Post by straightlight » Sat Apr 18, 2020 1:02 am

jsw wrote:
Sat Apr 18, 2020 12:13 am
straightlight wrote:
Sun Aug 04, 2019 6:45 pm
arthena wrote:
Sun Aug 04, 2019 12:28 pm
Hi,
I have CSRF Protection Extension installed in version 3.0.2.0 and am still getting at least one fake account every few days. I have noticed that the account set up never has an address. How can this happen when any proper customer has to enter an address to set up an account?
Any ideas please?
As I said many times on the topic before, this extension does NOT prevent SPAM!

It simply kicks out the CSRF bots sitting behind the HTML forms. Re-Captcha V3 is still needed to work with it so that Re-Captcha doesn't have to work with many sitting-by bots awaiting for a user.
Thanks for the extension, straightlight! Installed it on OC v3.0.3.2 today. One little question, does it work well with Basic Captcha?
It should. However, Johnathan did address on the forum that Captcha V3 may differ from Captcha V2, and that V2 might be working better as opposed to V3. In this case, an extension from the Marketplace would be rather suggested to use.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by jsw » Sat Apr 18, 2020 9:39 pm

straightlight wrote:
Sat Apr 18, 2020 1:02 am
It should. However, Johnathan did address on the forum that Captcha V3 may differ from Captcha V2, and that V2 might be working better as opposed to V3. In this case, an extension from the Marketplace would be rather suggested to use.
Thanks, I've installed Google reCAPTCHA extension that came with OC v3 along with your vQmod. reCAPTCHA v3 gives an "invalid key type" error but reCAPTCHA v2 works fine so that's what I'm using now. Have a great weekend!

jsw
Newbie

Posts

Joined
Wed Jun 12, 2013 11:42 pm
Location - Canada

Post by straightlight » Sun Apr 19, 2020 12:16 am

jsw wrote:
Sat Apr 18, 2020 9:39 pm
straightlight wrote:
Sat Apr 18, 2020 1:02 am
It should. However, Johnathan did address on the forum that Captcha V3 may differ from Captcha V2, and that V2 might be working better as opposed to V3. In this case, an extension from the Marketplace would be rather suggested to use.
Thanks, I've installed Google reCAPTCHA extension that came with OC v3 along with your vQmod. reCAPTCHA v3 gives an "invalid key type" error but reCAPTCHA v2 works fine so that's what I'm using now. Have a great weekend!
Thanks for your feedback. :)

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by khnaz35 » Fri May 15, 2020 6:32 pm

Thank you for the extension, it worked on OC 2.3.0.2 ;)
Just a note to other forum users: do install Google reCaptcha together with this extension, it will work amazingly.
And for reCaptcha do use only V2 versions, hence the V3 is not yet done by default opencart.
Lastly, don't forget to turn on the reCaptcha from store settings :laugh:
Regards
Khnaz35

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*


Active Member

Posts

Joined
Mon Aug 27, 2018 11:30 pm
Location - Malaysia

Post by daymobrew » Fri Jun 05, 2020 5:57 pm

I'm unclear about how to enable this mod.
I have downloaded crsf30.zip.
I have uploaded system/helper/csrf_helper.php and vqmod/xml/csrf.xml
I am running OC 3.0.3.3.

As csrf.xml didn't seem to change my theme files (I am not using 'default') I made some changes in my own vQmod xml file.


		<file name="catalog/controller/account/register.php">
			<operation info="Enable CSRF protection in register form to stop spam registrations.">
				<search position="before"><![CDATA[
		// Captcha
				]]></search>
				<add><![CDATA[
$csrf = new Csrf();
$csrf->csrf_start($this->registry);
$data['csrf_form_input'] = $csrf->csrf_form_input();
				]]></add>
			</operation>
		</file>
		<file name="catalog/view/theme/luxury/template/account/register.twig">
			<operation info="Add CSRF protection to register form to stop spam registrations.">
				<search position="after"><![CDATA[
      <form action="{{ action }}" method="post" enctype="multipart/form-data" class="form-horizontal">
				]]></search>
				<add><![CDATA[
{% if csrf_form_input %}
{{ csrf_form_input }}
{% endif %}
				]]></add>
			</operation>
		</file>
The catalog/controller/account/register.php change generated a 500 error because the Csrf class is not available.
I looked through all my Extensions/Extensions but do not see any CSRF module there.

New member

Posts

Joined
Wed Dec 22, 2010 7:36 am

Post by straightlight » Fri Jun 05, 2020 6:19 pm

I looked through all my Extensions/Extensions but do not see any CSRF module there.
It won't be. Do you have the ZLIB library installed on your server as per Opencart's requirements since installation? If so, please provide the XML file as an attachment. Only a partial solution has been posted on the above.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by nightwing » Wed Aug 19, 2020 8:37 pm

Hi Straightlight, I have installed on my 3.0.3.2 release, I do see the hidden area in the admin view source but not on the front page forms (login, register etc)
straightlight wrote:
Mon Jul 14, 2014 11:12 pm
The package will be updated soon.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing


Active Member

Posts

Joined
Tue Nov 05, 2019 11:08 pm


Post by straightlight » Wed Aug 19, 2020 9:42 pm

nightwing wrote:
Wed Aug 19, 2020 8:37 pm
Hi Straightlight, I have installed on my 3.0.3.2 release, I do see the hidden area in the admin view source but not on the front page forms (login, register etc)
straightlight wrote:
Mon Jul 14, 2014 11:12 pm
The package will be updated soon.
You need to edit your XML file to match all TWIG files of your custom themes.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by nightwing » Wed Aug 19, 2020 9:48 pm

(Noted, I will remove until it is completed, I will keep watch of this thread - Thanks) Edited - I actually saw your last post on the front page and responded :D - My apologies - I am using the default theme.
straightlight wrote:
Mon Jul 14, 2014 11:12 pm
The package will be updated soon.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by nightwing » Wed Aug 19, 2020 11:37 pm

When I do this, it stopped working for the admin panel.
PSMDanny wrote:
Thu Nov 01, 2018 5:12 am
Hi and thank you for creating this wonderful extension and spending so much time here on helping users (that don't read).

