Post by brytanix » Sun Feb 13, 2011 10:25 am

Hi all

I just got a quite scaring message from my new customer who wanted to register at my on-line shop. The customer said that when he was registering his account at my on-line shop he could see two addresses (billing and delivery address) of my client from Switzerland. He could choose any of those addresses or add a new one! He told me exactly what the addresses were and they were correct!

How is it possible?! I was trying to simulate opening a new account and I didn't see anything like that. I don't know what to do now. It seems like a serious security issue. Have you experienced anything like that? Is Opencart reliable at all? I don't know what to think.

Dariusz
Last edited by brytanix on Sun Feb 13, 2011 10:30 pm, edited 1 time in total.

New member

Posts

Joined
Fri Dec 31, 2010 7:55 am

Post by i2Paq » Sun Feb 13, 2011 7:39 pm

If you are hosted on a shared server this could be the issue and not related to OpenCart.

Ask you hoster how the temp or tmp and cache folders on that server are setup.

Is there another OpenCart store running on that same server as well?

Always mention version of your OpenCart!

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

UPGRADE to 2.x: Contemplate before thou begins!

Our FREE search: Find your answer FAST!.

BUGs?: Known BUGS for All OC Versions.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by brytanix » Sun Feb 13, 2011 10:25 pm

i2Paq wrote:If you are hosted on a shared server this could be the issue and not related to OpenCart.

Ask you hoster how the temp or tmp and cache folders on that server are setup.

Is there another OpenCart store running on that same server as well?

Always mention version of your OpenCart!
Hi

Thank you very much for your reply. Yes, there are another two OpenCart shops running on the same server. I feel a sort of relief thinking that it might be a problem not related to Opencart. I am going to contact the administrator of the server. I'll let you know the outcome. I run the latest version of OpenCart.

New member

Posts

Joined
Fri Dec 31, 2010 7:55 am

Post by brytanix » Mon Feb 14, 2011 12:30 am

Hi!

I contacted my administrator and here it is what he answered:
No - it's not possible for any account to access session files created by any other account, unless the permissions are incorrect which they aren't.

Opencart has a silly standard php.ini file which creates an effectively unlimited session length but it would still be a software error causing what your client saw.

I've given your account its own session directory which will make any future troubleshooting easier.
Well, I feel confused really. Whatever the cause of the problem is it's a serious security issue and should be investigated further.

New member

Posts

Joined
Fri Dec 31, 2010 7:55 am

Post by Daniel » Mon Feb 14, 2011 12:34 am

are the 2 seperate stores on the same domain? have you not even used a sub domain?

If so they should not be because sessions are ment to be used over the domain and will interfere with each other.

one installation of opencart on one domain name or use sub domains.

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Qphoria » Mon Feb 14, 2011 12:54 am

Still with all of that none of it makes any sense as to why customer A can see customer B's addresses

OpenCart 2.0.x Mod Update Info

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by brytanix » Mon Feb 14, 2011 1:15 am

Daniel wrote:are the 2 seperate stores on the same domain?

If so they should not be because sessions are ment to be used over the domain and will interfere with each other.

one installation of opencart on one domain name.
Yes, there are 3 separate stores on the same domain. Despite the fact that on two stores, the products are the same but they are shipped from two different wholesalers depending on a country the products are being shipped to. The third shop offers a service related to the products in first two shops.

Do you remember? I wanted to set up a multi-store using sub-domains. I stuck during the configuration of the multi-store. I was trying to find any documentation on how to set up a multi-store but there wasn't much about that. I asked for help on the Forum but it seemed that nobody knew how to use multi-store and I didn't get any answer. Then, I wrote two e-mails to you but you never replied to them.

Do you think that installing those shops on subdomains would help or it should be separate domains?

New member

Posts

Joined
Fri Dec 31, 2010 7:55 am

Post by brytanix » Mon Feb 14, 2011 1:35 am

Qphoria wrote:Still with all of that none of it makes any sense as to why customer A can see customer B's addresses
Well, I don't know what to say. Qphoria, do you think installing shops on different sub domains would help?

