TracyS Posted May 22, 2007
I'm hoping someone here has experienced this and might know what I'm doing wrong. I had Customer Testimonials v1.3 already installed and running. I added the Add On for v1 so that customers can also submit a testimonial for review. I had to tweak it slightly (add a Last Name field). Everything gets posted to the database correctly when I click on Submit - however, I am not given the message that my Testimonial has been submitted. I'm simply given a blank page. Should there be a "redirect" somewhere in the form?

I found this link with the submit button - it doesn't have anything between the <a> </a> tags.

' <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"></a>

I have tried moving that around the submit button to see if it would make any difference, and it doesn't. I did remove the Continue as I didn't need two Continue buttons, and my current Continue button acts as a Back button so it takes you to the last page you were viewing before following the testimonial, rather than back to the home page. So - my submit button source code looks like this:

<td align="center" valign="top" class="main"><br><br><a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT); ?></a></td>

I've tried a few different variations - leaving out the link to FILENAME_CUSTOMER_TESTIMONIALS completely, having it after the IMAGE_BUTTON_INSERT) bit of code, and as above, wrapping the button inside that link. Is my PHP missing a crucial keystroke, or is there somewhere else I should be looking for why it's not returning anything other than a blank page after clicking Submit? TIA! :blush:
~Tracy
TracyS Posted May 22, 2007 (edited)
"Everything gets posted to the database correctly when I click on Submit - however, I am not given the message that my Testimonial has been submitted. I'm simply given a blank page. Should there be a "redirect" somewhere in the form?"

PS - I just tried it with the original code, including the Continue button, and I get the same result - a blank page upon submission. Everything goes to the database properly - but the site just returns a blank page. This is what is in the URL bar:

localhost/mmherbs/customer_testimonials.php?action=insert&osCsid=SessionIDHere

Edited May 22, 2007 by TracyS
~Tracy
mariemeh Posted May 24, 2007
In version 1.4 and after, the line looks like this:

<td align="center" class="main"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT). ' <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"></a> <a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a></td>'; ?>

So I guess that maybe yours might need to look like this:

<td align="center" class="main"><?php echo tep_image_submit('button_submityellow.gif', IMAGE_BUTTON_INSERT). ' <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"></a></td>'; ?>
Shanke Posted June 24, 2007
Anyone get this to play nicely with STS 4.x? I get a fatal error when trying to submit from the user side of things. It has something to do with STS, I think, but any help would be appreciated. Cheers
lenamtl Posted July 13, 2007
Hi, I'm looking for a way to add a navigation bar to the testimonial page; let's say I want to have 20 entries per page. Any clues? Thanks
Lenamtl
Floob Posted July 15, 2007
Could someone confirm if this is multi-language compatible? For example, if someone leaves a testimonial in German (language=de), will users using the site in English (language=en) then find themselves reading a German testimonial? Thanks
Floob
lenamtl Posted July 28, 2007 (edited)
Hi, I'm not able to edit the box header. I want to remove the round corners on this box; it seems that something is missing in the code. Any clue?

Message for Floob: yes, English users will see German testimonials.

Edited July 28, 2007 by lenamtl
Lenamtl
bluns1 Posted August 1, 2007
2.0 does not currently work with STS.
bluns1 Posted August 3, 2007
Does anybody know how I can display multiple testimonials in the module box? I want to display 3 different testimonials inside the box.
andycatax Posted September 13, 2007
I am running Ultimate SEO and others, but when I click submit on the testimonials.php page it comes up with this page. Any ideas how to go to the correct HTML?

http://www.parakeetprint.co.uk/customer_te...p/action/insert

Error! Unable to determine the page link!

I take it it's just a mod rewrite, but I don't know how or what I need to do. Any help welcome. Thanks
andycatax Posted September 17, 2007
I have added this mod. I still have the problem above, but I would also like to add the name and location on the testimonial. How do I do this? Thanks, Andy
navyhost Posted January 23, 2008
We are running HackerSafe and today we got a notification that our customer_testimonials file is not safe (we have the latest version 2.0). Here's what they said in the description:

"During our analysis of your web application, ScanAlert was able to generate a MySQL database specific error message. An attacker may have the ability to use these database error messages to inject database command syntax that could allow them to modify, add, or delete information from the database. These types of attacks lead to credit card disclosure and system compromise. The error messages generated by the web application indicate that the remote host is running a MySQL database. The extent of the damage that can be caused by this vulnerability varies greatly depending on environment and configuration. While input validation via the web application may cause a database to "throw" an error, the database configuration will also play an important role in determining how much it can be altered. A remote attacker may be able to gain access to very sensitive information, or gain administrative access (total control of the entire database functionality). This is not an exhaustive test and has not identified all of the forms and variables that may be affected by this vulnerability."

Here is a solution they posted:

"User input should always be validated before being used by back-end databases. Any portion of the HTTP request can be modified by the attacker and therefore should be either sanitized or validated server side. There are two ways of resolving this issue:

1. Validating input - THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA. By doing this, you are creating a whitelist of acceptable input that the web application can use. This is very similar to the way firewalls work, in that if the input doesn't follow one of the rules it is ultimately dropped.

2. Sanitizing input - Implement content parsing on data input fields including URL parameters. Remove the following characters from any user or dynamic database input:
' (single quote; escape it)
" (double quote)
) (close parenthesis)
( (open parenthesis)
; (semi-colon)
- (dash)
| (pipe)
On text input it is recommended to append quotes around the user supplied input."

Sincerely Mike
mblyman Posted January 23, 2008
"We are running HackerSafe and today we got a notification that our customer_testimonials file is not safe (we have the latest version 2.0)"

I am also running HackerSafe and got the exact same vulnerability on the customer_testimonials.php page. In HackerSafe you can run a demo and it shows you what the result of an attack on the page would do. Here is the result:

URL string created by ScanAlert = http://www.mydomain.com/customer_testimoni...+union+select+1

Result of the URL string:

Customer Testimonials
1222 - The used SELECT statements have a different number of columns
select * FROM customer_testimonials WHERE testimonials_id = 1 union select 1
[TEP STOP]

ScanAlert only gives us 72 hours to fix this before they pull their logo from our site and we are not compliant. Please help, anyone.
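The scanner's advice in the previous post (whitelist validation first, character stripping as a weaker fallback) and the demo output above (a raw testimonials_id concatenated into the query, with MySQL's error echoed back to the browser) describe the same defect from two sides. The following is an added example, not code from the Customer Testimonials contribution or from osCommerce, showing the vulnerable pattern beside a hardened version of the same lookup. It assumes a PDO connection to the store database and uses the table and column names that appear in the quoted error message; it does not use any osCommerce helper functions.

```php
<?php
// Added example (not the contribution's own code). Assumes a PDO handle $db
// and a table customer_testimonials with integer key testimonials_id, as in
// the error message quoted above.

// --- Pattern the scanner tripped on (shown for contrast only) ---
// The request value is spliced straight into the SQL text, so a value such as
// "1 union select 1" becomes part of the statement. MySQL rejects it with the
// column-count error, and the page prints that error to the visitor.
function fetch_testimonial_unsafe(PDO $db, string $raw_id): ?array
{
    $sql = "SELECT * FROM customer_testimonials WHERE testimonials_id = " . $raw_id;
    $result = $db->query($sql);          // returns false on a SQL error in PDO's default error mode
    if ($result === false) {
        return null;
    }
    $row = $result->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Whitelist validation (the scanner's option 1) ---
// A testimonial id is only ever a positive integer, so anything else is
// rejected before it gets anywhere near the database. Nothing needs to be
// stripped or escaped, which is why this is preferable to a character blacklist.
function validate_testimonial_id(string $raw_id): ?int
{
    $raw_id = trim($raw_id);
    if ($raw_id === '' || !ctype_digit($raw_id)) {
        return null;                     // spaces, quotes, letters, "union" ... all fail here
    }
    $id = (int) $raw_id;
    return $id > 0 ? $id : null;
}

// --- Hardened lookup: validated value bound as a parameter ---
// Binding keeps data and SQL text separate even if validation is later relaxed,
// and a rejected id produces "not found" rather than a database error page.
function fetch_testimonial(PDO $db, string $raw_id): ?array
{
    $id = validate_testimonial_id($raw_id);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM customer_testimonials WHERE testimonials_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request values: a normal id, the scanner's demo value, and edge cases.
$samples = ['1', '1 union select 1', '0', ' 42 ', 'abc', ''];
foreach ($samples as $s) {
    $id = validate_testimonial_id($s);
    printf("%-22s -> %s\n", var_export($s, true), $id === null ? 'rejected' : "id $id");
}
```

Two points worth checking in your own copy once the lookup is fixed: the page should never print the raw MySQL error text (the "1222 ..." line in the demo is the database talking directly to the visitor, which is what let the scanner confirm the backend), and the same whitelist-then-bind treatment applies to every other request parameter the contribution reads, not just testimonials_id.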
Guest Posted January 24, 2008
I am having the exact same problem. It used to be a sev 2 problem; now it's a sev 4.
navyhost Posted January 24, 2008
If no one is able to assist, is anyone able to assist in hiring a programmer to fix this? (It shouldn't cost a lot.) I have one standing by. Just waiting to see if anyone can help fix it first.
Sincerely Mike
Guest Posted January 25, 2008
I'm just going to pull the code out. Better than losing my HackerSafe sign!
AWWWW.WAHWAH Posted January 27, 2008
Is there coding for page breaks? Loading hundreds of testimonials on one page takes a long time.
navyhost Posted January 28, 2008
I am waiting for a price quote from my programmer. Will keep you guys posted. HackerSafe actually just pulled our HS logo from the site until this is fixed.
Sincerely Mike
navyhost Posted January 28, 2008
Looks like I may have a fix for this. Will keep you guys posted after HackerSafe completes their audit. Even if you are not using HackerSafe, it is highly recommended to have this fixed, as a hacker can use this to cause a DoS attack on your server.
Sincerely Mike
Robbogeordie Posted February 1, 2008
Hi Mike, any news on the fix? Thanks, Chris
241 Posted February 7, 2008
There is a further vulnerability where user information (names, the encrypted password and email address) for every testimonial can be harvested.

No longer giving free advice. Please place deposit in meter slot provided. Individual: [=] SME: [==] Corporation: [===] If deposit does not fit one of the slots provided then you are asking too much! Is your Osc dated? Try Phoenix, raising osCommerce from the ashes.
Guest Posted February 7, 2008
I was looking through Supertracker logs and noticed some attempted hacking against my testimonials page, so I would love to see the results of your tests asap :)
Robbogeordie Posted February 7, 2008
They got into one of my sites today. I have the code they used to get in and it reveals ALL customer emails (not just those in customer testimonials), last names and encrypted passwords. Remove this contribution until there is a security fix. Be warned - word is out.
warrenerjm Posted February 7, 2008
Hi, does this apply to Customer Testimonials v3, which is a separate contribution (or has it just been taken from this one)? Thanks, Julie
241 Posted February 7, 2008
"Hi, does this apply to Customer Testimonials v3, which is a separate contribution (or has it just been taken from this one)? Thanks, Julie"

Yes, it applies to all and is an injection that they can use to then set up a database user which requires no password to gain access. They set up an open, all-access user in the database and then have the privileges to set up databases etc. I will not post the code used here as this will further compound the issue. I have informed a member of the team and requested that all testimonial contributions be disabled until the issue is resolved.