
rule

Members
  • Content count: 65
  • Days Won: 1

rule last won the day on August 26 2018

rule had the most liked content!


  1. rule

    AIM and SIM have reached End of Life

    Any progress? Is no one really using this gateway anymore? They are huge.
  2. rule

    XSS & SQL Vulnerabilities

    @ecartz After allowing the request, the search page loads with "There is no product that matches the search criteria" and [removed]alert('SAINT')[removed] in the search box.
  3. rule

    XSS & SQL Vulnerabilities

    @ecartz Thank you for picking this up. Below is what NoScript returns when trying to access the URL mentioned in point 1.

    NoScript detected a potential Cross-Site Scripting attack from [...] to http://domain.com.
    Suspicious data: (URL) http://domain.com/advanced_search_result.php?keywords=[removed]alert('SAINT')[removed]

    How would you troubleshoot this deeper?
  4. rule

    XSS & SQL Vulnerabilities

    1. We got alerted to a potential XSS vulnerability in the following scenario.

    /advanced_search_result.php?keywords=[removed]alert('SAINT')[removed]

    Solution: cross-site scripting can be fixed by modifying the application's code on the server to HTML-encode user-supplied characters which have special meaning when rendered in a browser. That is, change < to &lt;, > to &gt;, & to &amp;, and " to &quot;. Some web application programming languages contain functions for this purpose, such as htmlspecialchars() in PHP.

    Doesn't osC already use htmlspecialchars?

    2. On another note, there is also an integer-based SQL injection vulnerability in products_id parameter when the following is used.

    /product-name-p-4413.html?action=add_product

    We do use Ultimate SEO to rewrite the stock URLs but would that be true of default settings as well?

    Solution: all user-supplied parameters should be checked for illegal characters, such as a single quote ('), before being used in an SQL query.

    Any insight on addressing the two above issues would be greatly appreciated. These could well be false positives.
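    The two mitigations named in the post above (HTML-encoding reflected input, and validating products_id before it reaches SQL), shown as an added example in PHP. This is illustrative code, not osCommerce's or the Ultimate SEO add-on's own functions; the function names, the sample request array and the commented mysqli statement are assumptions.

```php
<?php
// Added example (not osCommerce code): encode a user-supplied search term
// before echoing it into the page, and accept products_id only as an integer.
// Function names and the $get sample are illustrative.

// HTML-encode a value for safe placement in an HTML attribute or text node.
function encode_for_html(string $value): string
{
    // ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE keeps the output
    // non-empty on invalid UTF-8, and the charset is stated explicitly so the
    // encoder cannot be confused by a different default.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Normalise a products_id parameter: accept a positive integer, reject all else.
function parse_products_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed stand-in for $_GET: every character the post lists, plus a
// products_id carrying a single quote, the illegal character the post names.
$get = [
    'keywords'    => 'Tom & "Jerry" <test>',
    'products_id' => "4413'",
];

// Reflecting the search term back into the search box, encoded.
$keywords = encode_for_html($get['keywords']);
echo '<input type="text" name="keywords" value="' . $keywords . '">' . PHP_EOL;
// Output: <input type="text" name="keywords" value="Tom &amp; &quot;Jerry&quot; &lt;test&gt;">

// Validating the product id before any query is built.
$products_id = parse_products_id($get['products_id']);
if ($products_id === null) {
    echo 'Rejected products_id: not a positive integer' . PHP_EOL;
} else {
    // With an open mysqli connection in $link (assumed), bind the integer rather
    // than interpolating it into the SQL string:
    // $stmt = $link->prepare('SELECT products_id FROM products WHERE products_id = ?');
    // $stmt->bind_param('i', $products_id);
    // $stmt->execute();
}
```

    Because parse_products_id() returns null for anything that is not a whole positive integer, the quote never reaches a query; for the keywords field, encoding happens at output time, which is where the reflected value becomes dangerous.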
  5. rule

    HoneyPot Captcha

    Is it possible to extend the module by including a filter to catch domain names used by spammers for emails, i.e. similar to the bad words filter but for account creation rather than contact form? The same domain names seem to be used over and over again.
  6. rule

    HoneyPot Captcha

    @Jack_mcs Unfortunately, this latest change does not improve the situation. We are still seeing about 15 new fake accounts each day. More importantly, using CSF to blacklist IP addresses also appears to be futile.
  7. rule

    ULTIMATE Seo Urls 5 - by FWR Media

    Noticing quite a few of the following in our error log.

    PHP Fatal error: Uncaught Error: Call to a member function store() on boolean in /home/xxx/public_html/includes/modules/ultimate_seo_urls5/main/usu5.php:78
    Stack trace:
    #0 [internal function]: Usu_Main->__destruct()
    #1 {main}
    thrown in /home/xxx/public_html/includes/modules/ultimate_seo_urls5/main/usu5.php on line 78

    Line 78 reads as follows.

    $this->getVar( 'cache' )->store( $this->getVar( 'registry' )->store() );

    Is this a PHP 7.2 related error yet again?
  8. rule

    Feedback for raiwa

    You are only making things worse for yourself by misleading everyone here. Why didn't you mention that the purchased add-ons contained errors and how you said that PHP notices and warnings weren't important? Free support through 20 emails? This is ridiculous. Most of those state how your time costs 75 euros per request and that questions must be asked in the forum. As mentioned previously, anyone who wishes to know the truth is welcome to PM us. We will also happily point you to those osCommerce devs that really care about their customers and deserve all the money they humbly ask for.
  9. rule

    Database Optimizer

    Security support for 7.0 ends in 40 days. Could you possibly upgrade the add-on?
  10. rule

    ULTIMATE Seo Urls 5 - by FWR Media

    New issue discovered: when using a module that is not located in root (e.g. /ext/modules/content/product_info/) and changing the shop language, SEO URLs rewrites the URL as if it were in root thereby leading to a 404. Could SEO URLs be forced to use the original tep_href_link in such cases?
  11. rule

    Database Optimizer

    Removed the first line right after the installation as it threw a different error. Removing the second line doesn't change anything. Given that the cron job worked previously when we were on PHP 5.6 it is probably safe to say that the current issue is related to PHP 7.2.
  12. rule

    Feedback for raiwa

    We do not recommend purchasing any add-ons from Rainer Schmied (raiwa) if you expect subsequent support. Our experience is that this developer views his customers as cash cows that are not worth his time unless money (65 euros seems to be the favorite amount) is paid for each request. For further details, please feel free to PM us.
  13. rule

    Database Optimizer

    Latest CE on PHP 7.2 and the script does run via tools but additionally throws the following 2 errors.

    [09-Oct-2018 20:09:41 UTC] PHP Warning: Use of undefined constant DATABASE_OPTIMIZER_OPTIMIZE - assumed 'DATABASE_OPTIMIZER_OPTIMIZE' (this will throw an Error in a future version of PHP) in /home/langbrid/public_html/izbushka/includes/modules/database_optimizer.php on line 25
    [09-Oct-2018 20:09:41 UTC] PHP Warning: Use of undefined constant MYSQL_ASSOC - assumed 'MYSQL_ASSOC' (this will throw an Error in a future version of PHP) in /home/langbrid/public_html/izbushka/includes/modules/database_optimizer.php on line 42
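    The two PHP 7.2 failure modes quoted in posts 7 and 13 above (a method called on a boolean inside a destructor, and bare words used as constants), with the defensive pattern for each as an added example. This is not the code of the SEO URLs or Database Optimizer add-ons; the class, method and function names are illustrative, and store() is only mirrored from the quoted line, not reproduced from the add-on.

```php
<?php
// Added example (not the add-ons' code): guarding the two PHP 7.2 errors
// quoted in the posts. Names are illustrative.

// 1. "Call to a member function store() on boolean": a lookup that can return
//    false must be checked before a method is called on it. This matters most
//    in __destruct(), which also runs when setup failed part-way through.
class Registry_Example
{
    private $vars = [];

    public function setVar(string $name, $value): void
    {
        $this->vars[$name] = $value;
    }

    // Returns false for an unknown name, mirroring the failure mode in the log.
    public function getVar(string $name)
    {
        return $this->vars[$name] ?? false;
    }

    public function __destruct()
    {
        $cache    = $this->getVar('cache');
        $registry = $this->getVar('registry');
        // Guard: only persist when both objects were actually initialised.
        if (is_object($cache) && is_object($registry)) {
            $cache->store($registry->store());
        }
    }
}

// 2. "Use of undefined constant X - assumed 'X'": PHP 7.2 warns, and PHP 8
//    throws, when a bare word is used where a constant is expected. Check that
//    a configuration constant exists before reading it, and use the mysqli
//    constant MYSQLI_ASSOC; MYSQL_ASSOC belonged to ext/mysql, removed in PHP 7.
function optimize_enabled(): bool
{
    return defined('DATABASE_OPTIMIZER_OPTIMIZE')
        && constant('DATABASE_OPTIMIZER_OPTIMIZE') === 'true';
}

function rows_as_assoc(mysqli_result $result): array
{
    return $result->fetch_all(MYSQLI_ASSOC);   // not MYSQL_ASSOC
}

// Usage with constructed values: no 'cache' or 'registry' is ever set, so the
// destructor now exits quietly instead of fataling on a boolean.
$r = new Registry_Example();
unset($r);

var_dump(optimize_enabled());   // bool(false) unless the constant is defined
```

    The destructor guard is the important one operationally: the fatal in post 7 is raised during object teardown, so it fires on every request where initialisation failed, which is why it floods the error log rather than appearing once.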
  14. rule

    Database Optimizer

    @Jack_mcs Seeing the following error when the cron job is run.

    [09-Oct-2018 05:00:01 UTC] PHP Warning: mysqli_error() expects parameter 1 to be mysqli, null given in /home/xxx/public_html/izbushka/includes/functions/database.php on line 55

    line 55:

    $result = mysqli_query($$link, $query) or tep_db_error($query, mysqli_errno($$link), mysqli_error($$link));

    The following is printed in the confirmation email.

    Content-type: text/html; charset=UTF-8 <font color="#000000"><strong> - <br /><br />SHOW TABLES LIKE 'supertracker'<br /><br /><small><font color="#ff0000">[TEP STOP]</font></small><br /><br /></strong></font>

    Could you please help fixing this?
  15. rule

    ULTIMATE Seo Urls 5 - by FWR Media

    @clustersolutions Thank you for chiming in. This is probably in response to stripping the URL endings. I wish we could take your advice and implement it but lack of MySQL knowledge prevents us from even trying. On a separate note, does anyone run this add-on together with the KissIT Image Thumbnailer? Strangely enough, the thumbnail for the main product image stopped being fetched after we installed the SEO URLs. Could this be due to the rewrites or a conflict of functions?