Post by straightlight » Sat Jan 28, 2012 1:22 am

This form protection library will allow customers and administrators to post data from web forms with a forced CSRF-generated token. If this token cannot be generated, a CSRF failed message will appear and the session will automatically be exited for protection purposes. This add-on will also protect GET and POST data from the admin, whether the token comes from the URL or from forms. From now on, both use the same generated token in order to fully protect OpenCart.

http://www.opencart.com/index.php?route ... order=DESC

This topic will also be useful for support when required. Whatever you do when you ask for support, do NOT post the generated token ID with it, for your own safety and your customers'.

Following is information about what CSRF attackers may collect from websites or via an API: https://www.owasp.org/index.php/Cross-S ... heat_Sheet

[Update: 2021-01-22]: viewtopic.php?f=23&t=51859&start=280#p811611.
Last edited by straightlight on Fri Jan 22, 2021 9:28 pm, edited 4 times in total.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by straightlight » Thu Feb 02, 2012 12:33 am

[Feb 1st, 2012]
- BugFix: Module contributors were ending up with the module setting key with a duplicated key of the CSRF name and value in the setting table. The duplication has now been removed.


Post by straightlight » Wed Feb 08, 2012 10:16 pm

It appears there were some missing instructions from the ZIP files. I have now updated the file. The contribution should fully work now. Make sure to read the readme.txt file.


Post by annelim » Sat Mar 24, 2012 7:45 pm

How does it work actually? Any demo? Does it support 1.5.2.1?

Active Member

Posts

Joined
Fri Oct 28, 2011 5:13 pm

Post by straightlight » Sat Mar 24, 2012 8:03 pm

Simply read the README file's instructions. A demo would only be good for showing the view source with the token in this case, which would be kind of useless to demonstrate since, once you understand those easy instructions, you won't need to see that demo: the result is about protecting users with one line added to each HTML form (almost all of which have already been provided from the XML). And yes, it works on the v1.5.2.1 release. ;)


Post by annelim » Sat Apr 14, 2012 5:30 pm

Error generated from vqmod:
Could not resolve path for [admin/view/template/localisation/manufacturer_class_form.tpl]
Could not resolve path for [admin/view/template/localisation/manufacturer_class_list.tpl]
Could not resolve path for [admin/view/template/tool/sqlpatch.tpl] <--------- this doesn't exist in the directory
Could not resolve path for [catalog/view/theme/default/template/edit/affiliate.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/forgotten.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/login.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/password.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/payment.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/register.tpl]
Could not resolve path for [catalog/view/theme/default/template/checkout/voucher.tpl]
Could not resolve path for [catalog/view/theme/default/template/payment/asiapay.tpl]
Could not resolve path for [catalog/view/theme/default/template/payment/authorizenet_sim_index.tpl]
SEARCH NOT FOUND (ABORTING MOD): $this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "', serialized = '0'");

Second, when clicking on any link in admin, error:
Fatal error: Call to a member function csrf_form_input() on a non-object in /home/vqmod/vqcache/vq2-admin_view_template_setting_store_list.tpl on line 22

Any solution? Version 1.5.2.1


Post by straightlight » Sat Apr 14, 2012 8:18 pm

From the XML, replace this block:

Code:

<operation>
	<search position="after"><![CDATA[$this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "', serialized = '0'");]]></search>
	<add><![CDATA[
	}
	]]></add>
</operation>

with:

Code:

<operation>
	<search position="after"><![CDATA[$this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "'");]]></search>
	<add><![CDATA[
	}
	]]></add>
</operation>
Note: This is NOT a bug.

As for the TPL error, of course, the line couldn't be tracked so no specific way for the CSRF object to be found from that point. The correction above should take care of the problem.

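The "SEARCH NOT FOUND (ABORTING MOD)" line in the report above is the root cause of the TPL fatal that follows it: once one search string fails, vQmod aborts the whole modification, so nothing ever registers the CSRF object the patched templates call and `$this->csrf` is a non-object. The following pre-flight checker is an added example, not part of the add-on or of vQmod. It parses a vQmod XML file and reports every `<search>` string that does not occur in its target file before anything is applied, which catches exactly the 1.5.2.1 mismatch discussed above (the INSERT without `serialized = '0'`). The XML and the file contents are constructed inline and looked up from an array rather than the disk so the script runs anywhere; the substring and `regex="true"` matching is an approximation of vQmod's own per-line search.

```php
<?php
// Added example (not the add-on's or vQmod's code): check that every <search>
// string in a vQmod XML file is present in its target file before applying it.
// A runtime "SEARCH NOT FOUND (ABORTING MOD)" means vQmod dropped the whole
// modification, so the object the templates expect ($this->csrf) never exists.

declare(strict_types=1);

/**
 * Check a vQmod XML document against a map of target file name => contents.
 * Returns a list of problems; an empty list means every search resolves.
 * Files come from $files instead of disk so the check can run anywhere.
 */
function vqmod_preflight(string $xml, array $files): array
{
    $problems = [];
    $doc = new SimpleXMLElement($xml);

    foreach ($doc->file as $file) {
        $name = (string)$file['name'];
        if (!array_key_exists($name, $files)) {
            $problems[] = "Could not resolve path for [$name]";
            continue;
        }
        $contents = $files[$name];

        foreach ($file->operation as $op) {
            // vQmod trims the search text and looks for it as a substring of a
            // line; the regex="true" attribute switches it to preg_match.
            $needle  = trim((string)$op->search);
            $isRegex = ((string)$op->search['regex']) === 'true';
            $found   = $isRegex
                ? preg_match($needle, $contents) === 1
                : strpos($contents, $needle) !== false;
            if (!$found) {
                $problems[] = "SEARCH NOT FOUND in [$name]: " . $needle;
            }
        }
    }
    return $problems;
}

// Constructed sample: the first search targets the INSERT with
// "serialized = '0'", while this store's setting model is the older variant
// without that column. The second (template) search resolves fine.
$xml = <<<'XML'
<modification>
  <file name="admin/model/setting/setting.php">
    <operation>
      <search position="after"><![CDATA[`value` = '" . $this->db->escape($value) . "', serialized = '0'");]]></search>
      <add><![CDATA[
      }
      ]]></add>
    </operation>
  </file>
  <file name="admin/view/template/common/login.tpl">
    <operation>
      <search position="after"><![CDATA[<form action="<?php echo $action; ?>" method="post" enctype="multipart/form-data" id="form">]]></search>
      <add><![CDATA[<?php echo $this->csrf->csrf_form_input(); ?>]]></add>
    </operation>
  </file>
</modification>
XML;

$files = [
    'admin/model/setting/setting.php' =>
        '$this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = \'" . (int)$store_id . "\', `group` = \'" . $this->db->escape($group) . "\', `key` = \'" . $this->db->escape($key) . "\', `value` = \'" . $this->db->escape($value) . "\'");',
    'admin/view/template/common/login.tpl' =>
        '<form action="<?php echo $action; ?>" method="post" enctype="multipart/form-data" id="form">',
];

$problems = vqmod_preflight($xml, $files);
if ($problems === []) {
    echo 'All search strings resolve; safe to apply.', PHP_EOL;
}
foreach ($problems as $p) {
    echo $p, PHP_EOL;
}
```

Run it against the real XML and a copy of the shop's files before uploading the mod; any line it prints is a search that needs the same kind of adjustment straightlight shows above, and a clean run means the template operations that insert `csrf_form_input()` will actually be applied.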

Post by problemchild » Wed Jul 11, 2012 5:40 pm

First of all, thank you for addressing the CSRF issue. I have gotten almost everything to work now on the pages I am working on; the only "little" snag is the JavaScript POST commands (when adding to cart/wishlist/comparison).

If I understood the previous posts correctly, these JavaScript POSTs would also need some kind of CSRF code addition to function properly? (like the <?php echo $this->csrf->csrf_form_input(); ?> code addition for <form)???

The parts I think need the addition are located in product.tpl near lines 339 & 340 and 415 & 416 in the default theme, and perhaps (may vary with other code additions) in a custom theme (in my case Carbon) near lines 328 & 329 and 404 & 405. Line numbers taken from Notepad++. Code parts in question:

Code:

url: 'index.php?route=checkout/cart/add',
type: 'post',

and

Code:

url: 'index.php?route=product/product/write&product_id=<?php echo $product_id; ?>',
type: 'post',

I ask this because maybe I have missed something or am doing something wrong. I am using Windows 7 and the latest Firefox (also tested with the latest IE). Oh, and my OpenCart version is 1.5.2.1. My first ever post to OpenCart btw, so if you need more information regarding the issue, please let me know.

PS: I still had some forms (in checkout/cart.tpl) without the <?php echo $this->csrf->csrf_form_input(); ?> code, but now I'm really in need of help. Well, back to wondering what I have missed.

Newbie

Posts

Joined
Wed Jul 11, 2012 5:29 pm

Post by straightlight » Sun Jul 15, 2012 4:49 am

It might be possible that missing locations may be involved. When I created the XML file, I did try to add the:

Code:

<?php echo $this->csrf->csrf_form_input(); ?>

in as many places as possible, though.

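For the opening post's description (one session token, used for admin GET links and for form POSTs alike, with the session ended on a failed check) and for problemchild's question about the jQuery POSTs, here is an added example of such a library in PHP. It is not the add-on's code; the class and method names (Csrf, csrf_form_input, csrf_url, validate) and the `csrf_token` parameter name only mirror how the thread uses them and are assumptions. The AJAX case is covered by also accepting the token from an X-CSRF-Token request header, so a `$.ajax({ type: 'post', ... })` call like the ones quoted above would either add `csrf_token` to its `data` object or set that header; the server-side check is identical either way. It assumes PHP 7 or later (random_bytes, hash_equals), and the walk-through at the bottom is constructed, with the session held in a plain array instead of $_SESSION.

```php
<?php
// Added example (not the add-on's own code): a minimal synchronizer-token
// library in the shape the thread describes. One token per session, emitted
// as a hidden input for forms and as a URL parameter for admin links, checked
// the same way for GET, POST and AJAX, and the session cleared on failure.
// Requires PHP 7+ for random_bytes() and hash_equals().

declare(strict_types=1);

class Csrf
{
    const PARAM  = 'csrf_token';        // assumed form/URL parameter name
    const HEADER = 'HTTP_X_CSRF_TOKEN'; // $_SERVER key for an X-CSRF-Token header

    /** @var array session storage, e.g. OpenCart's $this->session->data */
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
        if (empty($this->session[self::PARAM])) {
            // 128 bits from the CSPRNG; hex is safe inside attributes and URLs.
            $this->session[self::PARAM] = bin2hex(random_bytes(16));
        }
    }

    public function token(): string
    {
        return $this->session[self::PARAM];
    }

    /** The "one line per form": a hidden input carrying the session token. */
    public function csrf_form_input(): string
    {
        return '<input type="hidden" name="' . self::PARAM . '" value="'
            . htmlspecialchars($this->token(), ENT_QUOTES, 'UTF-8') . '" />';
    }

    /** Same token appended to a link, so state-changing admin GETs are covered. */
    public function csrf_url(string $url): string
    {
        $sep = strpos($url, '?') === false ? '?' : '&';
        return $url . $sep . self::PARAM . '=' . rawurlencode($this->token());
    }

    /**
     * Accept the token from the POST body, the query string, or the header an
     * AJAX call can set (the checkout/cart/add case). Returns true on success;
     * on failure the session is emptied, which is the "CSRF failed, exit the
     * session" behaviour the thread describes.
     */
    public function validate(array $post, array $get, array $server): bool
    {
        $supplied = $post[self::PARAM] ?? $get[self::PARAM] ?? $server[self::HEADER] ?? '';
        if (!is_string($supplied) || $supplied === '') {
            return $this->fail();
        }
        // Constant-time comparison: a byte-wise early exit would leak the token.
        if (!hash_equals($this->token(), $supplied)) {
            return $this->fail();
        }
        return true;
    }

    private function fail(): bool
    {
        $this->session = []; // drop everything, token included, forcing re-login
        return false;
    }
}

// Constructed walk-through: one session, one token, three requests.
$session = [];
$csrf = new Csrf($session);

// 1. A genuine form post carrying the hidden input's value.
$ok = $csrf->validate([Csrf::PARAM => $csrf->token()], [], []);
echo 'form post with token:  ', $ok ? 'accepted' : 'rejected', PHP_EOL;

// 2. A jQuery post to checkout/cart/add that sends the token as a header.
$ok = $csrf->validate(['product_id' => 42], [], [Csrf::HEADER => $csrf->token()]);
echo 'ajax post with header: ', $ok ? 'accepted' : 'rejected', PHP_EOL;

// 3. A cross-site forged request: right session cookie, no token.
//    Rejected, and the session is emptied so the next visit gets a new token.
$ok = $csrf->validate(['product_id' => 42], [], []);
echo 'forged post, no token: ', $ok ? 'accepted' : 'rejected', PHP_EOL;
echo 'session after failure: ', count($session) === 0 ? 'cleared' : 'kept', PHP_EOL;
```

One caveat that follows from the URL variant: a token carried in a GET link ends up in server access logs and in Referer headers sent to third parties, which is one reason the first post asks people never to paste the generated token into a support request. Keeping the token out of URLs for customer-facing pages and using the hidden input or header instead limits that exposure.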

Post by Alexisander » Thu Nov 08, 2012 10:40 pm

Hello,

As I said in the market:

I use OC 1.5.3.1 and I get this when trying to log in to admin:

Fatal error: Call to a member function csrf_form_input() on a non-object in /home/netvoltr/public_html/vqmod/vqcache/vq2-admin_view_template_common_login.tpl on line 16

Why? :) THX!!!

I have tried what you wrote a little bit up but no success; I only use VQmod for the captcha code when logging in as admin. Nothing else modified from core.

Active Member

Posts

Joined
Mon Jul 18, 2011 10:11 pm

Post by straightlight » Thu Nov 08, 2012 10:43 pm

Nothing else modified from core.
Modifying files from core can affect the line target where the XML needs to add content into the vqcache files which I believe may be the reason why you're currently seeing this error message.


Post by Alexisander » Thu Nov 08, 2012 10:45 pm

Also tried on a fresh install, and same error...


Post by straightlight » Thu Nov 08, 2012 10:47 pm

I definitely can't reproduce this problem on a fresh install. Send me a PM for assistance.


Post by straightlight » Thu Nov 08, 2012 10:56 pm

In the meantime, see if this helps. In the system/library/csrf.php file,

replace:

Code:

final class

with:

Code:

class

Will this help on your fresh install?


Post by Alexisander » Thu Nov 08, 2012 10:57 pm

I have installed OC 1.5.3.1 and vqmod, I have uploaded your files and I get this error. That's all I have done; I have tried it on 2 fresh installs.


Post by straightlight » Thu Nov 08, 2012 10:58 pm

Apply the step above and see if it works.


Post by Alexisander » Thu Nov 08, 2012 11:03 pm

Same error...


Post by straightlight » Thu Nov 08, 2012 11:04 pm

Can't reproduce either. Send me a PM for assistance.


Post by limurchick » Fri Jul 11, 2014 4:21 pm

Seems that the author forgot to add the csrf.php file to the archive. :( Any link???

Newbie

Posts

Joined
Fri Jul 11, 2014 4:21 pm

Post by straightlight » Mon Jul 14, 2014 11:12 pm

The package will be updated soon.
