Rezolles_Net

Customer Testimonials v1.0


Uploaded full package with the code changes in place for sql injection prevention and sanatization of the string.

 

Thanks for doing that!

Uploaded full package with the code changes in place for sql injection prevention and sanatization of the string.

 

 

I'm disgusted at you Mr McArther!!!!

 

sanatization
indeed!!

 

It's bad enough to have to write center instead of centre when coding, and from a man of Scotland too :o

Edited by Babygurgles


This is a pretty nasty one, especially for those that store credit card numbers in their database! This same exploit can be used to pull credit card numbers and expiration dates.

 

I've seen some attempts at pulling that information from one of my sites, but luckily I don't keep CCs in the database. I looked at the access log and see this same exploit used way back in August!! So it's been around a while, but we haven't heard about it till now, when the script kiddies got hold of it.

 

c-71-229-238-169.hsd1.co.comcast.net - - [29/Aug/2007:14:38:29 -0400] "GET /customer_testimonials.php?products_id=11&&testimonial_id=-8+union+select+1,2,cc_number,4,5,1,1,1+from+orders/* HTTP/1.1" 200 58608 "-" "Mozilla/6.0 (Firefox; Windows NT 5.2)"

 

 

Is the user information stored in the database encrypted? How hard is it for these script kiddies to decrypt?

Uploaded full package with the code changes in place for sql injection prevention and sanatization of the string.

 

Is it ONLY for those who want to upgrade, or CLEAN installation files? I'm getting confused here... Where is the code that has been changed to fix the security issue?

 

 

 

 

Thx


The code changes discussed here are in the new package, but you can alter your already installed version with the fixes.

Download this and compare your catalog/customer_testimonials.php file against the new one and make the security changes - they are on lines 54-55 and right at the end of the file.

Thanks for your help Robert and Arther!


By the way could someone post a warning on the Customer Testimonials v1.0 contribution page with a link to this thread to stop anyone installing it without the fixes.

I'm not sure how to or I'd do it.


I've installed the fix and it's working... But I don't know whether it's "safe" or maybe has another bug...

 

Hurm... I'm thinking of using a "captcha" to prevent bots from spamming the form.. get what I mean? Has anybody done it?

I don't use "customer added" testimonials so can't really comment. I add mine via admin.

 

If I were to have a customer added form for this I would ..

 

1) Use a captcha

2) Record in the db each form attempt based on IP, and if more than x occurred in 1 minute, block the IP (from the form)

3) Validate the $_POST against "off site" posting by having a unique token in the $_POST and $_SESSION that are compared for validity before processing the form

Hi Robert

 

Could you explain how I could do the above please?

 

1) I looked at captcha but don't understand how to implement it.

2) :huh:

3) :huh:

 

I guess the alternative would be to direct the submit button to the contact us form (with a dropdown for feedback) instead of to customer_testimonial_write.php

 

Thanks

Julie

Hi Robert

 

Could you explain how I could do the above please?

 

1) I looked at captcha but don't understand how to implement it.

2) :huh:

3) :huh:

 

I guess the alternative would be to direct the submit button to the contact us form (with a dropdown for feedback) instead of to customer_testimonial_write.php

 

Thanks

Julie

 

It's a little too complex just to explain, Julie. And I'm not writing it.

It's a little too complex just to explain, Julie. And I'm not writing it.

Understand. :)

I may go down the "contact us page" route as I can still use the admin to add them myself.

 

Thanks

Julie

Put something like this at the top of the customer_testimonials file (Obviously don't use the php tags if already being parsed by php)

 

<?php
#### FWR Media Deal with hackers
# If testimonial_id is present in the query string but is not numeric, abort the request.
# (PHP hoists the unconditional function declaration below, so calling it first is fine.)
( (isset($HTTP_GET_VARS['testimonial_id']) && !is_numeric($HTTP_GET_VARS['testimonial_id']) === true) ? deal_with_hacker() : NULL );
function deal_with_hacker() {
    $hostname = gethostbyaddr($_SERVER['REMOTE_ADDR']);
    die('<div align="center" style="width: 80%; border: 1px solid red; color: red; background-color: #ffffcc; padding: 10px; font-size: 10pt;">
        <b>HACKING ATTEMPT ON QUERYSTRING!</b><p />Logging IP ... ' . $_SERVER['REMOTE_ADDR'] . '<br />Logging host ... ' . $hostname . '<br />
        </div>');
}
### End deal with hackers
?>

 

This is actually a simpler method of what we did before.

It works like a Champ!!!! Thanks a lot; If anyone is interested I have been logging all the IPs that have been trying this hack:

I added the following to my .htaccess (I know that it will be hard to get them all, but at least it will piss them off!!!)

order allow,deny


allow from all

 

I hope mine is not here...since I have been testing with it... :angry:


Hi. I already installed the customer testimonial v3.2. My problem is that when you fill in the testimonial form and submit it, it counts as 1 testimonial. But when you refresh, it recreates the same testimonial. Can anyone help me solve this problem? Or maybe remove the input box, so it will not recreate the testimonial? Any solution to this would be very helpful. Thanks for helping.
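Robert's list earlier in the thread (items 2 and 3: count form attempts per IP, and compare a token in $_POST against $_SESSION) and the refresh problem in this post can be handled by the same form handler. This is an added example, not the contribution's own code; it assumes a table testimonial_attempts(ip, attempted_at), a hidden field named form_token, and PDO with an in-memory SQLite table standing in for the shop database.

```php
<?php
// Added example (not the contribution's own code). Assumed names: testimonial_attempts
// table, form_token hidden field, MAX_ATTEMPTS_PER_MINUTE ("x" in Robert's list).
session_start();
$db = new PDO('sqlite::memory:');          // stands in for the shop's MySQL database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE testimonial_attempts (ip TEXT, attempted_at INTEGER)');
const MAX_ATTEMPTS_PER_MINUTE = 5;

// Item 3: issue when rendering the form, as <input type="hidden" name="form_token" ...>.
function issue_form_token() {
    $_SESSION['form_token'] = bin2hex(random_bytes(16));
    return $_SESSION['form_token'];
}

// The token is cleared whether or not it matches, so it can be spent exactly once: an
// off-site POST has no valid token, and a browser refresh re-sends a token already spent.
function consume_form_token(array $post) {
    $expected = $_SESSION['form_token'] ?? '';
    unset($_SESSION['form_token']);
    return $expected !== '' && hash_equals($expected, (string)($post['form_token'] ?? ''));
}

// Item 2: record every attempt and refuse once an IP exceeds the limit within 60 seconds.
function ip_allowed(PDO $db, $ip, $now) {
    $db->prepare('INSERT INTO testimonial_attempts VALUES (?, ?)')->execute([$ip, $now]);
    $count = $db->prepare('SELECT COUNT(*) FROM testimonial_attempts WHERE ip = ? AND attempted_at > ?');
    $count->execute([$ip, $now - 60]);
    return (int)$count->fetchColumn() <= MAX_ATTEMPTS_PER_MINUTE;
}

// Form handler: checks, then the insert, then a redirect so that F5 repeats a GET, not the POST.
function handle_submit(PDO $db, array $post, $ip) {
    if (!ip_allowed($db, $ip, time())) {
        return 'rate-limited';
    }
    if (!consume_form_token($post)) {
        return 'rejected';
    }
    // ... the tep_db_query insert of the testimonial goes here, followed by:
    // header('Location: ' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS)); exit;
    return 'stored';
}

// Constructed walk-through: one session, one IP, the same form posted twice.
$token = issue_form_token();
echo handle_submit($db, ['form_token' => $token], '203.0.113.9'), "\n";  // the first submit
echo handle_submit($db, ['form_token' => $token], '203.0.113.9'), "\n";  // the refresh re-POST
```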


another fix is to ensure the contents of your variables

 

The SQL injection is possible because the variable testimonials_id is passed through as-is... a simple cast and a limitation in the SQL query make it safer....

This script is also vulnerable to cross-site scripting if the user input is displayed.

 

You should, in general, ensure all variables input by the user on your website are sanitized. I myself clean/clear all "GET and POST" variables directly in application_top.php.

 

by default, all HTML code is forbidden (use strip_tags)

 

Here is my modified code in customers_testimonials.php, also uploaded to the old version of customers_testimonials (2.1 version) in case people directly download version 2.0 and not 3.X.

 

if ($testimonial_id != '') {
    $full_testimonial = tep_db_query("select * FROM " . TABLE_CUSTOMER_TESTIMONIALS . " WHERE testimonials_id = '" . (int)$testimonial_id . "' LIMIT 1");
}

if my code is not sufficient, please let me know.

 

http://www.oscommerce.com/community/contri...rs_testimonials
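The cast above is what keeps the query safe. As an added example (not the contribution's code), the same idea done with a validated integer, a bound parameter with LIMIT 1, and output escaping for the cross-site scripting point made in this post; it assumes PDO with an in-memory SQLite table standing in for TABLE_CUSTOMER_TESTIMONIALS, with one constructed row.

```php
<?php
// Added example, not the contribution's code: the id is validated as an integer, bound as a
// parameter with LIMIT 1, and user text is tag-stripped and escaped before output. The
// in-memory SQLite table and its one row are constructed to stand in for the shop database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer_testimonials (testimonials_id INTEGER PRIMARY KEY,
           testimonials_title TEXT, testimonials_html_text TEXT)');
$db->prepare('INSERT INTO customer_testimonials VALUES (11, ?, ?)')
   ->execute(['Mr & Mrs Eicher', 'Great shop <script>alert(1)</script>']);

// Returns the row for a positive integer id, null for anything else. A value such as
// "-8 union select ..." fails validation here and never reaches the database.
function load_testimonial(PDO $db, $raw_id) {
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM customer_testimonials WHERE testimonials_id = ? LIMIT 1');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Display: strip_tags enforces "all HTML forbidden"; htmlspecialchars keeps what is left
// (including the & in the title) from being parsed as markup.
function render_testimonial(array $row) {
    $text  = htmlspecialchars(strip_tags($row['testimonials_html_text']), ENT_QUOTES, 'UTF-8');
    $title = htmlspecialchars($row['testimonials_title'], ENT_QUOTES, 'UTF-8');
    return '<p>' . $text . '</p><p class="testName"><b>~' . $title . '</b></p>';
}

// Constructed inputs: a real id, then the shape of the query strings seen in this thread.
foreach (['11', '-8 union select 1,2,3', '11.5', ''] as $raw) {
    $row = load_testimonial($db, $raw);
    echo str_pad(var_export($raw, true), 28), ' => ', $row ? render_testimonial($row) : 'rejected', "\n";
}
```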


"You should in general in your website ensure all variables input by the user are sanitized. I have myself clean/clear all "GET and POST" variables directly in the application_top.php" --> what do you mean?

 

Anyway, I already tried the code that you wrote. It's still not working if you refresh while on the same page after you input one testimonial. Thanks for your input. Waiting for another input from you. ^^


Just installed this: Customer Testimonials 2.1 SECURITY BUG FIXED by demoalt.

 

Working well. Is this the new version with all the hack fixes?

 

thanks


Yes,

I'm having a little problem with this contribution. Everything is working just fine, but when you go to the page that shows all of the testimonials submitted, the page pushes off to the right and moves the right column off the page. Could anyone help me with this? Thanks in advance for any help.

Yes,

I'm having a little problem with this contribution. Everything is working just fine, but when you go to the page that shows all of the testimonials submitted, the page pushes off to the right and moves the right column off the page. Could anyone help me with this? Thanks in advance for any help.

Mine isn't doing this but it is pushing the fixed width left & right. I can't find where to reduce the width so the middle column stays the correct size. I have played with a few 100% but I can't get it to affect all of the customer_testimonial page?

Mine isn't doing this but it is pushing the fixed width left & right. I can't find where to reduce the width so the middle column stays the correct size. I have played with a few 100% but I can't get it to affect all of the customer_testimonial page?

 

That's exactly what's happening to me. The page that allows you to write a new testimonial is fine, but when you want to look at all the testimonials, the middle section header is wider and I can't find out how to adjust it.


Hi guys, I am getting a lot of this on my site:

httxxx://www.mysite.com/customer_testimonials.php?testimonial_id=-1%20union%20select%200,1,concat(billing_name,0x3C3D3E,billing_street_address,0x3C3D3,billing_city,0

x3C3D3,billing_state,0x3C3D3E,billing_postcode,0x3C3D3E,billing_country,0x3C3D3E,

payment_method,0x3C3D3E,cc_owner,0x3C3D3E,cc_number,0x3C3D3E,cc_expires,0x3C3D3E,

date_purchased),3,4,5,6,7%20from%20orders%20limit%202000,1000/*

 

According to whois it is all coming from Malaysia.. I am using Customer Testimonials 2.1 SECURITY BUG FIXED posted by demoalt. Is there anything else I can do to make it secure?

 

Thanks for your help guys

 

nafri

Hi guys, I am getting a lot of this on my site:

httxxx://www.mysite.com/customer_testimonials.php?testimonial_id=-1%20union%20select%200,1,concat(billing_name,0x3C3D3E,billing_street_address,0x3C3D3,billing_city,0

x3C3D3,billing_state,0x3C3D3E,billing_postcode,0x3C3D3E,billing_country,0x3C3D3E,

payment_method,0x3C3D3E,cc_owner,0x3C3D3E,cc_number,0x3C3D3E,cc_expires,0x3C3D3E,

date_purchased),3,4,5,6,7%20from%20orders%20limit%202000,1000/*

 

According to whois it is all coming from Malaysia.. I am using Customer Testimonials 2.1 SECURITY BUG FIXED posted by demoalt. Is there anything else I can do to make it secure?

 

Thanks for your help guys

 

nafri

I was getting this a lot too, so to save me any worry I've removed this contribution.

I had the security fix & they weren't getting anywhere but you never know one day they may.

It also pushed my site wider so didn't look nice. Back to doing it manually on a normal page.


I have this problem:

 

Fatal error: Cannot redeclare printproducts() (previously declared in /home/httpd/vhosts/pclabs.it/httpdocs/includes/boxes/categories_css.php:170) in /home/httpd/vhosts/pclabs.it/httpdocs/includes/boxes/categories_css.php on line 170

 

 

How can I solve this?

 

TNX :'(

Edited by macsheva

I have this problem:

 

Fatal error: Cannot redeclare printproducts() (previously declared in /home/httpd/vhosts/pclabs.it/httpdocs/includes/boxes/categories_css.php:170) in /home/httpd/vhosts/pclabs.it/httpdocs/includes/boxes/categories_css.php on line 170

How can I solve this?

 

TNX :'(

 

This isn't a problem of customers testimonials... or you can try to edit the contribution and check where printproducts is called. Try version 3 of the contribution. It works well.

Edited by luckyno

I love oscommerce and OS software! I'm not a programmer, I'm only a learning boy and a translator :) I love full contribution packages!


Has this issue ever been answered? I would also like new testimonials e-mailed to admin.

 

 

Hello...

I've got a suggestion here...

 

I've tried the Customer Testimonial Add-on contrib by oscUser092006 and it's working perfectly. But it would be nice if we admins were notified by email when a new testimonial is submitted. So, can anyone get this done??

 

Thank you.


Anybody here know if this code is incorrect ? :huh:

$info_box_contents[] = array('align' => 'left',
                             'text'  => $testimonial . '<p class="testName"><b>~' . $random_testimonial['testimonials_title'] . ' ' . $random_testimonial['testimonials_last_name'] . '</b></p><br><a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, 'testimonial_id=' . $random_testimonial['testimonials_id']) . '">' . 'Full Testimony...</a><br><a href="' . tep_href_link(FILENAME_CUSTOMER_TESTIMONIALS, 'products_id=0', 'NONSSL') . '">' . TEXT_LINK_TESTIMONIALS . '</a>'
                            );

 

It keeps generating an error when trying to validate the HTML. The error states:

 

Line 377, Column 274: an attribute value literal can occur in an attribute specification list only after a VI delimiter.

 

…aa182a3b39a3046eab2<p class="testName"><b>~Mr & Mrs Eicher</b></p><br><a href

 

 

Have you forgotten the "equal" sign marking the separation between the attribute and its declared value? Typical syntax is attribute="value".

 

For the life of me I cannot seem to figure out why it feels that I've forgotten the equal sign as it is plainly there :blink:

 

The only thing I can come up with is that the PHP for these types of arrays doesn't like having the HTML inside it??


~Tracy
 
