Post by Cleo » Mon Oct 05, 2015 11:38 am

Hello

I have an extension that I bought a while ago so customers can submit an offer on a product, but I wasn't using it because it was conflicting with my security software. Now I would like to start using it, but I'm wondering if this extension is safe, because it opens a window with a form that customers have to fill in, and that form is using:
$offervalue = $_GET["data"];
and
method="post"

Is it risky to use this kind of form? I mean, is it dangerous for injections since it is using GET and POST?

Tks

Cleo

Opencart v1.5.4.1 fr/en
Theme: Custom
vqmod-2.6.0
PHP: 7.3 (ea-php73)


User avatar
Active Member

Posts

Joined
Wed Mar 09, 2011 5:19 am

Post by qahar » Mon Oct 05, 2015 4:43 pm

It's too early to decide whether the extension has a security issue or not.
I would suggest you contact the developer and tell him about your security software's result.
I'm sure the developer would be happy to improve their extension's security.

User avatar
Expert Member

Posts

Joined
Tue Jun 29, 2010 10:24 pm
Location - Indonesia

Post by Cleo » Tue Oct 06, 2015 5:10 am

Hello qahar

Thank you for the reply.

I don't think that the extension has a security issue; maybe I didn't ask the question properly!

I was wondering if using those GET and POST values in an opening window was risky for injection?

My security software is Crawlprotect, which mostly adds rules to the .htaccess, and one of those rules doesn't accept those GET and POST (at least that's what I think), and the guy who developed Crawlprotect is away for a while, so I cannot ask him for help. Maybe if I could find someone who knows .htaccess very well I would be able to fix the conflict!

As for the developer who made the Make an offer extension, he would be the last person I would ask, because I had enough problems with him! :crazy:

Regards

Cleo


Post by qahar » Tue Oct 06, 2015 3:47 pm

Two things as a note:
- Why open a new window if you can use a modal and AJAX?
- Using method="post" on the HTML form while grabbing the data with $offervalue = $_GET["data"] doesn't make it POST; it uses GET.

Related to GET and POST in general, I would suggest you read:
- http://stackoverflow.com/questions/1984 ... -the-other
- http://security.stackexchange.com/quest ... n-security

Since GET exposes data through the URL, POST is used to send data from a form. Plus, using SSL helps encrypt POST data.
But the most crucial question is not whether using GET or POST increases security, but how the code sanitizes user input.
Even if you send form data using POST over SSL, if the parameter is thrown as-is to the database without further sanitizing, that is a huge security issue, especially when it is related to database changes.

I only know the basics; maybe others can help you here.

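To make qahar's two points concrete, here is an added example (not code from the Make an offer extension, from Crawlprotect or from OpenCart itself) that puts the pattern described in this thread next to a hardened version. It uses the field name "data" from the thread; the table name `offer`, the function names and the use of plain mysqli instead of OpenCart's own `$this->db` wrapper are assumptions made so the file stands alone.

```php
<?php
// Added example, not code from the Make an offer extension or from OpenCart.
// Assumed: a table `offer` (product_id, customer_id, amount). Plain mysqli is
// used instead of OpenCart's $this->db wrapper so this file runs stand-alone.

// --- 1. The pattern the thread describes (vulnerable) ---
// The HTML form says method="post", yet the handler reads $_GET. The value
// therefore only arrives if someone puts ?data=... in the URL, and whatever
// arrives is concatenated straight into the SQL statement.
function save_offer_vulnerable(mysqli $db, int $product_id, int $customer_id): void
{
    $offervalue = $_GET["data"];   // wrong superglobal, and no validation at all
    $db->query("INSERT INTO offer (product_id, customer_id, amount) "
             . "VALUES ($product_id, $customer_id, '$offervalue')");
    // ?data=0');DROP TABLE offer;-- would close the string and the statement early.
}

// --- 2. Hardened version ---
// Read from $_POST (matching the form), accept only a sane money amount, and
// bind the value with a prepared statement instead of interpolating it.
function validate_offer_amount($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $raw = trim($raw);
    // digits with at most two decimals: no sign, no exponent, no quotes, no tags
    if (!preg_match('/^\d{1,10}(\.\d{1,2})?$/', $raw)) {
        return null;
    }
    if ((float)$raw <= 0) {        // a zero offer is not an offer
        return null;
    }
    return $raw;
}

function save_offer_hardened(mysqli $db, int $product_id, int $customer_id): array
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return ['error' => 'Offers must be submitted with POST'];
    }
    $amount = validate_offer_amount($_POST['data'] ?? null);
    if ($amount === null) {
        return ['error' => 'Invalid offer amount'];
    }
    $stmt = $db->prepare(
        'INSERT INTO offer (product_id, customer_id, amount) VALUES (?, ?, ?)'
    );
    $stmt->bind_param('iis', $product_id, $customer_id, $amount);
    $stmt->execute();
    $stmt->close();
    return ['success' => 'Offer received'];
}

// Self-check of the validator with constructed inputs (no database needed).
$cases = [
    '45.50'                     => '45.50',
    ' 100 '                     => '100',
    '0'                         => null,
    '-5'                        => null,
    '1e3'                       => null,
    "0');DROP TABLE offer;--"   => null,
    '<script>alert(1)</script>' => null,
];
foreach ($cases as $input => $expected) {
    $got = validate_offer_amount((string)$input);
    echo str_pad(var_export((string)$input, true), 32), ' => ', var_export($got, true),
         ($got === $expected ? '' : '   MISMATCH'), PHP_EOL;
}
```

The integer parameters are typed `int` so that product and customer ids are also validated before they reach SQL; that matters because the ids usually come from hidden inputs, and a hidden field's value= is just as attacker-controlled as a visible one. Note that the prepared statement is what prevents SQL injection; the regular expression only rejects nonsense amounts. A storefront form like this should additionally carry a per-session CSRF token, which OpenCart 1.5 does not provide on the catalog side, so that is a further assumption left out of the example.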

Post by Cleo » Tue Oct 06, 2015 8:26 pm

@qahar

Thank you again for the reply.
- Why open a new window if you can use a modal and AJAX?
It's the way the extension was created!
- Using method="post" on the HTML form while grabbing the data with $offervalue = $_GET["data"] doesn't make it POST; it uses GET.
Ok, thanks for the explanation. As you can see, I know nothing about programming; I was asking about GET and POST because I remember seeing something about it in that thread: http://forum.opencart.com/viewtopic.php?f=179&t=130853

I just looked at the source of that opening window and I saw that it is using:

input type="hidden" value=

So maybe that is what Crawlprotect is blocking!
There is a place in CP where we can add the values/variables used on our site to tell CP not to block those, so maybe I can try to add it and see what will happen.

Tks
Cleo


Post by straightlight » Sat Oct 10, 2015 10:35 am

Opencart did evolve regarding the use of JSON over jQuery. When calling PHP, it encodes an array into a JSON envelope, as it can perform background operations rather than requiring the browser to open a new window, which is one way to see it as more secure than opening new windows. :)

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by Cleo » Sun Oct 11, 2015 9:13 am

@straightlight

I have no idea if the extension is using JSON or jQuery! When you click on the Make an offer button a little window opens on the page and you fill in the form there.

I tried a few more things but it didn't work :( The problem is that I know nothing about programming, so I have no idea what exactly CP is blocking!

The only way I would be able to use the extension is by removing Crawlprotect, but since my site was hacked a while ago I feel more secure with it, and I have no idea how I could make it as secure as it is right now without it!

I wish I could find someone who knows Crawlprotect and could fix it for me; I wouldn't mind paying to get it fixed.

Tks

Cleo
