Post by idarand » Thu Mar 15, 2018 11:10 pm

I PM-ed you. Thanks

Newbie

Posts

Joined
Thu Mar 15, 2018 7:06 pm

Post by thommy86 » Tue Mar 20, 2018 4:20 am

Does this solution still work with OC 1.5.1.3? What version should I download and where to find the instructions?

Thanks!

Newbie

Posts

Joined
Sun Mar 11, 2012 6:45 am

Post by straightlight » Tue Mar 20, 2018 6:20 am

v1.5x releases are not delivered out of the box. The XML file must be edited accordingly.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by straightlight » Tue Mar 20, 2018 8:08 pm

For those using the social login extension: https://www.opencart.com/index.php?rout ... n_id=18171,

in catalog/controller/extension/d_social_login/callback.php file,

find:

Code:

if (isset($_REQUEST['hauth_start']) || isset($_REQUEST['hauth_done']))

replace with (the two isset() calls are grouped so the token check applies to both the hauth_start and the hauth_done phase):

Code:

if ((isset($_REQUEST['hauth_start']) || isset($_REQUEST['hauth_done'])) && !empty($_SESSION['__csrf']))

In catalog/controller/extension/d_social_login/callback_live.php file,

find:

Code:

public function index (){
		$_REQUEST['hauth_done'] = 'Live';

		require_once("system/library/hybrid/auth.php");
		require_once("system/library/hybrid/endpoint.php");
		Hybrid_Endpoint::process();
	}

replace with:

Code:

public function index () {
	if (!empty($_SESSION['__csrf'])) {
		$_REQUEST['hauth_done'] = 'Live';

		require_once("system/library/hybrid/auth.php");
		require_once("system/library/hybrid/endpoint.php");
		Hybrid_Endpoint::process();
	}
}

In catalog/controller/extension/module/d_social_login.php file,

find:

Code:

if (isset($this->request->get['provider'])) {

replace with:

Code:

if (isset($this->request->get['provider']) && !empty($this->session->data['__csrf'])) {

Then, find:

Code:

$this->log->write('Missing application provider.');

replace with:

Code:

$this->log->write('Missing application provider or missing CSRF token.');


Post by straightlight » Tue Mar 20, 2018 8:15 pm

For those using this extension: https://www.opencart.com/index.php?rout ... n_id=24825,

In catalog/controller/extension/module/oneall.php file,

find:

Code:

if (isset($this->request->post) && !empty($this->request->post['connection_token']))

replace with:

Code:

if (isset($this->request->post) && !empty($this->request->post['connection_token']) && !empty($this->session->data['__csrf']))


Post by straightlight » Tue Mar 20, 2018 8:23 pm

For those using this extension: https://www.opencart.com/index.php?rout ... n_id=21672, starting from v2.x releases,

In catalog/controller/account/socl_login.php file,

find:

Code:

if (isset($soclall_id) && !empty($soclall_id) && isset($this->request->get['network'])) {

replace with:

Code:

if (isset($soclall_id) && !empty($soclall_id) && isset($this->request->get['network']) && !empty($this->session->data['__csrf'])) {

Then, find:

Code:

if ($login_info && ($login_info['total'] > $this->config->get('config_login_attempts')) && strtotime('-1 hour') < strtotime($login_info['date_modified'])) {

replace with:

Code:

if (($login_info && ($login_info['total'] > $this->config->get('config_login_attempts')) && strtotime('-1 hour') < strtotime($login_info['date_modified'])) || (empty($this->session->data['__csrf']))) {


Post by straightlight » Tue Mar 20, 2018 8:32 pm

For those using this extension: https://www.opencart.com/index.php?rout ... n_id=27180, version 3.0.0,

In catalog/controller/module/gluu_sso.php (or catalog/controller/extension/module/gluu_sso.php) file,

find:

Code:

if(!$this->customer->isLogged () and $this->gluu_is_port_working() and !empty($this->request->get['route']) and $this->request->get['route'] == 'account/login'){

replace with (the original SSO condition is grouped, then the session token is required; the operator between the two groups was missing):

Code:

if ((!$this->customer->isLogged() and $this->gluu_is_port_working() and !empty($this->request->get['route']) and $this->request->get['route'] == 'account/login') && !empty($this->session->data['__csrf'])) {

Then, find:

Code:

if( isset( $_REQUEST['session_state'] ) ) {

replace with:

Code:

if (isset($_REQUEST['session_state']) && !empty($_SESSION['__csrf'])) {

Then, find:

Code:

if (is_array ($result) && ! empty ($result['email']))

replace with:

Code:

if (is_array($result) && !empty($result['email']) && !empty($this->session->data['__csrf']))

Then, in the:

Code:

public function admin_login($username) {

method, find:

Code:

if ($user_query->num_rows) {

replace with:

Code:

if ($user_query->num_rows && !empty($this->session->data['__csrf'])) {


Post by straightlight » Tue Mar 20, 2018 8:53 pm

For those using this extension: https://www.opencart.com/index.php?rout ... n_id=32842,

In vqmod/xml/fb_login_one_page.xml file,

find:

Code:

if(isset($this->request->post['email_address']) && $this->request->post['email_address'] != 'undefined'){

replace with:

Code:

if(isset($this->request->post['email_address']) && $this->request->post['email_address'] != 'undefined' && !empty($this->session->data['__csrf'])){


Post by straightlight » Tue Mar 20, 2018 8:57 pm

The last few posts about the extensions concern the use of remote APIs for login / register accounts with social logins. These few provided instructions will increase protection for your store.

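A worked illustration of the $_SESSION['__csrf'] presence gate that the replacements in the posts above put in front of social-login callbacks. This is an added example written for this thread, not code from the posts or from any of the extensions; it shows why the two HybridAuth phase checks in callback.php must be grouped before the token test, because PHP binds && tighter than ||.

```php
<?php
// Added example for this thread; not code from the forum posts or from any
// of the extensions they patch. It models the $_SESSION['__csrf'] presence
// gate that the replacements above put in front of social-login callbacks.

// Correctly grouped: whichever HybridAuth phase is running, the callback is
// only processed when the session already carries the store's CSRF token.
function hauthCallbackAllowed(array $request, array $session): bool
{
    return (isset($request['hauth_start']) || isset($request['hauth_done']))
        && !empty($session['__csrf']);
}

// Ungrouped: PHP binds '&&' tighter than '||', so this parses as
// A || (B && C) and a request carrying hauth_start never reaches the token test.
function hauthCallbackAllowedUngrouped(array $request, array $session): bool
{
    return isset($request['hauth_start'])
        || isset($request['hauth_done']) && !empty($session['__csrf']);
}

// Constructed inputs: a callback hit by a session that never rendered the
// token-setting form, so no '__csrf' entry exists yet.
$request = ['hauth_start' => 'Facebook'];
$session = [];

assert(hauthCallbackAllowed($request, $session) === false);
assert(hauthCallbackAllowedUngrouped($request, $session) === true); // the gap

// The same request after the form has been rendered: both gates admit it.
$session['__csrf'] = bin2hex(random_bytes(16)); // constructed token value
assert(hauthCallbackAllowed($request, $session) === true);
assert(hauthCallbackAllowedUngrouped($request, $session) === true);

echo "precedence check complete\n";
```

Note that every replacement in this thread only tests that a session token exists; none compares it against a token submitted with the request, so the gate rejects sessions that skipped the token-setting form but is not a full CSRF token comparison.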

Post by imagineds » Thu Mar 22, 2018 8:10 am

I downloaded the CSRF Protection Form plugin and there were only two files. I have installed them in the corresponding folders but the registration form is still accepting spam registration. What else do I need to do? My store is Version 3.0.2.0.

Thank you.

Newbie

Posts

Joined
Fri Oct 05, 2012 5:57 am

Post by straightlight » Thu Mar 22, 2018 8:19 am

Do you use any social logins extensions / remote APIs for logins on your store?


Post by imagineds » Thu Mar 22, 2018 8:29 pm

No social login. Sorry to not know, but what would be an example of a remote API? We have a payment gateway.


Post by straightlight » Thu Mar 22, 2018 9:02 pm

A gateway that requires a remote login to your site.


Post by imagineds » Thu Mar 22, 2018 9:21 pm

Authorize.net is the only thing I can think of we're connecting to.


Post by straightlight » Thu Mar 22, 2018 9:31 pm

Which Authorize.net? There are three of them (if not more).


Post by imagineds » Thu Mar 22, 2018 9:37 pm

AIM.


Post by straightlight » Thu Mar 22, 2018 9:40 pm

Which OC version are you using? More information is needed.


Post by imagineds » Thu Mar 22, 2018 9:41 pm

Version 3.0.2.0


Post by straightlight » Thu Mar 22, 2018 9:54 pm

Does Authorize.net AIM require a user to enter his user profile during checkout? The last time I checked their API, that wasn't required ...


Post by imagineds » Thu Mar 22, 2018 9:57 pm

No, it does not. So I am pretty sure there aren't any other remote APIs that require a user to log in. It isn't that complicated a site.
