[RELEASED] CSRF Protection Form

Quote

Post by straightlight » Sat Jan 28, 2012 1:22 am

This form protection library will allow each customers and administrators to post data from web forms within a forced CSRF generated token. If this token cannot be generated, a CSRF failed message will appear and will automatically exit the session for protection purposes. This add-on will also protect GETs and POSTs data from the admin whether the token comes from URL or from forms. From now on, both uses the same generated token in order to fully protect OpenCart.

http://www.opencart.com/index.php?route ... order=DESC

This topic will also be useful for support when required. Whatever you do when you ask support, do NOT post the generated token ID with it for your own safety and your customers.

// How to test ?
Once installed for the first time, clear all cache and cookies from browser. Close your browser, re-open your browser and go to the admin section. Then, go to your view source of your browser and search for: <form . Below that line, you should see a new hidden input line. If you try to remove it from XML and retry the page again once the login form posted, you should see an error message that the CSRF protection has failed which means the token was not recognized. In other words, DON"T remove it for your own safety and customers. You may try the same step on the front-end. From the header, you should already notice the same result.

Note: If you use a custom template or use an admin contribution that requires a form usage, just assure to check for each:

Code: Select all

<form
and add to the next line:

Code: Select all

<?php echo $this->csrf->csrf_form_input(); ?>
This will set protection to your web forms. As for the rest of the web forms within the core, all has now been protected.

Followed are information about what CSRF attackers may collect from websites or via an API: https://www.owasp.org/index.php/Cross-S ... heat_Sheet
Last edited by straightlight on Thu Mar 29, 2018 6:09 pm, edited 2 times in total.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Thu Feb 02, 2012 12:33 am

[Feb 1st, 2012]
- BugFix: Module contributors were ending up with the module setting key with a duplicated key of the CSRF name and value in the setting table. The duplication has now been removed.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Wed Feb 08, 2012 10:16 pm

It appears there were some missing instructions from the ZIP files. I have now updated the file. The contribution should fully work now. Make sure to read the readme.txt file.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by annelim » Sat Mar 24, 2012 7:45 pm

how is work actually ? any demo? is it support 1.5.2.1 ?
annelim
Active Member
Posts
116
Joined
Fri Oct 28, 2011 5:13 pm
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Sat Mar 24, 2012 8:03 pm

Simply read the README file's instructions. A demo would only be good for showing the view source with the token in this case which would be kind of useless to demonstrate since once you understand those easy instructions, you won't need to see that demo since the results are about protecting users from one line added on each HTML forms (which almost all of them has already been provided from XML) and, yes, it works on v1.5.2.1 release. ;)

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by annelim » Sat Apr 14, 2012 5:30 pm

error generate from vqmod
Could not resolve path for [admin/view/template/localisation/manufacturer_class_form.tpl]
Could not resolve path for [admin/view/template/localisation/manufacturer_class_list.tpl]
Could not resolve path for [admin/view/template/tool/sqlpatch.tpl] < ---------this wasn't exist in directory
Could not resolve path for [catalog/view/theme/default/template/edit/affiliate.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/forgotten.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/login.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/password.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/payment.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/register.tpl]
Could not resolve path for [catalog/view/theme/default/template/checkout/voucher.tpl]
Could not resolve path for [catalog/view/theme/default/template/payment/asiapay.tpl]
Could not resolve path for [catalog/view/theme/default/template/payment/authorizenet_sim_index.tpl]
SEARCH NOT FOUND (ABORTING MOD): $this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "', serialized = '0'");

second when click on any link in admin error
Fatal error: Call to a member function csrf_form_input() on a non-object in /home/vqmod/vqcache/vq2-admin_view_template_setting_store_list.tpl on line 22

any solution ? version 1.5.2.1
annelim
Active Member
Posts
116
Joined
Fri Oct 28, 2011 5:13 pm
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Sat Apr 14, 2012 8:18 pm

From the XML, replace this block:

Code: Select all

<operation>
			<search position="after"><![CDATA[$this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "', serialized = '0'");]]></search>
			<add><![CDATA[
			}
			]]>
			</add>
		</operation>
with:

Code: Select all

<operation>
			<search position="after"><![CDATA[$this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "'");]]></search>
			<add><![CDATA[
			}
			]]>
			</add>
		</operation>
Note: This is NOT a bug.

