213 replies to this topic

[rossoe]

Alex

I will be adding some links on the oscommerce header to take the user back to phpbb2 side

do I need to make sure they go through "trans_phpbb"  or can I just create direct links ?

[AlexStudio]

anderskiel, on Jan 19 2007, 03:40 AM, said:

This is sligtly off topic, but could maybe be incorpoated as an antispam measure!

AlexStudio you seem to be quite familiar with this code by now. I seem to be getting an awful lot of spam-users in the forum. Some register to promote websites others just seem to be pointless bot-registrations. Due to the redirecting  for registration i have a feeling that these bots simply search for the

www.yoursite.com/phpbb2/profile.php?mode=register&agreed=true

page. Currently registrations go via the "agree to terms page" to the osc registration page. Then via an ekstra link to phpbb2 registration.
What i'm thinking is... If we change the name of the phpbb2 registration page we might be able to keep the bots trom registration. My problem is that I can't find the place to change that url. Any advise?

Anders

I did find this in my phpBB2 also, I have mine fixed by killing those attempts by the method you mentioned. Here is how I did it:

Find in phpbb2/includes/usercp_registere.php line 37-41:

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
	exit;
}

Add after:

//// BOF osCommerce phpBB2 Integration v1.0
include($phpbb_root_path . 'includes/trans_osc.php');
if ($mode == 'register' && (isset($HTTP_GET_VARS['agreed']) || isset($HTTP_POST_VARS['agreed']))) {
	die("Hacking attempt");
	exit;
}
//// EOF osCommerce phpBB2 Integration v1.0

This will kill all direct accesses to this file.

[AlexStudio]

rossoe, on Jan 19 2007, 04:25 AM, said:

**** UPDATE TO POST ABOVE  ****

I just changed -
'S_LOGIN_ACTION' => append_sid(HTTPS_SERVER . DIR_WS_HTTP_CATALOG . 'login.php?action=process&redirect=portal.php'),

in "page_header" which solved the login from the box on portal front page.
My last problem is any attempt to logoff still takes me back to index.php

I can't understand why if I'm setting   as you told me to - how can it still goto index.php after logging out ??

I am not familiar with portal, so I don't know how exactly the logoff in box is doing.

However, there is an 'ugly' workaround by adding a line in index.php to redirectly users to portal.php, no matter where they came from. Just that the session in store will not be cleanned up and users are still logged in with the store.

[AlexStudio]

rossoe, on Jan 22 2007, 01:37 AM, said:

Alex

I will be adding some links on the oscommerce header to take the user back to phpbb2 side

do I need to make sure they go through "trans_phpbb"  or can I just create direct links ?

Please utilize the trans_phpbb.php and add redirect target to point to what ever file in phpbb2 you want.

[rossoe]

Good idea with the spam bot prevention.

The logoff is just the same as normal phpbb2 - it's in the header which I keep the same. so it's odd that's it's not working as desired when I make the adjustment to login.php

header('Location: ' .HTTPS_SERVER . DIR_WS_HTTP_CATALOG . 'logoff.php?redirect=portal.php&osCsid=' . $osCsid);

Any joy with the amendments to allow admin to delete users ? - as I imagine I'm going to get a few spam one's I'll need to kill.

[AlexStudio]

phpBB2 Integration v1.2 update released.

Changes in v1.2:

• Added to kill hacking attempts which called up register page directly by spam bots.
  
• Added to delete phpBB2 user records when deleting customers in osCom admin.
  
• Commented out deleting user in phpBB admin page. Now can only delete customer and user account at the same time in osCom admin page.

[rossoe]

Superb !  will I be able to update from previous release without too many probs ?  as I can't do a fresh install.

AlexStudio, on Jan 23 2007, 11:14 AM, said:

phpBB2 Integration v1.2 update released.

Changes in v1.2:

• Added to kill hacking attempts which called up register page directly by spam bots.
  
• Added to delete phpBB2 user records when deleting customers in osCom admin.
  
• Commented out deleting user in phpBB admin page. Now can only delete customer and user account at the same time in osCom admin page.

[AlexStudio]

rossoe, on Jan 23 2007, 07:22 PM, said:

Superb !  will I be able to update from previous release without too many probs ?  as I can't do a fresh install.

well yes, it's easy enough and well documented in the install guide. 2 phpBB2 files drop in (might need to modify them manually if phpBB2 heavily modified) and 2 more osCommerce files modified.

[AlexStudio]

rossoe, on Jan 22 2007, 06:59 AM, said:

The logoff is just the same as normal phpbb2 - it's in the header which I keep the same. so it's odd that's it's not working as desired when I make the adjustment to login.php

I think I know why your logoff sends users to index.php. Fine in catalog/trans_phpbb.php line 26:

  } else $forward_page = 'index.php';

Change it to:

  } else $forward_page = 'portal.php';

Hope this works for you.

[rossoe]

thankyou, I'll give that a go tonight. I'm nearly finished with the site now, all I need is the MID from the bank and I'll snap on the protx module. plus a few style template changes on oscommerce side.

check it out - http://www.quantumproduct.co.uk

without your help it would not have been possible for me to get this working so ta

Edited by rossoe, 23 January 2007 - 12:22 PM.

[rossoe]

Alex

when I update to v1.2

the Replace phpbb2/common.php  causes a "hacking attempt" error when I try and login
obviously this is because it's trying to goto portal instead of index.

