Re: [RELEASED] CSRF Protection Form

Posted: Mon Jan 18, 2021 6:10 am
by imager
I apologize in advance - as this may be a very simple question.

On our 3.0.2.0 system, I went through the install of VQmod and crsf30 with no apparent errors.

Our install of 3.0.2.0 is very much standard, so I did NOT perform any edits of the csrf.xml; rather, I used it as supplied.

I am not sure it is "working" and unsure how to check. I have reviewed the first message of this forum and am not sure what type of result I should be looking for/at.

Could someone confirm a quick way for us to confirm if the install is working?

Thanks..

Re: [RELEASED] CSRF Protection Form

Posted: Mon Jan 18, 2021 8:51 am
by imager
I had a better look, and I see on my login to the Admin page, there is the necessary:

Code:

<input type="hidden" name="__csrf" value="***">

Should I also be protecting pages such as Change Password and Edit Account pages? I believe I should be, and confirmed that the hidden field is not showing up on those pages. What is involved in adding it to those pages (I am not even sure of OC 3.0.2.0 TWIG file names for those pages to have VQMod do the changes on).

Assistance would be appreciated.

Re: [RELEASED] CSRF Protection Form

Posted: Mon Jan 18, 2021 1:32 pm
by straightlight
imager wrote:
Mon Jan 18, 2021 8:51 am
I had a better look, and I see on my login to the Admin page, there is the necessary:

Code:

<input type="hidden" name="__csrf" value="***">

Should I also be protecting pages such as Change Password and Edit Account pages? I believe I should be, and confirmed that the hidden field is not showing up on those pages. What is involved in adding it to those pages (I am not even sure of OC 3.0.2.0 TWIG file names for those pages to have VQMod do the changes on).

Assistance would be appreciated.
The only requirement is to edit your XML file by targeting the right path and file of each TWIG file until you notice the __csrf key input. :)
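
A quick way to see which forms still lack the field, as an added example (not part of the original thread or the extension's code): it parses saved page HTML and lists POST forms that have no non-empty hidden `__csrf` input. The sample markup and the `/login`, `/change-password` and `/search` paths are constructed placeholders.

```python
from html.parser import HTMLParser

CSRF_FIELD = "__csrf"  # hidden input name quoted in the thread

class FormCollector(HTMLParser):
    """Record each <form> with its method, action and named inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._open = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "inputs": {}}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None and a.get("name"):
            self._open["inputs"][a["name"]] = (
                (a.get("type") or "text").lower(), a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

def unprotected_post_forms(html):
    """Return actions of POST forms with no non-empty hidden __csrf input."""
    collector = FormCollector()
    collector.feed(html)
    missing = []
    for f in collector.forms:
        kind, value = f["inputs"].get(CSRF_FIELD, ("", ""))
        if f["method"] == "post" and (kind != "hidden" or not value):
            missing.append(f["action"])
    return missing

# Constructed sample markup (placeholder paths, not real OpenCart templates).
SAMPLE_PAGES = {
    "login": '<form action="/login" method="post">'
             '<input type="hidden" name="__csrf" value="constructed-token">'
             '<input type="password" name="password"></form>',
    "change_password": '<form action="/change-password" method="POST">'
                       '<input type="password" name="password"></form>',
    "search": '<form action="/search" method="get">'
              '<input type="text" name="q"></form>',
}

def audit(pages):
    return {name: unprotected_post_forms(html) for name, html in pages.items()}

print(audit(SAMPLE_PAGES))
```

Presence of the field shows only that the template was patched; whether the server rejects a missing or wrong token has to be tested separately.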

Re: [RELEASED] CSRF Protection Form

Posted: Mon Jan 18, 2021 11:00 pm
by khnaz35
straightlight wrote:
Mon Jan 18, 2021 1:32 pm

The only requirement is to edit your XML file by targeting the right path and file of each TWIG file until you notice the __csrf key input. :)
This question has been asked many times.
I think it's time to put the default theme twig path in the XML file to let people understand what and which need to be added.

Re: [RELEASED] CSRF Protection Form

Posted: Tue Jan 19, 2021 12:38 am
by straightlight
khnaz35 wrote:
Mon Jan 18, 2021 11:00 pm
straightlight wrote:
Mon Jan 18, 2021 1:32 pm

The only requirement is to edit your XML file by targeting the right path and file of each TWIG file until you notice the __csrf key input. :)
This question has been asked many times.
I think it's time to put the default theme twig path in the XML file to let people understand what and which need to be added.
By doing that, it would mislead the people downloading extension themes where the default theme folder is being overwritten and taking the lead to the original default theme folder even though we're informing the users on an everyday basis not to do that. As a result, non-knowledgeable users would then believe that the extension might be the problem while the default folder could be replaced. In addition, using custom themes, as opposed to the default theme is of course the right course of action but, yet, to know how to deal with custom theme paths while using the default theme.

Based on these observations, I think time would need to be set to another time.

Re: [RELEASED] CSRF Protection Form

Posted: Wed Jan 20, 2021 9:04 am
by straightlight
Maybe I should release an Events version of this extension.

Re: [RELEASED] CSRF Protection Form

Posted: Wed Jan 20, 2021 9:07 am
by khnaz35
straightlight wrote:
Wed Jan 20, 2021 9:04 am
Maybe I should release an Events version of this extension.
That's a good idea, since OC 4 is also on its way and OCMOD is removed from it.

Re: [RELEASED] CSRF Protection Form

Posted: Wed Jan 20, 2021 1:23 pm
by straightlight
Alright folks here it is: https://www.opencart.com/index.php?rout ... on_id=4773 . I have deprecated the previous releases. From now on, it's the Events version. Full instructions posted on the Marketplace starting from today's date (and from this post's date). :)

Re: [RELEASED] CSRF Protection Form

Posted: Wed Jan 20, 2021 1:27 pm
by khnaz35
straightlight wrote:
Wed Jan 20, 2021 1:23 pm
Alright folks here it is: https://www.opencart.com/index.php?rout ... on_id=4773 . I have deprecated the previous releases. From now on, it's the Events version. Full instructions posted on the Marketplace starting from today's date (and from this post's date). :)
Thanks Straightlight for your time and effort and trying to keep this OC safe as much as possible. :-*

Re: [RELEASED] CSRF Protection Form

Posted: Wed Jan 20, 2021 3:37 pm
by nightwing
Thank you Straightlight!

Re: [RELEASED] CSRF Protection Form

Posted: Wed Jan 20, 2021 8:41 pm
by straightlight
Glad to hear everything's working great now. Please rate my extension on the Marketplace page if you like it. In the meantime, there's a post or two about using the exit and an additional header line on this topic or the Marketplace page to block CSRF attempts in the CSRF helper. I'll run some tests on it and see if I can pull it in for the next update.

Re: [RELEASED] CSRF Protection Form

Posted: Wed Jan 20, 2021 8:49 pm
by straightlight
As for previous OC releases, it should work as well as long as it supports recent OCMod installers from the core.

Re: [RELEASED] CSRF Protection Form

Posted: Thu Jan 21, 2021 4:35 am
by straightlight
Updated the extension. Added X-CSRF header lookup as per StackOverflow.com : https://www.opencart.com/index.php?rout ... on_id=4773 . Simply uninstall the extension from the OC Admin installer and re-upload the updated ZIP file and follow the same instructions as per yesterday on the Marketplace page (20-01-2021).

Re: [RELEASED] CSRF Protection Form

Posted: Fri Jan 22, 2021 3:48 am
by micke6559
I have had some troubles with a bot that is creating new customers.
I found this module, but I have Opencart 1.5.6 running at the moment (yes, it will be updated soon).

Does this work for OC 1.5.6 or do you have an old fix that you can send me?

Regards, Micke

Re: [RELEASED] CSRF Protection Form

Posted: Fri Jan 22, 2021 8:39 pm
by straightlight
micke6559 wrote:
Fri Jan 22, 2021 3:48 am
I have had some troubles with a bot that is creating new customers.
I found this module, but I have Opencart 1.5.6 running at the moment (yes, it will be updated soon).

Does this work for OC 1.5.6 or do you have an old fix that you can send me?

Regards, Micke
The v4.x releases support OC v3.x releases only now, with the exception of the Template Switcher extension, which could probably be used with lower OC versions but above and equal to the 2.2.0.0 release of OC. However, I do still recommend upgrading to OC v3.x releases.

Re: [RELEASED] CSRF Protection Form

Posted: Fri Jan 22, 2021 8:48 pm
by straightlight
* Note to all users: Now that the extension works with Events, I highly recommend store owners to put their stores under maintenance whenever they need to install a 3rd party extension, prior to uninstalling, re-packing and re-installing the CSRF Protection Form. This way, the transition between those times where the extension will be uninstalled and re-uploaded will be less likely to impact customers during the authentication process as well as on other pages where the POST method is required. *

Re: [RELEASED] CSRF Protection Form

Posted: Sat Jan 23, 2021 10:26 pm
by khnaz35
@straightlight
OC 3.0.3.5 with default theme.

I have downloaded and installed the latest CSRF extension, and upon installing I have run into an error. When I click the install button, it just says "error".

Checking the developer console, it shows a 500 error code, and these are the errors in the PHP error log.

Code:

[23-Jan-2021 14:02:54 UTC] PHP Parse error:  syntax error, unexpected '$this' (T_VARIABLE), expecting ')' in /home/asdfghbjk/public_html/xxx/test/admin/controller/extension/module/sl_csrf.php on line 2210
[23-Jan-2021 14:03:11 UTC] PHP Parse error:  syntax error, unexpected '$this' (T_VARIABLE), expecting ')' in /home/asdfghbjk/public_html/xxx/test/admin/controller/extension/module/sl_csrf.php on line 2210
[23-Jan-2021 14:03:27 UTC] PHP Parse error:  syntax error, unexpected '$this' (T_VARIABLE), expecting ')' in /home/asdfghbjk/public_html/xxx/test/admin/controller/extension/module/sl_csrf.php on line 2210
[23-Jan-2021 14:09:07 UTC] PHP Parse error:  syntax error, unexpected '$this' (T_VARIABLE), expecting ')' in /home/asdfghbjk/public_html/xxx/test/admin/controller/extension/module/sl_csrf.php on line 2210

Re: [RELEASED] CSRF Protection Form

Posted: Sat Jan 23, 2021 11:29 pm
by straightlight
What is the code on that line that you have?

Re: [RELEASED] CSRF Protection Form

Posted: Sun Jan 24, 2021 12:00 am
by khnaz35
straightlight wrote:
Sat Jan 23, 2021 11:29 pm
What is the code on that line that you have?

Code:

$this->model_setting_event->deleteEventByCode('admin_sl_csrf_payment_payza');

Re: [RELEASED] CSRF Protection Form

Posted: Sun Jan 24, 2021 12:21 am
by straightlight
khnaz35 wrote:
Sun Jan 24, 2021 12:00 am
straightlight wrote:
Sat Jan 23, 2021 11:29 pm
What is the code on that line that you have?

Code:

$this->model_setting_event->deleteEventByCode('admin_sl_csrf_payment_payza');

By looking at that code, there doesn't seem to be anything wrong with it. See if there are any whitespace characters above or underneath it at the end of the lines.