[RELEASED] CSRF Protection Form

Post Reply

285 posts

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Sat Jan 28, 2012 1:22 am

This form protection library will allow each customers and administrators to post data from web forms within a forced CSRF generated token. If this token cannot be generated, a CSRF failed message will appear and will automatically exit the session for protection purposes. This add-on will also protect GETs and POSTs data from the admin whether the token comes from URL or from forms. From now on, both uses the same generated token in order to fully protect OpenCart.

http://www.opencart.com/index.php?route ... order=DESC

This topic will also be useful for support when required. Whatever you do when you ask support, do NOT post the generated token ID with it for your own safety and your customers.

// How to test ?
Once installed for the first time, clear all cache and cookies from browser. Close your browser, re-open your browser and go to the admin section. Then, go to your view source of your browser and search for: <form . Below that line, you should see a new hidden input line. If you try to remove it from XML and retry the page again once the login form posted, you should see an error message that the CSRF protection has failed which means the token was not recognized. In other words, DON"T remove it for your own safety and customers. You may try the same step on the front-end. From the header, you should already notice the same result.

Note: If you use a custom template or use an admin contribution that requires a form usage, just assure to check for each:

Code: Select all

<form

and add to the next line:

Code: Select all

<?php echo $this->csrf->csrf_form_input(); ?>

This will set protection to your web forms. As for the rest of the web forms within the core, all has now been protected.

Followed are information about what CSRF attackers may collect from websites or via an API: https://www.owasp.org/index.php/Cross-S ... heat_Sheet

Last edited by straightlight on Thu Mar 29, 2018 6:09 pm, edited 2 times in total.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.

Regards,
Straightlight
Programmer / Opencart Tester

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Thu Feb 02, 2012 12:33 am

[Feb 1st, 2012]
- BugFix: Module contributors were ending up with the module setting key with a duplicated key of the CSRF name and value in the setting table. The duplication has now been removed.

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Wed Feb 08, 2012 10:16 pm

It appears there were some missing instructions from the ZIP files. I have now updated the file. The contribution should fully work now. Make sure to read the readme.txt file.

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

annelim

Active Member

Posts

116

Joined

Fri Oct 28, 2011 5:13 pm

Post by annelim » Sat Mar 24, 2012 7:45 pm

how is work actually ? any demo? is it support 1.5.2.1 ?

annelim

Active Member

Posts

116

Joined

Fri Oct 28, 2011 5:13 pm

Re: [RELEASED] CSRF Protection Form

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Sat Mar 24, 2012 8:03 pm

Simply read the README file's instructions. A demo would only be good for showing the view source with the token in this case which would be kind of useless to demonstrate since once you understand those easy instructions, you won't need to see that demo since the results are about protecting users from one line added on each HTML forms (which almost all of them has already been provided from XML) and, yes, it works on v1.5.2.1 release.

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

annelim

Active Member

Posts

116

Joined

Fri Oct 28, 2011 5:13 pm

Post by annelim » Sat Apr 14, 2012 5:30 pm

error generate from vqmod
Could not resolve path for [admin/view/template/localisation/manufacturer_class_form.tpl]
Could not resolve path for [admin/view/template/localisation/manufacturer_class_list.tpl]
Could not resolve path for [admin/view/template/tool/sqlpatch.tpl] < ---------this wasn't exist in directory
Could not resolve path for [catalog/view/theme/default/template/edit/affiliate.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/forgotten.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/login.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/password.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/payment.tpl]
Could not resolve path for [catalog/view/theme/default/template/edit/register.tpl]
Could not resolve path for [catalog/view/theme/default/template/checkout/voucher.tpl]
Could not resolve path for [catalog/view/theme/default/template/payment/asiapay.tpl]
Could not resolve path for [catalog/view/theme/default/template/payment/authorizenet_sim_index.tpl]
SEARCH NOT FOUND (ABORTING MOD): $this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "', serialized = '0'");

second when click on any link in admin error
Fatal error: Call to a member function csrf_form_input() on a non-object in /home/vqmod/vqcache/vq2-admin_view_template_setting_store_list.tpl on line 22

any solution ? version 1.5.2.1

annelim

Active Member

Posts

116

Joined

Fri Oct 28, 2011 5:13 pm

Re: [RELEASED] CSRF Protection Form

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Sat Apr 14, 2012 8:18 pm

From the XML, replace this block:

