[RELEASED] CSRF Protection Form

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Tue Apr 17, 2018 5:11 am

Is your zlib compression level set to 8 from php.ini?

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.

F. Rules:

- viewtopic.php?f=176&t=200480
- viewtopic.php?f=176&t=200804

Regards,
Straightlight

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

ameliaa

New member

Posts

Joined

Fri Jan 29, 2010 6:31 pm

Post by ameliaa » Thu Apr 19, 2018 12:40 pm

straightlight wrote: ↑
Tue Apr 17, 2018 5:11 am
Is your zlib compression level set to 8 from php.ini?

How much do I need to pay you to get the mod to work on both my sites?

ameliaa

New member

Posts

Joined

Fri Jan 29, 2010 6:31 pm

Re: [RELEASED] CSRF Protection Form

New member

Posts

Joined

Thu Feb 01, 2018 6:21 pm

Post by radi8tor » Thu Apr 19, 2018 6:20 pm

Now I set it to 8 but no change on page index.php?route=information/contact

Code: Select all

zlib.output_compression = On;
zlib.output_compression_level = 8;

New member

Posts

Joined

Thu Feb 01, 2018 6:21 pm

Re: [RELEASED] CSRF Protection Form

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Thu Apr 19, 2018 8:11 pm

In your catalog/controller/information/contact.php file, below the index() line,

add:

Code: Select all

if (!empty($this->session->data['user_token'])) {
    echo 'test123';
}

Then, login to your OC admin and select your store. Visit your contact us page. On the top-left end side of your store, do you see: test123?

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

New member

Posts

Joined

Thu Feb 01, 2018 6:21 pm

Post by radi8tor » Fri Apr 20, 2018 2:10 am

No it is not displayed on that page.

However I have seen now that I have contact.php under /storage/modification/catalog/controller/information/ as well.
Maybe this is the reason of that vQmod does not update contact.php.
How should I include this path in csrf.xml?

New member

Posts

Joined

Thu Feb 01, 2018 6:21 pm

Re: [RELEASED] CSRF Protection Form

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Fri Apr 20, 2018 2:37 am

VQMod only starts from the public_html folder root path. Besides, VQMod is not compatible with OCMod path detections.

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

snowbird

Newbie

Posts

Joined

Thu Sep 21, 2017 11:06 pm

Post by snowbird » Mon May 21, 2018 8:28 pm

OC: 2.3.0.2

I have managed to install the CSRF Protection Extension, but it seems that it does not run the CSRF_check function properly, so that every bot keeps on spamming my site.

I could find out that for my installation on the contact form $_SERVER['REQUEST_METHOD'] is GET and not POST, so "if ($_SERVER['REQUEST_METHOD'] !== 'POST') {" is not working as it should and it does not run the csrf_check until the end, but returns. It is not checking if the token is correct or not and allows all bots to send me spam. Of course $_POST['__csrf'] will not work, too, so i am lost how to get it work.

Thank you for your help.

snowbird

Newbie

Posts

Joined

Thu Sep 21, 2017 11:06 pm

Re: [RELEASED] CSRF Protection Form

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Tue May 29, 2018 3:03 am

See these solutions that must work together: viewtopic.php?f=20&t=203309&p=719351#p719351 . However, HTML Forms should only use POST requests, not GET requests.

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

Newbie

Posts

Joined

Sat Jan 07, 2017 5:12 am

Post by 4elements » Sat Sep 08, 2018 10:20 am

After you upload the folders what do you do? These are the only directions I see:

Instructions: All new files, upload them all (override the CSRF library if you already have it). Install the admin extension module called: CSRF Protection, edit the module, enable the module (and the log if you want for monitoring purposes).

Where is the "CSRF Protection" module? When I search for it, it takes me back to the page with the two folders.

Newbie

Posts

Joined

Sat Jan 07, 2017 5:12 am

Re: [RELEASED] CSRF Protection Form

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Sat Sep 08, 2018 8:27 pm

On the Marketplace, you simply need to download the latest release of the CSRF extension. Then, to upload the files. Ensure from your php.ini file that the zlib compression and output are on. Once viewing the view source on your browser, after clearing the OC cache: viewtopic.php?f=176&p=733002#p718325 , see the __csrf line(s). When so, you can disable the zlib output if you want but don't disable its compression.

