Rezolles_Net

Customer Testimonials v1.0

I'm hoping someone here has experienced this and might know what I'm doing wrong.

 

I had Customer Testimonials v1.3 already installed and running. I added the Add On for v1 so that customers can also submit a testimonial for review. I had to tweak it slightly (add a Last Name field).

 

Everything gets posted to the database correctly when I click on Submit - however, I am not given the message that my Testimonial has been submitted. I'm simply given a blank page. Should there be a "redirect" somewhere in the form?

 

I found this link with the submit button - it doesn't have anything between the <a> </a> tags.

'  <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"></a>

 

I have tried moving that around the submit button to see if it would make any difference, and it doesn't. I did remove the Continue as I didn't need two Continue buttons, and my current Continue button acts as a Back button so it takes you to the last page you were viewing before following the testimonial, rather than back to the home page.

 

So - my submit button source code looks like this:

 <td align="center" valign="top" class="main"><br><br><a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT); ?></a></td>

 

I've tried a few different variations - leaving out the link to FILENAME_CUSTOMER_TESTIMONIALS completely, having it after the IMAGE_BUTTON_INSERT) bit of code, and as above, wrapping the button inside that link.

 

Is my PHP missing a crucial keystroke, or is there somewhere else I should be looking for why it's not returning anything other than a blank page after clicking Submit?

 

TIA! :blush:


~Tracy
 

Everything gets posted to the database correctly when I click on Submit - however, I am not given the message that my Testimonial has been submitted. I'm simply given a blank page. Should there be a "redirect" somewhere in the form?

 

PS - I just tried it with the original code, including the Continue button, and I get the same result - a blank page upon submission. Everything goes to the database properly - but the site just returns a blank page.

 

This is what is in the URL bar: localhost/mmherbs/customer_testimonials.php?action=insert&osCsid=SessionIDHere

~Tracy
 


In version 1.4 and after, the line looks like this:

 

<td align="center" class="main"><?php echo tep_image_submit('button_submit.gif', IMAGE_BUTTON_INSERT). '  <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"></a> <a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a></td>'; ?>

 

So I guess that maybe yours might need to look like this:

 

<td align="center" class="main"><?php echo tep_image_submit('button_submityellow.gif', IMAGE_BUTTON_INSERT). '  <a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, '', 'NONSSL') . '"></a></td>'; ?>


Anyone get this to play nicely with STS 4.x? I get a fatal error when trying to submit from the user side of things... it has something to do with STS, I think, but any help would be appreciated.

 

Cheers


Hi,

 

Looking for a way to add a navigation bar to the testimonial page; let's say I want to have 20 entries per page.

 

Any clues?

 

Thanks


Lenamtl


Could someone confirm if this is multi-language compatible?

 

For example, if someone leaves a testimonial in German (language=de), will users using the site in English (language=en) then find themselves reading a German testimonial?

 

Thanks

 

Floob


Hi,

 

I'm not able to edit the box header. I want to remove the rounded corners on this box; it seems that something is missing from the code.

 

Any clue?

 

-----------------------------------------------------

Message for Floob: yes, English users will see German testimonials.

Lenamtl


Does anybody know how I can display multiple testimonials in the module box? I want to display 3 different testimonials inside the box.


I am running Ultimate SEO and others, but when I click Submit on the testimonials.php page it comes up with this page. Any ideas how to go to the correct HTML?

 

http://www.parakeetprint.co.uk/customer_te...p/action/insert

 

Error!

 

Unable to determine the page link!

 

I take it it's just a mod_rewrite issue, but I don't know how or what I need to do. Any help welcome.

 

Thanks


I have added this mod. I still have the problem above, but I would also like to add the name and location on the testimonial. How do I do this?

 

Thanks, Andy


We are running HackerSafe, and today we got a notification that our customer_testimonials file is not safe (we have the latest version, 2.0).

 

Here's what they said in the description:

 

During our analysis of your web application, ScanAlert was able to generate a MySQL database-specific error message. An attacker may have the ability to use these database error messages to inject database command syntax that could allow them to modify, add, or delete information from the database. These types of attacks lead to credit card disclosure and system compromise.

 

The error messages generated by the web application indicate that the remote host is running a MySQL database.

 

The extent of the damage that can be caused by this vulnerability varies greatly depending on environment and configuration. While input validation via the web application may cause a database to "throw" an error, the database configuration will also play an important role in determining how much it can be altered. A remote attacker may be able to gain access to very sensitive information, or gain administrative access (total control of the entire database functionality).

 

This is not an exhaustive test and has not identified all of the forms and variables that may be affected by this vulnerability.

 

Here is a solution they posted:

 

User input should always be validated before being used by back-end databases. Any portion of the HTTP request can be modified by the attacker and therefore should be either sanitized or validated server side.

 

There are two ways of resolving this issue:

1. Validating input - THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THOSE CRITERIA. By doing this, you are creating a whitelist of acceptable input that the web application can use. This is very similar to the way firewalls work: if the input doesn't follow one of the rules, it is ultimately dropped.

 

2. Sanitizing input - Implement content parsing on data input fields including URL parameters.

 

Remove the following characters from any user or dynamic database input:

# ' (escape the single quote) input

# " (double quote) input

# ) (close parenthesis) input

# ( (open parenthesis) input

# ; (semi-colon) input

# - (dash) input

# | (pipe) input

 

On text input it is recommended to append quotes around the user supplied input.


Sincerely

Mike

we are running hackersafe and today we got a notification that our customer_tesimonial file is not safe (we have the latest version 2.0)

 

I am also running HackerSafe and got the exact same vulnerability on the customer_testimonials.php page.

In HackerSafe you can run a demo, and it shows you what the result of an attack on the page would be.

Here is the result

 

URL string created by ScanAlert = http://www.mydomain.com/customer_testimoni...+union+select+1

 

Result of the URL string

 	
Customer Testimonials

1222 - The used SELECT statements have a different number of columns

select * FROM customer_testimonials WHERE testimonials_id = 1 union select 1

[TEP STOP]

 

ScanAlert only gives us 72 hours to fix this before they pull their logo from our site and we are no longer compliant. Please help, anyone.

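The error output quoted above shows the id from the request being concatenated straight into "WHERE testimonials_id = ...", which is what lets the scanner's "union select" probe become part of the statement. The following is an added example, not code from the Customer Testimonials contribution or from any poster, showing the ScanAlert advice applied to that one lookup: whitelist the parameter to a positive integer and pass it as a bound parameter. It assumes a PDO connection named $db (osCommerce's own code uses tep_db_query; PDO is used here so the example runs stand-alone), and takes the table and column names from the query in the error output.

```php
<?php
// Added example (not the Customer Testimonials contribution's own code).
// Same lookup as the one whose error appears in the thread, with the
// ScanAlert advice applied: whitelist the parameter, then bind it.

// Shape of the vulnerable construction implied by the error output: the raw
// request value is appended to the SQL string, so anything after the number
// becomes part of the statement and MySQL reports it on an error page.
function vulnerable_query(string $rawId): string
{
    return 'select * FROM customer_testimonials WHERE testimonials_id = ' . $rawId;
}

// Whitelist validation (ScanAlert's option 1): a testimonial id is a positive
// integer of reasonable length. Anything else is rejected, not "cleaned".
function parse_testimonials_id(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened lookup: only a validated integer reaches the database, and it is
// passed as a bound parameter rather than concatenated. $db is an assumed
// PDO connection.
function fetch_testimonial(PDO $db, ?string $raw): ?array
{
    $id = parse_testimonials_id($raw);
    if ($id === null) {
        return null; // caller renders an ordinary "not found" page, never the MySQL error
    }
    $stmt = $db->prepare('SELECT * FROM customer_testimonials WHERE testimonials_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id is accepted; the scanner's probe quoted in
// the thread is rejected before any SQL string exists.
foreach (['1', '1 union select 1'] as $input) {
    $id = parse_testimonials_id($input);
    echo json_encode($input), ' => ', ($id === null ? 'rejected' : "id $id"), PHP_EOL;
}
```

Pair this with a generic error page (catch PDOException, log it server-side) so neither scanners nor visitors ever see the MySQL error text that triggered the notice.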

If no one is able to assist, is anyone able to assist in hiring a programmer to fix this? (It shouldn't cost a lot.)

 

I have one standing by. Just waiting to see if anyone can help fix it first.


Sincerely

Mike


Is there coding for page breaks? Loading hundreds of testimonials on one page takes a long time.


Remember what the Bible says: He who is without sin, cast the first rock. And I shall smoketh it.


I am waiting for a price quote from my programmer. Will keep you guys posted. HackerSafe actually just pulled our HS logo from the site until this is fixed.


Sincerely

Mike


Looks like I may have a fix for this. Will keep you guys posted after HackerSafe completes their audit.

 

Even if you are not using HackerSafe, it is highly recommended to have this fixed, as a hacker can use this to cause a DoS attack on your server.


Sincerely

Mike


There is a further vulnerability where user information, namely the encrypted password and email address for every testimonial, can be harvested.


No longer giving free advice. Please place deposit in meter slot provided.  Individual: [=] SME: [==] Corporation: [===]
If deposit does not fit one of the slots provided then you are asking too much! :P


Support The Project
Documentation/Knowledgebase/Discussions
 


I was looking through Supertracker logs and noticed some attempted hacking against my testimonials page, so I would love to see the results of your tests ASAP :)


They got into one of my sites today. I have the code they used to get in, and it reveals ALL customer emails (not just those in customer testimonials), last names and encrypted passwords.

Remove this contribution until there is a security fix. Be warned - word is out.

Hi

 

Does this apply to Customer Testimonials v3, which is a separate contribution (or has it just been taken from this one)?

 

Thanks

Julie

 

Yes, it applies to all, and it is an injection that they can use to then set up a database user which requires no password to gain access.

 

They set up an open, all-access user in the database and then have the privileges to set up databases, etc.

 

I will not post the code used here as this will further compound the issue.

 

I have informed a member of the team and requested that all testimonial contributions be disabled until the issue is resolved.