New member

Posts

Joined
Fri Dec 31, 2010 7:55 am

Post by Daniel » Mon Feb 14, 2011 1:53 am

hes able to see other peoples addresses because hes logged in on one of the shops with customer id = x and then just goes to shop 2 without even needing to re-log in because the system thinks that session is already logged in.

I have already told you to use sub domains. using different folders is a bad idea because cookies are set over a domain name like any other script out there.

shop1.domain.com
shop2.domain.com

or just buy more domain names is the better idea.

I'm pretty sure its been mentioned many times you can not uses folders to run multiple shops and you must use sub domains.

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by Daniel » Mon Feb 14, 2011 1:56 am

in fact i don't know what version you are using because this was fixed ages ago:

session_set_cookie_params(0, str_replace('\\', '/', rtrim(dirname($_SERVER['PHP_SELF']))));

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by brytanix » Mon Feb 14, 2011 2:01 am

I use the latest version of OpenCart.

The other reason why I have been using folders is that when you use subdomains, you have to purchase separate SSL certificate for every single subdomain. When you use folders then one SSL certificate is sufficient for all shops installed in folders. I'll have to change for subdomains though.

New member

Posts

Joined
Fri Dec 31, 2010 7:55 am

Post by Xsecrets » Mon Feb 14, 2011 2:17 am

Daniel wrote:hes able to see other peoples addresses because hes logged in on one of the shops with customer id = x and then just goes to shop 2 without even needing to re-log in because the system thinks that session is already logged in.
yes, but even in this case as far as I know customers are not store specific, so there would not be a way to duplicate a customer_id, so even if he does remain logged in he should never see someone elses information. He would simply still be logged in and have his own customer information available. I can't understand at all how you would come by another customers information. The only way I can see that is if both people are actually using the same computer. Even then if the browser has been closed it should destroy the session.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by brytanix » Mon Feb 14, 2011 2:23 am

Xsecrets wrote:
Daniel wrote:hes able to see other peoples addresses because hes logged in on one of the shops with customer id = x and then just goes to shop 2 without even needing to re-log in because the system thinks that session is already logged in.
yes, but even in this case as far as I know customers are not store specific, so there would not be a way to duplicate a customer_id, so even if he does remain logged in he should never see someone elses information. He would simply still be logged in and have his own customer information available. I can't understand at all how you would come by another customers information. The only way I can see that is if both people are actually using the same computer. Even then if the browser has been closed it should destroy the session.
The customer who reported the problem lives in the UK, the person whose personal details were seen lives in Switzerland so they don't use the same computer.:-)

The funny thing is that the customer from Switzerland made his order 1 month ago and haven't visited my shop since then.

New member

Posts

Joined
Fri Dec 31, 2010 7:55 am

Post by scanreg » Mon Feb 14, 2011 3:57 am

brytanix wrote:
No - it's not possible for any account to access session files created by any other account, unless the permissions are incorrect which they aren't.

Opencart has a silly standard php.ini file which creates an effectively unlimited session length but it would still be a software error causing what your client saw.

I've given your account its own session directory which will make any future troubleshooting easier.
Can you set your own sessions directory for opencart or do you have to use the default?

/home/useraccount/ocsessions/
/home/useraccount/public_html/

Thanks

Active Member

Posts

Joined
Thu May 06, 2010 12:15 am

Post by Qphoria » Mon Feb 14, 2011 4:03 am

Daniel wrote:in fact i don't know what version you are using because this was fixed ages ago:

session_set_cookie_params(0, str_replace('\\', '/', rtrim(dirname($_SERVER['PHP_SELF']))));
This didn't work and was changed back to just:
session_set_cookie_params(0, '/');

There was no good reason for it to not work.. the code looked perfect but no cookies were ever being set

OpenCart 2.0.x Mod Update Info

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by Daniel » Mon Feb 14, 2011 1:44 pm

i'm pretty sure you have modified the code to try to link accounts accross multiple stores and somethings gone wrong.

