
[RELEASED] CSRF Protection Form

Posted: Sat Jan 28, 2012 1:22 am
by straightlight
This form protection library will allow customers and administrators to post data from web forms with a forced, CSRF-generated token. If this token cannot be generated, a CSRF failed message will appear and the session will automatically be exited for protection purposes. This add-on will also protect the admin's GET and POST data, whether the token comes from the URL or from forms. From now on, both use the same generated token in order to fully protect OpenCart.

http://www.opencart.com/index.php?route ... order=DESC

This topic will also be useful for support when required. Whatever you do when you ask for support, do NOT post the generated token ID with it, for your own safety and that of your customers.

// How to test?
Once installed for the first time, clear all cache and cookies from your browser. Close your browser, re-open it and go to the admin section. Then view the page source in your browser and search for: <form . Below that line, you should see a new hidden input line. If you try to remove it from the XML and retry the page once the login form is posted, you should see an error message that the CSRF protection has failed, which means the token was not recognized. In other words, DON'T remove it, for your own safety and that of your customers. You may try the same step on the front-end. From the header, you should already notice the same result.

Note: If you use a custom template or an admin contribution that requires a form, just make sure to check for each:

Code:

<form

and add on the next line:

Code:

<?php echo $this->csrf->csrf_form_input(); ?>

This will set protection on your web forms. As for the rest of the web forms within the core, all of them have now been protected.

Following is information about what CSRF attackers may collect from websites or via an API: https://www.owasp.org/index.php/Cross-S ... heat_Sheet

Re: [RELEASED] CSRF Protection Form

Posted: Thu Feb 02, 2012 12:33 am
by straightlight
[Feb 1st, 2012]
- BugFix: Module contributors were ending up with the module setting key with a duplicated key of the CSRF name and value in the setting table. The duplication has now been removed.

Re: [RELEASED] CSRF Protection Form

Posted: Wed Feb 08, 2012 10:16 pm
by straightlight
It appears there were some missing instructions from the ZIP files. I have now updated the file. The contribution should fully work now. Make sure to read the readme.txt file.

Re: [RELEASED] CSRF Protection Form

Posted: Sat Mar 24, 2012 7:45 pm
by annelim
How does it actually work? Any demo? Does it support 1.5.2.1?

Re: [RELEASED] CSRF Protection Form

Posted: Sat Mar 24, 2012 8:03 pm
by straightlight
Simply read the README file's instructions. A demo would only be good for showing the view source with the token, which in this case would be rather useless to demonstrate: once you understand those easy instructions, you won't need to see a demo, since the result is protecting users with one line added to each HTML form (almost all of which have already been provided from the XML). And yes, it works on the v1.5.2.1 release. ;)

Re: [RELEASED] CSRF Protection Form

Posted: Sat Apr 14, 2012 5:30 pm
by annelim
Error generated from vqmod:
Could not resolve path for [admin/view/template/localisation/manufacturer_class_form.tpl]
Could not resolve path for [admin/view/template/localisation/manufacturer_class_list.tpl]
Could not resolve path for [admin/view/template/tool/sqlpatch.tpl] <--------- this didn't exist in the directory
Could not resolve path for [catalog/view/theme/default/template/edit/affiliate.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/forgotten.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/login.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/password.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/payment.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/register.tpl]
Could not resolve path for [catalog/view/theme/default/template/checkout/voucher.tpl]
Could not resolve path for [catalog/view/theme/default/template/payment/asiapay.tpl]
Could not resolve path for [catalog/view/theme/default/template/payment/authorizenet_sim_index.tpl]
SEARCH NOT FOUND (ABORTING MOD): $this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "', serialized = '0'");

Second, when clicking on any link in admin, error:
Fatal error: Call to a member function csrf_form_input() on a non-object in /home/vqmod/vqcache/vq2-admin_view_template_setting_store_list.tpl on line 22

Any solution? Version 1.5.2.1

Re: [RELEASED] CSRF Protection Form

Posted: Sat Apr 14, 2012 8:18 pm
by straightlight
From the XML, replace this block:

Code:

<operation>
    <search position="after"><![CDATA[$this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "', serialized = '0'");]]></search>
    <add><![CDATA[
    }
    ]]>
    </add>
</operation>

with:

Code:

<operation>
    <search position="after"><![CDATA[$this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "'");]]></search>
    <add><![CDATA[
    }
    ]]>
    </add>
</operation>

Note: This is NOT a bug.

As for the TPL error: of course, since that line couldn't be tracked, there was no way for the CSRF object to be found from that point. The correction above should take care of the problem.

Re: [RELEASED] CSRF Protection Form

Posted: Wed Jul 11, 2012 5:40 pm
by problemchild
First of all, thank you for addressing the CSRF issue. I have gotten almost everything to work now on the pages I am working on; the only "little" snag is the JavaScript POST calls (when adding to cart/wishlist/comparison).

If I understood the previous posts correctly, these JavaScript POSTs would also need some kind of CSRF code addition to function properly? (Like the <?php echo $this->csrf->csrf_form_input(); ?> addition after <form.)

The parts I think need the addition are located in product.tpl near lines 339&340 and 415&416 in the default theme, and perhaps (may vary with other code additions) in a custom theme (in my case Carbon) near lines 328&329 and 404&405. Line numbers taken from Notepad++. Code parts in question:

Code:

url: 'index.php?route=checkout/cart/add',
type: 'post',

and

Code:

url: 'index.php?route=product/product/write&product_id=<?php echo $product_id; ?>',
type: 'post',

I ask this because maybe I have missed something or am doing something wrong. I am using Windows 7 and the latest Firefox (also tested with the latest IE). Oh, and my OpenCart version is 1.5.2.1. This is my first ever post to OpenCart, by the way, so if you need more information regarding the issue, please let me know.

PS: I still had some forms (in checkout/cart.tpl) without the <?php echo $this->csrf->csrf_form_input(); ?> code, but now I really need help. Well, back to wondering what I have missed.

Re: [RELEASED] CSRF Protection Form

Posted: Sun Jul 15, 2012 4:49 am
by straightlight
It might be possible that some locations are missing. When I created the XML file, I did try to add the:

Code:

<?php echo $this->csrf->csrf_form_input(); ?>

in as many places as possible, though.
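The first post describes the mechanism (one session token, emitted as a hidden input after each <form, also checked on admin GET URLs, session ended on mismatch) and problemchild asks how the jQuery POSTs fit in. The class below is an added illustration of that design, not the add-on's own code; it assumes PHP 7 or later, an active session passed in by reference, and a field name of csrf_token.

```php
<?php
// Added example, not the add-on's own code: a minimal session-bound CSRF library in the
// shape this thread describes ($this->csrf->csrf_form_input()). Assumes PHP >= 7 and an
// active session whose array is passed in by reference (the field name is assumed).
class Csrf {
    const NAME = 'csrf_token';
    private $session;
    public function __construct(array &$session) {
        $this->session = &$session;
    }

    // Generate one token per session; forms, admin links and AJAX calls all reuse it.
    public function token() {
        if (empty($this->session[self::NAME])) {
            $this->session[self::NAME] = bin2hex(random_bytes(32));
        }
        return $this->session[self::NAME];
    }

    // Hidden input to place on the line after each <form, as the README instructs.
    public function csrf_form_input() {
        return '<input type="hidden" name="' . self::NAME . '" value="'
            . htmlspecialchars($this->token(), ENT_QUOTES, 'UTF-8') . '" />';
    }

    // Same token appended to admin URLs so GET requests are checked as well
    // (a token in a URL can leak via Referer headers and logs, so prefer POST).
    public function csrf_url_param() {
        return '&' . self::NAME . '=' . rawurlencode($this->token());
    }

    // For the jQuery POSTs (cart/wishlist/review): expose the token to page scripts.
    public function csrf_js_var() {
        return '<script>var csrfToken = ' . json_encode($this->token()) . ';</script>';
    }

    // Verify the submitted token (POST body or query string) in constant time.
    public function validate(array $request) {
        $sent = (isset($request[self::NAME]) && is_string($request[self::NAME]))
            ? $request[self::NAME] : '';
        return $sent !== '' && isset($this->session[self::NAME])
            && hash_equals($this->session[self::NAME], $sent);
    }

    // On failure the add-on ends the session; do the same and report the mismatch.
    public function fail() {
        $this->session = array();
        if (session_status() === PHP_SESSION_ACTIVE) { session_destroy(); }
        exit('CSRF protection failed: token not recognized.');
    }
}
```

In a controller, guard every state-changing request with `if (!$csrf->validate($_POST + $_GET)) { $csrf->fail(); }`. For the jQuery calls quoted above, emit csrf_js_var() once in the template and send `data: 'csrf_token=' + csrfToken` alongside `type: 'post'`.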

Re: [RELEASED] CSRF Protection Form

Posted: Thu Nov 08, 2012 10:40 pm
by Alexisander
Hello,

As I said in the marketplace:

I use OC 1.5.3.1 and I get this when trying to log in to admin:

Fatal error: Call to a member function csrf_form_input() on a non-object in /home/netvoltr/public_html/vqmod/vqcache/vq2-admin_view_template_common_login.tpl on line 16

Why? :) THX!!!

I have tried what you wrote a little bit further up but with no success. I only use vQmod for the captcha code when logging in as admin. Nothing else modified from core.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Nov 08, 2012 10:43 pm
by straightlight
Nothing else modified from core.
Modifying files from core can affect the line target where the XML needs to add content into the vqcache files which I believe may be the reason why you're currently seeing this error message.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Nov 08, 2012 10:45 pm
by Alexisander
Also tried on a fresh install and same error...

Re: [RELEASED] CSRF Protection Form

Posted: Thu Nov 08, 2012 10:47 pm
by straightlight
I definitely can't reproduce this problem on a fresh install. Send me a PM for assistance.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Nov 08, 2012 10:56 pm
by straightlight
In the meantime, see if this helps. In the system/library/csrf.php file,

replace:

Code:

final class

with:

Code:

class

Will this help on your fresh install?

Re: [RELEASED] CSRF Protection Form

Posted: Thu Nov 08, 2012 10:57 pm
by Alexisander
I have installed OC 1.5.3.1 and vQmod, I have uploaded your files and I get this error. That's all I have done; I have tried it on 2 fresh installs.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Nov 08, 2012 10:58 pm
by straightlight
Apply the step above and see if it works.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Nov 08, 2012 11:03 pm
by Alexisander
Same error...

Re: [RELEASED] CSRF Protection Form

Posted: Thu Nov 08, 2012 11:04 pm
by straightlight
Can't reproduce either. Send me a PM for assistance.

Re: [RELEASED] CSRF Protection Form

Posted: Fri Jul 11, 2014 4:21 pm
by limurchick
Seems that the author forgot to add the csrf.php file to the archive. :( Any link???

Re: [RELEASED] CSRF Protection Form

Posted: Mon Jul 14, 2014 11:12 pm
by straightlight
The package will be updated soon.