Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 6:23 am
by pair
I posted here
Post by pair » Fri Feb 23, 2018 12:31 pm
but did not get a response from you; that's why I'm asking the other user how he got it resolved...

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 6:25 am
by straightlight
My apologies. This was not intended. I seem to have missed your post. :ponder:

What are the steps you did on your end to install this extension?

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 6:41 am
by pair
Thanks for your reply, straightlight. My apologies, I'm just trying to get this working. Below is what I did:
I uploaded via FTP to the following paths:
/system/helper - File csrf_helper.php
and then on
/vqmod/xml - File csrf.xml
Refreshed the cache and checked the page source. The admin works but not the front end.
No errors in the VQManager error log, and no header.php in the catalog, only vq2-admin_controller_common_header.php.
Let me know if any other details are needed.
Regards,

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 6:59 am
by straightlight
The alternate solution was already provided here: viewtopic.php?f=23&t=51859&start=60#p715300

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 7:03 am
by pair
This is what I have in the XML. Am I missing something?

<?xml version="1.0" encoding="UTF-8"?>
<modification>
    <id>CSRF Form Protection</id>
    <version>v2.x and v3.x</version>
    <vqmver required="true">2.6.0</vqmver>
    <author>Straightlight</author>
	
	<file name="admin/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
			$this->load->helper('csrf_helper');
			
			csrf_start();
			]]></add>
        </operation>
	</file>
	
	<file name="catalog/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
			$this->load->helper('csrf_helper');
			
			csrf_start();
			]]></add>
        </operation>
	</file>

</modification>

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 7:09 am
by straightlight
This is what I have in the XML. Am I missing something?
The XML looks fine. Ensure to look in your VQMod Manager for unusual lines that it's tracking.

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 7:42 am
by pair
I reinstalled again. Now I'm able to see vq2-catalog_controller_common_header.php in /vqmod/vqcache.
However, in the source code on the front end, after deleting the site cache, browser cache etc., I'm still unable to see the CSRF.
This is what it shows when trying the account register:
<p>If you already have an account with us, please login at the <a href="https://www.MYSITE.com/index.php?route= ... gin">login page</a>.</p>
<form action="https://www.MYSITE.com/index.php?route=account/register" method="post" enctype="multipart/form-data" class="form-horizontal">
<fieldset id="account">

Not sure what to look for as unusual. This is what my vqcache shows as files there:

/vqmod/vqcache/vq2-admin_controller_common_header.php
/vqmod/vqcache/vq2-admin_controller_common_menu.php
/vqmod/vqcache/vq2-admin_controller_extension_installer.php
/vqmod/vqcache/vq2-admin_controller_setting_setting.php
/vqmod/vqcache/vq2-admin_language_english_common_menu.php
/vqmod/vqcache/vq2-admin_model_catalog_product.php
/vqmod/vqcache/vq2-admin_model_sale_order.php
/vqmod/vqcache/vq2-catalog_controller_checkout_cart.php
/vqmod/vqcache/vq2-catalog_controller_checkout_confirm.php
/vqmod/vqcache/vq2-catalog_controller_checkout_success.php
/vqmod/vqcache/vq2-catalog_controller_common_header.php
/vqmod/vqcache/vq2-catalog_controller_information_contact.php
/vqmod/vqcache/vq2-catalog_controller_information_information.php
/vqmod/vqcache/vq2-catalog_controller_module_featured.php
/vqmod/vqcache/vq2-catalog_controller_product_category.php
/vqmod/vqcache/vq2-catalog_controller_product_search.php
/vqmod/vqcache/vq2-catalog_model_catalog_product.php
/vqmod/vqcache/vq2-system_engine_action.php
/vqmod/vqcache/vq2-system_engine_controller.php
/vqmod/vqcache/vq2-system_engine_loader.php
/vqmod/vqcache/vq2-system_library_cart.php
/vqmod/vqcache/vq2-system_library_config.php
/vqmod/vqcache/vq2-system_library_language.php
/vqmod/vqcache/vq2-system_modification_admin_controller_common_menu.php
/vqmod/vqcache/vq2-system_modification_admin_model_catalog_product.php
/vqmod/vqcache/vq2-system_modification_catalog_controller_common_header.php
/vqmod/vqcache/vq2-system_modification_catalog_controller_product_product.php
/vqmod/vqcache/vq2-system_modification_catalog_model_catalog_product.php
/vqmod/vqcache/vq2-system_modification_catalog_model_checkout_order.php
/vqmod/vqcache/vq2-system_modification_system_engine_action.php
/vqmod/vqcache/vq2-system_modification_system_engine_loader.php
/vqmod/vqcache/vq2-system_modification_system_library_config.php
/vqmod/vqcache/vq2-system_modification_system_library_language.php
/vqmod/vqcache/vq2-system_startup.php
/vqmod/vqcache/vq2-admin_view_template_common_header.tpl
/vqmod/vqcache/vq2-admin_view_template_common_menu.tpl
/vqmod/vqcache/vq2-admin_view_template_setting_setting.tpl
/vqmod/vqcache/vq2-catalog_view_theme_rpm_template_checkout_register.tpl
/vqmod/vqcache/vq2-catalog_view_theme_rpm_template_common_header.tpl
/vqmod/vqcache/vq2-catalog_view_theme_rpm_template_module_featured.tpl
/vqmod/vqcache/vq2-catalog_view_theme_rpm_template_product_category.tpl
/vqmod/vqcache/vq2-catalog_view_theme_rpm_template_product_search.tpl
/vqmod/vqcache/vq2-system_modification_admin_view_template_common_menu.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_rpm_template_account_register.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_rpm_template_common_header.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_rpm_template_product_product.tpl

Anything else I should try to see if I can get this resolved?

Thanks again for all your help!

Regards,

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 7:54 am
by straightlight
Clear your VQMod cache and revert to the default theme, noting whether the CSRF token is also not showing there.

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 12:52 pm
by pair
Hello straightlight, sorry I couldn't reply sooner. Had to step out.
I tried what you suggested but to no avail. I cleared all the caches and set the default template in the admin, but now I'm not even getting the catalog header in the VQcache. This is what I have now in the VQcache. Still no errors in VQManager or the admin error log.

/vqmod/vqcache/vq2-admin_controller_common_header.php
/vqmod/vqcache/vq2-admin_controller_common_menu.php
/vqmod/vqcache/vq2-admin_controller_setting_setting.php
/vqmod/vqcache/vq2-admin_language_english_common_menu.php
/vqmod/vqcache/vq2-admin_model_catalog_product.php
/vqmod/vqcache/vq2-admin_model_sale_order.php
/vqmod/vqcache/vq2-catalog_controller_information_contact.php
/vqmod/vqcache/vq2-catalog_controller_module_featured.php
/vqmod/vqcache/vq2-catalog_controller_product_category.php
/vqmod/vqcache/vq2-system_engine_action.php
/vqmod/vqcache/vq2-system_engine_controller.php
/vqmod/vqcache/vq2-system_engine_loader.php
/vqmod/vqcache/vq2-system_library_cart.php
/vqmod/vqcache/vq2-system_library_config.php
/vqmod/vqcache/vq2-system_library_language.php
/vqmod/vqcache/vq2-system_modification_admin_controller_common_menu.php
/vqmod/vqcache/vq2-system_modification_admin_model_catalog_product.php
/vqmod/vqcache/vq2-system_modification_catalog_controller_common_header.php
/vqmod/vqcache/vq2-system_modification_catalog_controller_product_product.php
/vqmod/vqcache/vq2-system_modification_catalog_model_catalog_product.php
/vqmod/vqcache/vq2-system_modification_system_engine_action.php
/vqmod/vqcache/vq2-system_modification_system_engine_loader.php
/vqmod/vqcache/vq2-system_modification_system_library_config.php
/vqmod/vqcache/vq2-system_modification_system_library_language.php
/vqmod/vqcache/vq2-system_startup.php
/vqmod/vqcache/vq2-admin_view_template_common_header.tpl
/vqmod/vqcache/vq2-admin_view_template_common_menu.tpl
/vqmod/vqcache/vq2-admin_view_template_setting_setting.tpl
/vqmod/vqcache/vq2-catalog_view_theme_default_template_module_featured.tpl
/vqmod/vqcache/vq2-catalog_view_theme_default_template_product_category.tpl
/vqmod/vqcache/vq2-system_modification_admin_view_template_common_menu.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_default_template_account_register.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_default_template_common_header.tpl
/vqmod/vqcache/vq2-system_modification_catalog_view_theme_default_template_product_product.tpl

Anything else I should try?
Regards,

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 7:50 pm
by straightlight
Thanks to the forum user neelgajjar. Since the latest modifications published on the marketplace, CSRF attackers are no longer able to flood POST forms.

@pair: Send me a PM and I will take a look at the issue.

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 8:32 pm
by straightlight
A little tweak to cover your store against outsiders using external APIs with OpenCart's API login and admin orders, for those who use the OC Admin API.

In your catalog/controller/api/login.php file,

find:

if ($api_info) {
replace with:

if ($api_info && !empty($this->session->data['__csrf'])) {
Optional steps below to show the error message, find:

} else {
				$json['error']['key'] = $this->language->get('error_key');
			}
		}
replace with:

} else {
				$json['error']['key'] = $this->language->get('error_key');
			}
		} else {
		    $json['error']['key'] = $this->language->get('error_login_csrf');
		}
In your catalog/language/<your_language>/api/login.php file, at the bottom of the file, add:

$_['error_login_csrf'] = 'Either the API login or the CSRF key are invalid!';
This should completely fortify the platform. :)

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 8:45 pm
by straightlight
An additional way to tweak and fortify, which I do recommend adding along with the previous post.

In your admin/controller/sale/order.php file,

find all instances of:

if ($api_info && $this->user->hasPermission('modify', 'sale/order')) {
replace all with:

if ($api_info && $this->user->hasPermission('modify', 'sale/order') && !empty($this->session->data['__csrf'])) {
For those who use Openbay:

In your admin/controller/marketplace/openbay.php file,

find all instances of:

if (isset($api_info['error']) || isset($api_login['error'])) {
replace all with:

if ((isset($api_info['error']) || isset($api_login['error'])) || (empty($this->session->data['__csrf']))) {

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 9:18 pm
by k2tec
Pair, this is what I did.
Uploaded the files.
Deleted all vqmodcache files.
Deleted checked.cache and mods.cache.
Then go to a page in your catalog; then there will be the file vq2-catalog_controller_common_header.php
with this code in it:

$data['styles'] = $this->document->getStyles();

			$this->load->helper('csrf_helper');
			
			csrf_start();
			
		$data['scripts'] = $this->document->getScripts();
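
An added verification script for the three steps above (clear the vQmod caches, reload a catalog page, confirm the regenerated header controller carries the helper). It is not part of the thread or of the CSRF Protection Form extension; the store root, the cache paths and the assumption that the storefront field name contains "csrf" are taken from the posts on this page.

```shell
#!/bin/sh
# Added helper, not the extension's own code. Assumes an OpenCart root with
# vqmod/ beneath it, as the posters describe; the CSRF field name is an assumption.

# Step 1 of the procedure: drop the cached vq2-* files plus mods.cache and
# checked.cache so vQmod re-applies every XML on the next catalog page load.
clear_vqmod_cache() {
    root="$1"
    rm -f "$root"/vqmod/vqcache/vq2-* \
          "$root"/vqmod/checked.cache \
          "$root"/vqmod/mods.cache
}

# Step 2: after one catalog page load, the regenerated header controller must
# exist and contain both the helper load and the csrf_start() call.
# Returns 0 when both are present, 1 otherwise.
cache_has_csrf() {
    f="$1/vqmod/vqcache/vq2-catalog_controller_common_header.php"
    [ -f "$f" ] || return 1
    grep -q "load->helper('csrf_helper')" "$f" || return 1
    grep -q "csrf_start();" "$f"
}

# Step 3: what the posters checked by hand in "view source": does a saved
# storefront page contain a csrf form field at all? (field-name assumption)
page_has_csrf_field() {
    grep -qi 'name="[_]*csrf"' "$1"
}

# Pre-check for the most common cause discussed in the thread: a <file name>
# target in the XML that does not exist under this store root. Prints each
# missing target and returns 1 if any is missing.
xml_targets_exist() {
    root="$1"; xml="$2"; missing=0
    for t in $(sed -n 's/.*<file name="\([^"]*\)".*/\1/p' "$xml"); do
        [ -f "$root/$t" ] || { echo "missing: $t" >&2; missing=1; }
    done
    return $missing
}
```

Run xml_targets_exist first, then clear_vqmod_cache, load any catalog page in a browser, and only then call cache_has_csrf and page_has_csrf_field on a saved copy of the page source.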

Re: [RELEASED] CSRF Protection Form

Posted: Sun Feb 25, 2018 9:25 pm
by straightlight
k2tec wrote:
Sun Feb 25, 2018 9:18 pm
Pair, this is what I did.
Uploaded the files.
Deleted all vqmodcache files.
Deleted checked.cache and mods.cache.
Then go to a page in your catalog; then there will be the file vq2-catalog_controller_common_header.php
with this code in it:

$data['styles'] = $this->document->getStyles();

			$this->load->helper('csrf_helper');
			
			csrf_start();
			
		$data['scripts'] = $this->document->getScripts();
Thanks for providing your steps. However, do not forget to download the latest release of the system/helper/csrf_helper.php file, as of today's release, if you don't already have it. ;)

Re: [RELEASED] CSRF Protection Form

Posted: Mon Feb 26, 2018 12:10 am
by huubert2
k2tec wrote:
Sun Feb 25, 2018 9:18 pm
Pair, this is what I did.
Uploaded the files.
Deleted all vqmodcache files.
Deleted checked.cache and mods.cache.
Then go to a page in your catalog; then there will be the file vq2-catalog_controller_common_header.php
with this code in it:

$data['styles'] = $this->document->getStyles();

			$this->load->helper('csrf_helper');
			
			csrf_start();
			
		$data['scripts'] = $this->document->getScripts();
For me at least, the code in vq2-catalog_controller_common_header.php shows up as well. But unfortunately that's the only change I see. The page source of frontend pages does not show any csrf-related changes. I seem to have exactly the same issue Pair is having. We are using different themes, though.
I've installed all the updated releases of the extension, cleared the cache more times than I can count, and each time checked the vqmanager and error log. So far no luck on the frontend and nothing in the logs. In admin it has worked flawlessly since day 1.
OC 2.1.0.2.

Re: [RELEASED] CSRF Protection Form

Posted: Mon Feb 26, 2018 12:54 am
by straightlight
Send me a PM. I will take a look at it.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 15, 2018 10:01 pm
by idarand
Hey, have you managed to solve the issue? I can see the "name=___csrf" at the admin login page but not at the customer registration. Can't PM you because my account is brand new. :)

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 15, 2018 10:28 pm
by straightlight
Ensure your file path is valid in the XML file, and use the same block of code as the admin's block for your catalog block in order to track the right lines of code in your TPL files, if the alternative solution in the current XML file cannot display the CSRF key in the view source.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 15, 2018 11:03 pm
by idarand
I added the lines to both of the header.php files manually but still got the same result, so the path should be correct. I tried finding any differences in the post forms; the default theme and my theme look identical. Where else can I look for why the code can't track my code?

Re: [RELEASED] CSRF Protection Form

Posted: Thu Mar 15, 2018 11:06 pm
by straightlight
Where else can I look for why the code can't track my code?
By posting your XML file with the changes you made.