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm

Post by brytanix » Mon Feb 14, 2011 2:07 pm

Daniel wrote:i'm pretty sure you have modified the code to try to link accounts accross multiple stores and somethings gone wrong.
I don't know. Maybe. I used the documentation provided at OpenCart website. I didn't do anything more as I have no clue about those things and I was very careful as I didn't want to mess up my installation.

As I didn't get any help from anybody with setting up the multistore I uninstalled it. What I noticed is that despite the fact I uninstalled the multistore there are some files left in my main directory. As I wasn't sure what belonged to my installations and what was just a rubbish left after uninstalling the multistore, I left everything as it was. Maybe those files which are left there causes the security issues. You will probably know.

However, I took seriously this security incident and what you said and I am reinstated my two shops in different subdomains.

If you could tell me what files are remains after multistore installation I could remove them and we could see what happens then.
Last edited by brytanix on Tue Feb 22, 2011 11:10 pm, edited 1 time in total.

New member

Posts

Joined
Fri Dec 31, 2010 7:55 am

Post by zrxraver » Tue Feb 22, 2011 2:06 pm

in the config.php add these lines:

define('COOKIE_DOMAIN', 'www.shops.nl');
define('COOKIE_PATH','/firstshop');
define('COOKIE_UNIQUE_NAME','first_shop_name');

for the admin config add something to the cookie_unique_name

in session.php change to this

session_name(COOKIE_UNIQUE_NAME);
session_set_cookie_params(1*24*60*60, COOKIE_PATH, COOKIE_DOMAIN);

the 1*24*60*60 means 24 hours (in seconds) lifetime for the cookie, change it to your needs.

Active Member

Posts

Joined
Fri Oct 30, 2009 5:36 am

Post by i2Paq » Tue Feb 22, 2011 7:55 pm

zrxraver wrote:in the config.php add these lines:

define('COOKIE_DOMAIN', 'www.shops.nl');
define('COOKIE_PATH','/firstshop');
define('COOKIE_UNIQUE_NAME','first_shop_name');

for the admin config add something to the cookie_unique_name

in session.php change to this

session_name(COOKIE_UNIQUE_NAME);
session_set_cookie_params(1*24*60*60, COOKIE_PATH, COOKIE_DOMAIN);

the 1*24*60*60 means 24 hours (in seconds) lifetime for the cookie, change it to your needs.
Would it not be smart to do this default so when logging out of your store front you would not be logged out of your Admin?

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

UPGRADE to 2.x: Contemplate before thou begins!

Our FREE search: Find your answer FAST!.

BUGs?: Known BUGS for All OC Versions.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by Daniel » Wed Feb 23, 2011 12:32 am

i2Paq wrote:
zrxraver wrote:in the config.php add these lines:

define('COOKIE_DOMAIN', 'www.shops.nl');
define('COOKIE_PATH','/firstshop');
define('COOKIE_UNIQUE_NAME','first_shop_name');

for the admin config add something to the cookie_unique_name

in session.php change to this

session_name(COOKIE_UNIQUE_NAME);
session_set_cookie_params(1*24*60*60, COOKIE_PATH, COOKIE_DOMAIN);

the 1*24*60*60 means 24 hours (in seconds) lifetime for the cookie, change it to your needs.
Would it not be smart to do this default so when logging out of your store front you would not be logged out of your Admin?

logging out of the store front has no effect whatso ever on the admin.

one relies on customer_id and the other is user_id.

they won't get mixed up.

OpenCart®
Project Owner & Developer.
OpenCart commercial support now available!


User avatar
Administrator

Posts

Joined
Fri Nov 03, 2006 6:57 pm
Who is online

Users browsing this forum: No registered users and 13 guests