
Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 11:04 pm
by imagineds
So, then if one of those extensions uses a remote API then what do I do?
And if none of them do, then what?

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 11:17 pm
by straightlight
If one of them does, report it here and I will see what I can do to provide the instructions based on their login page. If none of them do, you'd need to provide the most recent access logs from your webserver so as to see where the CSRF attacker originates from as well as knowing the route being used to auto-create accounts on your store.
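
An added example, not part of the original post or of the extension: one way to pull the information asked for above (originating IP and the route used to create accounts) out of a combined-format access log. The log lines are constructed, and the `account/register` and `affiliate/register` route names are assumptions about the store's URLs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (documentation IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Mar/2018:23:01:10 +0000] "POST /index.php?route=account/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Mar/2018:23:01:11 +0000] "POST /index.php?route=account/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Mar/2018:23:01:12 +0000] "POST /index.php?route=affiliate/register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Mar/2018:23:02:00 +0000] "GET /index.php?route=account/register HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.20 - - [22/Mar/2018:23:02:40 +0000] "POST /index.php?route=account/register HTTP/1.1" 302 0 "https://shop.example/index.php?route=account/register" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(GET|POST) (\S+) [^"]*" (\d{3}) ')

def route_of(target):
    """Return the route= query value (assumed URL scheme), or the bare path if absent."""
    parts = urlsplit(target)
    return parse_qs(parts.query).get("route", [parts.path])[0]

def summarize(log_text):
    """Per client IP: POST count per route, and POSTs sent with no earlier GET of that route."""
    seen_get = set()
    posts = defaultdict(lambda: defaultdict(int))
    blind = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, method, target, _status = m.groups()
        route = route_of(target)
        if method == "GET":
            seen_get.add((ip, route))
        else:
            posts[ip][route] += 1
            if (ip, route) not in seen_get:
                # Form was never fetched, so no form token could have been obtained.
                blind[ip] += 1
    return {ip: {"posts": dict(r), "blind_posts": blind[ip]} for ip, r in posts.items()}

if __name__ == "__main__":
    ranked = sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["blind_posts"])
    for ip, info in ranked:
        print(ip, info)
```

Clients with a high `blind_posts` count submit the registration form without ever loading it, which is the pattern a per-form token rejects; clients that load the form first are the ones a captcha has to deal with.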

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 11:48 pm
by imagineds
I was able to get Google reCaptcha to work on the site. Had to make an adjustment on the server. So I will just see if that does the trick.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 22, 2018 11:49 pm
by straightlight
imagineds wrote:
Thu Mar 22, 2018 11:48 pm
Had to make an adjustment on the server
What adjustment? This is simply vague information ...

Re: [RELEASED] CSRF Protection Form

Posted: Fri Mar 23, 2018 10:44 am
by ameliaa
Is this mod really working? I installed on both my sites. Still receiving registration spam (lots of it), even affiliate spam.

OC Version: 2.0.1.1 and 2.0.3.1
URLs:
https://bit.ly/2pxDAtx
https://bit.ly/2pxgpP6

Re: [RELEASED] CSRF Protection Form

Posted: Fri Mar 23, 2018 6:33 pm
by straightlight
ameliaa wrote:
Fri Mar 23, 2018 10:44 am
Is this mod really working? I installed on both my sites. Still receiving registration spam (lots of it), even affiliate spam.

OC Version: 2.0.1.1 and 2.0.3.1
URLs:
https://bit.ly/2pxDAtx
https://bit.ly/2pxgpP6
As asked of other users above, are you using any social login extensions or remote logins on your site?

Re: [RELEASED] CSRF Protection Form

Posted: Sun Mar 25, 2018 5:39 am
by holiday.holiday1
I have a 1.5.4 store, have applied the mod with appropriate changes for 1.5.4, and see the changes have taken effect to the vqcache files for both catalog and admin. But, the __csrf modifications to the <form> markup are only taking effect on the admin side.
Thanks for the help and mod.

Re: [RELEASED] CSRF Protection Form

Posted: Mon Mar 26, 2018 8:37 pm
by simone.pignatti
Hi guys, I've just uploaded v2.0 files in my 1.5.2.1 installation. Nothing happened, it seems it doesn't work at all.
Any advice?
If you like to check my web shop you can visit www (dot) batterfly (dot) com
Thank you.

Re: [RELEASED] CSRF Protection Form

Posted: Mon Mar 26, 2018 10:30 pm
by straightlight
What are your path and line configurations in your XML file since you are using an unsupported version?

Re: [RELEASED] CSRF Protection Form

Posted: Mon Mar 26, 2018 10:31 pm
by simone.pignatti
straightlight wrote:
Mon Mar 26, 2018 10:30 pm
What are your path and line configurations in your XML file since you are using an unsupported version?
I didn't change anything. What do you suggest to edit?

Re: [RELEASED] CSRF Protection Form

Posted: Mon Mar 26, 2018 10:39 pm
by straightlight
You need to edit the XML file for the lines to be looked up. Although, since v1.5x releases are pretty old, I don't provide much support for them. However, it does not indicate nor mean that the extension does not work.

Re: [RELEASED] CSRF Protection Form

Posted: Tue Mar 27, 2018 3:42 am
by ryke-opencart
Thanks for any help you can give. I'm trying to stop a flock of "bad robots" attacking my website. Found your extension and thought I had found my fix. Installed the 2.0 version on my OpenCart 1.5.5.1 and not working. Had seen a post of someone using and you saying would work on a 1.5 xx or something. Just figured it would work on mine. Checked the header in the source code on my Chrome browser and no <form could be found that replies to CSRF. There was no info or readme file or anything on installing or using. I hope I can even get to work on my OpenCart version. Any help would be appreciated. Thanks.

Re: [RELEASED] CSRF Protection Form

Posted: Wed Mar 28, 2018 8:30 pm
by straightlight
I have posted an update message on the CSRF page from the Marketplace. v1.5x releases have also been a success to work with this extension. Ensure to configure your XML file with the relative search lines as well as adding the ZDLib output compression set to On in your php.ini or in your .user.ini file and all should be fine. The ZDLib switch is mentioned on the documentation tab from the Marketplace.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 29, 2018 2:44 am
by sfbh
[Edit] Post removed by author.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 29, 2018 3:10 am
by straightlight
in /admin/controller/common/header.php and /catalog/controller/common/header.php (I do not have VQmod installed. I plan to remove the manual entries and convert to an OCmod once it is working)
The package I provided already provides this solution. No need to manually apply the queries since it should automatically propagate through the entire store by using the XML file and the csrf_helper file as long as the lookup lines in the XML (search) are looking for the right location and without conflict.

Note: Do NOT publish the csrf token value on the forum nor on any public websites for security purposes. I would strongly suggest to remove it from your previous post.

The CSRF token is working properly as per your post above. Install the re-captcha module as well and see if the SPAMs and floods keep increasing on your store afterwards.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 29, 2018 5:32 am
by wildfire67
Can I pay you to install this for me? I found no instructions in the crsf20 file.

Regards

John

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 29, 2018 10:26 am
by sfbh
[Edit] Post removed by author.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 29, 2018 6:05 pm
by straightlight
VQMod must be used with this extension, it is not an OCMod extension as clearly demonstrated from the package delivered on the Marketplace. As for the manual entry, this would be insufficient since the extension is using a propagated method with regular expression from XML in order to protect users against flooders.

Take note that this extension does not protect users against SPAMs but against floods that are caused by spammers. Using re-captcha with CSRF together is the best way to go to get rid of the spammers.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 29, 2018 6:10 pm
by straightlight
The first post has now been updated for users to get more information about what CSRF attackers do.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 29, 2018 7:42 pm
by straightlight
[29-03-2018] - The CSRF helper has been improved with a stronger algorithm form or string for better protection and also PHP 7+ compatibility.

For users that already installed the recent version, simply replace the system/helper/csrf_helper.php with the new one from the delivered package on the Marketplace. This will NOT affect any customers' activities during their visits through the site. The helper file is totally safe to replace without setting the store under maintenance. Ensure to clear the OC cache, however.