Post by pair » Sun Feb 25, 2018 6:23 am

I posted here (Post by pair » Fri Feb 23, 2018 12:31 pm) but did not get a response from you; that's why I'm asking the other user how he got it resolved...


Post by straightlight » Sun Feb 25, 2018 6:25 am

My apologies. This was not intended. I seem to have missed your post. :ponder:

What are the steps you did on your end to install this extension?

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by pair » Sun Feb 25, 2018 6:41 am

Thanks for your reply straightlight. My apologies, just trying to get this working. Below is what I did.
I uploaded via FTP to the following paths:
/system/helper - File csrf_helper.php
and then on
/vqmod/xml - File csrf.xml
Refreshed the cache and checked the page source. The admin works but not the front end.
No errors in the VQManager error log, and no catalog header.php, only vq2-admin_controller_common_header.php.
Let me know if any other details are needed.
Regards,


Post by straightlight » Sun Feb 25, 2018 6:59 am

The alternate solution was already provided here: viewtopic.php?f=23&t=51859&start=60#p715300

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by pair » Sun Feb 25, 2018 7:03 am

This is what I have in the XML. Am I missing something?

Code:

<?xml version="1.0" encoding="UTF-8"?>
<modification>
    <id>CSRF Form Protection</id>
    <version>v2.x and v3.x</version>
    <vqmver required="true">2.6.0</vqmver>
    <author>Straightlight</author>

    <file name="admin/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
            $this->load->helper('csrf_helper');

            csrf_start();
            ]]></add>
        </operation>
    </file>

    <file name="catalog/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
            $this->load->helper('csrf_helper');

            csrf_start();
            ]]></add>
        </operation>
    </file>
</modification>


Post by straightlight » Sun Feb 25, 2018 7:09 am

This is what I have in the XML. Am I missing something?
The XML looks fine. Ensure to look in your VQMod Manager for unusual lines that it's tracking.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by pair » Sun Feb 25, 2018 7:42 am

I reinstalled again. Now I'm able to see vq2-catalog_controller_common_header.php in /vqmod/vqcache.
However, in the front end's page source, after deleting the site cache, browser cache, etc., I'm still unable to see the csrf.
This is what it shows when trying the account register:
<p>If you already have an account with us, please login at the <a href="https://www.MYSITE.com/index.php?route= ... gin">login page</a>.</p>
<form action="https://www.MYSITE.com/index.php?route=account/register" method="post" enctype="multipart/form-data" class="form-horizontal">
<fieldset id="account">

Not sure what to look for as unusual. This is what my vqcache shows as files there:

/vqmod/vqcache/vq2-admin_controller_common_header.php
/vqmod/vqcache/vq2-admin_controller_common_menu.php
/vqmod/vqcache/vq2-admin_controller_extension_installer.php
/vqmod/vqcache/vq2-admin_controller_setting_setting.php
/vqmod/vqcache/vq2-admin_language_english_common_menu.php
/vqmod/vqcache/vq2-admin_model_catalog_product.php
/vqmod/vqcache/vq2-admin_model_sale_order.php
/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php
/vqmod/vqcache/vq2-catalog_controller_checkout_confirm.php
/vqmod/vqcache/vq2-catalog_controller_checkout_success.php
/vqmod/vqcache/vq2-catalog_controller_common_header.php
/vqmod/vqcache/vq2-catalog_controller_information_contact.php
/vqmod/vqcache/vq2-catalog_controller_information_information.php
/vqmod/vqcache/vq2-catalog_controller_module_featured.php
/vqmod/vqcache/vq2-catalog_controller_product_category.php
/vqmod/vqcache/vq2-catalog_controller_product_search.php
/vqmod/vqcache/vq2-catalog_model_catalog_product.php
/vqmod/vqcache/vq2-system_engine_action.php
/vqmod/vqcache/vq2-system_engine_controller.php
/vqmod/vqcache/vq2-system_engine_loader.php
/vqmod/vqcache/vq2-system_library_cart.php
/vqmod/vqcache/vq2-system_library_config.php
/vqmod/vqcache/vq2-system_library_language.php
/vqmod/vqcache/vq2-system_modification_admin_controller_common_menu.php
/vqmod/vqcache/vq2-system_modification_admin_model_catalog_product.php
/vqmod/vqcache/vq2-system_modification_catalog_controller_common_header.php
/vqmod/vqcache/vq2-system_modification_catalog_controller_product_product.php
/vqmod/vqcache/vq2-system_modification_catalog_model_catalog_product.php
/vqmod/vqcache/vq2-system_modification_catalog_model_checkout_order.php
/vqmod/vqcache/vq2-system_modification_system_engine_action.php
/vqmod/vqcache/vq2-system_modification_system_engine_loader.php
/vqmod/vqcache/vq2-system_modification_system_library_config.php
/vqmod/vqcache/vq2-system_modification_system_library_language.php
/vqmod/vqcache/vq2-system_startup.php
/vqmod/vqcache/vq2-admin_view_template_common_header.tpl
/vqmod/vqcache/vq2-admin_view_template_common_menu.tpl
/vqmod/vqcache/vq2-admin_view_template_setting_setting.tpl
/vqmod/vqcache/vq2-catalog_view_theme_rpm_template_checkout_register.tpl
/vqmod/vqcache/vq2-catalog_view_theme_rpm_template_common_header.tpl
/vqmod/vqcache/vq2-catalog_view_theme_rpm_template_module_featured.tpl
/vqmod/vqcache/vq2-catalog_view_theme_rpm_template_product_category.tpl
/vqmod/vqcache/vq2-catalog_view_theme_rpm_template_product_search.tpl
/vqmod/vqcache/vq2-system_modification_admin_view_template_common_menu.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_rpm_template_account_register.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_rpm_template_common_header.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_rpm_template_product_product.tpl

Anything else I should try to see if I can get this resolved?

Thanks again for all your help!

Regards,


Post by straightlight » Sun Feb 25, 2018 7:54 am

Clear your VQMod cache and revert to the default theme, noting whether the CSRF token is also not showing there.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by pair » Sun Feb 25, 2018 12:52 pm

Hello straightlight, sorry I couldn't reply sooner. Had to step out.
I tried what you suggested but to no avail. I cleared all the caches and set the default template in the admin, but now I'm not even getting the catalog header in the VQcache. This is what I have now in the VQcache. Still no errors in VQManager or the admin error log.

/vqmod/vqcache/vq2-admin_controller_common_header.php
/vqmod/vqcache/vq2-admin_controller_common_menu.php
/vqmod/vqcache/vq2-admin_controller_setting_setting.php
/vqmod/vqcache/vq2-admin_language_english_common_menu.php
/vqmod/vqcache/vq2-admin_model_catalog_product.php
/vqmod/vqcache/vq2-admin_model_sale_order.php
/vqmod/vqcache/vq2-catalog_controller_information_contact.php
/vqmod/vqcache/vq2-catalog_controller_module_featured.php
/vqmod/vqcache/vq2-catalog_controller_product_category.php
/vqmod/vqcache/vq2-system_engine_action.php
/vqmod/vqcache/vq2-system_engine_controller.php
/vqmod/vqcache/vq2-system_engine_loader.php
/vqmod/vqcache/vq2-system_library_cart.php
/vqmod/vqcache/vq2-system_library_config.php
/vqmod/vqcache/vq2-system_library_language.php
/vqmod/vqcache/vq2-system_modification_admin_controller_common_menu.php
/vqmod/vqcache/vq2-system_modification_admin_model_catalog_product.php
/vqmod/vqcache/vq2-system_modification_catalog_controller_common_header.php
/vqmod/vqcache/vq2-system_modification_catalog_controller_product_product.php
/vqmod/vqcache/vq2-system_modification_catalog_model_catalog_product.php
/vqmod/vqcache/vq2-system_modification_system_engine_action.php
/vqmod/vqcache/vq2-system_modification_system_engine_loader.php
/vqmod/vqcache/vq2-system_modification_system_library_config.php
/vqmod/vqcache/vq2-system_modification_system_library_language.php
/vqmod/vqcache/vq2-system_startup.php
/vqmod/vqcache/vq2-admin_view_template_common_header.tpl
/vqmod/vqcache/vq2-admin_view_template_common_menu.tpl
/vqmod/vqcache/vq2-admin_view_template_setting_setting.tpl
/vqmod/vqcache/vq2-catalog_view_theme_default_template_module_featured.tpl
/vqmod/vqcache/vq2-catalog_view_theme_default_template_product_category.tpl
/vqmod/vqcache/vq2-system_modification_admin_view_template_common_menu.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_default_template_account_register.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_default_template_common_header.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_default_template_product_product.tpl

Anything else I should try?
Regards,


Post by straightlight » Sun Feb 25, 2018 7:50 pm

Thanks to the forum user neelgajjar. Since the latest modifications published on the marketplace, CSRF attackers are no longer able to flood POST forms.

@pair: Send me a PM and I will take a look at the issue.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by straightlight » Sun Feb 25, 2018 8:32 pm

A little tweak to cover your store against outsiders using external APIs with Opencart's API login and admin orders, for those who use the OC Admin API.

In your catalog/controller/api/login.php file,

find:

Code:

if ($api_info) {
replace with:

Code:

if ($api_info && !empty($this->session->data['__csrf'])) {
Optional steps below to show the error message. Find:

Code:

} else {
				$json['error']['key'] = $this->language->get('error_key');
			}
		}
replace with:

Code:

			} else {
				$json['error']['key'] = $this->language->get('error_key');
			}
		} else {
			$json['error']['key'] = $this->language->get('error_login_csrf');
		}
In your catalog/language/<your_language>/api/login.php file, at the bottom of the file, add:

Code:

$_['error_login_csrf'] = 'Either the API login or the CSRF key are invalid!';
This should completely fortify the platform. :)

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by straightlight » Sun Feb 25, 2018 8:45 pm

An additional way to tweak and fortify, which I do recommend adding along with the previous post:

In your admin/controller/sale/order.php file,

find all instances of:

Code:

if ($api_info && $this->user->hasPermission('modify', 'sale/order')) {
replace all with:

Code:

if ($api_info && $this->user->hasPermission('modify', 'sale/order') && !empty($this->session->data['__csrf'])) {
For those who use Openbay:

In your admin/controller/marketplace/openbay.php file,

find all instances of:

Code:

if (isset($api_info['error']) || isset($api_login['error'])) {
replace all with:

Code:

if ((isset($api_info['error']) || isset($api_login['error'])) || (empty($this->session->data['__csrf']))) {

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester
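As an added illustration for the two tweak posts above (this is not the extension's csrf_helper.php nor any OpenCart code; function names and the demo request are assumptions), here is a minimal token helper in the shape those posts rely on: the token lives in the session under the same __csrf key that the API login and admin order gates test with !empty(), is printed as a hidden __csrf field, and is compared in constant time on POST.

```php
<?php
// Added example, not the extension's csrf_helper.php: a minimal CSRF token
// helper in the shape the thread describes. Function names are assumptions.
// In a real request, session_start() must run before any of these are called.

// Issue one token per session, stored under the same '__csrf' key that the
// thread's API login and admin order gates test with !empty().
function csrf_token(): string {
    if (empty($_SESSION['__csrf'])) {
        $_SESSION['__csrf'] = bin2hex(random_bytes(32)); // 256-bit random token
    }
    return $_SESSION['__csrf'];
}

// Hidden field to print inside every POST form; this is the name="__csrf"
// input the posters were looking for in the page source.
function csrf_field(): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="__csrf" value="' . $token . '">';
}

// Verify the submitted token against the session copy in constant time, so a
// request without a token, or with a guessed one, is rejected.
function csrf_valid(array $post, array $session): bool {
    if (empty($session['__csrf']) || empty($post['__csrf']) || !is_string($post['__csrf'])) {
        return false;
    }
    return hash_equals($session['__csrf'], $post['__csrf']);
}

// The API login gate as the thread rewrites it: a matching API key row alone
// is not enough, the caller's session must also carry a CSRF token.
function api_login_allowed($api_info, array $session): bool {
    return !empty($api_info) && !empty($session['__csrf']);
}

// Constructed demo (CLI only): one valid form post, one forged token, and an
// API login attempt from a session that never received a token.
if (PHP_SAPI === 'cli') {
    $_SESSION = [];
    echo csrf_field(), "\n";
    var_dump(csrf_valid(['__csrf' => $_SESSION['__csrf']], $_SESSION));
    var_dump(csrf_valid(['__csrf' => 'forged'], $_SESSION));
    var_dump(api_login_allowed(['api_id' => 1], []));
}
```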



Post by k2tec » Sun Feb 25, 2018 9:18 pm

Pair, this is what I did.
Upload the files.
Deleted all vqmodcache files.
Deleted checked.cache and mods.cache.
Then go to a page in your catalog; then there will be the file vq2-catalog_controller_common_header.php
with this code in it:

Code:

		$data['styles'] = $this->document->getStyles();

			$this->load->helper('csrf_helper');

			csrf_start();

		$data['scripts'] = $this->document->getScripts();


Post by straightlight » Sun Feb 25, 2018 9:25 pm

k2tec wrote:
Sun Feb 25, 2018 9:18 pm
Pair, this is what I did.
Upload the files.
Deleted all vqmodcache files.
Deleted checked.cache and mods.cache.
Then go to a page in your catalog; then there will be the file vq2-catalog_controller_common_header.php
with this code in it:

Code:

		$data['styles'] = $this->document->getStyles();

			$this->load->helper('csrf_helper');

			csrf_start();

		$data['scripts'] = $this->document->getScripts();
Thanks for providing your steps. However, do not forget to download the latest release of the system/helper/csrf_helper.php file, as of today's release, if you don't already have it. ;)

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by huubert2 » Mon Feb 26, 2018 12:10 am

k2tec wrote:
Sun Feb 25, 2018 9:18 pm
Pair, this is what I did.
Upload the files.
Deleted all vqmodcache files.
Deleted checked.cache and mods.cache.
Then go to a page in your catalog; then there will be the file vq2-catalog_controller_common_header.php
with this code in it:

Code:

		$data['styles'] = $this->document->getStyles();

			$this->load->helper('csrf_helper');

			csrf_start();

		$data['scripts'] = $this->document->getScripts();
For me at least the code in vq2-catalog_controller_common_header.php shows up as well. But unfortunately that's the only change I see. The page source in frontend pages does not show any csrf-related changes. I seem to have exactly the same issue Pair is having. We are using different themes though.
I've installed all the updated releases of the extension, cleared the cache more times than I can count, and each time checked the vqmanager and error log. So far no luck on the frontend and nothing in the logs. In admin it has worked flawlessly since day 1.
OC 2.1.0.2.


Post by straightlight » Mon Feb 26, 2018 12:54 am

Send me a PM. I will take a look at it.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by idarand » Thu Mar 15, 2018 10:01 pm

Hey. Have you managed to solve the issue? I can see the "name=___csrf" at the admin login page but not at the customer registration. Can't PM you because my account is brand new. :)


Post by straightlight » Thu Mar 15, 2018 10:28 pm

Ensure your file path is valid in the XML file, and use the same block of code as the admin's block for your catalog block, in order to track the right lines of code in your TPL files, if the alternative solution in the current XML file cannot display the CSRF key in the view source.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by idarand » Thu Mar 15, 2018 11:03 pm

I added the lines to both of the header.php files manually but still got the same result. So path should be correct. I tried finding any differences in the post forms, the default theme and my theme look identical. Where else can I look why the code can't track my code?


Post by straightlight » Thu Mar 15, 2018 11:06 pm

Where else can I look why the code can't track my code?
By posting your XML file with the changes you made.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester

