OpenCart Community

~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i

straightlight wrote: ↑

Wed Feb 03, 2021 8:32 am

nightwing wrote: ↑

Wed Feb 03, 2021 8:22 am

I get you... Hmm that cannot be used then as I see tags with <form method and <form action... If this is what you mean

straightlight wrote: ↑

Wed Feb 03, 2021 7:46 am

As explained on the above, it would be the ordering priority entered by the user when using the element names on the <form line.

They both can and must be used to import the CSRF token but the only difference is the way they're being entered by the user as priority for each element names which is why the use of regex is eminent in this case.

nightwing wrote: ↑

Thu Feb 04, 2021 10:02 pm

Yes, I was explaining that when I tested with regex, it replaced the entire line.
I used this from your original vqmod:

Code: Select all

~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i

straightlight wrote: ↑

Wed Feb 03, 2021 8:32 am

nightwing wrote: ↑

Wed Feb 03, 2021 8:22 am

I get you... Hmm that cannot be used then as I see tags with <form method and <form action... If this is what you mean

They both can and must be used to import the CSRF token but the only difference is the way they're being entered by the user as priority for each element names which is why the use of regex is eminent in this case.

straightlight wrote: ↑

Thu Feb 04, 2021 10:28 pm

nightwing wrote: ↑

Thu Feb 04, 2021 10:02 pm

Yes, I was explaining that when I tested with regex, it replaced the entire line.
I used this from your original vqmod:

Code: Select all

~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i

straightlight wrote: ↑

Wed Feb 03, 2021 8:32 am

They both can and must be used to import the CSRF token but the only difference is the way they're being entered by the user as priority for each element names which is why the use of regex is eminent in this case.

However, the e.g you were showing are still able tracking lines individually with OCMod where OCMod is on its way of deprecation from the core in the future.

nightwing wrote: ↑

Thu Feb 04, 2021 10:32 pm

Well its tracking the lines, and replacing them even when I used add position after. I am aware that its on its way to deprecation, but for now its needed.

straightlight wrote: ↑

Thu Feb 04, 2021 10:28 pm

nightwing wrote: ↑

Thu Feb 04, 2021 10:02 pm

Yes, I was explaining that when I tested with regex, it replaced the entire line.
I used this from your original vqmod:

Code: Select all

~(<form[^>]*method\s*=\s*["\']post["\'][^>]*>)~i

However, the e.g you were showing are still able tracking lines individually with OCMod where OCMod is on its way of deprecation from the core in the future.

straightlight wrote: ↑

Fri Feb 05, 2021 1:48 am

nightwing wrote: ↑

Thu Feb 04, 2021 10:32 pm

Well its tracking the lines, and replacing them even when I used add position after. I am aware that its on its way to deprecation, but for now its needed.

straightlight wrote: ↑

Thu Feb 04, 2021 10:28 pm

However, the e.g you were showing are still able tracking lines individually with OCMod where OCMod is on its way of deprecation from the core in the future.

It's good, at least, you figured out your own way to make it work but, as said, going back the way it was won't help the people on how it works since, over the years, it is more than obvious that they don't know since those changes you specified are still about server-specific tracking.

nightwing wrote: ↑

Fri Feb 05, 2021 2:51 am

Lol Sraightlight, I have nit figured it out!
Its removing the form tag and replacing it with the hidden input, in otherwords, its not doing the correct thing even when I add position after and not replace.

straightlight wrote: ↑

Fri Feb 05, 2021 1:48 am

nightwing wrote: ↑

Thu Feb 04, 2021 10:32 pm

Well its tracking the lines, and replacing them even when I used add position after. I am aware that its on its way to deprecation, but for now its needed.

It's good, at least, you figured out your own way to make it work but, as said, going back the way it was won't help the people on how it works since, over the years, it is more than obvious that they don't know since those changes you specified are still about server-specific tracking.

straightlight wrote: ↑

Fri Feb 05, 2021 2:53 am

nightwing wrote: ↑

Fri Feb 05, 2021 2:51 am

Lol Sraightlight, I have nit figured it out!
Its removing the form tag and replacing it with the hidden input, in otherwords, its not doing the correct thing even when I add position after and not replace.

straightlight wrote: ↑

Fri Feb 05, 2021 1:48 am

It's good, at least, you figured out your own way to make it work but, as said, going back the way it was won't help the people on how it works since, over the years, it is more than obvious that they don't know since those changes you specified are still about server-specific tracking.

The old version used too. You're simply trying to fallback but can't seem to reproduce the ways it used to be. That's fine, since there doesn't seem to be any way out on this one since the deprecation of OCMod.

Rainforest wrote: ↑

Sat Sep 11, 2021 2:00 pm

Using OC 3.0.3.8 here and a WAF
My WAF provider was looking into this and asked:
any issues with the firewall requests?

straightlight wrote: ↑

Sat Sep 11, 2021 6:05 pm

Rainforest wrote: ↑

Sat Sep 11, 2021 2:00 pm

Using OC 3.0.3.8 here and a WAF
My WAF provider was looking into this and asked:
any issues with the firewall requests?

Not sure why this is addressed on the topic ...

Rainforest wrote: ↑

Sun Sep 12, 2021 1:03 pm

straightlight wrote: ↑

Sat Sep 11, 2021 6:05 pm

Rainforest wrote: ↑

Sat Sep 11, 2021 2:00 pm

Using OC 3.0.3.8 here and a WAF
My WAF provider was looking into this and asked:
any issues with the firewall requests?

Not sure why this is addressed on the topic ...

Because it has to do with this extension.
1. Is the extension compatible with 3.0.3.8? (doesn't list so on the extension page)
2. My Firewall provider said to me when I showed him this extensions:

"In regards to the extension I would recommend looking into adding it and checking if there are any issues with the firewall requests. This would ensure that the "CSRF" token is added to confirm the requests are legit. "

joeantropy wrote: ↑

Wed Dec 15, 2021 12:24 am

This extension doesn't do anything to protect against CSRF!

In the csrf_check() function in the system/library/csrf_helper.php file, where the actual CSRF check happens is wrapped in this conditional:

Code: Select all

if (isset($this->request->post['__csrf'])) {

You can bypass the CSRF check entirely by simply omitting the <input name="__csrf" .../> from the form. An attacker can construct a form without this field (i.e. the exact same way they would if this extension was not installed), isset($this->request->post['__csrf'])) evaluates to false, and the CSRF attack proceeds as normal. Completely defeats the purpose of such an extension.

joeantropy wrote: ↑

Wed Dec 15, 2021 12:24 am

This extension doesn't do anything to protect against CSRF!

In the csrf_check() function in the system/library/csrf_helper.php file, where the actual CSRF check happens is wrapped in this conditional:

Code: Select all

if (isset($this->request->post['__csrf'])) {

You can bypass the CSRF check entirely by simply omitting the <input name="__csrf" .../> from the form. An attacker can construct a form without this field (i.e. the exact same way they would if this extension was not installed), isset($this->request->post['__csrf'])) evaluates to false, and the CSRF attack proceeds as normal. Completely defeats the purpose of such an extension.