Post by nightwing » Thu Feb 04, 2021 10:02 pm

Yes, I was explaining that when I tested with regex, it replaced the entire line.
I used this from your original vqmod:

Code: Select all

~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i
straightlight wrote:
Wed Feb 03, 2021 8:32 am
nightwing wrote:
Wed Feb 03, 2021 8:22 am
I get you... Hmm that cannot be used then as I see tags with <form method and <form action... If this is what you mean
straightlight wrote:
Wed Feb 03, 2021 7:46 am


As explained on the above, it would be the ordering priority entered by the user when using the element names on the <form line.
They both can and must be used to import the CSRF token but the only difference is the way they're being entered by the user as priority for each element names which is why the use of regex is eminent in this case.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing


Active Member

Posts

Joined
Tue Nov 05, 2019 11:08 pm


Post by straightlight » Thu Feb 04, 2021 10:28 pm

nightwing wrote:
Thu Feb 04, 2021 10:02 pm
Yes, I was explaining that when I tested with regex, it replaced the entire line.
I used this from your original vqmod:

Code: Select all

~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i
straightlight wrote:
Wed Feb 03, 2021 8:32 am
nightwing wrote:
Wed Feb 03, 2021 8:22 am
I get you... Hmm that cannot be used then as I see tags with <form method and <form action... If this is what you mean

They both can and must be used to import the CSRF token but the only difference is the way they're being entered by the user as priority for each element names which is why the use of regex is eminent in this case.
However, the e.g you were showing are still able tracking lines individually with OCMod where OCMod is on its way of deprecation from the core in the future.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by nightwing » Thu Feb 04, 2021 10:32 pm

Well its tracking the lines, and replacing them even when I used add position after. I am aware that its on its way to deprecation, but for now its needed.
straightlight wrote:
Thu Feb 04, 2021 10:28 pm
nightwing wrote:
Thu Feb 04, 2021 10:02 pm
Yes, I was explaining that when I tested with regex, it replaced the entire line.
I used this from your original vqmod:

Code: Select all

~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i
straightlight wrote:
Wed Feb 03, 2021 8:32 am


They both can and must be used to import the CSRF token but the only difference is the way they're being entered by the user as priority for each element names which is why the use of regex is eminent in this case.
However, the e.g you were showing are still able tracking lines individually with OCMod where OCMod is on its way of deprecation from the core in the future.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing


Active Member

Posts

Joined
Tue Nov 05, 2019 11:08 pm


Post by straightlight » Fri Feb 05, 2021 1:48 am

nightwing wrote:
Thu Feb 04, 2021 10:32 pm
Well its tracking the lines, and replacing them even when I used add position after. I am aware that its on its way to deprecation, but for now its needed.
straightlight wrote:
Thu Feb 04, 2021 10:28 pm
nightwing wrote:
Thu Feb 04, 2021 10:02 pm
Yes, I was explaining that when I tested with regex, it replaced the entire line.
I used this from your original vqmod:

Code: Select all

~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i
However, the e.g you were showing are still able tracking lines individually with OCMod where OCMod is on its way of deprecation from the core in the future.
It's good, at least, you figured out your own way to make it work but, as said, going back the way it was won't help the people on how it works since, over the years, it is more than obvious that they don't know since those changes you specified are still about server-specific tracking.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by nightwing » Fri Feb 05, 2021 2:51 am

Lol :laugh: Sraightlight, I have nit figured it out!
Its removing the form tag and replacing it with the hidden input, in otherwords, its not doing the correct thing even when I add position after and not replace.
straightlight wrote:
Fri Feb 05, 2021 1:48 am
nightwing wrote:
Thu Feb 04, 2021 10:32 pm
Well its tracking the lines, and replacing them even when I used add position after. I am aware that its on its way to deprecation, but for now its needed.
straightlight wrote:
Thu Feb 04, 2021 10:28 pm


However, the e.g you were showing are still able tracking lines individually with OCMod where OCMod is on its way of deprecation from the core in the future.
It's good, at least, you figured out your own way to make it work but, as said, going back the way it was won't help the people on how it works since, over the years, it is more than obvious that they don't know since those changes you specified are still about server-specific tracking.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing


Active Member

Posts

Joined
Tue Nov 05, 2019 11:08 pm


Post by straightlight » Fri Feb 05, 2021 2:53 am

nightwing wrote:
Fri Feb 05, 2021 2:51 am
Lol :laugh: Sraightlight, I have nit figured it out!
Its removing the form tag and replacing it with the hidden input, in otherwords, its not doing the correct thing even when I add position after and not replace.
straightlight wrote:
Fri Feb 05, 2021 1:48 am
nightwing wrote:
Thu Feb 04, 2021 10:32 pm
Well its tracking the lines, and replacing them even when I used add position after. I am aware that its on its way to deprecation, but for now its needed.

It's good, at least, you figured out your own way to make it work but, as said, going back the way it was won't help the people on how it works since, over the years, it is more than obvious that they don't know since those changes you specified are still about server-specific tracking.
The old version used too. You're simply trying to fallback but can't seem to reproduce the ways it used to be. That's fine, since there doesn't seem to be any way out on this one since the deprecation of OCMod.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by nightwing » Fri Feb 05, 2021 2:58 am

Thanks for the info. If I figure anything out, I will share with you.
straightlight wrote:
Fri Feb 05, 2021 2:53 am
nightwing wrote:
Fri Feb 05, 2021 2:51 am
Lol :laugh: Sraightlight, I have nit figured it out!
Its removing the form tag and replacing it with the hidden input, in otherwords, its not doing the correct thing even when I add position after and not replace.
straightlight wrote:
Fri Feb 05, 2021 1:48 am


It's good, at least, you figured out your own way to make it work but, as said, going back the way it was won't help the people on how it works since, over the years, it is more than obvious that they don't know since those changes you specified are still about server-specific tracking.
The old version used too. You're simply trying to fallback but can't seem to reproduce the ways it used to be. That's fine, since there doesn't seem to be any way out on this one since the deprecation of OCMod.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing


Active Member

Posts

Joined
Tue Nov 05, 2019 11:08 pm


Post by Rainforest » Sat Sep 11, 2021 2:00 pm

Using OC 3.0.3.8 here and a WAF
My WAF provider was looking into this and asked:
any issues with the firewall requests?

