Maintenance mode does not restrict access
The who's online replacement file breaks the who's online page.
The top bar breaks:
REFRESH LIST
Legend: Active cart Inactive cart Active no cart Inactive no cart
Inactive is Last Click >= 180s || Inactive since arrival > 540s will be removed Updating every 15 seconds. OFF 5 sec 15 sec 30 sec 1 min TEXT_WHOS_ONLINE_TIMER_FREQ5 TEXT_WHOS_ONLINE_TIMER_FREQ6 TEXT_WHOS_ONLINE_TIMER_FREQ7
Exclude Spiders? Yes No Exclude Admin IP Addresses? Yes No
Attachment 17697
@jmberman, what version of Zen Cart? ... and what version of IP Blocker?
It looks like you can solve the zc1.5.4 compatibility issue by editing /YOUR_ADMIN/whos_online.php, locating this code block
Code:
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='0') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=0"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ0; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='5') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=5"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ1; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='15') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=15"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ2; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='30') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=30"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ3; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='60') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=60"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ4; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='300') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=300"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ5; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='600') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=600"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ6; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='840') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=840"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ7; ?></a> <br />
and changing it to
Code:
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='0') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=0"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ0; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='5') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=5"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ1; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='15') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=15"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ2; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='30') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=30"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ3; ?></a>
<a class="optionClick<?php echo ($_SESSION['wo_timeout']=='60') ? ' chosen' : ''; ?>" href="<?php echo $optURL;?>t=60"><?php echo TEXT_WHOS_ONLINE_TIMER_FREQ4; ?></a> <br />
I'll note the issue in the plugin's GitHub repository for corrective action.
In reviewing the changes, v2.1.3 should have been tagged as supporting Zen Cart 1.5.5 or later. v2.1.2 should be used for earlier versions of Zen Cart.
Hi Lat9,
As I was reviewing my website logs I discovered 588 files which are not supposed to be there. Looking into the files I found in each one a first line like this:
Code:
[17-Dec-2018 14:28:57 America/New_York] Request URI: /index.php?main_page=discount_coupon'A=0, IP address: 185.235.15.140
or
[17-Dec-2018 22:04:17 America/New_York] Request URI: /index.php?main_page=index'A=0&cPath=66, IP address: 35.236.99.80
or
[18-Dec-2018 23:59:31 America/New_York] Request URI: /index.php?main_page=site_map'[0], IP address: 173.44.37.114
or
[21-Dec-2018 23:58:14 America/New_York] Request URI: /index.php?cPath=70_126&main_page=index2121121121212.1, IP address: 47.91.241.128
[21-Dec-2018 23:58:17 America/New_York] Request URI: /index.php?cPath=70_126&main_page=index%20and%201%3E1, IP address: 47.91.241.128
or even
[30-Dec-2018 12:31:27 America/New_York] Request URI: /index.php?main_page=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00&cPath=90, IP address: 14.185.32.246
All these are attempts to break into the host using zen-cart and php, especially the last one which tries to get the /etc/passwd file.
Fortunately zen-cart didn't answer these attempts, but the repeated requests did put the machine on its knees.
As I have fail2ban installed, I looked why fail2ban didn't deal with these.
The answer is because fail2ban doesn't know anything about zen-cart log files.
So that fail2ban manages these attempts, I have to make a fail2ban configuration file, where I tell it which log file to monitor and, using a regex, how to identify bad attempts and get the IP.
With this info, fail2ban jails the IP for a delay, meaning it adds the IP to the deny list of either ufw or iptables (Linux firewalls).
So... I was thinking... Would it be difficult to mimic the fail2ban behaviour, i.e. monitor zen-cart log files and, when an attempt is made, add the IP to the block list?
That's just a suggestion. As I have fail2ban, I will try to make a configuration file for it, but not everybody has access to this kind of tool, especially if the website is on a shared host.
Thanks for reading.
Hub
P.S.: if you need my 588 log files with all kinds of attempts, just tell me.
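As an added example (not code from this thread or from the IP Blocker plugin), here is a small Python script that does what the post above describes for fail2ban: parse the "Request URI ... IP address" line Zen Cart writes at the top of each debug log, flag a request whose main_page is not a plain page identifier after URL-decoding, and count hits per IP against a maxretry threshold. The log lines and the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are constructed sample data; the LOG_LINE pattern is the same shape a fail2ban filter's failregex would carry.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample of the first line of several Zen Cart debug logs
# (same layout as the lines quoted in the post; documentation IP ranges).
SAMPLE_LOG = """\
[17-Dec-2018 14:28:57 America/New_York] Request URI: /index.php?main_page=discount_coupon'A=0, IP address: 198.51.100.7
[17-Dec-2018 14:29:03 America/New_York] Request URI: /index.php?main_page=index&cPath=66, IP address: 192.0.2.10
[17-Dec-2018 14:29:10 America/New_York] Request URI: /index.php?main_page=site_map'[0], IP address: 198.51.100.7
[17-Dec-2018 14:29:15 America/New_York] Request URI: /index.php?cPath=70_126&main_page=index%20and%201%3E1, IP address: 198.51.100.7
[17-Dec-2018 14:29:20 America/New_York] Request URI: /index.php?main_page=..%2f..%2f..%2fetc%2fpasswd%00&cPath=90, IP address: 203.0.113.5
[17-Dec-2018 14:29:25 America/New_York] Request URI: /index.php, IP address: 192.0.2.10
PHP Warning: some unrelated notice that is not a request line
"""

# One debug-log request line: timestamp in brackets, the URI, then the client IP.
LOG_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Request URI: (?P<uri>.*), IP address: (?P<ip>[0-9A-Fa-f.:]+)$"
)

# Zen Cart page names (index, site_map, discount_coupon, ...) are plain identifiers;
# quotes, spaces, dots, path separators or NUL bytes in main_page mean tampering.
VALID_MAIN_PAGE = re.compile(r"^[a-z0-9_]+$")


def parse_line(line):
    """Return (timestamp, uri, ip) for a request line, or None for any other line."""
    m = LOG_LINE.match(line.strip())
    return (m["ts"], m["uri"], m["ip"]) if m else None


def is_bad_request(uri):
    """True when main_page is present but is not a plain page identifier (parse_qs URL-decodes it)."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    pages = query.get("main_page")
    if not pages:
        return False  # no main_page at all: storefront home page, not a probe
    return not VALID_MAIN_PAGE.match(pages[0])


def offenders(log_text, maxretry=3):
    """Count bad requests per IP; return {ip: hits} for addresses at or above maxretry."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and is_bad_request(rec[1]):
            hits[rec[2]] += 1
    return {ip: n for ip, n in hits.items() if n >= maxretry}


if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG, maxretry=2).items():
        print(f"{ip}: {n} bad requests, candidate for the block list")
```

The returned dictionary is what would feed a firewall deny list or the plugin's blocked-address table; raising maxretry keeps a single mistyped URL from blocking a real customer.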
Those same invalid accesses that are being reported by Zen Cart via debug-logs are also captured in your site's Apache logs which, from my quick read of fail2ban, is what that module looks at for its processing.
So, after installing this mod, I blocked my own address to test it, and it didn't block it. What bit am I missing?
Did you have an active session at the time you blocked the access? From code inspection, if the IP address is active at the time the 'block' was added then it's not blocked until the next attempted session.
Noting also that the updates made to the admin's whos_online.php haven't kept up with the various changes in zc156.
...hmm, later it did block it. So, works as expected.
Note for testing, just delete the zenid cookie to reset the session in that browser.
I've just submitted v2.2.0 of the IP Blocker to the plugin moderators for review and will post back here once it's available (https://www.zen-cart.com/downloads.php?do=file&id=1814) for download.
This release contains changes associated with the following GitHub issues. Note that support is dropped for Zen Cart versions prior to 1.5.6!
#12: Correct use of PHP's serialize function.
#13: Correct "special_login" page location; issue when store is installed in a sub-directory.
#14: Restructure, using HTML5 for zc156+.
#15: Reduce changes to `whos_online.php` (1 change section).
#16: Correct MySQL error on initial install.
#17: Use the built-in `zen_get_ip_address` to retrieve the current IP address.
#18: Automatically block addresses found invalid by `zen_get_ip_address`.
#19: Remove unused fields from the database table.
#20: Admin: Use PHP's `val_function` to validate any entered IP address.
#21: Add language-constant to contain the `special_login` page's instructions.
#22: No exit, now, from the `special_login` page if the configured password is blank/empty.
#23: Simplify storefront checks for wildcard IP address ranges.
#25: Admin: Display the password (hashed) as a simple input field instead of a password one.
v2.2.0 is now available for download: https://www.zen-cart.com/downloads.php?do=file&id=1814
Just installed the 2.2.0 ip blocker.
I am getting this error message on PHP 7.3, Zen Cart 1.5.7:
PHP Warning: A non-numeric value encountered in whos_online.php on line 75
That line is this
$xx_mins_ago = (time() - 'WHOIS_TIMER_REMOVE');
Has anyone else had this happen?
Prior to 1.5.7 that constant was defined in the whos online language file. In 1.5.7 it chooses a default if it's not defined.
I can't speak to the plugin you're using: maybe you're using a version of it that's not ready for 1.5.7?
You didn't quote the log details which explain the name of the file where the warning is occurring, so it's increasingly difficult to give any sort of useful assistance.
Thank you for mentioning that. I looked and compared the whos_online.php file to the 1.5.7 file and they were different so I copied the newest one from the 1.5.7 zen version and I believe that fixed it. I am not getting any error logs now. I am so sorry for the bother. I should have checked that to begin with. I do appreciate your help.
Hello,
The following PHP Warnings appeared in the logs when I tried to add the IP address to the "Blocked IP Addresses" list for the first time (using a link on the "Who's Online" page).
Quote:
--> PHP Warning: in_array() expects parameter 2 to be array, boolean given in admin/includes/functions/extra_functions/ip_blocker_functions.php on line 167.
I tried to understand what happened by adding and removing (some and all) other IP addresses.
Quote:
--> PHP Warning: in_array() expects parameter 2 to be array, boolean given in admin/includes/functions/extra_functions/ip_blocker_functions.php on line 169.
I tried even to remove all lines from ip_blocker table manually and then add IP-address again.
But unfortunately (??? :-) ) the issue has not appeared again.
Probably I should try to fully remove this addon and then install it again (in order to get the same issue again), but this is not possible at the moment, sorry.
PHP Code:
// unserialize() returns false when the stored blocklist is empty or malformed
$blocked_ip_array = unserialize($blocklist->fields['ib_blocklist']);
$is_new_address = false;
if (!in_array($newaddress, $blocked_ip_array)) {
    // also check the wildcard form of the address's /24 (e.g. 192.0.2.*)
    $newaddress_all = substr($newaddress, 0, strrpos($newaddress, '.')) . '*';
    if (!in_array($newaddress_all, $blocked_ip_array)) {
        $blocked_ip_array[] = $newaddress;
        $is_new_address = true;
    }
}
In my humble opinion (I'm definitely not a pro), something is wrong with the usage of the unserialize function, which can return very different types of value:
https://www.php.net/manual/en/function.unserialize.php
Is this plugin deprecated or has it just not been updated for 1.5.7 yet?
I find the Access Blocker (https://www.zen-cart.com/showthread....Support-Thread) less intrusive/difficult so I won't be updating IP Blocker. If anyone wants to take its support over, I'll be happy to transfer the GitHub account.
Roger that. I will update the web page for IP blocker with this recommendation. I wasn't sure if it was a superset or not - thanks for confirming.
Access Blocker download is at
https://www.zen-cart.com/downloads.php?do=file&id=2237