Code: Select all

<operation>
			<search position="after"><![CDATA[$this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "', serialized = '0'");]]></search>
			<add><![CDATA[
			}
			]]>
			</add>
		</operation>

with:

Code: Select all

<operation>
			<search position="after"><![CDATA[$this->db->query("INSERT INTO " . DB_PREFIX . "setting SET store_id = '" . (int)$store_id . "', `group` = '" . $this->db->escape($group) . "', `key` = '" . $this->db->escape($key) . "', `value` = '" . $this->db->escape($value) . "'");]]></search>
			<add><![CDATA[
			}
			]]>
			</add>
		</operation>

Note: This is NOT a bug.

As for the TPL error, of course, the line couldn't be tracked so no specific way for the CSRF object to be found from that point. The correction above should take care of the problem.

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

problemchild

Newbie

Posts

Joined

Wed Jul 11, 2012 5:29 pm

Post by problemchild » Wed Jul 11, 2012 5:40 pm

First of all thank you for addressing the CSRF issue, I have gotten almost everything to work now at the pages I am working on.. the only "little" snag is the javascript POST commands (when adding to cart/wishlist/comparison).

If I understood the previous posts correctly, these javascript POSTS also would need some kind of csrf-code addition to function properly? (like with <form, the <?php echo $this->csrf->csrf_form_input(); ?> code-addition)

The parts I think need the addition are located in product.tpl near lines 339&340 and 415&416 in default-theme, and perhaps(may vary if other code additions) in custom theme(in my case Carbon) near lines 328&329, 404&405. Line numbers taken from Notepad++. Code parts in question:

Code: Select all

url: 'index.php?route=checkout/cart/add',
type: 'post',

and

Code: Select all

url: 'index.php?route=product/product/write&product_id=<?php echo $product_id; ?>',
type: 'post',

I ask this because maybe I have missed something/doing something wrong. I am using Windows 7 and latest Firefox(also tested with latest IE). Oh, and my Opencart version is 1.5.2.1. My first ever post to opencart btw, so if you need more information regarding the issue, please let me know.

ps. had still some forms(in checkout/cart.tpl) without the <?php echo $this->csrf->csrf_form_input(); ?> -code, but now really in need of help. Well back to to wondering what I have missed.

problemchild

Newbie

Posts

Joined

Wed Jul 11, 2012 5:29 pm

Re: [RELEASED] CSRF Protection Form

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Sun Jul 15, 2012 4:49 am

It might be possible that missing locations may be involved. When I created the XML file, I did tried to add the:

Code: Select all

<?php echo $this->csrf->csrf_form_input(); ?>

in most places as possible, though.

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

Alexisander

Active Member

Posts

116

Joined

Mon Jul 18, 2011 10:11 pm

Post by Alexisander » Thu Nov 08, 2012 10:40 pm

Hello,

As i said in the market:

I use OC 1.5.3.1 and i get this when trying to login in admin:

Fatal error: Call to a member function csrf_form_input() on a non-object in /home/netvoltr/public_html/vqmod/vqcache/vq2-admin_view_template_common_login.tpl on line 16

Why?

THX!!!

I have tryed what u have wrote a little bit up but no succes, i only use VQmod for captcha code when login as admin. Nothing else motified from core.

Alexisander

Active Member

Posts

116

Joined

Mon Jul 18, 2011 10:11 pm

Re: [RELEASED] CSRF Protection Form

straightlight

Legendary Member

Posts

17494

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Thu Nov 08, 2012 10:43 pm

Nothing else motified from core.

Modifying files from core can affect the line target where the XML needs to add content into the vqcache files which I believe may be the reason why you're currently seeing this error message.