Is it worth me just sticking with v1.0 ?

I don't want it to be insecure though !

[AlexStudio]

rossoe, on Jan 24 2007, 06:29 AM, said:

Alex

when I update to v1.2

the Replace phpbb2/common.php  causes a "hacking attempt" error when I try and login
obviously this is because it's trying to goto portal instead of index.

Is it worth me just sticking with v1.0 ?

I don't want it to be insecure though !

In your case, the portal stuff is a heavily mod phpBB2. You must do file comparing, not just replace them.

[rossoe]

Cool, I'll have a look - it's actually only the amended common.php file that won't work due to the added hacking security. All the rest of the updates seem to work fine. I'm assuming it is getting upset with the trid being attached to a file other than index.php

oh by the way the change to trans_phpbb.php has totally sorted the logout

AlexStudio, on Jan 23 2007, 11:01 PM, said:

In your case, the portal stuff is a heavily mod phpBB2. You must do file comparing, not just replace them.

[anderskiel]

AlexStudio, on Jan 21 2007, 11:39 PM, said:

I did find this in my phpBB2 also, I have mine fixed by killing those attempts by the method you mentioned. Here is how I did it:

Find in phpbb2/includes/usercp_registere.php line 37-41:

if ( !defined('IN_PHPBB') )
{
	die("Hacking attempt");
	exit;
}

Add after:

//// BOF osCommerce phpBB2 Integration v1.0
include($phpbb_root_path . 'includes/trans_osc.php');
if ($mode == 'register' && (isset($HTTP_GET_VARS['agreed']) || isset($HTTP_POST_VARS['agreed']))) {
	die("Hacking attempt");
	exit;
}
//// EOF osCommerce phpBB2 Integration v1.0

This will kill all direct accesses to this file.

I tried adding the above code, but it gives me "hacking attempt" when using the link from my osC registration page. I had a look at the 1.2 update and found the trans_osc.php file. Edited to my website and uploaded that. How ever i still get killed when following the link in osC registration page. Am I missing something?

Anders

[AlexStudio]

anderskiel, on Jan 25 2007, 12:45 AM, said:

I tried adding the above code, but it gives me "hacking attempt" when using the link from my osC registration page. I had a look at the 1.2 update and found the trans_osc.php file. Edited to my website and uploaded that. How ever i still get killed when following the link in osC registration page. Am I missing something?

Anders

Well, the code added to kill spam bot hackings only works if mode=register&agreed present. This shouldn't be happening if you are registering in osC because the phpBB2/profile.php doesn't take place. The code in 1.0 - 1.2 use catalog/create_account.php instead.

If the link in registration agreement page leads you to profile.php, you missed some file in phpbb2 modification, probably phpbb2/templates/subSilver/agreement.tpl

[AlexStudio]

anderskiel, on Jan 25 2007, 12:45 AM, said:

I had a look at the 1.2 update and found the trans_osc.php file. Edited to my website and uploaded that. How ever i still get killed when following the link in osC registration page. Am I missing something?

If the trans_phpbb.php involved, then it could be the new security check in phpbb2/common.php line 163 - 172, which will kill any attempts with an irregular trid (presumed faking trid). It can be problematic if your osCsid has other characters than a-zA-Z0-9 (normal alphanumeric characters).

[anderskiel]

AlexStudio, on Jan 24 2007, 10:35 PM, said:

Well, the code added to kill spam bot hackings only works if mode=register&agreed present. This shouldn't be happening if you are registering in osC because the phpBB2/profile.php doesn't take place. The code in 1.0 - 1.2 use catalog/create_account.php instead.

Ok I see, I was trying to keep a link from the osC registration form open to those who only want to use the forum not the shop. But i guess that wouldnt work without leaving the /phpBB2/mode=register&agreed=true - link in the form. Or is there anyway of killing all direct entries to the phpBB registration, except those coming from the link in osC registration page?

Thanks

Anders

[AlexStudio]

anderskiel, on Jan 25 2007, 06:54 AM, said:

Ok I see, I was trying to keep a link from the osC registration form open to those who only want to use the forum not the shop. But i guess that wouldnt work without leaving the /phpBB2/mode=register&agreed=true - link in the form. Or is there anyway of killing all direct entries to the phpBB registration, except those coming from the link in osC registration page?

Thanks

Anders

Yes, you can change the parameters with the registration link to get passed. Let's say mode=phpbb_register&agreed_phpbb=true

You will also need to modify your phpbb2/profile.php to handle the new parameters.

[anderskiel]

AlexStudio, on Jan 25 2007, 12:04 AM, said:

Yes, you can change the parameters with the registration link to get passed. Let's say mode=phpbb_register&agreed_phpbb=true

You will also need to modify your phpbb2/profile.php to handle the new parameters.

Not sure exactly what you mean - but i think i have fixed it by adding

if ($_SERVER['HTTP_REFERER'] != "http://www.yourdomaine.com/catalog/create_account.php") 
{
	die("Hacking attempt");
	exit;
}

to the beginning of includes/usercp_register.php

Now i just have to see if the spammers will get around that  

Anders

[anderskiel]

Oops placing it at the top cuts all access to the anything to do with the profile.php  

However moving it down to just below:

	$template->set_filenames(array(
		'body' => 'profile_add_body.tpl')
	);

that should work

Anders