[RELEASED] CSRF Protection Form

Noted, thank you for this extension!

straightlight wrote: ↑

Sat Aug 22, 2020 2:55 am

The times when and where it won't be secured is when the header is not being called from the controller from installed extensions you might be using.

I followed all the instructions but still received the spam sign ups, but there was 1 final part missing - the most obvious!
This:

khnaz35 wrote: ↑

Fri May 15, 2020 6:32 pm

Lastly don't forget to turn on the reCaptcha from store settings

First off thanks for this extension .. A quick question for you..

Would everything work the same if I convert/rewrite the vQmod xml file to OCmod xml file and leave the helper file as is? Or does this only work on VQmod?

I don't like using both OCmod and VQmod so all my modifications are OCmod at the moment

PS just converted it to OCmod and it seems to work on admin but not on front end on 3.0.3.2 for me too.

you have the csrf_help initiate on admin controller but not on the catalog controller, should this be in the xml file too?
PPS yup adding the code above seems to make it work, now the csrf secret value shows up

supak111 wrote: ↑

Fri Dec 04, 2020 6:22 am

First off thanks for this extension .. A quick question for you..

Would everything work the same if I convert/rewrite the vQmod xml file to OCmod xml file and leave the helper file as is? Or does this only work on VQmod?

I don't like using both OCmod and VQmod so all my modifications are OCmod at the moment

PS just converted it to OCmod and it seems to work on admin but not on front end on 3.0.3.2 for me too.

you have the csrf_help initiate on admin controller but not on the catalog controller, should this be in the xml file too?

Code: Select all

	<file path="catalog/controller/common/header.php" error="skip">
        <operation error="skip">
            <search><![CDATA[$data['scripts']]]></search>
            <add position="before"><![CDATA[
			$this->load->helper('csrf_helper');
			
			csrf_start();
			]]></add>
        </operation>
	</file>

PPS yup adding the code above seems to make it work, now the csrf secret value shows up

Excellent, good work!

straightlight wrote: ↑

Fri Dec 04, 2020 8:14 pm

Excellent, good work!

You might wanna update your extension in the marketplace.

Also do you want me to post up my converted OCmod version of it on the marketplace so people can use it since some people prefer OCmod over VQmod?

supak111 wrote: ↑

Sat Dec 05, 2020 8:36 am

straightlight wrote: ↑

Fri Dec 04, 2020 8:14 pm

Excellent, good work!

You might wanna update your extension in the marketplace.

Also do you want me to post up my converted OCmod version of it on the marketplace so people can use it since some people prefer OCmod over VQmod?

Send me your version in PM and I'll take a look at it.

@supak111
I'd appreciate your ocmod version as I have no idea how to install this extension in my 3.0.2 and 3.0.6 installations.
Straightlight is talking about overwriting existing files of a library, which library?
The zip I downloaded contains only 2 files, one xml file which seems to need VQmod which I do not have installed and a csrf_helper.php
That's all to make it run?
Many thanks for eventually answering.

The zip I downloaded contains only 2 files, one xml file which seems to need VQmod which I do not have installed and a csrf_helper.php

You do need it installed.

Ok, I succeeded to install VQmode and the CSRF script.
This is a multi shop. I suppose I need to install some of the files to the other installations as well, don't I?
Which ones, please?
If this is not considered abuse, may I ask one more question which is related to the contact forms that come usually with OpenCart.
We had increasing volumes of spam submissions of these contact forms and installing ReCaptcha did not resolve anything.
Then I took the contact forms completely away. This did not resolve anything neither!
Then I went into the code of catalog/controller/information/contact.php and disabled the line $mail->send(); in function index.
That resolved the problem absolutely.
But what absurdity! Is there a more elegant way to prevent these submissions which are obviously done by scripts that submit the contact form without going through a browser! Perhaps by cURL or whatever, I have no idea. It is odd.
Solution?

If you are using Cpanel enable cpanel hulk brute force protection and put all those countries/Ips into black list.
Enable extra firewall on your server as well as enable spam filter on your mail server.

Hi khnaz35, thanks for caring!
I am not on cPanel. We have some russian/ucranian/indian customers, so .... that's not an option.
I was hoping for the CFSR script to block these robot submissions but seemingly I am unable to have it installed.
Even with a "VQMODDED Startup" the xml does not throw the __cfsr parameter into my forms on the customer side. Not in the main shop nor in the dependent shops (I have a multi shop setup). Consequently we receive fake account registrations as always. It seems I did not install the scripts correctly (though the admin login form is showing the token in its source code).

docroesner wrote: ↑

Mon Jan 04, 2021 1:29 am

Hi khnaz35, thanks for caring!
I am not on cPanel. We have some russian/ucranian/indian customers, so .... that's not an option.
I was hoping for the CFSR script to block these robot submissions but seemingly I am unable to have it installed.
Even with a "VQMODDED Startup" the xml does not throw the __cfsr parameter into my forms on the customer side. Not in the main shop nor in the dependent shops (I have a multi shop setup). Consequently we receive fake account registrations as always. It seems I did not install the scripts correctly (though the admin login form is showing the token in its source code).

