Post by khnaz35 » Sun Jan 24, 2021 11:56 am

By looking at that code, there doesn't seem to be anything wrong with it. See if there are any whitespace characters above or underneath it at the end of the lines.
Yes, the above posted code is correct; it was lines # 2209 & 2321 missing the closing PHP tags );

Once those were fixed, I zipped the extension again and installed it as per the instructions, and it worked on the admin end. However, I am not seeing the ___csrf key on the catalog side.

@straightlight

Code:

// admin/controller/common/header/before
	public function commonHeaderBefore(&$route, &$args) {
		$this->load->library('csrf_helper');
		$csrf = new csrf_helper($this->registry);
		$csrf->csrf_start();
	}

For Catalog ???

Code:

<?php
class ControllerExtensionModuleSlCsrf extends Controller {
	// catalog/controller/common/header/after
	public function index(&$route, &$args, &$output) {
		$this->load->library('csrf_helper');
		$csrf = new csrf_helper($this->registry);
		$csrf->csrf_start();
	}
}

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*


User avatar
Active Member

Posts

Joined
Mon Aug 27, 2018 11:30 pm
Location - Malaysia

Post by straightlight » Sun Jan 24, 2021 12:42 pm

khnaz35 wrote:
Sun Jan 24, 2021 11:56 am
Yes, above posted code is correct, it was line # 2209 & 2321 missing the closing php tags );
I don't see the missing closing parentheses on those two lines ... are you sure you are using UTF-8 without BOM?

As for the CSRF Key, you can test the session data in the event of the catalog you posted and see if you notice an output. Also ensure the event is active and added into the OC admin > extensions > events page. Can you confirm those?

Can you also upload the controller file of the modifications you made? I will compare it on my end here to see if my editor can track a compared change since.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by khnaz35 » Sun Jan 24, 2021 1:33 pm

straightlight wrote:
Sun Jan 24, 2021 12:42 pm

I don't see the missing closing parentheses on those two lines ... are you sure to be using UTF-8 without BOM?
Yes, I am quite sure about that; I have made the modifications using Brackets and edited those 2 mentioned lines.
As for the CSRF Key, you can test the session data in the event of the catalog you posted and see if you notice an output. Also ensure the event is active and added into the OC admin > extensions > events page. Can you confirm those?
The admin_sl_csrf events are successfully added into the event table and all are active. I have uploaded the image for your reference.
Can you also upload the controller file of the modifications you made? I will compare it on my end here to see if my editor can track a compared change since.
Uploaded.

Attachment: event-confirm.png





Post by straightlight » Sun Jan 24, 2021 1:41 pm

Ok, confirmed for those two lines. It is indeed because of the empty spaces. For some reason, this might result in corrupted headers in the browser in different zones. I will upload the correction shortly.
Events admin_sl_csrf are successfully added into event table and all are active. I have uploaded the image for your reference.
sl_csrf should also be listed and active in the OC admin > extensions > events page. Are you able to see it?




Post by straightlight » Sun Jan 24, 2021 1:44 pm

Package updated.




Post by khnaz35 » Sun Jan 24, 2021 1:59 pm

straightlight wrote:
Sun Jan 24, 2021 1:41 pm
sl_csrf should also be listed and active in the OC admin > extensions > events page. Are you able to see it?
Do you mean only sl_csrf?




Post by straightlight » Sun Jan 24, 2021 2:04 pm

khnaz35 wrote:
Sun Jan 24, 2021 1:59 pm
straightlight wrote:
Sun Jan 24, 2021 1:41 pm
sl_csrf should also be listed and active in the OC admin > extensions > events page. Are you able to see it?
Do you mean only sl_csrf?
Yes, there should be two. admin_sl_csrf (for all events in admin) and sl_csrf events (single one for now).




Post by khnaz35 » Sun Jan 24, 2021 2:11 pm

straightlight wrote:
Sun Jan 24, 2021 2:04 pm
sl_csrf events (single one for now).
Nope, I don't see this in the registered event list.




Post by straightlight » Sun Jan 24, 2021 2:19 pm

Ok, let's troubleshoot this.

In catalog/controller/extension/module/sl_csrf.php file,

find:

Code:

// catalog/controller/common/header/after
	public function index(&$route, &$args, &$output) {
		$this->load->library('csrf_helper');
		$csrf = new csrf_helper($this->registry);
		$csrf->csrf_start();
	}

replace with:

Code:

// catalog/controller/common/header/before
	public function index(&$route, &$args) {
		$this->load->library('csrf_helper');
		$csrf = new csrf_helper($this->registry);
		$csrf->csrf_start();
	}

Then, in your PHPMyAdmin, in the oc_event table, add the catalog event as described on line 2078 of admin/controller/extension/module/sl_csrf.php file and make sure the status is set to 1 (active). See if that works afterwards.

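The manual oc_event row described above can also be created by the extension itself at install time. The following is an added example, not the sl_csrf package's own install code: it uses OpenCart 3.x's admin event model, takes the event code sl_csrf and the trigger route from this thread, and assumes the action route extension/module/sl_csrf from the controller class name; the isRegistered() check is a hypothetical helper for the "I don't see it in the event list" case.

```php
<?php
// Added example (not the sl_csrf package's own install code): register the
// catalog header event through OpenCart 3.x's admin event model instead of
// inserting the oc_event row by hand in phpMyAdmin. Only the catalog event
// is shown; the admin_sl_csrf events from the thread are not covered here.
class ControllerExtensionModuleSlCsrf extends Controller {
    const CODE    = 'sl_csrf';                                  // event code from the thread
    const TRIGGER = 'catalog/controller/common/header/before';  // trigger route from the thread
    const ACTION  = 'extension/module/sl_csrf';                 // assumed from the controller class name

    public function install() {
        $this->load->model('setting/event');
        // Remove any stale row first so a reinstall cannot leave duplicates.
        $this->model_setting_event->deleteEventByCode(self::CODE);
        // Fourth argument is status: 1 = active, which the catalog side needs.
        $this->model_setting_event->addEvent(self::CODE, self::TRIGGER, self::ACTION, 1, 0);
    }

    public function uninstall() {
        $this->load->model('setting/event');
        $this->model_setting_event->deleteEventByCode(self::CODE);
    }

    // Hypothetical helper: true only when the row exists and is active.
    // Reads the event table directly so it does not depend on model methods
    // beyond addEvent/deleteEventByCode.
    public function isRegistered(): bool {
        $query = $this->db->query(
            "SELECT `status` FROM `" . DB_PREFIX . "event` WHERE `code` = '"
            . $this->db->escape(self::CODE) . "'"
        );
        return $query->num_rows > 0 && (int)$query->row['status'] === 1;
    }
}
```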



Post by khnaz35 » Sun Jan 24, 2021 4:35 pm

straightlight wrote:
Sun Jan 24, 2021 2:19 pm
Then, in your PHPMyAdmin, in the oc_event table, add the catalog event as described on line 2078 of admin/controller/extension/module/sl_csrf.php file and make sure the status is set to 1 (active). See if that works afterwards.
I can confirm that upon replacing the catalog controller code and adding the event manually into the DB (oc_event table) as suggested, the CSRF key shows up on the catalog side now.

Thanks @straightlight

Attachments: confirmation.png, event-table.png, event-added.png





Post by khnaz35 » Sun Jan 24, 2021 5:05 pm

To make admin more secure, simply create .htaccess & .htpasswd in the admin folder and place the following code.

Code:

<Files *.*>
Order Deny,Allow
Deny from all
Allow from xxx.xxx.xxx.xxx
</Files>

#Begin user auth
AuthType Basic
AuthName "restricted area"
# AuthUserFile must be an absolute path (leading slash added)
AuthUserFile /home/xxxxxxxxx/public_html/xxxxxxx/admin/.htpasswd
Require valid-user
#End auth
For .htpasswd:

*The usernames are stored in plaintext, whereas the passwords are hashed using the MD5 algorithm.




Post by straightlight » Sun Jan 24, 2021 11:54 pm

I can confirm that upon replacing the catalog controller code and adding event manually into DB , oc_event table as suggested csrf key shown up in catalog side now.
Ok, I will update it shortly. I added the sl_csrf lookup in the admin header event as well, since it seems it might be too heavy for the browser to complete its installation task.




Post by straightlight » Sun Jan 24, 2021 11:55 pm

.htpasswd is NOT safe. Please don't post this crap on my topic!




Post by khnaz35 » Sun Jan 24, 2021 11:59 pm

straightlight wrote:
Sun Jan 24, 2021 11:55 pm
.htpasswd is NOT safe. Please don't post this crap on my topic!
I am not seeing the option to delete it, you can remove that post on my behalf.

Thanks.




Post by straightlight » Mon Jan 25, 2021 12:04 am

Package updated.




Post by khnaz35 » Mon Jan 25, 2021 12:06 am

straightlight wrote:
Mon Jan 25, 2021 12:04 am
Package updated.
Thanks for keeping it up to date.

Btw what else would you suggest to make admin more protected?




Post by straightlight » Mon Jan 25, 2021 12:30 am

khnaz35 wrote:
Mon Jan 25, 2021 12:06 am
straightlight wrote:
Mon Jan 25, 2021 12:04 am
Package updated.
Thanks for keeping it up to date.

Btw what else would you suggest to make admin more protected?
There are available extensions on the Marketplace for that: admin folder protection extensions. The only problem with these types of extensions vs. this one is that the admin forms are not protected once authenticated, regardless of how improved the protection would be once authenticated into the hidden folder. If CSRF attempts could be prevented by simply renaming a folder and playing with .htaccess, I think we could all agree that nobody would need to worry, but we know it's not the case.




Post by nightwing » Sat Jan 30, 2021 8:53 am

Hi straightlight - Just a question, let's say you have the extension installed and when you inspect the page and check under the form tag you see the hidden input and the token. Let's say I modify that token to anything I want and then submit the form; shouldn't this extension fail the CSRF check and throw the error? I just wanna know - Thank you!

[EDIT] - The reason why I asked is I have a chat installed and it uses tokens similar to this extension, but surprisingly when I modify the token in the inspect tool and try to submit the form, I get a CSRF Token Error; the same when I visit https://portswigger.net/users/forgottenpassword, type in test@gmail.com, change the value in the hidden field and submit, I get the CSRF Error. However, using this extension under the same circumstances submits the form on my website. Maybe I missed something - let me know

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing
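The behaviour nightwing expects is that an edited hidden ___csrf value is rejected on submit. The following is an added example, not the sl_csrf extension's csrf_helper library: an illustrative helper that seeds a per-session token (as csrf_start() does in the thread), injects it into rendered forms, and validates the POST with a constant-time compare, so a tampered or missing token fails. DemoCsrf and its method names are hypothetical; it assumes a plain PHP session.

```php
<?php
// Added example (not the sl_csrf extension's own code): minimal session-bound
// CSRF token helper. Field name ___csrf matches what the thread reports seeing.
class DemoCsrf {
    const FIELD = '___csrf';

    // Create the per-session secret once (role of csrf_start() in the thread).
    public static function start(): string {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION[self::FIELD])) {
            $_SESSION[self::FIELD] = bin2hex(random_bytes(32));
        }
        return $_SESSION[self::FIELD];
    }

    // Inject the hidden field right after every opening <form> tag.
    public static function inject(string $html): string {
        $input = '<input type="hidden" name="' . self::FIELD . '" value="'
               . htmlspecialchars(self::start(), ENT_QUOTES, 'UTF-8') . '">';
        return preg_replace('/(<form\b[^>]*>)/i', '$1' . $input, $html);
    }

    // Validate a submitted POST body. hash_equals() is constant-time, and a
    // missing, empty or edited token is a hard failure rather than a pass-through.
    public static function check(array $post): bool {
        $expected = $_SESSION[self::FIELD] ?? '';
        $given    = (string)($post[self::FIELD] ?? '');
        return $expected !== '' && hash_equals($expected, $given);
    }
}

// Demo with constructed input: genuine token accepted, edited token rejected.
$token = DemoCsrf::start();
$html  = DemoCsrf::inject('<form method="post"><button>Go</button></form>');
echo $html, PHP_EOL;
echo 'genuine token:  ', DemoCsrf::check([DemoCsrf::FIELD => $token]) ? 'accepted' : 'rejected', PHP_EOL;
echo 'edited token:   ', DemoCsrf::check([DemoCsrf::FIELD => 'edited-in-devtools']) ? 'accepted' : 'rejected', PHP_EOL;
echo 'missing token:  ', DemoCsrf::check([]) ? 'accepted' : 'rejected', PHP_EOL;
```

Run it from the CLI (php demo.php); the session is created on disk by session_start(), so no web server is needed to see the three outcomes.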


Active Member

Posts

Joined
Tue Nov 05, 2019 11:08 pm


Post by straightlight » Sat Jan 30, 2021 11:00 am

Maybe I should use a controller instead of a library to output the errors. There is another way to output the errors from the library, but it seems to be a bit more complex than expected. I will test with a controller and see if I can use a log file for this.




Post by nightwing » Sat Jan 30, 2021 11:52 am

Thanks straightlight!
straightlight wrote:
Sat Jan 30, 2021 11:00 am
May be I should use a controller instead of a library to output the errors. There is another way to output the errors from the library but seem to be a bit more complexed than expected. I will test with a controller and see if I can use a log file for this.



