Post by straightlight » Thu Mar 29, 2018 6:10 pm

The first post has now been updated for users to get more information about what CSRF attackers do.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by straightlight » Thu Mar 29, 2018 7:42 pm

[29-03-2018] - The CSRF helper has been improved with a stronger algorithm form or string for better protection and also PHP 7+ compatibility.

For users that have already installed the recent version, simply replace the system/helper/csrf_helper.php with the new one from the delivered package on the Marketplace. This will NOT affect any customer activities during their visits to the site. The helper file is totally safe to replace without setting the store under maintenance. Ensure to clear the OC cache, however.


Post by sfbh » Fri Mar 30, 2018 12:26 am

straightlight wrote:
Sat Jan 28, 2012 1:22 am
// How to test ?
...
Below that line, you should see a new hidden input line. If you try to remove it from XML and retry the page again once the login form posted, you should see an error message that the CSRF protection has failed which means the token was not recognized.
Can you describe how to "remove it from XML" to test that the error message appears?

Newbie

Posts

Joined
Sun Apr 16, 2017 4:51 am

Post by straightlight » Fri Mar 30, 2018 12:39 am

Simply comment out your XML file from the opening <file tag to the closing </file> tag, like this:

Code:

<!--<file ...

and:

Code:

</file>-->

You can also disable the XML file by renaming the file extension or by disabling it from the VQMod Manager. Although, by doing that, ensure to log in to your OC admin first. Then click on your store from the dropdown menu when testing.


Post by straightlight » Fri Mar 30, 2018 1:59 am

sfbh wrote:
Fri Mar 30, 2018 1:37 am
I found another explanation of CSRF and finally I understand it (previous explanations weren't in plain language that I could understand). Based on this explanation it seems very unlikely that CSRF is being used to create the fake customer and affiliate accounts that I have been experiencing each day. And therefore a CSFR token is not the fix that I need to address this problem. It seems that recaptcha is the appropriate solution to my issue. I hope this helps provide clarity for others.

https://stackoverflow.com/questions/520 ... es-it-work
I found another explanation of CSRF and finally I understand it (previous explanations weren't in plain language that I could understand).
No worries. It is likely on the forum that 99% of the users who report issues aren't about OC's actual issues anyhow.
And therefore a CSFR token is not the fix that I need to address this problem. It seems that recaptcha is the appropriate solution to my issue. I hope this helps provide clarity for others.
Here's the version of the clarity that I have. The CSRF does indeed not prevent SPAM but prevents floods from occurring on HTML post forms when spammers attempt to over-flood these web forms. That being said, it has also not been said in any case that the CSRF Protection form prevents SPAM attacks on the Marketplace. While the re-captcha is the additional solution, I have mentioned in multiple places on the forum that also installing the re-captcha along with the CSRF protection to protect against floods & spam was improving protection to the stores.

Due to your lack of understanding and false publicity of analysis on the public forum and on MY TOPIC - your post has now been reported in order to be removed.

As for other users in the future to understand the stability of this release, there's nothing wrong with the CSRF Protection Form extension. The extension itself has been delivered for free on the Marketplace and is only charged to those who require this extension to be installed. The installation itself requires no fee from the Marketplace. So far, I haven't recalled deceiving ANYONE during the custom jobs, as I intend to keep it that way.


Post by ameliaa » Sat Mar 31, 2018 10:56 am

straightlight wrote:
Fri Mar 23, 2018 6:33 pm
ameliaa wrote:
Fri Mar 23, 2018 10:44 am
Is this mod really working? I installed on both my sites. Sill receiving registration spam (lots of it), even affiliate spam.

OC Version: 2.0.1.1 and 2.0.3.1
URLs:
https://bit.ly/2pxDAtx
https://bit.ly/2pxgpP6
As questioned on the above to other users, are you using any social logins extensions or remote logins to your site?
Social logins? You mean like facebook, etc? The answer is no. Login is purely via email.

New member

Posts

Joined
Fri Jan 29, 2010 6:31 pm

Post by straightlight » Sat Mar 31, 2018 9:18 pm

Follow these two posts for full protection enforcement to your site:

- viewtopic.php?f=190&t=203222&p=718991#p718991
- viewtopic.php?f=190&t=203222&p=718991#p719045

Obviously, the 2nd post will lead back here, but it's just to show that running both together is the best solution to improve your site's protection.


Post by radi8tor » Sat Apr 14, 2018 3:51 pm

Hi,

I have custom template and this hidden tag was not added automatically to html.

Code:

<form action="https://..../index.php?route=account/login" method="post" enctype="multipart/form-data">
I have edited address_form.twig, return_form.twig, cart.twig, currency.twig, language.twig, contact.twig in my \web\catalog\view\theme\USERNAME\template folder.
And login.twig in \web\catalog\view\theme\default\template folder.

However when checked the results this tag was not working, for example this is what I get:

Code:

<form action="https://..../index.php?route=account/login" method="post" enctype="multipart/form-data"><?php echo $this->csrf->csrf_form_input(); ?>
Looks like your script does not recognize even the default templates?

Only in OC admin login could I identify that it works:

Code:

<form action="https://..../admin/index.php?route=common/login" method="post" enctype="multipart/form-data"><input type="hidden" name="__csrf" value="....">
Last edited by radi8tor on Sun Apr 15, 2018 1:47 am, edited 1 time in total.

New member

Posts

Joined
Thu Feb 01, 2018 6:21 pm

Post by straightlight » Sat Apr 14, 2018 11:49 pm

Do NOT post the CSRF token value on the public forum. Use the latest CSRF extension release, you are using an old version.


Post by radi8tor » Sun Apr 15, 2018 1:50 am

I did install the latest version available: Mar, 29 2018
XML is dated Feb, 25 2018 in the installer ZIP.

Where is the latest release available?


Post by straightlight » Sun Apr 15, 2018 5:44 am

According to this line of code:

Code:

<?php echo $this->csrf->csrf_form_input(); ?>
This is not the updated version, as this is no longer needed since the two latest updates on the Marketplace. The first post of this topic mentions where to download the CSRF Extension. The location did not change, but the extension was updated at least twice since. Although, ensure your zlib.output_compression is set to On in your php.ini or .user.ini file.


Post by radi8tor » Sun Apr 15, 2018 3:06 pm

I have seen this part in your XML:

Code:

<file name="admin/controller/common/header.php" error="skip">
    <operation error="skip">
        <search position="before"><![CDATA[$data['scripts']]]></search>
        <add><![CDATA[
            $this->load->helper('csrf_helper');

            csrf_start();
        ]]></add>
    </operation>
</file>
Is it OK that only admin/controller/common/header.php is updated by vQmod? For normal operation catalog/controller/common/header.php should not be updated as well?

zlib.output_compression is now turned on. No changes:

Code:

<form action="https://..../index.php?route=account/login" method="post" enctype="multipart/form-data">
  <div class="form-group">
    <label class="control-label" for="input-email">E-Mail Address</label>
    <input type="text" name="email" value="" placeholder="E-Mail Address" id="input-email" class="form-control" />
  </div>
  <div class="form-group">
    <label class="control-label" for="input-password">Password</label>
    <input type="password" name="password" value="" placeholder="Password" id="input-password" class="form-control" />
    <a href="https://..../index.php?route=account/forgotten">Forgotten Password</a>
  </div>
  <input type="submit" value="Login" class="btn btn-primary" />
</form>
Currently it is only working for OC admin login form.


Post by straightlight » Sun Apr 15, 2018 10:33 pm

With OC v3.x releases, the catalog header file won't propagate the CSRF due to the implementation of the TWIG engine. From the original and delivered XML file on the Marketplace, it should contain the blocks with the regular expressions on automatically placing the hidden CSRF input for each theme sub-folder where TWIG files are located, but I will post a demonstration anyways.

In the csrf.xml file, remove the block of code:

Code:

<file name="catalog/controller/common/header.php" error="skip">
    <operation error="skip">
        <search position="before"><![CDATA[$this->data['scripts']]]></search>
        <add><![CDATA[
            $this->load->helper('csrf_helper');

            csrf_start();
        ]]></add>
    </operation>
</file>
replace with:

Code:

<file name="catalog/view/theme/*/template/information/*.twig" error="skip">
    <operation error="skip">
        <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~]]></search>
        <add><![CDATA[$1]]></add>
    </operation>
</file>
In this case, we're testing the contact us page. Once applying this change, clear your OC cache from the OC admin: viewtopic.php?f=176&p=718325#p718325 and see from the view source on the contact us page if the CSRF input does show.

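As an added illustration, not code from the CSRF Protection Form extension or from straightlight, the following PHP shows the two pieces the posts above describe: a session-bound token helper (token generation, hidden input, constant-time validation, so that a request missing the token fails the way the first post's test expects) and the regex step that appends the hidden input to every POST form, the same pattern the vQmod <search> block uses. The function names csrf_start, csrf_form_input, csrf_validate and csrf_inject are assumed for this example; the extension's own helper may use different names and signatures. The login page HTML in the demo is constructed.

```php
<?php
// Added example, not code from the CSRF Protection Form extension or from
// straightlight: a minimal CSRF helper plus the regex step that injects the
// hidden input into every POST form, mirroring the vQmod block above.
// The function names below are assumed; the extension's own may differ.

const CSRF_FIELD       = '__csrf';      // field name seen in the thread's admin login form
const CSRF_SESSION_KEY = 'csrf_token';

// Create the per-session token once; $session stands in for $_SESSION so the
// example runs from the CLI. random_bytes() is a CSPRNG on PHP 7+.
function csrf_start(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Hidden input to place inside a form.
function csrf_form_input(string $token): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time check of the submitted token against the session token.
// A missing or altered token fails, which is the "CSRF protection has failed"
// case described in the first post's test procedure.
function csrf_validate(array $post, string $expected): bool
{
    $submitted = $post[CSRF_FIELD] ?? '';
    return is_string($submitted) && $submitted !== '' && hash_equals($expected, $submitted);
}

// Same pattern as the vQmod <search> block: match the opening tag of any
// <form ... method="post" ...> and append the hidden input right after it.
// GET forms are left untouched; the trailing "i" makes the match case-insensitive.
function csrf_inject(string $html, string $token): string
{
    $pattern = '~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i';
    return preg_replace($pattern, '${1}' . csrf_form_input($token), $html);
}

// Demo on a constructed login page (not a real store's output).
$session = [];
$token   = csrf_start($session);
$page    = '<form action="index.php?route=account/login" method="post" enctype="multipart/form-data">'
         . '<input type="text" name="email"></form>'
         . '<form action="index.php?route=product/search" method="get"></form>';

$rendered = csrf_inject($page, $token);
printf("POST forms carrying the token: %d (expected 1)\n",
       substr_count($rendered, 'name="' . CSRF_FIELD . '"'));
printf("Genuine submission:            %s\n",
       csrf_validate([CSRF_FIELD => $token], $token) ? 'accepted' : 'rejected');
printf("Request without the token:     %s\n",
       csrf_validate([], $token) ? 'accepted' : 'rejected');
printf("Request with a tampered token: %s\n",
       csrf_validate([CSRF_FIELD => '0' . $token], $token) ? 'accepted' : 'rejected');
```

In a live store $session would be $_SESSION and csrf_inject would run over the rendered page body before it is sent, whereas the vQmod regex in the thread rewrites the TWIG templates themselves; either way, checking the view source for the hidden input, as the post above suggests, is the quickest way to confirm the injection actually happened on a given page.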

Post by radi8tor » Mon Apr 16, 2018 1:59 am

For me it has no effect; the CSRF form is not included in: https://..../index.php?route=information/contact


Post by straightlight » Mon Apr 16, 2018 6:42 am

Please post your XML file and your php.ini file configuration.


Post by ameliaa » Mon Apr 16, 2018 1:38 pm

I have disabled affiliate registrations so no longer receiving affiliate spam.

For customer registrations, I have stopped receiving fake registrations on one website (opencart 2.0.1.1). However, I am still receiving a ton of fake registrations on another site (opencart 2.0.3.1). Any idea why the mod is working on one site, but not the other?


Post by radi8tor » Mon Apr 16, 2018 1:54 pm

Here you go.


Post by straightlight » Mon Apr 16, 2018 6:47 pm

ameliaa wrote:
Mon Apr 16, 2018 1:38 pm
I have disabled affiliate registrations so no longer receiving affiliate spam.

For customer registrations, I have stopped receiving fake registrations on one website (opencart 2.0.1.1). However, I am still receiving a ton of fake registrations on another site (opencart 2.0.3.1). Any idea why the mod is working on one site, but not the other?
Disabling the affiliate system won't solve the issue, since customer registrations can still be spammed. This support forum is for the CSRF protection form troubleshooting / inquiries. Not for general support. Is the CSRF token showing on your view source after adding the extension?


Post by straightlight » Mon Apr 16, 2018 6:49 pm

radi8tor wrote:
Mon Apr 16, 2018 1:54 pm
Here you go.
The instructions above were simply about adding the information block to see if you were able to see the CSRF input on the view source. Your XML file shows all TWIG folders, which hardens the troubleshooting. Instructions unfollowed. In the meantime, you seem to have spaces between [ ~ and ~i ] and also between [ $1 ]. All these instances must not contain any spaces.


Post by radi8tor » Mon Apr 16, 2018 8:41 pm

I do not see any spaces on the mentioned locations.
I have updated the script but it still does not work.
