Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
For users who have already installed the recent version, simply replace system/helper/csrf_helper.php with the new one from the delivered package on the Marketplace. This will NOT affect any customer activities during their visits to the site. The helper file is totally safe to replace without setting the store under maintenance. Be sure to clear the OC cache, however.
straightlight wrote: ↑Sat Jan 28, 2012 1:22 am
// How to test ?
...
Below that line, you should see a new hidden input line. If you try to remove it from the XML and retry the page once the login form has posted, you should see an error message that the CSRF protection has failed, which means the token was not recognized.

Can you describe how to "remove it from XML" to test that the error message appears?
Code:
<!--<file ...
</file>-->
sfbh wrote: ↑Fri Mar 30, 2018 1:37 am
I found another explanation of CSRF and finally I understand it (previous explanations weren't in plain language that I could understand). Based on this explanation it seems very unlikely that CSRF is being used to create the fake customer and affiliate accounts that I have been experiencing each day. And therefore a CSRF token is not the fix that I need to address this problem. It seems that recaptcha is the appropriate solution to my issue. I hope this helps provide clarity for others.
https://stackoverflow.com/questions/520 ... es-it-work
sfbh wrote: I found another explanation of CSRF and finally I understand it (previous explanations weren't in plain language that I could understand).

No worries. It is likely on the forum that 99% of the issues users report aren't about OC's actual issues anyhow.

sfbh wrote: And therefore a CSRF token is not the fix that I need to address this problem. It seems that recaptcha is the appropriate solution to my issue. I hope this helps provide clarity for others.

Here's the version of the clarity that I have. The CSRF protection does indeed not prevent spam, but it prevents floods from occurring on HTML POST forms when spammers attempt to overflow these web forms. That being said, it has also not been said anywhere that the CSRF Protection Form prevents spam attacks on the Marketplace. While re-captcha is the additional solution, I have mentioned in multiple places on the forum that installing re-captcha along with the CSRF protection, to protect against floods and spam, improves the protection of stores.

Due to your lack of understanding and false publicity of analysis on the public forum and on MY TOPIC, your post has now been reported in order to be removed.

For other users in the future to understand the stability of this release: there is nothing wrong with the CSRF Protection Form extension. The extension itself is delivered for free on the Marketplace, and only those who require this extension to be installed for them are charged. The installation itself requires no fee from the Marketplace. So far, I do not recall deceiving ANYONE during custom jobs, and I intend to keep it that way.
ameliaa wrote: ↑Fri Mar 23, 2018 10:44 am
Is this mod really working? I installed it on both my sites. Still receiving registration spam (lots of it), even affiliate spam.
OC Version: 2.0.1.1 and 2.0.3.1
URLs:
https://bit.ly/2pxDAtx
https://bit.ly/2pxgpP6

straightlight wrote: ↑Fri Mar 23, 2018 6:33 pm
As questioned above to other users, are you using any social login extensions or remote logins to your site?

Social logins? You mean like facebook, etc? The answer is no. Login is purely via email.
- viewtopic.php?f=190&t=203222&p=718991#p718991
- viewtopic.php?f=190&t=203222&p=718991#p719045
Obviously, the 2nd post will lead back here, but it's just to show that running both together is the best solution to improve your site's protection.
I have a custom template and this hidden tag was not added automatically to the HTML.
Code:
<form action="https://..../index.php?route=account/login" method="post" enctype="multipart/form-data">
And login.twig in the \web\catalog\view\theme\default\template folder.
However, when I checked the results this tag was not working; for example, this is what I get:
Code:
<form action="https://..../index.php?route=account/login" method="post" enctype="multipart/form-data"><?php echo $this->csrf->csrf_form_input(); ?>
Only in the OC admin login could I identify that it works:
Code:
<form action="https://..../admin/index.php?route=common/login" method="post" enctype="multipart/form-data"><input type="hidden" name="__csrf" value="....">
Code:
<?php echo $this->csrf->csrf_form_input(); ?>
Code:
<file name="admin/controller/common/header.php" error="skip">
<operation error="skip">
<search position="before"><![CDATA[$data['scripts']]]></search>
<add><![CDATA[
$this->load->helper('csrf_helper');
csrf_start();
]]></add>
</operation>
</file>
zlib.output_compression is now turned on. No changes:
Code:
<form action="https://..../index.php?route=account/login" method="post" enctype="multipart/form-data">
<div class="form-group">
<label class="control-label" for="input-email">E-Mail Address</label>
<input type="text" name="email" value="" placeholder="E-Mail Address" id="input-email" class="form-control" />
</div>
<div class="form-group">
<label class="control-label" for="input-password">Password</label>
<input type="password" name="password" value="" placeholder="Password" id="input-password" class="form-control" />
<a href="https://..../index.php?route=account/forgotten">Forgotten Password</a></div>
<input type="submit" value="Login" class="btn btn-primary" />
</form>
In the csrf.xml file, remove the block of code:
Code:
<file name="catalog/controller/common/header.php" error="skip">
<operation error="skip">
<search position="before"><![CDATA[$this->data['scripts']]]></search>
<add><![CDATA[
$this->load->helper('csrf_helper');
csrf_start();
]]></add>
</operation>
</file>
Code:
<file name="catalog/view/theme/*/template/information/*.twig" error="skip">
<operation error="skip">
<search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~]]></search>
<add><![CDATA[$1]]></add>
</operation>
</file>
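As an added example (not the CSRF Protection Form extension's own code, and not posted by anyone in this thread), the stand-alone PHP below sketches the mechanism the thread keeps returning to: a helper that csrf_start() initialises and csrf_form_input() emits as a hidden __csrf field, a server-side check that fails when the field is missing or wrong (the "remove it from XML" test described earlier), and a regex pass in the spirit of the OCMOD <search regex="true"> block that appends the hidden input after every POST <form> tag. Only the names csrf_start, csrf_form_input and __csrf come from the thread; the csrf_validate and inject_csrf_into_forms names, the $session array standing in for $_SESSION, the case-insensitive ~...~i flag, and the sample template are assumptions made for this example.

```php
<?php
// Added example, not the CSRF Protection Form extension's own code.
// Assumptions: $session stands in for $_SESSION so the script runs offline;
// csrf_validate() and inject_csrf_into_forms() are names chosen here; the
// template string further down is constructed, not taken from a real store.

function csrf_start(array &$session): string
{
    // One 256-bit random token per session, reused for its lifetime so that
    // several open tabs of the same customer keep working.
    if (empty($session['__csrf'])) {
        $session['__csrf'] = bin2hex(random_bytes(32));
    }
    return $session['__csrf'];
}

function csrf_form_input(array &$session): string
{
    // The hidden field the thread refers to: <input type="hidden" name="__csrf" ...>
    $token = htmlspecialchars(csrf_start($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="__csrf" value="' . $token . '">';
}

function csrf_validate(array $session, array $post): bool
{
    // Fail closed: no session token, no posted token, or a non-string value.
    if (empty($session['__csrf']) || !isset($post['__csrf']) || !is_string($post['__csrf'])) {
        return false;
    }
    // Constant-time comparison so a forger learns nothing from response timing.
    return hash_equals($session['__csrf'], $post['__csrf']);
}

function inject_csrf_into_forms(string $html, array &$session): string
{
    // Same capture group as the OCMOD search in the thread; the "i" flag is an
    // assumption here so that method="POST" and method="post" both match.
    $pattern = '~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i';
    $input   = csrf_form_input($session);
    return preg_replace_callback(
        $pattern,
        static function (array $m) use ($input): string {
            return $m[1] . $input;   // re-emit the opening tag, then the hidden field
        },
        $html
    );
}

// --- Constructed demonstration data (made up for this example) ---
$session  = [];
$template = '<form action="index.php?route=account/login" method="post" enctype="multipart/form-data">'
          . '<input type="text" name="email"><input type="password" name="password"></form>'
          . '<form action="index.php?route=product/search" method="GET"><input name="search"></form>';

// Only the POST form should gain a hidden __csrf field; the GET form is left alone.
$rendered = inject_csrf_into_forms($template, $session);
echo 'hidden __csrf fields in rendered page: ' . substr_count($rendered, 'name="__csrf"') . "\n";

// A genuine submission echoes the session token back.
$genuine = ['email' => 'a@example.com', 'password' => 'x', '__csrf' => $session['__csrf']];
// The "remove it from XML" test from the thread: the field is missing entirely.
$missing = ['email' => 'a@example.com', 'password' => 'x'];
// A cross-site forgery cannot read the victim's session token and has to guess.
$forged  = ['email' => 'a@example.com', 'password' => 'x', '__csrf' => str_repeat('0', 64)];

foreach (['genuine' => $genuine, 'missing token' => $missing, 'forged token' => $forged] as $label => $post) {
    echo $label . ': ' . (csrf_validate($session, $post) ? 'accepted' : 'CSRF protection failed') . "\n";
}
```

Run it with php on the command line. Note that the regex pass here operates on a rendered HTML string, whereas the OCMOD block in the thread rewrites the .twig template file itself. That difference matters for the literal <?php echo $this->csrf->csrf_form_input(); ?> seen earlier in a rendered login form: Twig prints a PHP tag as plain text rather than executing it, so for a Twig theme the string returned by csrf_form_input() has to be produced in PHP and handed to the template as a variable, or injected into the output as above.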
ameliaa wrote: ↑Mon Apr 16, 2018 1:38 pm
I have disabled affiliate registrations so I am no longer receiving affiliate spam.
For customer registrations, I have stopped receiving fake registrations on one website (opencart 2.0.1.1). However, I am still receiving a ton of fake registrations on another site (opencart 2.0.3.1). Any idea why the mod is working on one site but not the other?

Disabling the affiliate system won't solve the issue, since customer registrations can still be spammed. This support forum is for CSRF Protection Form troubleshooting / inquiries, not for general support. Is the CSRF token showing in your view source after adding the extension?
The instructions above were simply about adding the information block to see if you were able to see the CSRF input in the view source. Your XML file shows all TWIG folders, which makes troubleshooting harder. Instructions not followed. In the meantime, you seem to have spaces between [ ~ and ~i ] and also around [ $1 ]. None of these may contain any spaces.
I have updated the script but it still does not work.