address in customer login

[HeleneWallis]

Helene, does the problem persist if you (temporarily) switch to a different template? eg: rule out customizations unique to your current template or its language files.

I haven't tried that, because our system is busy all the time. We ship all over the world, so we have orders coming in at all hours of the day and night, and I'm reluctant to do anything that would screw up the site's appearance. But the template customization was all done shortly after downloading and installing the package in 2016 and has not changed since then.

[DrByte]

(If this weren't happening on multiple screens in exactly the same way, I'd be more focused on a single template file, but the repetition suggests a deeper issue.)

Okay, then this is how I would tackle the situation if I were investigating:

Online:
I'd test on a browser that has javascript disabled, even if only temporarily -- to see whether some javascript is injecting the email address (Whether via a widget you've added recently, or via something you didn't expect). Knowing that would help focus on specific kinds of files for first phase of fixing. But if you do find something in that area, if you don't know exactly why/who "did" that, then you'd still want to do a deep search/clean, as follows:

Offline: https://docs.zen-cart.com/user/troub...bscure_issues/
- I'd make a fresh copy of your site's files and database, to my PC. (Copy the files via secure FTP to a PC that has been checked for viruses etc.)
- I'd compare all your site's files against the last "known good" copy of your site's files that you already had on your PC. The goal is to check for unauthorized alterations that have been made to server files.
- I'd then compare all your site's files against originals for your Zen Cart version, looking for alterations/surprises.
- I'd then compare your template-specific override files against "default" files, to see if there's anything template-specific that's been changed.

One thing I'm wondering about is if a language file or template file has been changed to put your email address in place of something that should be driven by logic instead of hard-coded.
But there could be other things that have been changed that are causing the output you've described.

I'd also go looking for unexpected changes in the database. All tables should be inspected, especially the configuration table and even the tables that "rarely change".

While I'm not immediately suspecting any "hack" or malicious activity, I wouldn't rule it out without a deep inspection. The steps above are the abbreviation of what I recommend for inspecting for hacks. In short: inspect by assuming the worst so that the inspection is utterly thorough, until you can fully prove that it isn't something rogue.

It might just be some innocent side-effect of something a team member or hosting company employee was trying to do, which needs correcting.

[HeleneWallis]

The 'team' consists of me, lol. Nobody else here would even know where to start. So if there has been a change, and I didn't do it, then hacker activity is at least a possibility. I can't figure out why any hacker wouldn't have done something more useful to the hacker and less obvious to the user, but they aren't all brilliant. Thanks for your suggestions. I can't tackle all of this right now--we're in the middle of a move to a new city with all the headaches that involves. But I will go down the list one at a time and look at each one. And I guess I'd better pull up the tpl_login_default.php file and see exactly where it's getting its data from and what it's doing with it. I was hoping this would turn out to be some known problem with a quick fix that wouldn't require me to debug anything.

[DrByte]

I would have asked more about template files too, but templates are fed from variables built in the /includes/modules files (sometimes page-specific, and sometimes more broadly generic), so it makes sense to investigate all the files, at least in the /includes/ directory and subdirectories. But since you're using a custom template, the comparison steps also involve checking everything template-specific.

The situation you describe is not related to any known bug.

Keep in mind: if only "you" have access to your server, then anything that "suddenly" changes is not something that's caused from external, and rarely from a pre-existing "bug". Those "sudden" changes are typically environmental like a server software upgrade (PHP, MySQL, Apache, etc), or someone adding something via an admin screen, or unauthorized access.

[balihr]

One other thing you might wanna check - includes/functions/html_output.php (specifically the zen_draw_input_field() function) and also your includes/classes/observers/ to see if you have anything there that would alter the output. One thing I find very interesting is that it does the exact same thing where zen_draw_input_field('email') or zen_draw_input_field('email_address') is called. Smells like an observer, maybe...

[VDecalS]

I haven't tried that, because our system is busy all the time. We ship all over the world, so we have orders coming in at all hours of the day and night, and I'm reluctant to do anything that would screw up the site's appearance. But the template customization was all done shortly after downloading and installing the package in 2016 and has not changed since then.

That's great to have so much business. If you were to put the site down for maintenance (of course making sure your IP remains active), switch templates, and check the contact us page, you should be able to eliminate the template in just a couple of minutes before switching the template back and dropping out of maintenance.

[HeleneWallis]

If this is any help, here is the code that's actually being executed at this point. I haven't dug deep enough to see why it's filling in the value with our email address. Sorry, I hate asking other people to do things I should be able to figure out myself, but it's a three ring circus around here right now.


<div class="centerColumn" id="loginDefault">

<h1 id="loginDefaultHeading">Welcome, Please Sign In</h1>



<!--BOF normal login-->
<form name="login" action="https://www.newnaturalsonline.com/index.php?main_page=login&amp;action=process" method="post" id="loginForm"><input type="hidden" name="securityToken" value="3eb7d7d2636f6438c59fbb81d288f506" /><fieldset>
<legend>Returning Customers: Please Log In</legend>

<label class="inputLabel" for="login-email-address">Email Address:</label>
<input type="email" name="email_address" value="newnaturalsonline @ gmail.com" size = "41" maxlength= "96" id="login-email-address" autofocus placeholder="*" required /><br class="clearBoth" />

<label class="inputLabel" for="login-password">Password:</label>
<input type="password" name="password" size = "41" maxlength= "255" id="login-password" autocomplete="off" placeholder="*" required /><br class="clearBoth" />
<input type="hidden" name="securityToken" value="3eb7d7d2636f6438c59fbb81d288f506" /></fieldset>

<div class="buttonRow forward"><input class="cssButton submit_button button button_login" onmouseover="this.className='cssButtonHover button_login button_loginHover'" onmouseout="this.className='cssButton submit_button button button_login'" type="submit" value="Sign In" /></div>
<div class="buttonRow back important"><a href="https://www.newnaturalsonline.com/index.php?main_page=password_forgotten">Forgot your password?</a></div>
</form>
<br class="clearBoth" />

<form name="create_account" action="https://www.newnaturalsonline.com/index.php?main_page=create_account" method="post" onsubmit="return check_form(create_account);" id="createAccountForm"><input type="hidden" name="securityToken" value="3eb7d7d2636f6438c59fbb81d288f506" /><input type="hidden" name="action" value="process" /><input type="hidden" name="email_pref_html" value="email_format" /><fieldset>
<legend>New? Please Provide Your Billing Information</legend>

[HeleneWallis]

One other thing you might wanna check - includes/functions/html_output.php (specifically the zen_draw_input_field() function) and also your includes/classes/observers/ to see if you have anything there that would alter the output. One thing I find very interesting is that it does the exact same thing where zen_draw_input_field('email') or zen_draw_input_field('email_address') is called. Smells like an observer, maybe...

I do have a plug-in (for encrypted master password) in the observers section, but it's been there since 2017.

[HeleneWallis]

Thanks much to balihr for his help with figuring this out. What he had to do was comment out the line in /includes/templates/MY_TEMPLATE/common/html_header.php that says

//if $use_email is set to 1;
$email_address = "newnaturalsonline######################"; // your email <--------- this line commented out

This is in the AutoOpenGraph section. No idea why it suddenly started being a problem, because I've been running this version of Zencart since 2016 and this just started a few months ago. But now I also see why I'm getting emails with our address as the return address--people are seeing our email address in that field and not replacing it with their own.

Thanks for everyone's input on this, problem fixed.