Hey Guys,

Last Friday I started to see errors come in with this specific line as the error line:
incfunctions.asp



This, of course, falls in this chunk of code:



Here is an example of this recently:


I haven't made any updates to the code that would be doing this. I'm in the middle of upgrading to the most current version of the software and I see incfunctions.asp still uses that exact line, so I imagine it's affecting other folks too.

I don't suppose anyone else is careful to watch what 500 errors pop up on their servers and have noticed the same thing?

Any ideas on what could possibly be causing this?

- Graham Slaughter

Hi Graham

I haven't seen any reports of problems, is the site now fully updated and if so, do you still get a problem?

Andy

Please feel free to review / rate our software

We are going to be getting the sites updated to current in the next few weeks. I only ask now because it looks like the underlying code isn't different in newer versions from what we are on now.

I'm honestly more curious to see if anyone else is seeing this than anything else. I mean ... I can't reproduce the error, so it's kinda hard to impossible right now.

- Graham Slaughter

I'll keep an eye out for reports but it's definitely not something I've seen here.

Andy

Please feel free to review / rate our software

I've had it pop up about 40+ times today alone. It appears to be specific to a user in that I'll see the error pop up 4 or 5 times within a minute or 2 and those errors will all have the same IP address before the user (presumably) gives up and leaves the website.

I can't help but wonder if it's compromised browsers perhaps feeding illegitimate cookies back to the server? I mean, as far as I can tell it happens at the FIRST place that a cookie is requested in the code.
If that is the case, there's nothing I can do to mitigate the error as there are multiple places cookies are requested ... heck. I surely can't be the only person this is happening to. Is there anyone else who actually watches and reads the 500 errors that pop up on their websites?

- Graham Slaughter

So far today I've only had a few instances of it. Interestingly enough, for the first time, it showed up on a different line. Not surprisingly it is on a cookies line again:


This line is inside this function in incfunctions.asp


If anyone else sees these, please let us know!

- Graham Slaughter

Is this in the server logs that you see the error, or the browser?
If browser, is it customer side, or admin?

David

Hey Dave,

I actually created an error page that appears when a customer hits an error.
Basically, it must be an error that would otherwise hit a user's browser. Instead, it shows them the custom error page and sends me an email. That way they don't see the error details which would otherwise be a compromising risk.

It is incredibly useful because the email it sends me contains data on the error. This allows me to see quickly if I break something even if I didn't personally run into the error.

I'd be happy to share the code with you if you'd like.

- Graham Slaughter

So the error finally happened to us so that I could track it down. Apparently, it was related to our livechat software we use. It was just updated recently and before the error started (imagine that). Anyone who used it to talk to us could no longer browse the website until they cleared their cookies. YIKES! I'm guessing the request.cookies("") in ASP simply receives ALL of the cookies and something about the one their software was writing just kinda broke the heck out of ASP in IIS.

Glad to get to the bottom of it. Thanks all who read this post.

- Graham Slaughter

I'm getting a PCI scan failure related to ectcartcookie, here is the "evidence" from Trustwave:
Cookie Name - ectcartcookie
Cookie value - ny2o8qbc5ee7pt8mof3dwjiw3v
Cookie secure flag - false
Description - The website software running on this server appears to be setting session cookies without the Secure flag set over HTTPS connections. This means the session identifier information in these cookies would be transmitted even over unencrypted HTTP connections, which might make them susceptible to interception and tampering.
Remediation - Contact the vendor of this web application and request the Secure flag be set on session cookies transmitted over HTTPS.

Please let me know if this is a known issue or what the solution might be - forum search did not reveal much.

Thank you,
Steve

There is a mention of the Secure Flag from Vince in this updater post from 5th August for the ECT version 7.1.3

quote:

---

Cart Cookies
The cart cookie now uses the "Secure" flag when on HTTPS.

---

https://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID=111898

Steve
Manchester, UK.

Great catch, thank you. I'm running 7.0.5, will update.
Steve

The update to 7.1.3 will take care of it. It's something we identified with a client a few weeks back and ECT jumped right on it and issued an update for us. Scans came back clean after that

Peter


Professional ecommerce web hosting services
Shared hosting Windows & Linux | Dedicated servers | Domains | SSL
Ecommerce Templates specialists since 2003
https://servelink.com

It didn't - and the update caused my responsive slider to break (addressing that on different topic). So I still have this problem, plus another.
Steve

I still need assistance with this - PCI scan failing due to ectcartcookie, value jexcuzutuxcl12zrqukmfu9kqv, cookie secure flag false. I've tried everything I can think of to troubleshoot it, and if not corrected by 9/5 could use compliance.
Steve

Hi Stevep
I would say that this could be because either the 7.1.3 updater wasn't applied fully. Or, it could be that your site is not actually on HTTPS. In either case though, I think you can raise this as a false positive by saying...
"No sensitive or cardholder data is held using the session cookie".

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

I'd be inclined to suggest the former of those two. As mentioned earlier, we went through this with a client a while back, it was kindly fixed for us by ECT in version 7.1.3 and the scanner (also Trustwave) seems happy with what they find now.

Peter


Professional ecommerce web hosting services
Shared hosting Windows & Linux | Dedicated servers | Domains | SSL
Ecommerce Templates specialists since 2003
https://servelink.com

Hi Steve
Sorry about this but servelink.com have just pointed out to me that the changes didn't make it into the ASP updater as the customer in question was using the PHP version. I've done that now so if you get a new copy of the updater and copy the incfunctions.asp script to your site it should hopefully scan ok.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater

I'll try the updater again - though I am sure I got the updated successfully message, and when I log into the admin panel it reflects v7.1.3. Maybe I didn't get all the files copied, which raises a question: could problems be caused by files that are no longer used and therefore not overwritten?

(wrote this before seeing latest Vince message, will follow that instruction).

Thank you,
Steve

Instructions for custompayproc are incomplete and conflict with prior instructions. I have deleted old versions from vsadmin/inc folder, which then makes it match the updater in number of files and total size.

vsadmin/inc/incfunctions.asp update version is uploaded. I was very careful with the update, and did get success message. Errors are exactly the same as before, and "evidence" tab shows site url including https:// so I don't see that as an issue.

Point I made about old files existing from prior versions not addressed, let me know if that might cause scan failure.

Wits end - will dispute it, hopefully they accept and I don't have to deal with it every month when they scan.

Thank you,
Steve

Hi Steve

quote:

---

Point I made about old files existing from prior versions not addressed, let me know if that might cause scan failure.

---

The only two files that won't be updated by the updater (apart from your database connection and the includes.asp file with your site settings) are the customppsend.asp and customppreturn.asp files. But these should only have been changed if you had a custom payment provider set up. But as it seems you don't anyway updating them from the versions in the updater was a good idea.

Vince

Click Here for Shopping Cart Software
Click Here to sign up for our newsletter
Click Here for the latest updater