Self Taught Opencart User & Developer Since 2010.


User avatar
Active Member

Posts

Joined
Fri Jan 28, 2011 3:50 am

Post by straightlight » Sat Sep 11, 2021 6:05 pm

Rainforest wrote:
Sat Sep 11, 2021 2:00 pm
Using OC 3.0.3.8 here and a WAF
My WAF provider was looking into this and asked:
any issues with the firewall requests?
Not sure why this is addressed on the topic ...

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by Rainforest » Sun Sep 12, 2021 1:03 pm

straightlight wrote:
Sat Sep 11, 2021 6:05 pm
Rainforest wrote:
Sat Sep 11, 2021 2:00 pm
Using OC 3.0.3.8 here and a WAF
My WAF provider was looking into this and asked:
any issues with the firewall requests?
Not sure why this is addressed on the topic ...
Because it has to do with this extension.
1. Is the extension compatible with 3.0.3.8? (doesn't list so on the extension page)
2. My Firewall provider said to me when I showed him this extensions:

"In regards to the extension I would recommend looking into adding it and checking if there are any issues with the firewall requests. This would ensure that the "CSRF" token is added to confirm the requests are legit. "

Self Taught Opencart User & Developer Since 2010.


User avatar
Active Member

Posts

Joined
Fri Jan 28, 2011 3:50 am

Post by straightlight » Sun Sep 12, 2021 7:35 pm

Rainforest wrote:
Sun Sep 12, 2021 1:03 pm
straightlight wrote:
Sat Sep 11, 2021 6:05 pm
Rainforest wrote:
Sat Sep 11, 2021 2:00 pm
Using OC 3.0.3.8 here and a WAF
My WAF provider was looking into this and asked:
any issues with the firewall requests?
Not sure why this is addressed on the topic ...
Because it has to do with this extension.
1. Is the extension compatible with 3.0.3.8? (doesn't list so on the extension page)
2. My Firewall provider said to me when I showed him this extensions:

"In regards to the extension I would recommend looking into adding it and checking if there are any issues with the firewall requests. This would ensure that the "CSRF" token is added to confirm the requests are legit. "
As long you have the ZLIB library installed, the OC version should not matter. Only editing the XML file for your purpose is needed and for the CSRF token to show on the view source with the ZLIB output. Once being shown on the view source, the output can be disabled on your domain for security purposes.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by joeantropy » Wed Dec 15, 2021 12:24 am

This extension doesn't do anything to protect against CSRF!

In the csrf_check() function in the system/library/csrf_helper.php file, where the actual CSRF check happens is wrapped in this conditional:

Code: Select all

if (isset($this->request->post['__csrf'])) {
You can bypass the CSRF check entirely by simply omitting the <input name="__csrf" .../> from the form. An attacker can construct a form without this field (i.e. the exact same way they would if this extension was not installed), isset($this->request->post['__csrf'])) evaluates to false, and the CSRF attack proceeds as normal. Completely defeats the purpose of such an extension.

Newbie

Posts

Joined
Mon Mar 02, 2020 10:19 pm

Post by khnaz35 » Mon Dec 20, 2021 11:35 am

joeantropy wrote:
Wed Dec 15, 2021 12:24 am
This extension doesn't do anything to protect against CSRF!

In the csrf_check() function in the system/library/csrf_helper.php file, where the actual CSRF check happens is wrapped in this conditional:

Code: Select all

if (isset($this->request->post['__csrf'])) {
You can bypass the CSRF check entirely by simply omitting the <input name="__csrf" .../> from the form. An attacker can construct a form without this field (i.e. the exact same way they would if this extension was not installed), isset($this->request->post['__csrf'])) evaluates to false, and the CSRF attack proceeds as normal. Completely defeats the purpose of such an extension.
So, what are your suggestions?

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*


User avatar
Active Member

Posts

Joined
Mon Aug 27, 2018 11:30 pm
Location - Malaysia

Post by Majnoon » Tue Dec 21, 2021 4:10 pm

joeantropy wrote:
Wed Dec 15, 2021 12:24 am
This extension doesn't do anything to protect against CSRF!

In the csrf_check() function in the system/library/csrf_helper.php file, where the actual CSRF check happens is wrapped in this conditional:

Code: Select all

if (isset($this->request->post['__csrf'])) {
You can bypass the CSRF check entirely by simply omitting the <input name="__csrf" .../> from the form. An attacker can construct a form without this field (i.e. the exact same way they would if this extension was not installed), isset($this->request->post['__csrf'])) evaluates to false, and the CSRF attack proceeds as normal. Completely defeats the purpose of such an extension.
Maybe @straightlight can explain this.

Active Member

Posts

Joined
Fri Feb 05, 2021 8:29 pm

Post by Majnoon » Tue Jan 10, 2023 9:22 am

@Straightlight

Does this extension works with OC 3.0.3.8 ?

Active Member

Posts

Joined
Fri Feb 05, 2021 8:29 pm
Who is online

Users browsing this forum: No registered users and 4 guests