Post by Demon5 » Sun Apr 24, 2011 11:45 pm

Warning: Wrong parameter count for strpos() in /home/xxxxx/public_html/xxxxxx/catalog/controller/common/header.php on line 37
Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxxx/public_html/xxxxxx/index.php:96) in /home/xxxxxx/public_html/xxxxxx/vqmod/vqcache/vqcache_system_engine_controller.php on line 27

It doesn't like vqmod, but I'm going to find out if it will pass PCI. An error won't make it fail PCI lol. At least I hope...

Edit: Not vqmod, apparently; it's in another section that I'm searching for. (I wish I were better with coding; it's probably blatantly obvious.)

https://www.lotnllc.com is your one stop shop for all your computer needs!


Post by Xsecrets » Mon Apr 25, 2011 12:23 am

Demon5 wrote:
Warning: Wrong parameter count for strpos() in /home/xxxxx/public_html/xxxxxx/catalog/controller/common/header.php on line 37
Warning: Cannot modify header information - headers already sent by (output started at /home/xxxxxx/public_html/xxxxxx/index.php:96) in /home/xxxxxx/public_html/xxxxxx/vqmod/vqcache/vqcache_system_engine_controller.php on line 27

It doesn't like vqmod, but I'm going to find out if it will pass PCI. An error won't make it fail PCI lol. At least I hope...

Edit: Not vqmod, apparently; it's in another section that I'm searching for. (I wish I were better with coding; it's probably blatantly obvious.)

Sorry, that's actually my fault. I changed the code last minute and made a mistake. Try this code:

Code:

if (isset($this->request->post['redirect'])) {
    // Check the posted target against the configured store URLs
    if (strpos($this->request->post['redirect'], HTTP_SERVER) === false) {
        $redirect_error = true;
    } elseif (strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
        $redirect_error = true;
    } else {
        $redirect_error = false;
    }
    // Fall back to the home page when the target fails the check
    if ($redirect_error == true) {
        $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
    } else {
        $this->redirect($this->request->post['redirect']);
    }
} else {
    // No target posted: go to the home page
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Post by Demon5 » Mon Apr 25, 2011 12:50 am

That fixed the warnings up. Just waiting for the PCI scan to complete. Hopefully it works.

Ugh, I had made the changes to my test site instead of the main one where I was scanning. The demos seem to keep me at my own site now instead of redirecting to McAfee Secure. Rerunning the scan now (again). I think it will work.

Man, when they have you rescan to check a patch they should just rescan that part instead of doing a full 2-hour hack attempt...


Post by Demon5 » Mon Apr 25, 2011 1:21 pm

Good news. That tiny code change makes OpenCart PCI compliant! McAfee passes it now.

I appreciate the help, and I'm sure the other OpenCart users will be happy to see that it can be compliant without loss of function.


Post by Qphoria » Mon Apr 25, 2011 1:30 pm

Xsecrets wrote:

Code:

if (isset($this->request->post['redirect'])) {
    if (strpos($this->request->post['redirect'], HTTP_SERVER) === false) {
        $redirect_error = true;
    } elseif (strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
        $redirect_error = true;
    } else {
        $redirect_error = false;
    }
    if ($redirect_error == true) {
        $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
    } else {
        $this->redirect($this->request->post['redirect']);
    }
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}
It's late here and maybe I'm not seeing it, but couldn't this be simplified to just:

Code:

if (isset($this->request->post['redirect']) && strpos($this->request->post['redirect'], HTTP_SERVER) !== false) {
    $this->redirect($this->request->post['redirect']);
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}


Post by Xsecrets » Mon Apr 25, 2011 7:55 pm

Qphoria wrote:
Xsecrets wrote:

Code:

if (isset($this->request->post['redirect'])) {
    if (strpos($this->request->post['redirect'], HTTP_SERVER) === false) {
        $redirect_error = true;
    } elseif (strpos($this->request->post['redirect'], HTTPS_SERVER) === false) {
        $redirect_error = true;
    } else {
        $redirect_error = false;
    }
    if ($redirect_error == true) {
        $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
    } else {
        $this->redirect($this->request->post['redirect']);
    }
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}

It's late here and maybe I'm not seeing it, but couldn't this be simplified to just:

Code:

if (isset($this->request->post['redirect']) && strpos($this->request->post['redirect'], HTTP_SERVER) !== false) {
    $this->redirect($this->request->post['redirect']);
} else {
    $this->redirect(HTTP_SERVER . 'index.php?route=common/home');
}

Well, I just did it quickly and didn't really want to think too hard. I believe what you have will work, but you would need to add in HTTPS_SERVER, so it would be:

Code:

if (isset($this->request->post['redirect'])
    && strpos($this->request->post['redirect'], HTTP_SERVER) !== false
    && strpos($this->request->post['redirect'], HTTPS_SERVER) !== false) {



Post by Qphoria » Mon Apr 25, 2011 10:21 pm

Good call


Post by Qphoria » Tue Apr 26, 2011 8:58 am

Actually, I think it should be a grouped "||" for the http or https, because it won't necessarily be both but can be one or the other:

Code:

if (isset($this->request->post['redirect'])
    && (strpos($this->request->post['redirect'], HTTP_SERVER) !== false
        || strpos($this->request->post['redirect'], HTTPS_SERVER) !== false)) {


Post by Xsecrets » Tue Apr 26, 2011 11:27 am

Qphoria wrote:
Actually, I think it should be a grouped "||" for the http or https, because it won't necessarily be both but can be one or the other:

Code:

if (isset($this->request->post['redirect'])
    && (strpos($this->request->post['redirect'], HTTP_SERVER) !== false
        || strpos($this->request->post['redirect'], HTTPS_SERVER) !== false)) {

Yeah, you may be right. That's why I went the other way with it; I didn't feel like figuring out the whole not-or-and crap.

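A note on the condition the thread settles on at this point, as an added example rather than code from the thread or from OpenCart: strpos() only asks whether a store URL appears somewhere in the posted redirect value, so a target such as http://evil.example/?next=http://shop.example/ still passes and the customer is sent off the store. The block below puts that substring test next to a check that parses the target and compares scheme, host and port against the configured store URLs. shop.example, evil.example and the function names are made up for the demonstration; HTTP_SERVER and HTTPS_SERVER stand in for OpenCart's config constants.

```php
<?php
// Added example (not code from this thread or from OpenCart). It puts the
// strpos() substring test agreed on above next to a check that parses the
// target URL. shop.example and the function names are made up for the demo;
// HTTP_SERVER / HTTPS_SERVER stand in for OpenCart's config constants.
// Requires PHP 7 or later.
define('HTTP_SERVER',  'http://shop.example/');
define('HTTPS_SERVER', 'https://shop.example/');

// The thread's condition: does either store URL appear *anywhere* in the target?
function redirect_allowed_substring(string $target): bool
{
    return strpos($target, HTTP_SERVER) !== false
        || strpos($target, HTTPS_SERVER) !== false;
}

// Hardened: accept a site-relative path, or an absolute URL whose scheme,
// host and port exactly match one of the configured store URLs.
function redirect_allowed_strict(string $target): bool
{
    // CR or LF in a Location value is a response-header injection attempt.
    if ($target === '' || preg_match('/[\r\n]/', $target) === 1) {
        return false;
    }
    // Site-relative path: exactly one leading slash. "//host/..." and
    // "/\host/..." are protocol-relative and would leave the store.
    if ($target[0] === '/') {
        return !isset($target[1]) || ($target[1] !== '/' && $target[1] !== '\\');
    }
    $t = parse_url($target);
    if ($t === false || !isset($t['scheme'], $t['host'])
        || isset($t['user']) || isset($t['pass'])) {
        return false;
    }
    foreach ([HTTP_SERVER, HTTPS_SERVER] as $base) {
        $b = parse_url($base);
        if (strcasecmp($t['scheme'], $b['scheme']) === 0
            && strcasecmp($t['host'], $b['host']) === 0
            && ($t['port'] ?? null) === ($b['port'] ?? null)) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: two legitimate targets, then the kind of value an
// attacker would put in the posted "redirect" field to bounce a victim.
$cases = [
    'http://shop.example/index.php?route=account/account',
    '/index.php?route=checkout/cart',
    'http://evil.example/?next=http://shop.example/',
    'https://evil.example/http://shop.example/',
    '//evil.example/http://shop.example/',
    "http://shop.example/\r\nSet-Cookie: session=attacker",
];

printf("%-55s %-9s %s\n", 'target', 'substring', 'strict');
foreach ($cases as $c) {
    printf("%-55s %-9s %s\n",
        addcslashes($c, "\r\n"),
        redirect_allowed_substring($c) ? 'allow' : 'deny',
        redirect_allowed_strict($c) ? 'allow' : 'deny');
}
```

Run it with php from the command line. The substring test allows the first target and all four hostile ones (the store URL is present in each of them) while denying the harmless relative path; the strict check allows only the two legitimate targets. In the controller, $this->redirect() would be called with the posted value only when the strict check returns true, falling back to the home page otherwise, exactly as the code above already does for the failing branch.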

Post by Demon5 » Fri May 06, 2011 3:34 am

Make sure you include these changes in 1.5.0. Being PCI compliant will help make OpenCart a dominant cart in the market, which would bring more devs to make modules since more people would use it, which you could make money off. :)


Post by Qphoria » Fri May 06, 2011 4:56 am

Demon5 wrote:
Make sure you include these changes in 1.5.0. Being PCI compliant will help make OpenCart a dominant cart in the market, which would bring more devs to make modules since more people would use it, which you could make money off. :)

Already added to 1.5.0 and 1.4.9.5, but it hasn't affected anything in the past anyway. You are the first to comment, so I'm not too worried that people weren't using it before this.


Post by Demon5 » Sat May 07, 2011 10:37 pm

*shrugs* My domain draws hacker attention, Authorize.Net requires PCI, and McAfee was like "not unless this thingie is fixed" lol. Pretty simple fix though, apparently.


Post by Dabnis » Mon May 09, 2011 10:35 pm

Here is a store for which I have gained PCI compliance, as verified by Trustwave. The logo is in the footer; click on it for Trustwave confirmation.
Hope this helps prove the point that OC is secure enough for PCI compliance. I've not read all of the posts in this thread, but I can confirm that getting this status for the site involved more server admin changes than anything within the OC framework.

The site: http://pdr-tools.us


Post by jannypan » Fri May 13, 2011 10:47 am

What do you mean by they are modular and not at the OpenCart level? Other shopping carts are having to rewrite the payment modules even when they do NOT store credit cards and DO support SSL in order to pass PA-DSS requirements. According to PA-DSS, the shopping cart vendor is responsible for making sure the payment modules are compliant.


Post by mwd » Fri May 13, 2011 9:05 pm

Am I correct in assuming this has been resolved now and should be marked [solved] to avoid any confusion?

Use it? Like it? Want to support it but don't know how? Send a donation to show your appreciation.
Daniel's PayPal address - donate@opencart.com
Qphoria's Paypal address - qphoria@gmail.com



Post by Demon5 » Mon May 16, 2011 8:16 am

I can't speak for other payment modules, but with the Authorize.Net AIM module and these small changes from this thread the cart IS PCI compliant.


Post by kdmp » Wed Aug 10, 2011 10:52 am

I just recently had a HackerGuardian scan done and it indicated this for 1.4.9.1:

Status: Fail (This must be resolved for your device to be compliant).
Plugin: "Non-persistent Cross-Site Scripting Vulnerability"
Category: "CGI abuses : XSS"
Priority: "Medium Priority"
Description: The following CGI script seems to be vulnerable to a non-persistent XSS hole: /index.php
Unsafe arguments: keyword
Unsafe URLs: /index.php?keyword=%2bADw-%2ftitle%2bAD4APA-script%2bAD4-alert(12345)%2bADsAPA-%2fscript%2bAD4&route=product%2fsearch (XSS pattern: +ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4)
An attacker may change 'Content-Type' and 'Charset' for a dynamically generated site, include some script in UTF-7 in the page header and execute it for destructive actions.
Risk factor: Medium / CVSS Base Score: 4.3
Solution: Always set 'Content-Type' and 'Charset' for the HTML page via a 'meta' tag before any changeable info.

I am not sure if this is something with the host or with OpenCart.

Kevin Davidson
Purolator Shipping Module
Canpar Shipping Module
VQMod - Paypal Transaction ID to Payment Details



Post by Qphoria » Wed Aug 10, 2011 11:26 am

kdmp wrote:
I just recently had a HackerGuardian scan done and it indicated this for 1.4.9.1:

Status: Fail (This must be resolved for your device to be compliant).
Plugin: "Non-persistent Cross-Site Scripting Vulnerability"
Category: "CGI abuses : XSS"
Priority: "Medium Priority"
Description: The following CGI script seems to be vulnerable to a non-persistent XSS hole: /index.php
Unsafe arguments: keyword
Unsafe URLs: /index.php?keyword=%2bADw-%2ftitle%2bAD4APA-script%2bAD4-alert(12345)%2bADsAPA-%2fscript%2bAD4&route=product%2fsearch (XSS pattern: +ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4)
An attacker may change 'Content-Type' and 'Charset' for a dynamically generated site, include some script in UTF-7 in the page header and execute it for destructive actions.
Risk factor: Medium / CVSS Base Score: 4.3
Solution: Always set 'Content-Type' and 'Charset' for the HTML page via a 'meta' tag before any changeable info.

I am not sure if this is something with the host or with OpenCart.

I'm actually having a PCI scan done tomorrow on my site, so I will share the results of that and compare notes. I am using v1.4.9.6. I have added the following line to my header.tpl file right under the <title> tags:

Code:

<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

which appears to be what your scan is complaining about. Though I've tested the XSS they used and it doesn't do anything bad. The server validates that.

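As an added example, not code from the post above or from OpenCart, the block below shows why a scanner flags the search keyword even when the application escapes it: the pattern +ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4 contains none of the characters htmlspecialchars() touches, so it reaches the page unchanged, and a browser that guesses an undeclared encoding as UTF-7 reads it as </title><script>alert(12345);</script>. It then renders a stand-in search page with and without a charset declaration. Two placement details follow from the scan report's own solution line ("before any changeable info"): the declaration belongs above the <title>, because on the search page the title already carries the keyword, and the HTTP Content-Type header should carry the charset as well, since the header takes precedence over a meta tag. The markup and the function names are made up for the demonstration.

```php
<?php
// Added example (not OpenCart code): how the scanner's UTF-7 payload gets
// past byte-level HTML escaping, and what declaring the charset changes.
// The markup is a stand-in for the search page, not OpenCart's header.tpl.
// Requires PHP 5.4 or later with the mbstring extension.

// The exact "XSS pattern" string from the scan report.
const SCANNER_PAYLOAD = '+ADw-/title+AD4APA-script+AD4-alert(12345)+ADsAPA-/script+AD4';

// The usual output encoding: escapes & < > " ' in a UTF-8 string.
function escape_html($s)
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// What a browser that decided the document is UTF-7 would parse.
function as_utf7($s)
{
    return mb_convert_encoding($s, 'UTF-8', 'UTF-7');
}

// Minimal search page. Returns headers and body separately so this runs
// from the CLI; in the application the header line would go through header().
function render_search($keyword, $declare_charset)
{
    $content_type = 'Content-Type: text/html' . ($declare_charset ? '; charset=utf-8' : '');
    $meta = $declare_charset
        ? '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">' . "\n"
        : '';
    // The charset declaration has to come before the first attacker-influenced
    // bytes. On the search page that is the <title>, which carries the keyword,
    // so the meta tag goes above it, not below it.
    $body = "<!DOCTYPE html>\n<html>\n<head>\n" . $meta
          . '<title>Search - ' . escape_html($keyword) . "</title>\n"
          . "</head>\n<body>\n<p>Results for: " . escape_html($keyword) . "</p>\n</body>\n</html>\n";
    return array('headers' => array($content_type), 'body' => $body);
}

// 1. The payload has no <, >, &, or quotes, so escaping leaves it untouched.
echo "escape_html() changed the payload: ",
     escape_html(SCANNER_PAYLOAD) === SCANNER_PAYLOAD ? 'no' : 'yes', "\n";

// 2. Read as UTF-7 it is a closing </title> followed by a <script> block.
echo "payload decoded as UTF-7: ", as_utf7(SCANNER_PAYLOAD), "\n\n";

// 3. Same keyword, with and without a declared charset.
foreach (array(false, true) as $declare) {
    $page = render_search(SCANNER_PAYLOAD, $declare);
    echo '--- charset ', $declare ? 'declared' : 'not declared', " ---\n";
    echo implode("\n", $page['headers']), "\n\n", $page['body'], "\n";
}
```

Run it with php from the command line. The first line reports that escaping left the payload unchanged, the second prints the UTF-7 decoding, and the two rendered pages differ only in the Content-Type header and the meta tag, which is the entire fix the scanner asks for: once the browser is told the document is UTF-8, the bytes +ADw- are just the literal characters they appear to be.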

Post by kdmp » Thu Aug 11, 2011 9:03 pm

Thanks Q,

Will watch for your results.

Kevin


Post by Qphoria » Thu Aug 11, 2011 10:33 pm

I got my results, actually.

No issues with OpenCart.
There were 4 issues with my hosting, but apparently it is a PCI test issue that a lot of web hosts claim is faulty, because the test only checks the version number rather than actually testing the version.
http://billing.handsonwebhosting.com/kn ... cle&id=258

Apparently the version check the test does finds that OpenSSH on my server is 4.3, but it's patched instead of updated, so the version may show 4.3 but it has the 5.9 patch. So I've contested the notices.

But nothing warned about OpenCart or the search box or anything.

ControlScan.com is the company that did my scan.

They also reported other warnings about ports, but nothing stopping PCI compliance other than the 4 errors about OpenSSH that are apparently patched.