As for the TPL error, of course, the line couldn't be tracked so no specific way for the CSRF object to be found from that point. The correction above should take care of the problem.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by problemchild » Wed Jul 11, 2012 5:40 pm

First of all thank you for addressing the CSRF issue, I have gotten almost everything to work now at the pages I am working on.. the only "little" snag is the javascript POST commands (when adding to cart/wishlist/comparison).

If I understood the previous posts correctly, these javascript POSTS also would need some kind of csrf-code addition to function properly? (like with <form, the <?php echo $this->csrf->csrf_form_input(); ?> code-addition) ???

The parts I think need the addition are located in product.tpl near lines 339&340 and 415&416 in default-theme, and perhaps(may vary if other code additions) in custom theme(in my case Carbon) near lines 328&329, 404&405. Line numbers taken from Notepad++. Code parts in question:

Code: Select all

url: 'index.php?route=checkout/cart/add',
type: 'post',
and

Code: Select all

url: 'index.php?route=product/product/write&product_id=<?php echo $product_id; ?>',
type: 'post',
I ask this because maybe I have missed something/doing something wrong. I am using Windows 7 and latest Firefox(also tested with latest IE). Oh, and my Opencart version is 1.5.2.1. My first ever post to opencart btw, so if you need more information regarding the issue, please let me know.

ps. had still some forms(in checkout/cart.tpl) without the <?php echo $this->csrf->csrf_form_input(); ?> -code, but now really in need of help. Well back to to wondering what I have missed.
problemchild
Newbie
Posts
1
Joined
Wed Jul 11, 2012 5:29 pm
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Sun Jul 15, 2012 4:49 am

It might be possible that missing locations may be involved. When I created the XML file, I did tried to add the:

Code: Select all

<?php echo $this->csrf->csrf_form_input(); ?>
in most places as possible, though.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by Alexisander » Thu Nov 08, 2012 10:40 pm

Hello,

As i said in the market:

I use OC 1.5.3.1 and i get this when trying to login in admin:

Fatal error: Call to a member function csrf_form_input() on a non-object in /home/netvoltr/public_html/vqmod/vqcache/vq2-admin_view_template_common_login.tpl on line 16

Why? :) THX!!!

I have tryed what u have wrote a little bit up but no succes, i only use VQmod for captcha code when login as admin. Nothing else motified from core.
Alexisander
Active Member
Posts
116
Joined
Mon Jul 18, 2011 10:11 pm
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Thu Nov 08, 2012 10:43 pm

Nothing else motified from core.
Modifying files from core can affect the line target where the XML needs to add content into the vqcache files which I believe may be the reason why you're currently seeing this error message.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by Alexisander » Thu Nov 08, 2012 10:45 pm

Also tryed on a fresh install and same error...
Alexisander
Active Member
Posts
116
Joined
Mon Jul 18, 2011 10:11 pm
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Thu Nov 08, 2012 10:47 pm

I definitely can't reproduce this problem on a fresh install. Send me a PM for assistance.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Thu Nov 08, 2012 10:56 pm

In the mean time, see if this helps. In system/library/crsf.php file,

replace:

Code: Select all

final class
with:

Code: Select all

class
Will this help from your fresh install ?

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by Alexisander » Thu Nov 08, 2012 10:57 pm

I have installed OC 1.5.3.1 and vqmod, i have uploaded your files and i get this error. Thats all i have done, i have tryed it on 2 fresh installs.
Alexisander
Active Member
Posts
116
Joined
Mon Jul 18, 2011 10:11 pm
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Thu Nov 08, 2012 10:58 pm

Apply the step above and see if it works.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by Alexisander » Thu Nov 08, 2012 11:03 pm

same error...
Alexisander
Active Member
Posts
116
Joined
Mon Jul 18, 2011 10:11 pm
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Thu Nov 08, 2012 11:04 pm

Can't reproduce either. Send me a PM for assistance.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by limurchick » Fri Jul 11, 2014 4:21 pm

Seems that author forgot to add csrf.php file to archive. :( Any link ???
limurchick
Newbie
Posts
1
Joined
Fri Jul 11, 2014 4:21 pm
Top

Re: [RELEASED] CSRF Protection Form

Quote

Post by straightlight » Mon Jul 14, 2014 11:12 pm

The package will be updated soon.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer

straightlight
Administrator
Posts
13344
Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Top
Post Reply
Return to “Free Contributions”
Who is online

Users browsing this forum: No registered users and 8 guests