Post by straightlight » Wed Sep 12, 2018 11:39 pm

How do I recognize whether it is really working or not?
Answered already above: by viewing the view-source code once the page has been refreshed with the help of the zlib output. As for Journal2, no word so far about its compatibility.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.

F. Rules:

- viewtopic.php?f=176&t=200480
- viewtopic.php?f=176&t=200804


Regards,
Straightlight


Legendary Member
Online

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by PSMDanny » Thu Nov 01, 2018 5:12 am

Hi and thank you for creating this wonderful extension and spending so much time here on helping users (that don't read).

Just wanted to note:
A couple of minutes ago I downloaded the extension and started testing on Opencart 3020 with vqmod 2.6.2. Admin test was correct... frontend test was not correct (= no csrf tokens...)

So I started debugging the xml file and found out that in the current downloadable version (csrf.xml) there was code missing for the catalog/controller/common/header.php

So I added the following code to the xml and everything seems to be working:
<file name="catalog/controller/common/header.php" error="skip">
<operation error="skip">
<search position="before"><![CDATA[$data['scripts']]]></search>
<add><![CDATA[
$this->load->helper('csrf_helper');

csrf_start();
]]></add>
</operation>
</file>

Thanks again and good luck!

Best Regards,
Danny

Newbie

Posts

Joined
Fri Apr 04, 2014 3:38 am

Post by daeval » Wed Dec 12, 2018 4:18 am

Hello, I downloaded the module but I think that the secure_compare function is wrong.
It has to return a boolean if session token == __csrf post form value, but the function returns a random string, being always true; please check it.

Code: Select all

function secure_compare($a, $b) {
    global $csrf_protection_expires;

    if (strlen($a) !== strlen($b)) {
        return false;
    }

    $randLength = 64;

    if (function_exists("random_bytes")) {
        $result = bin2hex(random_bytes($randLength));
    } elseif (function_exists("openssl_random_pseudo_bytes")) {
        $result = bin2hex(openssl_random_pseudo_bytes($randLength));
    } else {
        $result = '';

        for ($i = 0; $i < strlen($a); $i++) {
            $result |= ord($a[$i]) ^ ord($b[$i]);
        }
    }

    return substr($result, 0, $csrf_protection_expires);
}

Newbie

Posts

Joined
Sat Sep 21, 2013 12:09 am

Post by straightlight » Wed Dec 12, 2018 7:05 pm

There is nothing wrong with the original function. Returning a random string is the goal to protect the HTML forms against CSRF attacks.


Post by Dave_MMP » Wed Mar 20, 2019 6:39 pm

My OpenCart Version: 2.3.0.2

I've been unable to get this module working correctly. The hidden input field is correctly added to the form; however, when simulating a CSRF attack, the request still goes through.

Code: Select all

$this->load->helper('csrf_helper');
csrf_start();

Has been added to "catalog/controller/common/home.php"

If I submit the password change form, entering a valid password, password gets changed (as expected)

If I submit the password change form, without entering any details, I get blocked, with the message "CSRF check failed." - This should not happen, it should simply prompt the user to enter correct details.

If I edit the source of the page, removing the __csrf input, then submit the form with a valid password, the form submits ok and the password is changed. This should not happen!

If I simulate a CSRF attack using this html, the password gets changed to CSRF - This should be blocked!

Code: Select all

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://domain.com/change-password" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="password" value="CSRF" />
      <input type="hidden" name="confirm" value="CSRF" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

If I edit the csrf_check function in the helper and add:

Code: Select all

var_dump($_SERVER['REQUEST_METHOD']);die();

Just after the global declaration "global $csrf_protection_expires;", then when I submit the form I see this:

string(3) "GET"

This to me says that the csrf_check function is not running on the POST request, but on the redirect after the password has been changed?

Newbie

Posts

Joined
Wed Mar 20, 2019 6:16 pm
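
An added example (not the extension's code and not written by any poster) of the behaviour the posts by daeval and Dave_MMP expect: a token comparison that returns a strict boolean, and a check that blocks a POST when the `__csrf` field is absent. The function names and the `csrf_token` session key are hypothetical; only the `__csrf` field name comes from the thread.

```php
<?php
// Added example. Function names and the 'csrf_token' session key are
// hypothetical; only the "__csrf" field name is taken from the thread.

function csrf_issue_token(array &$session): string
{
    // 32 random bytes -> 64 hex characters, kept server-side in the session.
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

function csrf_request_allowed(string $method, array $post, array $session): bool
{
    // Safe methods should not change state and are not token-checked.
    if (in_array($method, ['GET', 'HEAD', 'OPTIONS'], true)) {
        return true;
    }

    $expected = $session['csrf_token'] ?? null;
    $supplied = $post['__csrf'] ?? null;

    // Fail closed: a missing field, a missing session token or a non-string
    // value (e.g. __csrf[]=...) is a rejection, never a reason to skip the check.
    if (!is_string($expected) || $expected === '' || !is_string($supplied)) {
        return false;
    }

    // hash_equals() compares in constant time and returns true or false only.
    return hash_equals($expected, $supplied);
}

// Constructed sample requests covering the cases described in the thread.
$session = [];
$token   = csrf_issue_token($session);
$cases   = [
    'valid token'        => ['POST', ['password' => 'x', '__csrf' => $token]],
    'field removed'      => ['POST', ['password' => 'x']],
    'wrong token'        => ['POST', ['password' => 'x', '__csrf' => str_repeat('0', 64)]],
    'array instead'      => ['POST', ['__csrf' => [$token]]],
    'GET after redirect' => ['GET', []],
];

foreach ($cases as $label => [$method, $post]) {
    $verdict = csrf_request_allowed($method, $post, $session) ? 'allowed' : 'blocked';
    printf("%-20s %s\n", $label, $verdict);
}
```

The check has to run in the controller that handles the state-changing POST itself; a check that only executes on the GET that follows a redirect never sees the submitted form.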