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

Newbie

Posts

Joined

Sat Jan 07, 2017 5:12 am

Post by 4elements » Sun Sep 09, 2018 1:21 am

May I have an exact link please. Because when I search for CSRF in the marketplace, all I get is this, which is what I already downloaded and all that is in there are two folders,

https://www.opencart.com/index.php?rout ... SRF%20v3.2

Thanks.

Newbie

Posts

Joined

Sat Jan 07, 2017 5:12 am

Re: [RELEASED] CSRF Protection Form

Newbie

Posts

Joined

Sat Jan 07, 2017 5:12 am

Post by 4elements » Sun Sep 09, 2018 5:48 am

Also, my php.ini file doesn't have a zlib or output value

Newbie

Posts

Joined

Sat Jan 07, 2017 5:12 am

Re: [RELEASED] CSRF Protection Form

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Sun Sep 09, 2018 8:44 pm

4elements wrote: ↑
Sun Sep 09, 2018 5:48 am
Also, my php.ini file doesn't have a zlib or output value

You simply need to add it.

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

New member

Posts

Joined

Sat Sep 14, 2013 4:54 am

Post by ddpneu » Wed Sep 12, 2018 7:50 pm

Hello,
you have written that your CSRF is compatible with OC 2.3.0.2 but it isn´t. Do you have version which is?

Thank you.

New member

Posts

Joined

Sat Sep 14, 2013 4:54 am

Re: [RELEASED] CSRF Protection Form

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Wed Sep 12, 2018 8:18 pm

ddpneu wrote: ↑
Wed Sep 12, 2018 7:50 pm
Hello,
you have written that your CSRF is compatible with OC 2.3.0.2 but it isn´t. Do you have version which is?

Thank you.

Inaccurate analysis. I have done installations for users as a custom job who uses various OC v2.x releases and it works as it should. Ensure to have the zlib compression in your php.ini file as already recommended with OC installations in order to use page compressions and to monitor your CSRF installation protection with the help of the zlib output in your php.ini file.

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

New member

Posts

Joined

Sat Sep 14, 2013 4:54 am

Post by ddpneu » Wed Sep 12, 2018 8:26 pm

Hi,
but your xml file contains only TWIG modifications which isn´t for OC 2.x.
This is example what you have there

Code: Select all

<file name="catalog/view/theme/*/template/account/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
	</file>
	
	<file name="catalog/view/theme/*/template/affiliate/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
	</file>

So it can´t work for OC 2.x. Am I right?

Thanks.

New member

Posts

Joined

Sat Sep 14, 2013 4:54 am

Re: [RELEASED] CSRF Protection Form

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location

Canada, ON

Post by straightlight » Wed Sep 12, 2018 8:31 pm

XML files are nowhere to be said that one version cannot work with another. It has always been about tweaking the codes. As you can see from the posted example, it uses .twig extensions. All you need to do is to rename them to .tpl extensions when using lower versions than OC 3.x and to refresh your page noticing the __crsf hidden input on your browser's view source.

Legendary Member

Posts

Joined

Mon Nov 14, 2011 11:38 pm

Location - Canada, ON

Re: [RELEASED] CSRF Protection Form

New member

Posts

Joined

Sat Sep 14, 2013 4:54 am

Post by ddpneu » Wed Sep 12, 2018 8:48 pm

Ok. But in xml you have just code for admin to inicialized:

Code: Select all

<file name="admin/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
			$this->load->helper('csrf_helper');
			
			csrf_start();
			]]></add>
        </operation>
	</file>

But nowhere is code for CATALOG which is most important for us.

And also you have installation instruction:

Instructions: All new files, upload them all (override the CSRF library if you already have it). Install the admin extension module called: CSRF Protection, edit the module, enable the module (and the log if you want for monitoring purposes).

But there is no module in admin to install. You have just two files to upload (xml and system *.php) so I don´t understand how should I see the module in Admin anyway.

Thanks.

New member

Posts

Joined

Sat Sep 14, 2013 4:54 am

Re: [RELEASED] CSRF Protection Form

Legendary Member

Posts