Demitry

Posts posted by Demitry


  1. Quote

    ... but trying to code for all shops in the free versions just takes too much time.

    I totally understand! I have a bunch of addons that I don't care to dedicate time to for a completely dead software. Cheers for doing this update! I appreciate it.


  2. Just an addition/addendum to my previous comment.

    Although there is a folder in the package for osC versions Before_2.3, ..there is a large gap from version 2.2 to the Flatline version, including osC versions 2.3, 2.4, BS Edge, Gold, and everything in between.

    This is no longer an issue for me, but it could be for anyone else who has an osC version that is part of that gap.

     


  3. Quote

    Before_2.3

    Sorry Jack,.. my mistake on that point. I had to look at the package again to see this. I skipped over that folder because I have BS Edge, which is after version 2.3

    UPDATE: I ran a test database optimization after making that change you mentioned and there was no PHP warning. So, it works! Thanks.


  4. Quote

    1) There is a version for "Before 2.3"

    This is not in that package for version 1.8 ...and I have BS Edge as I originally stated, which is after version 2.3.4. The oldest version in that package is Flatline.

    For number two, I had made the fix as I stated, in my post above. I was just letting you know about this as a potential issue for others updating to this latest version because without that PHP function defined, you get a PHP Fatal Error.

    As for number three, thank you for the fix. I have not applied it yet, but will, and I'll test it afterwards. I am on PHP7.2 at this time, so this might be the cause of this PHP warning.

    Thank you for your reply.


  5. @Jack_mcs

    hi Jack,

    I updated all the files for the new 1.8 version of this addon and ran it for the first time last night.

    One of the errors I got was for the tep_draw_bootstrap_button() function for that Update button.

    I have BS Edge and since there is nothing in the package for any osC versions older than Flatline (Frozen), I had to apply the changes for that version to BS Edge.

    However, in doing so, I noticed that Flatline does not have the tep_draw_bootstrap_button() function defined either. I got this function from Zombified Phoenix and the Update button now displays & works as it should.

    The other issue was a PHP warning I got regarding a non-numeric value related to the following file and line. The database optimization summary is also listed below.

    database-optimizer-warning.thumb.png.3aa38ba5fbb332a64c6c5c6c61604da1.png

    database-optimizer-details.png.9476dda9021aec4d972aa7eedfc9ca2a.png

     

    I looked up that line and here it is.

    $dateOrder = date("Y-m-d", time() - ($config['orphan_orders'] * 86400));

    So, three issues:

    1)  There is no package solution for any osC versions older than Flatline (Frozen)

    2)  The tep_draw_bootstrap_button() function does not exist in Flatline for the Update button, which is in the admin/database_optimizer.php file

    3)  The calculation for $dateOrder variable in admin/includes/modules/database_optimizer_common.php on line 165 is producing a PHP warning of a non-numeric value

     

    I should also mention that I have not made any adjustments to the default setting in the configuration part of this addon.


  6. @domiosc

    So, I Googled this and did find a couple of articles on a malware injected into a site using .ico files. Here are the articles:

    https://blog.quttera.com/post/suspicious-icon-files-on-your-website/

    https://www.theregister.com/2015/03/25/blank/

     
    If you do regular back-ups, I would go back to the back-up you did just prior to this problem occurring and compare all folders using a comparison tool. This may not find the issue, but it is a good place to start.
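
The backup comparison suggested in this post can be done from a shell. The sketch below is an added example, not part of the original post: it lists files that were added, changed or removed relative to a known-good backup, includes dotfiles (which many file managers hide), and marks files without a `.php` extension that contain a PHP open tag. The function name and the status labels are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). compare_to_backup and the status
# labels ADDED / CHANGED / REMOVED / +PHP are names chosen for this sketch.

# compare_to_backup BACKUP_DIR LIVE_DIR
# Prints "STATUS<TAB>relative/path" for every file that differs.
compare_to_backup() {
  backup=${1%/}
  live=${2%/}

  # Pass 1: files present in the live tree (find includes dotfiles).
  (cd "$live" && find . -type f) | sort | while IFS= read -r rel; do
    rel=${rel#./}
    if [ ! -f "$backup/$rel" ]; then
      status=ADDED
    elif ! cmp -s "$backup/$rel" "$live/$rel"; then
      status=CHANGED
    else
      continue
    fi
    # A new or modified non-.php file that carries a PHP open tag
    # (for example an .ico that is really a script) gets an extra mark.
    case $rel in
      *.php) ;;
      *)
        if grep -q '<?php' "$live/$rel"; then
          status="$status+PHP"
        fi
        ;;
    esac
    printf '%s\t%s\n' "$status" "$rel"
  done

  # Pass 2: files that exist only in the backup.
  (cd "$backup" && find . -type f) | sort | while IFS= read -r rel; do
    rel=${rel#./}
    [ -f "$live/$rel" ] || printf 'REMOVED\t%s\n' "$rel"
  done
}

# Usage: compare_to_backup /path/to/backup /path/to/public_html > report.tsv
```

Run it against a copy of the site pulled from the server rather than on the live host, so the report cannot be altered by whatever is writing the files.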
     

  7. Quote

    Is that the App that would write your database configuration to a file?

    yes, that's the same app. However, this addon is based on old MS2.2 code and does not reside in my subdomain, which is BS Edge with PHP7.2

    And, the old MS2.2 site was not affected at all.

    I do have this addon for the BS Edge subdomain, but it is different (designed for the later version of osC) and in my opinion, more secure than the MS2.2 version.

     

     


  8. Quote

    That was a division by zero. 

    ok, thanks Matt.

    The shell scan for viruses and malware came back from the hosting company and it listed a bunch of files with hack related strings that it found. However, all those terms relate to security files and were not responsible for anything malicious.

    There was one file that was not consistent with the findings as the rest. This file is part of an older MS2.2 addon and resides higher up in the directory structure and not in my subdomain. I'm not sure if this is the culprit or not, though as I mentioned before, this .mx regeneration of duplicate .php files has not happened after the third time. Here is the line that was found by the hosting company's shell scan.

    "/home/*******/public_html/***renamed-admin***/includes/configuration_cache.php": "hex match,{HEX}php.gzbase64.inject.452.UNOFFICIAL",

     

     

     


  9. Quote

    I believe this is the sequence, because it repeats various times. I will confirm next time files are injected:

     

    The one thing I noticed, is that everything you posted is based on HTTP/1.0 -- this is an old protocol. Most everything today has moved to HTTP/2.0. You need to contact your hosting company to find out if their servers are on HTTP/2.0. If they are not, you need to switch to a different hosting company.

    HTTP\2.0 is faster and more secure.

    After doing this, you need to do a site-wide search for HTTP\1 and/or for $_SERVER["SERVER_PROTOCOL"] and manually change related instance of that HTTP\1.0 or HTTP\1.1 to HTTP\2.0. When I had to do this, it was about 25 files.

    Things like this are always a problem when you are upgrading from a much older version to a new one. I believe it is always better to start with the latest version of the CMS and customize it from scratch. Don't keep trying to upgrade from older versions of osC, this software is not designed for that and it will cause you a lot of headaches and time wasted.

    As for the INF field/attribute, I have no idea what that is because it looks like custom code and after looking in advanced_search.php and advanced_search_results.php, I don't see any part of this SQL query in those files. If you are migrating from osC MS2.2 to Zombie Phoenix, search your osC MS2.2 database for this field.

     

     


  10. Quote

    The files are injected. I think there is some vulnerable old version 2.2 file, because this osC was updated from 2.2 to Phoenix.
    Surely I will have to do a new installation if I do not find the affected file. I will be checking the access logs and error logs to see if they give me any clues.

    hi Vicent,

    Please let me know what you find. I have not had another instance of this issue after that last third time. So, for now everything is good. Talk soon.


  11. Quote

    In my case it is point 2: similar files like .1489c721.ico are created, and index.php is edited or a random php file is created to link this file. I delete them, but they are recreated, so a security bug exists that needs to be fixed.

    hi Vicent,

    My hosting company made a back-up of that subdomain and then ran a shell script to remove all those .mx files. So, I really did not have to do anything. Since that time, there have not been any more incidents of this weird file replication.

    I called my hosting company to try and get some idea of what it was. They said, they thought it was a hack. However, I am not convinced because all scans came up empty and I did a folder comparison to a prior back-up and there was nothing new or different. My hosting company tech support also said this problem was currently occurring with other accounts, non-osC accounts.

    So, for now, all is good. Hope you find what is causing the .ico file replication. It might be a related issue. Use the shell script from this thread to remove all those files from the server, though be sure to back-up first.

     


  12. @ecartz

    Matt, ..you're awesome!!

    I don't know shell scripting ..so this will not only help me, but anyone else who comes across this thread.

    I have not removed these files just yet. I'm still waiting to see if my hosting company comes up with an answer before cleaning that entire sub-domain.

    I did see that stackoverflow.com post when searching for an answer but there were no solutions offered on that post.

    And though I still use Dreamweaver (old habits die hard), this is the first time I've experienced this problem. And you might be right on point with this outdated software. Tough to let go of that comfort pillow. lol

    Thanks Matt.


  13. Update:

    I was given a shell script by my hosting company to clean all of these files out at once, which is a huge help because I had to do it manually the past few times. However, I have not cleared all of these files out just yet. I want to give the hosting company techs plenty of time to figure this problem out before removing it from the server.

    Here is the script in case someone else runs across this same issue.

    find /home/change_to_your_own_directory/public_html/ -type f -name "*.mx" -exec rm -rf {} \;

    Please be very careful before using anything like this, and back-up entire site and all files (along with the .mx file) before running this script. If you don't know what you're doing, don't mess with it!

     


  14. hi,

    I'm trying to figure out why I keep getting a ton of these .mx files inserted as copies of all the .php files on the sub-domain I am working on. The files look like this:

    .mx.99063925.mx

    though with different numbers for each file,.. and when you open one of these files, its content is identical to one of the .php files I have in the same directory. These .mx files are not generated for any other extension except for .php and each of the .mx file sizes matches the same .php file. They are basically clones of all the .php files.

    I cleaned them out of every folder and a day later they all reappeared. That happened three times now. This file type is commonly associated with email files, but these are not email files and have nothing to do with that. They are also not desktop files as detailed in this article.

    https://www.reviversoft.com/file-extensions/mx

    I called my hosting company several times and they have no idea of what it is. The only thing I was told, was that their higher tier tech support came across this problem once before with a WordPress site and after running a shell script to clean all the .mx files, the issue never came back. They are now trying to figure it out and doing a full site scan.

    I thought it might be a hack, but this is unlikely. I've done a number of scans for viruses & malware and they all came back clean. I have nothing in my error log and no noticeable issue browsing the site. There is also nothing in the console via Chrome Developer Tools. The .mx files just add clutter to the directory structure and nearly double the size of the osC software.

    I searched everywhere on this issue (including osC forums) and could not find anything of value. I'm just wondering if anyone has come across this issue before and how it was resolved?

    Here is an image of FileZilla showing these .mx files.

    mx-files-on-server.thumb.png.df44783d471f09782445c6391e70a4a2.png
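
The two posts above describe the `.mx.<number>.mx` files as byte-for-byte copies of `.php` files in the same directory, and give a `find ... rm` one-liner to delete them. The sketch below is an added example, not the hosting company's script: it first verifies that claim with `cmp`, then moves only the confirmed clones into a quarantine directory so they stay available for review. The function names, the CLONE/UNMATCHED labels and the narrower `.mx.*.mx` name pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, the CLONE/UNMATCHED
# labels and the '.mx.*.mx' pattern are assumptions made for this sketch.

# audit_mx_clones ROOT
# Read-only. For each .mx.<something>.mx file, report whether it is
# byte-identical to a .php file in the same directory.
audit_mx_clones() {
  find "${1%/}" -type f -name '.mx.*.mx' -exec sh -c '
    for mx do
      dir=${mx%/*}
      match=
      for php in "$dir"/*.php; do
        [ -f "$php" ] || continue
        if cmp -s "$mx" "$php"; then match=$php; break; fi
      done
      if [ -n "$match" ]; then
        printf "CLONE\t%s\t%s\n" "$mx" "$match"
      else
        # Not a copy of a neighbouring .php file: keep it in place and
        # inspect it by hand before anything is removed.
        printf "UNMATCHED\t%s\n" "$mx"
      fi
    done' sh {} +
}

# quarantine_mx_clones ROOT QUARANTINE_DIR
# Moves confirmed clones out of ROOT, keeping their relative paths.
# QUARANTINE_DIR should sit outside the web root.
quarantine_mx_clones() {
  root=${1%/}
  dest=${2%/}
  tab=$(printf '\t')
  audit_mx_clones "$root" | while IFS=$tab read -r status mx _; do
    [ "$status" = CLONE ] || continue
    rel=${mx#"$root"/}
    mkdir -p "$dest/$(dirname "$rel")"
    mv -- "$mx" "$dest/$rel"
  done
}

# Usage:
#   audit_mx_clones /home/change_to_your_own_directory/public_html > mx-report.tsv
#   quarantine_mx_clones /home/change_to_your_own_directory/public_html /home/change_to_your_own_directory/mx-quarantine
```

Any UNMATCHED line means a file with that name pattern is not a plain copy, so it is worth reading before cleanup.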


  15. Quote

    Although there are some issues on missing language definitions,

    Ugh! I got it. I know exactly what this issue is. The language file is too deep in my laptop directory and was excluded because of this when I zipped the package. I will upload it now as an update. Thank you for letting me know. The only way for me to know this was to download it and unzip it and now I see that this language file is not in there.

    Here it is posted here, if you want to just copy and paste it into your own.

    <?php
    /*
      $Id$
      
      Customer Feedback at Checkout 
      Version 1.0 for BS
      Mod by Demitry
    
      osCommerce, Open Source E-Commerce Solutions
      http://www.oscommerce.com
    
      Copyright (c) 2020 osCommerce
    
      Released under the GNU General Public License
    */
    define('MODULE_CONTENT_CHECKOUT_SUCCESS_CUSTOMER_FEEDBACK_TITLE', 'Customer Feedback at Checkout');
    define('MODULE_CONTENT_CHECKOUT_SUCCESS_CUSTOMER_FEEDBACK_DESCRIPTION', 'Show Customer Feedback Form on the checkout success page.');
    
    define('MODULE_CONTENT_CHECKOUT_SUCCESS_CUSTOMER_FEEDBACK_HEADING', 'And Now, We Need Your Help!');
    define('MODULE_CONTENT_CHECKOUT_SUCCESS_CUSTOMER_FEEDBACK_TEXT_REQUEST', 'What "almost" kept you from completing your purchse today?'); // must be the same text in header_tags module language file
    define('MODULE_CONTENT_CHECKOUT_SUCCESS_CUSTOMER_FEEDBACK_TEXT_MSG_SENT', 'Your message was sent. We truly appreciate you and your business.<br /><br />
    
    Please make any <strong>available selections</strong> on this page and click the Continue button to save your changes.');
    ?>

     

     

     


  16. Quote

    Although there are some issues on missing language definitions, I have managed to sort them out.

    KG, what language file issues? I would certainly like to fix them, but am not sure what you are referring to.

     

    Quote

    It would be nice to have a pop up thank you message upon submitting the feedback.

    If you mean like having the modal window display the "message sent" message, I was not planning on it. The modal closes automatically upon (an error-free) submission and the "message sent" message is displayed on the checkout_success.php page just below the heading title for this module.

    I could add that message to display in the modal, but then the customer would have to manually close that modal and I'm not sure then,.. what would display on the reloaded checkout_success.php page.


  17. Quote

    Add it as a footer script. 

    hi Matt,

    That's actually a pretty good idea that I didn't even think of. Plus, I am already adding a footer script via a header_tags module for the JS validation for that feedback form. So, I'll add the modal and see how that works.


  18.  

    Quote

    Rather, a form can have more than one form submit button. By using different names and values the submit buttons can share some if not all of the form GET or POST values. Each button will then be able to perform onclick functions differently.

    I get the concept, but as far as I know an email has to be structured as a form and if I included it as a module in the checkout_success block, then it will become nested inside of that page's order form.

    What I can do is add the module as a request for the customer's feedback and when they click on the link (which would be a feedback question), that would open a modal window with the email form inside of it. The modal code would then have to be added to that checkout_success.php page after the main order form.

    Or, I could add it as an on-page form directly on that checkout_success.php page after the main order form. Either way, I would have to alter a core file, which is something I was trying to avoid.

     

     


  19. Hi,

    I’m finishing up a module for the checkout success page. It’s a short email form designed to get customer feedback on their purchase experience right at the final step in the checkout process. I could store their feedback in the database, but this is bad because it will quickly bloat the database.

    There are two issues that I am facing with this modification.

    First: While writing this module, I realized that this checkout_success page contains all of the modules inside a form. I’m a bit confused about this form because it is designed to update any customer changed data inside of it (such as product notifications and/or PWA keep account), but the button included inside this form is the Continue button, which redirects the user to the index.php page.

    So, if a customer makes changes on this form and does not click the Continue button, but instead closes the browser tab, then all of their changes are not saved to the database, right?

    The point is, many other osC pages apply the Continue button to load the index.php page. Having been on the site, a customer quickly becomes aware of this and may opt to not click that button on the checkout_success page because they are finished shopping and do not want to go to the home page. Additionally, they are likely to believe that their selections on that page are automatically saved upon any changes they make. Why? ..well, because there is no button to save the changes.

    Therefore, shouldn’t that Continue button be renamed to Update Changes or Save Changes? And, there should be a message displayed on the index.php page post redirection, to let the customer know that their changes were saved.

     

    Second: I am now faced with a challenge where (in order to avoid nested forms), I must add my module. I would need to either add it below this form in a separate module block or include it as a button/link to a modular popup. Any ideas on how to better structure this, where I can include the module with the other checkout_success modules and be able to use the related sort order feature to position it where I want?

     

     


  20. Quote

    The fields are there but I don't think the payment modules use them.

    I did not know that. I assumed that they would have been removed if they were not going to be used.

     

    Quote

    My version, which is not the standard one, has an option to split the cc number. It has been a while since I've looked at the original but I thought that was in all of them. When used, the code splits the cc number and stores part in the database and sends the other part in an email. That way, there is no way for hackers to get the whole number should they get access to your database. 

    Ah, that is part of the module, but I could never figure out what that description meant because it did not make much sense to me. Here is the screenshot of it below. Thanks for explaining it.

     

    cc-card-no-option.png.5e3dd6dd099556c6cff2c4765ff60f6f.png


  21. Quote

    If you have a PCI company perform the scan, you have to tell them you do not store cc data on the server, which the cc module does.

    Jack, thank you for the explanation. The CC module adds only the card number, expiration date, and card type to the customers database table, but so do the other CC processing modules. And even the latest version of osC Phoenix has these columns in the customers database table.

     

    Quote

    ... and as long as the split option is used in the module, it should be safe. 

    what do you mean by split option? I could not find anything related to this.

     

    ~~~~

    Quote

    do you plan to release your version?

    Vicent, I did not plan on it because it was removed from osC and introducing it back in as an addon will likely conflict with the underlying purpose of why it was removed in the first place. As Jack said, it was a PCI compliance issue, but I am not 100% sure if this was the only reason. There may have been other security issues that were part of that decision to remove it as well.

    Aside from that, I do not use the left or right columns in the osC layout so, my CSS is not structured for that layout - specifically, when resizing the browser. Here is a screenshot of what my payment page looks like. I am currently just using these modules for testing and only plan on having a CC module (via a merchant account) and a PayPal module as payment options.

     

    payment-page.thumb.png.fecc767600ce3cc8252596cc0b593933.png