Post by Micas » Wed Oct 30, 2024 10:29 pm

Hi,

I'm running OpenCart version 3.0.4.0 on PHP 8.3.13 and getting the below errors in my error log.

PHP Warning: Undefined array key "email" in /storage/modification/catalog/controller/account/login.php on line 164

PHP Unknown: mb_strtolower(): Passing null to parameter #1 ($string) of type string is deprecated in /system/helper/utf8.php on line 30

PHP Warning: Undefined array key "email" in /storage/modification/catalog/controller/account/login.php on line 171

PHP Warning: Undefined array key "email" in /storage/modification/catalog/controller/account/login.php on line 178

PHP Warning: Undefined array key "password" in /storage/modification/catalog/controller/account/login.php on line 178

PHP Unknown: md5(): Passing null to parameter #1 ($string) of type string is deprecated in /httpdocs/system/library/cart/customer.php on line 54

PHP Warning: Undefined array key "email" in /storage/modification/catalog/controller/account/login.php on line 181

PHP Warning: Undefined array key "email" in /storage/modification/catalog/controller/account/login.php on line 164

Does anyone know what could be causing this and a possible solution please?


Post by softmonke » Wed Oct 30, 2024 10:41 pm

Seems like it could be caused by an extension that you've installed since the path shows under modifications.



Post by OSWorX » Sat Nov 02, 2024 5:20 pm

Micas wrote:
Wed Oct 30, 2024 10:29 pm
Hi,

I'm running OpenCart version 3.0.4.0 on PHP 8.3.13 and getting the below errors in my error log.

blablabla ...

Does anyone know what could be causing this and a possible solution please?
First of all, unless you can provide more details, nobody will be able to help you here.
Please read the Forum Rules before proceeding.


Post by Micas » Mon Nov 18, 2024 8:13 pm

Thank you for your reply softmonke.
To eliminate any effects that modifications may have, I have built a dev site using the bog standard OpenCart version 3.0.4.0, and the problem, I think, is that bots are trying to log in and causing the error messages.
After further testing there seems to be an issue in that, even after incorrect login details are entered many times and after the maximum login attempts message 'Warning: Your account has exceeded allowed number of login attempts. Please try again in 1 hour.' has displayed, you can still attempt to log in, and when the correct customer details are eventually entered the customer is allowed to log in.
I may be overlooking something, but this seems to be a security issue as it allows bots many login attempts.


Post by nonnedelectari » Mon Nov 18, 2024 9:24 pm

Micas wrote:
I may be overlooking something
That is correct, as this:
after the maximum login attempts message 'Warning: Your account has exceeded allowed number of login attempts. Please try again in 1 hour.' has displayed you can still attempt to login and when the correct customer details are eventually entered the customer is allowed login.
is incorrect.

These POST requests on the login path come from bots who post without providing the required fields like email and password, i.e. direct posts not using the OC form. OC does not check if those fields are present, it assumes they are, and as such PHP logs a warning when those fields are referenced.
Is that OK from OC? No. Is it a security issue? No.

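The two behaviours discussed in this post, checking that the posted fields exist before referencing them and locking the email for an hour after too many failures, as an added standalone PHP example (not OpenCart's own catalog/controller/account/login.php and not the poster's code). The in-memory `$attempts` array, the `$customers` array and the `password_hash()` comparison are constructed stand-ins for OpenCart's login-attempt table and its customer model.

```php
<?php
// Added example, not OpenCart code: hardened field handling plus the
// per-email lockout, simulated against constructed in-memory stores.
declare(strict_types=1);

const MAX_ATTEMPTS = 5;     // stand-in for config_login_attempts
const LOCK_SECONDS = 3600;  // "Please try again in 1 hour."

$attempts  = [];            // email => ['total' => int, 'date_modified' => unix time]
$customers = ['shop@example.com' => password_hash('correct horse', PASSWORD_DEFAULT)]; // constructed

function validateLogin(array $post, array &$attempts, array $customers, int $now): string
{
    // 1. A bot probe that omits email/password is rejected here instead of being
    //    dereferenced; this is what silences the "Undefined array key" and
    //    "Passing null to parameter #1" entries in the error log.
    if (!isset($post['email'], $post['password'])
        || !is_string($post['email']) || !is_string($post['password'])) {
        return 'error_login';           // generic message, nothing about which field was missing
    }
    $email = mb_strtolower(trim($post['email']));

    // 2. Lockout is evaluated before the password is compared, so a correct
    //    password inside the lock window is still refused.
    $info = $attempts[$email] ?? null;
    if ($info && $info['total'] >= MAX_ATTEMPTS && ($now - $info['date_modified']) < LOCK_SECONDS) {
        return 'error_attempts';
    }

    // 3. Verify credentials; count a failure, clear the counter on success.
    if (isset($customers[$email]) && password_verify($post['password'], $customers[$email])) {
        unset($attempts[$email]);
        return 'ok';
    }
    $attempts[$email] = ['total' => ($info['total'] ?? 0) + 1, 'date_modified' => $now];
    return 'error_login';
}

// Walk-through: field-less probe, six wrong passwords, the right password inside
// and then outside the lock window.
$now = time();
echo validateLogin(['foo' => 'bar'], $attempts, $customers, $now), "\n";   // error_login, no attempt recorded
for ($i = 0; $i < 6; $i++) {                                                // 5x error_login, then error_attempts
    echo validateLogin(['email' => 'shop@example.com', 'password' => "wrong$i"], $attempts, $customers, $now), "\n";
}
echo validateLogin(['email' => 'shop@example.com', 'password' => 'correct horse'], $attempts, $customers, $now), "\n";                // error_attempts
echo validateLogin(['email' => 'shop@example.com', 'password' => 'correct horse'], $attempts, $customers, $now + LOCK_SECONDS), "\n"; // ok
```

Run with `php example.php`; the last two lines show the lockout holding for the full hour even against the correct password, which is the behaviour nonnedelectari describes.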

Post by Micas » Mon Nov 18, 2024 10:56 pm

To me that doesn't make sense, as a potential hacker could continue trying different passwords after the maximum number of attempts message has appeared and before the 1 hour reset time has elapsed. I thought the whole idea of not being able to enter a password after the maximum number of attempts was that you could not try to re-enter a password until the 1 hour had expired?


Post by nonnedelectari » Mon Nov 18, 2024 11:29 pm

Micas wrote:
Mon Nov 18, 2024 10:56 pm
To me that doesn't make sense, as a potential hacker could continue trying different passwords after the maximum number of attempts message has appeared and before the 1 hour reset time has elapsed. I thought the whole idea of not being able to enter a password after the maximum number of attempts was that you could not try to re-enter a password until the 1 hour had expired?
No, if different passwords are used, they are blocked for an hour.
These are bogus (not even) login attempts, as they contain neither email addresses nor passwords; these are just probes.
Learn about how different bots behave, what they seek, how they seek it and how they might find what they seek.

It is true that OC has very poor handling of bots, in many areas, but OC is not insecure with regard to bots.

In short, you are confusing login attempts with viable login attempts.


Post by Micas » Tue Nov 19, 2024 12:24 am

nonnedelectari thanks very much for your help - yes that makes sense now!


Post by nonnedelectari » Tue Nov 19, 2024 2:15 am

Good. I know that some requests may freak people out, but most of them are just probes, trying to figure out what you have there.
Some straightforward, some sophisticated, some elusive, some mind-boggling, some just freaking weird, but most just innocent "let's see what you have got".

In general OC is pretty secure; the only thing you really need to worry about is the extensions you install, as they are not scrutinized on security, so in essence your OC system is as secure as your extensions are.
