osCommerce


[contribution] Visual Verify Code (VVC) security


Guest


Do you have the GD Library installed in PHP?

This worked for me; it got rid of the X and everything worked perfectly.

 

Original Instructions

echo('<img src="' . FILENAME_VISUAL_VERIFY_CODE_DISPLAY . '?vvc=' . $vvcode_oscsid . '"');

Replace with

echo('<img src="' . FILENAME_VISUAL_VERIFY_CODE_DISPLAY . '?vvc=' . $vvcode_oscsid . '">');

(missed closing tag), not too important.

 

Main problem was in step 3

 

3. Add two VVC php files to your site and notify framework

 

c. Place the following statement in your /catalog/includes/filenames.php

define('TABLE_VISUAL_VERIFY_CODE', 'visual_verify_code');

 

-replace the above with the following

c. Place the following statement in your /catalog/includes/filenames.php

define('FILENAME_VISUAL_VERIFY_CODE_DISPLAY', 'vvc_display.php');

 

graeme



Tried those changes and it still shows up as an x for me. http://www.bryanjohnson.ca/guestbook_sign.php


I did, it still showed as a broken image. However, the URL of the image is http://www.bryanjohnson.ca/vvc_display.php...o8aicfefe556me6 rather than just http://www.bryanjohnson.ca/vvc_display.php?vvc= as it is on the guestbook page.

4. GD Library

a. The image generation requires that you have the GD library available.

V. Instructions:

Overview:

The process for installing the visual_verify_code (VVC) contribution involves

1) creating a database table for VVC use,

2) updating the language files,

3) installing two files (the VVC drawing php and function php), and lastly

4) updating the pages where you want the visual verify code to reside.

 

Does all of the above apply?


Yes. I've made all the changes 3 times now. I can see in the database a new code being generated each time I refresh the page as well, but still no image shows. Does it matter what version of GD I have (bundled (2.0.34 compatible))?

Edited by picard102

Yours is a later version than mine, so yours should be ok.

 

Both my vvc files have permissions 644, if that helps.

 

Which contribution and version is it?


The guestbook is:

http://www.oscommerce.com/community/contributions,1349

VVCode Mod Full Pack

 

and then I installed the VVC contrib when that mod didn't work.

 

The VVC is:

http://addons.oscommerce.com/info/1560

Visual Verify Code(VVC) 2.2

 

 

The permissions are a little different on Windows, but I believe they have full read/write. When I go to the files directly via the browser I get the red X. http://www.bryanjohnson.ca/vvc_display.php

Edited by picard102

I get a blank page in the browser when I access the file directly.

 

Well, it is perplexing. I have not got a guestbook, so I don't know about that addon.

 

I know that the addon 1560 works. Did you undo everything from the 1349 addon, before you installed the 1560 addon?


 

Ya, the install instructions in 1349 are the same as 1560, but I did undo it. I can give you access if you want to take a look at the files?


I get the same problem. The images do not load and the GD Library is enabled. I used this contribution some time ago and did not have this problem.

 

Any help would be great.

Jamie

I forgot to mention in pm, try removing the vvc file that is in the includes folder.


I narrowed it down to a problem in my application_top file. There was an extra empty line at the bottom of it that screwed things up for some reason. Seems to be working now. Odd.

 

Thanks for all the help in tracking this down. Not sure if this is going to help anyone else though.

Thank goodness you pinned it.


So has anyone come up with an answer for why this does not work on the contact us page?

 

It works fine on create account, but in Contact Us, you fill in the fields and ignore the VVC and it still goes through fine.

 

I would love to get this working as the contact us page is where I get the majority of spam (mostly porn links which are so annoying)!

 

Anyone?


Did you do both edits on the page?

 

Hi Coopco

 

I'm not sure what you mean. I read through the posts above, but I thought they referred to getting the image to display properly. Which edits are you referring to - could you tell me which post, thanks.

 

I did edit the contact_us.php file as per the original instructions, if that's what you meant?

 

Cheers

Sol


The contact us page had two edits. Were both done correctly?


Hi Coopco

 

I could only find one edit for the contact us page:

 

Original Instructions
echo('<img src="' . FILENAME_VISUAL_VERIFY_CODE_DISPLAY . '?vvc=' . $vvcode_oscsid . '"');
Replace with
echo('<img src="' . FILENAME_VISUAL_VERIFY_CODE_DISPLAY . '?vvc=' . $vvcode_oscsid . '">');
(missed closing tag), not too important.

 

I have made that change but still the form submits without the VVC being used.

 

Could you please tell me which is the other edit?

 

You don't mean this one, do you?

 

Main problem was in step 3

3. Add two VVC php files to your site and notify framework

c. Place the following statement in your /catalog/includes/filenames.php
define('TABLE_VISUAL_VERIFY_CODE', 'visual_verify_code');

-replace the above with the following
c. Place the following statement in your /catalog/includes/filenames.php
define('FILENAME_VISUAL_VERIFY_CODE_DISPLAY', 'vvc_display.php');

 

Because if so, I have checked this and my code is correct in the filenames.php file.

 

Can you tell me (or even better, paste the code here) where the other edit is?

 

Thanks

Sol


The readme I have says

 

>>>>(* Begin /catalog/contact_us.php and /catalog/tell_a_friend.php sections. *)

 

5. Update the /catalog/contact_us.php in two places:

a. Locate the text near line 30 that ends with a bracket and is:

 

    if (tep_validate_email($email_address) == false) {
      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
    }

 

 

i. Add the following after that above bracket:

 

//VISUAL VERIFY CODE start
    require(DIR_WS_FUNCTIONS . 'visual_verify_code.php');

    $code_query = tep_db_query("select code from visual_verify_code where oscsid = '" . $HTTP_GET_VARS['osCsid'] . "'");
    $code_array = tep_db_fetch_array($code_query);
    $code = $code_array['code'];

    tep_db_query("DELETE FROM " . TABLE_VISUAL_VERIFY_CODE . " WHERE oscsid='" . $vvcode_oscsid . "'"); //remove the visual verify code associated with this session to clean database and ensure new results

    $user_entered_code = $HTTP_POST_VARS['visual_verify_code'];
    if (!(strcasecmp($user_entered_code, $code) == 0)) { //make the check case insensitive
      $error = true;
      $messageStack->add('contact', VISUAL_VERIFY_CODE_ENTRY_ERROR);
    }
//VISUAL VERIFY CODE stop

 

 

 

b. Locate the text somewhere near line 125 (135-140 after the above mod) that ends with "</tr>" and is:

 

          <td class="main"><?php echo tep_draw_input_field('name'); ?></td>
        </tr>
        <tr>
          <td class="main"><?php echo ENTRY_EMAIL; ?></td>
        </tr>
        <tr>
          <td class="main"><?php echo tep_draw_input_field('email'); ?></td>
        </tr>

 

 

i. Add the following after the above "</tr>":

 

<!-- VISUAL VERIFY CODE-- START-->
        <tr>
          <td class="main"><?php echo VISUAL_VERIFY_CODE_CATEGORY; ?></td>
        </tr>
        <tr>
          <td><table border="0" width="100%" cellspacing="1" cellpadding="2" class="infoBox">
            <tr class="infoBoxContents">
              <td><table border="0" cellspacing="2" cellpadding="2">
                <tr>
                  <td class="main"><?php echo VISUAL_VERIFY_CODE_TEXT_INSTRUCTIONS; ?></td>
                  <td class="main"><?php echo tep_draw_input_field('visual_verify_code'); ?></td>
                  <td class="main">
<?php
//can replace the following loop with $visual_verify_code = substr(str_shuffle (VISUAL_VERIFY_CODE_CHARACTER_POOL), 0, rand(3,6)); if you have PHP 4.3
  $visual_verify_code = "";
  for ($i = 1; $i <= rand(3,6); $i++){
    $visual_verify_code = $visual_verify_code . substr(VISUAL_VERIFY_CODE_CHARACTER_POOL, rand(0, strlen(VISUAL_VERIFY_CODE_CHARACTER_POOL)-1), 1);
  }
  $vvcode_oscsid = $HTTP_GET_VARS['osCsid'];
  tep_db_query("DELETE FROM " . TABLE_VISUAL_VERIFY_CODE . " WHERE oscsid='" . $vvcode_oscsid . "'");
  $sql_data_array = array('oscsid' => $vvcode_oscsid, 'code' => $visual_verify_code);
  tep_db_perform(TABLE_VISUAL_VERIFY_CODE, $sql_data_array);
  $visual_verify_code = "";
  echo('<img src="' . FILENAME_VISUAL_VERIFY_CODE_DISPLAY . '?vvc=' . $vvcode_oscsid . '"');
?>
                  </td>
                  <td class="main"><?php echo VISUAL_VERIFY_CODE_BOX_IDENTIFIER; ?></td>
                </tr>
              </table></td>
            </tr>
          </table></td>
        </tr>
<!-- VISUAL VERIFY CODE-- STOP -->

 

 

c. END of /catalog/contact_us.php mod.


Thank you for your reply.

 

Yes, I have both of those edits....

 

Any other suggestions?

 

I appreciate your time.

Cheers

At this stage, I think it will not work on an RC version shop. My store is updated to RC1. My test site is RC2a.

 

I found that on the test shop, if I copy the contact_us.php file from the 2.2 version of VVC that it does work.

 

I did do some tests on your contact us page, so I hope that is ok. Nice shop too.

 

It is late so I will have to investigate further at another time.


It is the merging of the code at the top of the file that is the problem.

 

The RC2a file has

 

  require('includes/application_top.php');

  require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CONTACT_US);

  $error = false;
  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
    $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
    $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

    if (tep_validate_email($email_address)) {
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);

      tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
    } else {
      $error = true;

      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
    }

The vvc code is supposed to go in here

  }

  $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_CONTACT_US));
?>

 

However, the file that comes with the contrib is like this:

 

  require('includes/application_top.php');

  require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CONTACT_US);

  $error = false;
  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
    $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
    $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

    if (tep_validate_email($email_address) == false) {
      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
    }

//VISUAL VERIFY CODE start
    require(DIR_WS_FUNCTIONS . 'visual_verify_code.php');

    $code_query = tep_db_query("select code from visual_verify_code where oscsid = '" . tep_session_id($HTTP_GET_VARS[tep_session_name()]) . "'");
    $code_array = tep_db_fetch_array($code_query);
    $code = $code_array['code'];

    tep_db_query("DELETE FROM " . TABLE_VISUAL_VERIFY_CODE . " WHERE oscsid='" . $vvcode_oscsid . "'"); //remove the visual verify code associated with this session to clean database and ensure new results

    $user_entered_code = $HTTP_POST_VARS['visual_verify_code'];
    if (!(strcasecmp($user_entered_code, $code) == 0)) { //make the check case insensitive
      $error = true;
      $messageStack->add('contact', VISUAL_VERIFY_CODE_ENTRY_ERROR);
    }
//VISUAL VERIFY CODE stop

    if ($error == false) {
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);
      tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
    }
  }

  $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_CONTACT_US));
?>

 

So if anyone can sort this out, and post the fix, it would be great.

Edited by Coopco

Was hoping that there would be an answer to this.

 

Perhaps I should put one of my daughters' photos in my profile.

 

Hi, I had the same problem, but when I checked the logic in the "if (tep_validate_email($email_address)) {" I found that as long as the e-mail address was OK the form was sent before the security code was checked. So I moved the e-mail function and the redirect. Here is the whole "if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {" statement:

 

  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
    $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
    $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

    if (tep_validate_email($email_address)) {

    } else {
      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
    }
//VISUAL VERIFY CODE start
    require(DIR_WS_FUNCTIONS . 'visual_verify_code.php');

    $code_query = tep_db_query("select code from visual_verify_code where oscsid = '" . tep_session_id($HTTP_GET_VARS[tep_session_name()]) . "'");
    $code_array = tep_db_fetch_array($code_query);
    $code = $code_array['code'];

    tep_db_query("DELETE FROM " . TABLE_VISUAL_VERIFY_CODE . " WHERE oscsid='" . $vvcode_oscsid . "'"); //remove the visual verify code associated with this session to clean database and ensure new results

    $user_entered_code = $HTTP_POST_VARS['visual_verify_code'];
    if (!(strcasecmp($user_entered_code, $code) == 0)) {    //make the check case insensitive
      $error = true;
      $messageStack->add('contact', VISUAL_VERIFY_CODE_ENTRY_ERROR);
    }
//VISUAL VERIFY CODE stop

    if (!$error) {
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);
      tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
    }
  }

 

I hope this is the solution for you too!

Regards

Ivan

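Added example, not code from the VVC contribution, its readme, or any post in this thread: a stand-alone PHP script that puts the readme's code generation and the reordered check from Ivan's post side by side, with a plain array standing in for the visual_verify_code table and filter_var standing in for tep_validate_email (both stand-ins are assumptions, as are the pool value, the session id and the form input, which are constructed for the walk-through). Beyond what the posts show, it draws the code with random_int instead of rand(), keys the lookup on a session id the server already knows rather than on the osCsid query parameter, treats a missing stored code as a failed check instead of comparing the entry against nothing, and consumes the stored code on every attempt, so one issued code is good for exactly one submission and the mail goes out only after every check has passed.

```php
<?php
// Added example (not from the VVC contribution or any poster). An in-memory array
// stands in for the visual_verify_code table; filter_var stands in for tep_validate_email.

// Assumed value for the contribution's VISUAL_VERIFY_CODE_CHARACTER_POOL constant.
define('VISUAL_VERIFY_CODE_CHARACTER_POOL', 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789');

// Stand-in for the table: session id => stored code.
$vvc_table = array();

// Issue a code for a session, replacing any earlier one (the readme's DELETE +
// tep_db_perform pair), but drawn with random_int rather than rand().
function vvc_issue(array &$table, $session_id, $length = 6) {
    $pool = VISUAL_VERIFY_CODE_CHARACTER_POOL;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $pool[random_int(0, strlen($pool) - 1)];
    }
    $table[$session_id] = $code;
    return $code;
}

// Consume the stored code for this session and compare it with the user's entry.
// Returns true only when a code existed and matched (case-insensitively, as in the original).
function vvc_check(array &$table, $session_id, $user_entered) {
    if (!isset($table[$session_id])) {
        return false;               // nothing was issued for this session: fail closed
    }
    $code = $table[$session_id];
    unset($table[$session_id]);     // one attempt per issued code, like the readme's DELETE
    return strcasecmp((string)$user_entered, $code) === 0;
}

// The order Ivan's post arrives at: collect every error first, mail only if there are none.
// $session_id is taken from the server-side session, not from the query string.
function handle_contact(array &$table, $session_id, array $post, callable $send_mail) {
    $errors = array();
    $email = isset($post['email']) ? trim($post['email']) : '';
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {    // stand-in for tep_validate_email
        $errors[] = 'ENTRY_EMAIL_ADDRESS_CHECK_ERROR';
    }
    $entered = isset($post['visual_verify_code']) ? $post['visual_verify_code'] : '';
    if (!vvc_check($table, $session_id, $entered)) {
        $errors[] = 'VISUAL_VERIFY_CODE_ENTRY_ERROR';
    }
    if (count($errors) === 0) {
        $send_mail($email, isset($post['enquiry']) ? $post['enquiry'] : '');
    }
    return $errors;
}

// Walk-through with constructed input.
$sent = array();
$mailer = function ($from, $body) use (&$sent) { $sent[] = $from; };
$sid = 'sess-example-1';                                     // constructed session id
$code = vvc_issue($vvc_table, $sid);

// 1. Form submitted with the code field left empty: rejected, nothing mailed.
$e1 = handle_contact($vvc_table, $sid, array('email' => 'a@example.com', 'visual_verify_code' => ''), $mailer);
// 2. Attempt 1 consumed the code, so even the right answer fails until a new one is issued.
$e2 = handle_contact($vvc_table, $sid, array('email' => 'a@example.com', 'visual_verify_code' => $code), $mailer);
// 3. Fresh code, valid address, entry in the wrong case: accepted, one mail sent.
$code = vvc_issue($vvc_table, $sid);
$e3 = handle_contact($vvc_table, $sid, array('email' => 'a@example.com', 'visual_verify_code' => strtolower($code)), $mailer);

printf("attempt 1: %s\nattempt 2: %s\nattempt 3: %s\nmails sent: %d\n",
    implode(',', $e1) ?: 'ok', implode(',', $e2) ?: 'ok', implode(',', $e3) ?: 'ok', count($sent));
```

Run it from the command line with php; the three attempts show the empty entry rejected, the consumed code rejected, and only the fresh code accepted. In a real contact_us.php the array would be the visual_verify_code table and the session id would come from tep_session_id() on the server, so the check no longer depends on whether osCsid happens to be present in the form's action URL.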

 

Well, this is a good theory... I tried it and, nope, the email on my contact_us file still goes through WITHOUT the VVC even being entered!

 

Curious how this can work for the others but not this page!

 

Here is my current contact us header (with Ivan's updated format). I confess I have few skills to solve this issue, so I'm hoping there is a genius out there. Otherwise, search for another solution?

 

<?php
/*
  $Id: contact_us.php 1739 2007-12-20 00:52:16Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/

  require('includes/application_top.php');

  require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CONTACT_US);

  $error = false;

  if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'send')) {
    $name = tep_db_prepare_input($HTTP_POST_VARS['name']);
    $email_address = tep_db_prepare_input($HTTP_POST_VARS['email']);
    $enquiry = tep_db_prepare_input($HTTP_POST_VARS['enquiry']);

    if (tep_validate_email($email_address)) {

    } else {
      $error = true;
      $messageStack->add('contact', ENTRY_EMAIL_ADDRESS_CHECK_ERROR);
    }
//VISUAL VERIFY CODE start
    require(DIR_WS_FUNCTIONS . 'visual_verify_code.php');

    $code_query = tep_db_query("select code from visual_verify_code where oscsid = '" . tep_session_id($HTTP_GET_VARS[tep_session_name()]) . "'");
    $code_array = tep_db_fetch_array($code_query);
    $code = $code_array['code'];

    tep_db_query("DELETE FROM " . TABLE_VISUAL_VERIFY_CODE . " WHERE oscsid='" . $vvcode_oscsid . "'"); //remove the visual verify code associated with this session to clean database and ensure new results

    $user_entered_code = $HTTP_POST_VARS['visual_verify_code'];
    if (!(strcasecmp($user_entered_code, $code) == 0)) { //make the check case insensitive
      $error = true;
      $messageStack->add('contact', VISUAL_VERIFY_CODE_ENTRY_ERROR);
    }
//VISUAL VERIFY CODE stop

    if (!$error) {
      tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_SUBJECT, $enquiry, $name, $email_address);
      tep_redirect(tep_href_link(FILENAME_CONTACT_US, 'action=success'));
    }
  }

  $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_CONTACT_US));
?>