You need to enable the Zlib Compression Output on your domain as well as look up to your XML file paths inside the XML to ensure all routes are pointing to the right locations compared to your physical paths on your server. Another way would be to use the VQMod Manager extension to look at the logs which automatically generates error outputs when the case.

Hello Straightlight,
I enabled zlib.compression_output in .htaccess.
Regarding the file paths: I have some customized templates. I have now deleted the customized account/register.twig for testing purposes.
Of course I cleared the cache on the server and in my browser, Safari.
Nevertheless calling index.php?route=account/register into the browser, no hidden input field is visible containing the csrf token.
The error log of the VQMod Manager is empty even though it says error logging be enabled.
What makes me wonder is that my modules' list displays VQMod Manager as disabled. In the manager I see no way to enable this.
However, inside the manager it displays VQMOD CORE, VQMod Manager Menu Shortcut and CSRF Form Protection as enabled.
All this on the main shop (shop_id=0). The most fake account registrations however originate from shop_id=1 - that would be the next step to have all this setup there, a different domain on the same server.
Any advice?

docroesner wrote: ↑

Mon Jan 04, 2021 8:52 am

Hello Straightlight,
I enabled zlib.compression_output in .htaccess.
Regarding the file paths: I have some customized templates. I have now deleted the customized account/register.twig for testing purposes.
Of course I cleared the cache on the server and in my browser, Safari.
Nevertheless calling index.php?route=account/register into the browser, no hidden input field is visible containing the csrf token.
The error log of the VQMod Manager is empty even though it says error logging be enabled.
What makes me wonder is that my modules' list displays VQMod Manager as disabled. In the manager I see no way to enable this.
However, inside the manager it displays VQMOD CORE, VQMod Manager Menu Shortcut and CSRF Form Protection as enabled.
All this on the main shop (shop_id=0). The most fake account registrations however originate from shop_id=1 - that would be the next step to have all this setup there, a different domain on the same server.
Any advice?

The extension shows as enabled in your VQMod Manager. Therefore, you just need to find the right paths in the XML file for the __csrf to load from view source. In the mean time, ensure to try the zlib.compression_output in your php.ini or .user.ini file instead of .htaccess to notice the difference.

Yes there are only 2 files in the vQmod version of this extension. You must have vQmod installed.
BUT I converted it to OCmod so download my version below and install it vie admin: extension --> installer

VQmod version of CSRF Protection Form Extension https://www.opencart.com/index.php?rout ... on_id=4773
OCmod version download it here: https://gofile.io/d/pHognI

PS only tested on 3.0.3.2, should work on all oc 3xxx

supak111 wrote: ↑

Tue Jan 05, 2021 8:02 am

Yes there are only 2 files in the vQmod version of this extension. You must have vQmod installed.
BUT I converted it to OCmod so download my version below and install it vie admin: extension --> installer

VQmod version of CSRF Protection Form Extension https://www.opencart.com/index.php?rout ... on_id=4773
OCmod version download it here: https://gofile.io/d/pHognI

PS only tested on 3.0.3.2, should work on all oc 3xxx

I would suggest send this version to Straightlight
And let upload both mod under the same extension link so it would be easy for new user to download and install there prefer mod.

I sent it to him a while back, don't see that he posted it on the marketplace yet

supak111 wrote: ↑

Tue Jan 05, 2021 8:13 am

I sent it to him a while back, don't see that he posted it on the marketplace yet

I see may be he didn't get time yet for that,
Since there was allot of development happening for OC 4.x

I did took time to look at it. As it was delivered, I was told the VQMod version was converted into the OCMod release. Ironic, I then took a look at the csrf_helper file, it was modified compared to the VQMod version. In addition, since the paths in the XML file might need to modified, however, I figured it would be more time consuming for each users having to reinstall a package each times a path needs to be modified in the first place rather than troubleshooting one XML file and test each paths until the __csrf token does show with the compression on.

@supak111: I have downloaded this OCmod version and will try it on a test installation of OC. Many thanks!
@Straightlight:
I have asked the host manager to enable zlib.compression_output on a php level and will see if that changes anything.
I have installed now vqmod on another hosting account where OC 3.0.3.6 is installed. zlib.compression_output is enabled there.
The admin login form shows the token field perfectly.
However, no other form on the customer side shows any hidden token-field.
Since I have account/register.twig modified there, I included the lines
{% if csrf_form_input %}
{{ csrf_form_input }}
{% endif %}
in the template right below the form open tag.
That does not resolve anything (I included some text with this modification and that shows up in the source code).
So that means csfr_form_input is empty when loading the form.
Then I modified the modified catalog/controller/account/register.php in the storage folder and included the lines
$csrf = new Csrf();
$csrf->csrf_start($this->registry);
$data['csrf_form_input'] = $csrf->csrf_form_input();
in function index()
That gave a fatal error saying
Class 'Csrf' not found in /....../storage/modification/catalog/controller/account/register.php
Seems I put this code in the wrong place. Where do I have to include it?