Page 72 of 84 FirstFirst ... 2262707172737482 ... LastLast
Results 711 to 720 of 836
  1. #711
    Join Date
    Jul 2007
    Posts
    213
    Plugin Contributions
    3

    Default Re: COWOA Updated and Combined for ZC v1.5.x

    Quote Originally Posted by jeking View Post
    Tested with zencart version 1.5.5 seemed OK except I had an issue with missing Language files for checkout_success.php I needed to add the following:
    define('HEADING_ORDER_NUMBER', 'Order #%s');
    define('HEADING_DELIVERY_ADDRESS','Delivery Address');
    define('HEADING_BILLING_ADDRESS','Billing Address');
    define('HEADING_PAYMENT_METHOD','Payment Method');
    define('HEADING_ORDER_DATE','Date:');
    define('HEADING_ORDER_HISTORY','');
    define('HEADING_QUANTITY','Qty');
    define('HEADING_PRODUCTS', 'Item Name');
    define('HEADING_TOTAL', 'Total');
    define('TABLE_HEADING_STATUS_DATE', 'Date');
    define('TABLE_HEADING_STATUS_ORDER_STATUS', 'Order Status');
    define('TABLE_HEADING_STATUS_COMMENTS', 'Comments');
    define('QUANTITY_SUFFIX', ' ea. ');
    define('ORDER_HEADING_DIVIDER', ' - ');
    Will be testing with PayPal soon.

  2. #712
    Join Date
    May 2006
    Location
    Gardiner, Maine
    Posts
    2,080
    Plugin Contributions
    22

    Default Re: COWOA Updated and Combined for ZC v1.5.x

    quick question and hopefully someone will have a quick and easy answer. I have a client who simply wants only the checkout without account. This is not normal ecommerce but use of the shopping cart to sell information (sensitively) to cancer patients. For one reason or another - either they live or they die - they don't need to come back necessarily to buy another report.

    So the client wants only the checkout without account so I need a redirect to only that page - not the login or the create account screen. I think I've done this before but it was a really long time ago. So quick answer to where to change the redirect and is there really only one place as I think I remember?
    The full-time Zen Cart Guru. WizTech4ZC.com

  3. #713
    Join Date
    Oct 2005
    Location
    Chicago, IL USA
    Posts
    1,391
    Plugin Contributions
    28

    Default Re: COWOA Updated and Combined for ZC v1.5.x

    Quote Originally Posted by delia View Post
    quick question and hopefully someone will have a quick and easy answer. I have a client who simply wants only the checkout without account. This is not normal ecommerce but use of the shopping cart to sell information (sensitively) to cancer patients. For one reason or another - either they live or they die - they don't need to come back necessarily to buy another report.

    So the client wants only the checkout without account so I need a redirect to only that page - not the login or the create account screen. I think I've done this before but it was a really long time ago. So quick answer to where to change the redirect and is there really only one place as I think I remember?
    I had a client with the same request. However, it was a typical ecommerce site and I strongly recommended against it. He asked to to revert back a couple of weeks later after customer complaints.

    If you search this tread, you should find the solution I used.

  4. #714
    Join Date
    May 2006
    Location
    Gardiner, Maine
    Posts
    2,080
    Plugin Contributions
    22

    Default Re: COWOA Updated and Combined for ZC v1.5.x

    Well, it's certainly not what I want to do, believe me. We had a big wrangle about it.

    What I did was go in and change the checkout link in the shopping cart page to this:
    PHP Code:
    <a href="' . zen_href_link(FILENAME_NO_ACCOUNT, '', 'SSL') . '">' . zen_image_button(BUTTON_IMAGE_CHECKOUT, BUTTON_CHECKOUT_ALT) . '</a>'; ?> 
    I am adding a page (because this site has been up for years) that is for folks who have bought before just in case they come back and need to buy something else. That will have links to the login and my account, etc. But removed the links to the shopping cart as well so it's a crappy user experience for someone who did.
    The full-time Zen Cart Guru. WizTech4ZC.com

  5. #715
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,030
    Plugin Contributions
    32

    Default Re: COWOA Updated and Combined for ZC v1.5.x

    V
    Quote Originally Posted by ianhg View Post
    Tested with zencart version 1.5.5 seemed OK except I had an issue with missing Language files for checkout_success.php I needed to add the following:
    define('HEADING_ORDER_NUMBER', 'Order #%s');
    define('HEADING_DELIVERY_ADDRESS','Delivery Address');
    define('HEADING_BILLING_ADDRESS','Billing Address');
    define('HEADING_PAYMENT_METHOD','Payment Method');
    define('HEADING_ORDER_DATE','Date:');
    define('HEADING_ORDER_HISTORY','');
    define('HEADING_QUANTITY','Qty');
    define('HEADING_PRODUCTS', 'Item Name');
    define('HEADING_TOTAL', 'Total');
    define('TABLE_HEADING_STATUS_DATE', 'Date');
    define('TABLE_HEADING_STATUS_ORDER_STATUS', 'Order Status');
    define('TABLE_HEADING_STATUS_COMMENTS', 'Comments');
    define('QUANTITY_SUFFIX', '&nbsp;ea. ');
    define('ORDER_HEADING_DIVIDER', '&nbsp;-&nbsp;');
    Will be testing with PayPal soon.
    Good catch.. Made these updates..
    My Site - Zen Cart & WordPress integration specialist
    I don't answer support questions via PM. Post add-on support questions in the support thread. The question & the answer will benefit others with similar issues.

