
Re: [RELEASED] CSRF Protection Form

Posted: Tue Mar 20, 2018 6:20 am
by straightlight
v1.5.x releases are not delivered out of the box. The XML file must be edited accordingly.

Re: [RELEASED] CSRF Protection Form

Posted: Tue Mar 20, 2018 8:08 pm
by straightlight
For those using the social login extension: https://www.opencart.com/index.php?rout ... n_id=18171,

in catalog/controller/extension/d_social_login/callback.php file,

find:

Code:

if (isset($_REQUEST['hauth_start']) || isset($_REQUEST['hauth_done']))

replace with:

Code:

// Both HybridAuth entry points are grouped before the CSRF check. The extra
// parentheses matter: PHP binds && tighter than ||, so without them a request
// carrying hauth_start would skip the session token check entirely.
if ((isset($_REQUEST['hauth_start']) || isset($_REQUEST['hauth_done'])) && !empty($_SESSION['__csrf']))
In catalog/controller/extension/d_social_login/callback_live.php file,

find:

Code:

public function index (){
		$_REQUEST['hauth_done'] = 'Live';

		require_once("system/library/hybrid/auth.php");
		require_once("system/library/hybrid/endpoint.php");
		Hybrid_Endpoint::process();
	}

replace with:

Code:

public function index() {
	// Only hand the request to the HybridAuth endpoint when a CSRF token
	// exists in the session; otherwise the callback is ignored.
	if (!empty($_SESSION['__csrf'])) {
		$_REQUEST['hauth_done'] = 'Live';

		require_once("system/library/hybrid/auth.php");
		require_once("system/library/hybrid/endpoint.php");
		Hybrid_Endpoint::process();
	}
}
In catalog/controller/extension/module/d_social_login.php file,

find:

Code:

if (isset($this->request->get['provider'])) {

replace with:

Code:

if (isset($this->request->get['provider']) && !empty($this->session->data['__csrf'])) {

Then, find:

Code:

$this->log->write('Missing application provider.');

replace with:

Code:

$this->log->write('Missing application provider or missing CSRF token.');

Re: [RELEASED] CSRF Protection Form

Posted: Tue Mar 20, 2018 8:15 pm
by straightlight
For those using this extension: https://www.opencart.com/index.php?rout ... n_id=24825,

In catalog/controller/extension/module/oneall.php file,

find:

Code:

if (isset($this->request->post) && !empty($this->request->post['connection_token']))

replace with:

Code:

if (isset($this->request->post) && !empty($this->request->post['connection_token']) && !empty($this->session->data['__csrf']))

Re: [RELEASED] CSRF Protection Form

Posted: Tue Mar 20, 2018 8:23 pm
by straightlight
For those using this extension: https://www.opencart.com/index.php?rout ... n_id=21672, starting from v2.x releases,

In catalog/controller/account/socl_login.php file,

find:

Code:

if (isset($soclall_id) && !empty($soclall_id) && isset($this->request->get['network'])) {

replace with:

Code:

if (isset($soclall_id) && !empty($soclall_id) && isset($this->request->get['network']) && !empty($this->session->data['__csrf'])) {

Then, find:

Code:

if ($login_info && ($login_info['total'] > $this->config->get('config_login_attempts')) && strtotime('-1 hour') < strtotime($login_info['date_modified'])) {

replace with:

Code:

// A missing CSRF token in the session is treated the same way as too many
// failed login attempts: the error branch runs and the login does not proceed.
if (($login_info && ($login_info['total'] > $this->config->get('config_login_attempts')) && strtotime('-1 hour') < strtotime($login_info['date_modified'])) || (empty($this->session->data['__csrf']))) {

Re: [RELEASED] CSRF Protection Form

Posted: Tue Mar 20, 2018 8:32 pm
by straightlight
For those using this extension: https://www.opencart.com/index.php?rout ... n_id=27180, version 3.0.0,

In catalog/controller/module/gluu_sso.php (or catalog/controller/extension/module/gluu_sso.php) file,

find:

Code:

if(!$this->customer->isLogged () and $this->gluu_is_port_working() and !empty($this->request->get['route']) and $this->request->get['route'] == 'account/login'){

replace with:

Code:

// The operator between the two groups was missing in the original post. "||" is
// used here on the assumption that it mirrors the socl_login edit in this series
// (a missing session token is treated like the other condition); verify this
// against the module's behaviour before applying it.
if ((!$this->customer->isLogged () and $this->gluu_is_port_working() and !empty($this->request->get['route']) and $this->request->get['route'] == 'account/login') || (empty($this->session->data['__csrf']))) {

Then, find:

Code:

if( isset( $_REQUEST['session_state'] ) ) {

replace with:

Code:

if (isset($_REQUEST['session_state']) && !empty($_SESSION['__csrf'])) {

Then, find:

Code:

if (is_array ($result) && ! empty ($result['email']))

replace with:

Code:

if (is_array($result) && !empty($result['email']) && !empty($this->session->data['__csrf']))

Then, in the:

Code:

public function admin_login($username) {

method, find:

Code:

if ($user_query->num_rows) {

replace with:

Code:

if ($user_query->num_rows && !empty($this->session->data['__csrf'])) {

Re: [RELEASED] CSRF Protection Form

Posted: Tue Mar 20, 2018 8:53 pm
by straightlight
For those using this extension: https://www.opencart.com/index.php?rout ... n_id=32842,

In vqmod/xml/fb_login_one_page.xml file,

find:

Code:

if(isset($this->request->post['email_address']) && $this->request->post['email_address'] != 'undefined'){

replace with:

Code:

if(isset($this->request->post['email_address']) && $this->request->post['email_address'] != 'undefined' && !empty($this->session->data['__csrf'])){

Re: [RELEASED] CSRF Protection Form

Posted: Tue Mar 20, 2018 8:57 pm
by straightlight
The last few posts about the extensions are about the use of remote APIs for login / register accounts with social logins. These few provided instructions will increase protection for your store.
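The edits in the preceding posts all gate a remote-login callback on `!empty($_SESSION['__csrf'])`, that is, on a token merely being present in the session. The PHP below is an added example, not the CSRF Protection Form extension's code and not something posted by straightlight. It puts that presence check beside a full match check (the request must carry a copy of the token that equals the session value, compared with `hash_equals`), and groups the two HybridAuth conditions the way the callback.php edit requires so that neither entry point bypasses the check. The function names, the `__csrf` request parameter, and the sample session and request arrays are assumptions made for the example.

```php
<?php
// Added example (not the extension's or the forum posts' code). Shows the
// difference between "a __csrf token exists in the session" (the check used
// in the edits above) and "the request presents a token that matches it".
// Function names, the __csrf request parameter and the sample arrays are
// assumptions for this example.

/** Issue a token into the session if one is not there yet and return it. */
function csrf_issue(array &$session): string
{
    if (empty($session['__csrf'])) {
        // 32 random bytes, hex-encoded: unguessable and safe to embed in HTML/URLs.
        $session['__csrf'] = bin2hex(random_bytes(32));
    }
    return $session['__csrf'];
}

/** Presence check, as used in the edits above: a token merely exists. */
function csrf_present(array $session): bool
{
    return !empty($session['__csrf']);
}

/**
 * Full check: the request must carry a token equal to the session's.
 * hash_equals() compares in constant time, so response timing does not
 * leak how many leading characters of the token an attacker got right.
 */
function csrf_valid(array $session, array $request): bool
{
    if (empty($session['__csrf']) || !isset($request['__csrf'])) {
        return false;
    }
    if (!is_string($request['__csrf'])) {
        return false; // e.g. ?__csrf[]=x arrives as an array and is rejected
    }
    return hash_equals($session['__csrf'], $request['__csrf']);
}

/**
 * Gate for a social-login callback, mirroring the callback.php edit above:
 * both HybridAuth entry points are grouped before the token check, so that
 * neither of them bypasses it. Returns true when the callback may be run.
 */
function social_callback_allowed(array $session, array $request): bool
{
    $is_callback = isset($request['hauth_start']) || isset($request['hauth_done']);
    return $is_callback && csrf_valid($session, $request);
}

// --- Constructed walkthrough (no web server needed) ---------------------------
$session = [];
$token   = csrf_issue($session);

// 1. Legitimate callback: the browser sends back the token it was given.
$good = ['hauth_done' => 'Facebook', '__csrf' => $token];
printf("legitimate callback allowed: %s\n", var_export(social_callback_allowed($session, $good), true));

// 2. Forged callback: a third-party page can make the victim's browser hit the
//    callback URL, but cannot know the token. The presence check alone passes
//    because the victim's session already holds a token; the full check fails.
$forged = ['hauth_start' => 'Facebook'];
printf("forged: presence check: %s\n", var_export(csrf_present($session), true));
printf("forged: full check:     %s\n", var_export(social_callback_allowed($session, $forged), true));

// 3. Wrong token (a guess or a stale session): rejected in constant time.
$wrong = ['hauth_done' => 'Live', '__csrf' => str_repeat('0', 64)];
printf("wrong token allowed: %s\n", var_export(social_callback_allowed($session, $wrong), true));

// 4. Precedence pitfall from the thread: without the grouping parentheses,
//    && binds tighter than ||, so a request with hauth_start passes
//    regardless of the token check on the right-hand side.
$ungrouped = isset($forged['hauth_start']) || isset($forged['hauth_done']) && csrf_valid($session, $forged);
printf("ungrouped condition lets forged request through: %s\n", var_export($ungrouped, true));
```

Run it with `php example.php`. The session array stands in for `$_SESSION` / `$this->session->data` and the request arrays for `$_REQUEST`; in a real store the token issued by `csrf_issue()` has to be embedded in the form or the outbound login URL so that the browser can send it back on the callback.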

Re: [RELEASED] CSRF Protection Form - Not Working?

Posted: Thu Mar 22, 2018 8:10 am
by imagineds
I downloaded the CSRF Protection Form plugin and there were only two files. I have installed them in the corresponding folders but the registration form is still accepting spam registration. What else do I need to do? My store is Version 3.0.2.0.

Thank you.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 8:19 am
by straightlight
Do you use any social login extensions / remote APIs for logins on your store?

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 8:29 pm
by imagineds
No social login. Sorry to not know, but what would be an example of a remote API? We have a payment gateway.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 9:02 pm
by straightlight
A gateway that requires a remote login to your site.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 9:21 pm
by imagineds
Authorize.net is the only thing I can think of we're connecting to.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 9:31 pm
by straightlight
Which Authorize.net? There are three of them (if not more).

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 9:37 pm
by imagineds
AIM.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 9:40 pm
by straightlight
Which OC version are you using? More information is needed.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 9:41 pm
by imagineds
Version 3.0.2.0

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 9:54 pm
by straightlight
Does Authorize.net AIM require a user to enter his user profile during checkout? The last time I checked their API, that wasn't required ...

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 9:57 pm
by imagineds
No, it does not. So I am pretty sure there aren't any other remote APIs that require a user to log in. It isn't that complicated a site.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 10:07 pm
by straightlight
Then, the issue is not with Authorize.net AIM but with something else on your site. Check your extensions.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 10:28 pm
by imagineds
I will private message you the extensions enabled.