Post by supak111 » Fri Dec 04, 2020 6:22 am

First off, thanks for this extension :). A quick question for you.

Would everything work the same if I convert/rewrite the vQmod xml file to an OCmod xml file and leave the helper file as is? Or does this only work on VQmod?

I don't like using both OCmod and VQmod, so all my modifications are OCmod at the moment.

PS: just converted it to OCmod, and it seems to work on admin but not on the front end on 3.0.3.2 for me too.

You have the csrf_helper initiated in the admin controller but not in the catalog controller; should this be in the xml file too?

    <file path="catalog/controller/common/header.php" error="skip">
        <operation error="skip">
            <search><![CDATA[$data['scripts']]]></search>
            <add position="before"><![CDATA[
            $this->load->helper('csrf_helper');

            csrf_start();
            ]]></add>
        </operation>
    </file>

PPS: yup, adding the code above seems to make it work; now the csrf secret value shows up 😊

~ OC 3.0.3.2 and OCmods only ~



Post by straightlight » Fri Dec 04, 2020 8:14 pm

supak111 wrote:
Fri Dec 04, 2020 6:22 am
First off, thanks for this extension :). A quick question for you.

Would everything work the same if I convert/rewrite the vQmod xml file to an OCmod xml file and leave the helper file as is? Or does this only work on VQmod?

I don't like using both OCmod and VQmod, so all my modifications are OCmod at the moment.

PS: just converted it to OCmod, and it seems to work on admin but not on the front end on 3.0.3.2 for me too.

You have the csrf_helper initiated in the admin controller but not in the catalog controller; should this be in the xml file too?

    <file path="catalog/controller/common/header.php" error="skip">
        <operation error="skip">
            <search><![CDATA[$data['scripts']]]></search>
            <add position="before"><![CDATA[
            $this->load->helper('csrf_helper');

            csrf_start();
            ]]></add>
        </operation>
    </file>

PPS: yup, adding the code above seems to make it work; now the csrf secret value shows up 😊
Excellent, good work!

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by supak111 » Sat Dec 05, 2020 8:36 am

straightlight wrote:
Fri Dec 04, 2020 8:14 pm
Excellent, good work!
You might wanna update your extension in the marketplace.

Also do you want me to post up my converted OCmod version of it on the marketplace so people can use it since some people prefer OCmod over VQmod?

~ OC 3.0.3.2 and OCmods only ~



Post by straightlight » Sat Dec 05, 2020 10:25 am

supak111 wrote:
Sat Dec 05, 2020 8:36 am
straightlight wrote:
Fri Dec 04, 2020 8:14 pm
Excellent, good work!
You might wanna update your extension in the marketplace.

Also do you want me to post up my converted OCmod version of it on the marketplace so people can use it since some people prefer OCmod over VQmod?
Send me your version in PM and I'll take a look at it.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by docroesner » Fri Jan 01, 2021 12:29 am

@supak111
I'd appreciate your ocmod version, as I have no idea how to install this extension in my 3.0.2 and 3.0.6 installations.
Straightlight is talking about overwriting existing files of a library. Which library?
The zip I downloaded contains only 2 files: one xml file, which seems to need VQmod (which I do not have installed), and a csrf_helper.php.
That's all to make it run?
Many thanks for eventually answering.



Post by straightlight » Fri Jan 01, 2021 1:16 am

The zip I downloaded contains only 2 files: one xml file, which seems to need VQmod (which I do not have installed), and a csrf_helper.php.
You do need it installed.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by docroesner » Sun Jan 03, 2021 2:15 am

OK, I succeeded in installing VQmod and the CSRF script.
This is a multi-shop. I suppose I need to install some of the files to the other installations as well, don't I?
Which ones, please?
If this is not considered abuse, may I ask one more question, which is related to the contact forms that usually come with OpenCart?
We had increasing volumes of spam submissions of these contact forms, and installing ReCaptcha did not resolve anything.
Then I took the contact forms completely away. This did not resolve anything either!
Then I went into the code of catalog/controller/information/contact.php and disabled the line $mail->send(); in function index.
That resolved the problem absolutely.
But what absurdity! Is there a more elegant way to prevent these submissions, which are obviously done by scripts that submit the contact form without going through a browser? Perhaps by cURL or whatever; I have no idea. It is odd.
Solution?



Post by khnaz35 » Sun Jan 03, 2021 7:38 pm

If you are using cPanel, enable cPanel's cPHulk brute force protection and put all those countries/IPs into the blacklist.
Enable an extra firewall on your server, as well as enabling the spam filter on your mail server.

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by docroesner » Mon Jan 04, 2021 1:29 am

Hi khnaz35, thanks for caring!
I am not on cPanel. We have some Russian/Ukrainian/Indian customers, so .... that's not an option.
I was hoping for the CSRF script to block these robot submissions, but seemingly I am unable to get it installed.
Even with a "VQMODDED Startup" the xml does not throw the __csrf parameter into my forms on the customer side. Not in the main shop nor in the dependent shops (I have a multi-shop setup). Consequently we receive fake account registrations as always. It seems I did not install the scripts correctly (though the admin login form is showing the token in its source code).



Post by straightlight » Mon Jan 04, 2021 2:06 am

docroesner wrote:
Mon Jan 04, 2021 1:29 am
Hi khnaz35, thanks for caring!
I am not on cPanel. We have some Russian/Ukrainian/Indian customers, so .... that's not an option.
I was hoping for the CSRF script to block these robot submissions, but seemingly I am unable to get it installed.
Even with a "VQMODDED Startup" the xml does not throw the __csrf parameter into my forms on the customer side. Not in the main shop nor in the dependent shops (I have a multi-shop setup). Consequently we receive fake account registrations as always. It seems I did not install the scripts correctly (though the admin login form is showing the token in its source code).
You need to enable Zlib Compression Output on your domain, as well as look up the XML file paths inside the XML to ensure all routes are pointing to the right locations compared to your physical paths on your server. Another way would be to use the VQMod Manager extension to look at the logs, which automatically generates error outputs when that is the case.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by docroesner » Mon Jan 04, 2021 8:52 am

Hello Straightlight,
I enabled zlib.compression_output in .htaccess.
Regarding the file paths: I have some customized templates. I have now deleted the customized account/register.twig for testing purposes.
Of course I cleared the cache on the server and in my browser, Safari.
Nevertheless, calling index.php?route=account/register in the browser, no hidden input field is visible containing the csrf token.
The error log of the VQMod Manager is empty, even though it says error logging is enabled.
What makes me wonder is that my modules list displays VQMod Manager as disabled. In the manager I see no way to enable this.
However, inside the manager it displays VQMOD CORE, VQMod Manager Menu Shortcut and CSRF Form Protection as enabled.
All this on the main shop (shop_id=0). Most fake account registrations, however, originate from shop_id=1 - that would be the next step, to have all this set up there, a different domain on the same server.
Any advice?



Post by straightlight » Mon Jan 04, 2021 9:10 am

docroesner wrote:
Mon Jan 04, 2021 8:52 am
Hello Straightlight,
I enabled zlib.compression_output in .htaccess.
Regarding the file paths: I have some customized templates. I have now deleted the customized account/register.twig for testing purposes.
Of course I cleared the cache on the server and in my browser, Safari.
Nevertheless, calling index.php?route=account/register in the browser, no hidden input field is visible containing the csrf token.
The error log of the VQMod Manager is empty, even though it says error logging is enabled.
What makes me wonder is that my modules list displays VQMod Manager as disabled. In the manager I see no way to enable this.
However, inside the manager it displays VQMOD CORE, VQMod Manager Menu Shortcut and CSRF Form Protection as enabled.
All this on the main shop (shop_id=0). Most fake account registrations, however, originate from shop_id=1 - that would be the next step, to have all this set up there, a different domain on the same server.
Any advice?
The extension shows as enabled in your VQMod Manager. Therefore, you just need to find the right paths in the XML file for the __csrf to load in view source. In the meantime, try the zlib.compression_output in your php.ini or .user.ini file instead of .htaccess to notice the difference.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester




Post by supak111 » Tue Jan 05, 2021 8:02 am

Yes there are only 2 files in the vQmod version of this extension. You must have vQmod installed.
BUT I converted it to OCmod, so download my version below and install it via admin: extension --> installer

VQmod version of CSRF Protection Form Extension https://www.opencart.com/index.php?rout ... on_id=4773
OCmod version download it here: https://gofile.io/d/pHognI

PS: only tested on 3.0.3.2, should work on all OC 3xxx

~ OC 3.0.3.2 and OCmods only ~




Post by khnaz35 » Tue Jan 05, 2021 8:11 am

supak111 wrote:
Tue Jan 05, 2021 8:02 am
Yes there are only 2 files in the vQmod version of this extension. You must have vQmod installed.
BUT I converted it to OCmod, so download my version below and install it via admin: extension --> installer

VQmod version of CSRF Protection Form Extension https://www.opencart.com/index.php?rout ... on_id=4773
OCmod version download it here: https://gofile.io/d/pHognI

PS: only tested on 3.0.3.2, should work on all OC 3xxx
I would suggest sending this version to Straightlight
and letting him upload both mods under the same extension link, so it would be easy for new users to download and install their preferred mod.

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by supak111 » Tue Jan 05, 2021 8:13 am

I sent it to him a while back; I don't see that he has posted it on the marketplace yet.

~ OC 3.0.3.2 and OCmods only ~



Post by khnaz35 » Tue Jan 05, 2021 8:15 am

supak111 wrote:
Tue Jan 05, 2021 8:13 am
I sent it to him a while back; I don't see that he has posted it on the marketplace yet.
I see, maybe he didn't get time yet for that,
since there was a lot of development happening for OC 4.x.

Urgent Questions shoot here: khnaz35@gmail.com
Enjoy nature ;) :) :-*



Post by straightlight » Tue Jan 05, 2021 10:55 am

I did take time to look at it. As it was delivered, I was told the VQMod version was converted into the OCMod release. Ironically, when I then took a look at the csrf_helper file, it was modified compared to the VQMod version. In addition, the paths in the XML file might need to be modified; however, I figured it would be more time-consuming for each user having to reinstall a package each time a path needs to be modified in the first place, rather than troubleshooting one XML file and testing each path until the __csrf token does show with the compression on.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester



Post by docroesner » Tue Jan 05, 2021 11:15 am

@supak111: I have downloaded this OCmod version and will try it on a test installation of OC. Many thanks!
@Straightlight:
I have asked the host manager to enable zlib.compression_output on a PHP level and will see if that changes anything.
I have now installed vqmod on another hosting account where OC 3.0.3.6 is installed. zlib.compression_output is enabled there.
The admin login form shows the token field perfectly.
However, no other form on the customer side shows any hidden token field.
Since I have account/register.twig modified there, I included the lines

    {% if csrf_form_input %}
    {{ csrf_form_input }}
    {% endif %}

in the template right below the form open tag.
That does not resolve anything (I included some text with this modification, and that shows up in the source code).
So that means csrf_form_input is empty when loading the form.
Then I modified the modified catalog/controller/account/register.php in the storage folder and included the lines

    $csrf = new Csrf();
    $csrf->csrf_start($this->registry);
    $data['csrf_form_input'] = $csrf->csrf_form_input();

in function index().
That gave a fatal error saying
Class 'Csrf' not found in /....../storage/modification/catalog/controller/account/register.php
It seems I put this code in the wrong place. Where do I have to include it?



Post by straightlight » Tue Jan 05, 2021 11:42 am

docroesner wrote:
Tue Jan 05, 2021 11:15 am
@supak111: I have downloaded this OCmod version and will try it on a test installation of OC. Many thanks!
@Straightlight:
I have asked the host manager to enable zlib.compression_output on a PHP level and will see if that changes anything.
I have now installed vqmod on another hosting account where OC 3.0.3.6 is installed. zlib.compression_output is enabled there.
The admin login form shows the token field perfectly.
However, no other form on the customer side shows any hidden token field.
Since I have account/register.twig modified there, I included the lines

    {% if csrf_form_input %}
    {{ csrf_form_input }}
    {% endif %}

in the template right below the form open tag.
That does not resolve anything (I included some text with this modification, and that shows up in the source code).
So that means csrf_form_input is empty when loading the form.
Then I modified the modified catalog/controller/account/register.php in the storage folder and included the lines

    $csrf = new Csrf();
    $csrf->csrf_start($this->registry);
    $data['csrf_form_input'] = $csrf->csrf_form_input();

in function index().
That gave a fatal error saying
Class 'Csrf' not found in /....../storage/modification/catalog/controller/account/register.php
It seems I put this code in the wrong place. Where do I have to include it?
That's intended to produce an error there. The csrf_helper uses a buffer to output the token and cannot be added manually with the object without using the regex, for security purposes, on the catalog-end side. As explained previously, you simply need to work around the paths in the XML for all your TWIG files and, to make it easier, use the VQMod Manager to see any errors in the paths. If you can't see any, then you need to keep playing with one block of XML modifications at a time to see where the issue might be originating from in your paths.

Dedication and passion goes to those who are able to push and merge a project.

Regards,
Straightlight
Programmer / Opencart Tester
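As an added illustration of the mechanism straightlight describes (not the extension's own csrf_helper, nor code from anyone in this thread): an output-buffer based helper that regex-injects a hidden __csrf input into every POST form, so templates need no manual edit, and rejects POSTs whose token does not match. The function names, the session field and the page fragment are assumptions constructed for this example.

```php
<?php
// Added illustration, not the extension's own csrf_helper: an output-buffer
// based CSRF helper. Function and field names below are assumptions.

const CSRF_FIELD = '__csrf';   // hidden field name, as referred to in the thread

// Return the per-session token, creating it on first use (assumes $_SESSION
// is available, i.e. session_start() has run or the demo below populated it).
function csrf_token(): string {
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// Output-buffer callback: insert a hidden token input directly after every
// opening <form ... method="post"> tag, so no template edit is needed.
function csrf_inject(string $html): string {
    $input = '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
    return preg_replace(
        '/(<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>)/i',
        '$1' . $input,
        $html
    );
}

// Called once per request from a shared controller such as common/header:
// reject any POST whose token is missing or wrong, then buffer the page
// output through csrf_inject(). Any compression buffer started after this
// call would hand the callback compressed bytes instead of HTML, and the
// hidden field would never appear in "view source".
function csrf_start(): void {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
        $sent = (string) ($_POST[CSRF_FIELD] ?? '');
        if (!hash_equals(csrf_token(), $sent)) {
            http_response_code(403);
            exit('Invalid CSRF token');
        }
    }
    ob_start('csrf_inject');
}

// Stand-alone demo on a constructed register-form fragment (CLI, no session).
$_SESSION = [CSRF_FIELD => bin2hex(random_bytes(32))];
$page = '<form action="index.php?route=account/register" method="post">'
      . '<input name="email"></form>'
      . '<form action="index.php?route=product/search" method="get"></form>';
echo csrf_inject($page), PHP_EOL;   // only the POST form gains the hidden input
```

Run with `php csrf_demo.php`; the register form comes back with the hidden __csrf input inserted while the GET search form is left untouched.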


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Re:


Post by docroesner » Wed Jan 06, 2021 2:33 am

supak111 wrote:
Tue Jan 05, 2021 8:02 am
Yes there are only 2 files in the vQmod version of this extension. You must have vQmod installed.
BUT I converted it to OCmod, so download my version below and install it via admin: extension --> installer

VQmod version of CSRF Protection Form Extension https://www.opencart.com/index.php?rout ... on_id=4773
OCmod version download it here: https://gofile.io/d/pHognI

PS: only tested on 3.0.3.2, should work on all OC 3xxx
I tried to install the ocmod version into a test installation of OC (version 3.0.3.6) but received an error saying "The directory system/helper is not allowed to be written to!". Then I set the permissions from 755 to 777 for both. Same error.
Ideas?

What I did: I put the lines

    $this->load->helper('csrf_helper');
    csrf_start();

into catalog/controller/common/header.php as indicated by install.xml, and that worked!
Now I see the hidden token input in the source code.
Does that really mean the forms are now protected? I have NOT installed the extension (due to the error given above) and have no install.xml on the server!