  6. #716
    Join Date
    Jan 2013
    Posts
    7
    Plugin Contributions
    0

    Default Re: COWOA Updated and Combined for ZC v1.5.x

    Hi everybody

    There seems to be a security issue with Cowoa. I just tested with ZC 1.5.5 and Cowoa 2.7 (latest in Github):

    1. Person A makes an order from Zen Cart using Cowoa checkout using email test@example.com
    2. Person B user makes a new account to Zen Cart using the same email address test@example.com
    3. Person B now sees order that Person A made in step 1. which is the security issue I am talking about

    This is due to registering doesn't use email confirmation by default... It isn't normally a issue if someone registers with a faulty email they have no access to, not really a major issue. However when using Cowoa, this reveals sensitive data about users and their order history.

    I am currently trying to figure how to fix this problem in my customers site, and basically I'm rather unsure how to fix it. I suppose email-confirmation must be required when cowoa-account exists before upgrading it to a normal account. Or mark orders to cowoa-orders, and not display them to a non-cowoa users.

  7. #717
    Join Date
    Jan 2013
    Posts
    7
    Plugin Contributions
    0

    Default Re: COWOA Updated and Combined for ZC v1.5.x

    Quote Originally Posted by Jarkko View Post
    Hi everybody

    There seems to be a security issue with Cowoa. I just tested with ZC 1.5.5 and Cowoa 2.7 (latest in Github):

    1. Person A makes an order from Zen Cart using Cowoa checkout using email test@example.com
    2. Person B user makes a new account to Zen Cart using the same email address test@example.com
    3. Person B now sees order that Person A made in step 1. which is the security issue I am talking about

    This is due to registering doesn't use email confirmation by default... It isn't normally a issue if someone registers with a faulty email they have no access to, not really a major issue. However when using Cowoa, this reveals sensitive data about users and their order history.

    I am currently trying to figure how to fix this problem in my customers site, and basically I'm rather unsure how to fix it. I suppose email-confirmation must be required when cowoa-account exists before upgrading it to a normal account. Or mark orders to cowoa-orders, and not display them to a non-cowoa users.
    I made a quick fix to this problem in my installation by modifying includes/modules/pages/account/header_php.php and includes/modules/pages/account_history/header_php.php with following line added to sql-query in both files:
    Code:
    AND    o.COWOA_order = 0
    So account and account_history will only show orders that are not Cowoa-orders.

    Also while testing I noticed that order_status -page can easily be brute-forced to give out information about orders for desired email. So I also took that feature off from the admin area, and deleted the includes/modules/pages/order_status -folder (since it kept working even after feature was disabled).

  8. #718
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,030
    Plugin Contributions
    32

    Default Re: COWOA Updated and Combined for ZC v1.5.x

    Quote Originally Posted by Jarkko View Post
    I made a quick fix to this problem in my installation by modifying includes/modules/pages/account/header_php.php and includes/modules/pages/account_history/header_php.php with following line added to sql-query in both files:
    Code:
    AND    o.COWOA_order = 0
    So account and account_history will only show orders that are not Cowoa-orders.
    While I don't have a fix to share, I do want to point out that this suggested fix is a bandaid solution IMHO, and probably not a desireable long term solution. If one starts out as a guest customer and decides to convert to a standard account using the same email address, I would think that the desired behavior is to see their entire order history (guest sales as well as standard account sales).

    On an unrelated side note.. 2 more posts to my 10,000th post on this forum!!
    My Site - Zen Cart & WordPress integration specialist
    I don't answer support questions via PM. Post add-on support questions in the support thread. The question & the answer will benefit others with similar issues.

  9. #719
    Join Date
    Dec 2007
    Location
    Payson, AZ
    Posts
    915
    Plugin Contributions
    12

    Default Re: COWOA Updated and Combined for ZC v1.5.x

    It depends on your idea of security risk or user convenience.

    My two pennies..

    Yes, COWOA always had that issue so does other sites that use email address as the user ID. I don't think I've actually had a shopping site do a opt-in opt-out check on account creation or checkout like non-shopping sites do.. wouldn't be hard to code in, but its another announce to the shopper!

    What I mean by opt-in opt-out, during the account sign up or creation you enter an email address, an email is sent with a standard is this you message, if so type in this number or click this link to finish or activate your account! I don't think you would get a customer to finish checking out if that happens... This is the only way I know of to prevent email address ID abuse for any site.... not just COWOA!