Just wanted to note:
couple of minutes ago I downloaded the extension and started testing on Opencart 3020 with vqmod 2.6.2 Admin test was correct... frontend test was not correct (= no csrf tokens...)

So I started debugging the xml file and found out that in the current downloadable version (csrf.xml) there was code missing for the catalog/controller/common/header.php

So I added following code to the xml and everything seems to be working:
<file name="catalog/controller/common/header.php" error="skip">
<operation error="skip">
<search position="before"><![CDATA[$data['scripts']]]></search>
<add><![CDATA[
$this->load->helper('csrf_helper');

csrf_start();
]]></add>
</operation>
</file>

Thanks again and good luck!

Best Regards,
Danny

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by straightlight » Wed Aug 19, 2020 11:45 pm

It must be applied straight to your TWIG files as replied above for the catalog-end side, not on the header controller.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by nightwing » Wed Aug 19, 2020 11:52 pm

Hey straightlight, yes I have been going through the post and saw your comment. I have the default theme, the xml file is as is and still only works for admin.
straightlight wrote:
Wed Aug 19, 2020 11:45 pm
It must be applied straight to your TWIG files as replied above for the catalog-end side, not on the header controller.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by straightlight » Thu Aug 20, 2020 4:25 am

nightwing wrote:
Wed Aug 19, 2020 11:52 pm
Hey straightlight, yes I have been going through the post and saw your comment. I have the default theme, the xml file is as is and still only works for admin.
straightlight wrote:
Wed Aug 19, 2020 11:45 pm
It must be applied straight to your TWIG files as replied above for the catalog-end side, not on the header controller.
Then, you're doing something wrong.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by nightwing » Thu Aug 20, 2020 4:45 am

straightlight, that's odd, I downloaded the latest version of the file, csrf.xml goes into /vqmod/xml and csrf_helper.php goes to /system/helper
Refreshed Modification, Cleared Theme and SASS Cache, Cleared Browser Cache & Cookies, closed and reopened the browser, logged in and this only works for admin page. I am using the default theme, and I have no modules that make changes to the forms.
I do use cloudflare (Just to add) I cleared the cloudflare cache as well. Still doesn't work...

[Edited]
I installed on my local host (default theme) and it's the same effect, admin has it, catalog doesn't.
straightlight wrote:
Thu Aug 20, 2020 4:25 am
nightwing wrote:
Wed Aug 19, 2020 11:52 pm
Hey straightlight, yes I have been going through the post and saw your comment. I have the default theme, the xml file is as is and still only works for admin.
straightlight wrote:
Wed Aug 19, 2020 11:45 pm
It must be applied straight to your TWIG files as replied above for the catalog-end side, not on the header controller.
Then, you're doing something wrong.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by straightlight » Thu Aug 20, 2020 11:48 pm

Since others were able to make it work, it's simply about user error.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by nightwing » Fri Aug 21, 2020 11:44 am

I just installed 3.0.3.2 via xampp - Same results
straightlight wrote:
Mon Jul 14, 2014 11:12 pm
The package will be updated soon.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by nightwing » Sat Aug 22, 2020 2:48 am

Straightlight, strangely, after copying


	<file name="admin/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
			$this->load->helper('csrf_helper');

			csrf_start();
			]]></add>
        </operation>
	</file>
pasting and replacing admin/controller/common/header.php with catalog/controller/common/header.php like this:


  <file name="catalog/controller/common/header.php" error="skip">
        <operation error="skip">
            <search position="before"><![CDATA[$data['scripts']]]></search>
            <add><![CDATA[
      $this->load->helper('csrf_helper');

      csrf_start();
      ]]></add>
        </operation>
  </file>
With all the default spacing etc, it worked, I can now see the token on the view source.
You said "It must be applied straight to your TWIG files as replied above for the catalog-end side, not on the header controller."
If it works like this, is there some possibility that it is not as secure?
It works for my lab even after removing these:


	<file name="catalog/view/theme/*/template/product/*.twig" error="skip">
        <operation error="skip">
            <search position="replace" regex="true"><![CDATA[~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i]]></search>
            <add><![CDATA[$1]]></add>
        </operation>
	</file>
Please let me know.
nightwing wrote:
Fri Aug 21, 2020 11:44 am
I just installed 3.0.3.2 install via xampp - Same results
straightlight wrote:
Mon Jul 14, 2014 11:12 pm
The package will be updated soon.
Last edited by nightwing on Sat Aug 22, 2020 2:56 am, edited 1 time in total.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by straightlight » Sat Aug 22, 2020 2:55 am

The times when and where it won't be secured is when the header is not being called from the controller from installed extensions you might be using.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by nightwing » Sat Aug 22, 2020 3:20 am

Noted, thank you for this extension!
straightlight wrote:
Sat Aug 22, 2020 2:55 am
The times when and where it won't be secured is when the header is not being called from the controller from installed extensions you might be using.

Regards,
Nightwing
Access to my Free Extensions: https://www.opencart.com/index.php?rout ... =nightwing




Post by Cabsie » Wed Sep 09, 2020 12:31 am

I followed all the instructions but still received the spam sign ups, but there was 1 final part missing - the most obvious! :D
This:
khnaz35 wrote:
Fri May 15, 2020 6:32 pm
Lastly don't forget to turn on the reCaptcha from store settings

Newbie

Posts

Joined
Sun May 19, 2013 4:51 am