Guest Posted August 5, 2006

Actually I'm wondering if my conf is wrong at some point

    define('HTTP_SERVER', 'https://www.chillows.co.uk'); // eg, http://localhost - should not be empty for productive servers
    define('HTTPS_SERVER', 'https://www.chillows.co.uk'); // eg, https://localhost - should not be empty for productive servers
    define('ENABLE_SSL', true); // secure webserver for checkout procedure?
    define('HTTP_COOKIE_DOMAIN', '212.241.196.235');
    define('HTTPS_COOKIE_DOMAIN', '212.241.196.235');
    define('HTTP_COOKIE_PATH', '/catalog/');
    define('HTTPS_COOKIE_PATH', '/catalog/');
    define('DIR_WS_HTTP_CATALOG', '/catalog/');
    define('DIR_WS_HTTPS_CATALOG', '/catalog/');
    define('DIR_WS_IMAGES', 'images/');
    define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
    define('DIR_WS_INCLUDES', 'includes/');
    define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
    define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
    define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
    define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
    define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
    define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
    define('DIR_FS_CATALOG', '/var/www/vhosts/chillows.co.uk/httpsdocs/catalog/');
    define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
    define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');

♥Vger Posted August 5, 2006

Well there are loads of problems with that.

1. You don't have a trusted ssl cert at all - you only have a non-trusted (self-signed) ssl cert made out to Plesk.
2. With Plesk (at least the way your hosts have it set up) you have to use a two folder system and you've put everything in the httpsdocs folder and nothing in the httpdocs folder - so you'll never get any search engine rankings (they don't rank https pages).

Basically you need a proper (trusted) ssl cert, and to get your hosts to symbolically link the httpsdocs folder to the httpdocs folder - and then you only need to keep a copy of your files in the httpdocs folder.

Vger

Guest Posted August 6, 2006

> Well there are loads of problems with that.
>
> 1. You don't have a trusted ssl cert at all - you only have a non-trusted (self-signed) ssl cert made out to Plesk.
> 2. With Plesk (at least the way your hosts have it set up) you have to use a two folder system and you've put everything in the httpsdocs folder and nothing in the httpdocs folder - so you'll never get any search engine rankings (they don't rank https pages).
>
> Basically you need a proper (trusted) ssl cert, and to get your hosts to symbolically link the httpsdocs folder to the httpdocs folder - and then you only need to keep a copy of your files in the httpdocs folder.
>
> Vger

Thanks Vger, what's the best way for me to get a trusted ssl? Can you get one for free?

I'll see what I can sort out with the hosting re the httpsdocs folder, I did initially have the store installed in the normal http folder but moved it. How does the symbolic linking work by the way? Is it like a mirroring of the httpsdocs folder? Would all the domain names appear as https in the browser then?

Feel a bit better now I've got some feedback from somebody who knows what's going on, thanks again.

Mat

♥Vger Posted August 6, 2006

No, you can't get a Trusted ssl cert for free as they are all commercially sold ssl certificates e.g. Geotrust, GoDaddy, Thawte, VeriSign etc. Your site also has to have its own dedicated ip address to be able to have a full ssl cert on a shared server.

Your hosting company has to set up the symbolic link from the httpsdocs to the httpdocs folder - and using Plesk it's not easy to achieve. Any https request is diverted to the httpdocs folder, but fooled into thinking it's in the httpsdocs folder, so it works fine.

Vger

Edited August 6, 2006 by Vger

lancaster_unik Posted August 10, 2006

OK I am stuck, stuck and even more stuck!

OK I installed the version 3.1, it did not work so I have removed it and installed version 3.0... I think I have confused myself on this issue!!

I followed all the instructions in the readme file but I still get the following error when I try and run through a test transaction:

    Warning: exec() [function.exec]: Unable to fork [E:\sites2\oneAdmin41\shop\cgi-bin TestHash.exe "zOR1mj9kBux14oZkIL/FmCtCX0JPwkxT" "http://URL/shop/checkout_process.php" "http://URL/shop/hsbc_return.php" "Tactical Things order" "Order 06221-045354" "4800" "826" "UK............GBP" "1155225234000" "Auth" "8te9t1dfh5df1u42apfl2q8fo3" "8411 White Cross" "Lancaster" "826" "Lancashire" "Graham" "Wilson" "la1 5fb" "[email protected]" "8411 White add1" "town" "826" "county" "Graham" "Wilson" "la1 5fb" "T" 2>&1] in E:\sites2\oneAdmin41\shop\includes\modules\payment\hsbc.php on line 96

I have attempted to solve this in a couple of ways but neither seems to work.

The E:\sites2\oneAdmin41\shop\includes\modules\payment\hsbc.php file looks like this:

    //Function to generate a hash to perform the POST or to check received parameters
    function getHash($fields) {
      $cmd="";
      reset($fields);
      while(list($k,$v)=each($fields)) {
        $cmd.=" \"$v\" ";
      }
      //Path where the TestHash.e executable is located
      $path='E:\sites2\oneAdmin41\shop\cgi-bin';
      putenv("LD_LIBRARY_PATH=$path");
      //Executes the TestHash to get the hash
      $cmd="$path TestHash.exe \"".MODULE_PAYMENT_HSBC_HASH."\" $cmd 2>&1";
      $ret=exec($cmd, $output);
      $ret=split(':',$ret);
      //Returns the hash
      $hash=trim($ret[1]);
      return($hash);
    }

Obviously the rest is the same as the standard file.

I have used the .exe version of the CPI integration files. All I have done is copy the 3 executable files into the folder "cgi-bin".

If I ignore the error and click continue on my order I then get a further error:

    Warning: exec() [function.exec]: Unable to fork [E:\sites2\oneAdmin41\shop\cgi-bin TestHash.exe "HASH KEY" "UK............GBP" "Order 06221-045354" "4800" "826" "1155225910751" "[email protected]" "8te9t1dfh5df1u42apfl2q8fo3" "10" 2>&1] in E:\sites2\oneAdmin41\shop\includes\modules\payment\hsbc.php on line 96Hacking attempt!

I presume that they are related and one occurs because of the other.

In the admin section I have everything set up correctly, that I am pretty sure of.

The only thing I can think of is that I am not using a secure connection currently, but in my opinion that should not be an issue as the error occurs before any data is passed to the HSBC.com/servlet page.

Can anyone help? I am at my wits' end with this!

My server configuration is:

    IIS 6.0
    Windows 2k3
    MySQL >> Latest Stable
    PHP >> 5

Any help would be more than greatly appreciated!

PS Note: This is a virgin installation of oscommerce MS2.2 so no other contribs installed!

Many Thanks

♥Vger Posted August 10, 2006

If you read the HSBC Requirements they will tell you that you have to connect using https - so "Yes" it is an issue. But you also require certain files to be loaded on the shared library of the server you're using, and for cURL to be compiled into php, plus the three files to be loaded into the cgi bin and set to permissions of 755.

Vger

lancaster_unik Posted August 11, 2006

> If you read the HSBC Requirements they will tell you that you have to connect using https - so "Yes" it is an issue. But you also require certain files to be loaded on the shared library of the server you're using, and for cURL to be compiled into php, plus the three files to be loaded into the cgi bin and set to permissions of 755.
>
> Vger

OK the cgi bin files have the correct permission. Could you elaborate on the following: "cURL to be compiled into php"? I am not 100% sure what you mean by this.

I will shift all the files to a secure connection.

Many Thanks for your prompt reply

PS: Would the fact that the files are not stored in a secure area really cause the "Unable to Fork..."

♥Vger Posted August 11, 2006

To find out if cURL (which applies basic encryption) is compiled into PHP go to your osCommerce admin panel --> Tools --> Server Info and take a look. It will tell you if cURL is available or not.

I don't know if the 'unable to fork' error is caused by ssl problems, but it may be caused by the ssl server (if it is separate) being unable to communicate properly with the non-ssl server. It might help if we knew your URL and who you are hosted with.

Vger

The Mort Posted August 12, 2006

I can't get the order_id numbers to match. I get one number on the hsbc page, a slightly different one in the e-mail confirming the order and a different one altogether in admin orders. I seem to be going around in circles with the advice in the forum so would appreciate it if anyone could give me the idiot's guide to sorting the order_id's.

Thanks

Janette

The Mort Posted August 12, 2006

> I can't get the order_id numbers to match. I get one number on the hsbc page, a slightly different one in the e-mail confirming the order and a different one altogether in admin orders. I seem to be going around in circles with the advice in the forum so would appreciate it if anyone could give me the idiot's guide to sorting the order_id's.
>
> Thanks
>
> Janette

Fiddled a bit more and now the order number from hsbc and the one that is e-mailed to the person placing the order match, but the one showing in the admin orders and on the customer's history page is just a 0 !?!?!?

J

lancaster_unik Posted August 15, 2006

> OK the cgi bin files have the correct permission. Could you elaborate on the following: "cURL to be compiled into php"? I am not 100% sure what you mean by this.
>
> I will shift all the files to a secure connection.
>
> Many Thanks for your prompt reply
>
> PS: Would the fact that the files are not stored in a secure area really cause the "Unable to Fork..."

OK.... I am having serious problems with getting this working on a Windows Server. If possible could somebody who has the HSBC module running on a Windows platform contact me via email.

I have been in conversations with Vger who was very helpful but unfortunately he does not run on a Windows platform. As I promised Vger, I will post the solution when we get it working so that any future "windows runners" can install this great mod, problem free!

Many Thanks

Graham

Weirfire Posted August 16, 2006

I'm looking for the HSBC contribution which used mhash and mcrypt but I can't find it on the contributions list.

Has anyone still got a copy?

Thanks

Stephen Weir

jhdesign Posted August 16, 2006

What are the server/setup requirements for running this payment module?

I get the infamous HACKING ATTEMPT! error

I also added the hashcode output so I get this now but I'm not sure what it means:

    Hacking atempt! - orderHash=WRfZoUdA0X9hDr1BeBKkpTzwWhE= hash=line 1

Any help is appreciated!

lancaster_unik Posted August 17, 2006

> OK the cgi bin files have the correct permission. Could you elaborate on the following: "cURL to be compiled into php"? I am not 100% sure what you mean by this.
>
> I will shift all the files to a secure connection.
>
> Many Thanks for your prompt reply
>
> PS: Would the fact that the files are not stored in a secure area really cause the "Unable to Fork..."

OK you need to give the cmd.exe read and execute privileges via the internet guest user.

After you have done this your error message will transform from the infamous "unable to fork" to the more famous "hacking attempt".

I am now going to add the Hash output and try to debug that!

lancaster_unik Posted August 17, 2006

OK... I added to the hsbc_return.php

    if ($order_hash!=$hash) die ("Hacking atempt! - orderHash=".$order_hash." hash=".$hash);

and it returned

    Hacking atempt! - orderHash=RPLPyssj4XWsZTunXgZCK96B8Tk= hash=

Can anyone help me debug?

Graham

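An added example, not part of the thread and not the HSBC module's own code: the posted getHash() splices customer fields into a shell command string, and the debug line in hsbc_return.php echoes hashes to the browser when the helper produced nothing. The sketch below runs the helper without a shell, logs failures on the server, and treats an empty hash as a failed check. The names computeHash and orderHashMatches, the stand-in helper and the sample fields are assumptions made for illustration, and it needs PHP 7.4 or later.

```php
<?php
// Added example, not the HSBC module's code. Needs PHP 7.4+ (array form of proc_open).

// Runs the hashing helper directly, without a shell, and returns the hash or null.
// $helper is the argv prefix of the helper program (its real path is site-specific).
function computeHash(array $helper, string $key, array $fields): ?string
{
    // Every value is its own argv entry, so quotes or "&" in a customer's
    // address cannot alter the command that is executed.
    $argv = array_merge($helper, [$key], array_map('strval', array_values($fields)));
    $proc = @proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        error_log('hash helper could not be started');
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $exit = proc_close($proc);

    // As in the posted getHash(): the text after ":" on the last output line.
    $lines = preg_split('/\R/', trim($out));
    $parts = explode(':', end($lines), 2);
    $hash = isset($parts[1]) ? trim($parts[1]) : '';

    // Assumption: the hash is base64 text, like the values quoted in the thread.
    if ($exit !== 0 || !preg_match('/^[A-Za-z0-9+\/]+=*$/', $hash)) {
        error_log("hash helper failed: exit=$exit stderr=" . trim($err));
        return null;
    }
    return $hash;
}

// Fails closed: a missing hash never matches, and neither hash is sent to the browser.
function orderHashMatches(?string $computed, string $received): bool
{
    return $computed !== null && hash_equals($computed, $received);
}

// Constructed stand-in for TestHash.exe (SHA-1 over the arguments, NOT the bank's
// algorithm) so the example runs anywhere PHP does.
$standIn = [PHP_BINARY, '-r',
    'echo "Hash value: ", base64_encode(sha1(implode("|", array_slice($argv, 1)), true));',
    '--'];
// Constructed sample fields, including characters that would break a quoted shell string.
$fields = ['order' => 'Order 0001', 'amount' => '4800', 'address' => '1 "Test" Road & Co'];

$computed = computeHash($standIn, 'constructed-key', $fields);
var_dump(orderHashMatches($computed, (string) $computed));

// Helper missing or not executable: the check fails and the reason goes to the error log.
$missing = computeHash(['/nonexistent/TestHash'], 'constructed-key', $fields);
var_dump(orderHashMatches($missing, ''));
```
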
Weirfire Posted August 17, 2006

I did the same thing myself. I think it means that the hash isn't being generated properly. Make sure your server can compile c files.

I've got my site on shared hosting and I'm currently trying to figure a way of using mhash and mcrypt instead of using the cgibin files such as TestHash. If anyone still has the module somewhere please PM me.

> OK... I added to the hsbc_return.php
>
>     if ($order_hash!=$hash) die ("Hacking atempt! - orderHash=".$order_hash." hash=".$hash);
>
> and it returned
>
>     Hacking atempt! - orderHash=RPLPyssj4XWsZTunXgZCK96B8Tk= hash=
>
> Can anyone help me debug?
>
> Graham

lancaster_unik Posted August 17, 2006

> I did the same thing myself. I think it means that the hash isn't being generated properly. Make sure your server can compile c files.
>
> I've got my site on shared hosting and I'm currently trying to figure a way of using mhash and mcrypt instead of using the cgibin files such as TestHash. If anyone still has the module somewhere please PM me.

Yeah I'm running a Windows based IIS server. I am a bit out of my depth when you start talking about compiling C files! Any Help?

jhdesign Posted August 18, 2006

What is needed for HSBC? Is SSL required? Can it be shared? I'm getting hackattempt right now.

♥Vger Posted August 18, 2006

SSL can be shared, but if you are paying all that money to use HSBC secure e-Payments then I'd spend the few extra pounds and have full ssl installed.

Vger

Guest Posted August 24, 2006

> SSL can be shared, but if you are paying all that money to use HSBC secure e-Payments then I'd spend the few extra pounds and have full ssl installed.
>
> Vger

Hi all, thanks for the tips previously Vger, I've installed an SSL cert for my site now, a trial one from Thawte, but I get a message popping up when hitting the site saying there is a mismatch between www.chillows.co.uk and chillow.co.uk - I can't work out what I've done wrong there.

I'm also getting the hacking attempt, could this be because of the above mentioned problem on my cert?

Not going to give up on this one!

https://www.chillows.co.uk/catalog/

ribs Posted August 24, 2006

Hi,

The SSL error you are getting is exactly as you said. The SSL was issued to chillows.co.uk but your site's URL is www.chillows.co.uk. You could change the configure.php file and remove the www from the HTTPS_CATALOG_SERVER path, this will at least cure that problem.

With regards to the HSBC hacking attempt problem, unfortunately the SSL is not the problem and this is most likely caused by the Hash key not being generated or being incorrect.

Good luck

Neil Westlake

Guest Posted August 24, 2006

> Hi,
>
> The SSL error you are getting is exactly as you said. The SSL was issued to chillows.co.uk but your site's URL is www.chillows.co.uk. You could change the configure.php file and remove the www from the HTTPS_CATALOG_SERVER path, this will at least cure that problem.
>
> With regards to the HSBC hacking attempt problem, unfortunately the SSL is not the problem and this is most likely caused by the Hash key not being generated or being incorrect.
>
> Good luck
>
> Neil Westlake

Hi, thanks Neil, I've created a new cert now that matches up the domain, I may be wrong but I think this is just because I am using a Thawte Test CA root for now.

I only see HTTPS_CATALOG_SERVER in the admin configure.php and there is no path at all in this currently. I also spotted that in both I can see that define('ENABLE_SSL_CATALOG') is set to false. Should this be set to true?

Guest Posted August 24, 2006

> Hi, thanks Neil, I've created a new cert now that matches up the domain, I may be wrong but I think this is just because I am using a Thawte Test CA root for now.
>
> I only see HTTPS_CATALOG_SERVER in the admin configure.php and there is no path at all in this currently. I also spotted that in both I can see that define('ENABLE_SSL_CATALOG') is set to false. Should this be set to true?

Ahh whoops, looks like I just uploaded blank configure files to my site! Not a good move

ribs Posted August 24, 2006

Your configure file should be set as follows:

    define('HTTP_SERVER', 'http://www.chillows.co.uk');
    define('HTTP_CATALOG_SERVER', 'http://www.chillows.co.uk');
    define('HTTPS_CATALOG_SERVER', 'https://www.chillows.co.uk');
    define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module

It doesn't matter if you use a non-trusted root certificate, all HSBC is interested in is seeing a post from a https URL.

Neil Westlake

Guest Posted August 24, 2006

> Your configure file should be set as follows:
>
>     define('HTTP_SERVER', 'http://www.chillows.co.uk');
>     define('HTTP_CATALOG_SERVER', 'http://www.chillows.co.uk');
>     define('HTTPS_CATALOG_SERVER', 'https://www.chillows.co.uk');
>     define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
>
> It doesn't matter if you use a non-trusted root certificate, all HSBC is interested in is seeing a post from a https URL.
>
> Neil Westlake

OK, that's good to know about the root cert. I've got the above settings in now, although I could only find the above settings verbatim in the admin configure file, but I'm still getting the hacking attempt.

I'm wondering what is the first step of tackling this message, I've changed the PHP to display the hashes as per previous posts in this topic, they don't appear to match!