Customer Testimonials v1.0


Rezolles_Net

I'm hoping someone here has experienced this and might know what I'm doing wrong.

 

I had Customer Testimonials v1.3 already installed and running. I added the Add On for v1 so that customers can also submit a testimonial for review. I had to tweak it slightly (add a Last Name field).

 

Everything gets posted to the database correctly when I click on Submit - however, I am not given the message that my Testimonial has been submitted. I'm simply given a blank page. Should there be a "redirect" somewhere in the form?

 

I found this link with the submit button - it doesn't have anything between the <a> </a> tags.

'  <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"></a>

 

I have tried moving that around the submit button to see if it would make any difference, and it doesn't. I did remove the Continue as I didn't need two Continue buttons, and my current Continue button acts as a Back button so it takes you to the last page you were viewing before following the testimonial, rather than back to the home page.

 

So - my submit button source code looks like this:

 <td align="center" valign="top" class="main"><br><br><a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT); ?></a></td>

 

I've tried a few different variations - leaving out the link to FILENAME_CUSTOMER_TESTIMONIALS completely, having it after the IMAGE_BUTTON_INSERT) bit of code, and as above, wrapping the button inside that link.

 

Is my PHP missing a crucial keystroke, or is there somewhere else I should be looking for why it's not returning anything other than a blank page after clicking Submit?

 

TIA! :blush:

~Tracy
 

PS - I just tried it with the original code, including the Continue button, and I get the same result - a blank page upon submission. Everything goes to the database properly - but the site just returns a blank page.

 

This is what is in the URL bar: localhost/mmherbs/customer_testimonials.php?action=insert&osCsid=SessionIDHere


~Tracy
 


In version 1.4 and after, the line looks like this:

 

<td align="center" class="main"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT). '  <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"></a> <a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a></td>'; ?>

 

so I guess that maybe yours might need to look like this:

 

<td align="center" class="main"><?php echo tep_image_submit('button_submityellow.gif', IMAGE_BUTTON_INSERT). '  <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"></a></td>'; ?>

Anyone get this to play nicely with STS 4.x? I get a fatal error when trying to submit from the user side of things... has something to do with STS I think, but any help would be appreciated.

 

Cheers


Could someone confirm if this is multi-language compatible?

 

For example, if someone leaves a testimonial in German (language=de), will users using the site in English (language=en) then find themselves reading a German testimonial?

 

Thanks

 

Floob


Hi,

 

I'm not able to edit the box header. I want to remove the round corners on this box; it seems that something is missing in the code.

 

Any clue?

 

-----------------------------------------------------

Message for Floob: yes, English will see German testimonials.

Lenamtl


I am running Ultimate SEO and others, but when I click submit on the testimonials.php page it comes up with this page. Any ideas how to go to the correct HTML?

 

http://www.parakeetprint.co.uk/customer_te...p/action/insert

 

Error!

 

Unable to determine the page link!

 

I take it it's just a mod_rewrite, but I don't know how or what I need to do. Any help welcome.

 

Thanks


We are running HackerSafe and today we got a notification that our customer_testimonial file is not safe (we have the latest version 2.0).

 

Here's what they said in the description:

 

During our analysis of your web application, ScanAlert was able to generate a MySQL database specific error message. An attacker may have the ability to use these database error messages to inject database command syntax that could allow them to modify, add, or delete information from the database. These types of attacks lead to credit card disclosure and system compromise.

 

The error messages generated by the web application indicate that the remote host is running a MySQL database.

 

The extent of the damage that can be caused by this vulnerability varies greatly depending on environment and configuration. While input validation via the web application may cause a database to "throw" an error, the database configuration will also play an important role in determining how much it can be altered. A remote attacker may be able to gain access to very sensitive information, or gain administrative access (total control of the entire database functionality).

 

This is not an exhaustive test and has not identified all of the forms and variables that may be affected by this vulnerability.

 

Here is a solution they posted:

 

User input should always be validated before being used by back-end databases. Any portion of the HTTP request can be modified by the attacker and therefore should be either sanitized or validated server side.

 

There are two ways of resolving this issue:

1. Validating input - THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA. By doing this, you are creating a whitelist of acceptable input that the web application can use. This is very similar to the way firewalls work, in that if the input doesn't follow one of the rules it is ultimately dropped.

 

2. Sanitizing input - Implement content parsing on data input fields including URL parameters.

 

Remove the following characters from any user or dynamic database input:

  • ' (escape the single quote) input
  • " (double quote) input
  • ) (close parenthesis) input
  • ( (open parenthesis) input
  • ; (semi-colon) input
  • - (dash) input
  • | (pipe) input

On text input it is recommended to append quotes around the user supplied input.

Sincerely

Mike

I am also running hacker safe and got the exact same vulnerability on the customer_testimonials.php page.

In HackerSafe you can run a demo and it shows you what the result of an attack on the page would do.

Here is the result

 

URL string created by scanalert = http://www.mydomain.com/customer_testimoni...+union+select+1

 

Result of the URL string:

Customer Testimonials

1222 - The used SELECT statements have a different number of columns

select * FROM customer_testimonials WHERE testimonials_id = 1 union select 1

[TEP STOP]

 

ScanAlert only gives us 72 hours to fix this before they pull their logo from our site and we are not compliant. Please help, anyone.
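The fix both ScanAlert's advice and the 1222 error point at is to whitelist the testimonials_id parameter before it reaches MySQL, so that a value like "1 union select 1" is dropped instead of being concatenated into the query. The following is an added example, not the contribution's own code: tep_db_query(), tep_redirect() and tep_href_link() are assumed to exist as in stock osCommerce, and FILENAME_DEFAULT is the constant already shown earlier in the thread.

```php
<?php
// Added example (not part of the Customer Testimonials contribution).
// Whitelist-validates the testimonials_id GET parameter so that anything
// other than a plain positive integer never reaches MySQL. Because no
// malformed value ever produces a query, MySQL error text (the 1222 message
// above, which also reveals the database type) is never shown to a visitor.

function validated_testimonial_id(array $get): ?int
{
    // Missing, or not a scalar string (e.g. testimonials_id[]=1): reject.
    if (!isset($get['testimonials_id']) || !is_string($get['testimonials_id'])) {
        return null;
    }
    $raw = $get['testimonials_id'];
    // Accept a positive integer of at most 10 digits; reject everything else.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function testimonial_query(array $get): ?string
{
    $id = validated_testimonial_id($get);
    if ($id === null) {
        return null;
    }
    // Same query the error message shows, but the id is now a checked integer,
    // so no quoting or escaping decision is left to the caller.
    return 'select * FROM customer_testimonials WHERE testimonials_id = ' . $id;
}

// Constructed inputs for demonstration:
var_dump(testimonial_query(['testimonials_id' => '42']));               // query string built
var_dump(testimonial_query(['testimonials_id' => '1 union select 1']));  // rejected by whitelist
var_dump(testimonial_query(['testimonials_id' => ['1']]));              // rejected: not a string

// How customer_testimonials.php would use it (osCommerce helpers assumed):
//
//   $sql = testimonial_query($HTTP_GET_VARS);
//   if ($sql === null) {
//       tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL'));
//   }
//   $testimonial_query = tep_db_query($sql);
```

The same pattern applies to every other id-style parameter the contribution reads from the query string; a redirect on rejection is preferable to echoing any database error.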


If no one is able to assist, is anyone able to assist in hiring a programmer to fix this? (It shouldn't cost a lot.)

 

I have one standing by. Just waiting to see if anyone can help fix it first.

Sincerely

Mike


Looks like I may have a fix for this. Will keep you guys posted after HackerSafe completes their audit.

 

Even if you are not using HackerSafe it is highly recommended to have this fixed, as a hacker can use this to cause a DoS attack on your server.

Sincerely

Mike


There is a further vulnerability where user information (names, the encrypted password and email address) for every testimonial can be harvested.

No longer giving free advice. Please place deposit in meter slot provided.  Individual: [=] SME: [==] Corporation: [===]
If deposit does not fit one of the slots provided then you are asking too much! :P

Is your Osc dated try Phoenix  raising oscommerce from the ashes.


I was looking through Supertracker logs and noticed some attempted hacking against my testimonials page, so I would love to see the results of your tests asap :)


They got into one of my sites today - I have the code they used to get in and it reveals ALL customer emails (not just those in customer testimonials), last names and encrypted passwords.

Remove this contribution until there is a security fix. Be warned - word is out.


Hi

 

Does this apply to Customer Testimonials v3, which is a separate contribution (or has it just been taken from this one)?

 

Thanks

Julie

 

Yes it applies to all and is an injection that they can use to then setup a database user which requires no password to gain access.

 

They set up an open all-access user in the database and then have the privileges to set up databases etc.

 

I will not post the code used here as this will further compound the issue.

 

I have informed a member of the team and requested that all testimonial contributions be disabled until the issue is resolved.
