steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 01/03/2022 : 09:57:31
It's happening again where someone is getting in and adding items to the cart that mess with and change all the stock to 0 or negative. Last time it was a security hole. Can someone look into this?
|
Vince
Administrator
42874 Posts |
Posted - 01/03/2022 : 12:37:35
|
steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 01/03/2022 : 16:07:37
No.
Also looking at the items ordered. Some actually had product options that didn't even belong to them.
This is just like the hole you plugged last time.
|
Marshall
Ecommerce Template Guru
USA
1916 Posts |
Posted - 01/03/2022 : 16:35:28
Are your options set to force selection? I just did a test of this product, tfl-503b84, and it added to the cart without selecting the option.
Marshall
CENLYT Productions - ms designs Affordable Web Design Custom Ecommerce Designs Responsive Websites Cenlyt.com
|
steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 01/03/2022 : 16:40:52
Marshall, sorry I wasn't clear. Look at my first invoice picture. You will see ose-80905 purchased with my options that are not options of that product.
Here is the link
https://www.offshoreelectrics.com/proddetail.php?prod=ose-80905
|
dbdave
ECT Moderator
USA
10468 Posts |
Posted - 01/03/2022 : 18:47:50
This is the dreaded netsparker bot. Obvious because of the sample@email.tst email address. If I were Vince, I would add some code that, as soon as that email address is used, the IP is instantly blocked for a period of time. This bot can add hundreds of items to your cart in seconds. Somehow it submits data directly to the form.
David
Edited by - dbdave on 01/03/2022 18:48:51
|
Marshall
Ecommerce Template Guru
USA
1916 Posts |
Posted - 01/03/2022 : 19:56:27
What PHP version are you using? If you are comfortable modifying the inccart.php script, I have a trick to block an email address that cancels the order before it is processed.
Marshall
CENLYT Productions - ms designs Affordable Web Design Custom Ecommerce Designs Responsive Websites Cenlyt.com
|
Vince
Administrator
42874 Posts |
Posted - 01/04/2022 : 03:01:46
|
steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 01/04/2022 : 05:39:15
Vince do you remember the last time this happened? This is a bot, a hack. The system is compromised.
The bot is able to buy a quantity of 1000 items when there are only 5 available.
The bot is able to add options to items that have no options.
|
steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 01/04/2022 : 06:31:48
Marshall, I'd love to see the code to help this.
Dave, thanks for confirming that I'm not going nuts. This is a hack to the cart that needs closing.
Vince, what can be done about this not happening in the future.
|
steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 01/04/2022 : 06:59:05
Vince it seems this is a SQL Injection.
https://www.google.com/search?q=sample%40email.tst+SQL+Injection&client=firefox-b-1-d&sxsrf=AOaemvKld9aF0BUJ6bZT-eunteRu8wszrA%3A1641307956918&ei=NF_UYdfON52kptQPtdm8sAE&ved=0ahUKEwjXuPTNrJj1AhUdkokEHbUsDxYQ4dUDCA0&uact=5&oq=sample%40email.tst+SQL+Injection&gs_lcp=Cgdnd3Mtd2l6EAMyBwghEAoQoAEyBQghEKsCOgcIIxCwAxAnOgcIABBHELADSgQIQRgASgQIRhgAUNcBWNcBYLcGaAFwAngAgAFviAFvkgEDMC4xmAEAoAECoAEByAEJwAEB&sclient=gws-wiz
|
steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 01/04/2022 : 07:06:21
Vince, I'm not sure if this is just a coincidence but the gift cert area has been being spammed since the middle of December.
|
Marshall
Ecommerce Template Guru
USA
1916 Posts |
Posted - 01/04/2022 : 09:14:54
quote: Marshall, I'd love to see the code to help this.
I need to know what PHP version you are using.
Marshall
CENLYT Productions - ms designs Affordable Web Design Custom Ecommerce Designs Responsive Websites Cenlyt.com
|
steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 01/04/2022 : 09:36:42
Sorry, it's PHP 7.3
|
Vince
Administrator
42874 Posts |
Posted - 01/04/2022 : 11:06:13
quote: Vince it seems this is a SQL Injection.
https://www.google.com/search?q=sample%40email.tst+SQL+Injection&client=firefox-b-1-d&sxsrf=AOaemvKld9aF0BUJ6bZT-eunteRu8wszrA%3A1641307956918&ei=NF_UYdfON52kptQPtdm8sAE&ved=0ahUKEwjXuPTNrJj1AhUdkokEHbUsDxYQ4dUDCA0&uact=5&oq=sample%40email.tst+SQL+Injection&gs_lcp=Cgdnd3Mtd2l6EAMyBwghEAoQoAEyBQghEKsCOgcIIxCwAxAnOgcIABBHELADSgQIQRgASgQIRhgAUNcBWNcBYLcGaAFwAngAgAFviAFvkgEDMC4xmAEAoAECoAEByAEJwAEB&sclient=gws-wiz
There is nothing yet that indicates this is SQL Injection. But can you send your site FTP login to my email and I'll start hunting for what is happening.
Vince
Click Here for Shopping Cart Software | Click Here to sign up for our newsletter | Click Here for the latest updater
|
steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 01/04/2022 : 14:08:20
Vince, I sent you the details. Is this the same issue as the last time? Do you remember working on this with my software guy? Unfortunately he's not around any longer or I would have him look.
Also, I just found someone that had a similar problem on this forum.
https://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID=108547&SearchTerms=SQL,Injection
|
Marshall
Ecommerce Template Guru
USA
1916 Posts |
Posted - 01/04/2022 : 14:13:41
This does not apply to v7.4+
Look for this in the inccart.php file

    var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
    if(!regex.test(frm.email.value)){
        alert("<?php print jscheck($GLOBALS['xxValEm'])?>");
        frm.email.focus();
        return(false);
    }

And replace it with this

    var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
    // the bot's fingerprint address: send it elsewhere instead of submitting the order
    if(frm.email.value=="sample@email.tst") {
        window.location.href="https://ih1.redbubble.net/image.717939983.4497/flat,750x,075,f-pad,750x1000,f8f8f8.u6.jpg";
        return(false);
    } else if(!regex.test(frm.email.value)){
        alert("<?php print jscheck($GLOBALS['xxValEm'])?>");
        frm.email.focus();
        return(false);
    }

I redirect to an image that I find funny, but you can redirect to anyplace you want. And I should emphasize, this is not fool proof, but it does work.
Marshall
CENLYT Productions - ms designs Affordable Web Design Custom Ecommerce Designs Responsive Websites Cenlyt.com
|
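Marshall's check above runs in the browser, and dbdave noted earlier in the thread that the bot submits data directly to the form, so a client-side redirect can only catch traffic that actually executes the page's JavaScript. The same checks need to exist on the server, where the order is processed. The PHP below is an added illustration of that idea, not ECT code and not the real contents of inccart.php: it combines dbdave's suggestion (temporarily block the IP as soon as sample@email.tst is submitted) with the two server-side checks Steven's symptoms point at (quantity capped at stock on hand, and only options that belong to the product accepted). The catalogue array, the blocklist structure, the request field names and the product data are all constructed for the example.

```php
<?php
// Added illustration, not ECT's code. The request field names, catalogue
// layout and blocklist storage are assumptions made for this example.

// Constructed sample catalogue: product id => stock on hand and allowed option ids
const CATALOGUE = [
    'ose-80905'  => ['stock' => 5,  'options' => []],
    'tfl-503b84' => ['stock' => 12, 'options' => [101, 102]],
];

// Placeholder address the thread identifies as the scanner's fingerprint
const SCANNER_EMAIL = 'sample@email.tst';
const BLOCK_SECONDS = 3600;

/**
 * True when $ip is currently blocked. $blocklist maps ip => unix time the
 * block expires; expired entries are pruned as they are encountered.
 */
function ipIsBlocked(array &$blocklist, string $ip, int $now): bool
{
    if (!isset($blocklist[$ip])) {
        return false;
    }
    if ($blocklist[$ip] <= $now) {
        unset($blocklist[$ip]);
        return false;
    }
    return true;
}

/**
 * Validates one add-to-cart request before anything touches the database.
 * Returns ['ok' => true, 'qty' => n] or ['ok' => false, 'reason' => '...'].
 * $blocklist is updated in place when the scanner fingerprint is seen.
 */
function validateCartRequest(array $req, array &$blocklist, string $ip, int $now): array
{
    if (ipIsBlocked($blocklist, $ip, $now)) {
        return ['ok' => false, 'reason' => 'ip temporarily blocked'];
    }

    // Compare case-insensitively and after trimming, so a stray space cannot
    // slip the fingerprint past the check (as it would in a plain == test).
    $email = trim((string)($req['email'] ?? ''));
    if (strcasecmp($email, SCANNER_EMAIL) === 0) {
        $blocklist[$ip] = $now + BLOCK_SECONDS;
        return ['ok' => false, 'reason' => 'scanner fingerprint, ip blocked'];
    }

    $prod = (string)($req['prod'] ?? '');
    if (!isset(CATALOGUE[$prod])) {
        return ['ok' => false, 'reason' => 'unknown product'];
    }
    $item = CATALOGUE[$prod];

    // Quantity must be a positive integer and may never exceed stock on hand;
    // this is what stops the 1000-of-5 order described in the thread.
    $qty = filter_var($req['quantity'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($qty === false) {
        return ['ok' => false, 'reason' => 'invalid quantity'];
    }
    if ($qty > $item['stock']) {
        return ['ok' => false, 'reason' => 'quantity exceeds stock'];
    }

    // Every submitted option id must belong to this product; a product
    // with no options accepts none at all.
    $options = $req['options'] ?? [];
    if (!is_array($options)) {
        return ['ok' => false, 'reason' => 'malformed options'];
    }
    foreach ($options as $opt) {
        if (!in_array((int)$opt, $item['options'], true)) {
            return ['ok' => false, 'reason' => 'option does not belong to product'];
        }
    }

    return ['ok' => true, 'qty' => $qty];
}

// Constructed requests resembling the behaviour reported in the thread
$blocklist = [];
$now = time();
$requests = [
    ['prod' => 'ose-80905',  'quantity' => '1000', 'email' => 'buyer@example.com'],
    ['prod' => 'ose-80905',  'quantity' => '1', 'options' => [101], 'email' => 'buyer@example.com'],
    ['prod' => 'tfl-503b84', 'quantity' => '2', 'options' => [101], 'email' => 'sample@email.tst'],
    ['prod' => 'tfl-503b84', 'quantity' => '2', 'options' => [101], 'email' => 'buyer@example.com'],
];
foreach ($requests as $i => $req) {
    $r = validateCartRequest($req, $blocklist, '203.0.113.10', $now);
    printf("request %d: %s\n", $i + 1, $r['ok'] ? "accepted qty {$r['qty']}" : "rejected ({$r['reason']})");
}
```

The first two requests are rejected for excess quantity and for an option that does not belong to ose-80905, the third trips the fingerprint check and blocks the IP, and the fourth, although well-formed, is refused because that IP is still blocked. In a real deployment the blocklist would live in the database or a cache rather than in a PHP array, and the quantity check would be repeated when stock is actually decremented, since stock can change between the add-to-cart step and checkout.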
dbdave
ECT Moderator
USA
10468 Posts |
Posted - 01/04/2022 : 14:44:01
quote: Also, I just found someone that had a similar problem on this forum.
https://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID=108547&SearchTerms=SQL,Injection
Hi Steven, in that thread, it was only an "attempt" at SQL injection, but the ECT measures in place stopped anything bad from happening by sanitizing the bot's attempts and just rendering the code as text.
Thanks, David
|
Vince
Administrator
42874 Posts |
Posted - 01/05/2022 : 03:40:44
|
steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 01/05/2022 : 14:14:40
I sent it over this morning.
|
steven vaccaro
Ecommerce Template Guru
USA
1060 Posts |
Posted - 02/04/2022 : 11:44:57
Marshall, is there code to install your fix to 7.46?

    var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
    if(!regex.test(frm.email.value)){
        alert("<?php print jscheck($GLOBALS['xxValEm'])?>");
        frm.email.focus();
        return(false);
    }

And replace it with this

    var regex=/[^@]+@[^@]+\.[a-z]{2,}$/i;
    if(frm.email.value=="sample@email.tst") {
        window.location.href="https://ih1.redbubble.net/image.717939983.4497/flat,750x,075,f-pad,750x1000,f8f8f8.u6.jpg";
        return(false);
    } else if(!regex.test(frm.email.value)){
        alert("<?php print jscheck($GLOBALS['xxValEm'])?>");
        frm.email.focus();
        return(false);
    }
|