doesn't like vqmod, but I'm gonna find out if it will pass PCI. An error won't make it fail PCI, lol. At least I hope...
Edit: not vqmod apparently; it's in another section I'm searching for. (I wish I were better with coding; it's probably blatantly obvious.)
https://www.lotnllc.com is your one stop shop for all your computer needs!
Demon5 wrote:
    Warning: Wrong parameter count for strpos() in /home/xxxxx/public_html/xxxxxx/catalog/controller/common/header.php on line 37
    Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxxx/public_html/xxxxxx/index.php:96) in /home/xxxxxx/public_html/xxxxxx/vqmod/vqcache/vqcache_system_engine_controller.php on line 27
    doesn't like vqmod, but I'm gonna find out if it will pass PCI. An error won't make it fail PCI, lol. At least I hope...
    Edit: not vqmod apparently; it's in another section I'm searching for. (I wish I were better with coding; it's probably blatantly obvious.)

Sorry, that's actually my fault. I changed the code last minute and made a mistake. Try this code.

Code: Select all
if (isset($this->request->post['redirect'])) {
    // The submitted URL must contain both HTTP_SERVER and HTTPS_SERVER
    // to be accepted; otherwise fall back to the home page.
    if (strpos($this->request->post['redirect'], HTTP_SERVER) === false) {
        $redirect_error = true;
    } elseif (strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
        $redirect_error = true;
    } else {
        $redirect_error = false;
    }
    if ($redirect_error == true) {
        $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
    } else {
        $this->redirect($this->request->post['redirect']);
    }
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
Ugh, I had made the changes to my test site instead of the main one where I was scanning. The demos seem to keep me at my own site now instead of redirecting to mcafeesecure. Rerunning the scan now (again). I think it will work.
Man, when they have you rescan to check a patch they should just rescan that part instead of doing the full 2-hour hack attempt...
I appreciate the help, and I'm sure the other OpenCart users will be happy to see that it can be compliant without loss of function.
Xsecrets wrote:
    Code: Select all
    if (isset($this->request->post['redirect'])) {
        if (strpos($this->request->post['redirect'], HTTP_SERVER) === false) {
            $redirect_error = true;
        } elseif (strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
            $redirect_error = true;
        } else {
            $redirect_error = false;
        }
        if ($redirect_error == true) {
            $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
        } else {
            $this->redirect($this->request->post['redirect']);
        }
    } else {
        $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
    }

It's late here and maybe I'm not seeing it... but couldn't this be simplified to just:

Code: Select all
if (isset($this->request->post['redirect']) && strpos($this->request->post['redirect'], HTTP_SERVER) !== false) {
    $this->redirect($this->request->post['redirect']);
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}
Qphoria wrote:
    Xsecrets wrote:
        Code: Select all
        if (isset($this->request->post['redirect'])) {
            if (strpos($this->request->post['redirect'], HTTP_SERVER) === false) {
                $redirect_error = true;
            } elseif (strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
                $redirect_error = true;
            } else {
                $redirect_error = false;
            }
            if ($redirect_error == true) {
                $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
            } else {
                $this->redirect($this->request->post['redirect']);
            }
        } else {
            $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
        }
    It's late here and maybe I'm not seeing it... but couldn't this be simplified to just:
    Code: Select all
    if (isset($this->request->post['redirect']) && strpos($this->request->post['redirect'], HTTP_SERVER) !== false) {
        $this->redirect($this->request->post['redirect']);
    } else {
        $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
    }

Well, I just did it quickly and didn't really want to think too hard. I believe what you have will work, but you would need to add in HTTPS_SERVER, so it would be:

Code: Select all
if (isset($this->request->post['redirect']) && strpos($this->request->post['redirect'], HTTP_SERVER) !== false && strpos($this->request->post['redirect'], HTTPS_SERVER) !== false) {
Code: Select all
if (isset($this->request->post['redirect']) && (strpos($this->request->post['redirect'], HTTP_SERVER) !== false || strpos($this->request->post['redirect'], HTTPS_SERVER) !== false)) {
Qphoria wrote:
    Actually, I think it should be a grouped "||" for the http or https, cuz it won't necessarily be both but can be one or the other.
    Code: Select all
    if (isset($this->request->post['redirect']) && (strpos($this->request->post['redirect'], HTTP_SERVER) !== false || strpos($this->request->post['redirect'], HTTPS_SERVER) !== false)) {

Yeah, you may be right; that's why I went the other way with it. Didn't feel like figuring out the whole not/or/and crap.
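The check the thread settles on accepts any value in which one of the shop's base URLs appears as a substring, and strpos() is equally happy to find that base URL inside the query string or path of a URL on some other host. The PHP below is an added example, not code from this thread or from OpenCart: it puts that substring check beside an origin check built on parse_url() and runs both over a few constructed inputs. HTTP_SERVER and HTTPS_SERVER mirror OpenCart's config constants but carry made-up values here, and the function names are assumed.

```php
<?php
// Added example (not OpenCart code): the thread's substring check for the
// post-login "redirect" parameter beside a stricter origin check.
// HTTP_SERVER / HTTPS_SERVER mirror OpenCart's config constants; the values
// are assumed for the demo.
define('HTTP_SERVER',  'http://shop.example.com/');
define('HTTPS_SERVER', 'https://shop.example.com/');

// The check as settled on in the thread: accept if either base URL occurs
// anywhere in the submitted value.
function redirect_allowed_substring(string $url): bool
{
    return strpos($url, HTTP_SERVER) !== false
        || strpos($url, HTTPS_SERVER) !== false;
}

// Stricter alternative: parse the URL and require that scheme, host and
// port match one of the configured base URLs exactly. Unparsable values,
// protocol-relative URLs ("//evil.example/") and other hosts are rejected.
// Relative paths are rejected too; prefix them with HTTP_SERVER first if
// you want to allow them.
function redirect_allowed_origin(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    foreach ([HTTP_SERVER, HTTPS_SERVER] as $base) {
        $b = parse_url($base);
        if (strcasecmp($parts['scheme'], $b['scheme']) === 0
            && strcasecmp($parts['host'], $b['host']) === 0
            && ($parts['port'] ?? null) === ($b['port'] ?? null)) {
            return true;
        }
    }
    return false;
}

// The target that should actually be sent to the browser.
function safe_redirect_target(string $requested, string $fallback): string
{
    return redirect_allowed_origin($requested) ? $requested : $fallback;
}

// Constructed inputs: one legitimate return URL, two values that carry the
// shop's base URL inside a URL on another host, and a protocol-relative URL.
$samples = [
    'https://shop.example.com/index.php?route=account/account',
    'http://evil.example/?next=http://shop.example.com/',
    'http://evil.example/http://shop.example.com/',
    '//evil.example/',
];

foreach ($samples as $url) {
    printf("%-58s substring=%-5s origin=%s\n", $url,
        redirect_allowed_substring($url) ? 'allow' : 'deny',
        redirect_allowed_origin($url) ? 'allow' : 'deny');
}

// In a controller the call would be along the lines of:
//   $this->redirect(safe_redirect_target($this->request->post['redirect'],
//                                        HTTP_SERVER . 'index.php?route=common/home'));
```

The second and third samples pass the substring test and fail the origin test; that difference is the whole point of parsing the URL rather than searching it.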
Demon5 wrote:
    Make sure you include these changes in 1.5.0. Being PCI compliant will help make OpenCart a dominant cart in the market, which would bring more devs to make modules since more people would use it, which you could make money off.

Already added to 1.5.0 and 1.4.9.5, but it hasn't affected anything in the past anyway. You are the first to comment, so I'm not too worried that people weren't using it before this.
Hope this helps prove the point that OC is secure enough for PCI compliance. I've not read all of the posts in this thread, but I can confirm that getting this status for the site involved more server admin changes than anything within the OC framework.
The site: http://pdr-tools.us
Use it? Like it? Want to support it but don't know how? Send a donation to show your appreciation.
Daniel's PayPal address - donate@opencart.com
Qphoria's Paypal address - qphoria@gmail.com
I am not sure if this is something with the host or with OpenCart.

Status: Fail (This must be resolved for your device to be compliant).
Plugin: "Non-persistent Cross-Site Scripting Vulnerability"
Category: "CGI abuses : XSS"
Priority: "Medium Priority"
Description: The following CGI script seems to be vulnerable to a non-persistent XSS hole: /index.php
Unsafe arguments: keyword
Unsafe URLs: /index.php?keyword=%2bADw-%2ftitle%2bAD4APA-script%2bAD4-alert(12345)%2bADsAPA-%2fscript%2bAD4&route=product%2fsearch (XSS pattern: +ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4)
An attacker may change 'Content-Type' and 'Charset' for a dynamically generated site, include some script in UTF-7 into the page header and execute it for destructive actions.
Risk factor: Medium / CVSS Base Score: 4.3
Solution: always set 'Content-Type' and 'Charset' for the HTML page via a 'meta' tag before any changeable info.
Kevin Davidson
Purolator Shipping Module
Canpar Shipping Module
VQMod - Paypal Transaction ID to Payment Details
kdmp wrote:
    I just recently had a HackerGuardian scan done and it indicated this for 1.4.9.1:
    I am not sure if this is something with the host or with OpenCart.

    Status: Fail (This must be resolved for your device to be compliant).
    Plugin: "Non-persistent Cross-Site Scripting Vulnerability"
    Category: "CGI abuses : XSS"
    Priority: "Medium Priority"
    Description: The following CGI script seems to be vulnerable to a non-persistent XSS hole: /index.php
    Unsafe arguments: keyword
    Unsafe URLs: /index.php?keyword=%2bADw-%2ftitle%2bAD4APA-script%2bAD4-alert(12345)%2bADsAPA-%2fscript%2bAD4&route=product%2fsearch (XSS pattern: +ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4)
    An attacker may change 'Content-Type' and 'Charset' for a dynamically generated site, include some script in UTF-7 into the page header and execute it for destructive actions.
    Risk factor: Medium / CVSS Base Score: 4.3
    Solution: always set 'Content-Type' and 'Charset' for the HTML page via a 'meta' tag before any changeable info.

I'm actually having a PCI scan done tomorrow on my site, so I will share the results of that and compare notes. I am using v1.4.9.6. I have added the following line to my header.tpl file right under the <title> tags:

Code: Select all
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

Will watch for your results.
Kevin
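The finding quoted above is about charset guessing rather than a missing escape. Every byte of the scanner's payload is an ASCII letter, digit, '+', '-', '/', '(' or ')', so htmlspecialchars() returns it unchanged; what turns +ADw- into '<' is a browser that is left to guess the encoding and settles on UTF-7. Declaring the encoding in the Content-Type response header, and in a <meta> tag placed at the top of <head> before the <title> and anything else that can carry request-supplied text, removes the guess. The PHP below is an added example and not OpenCart's search controller: it shows both declarations together with the escaping, decodes the scanner's payload as UTF-7 to show what a sniffing browser would see, and renders a minimal search page. The page skeleton and function names are assumed; the payload is the one from the report.

```php
<?php
// Added example (not OpenCart code): serving the search page so that a
// UTF-7 payload in ?keyword= stays inert. Page skeleton and function names
// are assumed for the demo.

// The scanner's payload, taken from the report quoted above: UTF-7 for
// "</title><script>alert(12345);</script>". It contains no '<', '>', '&'
// or quote bytes, so HTML escaping alone leaves it untouched.
const SCANNER_PAYLOAD = '+ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4';

// What a browser that guessed UTF-7 would make of the payload (mbstring's
// UTF-7 decoder stands in for the browser here).
function decode_as_utf7(string $s): string
{
    return mb_convert_encoding($s, 'UTF-8', 'UTF-7');
}

// Escape untrusted text for an HTML context, naming the byte encoding so
// the escaper treats multi-byte sequences correctly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the page. The charset <meta> is the first element inside <head>,
// ahead of the <title> and of any other text derived from the request.
function search_page_html(string $keyword): string
{
    return '<!DOCTYPE html>' . "\n"
        . '<html><head>' . "\n"
        . '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">' . "\n"
        . '<title>Search - ' . h($keyword) . '</title>' . "\n"
        . '</head><body>' . "\n"
        . '<p>Results for <strong>' . h($keyword) . '</strong></p>' . "\n"
        . '<input type="text" name="keyword" value="' . h($keyword) . '">' . "\n"
        . '</body></html>' . "\n";
}

// Send it. The HTTP header is the authoritative declaration and must be
// emitted before any output; the <meta> tag covers saved or cached copies
// that travel without their headers.
function send_search_page(string $keyword): void
{
    header('Content-Type: text/html; charset=utf-8');
    echo search_page_html($keyword);
}

// Command-line demo: the escaped payload is byte-for-byte the input, the
// UTF-7 decoding shows the markup a sniffing browser would execute, and
// the rendered page declares its charset before the first dynamic byte.
if (PHP_SAPI === 'cli') {
    echo 'Escaped payload : ', h(SCANNER_PAYLOAD), "\n";
    echo 'Decoded as UTF-7: ', decode_as_utf7(SCANNER_PAYLOAD), "\n";
    echo search_page_html(SCANNER_PAYLOAD);
}
```

The header() call is what matters for a live response; the <meta> tag alone is what the thread added, and it only does its job if nothing request-derived precedes it in the document.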
No issues with OpenCart.
There were 4 issues with my hosting, but apparently it is a PCI test issue that a lot of web hosts claim is faulty, because they only check the version number and not the actual version.
http://billing.handsonwebhosting.com/kn ... cle&id=258
Apparently the version check the test does finds "OpenSSH" on my server is 4.3, but it's patched instead of updated, so the version may show 4.3 but has the 5.9 patch. So I've contested the notices.
But nothing warned about OpenCart or the search box or anything.
ControlScan.com is the company that did my scan.
They also reported other warnings about ports, but nothing stopping PCI compliance other than the 4 errors about the OpenSSH that are apparently patched.