Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 15, 2018 11:10 pm
by idarand
I PM-ed you. Thanks
Re: [RELEASED] CSRF Protection Form
Posted: Tue Mar 20, 2018 4:20 am
by thommy86
Does this solution still work with OC 1.5.1.3? What version should I download and where to find the instructions?
Thanks!
Re: [RELEASED] CSRF Protection Form
Posted: Tue Mar 20, 2018 6:20 am
by straightlight
v1.5.x releases are not delivered out of the box. The XML file must be edited accordingly.
Re: [RELEASED] CSRF Protection Form
Posted: Tue Mar 20, 2018 8:08 pm
by straightlight
For those using the social login extension:
https://www.opencart.com/index.php?rout ... n_id=18171,
in catalog/controller/extension/d_social_login/callback.php file,
find:
Code:
if (isset($_REQUEST['hauth_start']) || isset($_REQUEST['hauth_done']))
replace with:
Code:
// Parentheses are required: && binds tighter than ||, so without them the
// hauth_start path would bypass the CSRF session check entirely.
if ((isset($_REQUEST['hauth_start']) || isset($_REQUEST['hauth_done'])) && !empty($_SESSION['__csrf']))
In catalog/controller/extension/d_social_login/callback_live.php file,
find:
Code:
public function index() {
    $_REQUEST['hauth_done'] = 'Live';
    require_once("system/library/hybrid/auth.php");
    require_once("system/library/hybrid/endpoint.php");
    Hybrid_Endpoint::process();
}
replace with:
Code:
public function index() {
    // Only hand the request to HybridAuth when the CSRF token exists in the session.
    if (!empty($_SESSION['__csrf'])) {
        $_REQUEST['hauth_done'] = 'Live';
        require_once("system/library/hybrid/auth.php");
        require_once("system/library/hybrid/endpoint.php");
        Hybrid_Endpoint::process();
    }
}
In catalog/controller/extension/module/d_social_login.php file,
find:
Code:
if (isset($this->request->get['provider'])) {
replace with:
Code:
if (isset($this->request->get['provider']) && !empty($this->session->data['__csrf'])) {
Find:
Code:
$this->log->write('Missing application provider.');
replace with:
Code:
$this->log->write('Missing application provider or missing CSRF token.');
Re: [RELEASED] CSRF Protection Form
Posted: Tue Mar 20, 2018 8:15 pm
by straightlight
For those using this extension:
https://www.opencart.com/index.php?rout ... n_id=24825,
in catalog/controller/extension/module/oneall.php file,
find:
Code:
if (isset($this->request->post) && !empty($this->request->post['connection_token']))
replace with:
Code:
if (isset($this->request->post) && !empty($this->request->post['connection_token']) && !empty($this->session->data['__csrf']))
Re: [RELEASED] CSRF Protection Form
Posted: Tue Mar 20, 2018 8:23 pm
by straightlight
For those using this extension:
https://www.opencart.com/index.php?rout ... n_id=21672, starting from v2.x releases,
in catalog/controller/account/socl_login.php file,
find:
Code:
if (isset($soclall_id) && !empty($soclall_id) && isset($this->request->get['network'])) {
replace with:
Code:
if (isset($soclall_id) && !empty($soclall_id) && isset($this->request->get['network']) && !empty($this->session->data['__csrf'])) {
Then, find:
Code:
if ($login_info && ($login_info['total'] > $this->config->get('config_login_attempts')) && strtotime('-1 hour') < strtotime($login_info['date_modified'])) {
replace with:
Code:
if (($login_info && ($login_info['total'] > $this->config->get('config_login_attempts')) && strtotime('-1 hour') < strtotime($login_info['date_modified'])) || (empty($this->session->data['__csrf']))) {
Re: [RELEASED] CSRF Protection Form
Posted: Tue Mar 20, 2018 8:32 pm
by straightlight
For those using this extension:
https://www.opencart.com/index.php?rout ... n_id=27180, version 3.0.0,
in catalog/controller/module/gluu_sso.php (or catalog/controller/extension/module/gluu_sso.php) file,
find:
Code:
if(!$this->customer->isLogged () and $this->gluu_is_port_working() and !empty($this->request->get['route']) and $this->request->get['route'] == 'account/login'){
replace with:
Code:
// The operator between the two groups was missing in the original post; '||'
// follows the same pattern as the socl_login.php change above.
if ((!$this->customer->isLogged() and $this->gluu_is_port_working() and !empty($this->request->get['route']) and $this->request->get['route'] == 'account/login') || (empty($this->session->data['__csrf']))) {
Then, find:
Code:
if( isset( $_REQUEST['session_state'] ) ) {
replace with:
Code:
if (isset($_REQUEST['session_state']) && !empty($_SESSION['__csrf'])) {
Then, find:
Code:
if (is_array ($result) && ! empty ($result['email']))
replace with:
Code:
if (is_array($result) && !empty($result['email']) && !empty($this->session->data['__csrf']))
Then, in the:
Code:
public function admin_login($username) {
method, find:
replace with:
Code:
if ($user_query->num_rows && !empty($this->session->data['__csrf'])) {
Re: [RELEASED] CSRF Protection Form
Posted: Tue Mar 20, 2018 8:53 pm
by straightlight
For those using this extension:
https://www.opencart.com/index.php?rout ... n_id=32842,
in vqmod/xml/fb_login_one_page.xml file,
find:
Code:
if(isset($this->request->post['email_address']) && $this->request->post['email_address'] != 'undefined'){
replace with:
Code:
if(isset($this->request->post['email_address']) && $this->request->post['email_address'] != 'undefined' && !empty($this->session->data['__csrf'])){
Re: [RELEASED] CSRF Protection Form
Posted: Tue Mar 20, 2018 8:57 pm
by straightlight
The last few posts about the extensions concern the use of remote APIs for login / register accounts with social logins. These few instructions, as provided, will increase the protection of your store.
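The posts above gate each social-login entry point on the presence of a `__csrf` value in the session. The helper below is an added example, not code from the CSRF Protection Form extension or from any of the posts; it shows the fuller check a callback would want: mint the token, compare the submitted value with the session copy using `hash_equals`, and parenthesize the `||` so the guard covers both the `hauth_start` and `hauth_done` paths. It assumes the extension's `__csrf` session key; the function names and the sample session and request arrays are constructed.

```php
<?php
// Added example; assumes the '__csrf' session key used by the posts above.
declare(strict_types=1);

/** Ensure the session carries a random CSRF token and return it. */
function csrf_token(array &$session): string
{
    if (empty($session['__csrf'])) {
        // 32 random bytes -> 64 hex chars; unguessable per session.
        $session['__csrf'] = bin2hex(random_bytes(32));
    }
    return $session['__csrf'];
}

/**
 * A non-empty session token (the check the posts add) only proves a form was
 * rendered in this session; comparing the submitted token proves the request
 * itself originated from that form rather than from a third-party page.
 */
function csrf_valid(array $session, array $request): bool
{
    if (empty($session['__csrf']) || empty($request['__csrf'])) {
        return false;
    }
    // hash_equals runs in constant time, so the comparison leaks no timing.
    return hash_equals($session['__csrf'], (string) $request['__csrf']);
}

/**
 * Gate for a HybridAuth-style callback (hauth_start / hauth_done).
 * The inner parentheses matter: && binds tighter than ||, so without them
 * the hauth_start branch would never reach the CSRF check.
 */
function social_callback_allowed(array $session, array $request): bool
{
    $isCallback = isset($request['hauth_start']) || isset($request['hauth_done']);
    return $isCallback && csrf_valid($session, $request);
}

// Constructed demonstration: one session that rendered the login form,
// then a legitimate request and a forged one lacking the token.
$session = [];
$token   = csrf_token($session);
$genuine = ['hauth_start' => 'Google', '__csrf' => $token];
$forged  = ['hauth_start' => 'Google'];

var_dump(social_callback_allowed($session, $genuine)); // expected: allowed
var_dump(social_callback_allowed($session, $forged));  // expected: rejected
```

In OpenCart controllers the session array is `$this->session->data`, while HybridAuth's callbacks read raw `$_SESSION`, so pass whichever array the file being patched actually uses.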
Re: [RELEASED] CSRF Protection Form - Not Working?
Posted: Thu Mar 22, 2018 8:10 am
by imagineds
I downloaded the CSRF Protection Form plugin and there were only two files. I have installed them in the corresponding folders but the registration form is still accepting spam registration. What else do I need to do? My store is Version 3.0.2.0.
Thank you.
Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 22, 2018 8:19 am
by straightlight
Do you use any social logins extensions / remote APIs for logins on your store?
Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 22, 2018 8:29 pm
by imagineds
No social login. Sorry to not know, but what would be an example of a remote API? We have a payment gateway.
Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 22, 2018 9:02 pm
by straightlight
A gateway that requires a remote login to your site.
Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 22, 2018 9:21 pm
by imagineds
Authorize.net is the only thing I can think of we're connecting to.
Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 22, 2018 9:31 pm
by straightlight
Which Authorize.net? There are three of them (if not more).
Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 22, 2018 9:37 pm
by imagineds
AIM.
Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 22, 2018 9:40 pm
by straightlight
Which OC version are you using? More information is needed.
Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 22, 2018 9:41 pm
by imagineds
Version 3.0.2.0
Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 22, 2018 9:54 pm
by straightlight
Does Authorize.net AIM require a user to enter his user profile during checkout? The last time I checked their API, that wasn't required ...
Re: [RELEASED] CSRF Protection Form
Posted: Thu Mar 22, 2018 9:57 pm
by imagineds
No, it does not. So I am pretty sure there aren't any other remote APIs that require a user to log in. It isn't that complicated a site.