    COWOA assumes that the email address is one of a kind which it is unless you gave it up and someone decide to reuse it for themselves, then comes to your shop and creates an account.. If your storing more then shipping addresses, order details.. like CC numbers!! then yes I can see this as more then a COWOA security issue. I've also thought about what if someone decides to use someone email address and creates an standard account or cowoa checkout... buys and ships to there address! As a business owner I'm assuming you are managing the billing/payment side with fraud protection.. I am!

    Accessing a COWOA account by using the login side of ZC should be very hard.. COWOA accounts are protected with a password, for me, its a large hash, random character set, then salted... making a very hard password. I think ZC155 does this now which means I'll be switching that could out and using ZC call.

    I agree that the order status code can use better sanitizing and protection... will work on that.

    If you don't want your customers to see past orders, wouldn't be hard to code in a switch for that, but if you don't want them to find out the order status, then you can turn off or un-code that for your site if you wish to leave customers in the dark.. I don't hide the order status page and it's available to both cowoa and standard customers... I don't see a need or reason for someone to turn that feature off, but you can by not adding the page and link to your site.
    Dave
    Always forward thinking... MySite..

  10. #720
    Join Date
    Jan 2007
    Location
    Los Angeles, California, United States
    Posts
    10,030
    Plugin Contributions
    32

    Default Re: COWOA Updated and Combined for ZC v1.5.x

    Quote Originally Posted by davewest View Post
    It depends on your idea of security risk or user convenience.

    My two pennies..

    Yes, COWOA always had that issue so does other sites that use email address as the user ID. I don't think I've actually had a shopping site do a opt-in opt-out check on account creation or checkout like non-shopping sites do.. wouldn't be hard to code in, but its another announce to the shopper!

    What I mean by opt-in opt-out, during the account sign up or creation you enter an email address, an email is sent with a standard is this you message, if so type in this number or click this link to finish or activate your account! I don't think you would get a customer to finish checking out if that happens... This is the only way I know of to prevent email address ID abuse for any site.... not just COWOA!

    COWOA assumes that the email address is one of a kind which it is unless you gave it up and someone decide to reuse it for themselves, then comes to your shop and creates an account.. If your storing more then shipping addresses, order details.. like CC numbers!! then yes I can see this as more then a COWOA security issue. I've also thought about what if someone decides to use someone email address and creates an standard account or cowoa checkout... buys and ships to there address! As a business owner I'm assuming you are managing the billing/payment side with fraud protection.. I am!

    Accessing a COWOA account by using the login side of ZC should be very hard.. COWOA accounts are protected with a password, for me, its a large hash, random character set, then salted... making a very hard password. I think ZC155 does this now which means I'll be switching that could out and using ZC call.

    I agree that the order status code can use better sanitizing and protection... will work on that.

    If you don't want your customers to see past orders, wouldn't be hard to code in a switch for that, but if you don't want them to find out the order status, then you can turn off or un-code that for your site if you wish to leave customers in the dark.. I don't hide the order status page and it's available to both cowoa and standard customers... I don't see a need or reason for someone to turn that feature off, but you can by not adding the page and link to your site.

    **nods in agreement**

    I should have been clear that I don't think this is a SECURITY issue.. It MIGHT be a NUISANCE issue if you actually have folks doing this..

    I have no knowledge of anyone reporting this "issue" with regards to COWOA or Fast & Easy Checkout in any support post on this forum.

    I don't think that there is any GAIN by any hacker or prankster trying to access a CUSTOMER side account. I suspect that the Zen Cart admins and community would have reported such and it would have been addressed.
    My Site - Zen Cart & WordPress integration specialist
    I don't answer support questions via PM. Post add-on support questions in the support thread. The question & the answer will benefit others with similar issues.

 

 
Page 72 of 84 FirstFirst ... 2262707172737482 ... LastLast

Similar Threads

  1. v139c COWOA Module (my update for ZC v1.3.x)
    By JTheed in forum All Other Contributions/Addons
    Replies: 398
    Last Post: 29 Oct 2014, 02:35 PM
  2. Installed FEC before COWOA, now COWOA config menu doesn't appear
    By i-make-robots in forum Addon Payment Modules
    Replies: 8
    Last Post: 12 Jan 2014, 01:34 PM
  3. v151 How to install COWOA (for ZC v1.5.x)
    By edgemeister in forum All Other Contributions/Addons
    Replies: 2
    Last Post: 4 Apr 2013, 05:21 PM
  4. v151 Which COWOA Plugin? Fast and Easy or original COWOA ?
    By damon in forum All Other Contributions/Addons
    Replies: 4
    Last Post: 8 Nov 2012, 03:44 AM
  5. v151 Installation order for new site/template/cowoa?
    By joejoejoe in forum Addon Templates
    Replies: 3
    Last Post: 21 Sep 2012, 02:29 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg
Zen-Cart, Internet Selling Services, Klamath Falls, OR