customer_id')) {
   $account_query = tep_db_query("select customers_firstname, customers_lastname, customers_email_address from " . TABLE_CUSTOMERS . " where customers_id = '" . (int)$customer_id . "'");
   $account = tep_db_fetch_array($account_query);

   $from_name = $account['customers_firstname'] . ' ' . $account['customers_lastname'];
   $from_email_address = $account['customers_email_address'];
 }

 $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_TELL_A_FRIEND, 'products_id=' . $HTTP_GET_VARS['products_id']));
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE; ?></title>
<base href="<?php echo (($request_type == 'SSL') ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
<table width="900" border="0" align="center" cellpadding="0" cellspacing="0">
 <tr>
   <td><img src="images/top_banner.gif" width="900" height="165"></td>
 </tr>
 <tr>
   <td>
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->

<!-- body //-->
<table border="0" width="100%" cellspacing="3" cellpadding="3">
 <tr>
   <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2">
<!-- left_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_left.php'); ?>
<!-- left_navigation_eof //-->
   </table></td>
<!-- body_text //-->
   <td width="100%" valign="top"><?php echo tep_draw_form('email_friend', tep_href_link(FILENAME_TELL_A_FRIEND, 'action=process&products_id=' . $HTTP_GET_VARS['products_id'])); ?><table border="0" width="100%" cellspacing="0" cellpadding="0">
     <tr>
       <td><table border="0" width="100%" cellspacing="0" cellpadding="0">
         <tr>
           <td class="pageHeading"><?php echo sprintf(HEADING_TITLE, $product_info['products_name']); ?></td>
           <td class="pageHeading" align="right"><?php echo tep_image(DIR_WS_IMAGES . 'table_background_contact_us.gif', sprintf(HEADING_TITLE, $product_info['products_name']), HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>
         </tr>
       </table></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
<?php
 if ($messageStack->size('friend') > 0) {
?>
     <tr>
       <td><?php echo $messageStack->output('friend'); ?></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
<?php
 }
?>
     <tr>
       <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
         <tr>
           <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
             <tr>
               <td class="main"><b><?php echo FORM_TITLE_CUSTOMER_DETAILS; ?></b></td>
               <td class="inputRequirement" align="right"><?php echo FORM_REQUIRED_INFORMATION; ?></td>
             </tr>
           </table></td>
         </tr>
         <tr>
           <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
             <tr class="infoBoxContents">
               <td><table border="0" cellspacing="0" cellpadding="2">
                 <tr>
                   <td class="main"><?php echo FORM_FIELD_CUSTOMER_NAME; ?></td>
                   <td class="main"><?php echo tep_draw_input_field('from_name'); ?></td>
                 </tr>
                 <tr>
                   <td class="main"><?php echo FORM_FIELD_CUSTOMER_EMAIL; ?></td>
                   <td class="main"><?php echo tep_draw_input_field('from_email_address'); ?></td>
                 </tr>
               </table></td>
             </tr>
           </table></td>
         </tr>
         <tr>
           <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
         </tr>
         <tr>
           <td class="main"><b><?php echo FORM_TITLE_FRIEND_DETAILS; ?></b></td>
         </tr>
         <tr>
           <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
             <tr class="infoBoxContents">
               <td><table border="0" cellspacing="0" cellpadding="2">
                 <tr>
                   <td class="main"><?php echo FORM_FIELD_FRIEND_NAME; ?></td>
                   <td class="main"><?php echo tep_draw_input_field('to_name') . ' <span class="inputRequirement">' . ENTRY_FIRST_NAME_TEXT . '</span>'; ?></td>
                 </tr>
                 <tr>
                   <td class="main"><?php echo FORM_FIELD_FRIEND_EMAIL; ?></td>
                   <td class="main"><?php echo tep_draw_input_field('to_email_address') . ' <span class="inputRequirement">' . ENTRY_EMAIL_ADDRESS_TEXT . '</span>'; ?></td>
                 </tr>
               </table></td>
             </tr>
           </table></td>
         </tr>
         <tr>
           <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
         </tr>
         <tr>
           <td class="main"><b><?php echo FORM_TITLE_FRIEND_MESSAGE; ?></b></td>
         </tr>
         <tr>
           <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
             <tr class="infoBoxContents">
               <td><?php echo tep_draw_textarea_field('message', 'soft', 40, 8); ?></td>
             </tr>
           </table></td>
         </tr>
       </table></td>
     </tr>
     <tr>
       <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '10'); ?></td>
     </tr>
     <tr>
       <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
         <tr class="infoBoxContents">
           <td><table border="0" width="100%" cellspacing="0" cellpadding="2">
             <tr>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
               <td><?php echo '<a href="' . tep_href_link(FILENAME_PRODUCT_INFO, 'products_id=' . $HTTP_GET_VARS['products_id']) . '">' . tep_image_button('button_back.gif', IMAGE_BUTTON_BACK) . '</a>'; ?></td>
               <td align="right"><?php echo tep_image_submit('button_continue.gif', IMAGE_BUTTON_CONTINUE); ?></td>
               <td width="10"><?php echo tep_draw_separator('pixel_trans.gif', '10', '1'); ?></td>
             </tr>
           </table></td>
         </tr>
       </table></td>
     </tr>
   </table></form></td>
<!-- body_text_eof //-->
   <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="2">
<!-- right_navigation //-->
<?php require(DIR_WS_INCLUDES . 'column_right.php'); ?>
<!-- right_navigation_eof //-->
   </table></td>
 </tr>
</table>
<!-- body_eof //-->

<!-- footer //-->
<?php require(DIR_WS_INCLUDES . 'footer.php'); ?>
<!-- footer_eof //-->
<br>
 </td>
 </tr>
 <tr>
   <td> </td>
 </tr>
 <tr>
   <td> </td>
 </tr>
 <tr>
   <td> </td>
 </tr>
</table>
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>


Does anyone know how to get an http:// link in the tell_a_friend email?

I think it's default.. but the URL link and website address are not hyperlinked..

How can I make this feature work?

Thanks for any help.
