Hi all
I just got a quite scary message from my new customer who wanted to register at my on-line shop. The customer said that when he was registering his account at my on-line shop he could see two addresses (billing and delivery address) of my client from Switzerland. He could choose any of those addresses or add a new one! He told me exactly what the addresses were and they were correct!
How is it possible?! I tried to simulate opening a new account and I didn't see anything like that. I don't know what to do now. It seems like a serious security issue. Have you experienced anything like that? Is OpenCart reliable at all? I don't know what to think.
Dariusz
Last edited by brytanix on Sun Feb 13, 2011 10:30 pm, edited 1 time in total.
If you are hosted on a shared server this could be the issue and not related to OpenCart.
Ask your hoster how the temp or tmp and cache folders on that server are set up.
Is there another OpenCart store running on that same server as well?
Always mention the version of your OpenCart!
Norman in 't Veldt
Moderator OpenCart Forums
_________________ READ and Search BEFORE POSTING _________________
Our FREE search: Find your answer FAST!.
[How to] BTW + Verzend + betaal setup.
Hi
i2Paq wrote:
If you are hosted on a shared server this could be the issue and not related to OpenCart.
Ask your hoster how the temp or tmp and cache folders on that server are set up.
Is there another OpenCart store running on that same server as well?
Always mention the version of your OpenCart!

Thank you very much for your reply. Yes, there are another two OpenCart shops running on the same server. I feel a sort of relief thinking that it might be a problem not related to OpenCart. I am going to contact the administrator of the server. I'll let you know the outcome. I run the latest version of OpenCart.
Hi!
I contacted my administrator and here is what he answered:
No - it's not possible for any account to access session files created by any other account, unless the permissions are incorrect, which they aren't.
OpenCart has a silly standard php.ini file which creates an effectively unlimited session length, but it would still be a software error causing what your client saw.
I've given your account its own session directory which will make any future troubleshooting easier.

Well, I feel confused really. Whatever the cause of the problem is, it's a serious security issue and should be investigated further.
Are the 2 separate stores on the same domain? Have you not even used a sub domain?
If so they should not be, because sessions are meant to be used over the domain and will interfere with each other.
One installation of OpenCart on one domain name, or use sub domains.
OpenCart®
Project Owner & Developer.
Daniel wrote:
Are the 2 separate stores on the same domain?
If so they should not be, because sessions are meant to be used over the domain and will interfere with each other.
One installation of OpenCart on one domain name.

Yes, there are 3 separate stores on the same domain. On two of the stores the products are the same, but they are shipped from two different wholesalers depending on the country the products are being shipped to. The third shop offers a service related to the products in the first two shops.
Do you remember? I wanted to set up a multi-store using sub-domains. I got stuck during the configuration of the multi-store. I was trying to find any documentation on how to set up a multi-store but there wasn't much about that. I asked for help on the Forum but it seemed that nobody knew how to use multi-store and I didn't get any answer. Then, I wrote two e-mails to you but you never replied to them.
Do you think that installing those shops on subdomains would help, or should they be on separate domains?
He's able to see other people's addresses because he's logged in on one of the shops with customer id = x and then just goes to shop 2 without even needing to re-log in, because the system thinks that session is already logged in.
I have already told you to use sub domains. Using different folders is a bad idea because cookies are set over a domain name, like any other script out there.
shop1.domain.com
shop2.domain.com
Or just buy more domain names, which is the better idea.
I'm pretty sure it's been mentioned many times: you can not use folders to run multiple shops and you must use sub domains.
OpenCart®
Project Owner & Developer.
I use the latest version of OpenCart.
The other reason why I have been using folders is that when you use subdomains, you have to purchase a separate SSL certificate for every single subdomain. When you use folders, one SSL certificate is sufficient for all shops installed in folders. I'll have to change to subdomains though.
Daniel wrote:
He's able to see other people's addresses because he's logged in on one of the shops with customer id = x and then just goes to shop 2 without even needing to re-log in, because the system thinks that session is already logged in.

Yes, but even in this case, as far as I know, customers are not store specific, so there would not be a way to duplicate a customer_id, so even if he does remain logged in he should never see someone else's information. He would simply still be logged in and have his own customer information available. I can't understand at all how you would come by another customer's information. The only way I can see that is if both people are actually using the same computer. Even then, if the browser has been closed it should destroy the session.
OpenCart commercial mods and development http://spotonsolutions.net
Xsecrets wrote:
Daniel wrote:
He's able to see other people's addresses because he's logged in on one of the shops with customer id = x and then just goes to shop 2 without even needing to re-log in, because the system thinks that session is already logged in.
Yes, but even in this case, as far as I know, customers are not store specific, so there would not be a way to duplicate a customer_id, so even if he does remain logged in he should never see someone else's information. He would simply still be logged in and have his own customer information available. I can't understand at all how you would come by another customer's information. The only way I can see that is if both people are actually using the same computer. Even then, if the browser has been closed it should destroy the session.

The customer who reported the problem lives in the UK, the person whose personal details were seen lives in Switzerland, so they don't use the same computer. :-)
The funny thing is that the customer from Switzerland made his order 1 month ago and hasn't visited my shop since then.
brytanix wrote:
No - it's not possible for any account to access session files created by any other account, unless the permissions are incorrect, which they aren't.
OpenCart has a silly standard php.ini file which creates an effectively unlimited session length, but it would still be a software error causing what your client saw.
I've given your account its own session directory which will make any future troubleshooting easier.

Can you set your own sessions directory for OpenCart or do you have to use the default?
/home/useraccount/ocsessions/
/home/useraccount/public_html/
Thanks
Daniel wrote:
In fact I don't know what version you are using because this was fixed ages ago:
session_set_cookie_params(0, str_replace('\\', '/', rtrim(dirname($_SERVER['PHP_SELF']))));

This didn't work and was changed back to just:
session_set_cookie_params(0, '/');
There was no good reason for it to not work... the code looked perfect, but no cookies were ever being set.
Daniel wrote:
I'm pretty sure you have modified the code to try to link accounts across multiple stores and something's gone wrong.

I don't know. Maybe. I used the documentation provided at the OpenCart website. I didn't do anything more, as I have no clue about those things and I was very careful as I didn't want to mess up my installation.
As I didn't get any help from anybody with setting up the multistore, I uninstalled it. What I noticed is that despite the fact I uninstalled the multistore there are some files left in my main directory. As I wasn't sure what belonged to my installations and what was just rubbish left after uninstalling the multistore, I left everything as it was. Maybe those files which are left there cause the security issues. You will probably know.
However, I took this security incident and what you said seriously, and I have reinstated my two shops in different subdomains.
If you could tell me what files remain after the multistore installation, I could remove them and we could see what happens then.
Last edited by brytanix on Tue Feb 22, 2011 11:10 pm, edited 1 time in total.
In the config.php add these lines:
define('COOKIE_DOMAIN', 'www.shops.nl');
define('COOKIE_PATH', '/firstshop');
define('COOKIE_UNIQUE_NAME', 'first_shop_name');
For the admin config add something to the COOKIE_UNIQUE_NAME.
In session.php change to this:
session_name(COOKIE_UNIQUE_NAME);
session_set_cookie_params(1*24*60*60, COOKIE_PATH, COOKIE_DOMAIN);
The 1*24*60*60 means 24 hours (in seconds) lifetime for the cookie; change it to your needs.
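As an added illustration (not code from the thread or from OpenCart), the Python simulation below shows the mechanism Daniel describes and the effect of zrxraver's fix: a browser applies RFC 6265 path matching when choosing which cookies to send, so two shops installed in folders of www.shops.nl that both use the default PHPSESSID cookie with Path=/ and read the same PHP session save_path see one and the same session, while a unique session name and Path per shop, or separate host names as Daniel recommends, keep them apart. The host names, folders, session ids and the customer id 7 are constructed values.

```python
# Constructed simulation (not OpenCart code) of the cookie scoping described in the
# thread: shops in folders of one host share one session cookie and PHP save_path.
def path_matches(request_path, cookie_path):
    """RFC 6265 section 5.1.4 path-match, as a browser applies it."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"

class Browser:
    def __init__(self):
        self.jar = {}                       # (name, domain, path) -> value
    def store(self, name, value, domain, path):
        self.jar[(name, domain, path)] = value
    def cookies_for(self, host, path):      # cookies the browser attaches to a request
        return {n: v for (n, d, p), v in self.jar.items()
                if d == host and path_matches(path, p)}

class Shop:
    """session_name/cookie_path mirror the thread's session_name()/session_set_cookie_params(); `sessions` is the PHP save_path."""
    def __init__(self, host, folder, sessions, session_name="PHPSESSID", cookie_path="/"):
        self.host, self.folder, self.sessions = host, folder, sessions
        self.session_name, self.cookie_path = session_name, cookie_path
    def request(self, browser, login_as=None):
        sid = browser.cookies_for(self.host, self.folder + "/").get(self.session_name)
        if sid is None or sid not in self.sessions:     # no usable cookie: new session
            sid = f"sid{len(self.sessions) + 1}"
            self.sessions[sid] = {}
            browser.store(self.session_name, sid, self.host, self.cookie_path)
        if login_as is not None:
            self.sessions[sid]["customer_id"] = login_as
        return self.sessions[sid].get("customer_id")    # who this shop thinks is logged in

def second_shop_sees(shop1, shop2):  # log customer 7 in at shop1, then open shop2
    browser = Browser()
    shop1.request(browser, login_as=7)
    return shop2.request(browser)
def folders_default():   # /shop1 and /shop2 on one host, both PHPSESSID with Path=/
    shared = {}
    return second_shop_sees(Shop("www.shops.nl", "/shop1", shared),
                            Shop("www.shops.nl", "/shop2", shared))
def folders_scoped():    # the thread's fix: a unique cookie name and Path per shop
    shared = {}
    return second_shop_sees(Shop("www.shops.nl", "/shop1", shared, "first_shop", "/shop1"),
                            Shop("www.shops.nl", "/shop2", shared, "second_shop", "/shop2"))
def subdomains():        # Daniel's recommendation: one host name per shop
    shared = {}
    return second_shop_sees(Shop("shop1.domain.com", "", shared),
                            Shop("shop2.domain.com", "", shared))
```

folders_default() returns 7 (shop 2 treats the visitor as shop 1's customer), while folders_scoped() and subdomains() return None.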
zrxraver wrote:
In the config.php add these lines:
define('COOKIE_DOMAIN', 'www.shops.nl');
define('COOKIE_PATH', '/firstshop');
define('COOKIE_UNIQUE_NAME', 'first_shop_name');
For the admin config add something to the COOKIE_UNIQUE_NAME.
In session.php change to this:
session_name(COOKIE_UNIQUE_NAME);
session_set_cookie_params(1*24*60*60, COOKIE_PATH, COOKIE_DOMAIN);
The 1*24*60*60 means 24 hours (in seconds) lifetime for the cookie; change it to your needs.

Would it not be smart to do this by default, so that when logging out of your store front you would not be logged out of your Admin?
Norman in 't Veldt
Moderator OpenCart Forums
i2Paq wrote:
zrxraver wrote:
In the config.php add these lines:
define('COOKIE_DOMAIN', 'www.shops.nl');
define('COOKIE_PATH', '/firstshop');
define('COOKIE_UNIQUE_NAME', 'first_shop_name');
For the admin config add something to the COOKIE_UNIQUE_NAME.
In session.php change to this:
session_name(COOKIE_UNIQUE_NAME);
session_set_cookie_params(1*24*60*60, COOKIE_PATH, COOKIE_DOMAIN);
The 1*24*60*60 means 24 hours (in seconds) lifetime for the cookie; change it to your needs.
Would it not be smart to do this by default, so that when logging out of your store front you would not be logged out of your Admin?

Logging out of the store front has no effect whatsoever on the admin.
One relies on customer_id and the other on user_id.
They won't get mixed up.
OpenCart®
Project Owner & Developer.