straightlight wrote: ↑Sat Aug 22, 2020 2:55 am
The times when and where it won't be secured is when the header is not being called from the controller from installed extensions you might be using.
Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing

Would everything work the same if I convert/rewrite the vQmod xml file to OCmod xml file and leave the helper file as is? Or does this only work on VQmod?
I don't like using both OCmod and VQmod so all my modifications are OCmod at the moment
PS just converted it to OCmod and it seems to work on admin but not on front end on 3.0.3.2 for me too.
You have the csrf_helper initiated on the admin controller but not on the catalog controller; should this be in the xml file too?
<file path="catalog/controller/common/header.php" error="skip">
    <operation error="skip">
        <search><![CDATA[$data['scripts']]]></search>
        <add position="before"><![CDATA[
$this->load->helper('csrf_helper');
csrf_start();
        ]]></add>
    </operation>
</file>
~ OC 3.0.3.2 and OCmods only ~
Excellent, good work!
supak111 wrote: ↑Fri Dec 04, 2020 6:22 am
First off thanks for this extension.. A quick question for you..
Would everything work the same if I convert/rewrite the vQmod xml file to OCmod xml file and leave the helper file as is? Or does this only work on VQmod?
I don't like using both OCmod and VQmod so all my modifications are OCmod at the moment
PS just converted it to OCmod and it seems to work on admin but not on front end on 3.0.3.2 for me too.
You have the csrf_helper initiated on the admin controller but not on the catalog controller; should this be in the xml file too?
PPS yup adding the code above seems to make it work, now the csrf secret value shows up
<file path="catalog/controller/common/header.php" error="skip">
    <operation error="skip">
        <search><![CDATA[$data['scripts']]]></search>
        <add position="before"><![CDATA[
$this->load->helper('csrf_helper');
csrf_start();
        ]]></add>
    </operation>
</file>
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
You might wanna update your extension in the marketplace.
Also do you want me to post up my converted OCmod version of it on the marketplace so people can use it since some people prefer OCmod over VQmod?
~ OC 3.0.3.2 and OCmods only ~
Send me your version in PM and I'll take a look at it.
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
I'd appreciate your ocmod version as I have no idea how to install this extension in my 3.0.2 and 3.0.6 installations.
Straightlight is talking about overwriting existing files of a library, which library?
The zip I downloaded contains only 2 files, one xml file which seems to need VQmod which I do not have installed and a csrf_helper.php
That's all to make it run?
Many thanks for eventually answering.
You do need it installed.
docroesner wrote:
The zip I downloaded contains only 2 files, one xml file which seems to need VQmod which I do not have installed and a csrf_helper.php
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
This is a multi shop. I suppose I need to install some of the files to the other installations as well, don't I?
Which ones, please?
If this is not considered abuse, may I ask one more question which is related to the contact forms that come usually with OpenCart.
We had increasing volumes of spam submissions of these contact forms and installing ReCaptcha did not resolve anything.
Then I took the contact forms completely away. This did not resolve anything neither!
Then I went into the code of catalog/controller/information/contact.php and disabled the line $mail->send(); in function index.
That resolved the problem absolutely.
But what absurdity! Is there a more elegant way to prevent these submissions which are obviously done by scripts that submit the contact form without going through a browser! Perhaps by cURL or whatever, I have no idea. It is odd.
Solution?
Enable extra firewall on your server as well as enable spam filter on your mail server.
Got an urgent question that’s keeping you up at night? There might just be a magical inbox ready to help: khnaz35@gmail.com
Enjoy nature
I am not on cPanel. We have some Russian/Ukrainian/Indian customers, so .... that's not an option.
I was hoping for the CSRF script to block these robot submissions but seemingly I am unable to have it installed.
Even with a "VQMODDED Startup" the xml does not throw the __csrf parameter into my forms on the customer side. Not in the main shop nor in the dependent shops (I have a multi shop setup). Consequently we receive fake account registrations as always. It seems I did not install the scripts correctly (though the admin login form is showing the token in its source code).
You need to enable the Zlib Compression Output on your domain as well as look up the XML file paths inside the XML to ensure all routes are pointing to the right locations compared to your physical paths on your server. Another way would be to use the VQMod Manager extension to look at the logs, which automatically generate error outputs when that is the case.
docroesner wrote: ↑Mon Jan 04, 2021 1:29 am
Hi khnaz35, thanks for caring!
I am not on cPanel. We have some Russian/Ukrainian/Indian customers, so .... that's not an option.
I was hoping for the CSRF script to block these robot submissions but seemingly I am unable to have it installed.
Even with a "VQMODDED Startup" the xml does not throw the __csrf parameter into my forms on the customer side. Not in the main shop nor in the dependent shops (I have a multi shop setup). Consequently we receive fake account registrations as always. It seems I did not install the scripts correctly (though the admin login form is showing the token in its source code).
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
I enabled zlib.compression_output in .htaccess.
Regarding the file paths: I have some customized templates. I have now deleted the customized account/register.twig for testing purposes.
Of course I cleared the cache on the server and in my browser, Safari.
Nevertheless calling index.php?route=account/register into the browser, no hidden input field is visible containing the csrf token.
The error log of the VQMod Manager is empty even though it says error logging is enabled.
What makes me wonder is that my modules' list displays VQMod Manager as disabled. In the manager I see no way to enable this.
However, inside the manager it displays VQMOD CORE, VQMod Manager Menu Shortcut and CSRF Form Protection as enabled.
All this on the main shop (shop_id=0). The most fake account registrations however originate from shop_id=1 - that would be the next step to have all this setup there, a different domain on the same server.
Any advice?
The extension shows as enabled in your VQMod Manager. Therefore, you just need to find the right paths in the XML file for the __csrf to load from view source. In the meantime, ensure to try the zlib.compression_output in your php.ini or .user.ini file instead of .htaccess to notice the difference.
docroesner wrote: ↑Mon Jan 04, 2021 8:52 am
Hello Straightlight,
I enabled zlib.compression_output in .htaccess.
Regarding the file paths: I have some customized templates. I have now deleted the customized account/register.twig for testing purposes.
Of course I cleared the cache on the server and in my browser, Safari.
Nevertheless calling index.php?route=account/register into the browser, no hidden input field is visible containing the csrf token.
The error log of the VQMod Manager is empty even though it says error logging is enabled.
What makes me wonder is that my modules' list displays VQMod Manager as disabled. In the manager I see no way to enable this.
However, inside the manager it displays VQMOD CORE, VQMod Manager Menu Shortcut and CSRF Form Protection as enabled.
All this on the main shop (shop_id=0). The most fake account registrations however originate from shop_id=1 - that would be the next step to have all this setup there, a different domain on the same server.
Any advice?
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
BUT I converted it to OCmod so download my version below and install it via admin: extension --> installer
VQmod version of CSRF Protection Form Extension https://www.opencart.com/index.php?rout ... on_id=4773
OCmod version download it here: https://gofile.io/d/pHognI
PS only tested on 3.0.3.2, should work on all oc 3xxx
~ OC 3.0.3.2 and OCmods only ~
I would suggest sending this version to Straightlight
supak111 wrote: ↑Tue Jan 05, 2021 8:02 am
Yes there are only 2 files in the vQmod version of this extension. You must have vQmod installed.
BUT I converted it to OCmod so download my version below and install it via admin: extension --> installer
VQmod version of CSRF Protection Form Extension https://www.opencart.com/index.php?rout ... on_id=4773
OCmod version download it here: https://gofile.io/d/pHognI
PS only tested on 3.0.3.2, should work on all oc 3xxx
And let him upload both mods under the same extension link so it would be easy for new users to download and install their preferred mod.
Got an urgent question that’s keeping you up at night? There might just be a magical inbox ready to help: khnaz35@gmail.com
Enjoy nature
I see, maybe he didn't get time yet for that,
since there was a lot of development happening for OC 4.x
Got an urgent question that’s keeping you up at night? There might just be a magical inbox ready to help: khnaz35@gmail.com
Enjoy nature
Dedication and passion goes to those who are able to push and merge a project.
Regards,
Straightlight
Programmer / Opencart Tester
@Straightlight:
I have asked the host manager to enable zlib.compression_output on a php level and will see if that changes anything.
I have installed now vqmod on another hosting account where OC 3.0.3.6 is installed. zlib.compression_output is enabled there.
The admin login form shows the token field perfectly.
However, no other form on the customer side shows any hidden token-field.
Since I have account/register.twig modified there, I included the lines
{% if csrf_form_input %}
{{ csrf_form_input }}
{% endif %}
in the template right below the form open tag.
That does not resolve anything (I included some text with this modification and that shows up in the source code).
So that means csrf_form_input is empty when loading the form.
Then I edited the modified catalog/controller/account/register.php in the storage folder and included the lines
$csrf = new Csrf();
$csrf->csrf_start($this->registry);
$data['csrf_form_input'] = $csrf->csrf_form_input();
in function index()
That gave a fatal error saying
Class 'Csrf' not found in /....../storage/modification/catalog/controller/account/register.php
Seems I put this code in the wrong place. Where do I have to include it?
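The controller/template flow the thread keeps coming back to (csrf_start() called from the header controller, csrf_form_input() printed in the .twig, the __csrf field checked on POST), as an added illustration written for this page and not the extension's own csrf_helper.php; the function bodies, the session storage and the csrf_check() name are assumptions about how such a helper typically works:

```php
<?php
// Added illustration, not the extension's csrf_helper.php. The names
// csrf_start(), csrf_form_input() and the __csrf field come from the
// thread; everything else here is an assumption about the usual token flow.

const CSRF_FIELD = '__csrf';

// Create a per-session secret once. Called from the header controller
// (admin AND catalog, which is why the OCmod for catalog/common/header
// was needed) so every page that renders a form has a token ready.
function csrf_start(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
}

// Hidden input to place right after the <form> open tag in the .twig.
// The value is escaped so a template cannot be broken by the token text.
function csrf_form_input(): string {
    csrf_start();
    $token = htmlspecialchars($_SESSION[CSRF_FIELD], ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $token . '" />';
}

// Validate a POST before acting on it (e.g. before $mail->send() in
// information/contact, or before saving account/register). A scripted
// submission that never rendered the form has no session token to copy,
// so it fails here. hash_equals() avoids timing leaks on the comparison.
function csrf_check(array $post): bool {
    csrf_start();
    $submitted = $post[CSRF_FIELD] ?? '';
    return is_string($submitted) && $submitted !== ''
        && hash_equals($_SESSION[CSRF_FIELD], $submitted);
}

// Assumed OpenCart-style controller usage (not the extension's code):
// if ($this->request->server['REQUEST_METHOD'] == 'POST'
//     && !csrf_check($this->request->post)) {
//     $this->response->redirect($this->url->link('information/contact', '', true));
// }
```

Note that the check only helps for forms whose rendering path actually called csrf_start(), which is the situation the thread describes: the admin login gets the field, the catalog forms do not until the catalog header controller loads the helper too.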