Post by MasterCATZ » Mon Sep 16, 2019 4:55 am

Security issue If OpenCart looses access to database , how can I secure this up?
5 days ago I was hit with a sql ransomware


Warning: mysqli::__construct(): (HY000/2002): Connection refused in /var/www/html/system/library/db/mysqli.php on line 7Warning: DB\MySQLi::__construct(): Couldn't fetch mysqli in /var/www/html/system/library/db/mysqli.php on line 10Warning: DB\MySQLi::__construct(): Couldn't fetch mysqli in /var/www/html/system/library/db/mysqli.php on line 10
Fatal error: Uncaught Exception: Error: <br />Error No: in /var/www/html/system/library/db/mysqli.php:10 Stack trace: #0 /var/www/html/system/library/db.php(31): DB\MySQLi->__construct('sql.locationhere', 'opencart', 'PlainTextPasswordhere', 'opencartdbnamehere', '3306') #1 /var/www/html/system/framework.php(80): DB->__construct('mysqli', 'sql.locationhere, 'opencart', 'PlainTextPasswordhere', 'opencartdbnamehere', '3306') #2 /var/www/html/system/startup.php(104): require_once('/var/www/html/s...') #3 /var/www/html/index.php(19): start('catalog') #4 {main} thrown in /var/www/html/system/library/db/mysqli.php on line 10

Newbie

Posts

Joined
Mon May 13, 2019 4:58 pm

Post by thekrotek » Mon Sep 16, 2019 7:18 am

Probably you have wrong credentials or any other basic data, which is required to connect.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com


User avatar
Expert Member

Posts

Joined
Sun Jul 03, 2016 12:24 am


Post by letxobnav » Mon Sep 16, 2019 9:55 am

Then stop displaying errors/warnings and notices on production sites.

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.


User avatar
Expert Member

Posts

Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan

Post by letxobnav » Mon Sep 16, 2019 12:34 pm

In order to show the maintenance page when we cannot get a database connection and not some strange error message not intended for customers or a mere blank page, we simply store the html of the maintenance page in an include folder and show it as static html when there is no DB connection in startup.php

I.e. in the age of fake-news we introduce fake-maintenance (Trump will probably claim he invented that phrase)

Code: Select all

	if (!$this->db->connected()) {
		error_log('Error (01): Database not connected, maintenance page shown.');
		ob_start();
		include(DIR_INCLUDES.'maintenance-en.html');
		$maintenance_page = ob_get_clean();
		echo $maintenance_page;
		exit();
	}


I mean, we like to know when we have a problem but we do not necessarily like the customers to know.

and once again, never ever echo any error/warning/notice messages in production.
It is not only a potential security risk, it also looks bad for your customers and your search engine indexed page listings.

Crystal Light Centrum Taiwan
Extensions: MailQueue | SUKHR | VBoces

“Data security is paramount at [...], and we are committed to protecting the privacy of anyone who is associated with our [...]. We’ve made a lot of improvements and will continue to make them.”
When you know your life savings are gone.


User avatar
Expert Member

Posts

Joined
Fri Aug 18, 2017 4:35 pm
Location - Taiwan

Post by paulfeakins » Mon Sep 16, 2019 6:09 pm

MasterCATZ wrote:
Mon Sep 16, 2019 4:55 am
Security issue If OpenCart looses access to database , how can I secure this up?
5 days ago I was hit with a sql ransomware
1. It looks like passwords are hardcoded rather than set in config.php? Why?
2. Turn off errors in production.
3. Contact these guys.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk


User avatar
Legendary Member
Online

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - London Gatwick, United Kingdom

Post by OpenCode » Thu Mar 26, 2020 2:51 am

@ letxobnav where do I place this?
there is two startup.php one on system/startup.php
and the other one on catalog/controller/startup/startup.php
letxobnav wrote:
Mon Sep 16, 2019 12:34 pm
In order to show the maintenance page when we cannot get a database connection and not some strange error message not intended for customers or a mere blank page, we simply store the html of the maintenance page in an include folder and show it as static html when there is no DB connection in startup.php

I.e. in the age of fake-news we introduce fake-maintenance (Trump will probably claim he invented that phrase)

Code: Select all

	if (!$this->db->connected()) {
		error_log('Error (01): Database not connected, maintenance page shown.');
		ob_start();
		include(DIR_INCLUDES.'maintenance-en.html');
		$maintenance_page = ob_get_clean();
		echo $maintenance_page;
		exit();
	}


I mean, we like to know when we have a problem but we do not necessarily like the customers to know.

and once again, never ever echo any error/warning/notice messages in production.
It is not only a potential security risk, it also looks bad for your customers and your search engine indexed page listings.
Thanks for your response in advance!

New member

Posts

Joined
Fri Jun 07, 2013 9:31 am

Post by hacjsu » Sat Oct 10, 2020 4:32 am

i solved the problem, i have change somes files to error show false and the startup.php

// Error Reporting
ini_set('display_errors',1);
ini_set('display_startup_erros',1);
error_reporting(E_ALL);

to

// Error Reporting
ini_set('display_errors',off);
ini_set('display_startup_erros',off);
error_reporting(false);

it worked for me

New member

Posts

Joined
Sat Oct 07, 2017 9:16 am
Who is online

Users browsing this forum: gunownergear and 49 guests