Thread: Hack attempt?

  1. #1 Hack attempt?
     Join Date: Nov 2005 | Posts: 513 | Plugin Contributions: 7

    I have a site running Zen Cart 1.5.7c with lat9's excellent One Page Checkout module.
    A recently created account showed the following surname entry.

    Code:
    Anderson<ScRipT SRc=//nojs.me></

    I checked the form fields and they are written like

    Code:
    $firstname = zen_db_prepare_input(zen_sanitize_string($_POST['firstname']));
    $lastname = zen_db_prepare_input(zen_sanitize_string($_POST['lastname']));

    How did this get past Zen Cart's data sanitization?

  2. #2 Re: Hack attempt?
     Join Date: Nov 2005 | Posts: 513 | Plugin Contributions: 7

    No response on this from any of the Zen Cart devs, @DrByte, @lat9, @swguy?

    I would have expected this kind of entry to be prevented at form submission.

  3. #3 Re: Hack attempt? (by lat9)
     Join Date: Sep 2009 | Location: Stuart, FL | Posts: 10,828 | Plugin Contributions: 80

    Yes, that was a hack attempt, but the zen_sanitize_string function has negated the inclusion of that <script> tag, converting it to &lt;script&gt; so that while it looks like a script-tag, its operation has been nullified.

  4. #4 Re: Hack attempt?
     Join Date: Nov 2005 | Posts: 513 | Plugin Contributions: 7

    Quote Originally Posted by lat9:
    Yes, that was a hack attempt, but the zen_sanitize_string function has negated the inclusion of that <script> tag, converting it to &lt;script&gt; so that while it looks like a script-tag, its operation has been nullified.

    Is there a way to have it prevent the form from being submitted if such an entry is detected, in the same way that the anti spam feature does?

  5. #5 Re: Hack attempt?
     Join Date: Nov 2005 | Posts: 513 | Plugin Contributions: 7

    I modified functions_general_shared.php to

    Code:
    function zen_sanitize_string($string) {
        // Reset the flag once per request, not once per call: this function
        // runs for every submitted field, and clearing it on each call would
        // erase a hit found in an earlier field (e.g. the surname).
        static $flag_reset = false;
        if (!$flag_reset) {
            $_SESSION['hackAttempt'] = false;
            $flag_reset = true;
        }
        $string = preg_replace('/ +/', ' ', $string);
        // Record the attempt, then neutralize the angle brackets.
        if (preg_match('/[<>]/', $string)) {
            $_SESSION['hackAttempt'] = true;
        }
        return preg_replace('/[<>]/', '_', $string);
    }
    and modules/create_account.php from
    Code:
    if ($error == true) {
        // hook notifier class
        $zco_notifier->notify('NOTIFY_FAILURE_DURING_CREATE_ACCOUNT');
      } elseif ($antiSpam != '') {
        $zco_notifier->notify('NOTIFY_SPAM_DETECTED_DURING_CREATE_ACCOUNT');
        $messageStack->add_session('header', (defined('ERROR_CREATE_ACCOUNT_SPAM_DETECTED') ? ERROR_CREATE_ACCOUNT_SPAM_DETECTED : 'Thank you, your account request has been submitted for review.'), 'success');
        zen_redirect(zen_href_link(FILENAME_SHOPPING_CART));
      } else {
    to
    Code:
    if ($error == true) {
        // hook notifier class
        $zco_notifier->notify('NOTIFY_FAILURE_DURING_CREATE_ACCOUNT');
    } elseif ($antiSpam != '') {
        $zco_notifier->notify('NOTIFY_SPAM_DETECTED_DURING_CREATE_ACCOUNT');
        $messageStack->add_session('header', (defined('ERROR_CREATE_ACCOUNT_SPAM_DETECTED') ? ERROR_CREATE_ACCOUNT_SPAM_DETECTED : 'Thank you, your account request has been submitted for review.'), 'success');
        zen_redirect(zen_href_link(FILENAME_SHOPPING_CART));
    } elseif (!empty($_SESSION['hackAttempt'])) {
        // flag set by zen_sanitize_string when a field contained < or >;
        // empty() also covers the case where the flag was never set
        $zco_notifier->notify('NOTIFY_SPAM_DETECTED_DURING_CREATE_ACCOUNT');
        $messageStack->add_session('header', (defined('ERROR_CREATE_ACCOUNT_SPAM_DETECTED') ? ERROR_CREATE_ACCOUNT_SPAM_DETECTED : 'Thank you, your account request has been submitted for review.'), 'success');
        zen_redirect(zen_href_link(FILENAME_SHOPPING_CART));
    } else {

    There may be a more elegant solution, but it does what I want for now.
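As an added example that is not code from this thread or from Zen Cart itself, the standalone PHP script below shows the two points discussed above in one place: the request-scoped detection flag from post #5 (set once for the whole form, so a hit in the surname is not erased by clean fields sanitized afterwards), and the output encoding that post #3 relies on as the actual reason the stored value cannot execute. The function names (sanitize_and_flag, sanitize_fields, h), the field list and the sample POST body are constructed for the example; the surname value is the one reported in post #1.

```php
<?php
// Added example, not Zen Cart code. Demonstrates request-scoped flagging of
// angle brackets across all submitted fields plus output encoding on display.

// Strip < and > from one value and remember that a suspicious value was seen.
// The flag is reset once per request (static guard), not once per field, so
// a hit in an early field survives the calls made for later clean fields.
function sanitize_and_flag(string $value): string
{
    static $resetThisRequest = false;
    if (!$resetThisRequest) {
        $_SESSION['hackAttempt'] = false;
        $resetThisRequest = true;
    }
    $value = preg_replace('/ +/', ' ', $value);
    if (preg_match('/[<>]/', $value)) {
        $_SESSION['hackAttempt'] = true;
    }
    return preg_replace('/[<>]/', '_', $value);
}

// Sanitize every expected field of a POST body; unexpected keys are ignored
// and missing keys become empty strings, as the form handler would see them.
function sanitize_fields(array $post, array $expected): array
{
    $clean = [];
    foreach ($expected as $name) {
        $clean[$name] = sanitize_and_flag((string) ($post[$name] ?? ''));
    }
    return $clean;
}

// Output encoding: this is what stops a stored value from becoming markup
// in the rendered page, regardless of what the input filter did or missed.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Constructed sample request. The surname carries the entry from post #1;
// the clean fields after it would have reset a per-call flag. ---
$_SESSION = [];   // plain array is enough for a CLI demonstration (assumption)
$post = [
    'firstname'      => 'Anderson',
    'lastname'       => 'Anderson<ScRipT SRc=//nojs.me></',
    'street_address' => '1 Example St',
];
$expected = ['firstname', 'lastname', 'street_address'];

$clean = sanitize_fields($post, $expected);

// Decision the form handler would make: reject the submission if any field
// tripped the flag, otherwise continue with the sanitized values.
if (!empty($_SESSION['hackAttempt'])) {
    echo "blocked: angle brackets found in submitted data\n";
} else {
    echo "accepted\n";
}

// Whatever was stored is still encoded on the way out.
foreach ($clean as $name => $value) {
    echo $name . ': ' . h($value) . "\n";
}
```

Run it with `php example.php`; the submission is reported as blocked even though the last field sanitized is clean, and each value is printed through h() so that any remaining markup characters are rendered as text rather than as tags.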
