  1. #511
    Join Date
    Jul 2012
    Posts
    16,741
    Plugin Contributions
    17

    Default Re: User tracking mod

    Quote Originally Posted by BlessIsaacola View Post
    I am hoping someone can help me. We upgraded to Zen Cart 1.5.1 and User Tracking 1.4.2 and I am getting these errors in the log file:
    Code:
    [07-Aug-2013 01:26:56 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0=A&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'O' at line 1 :: insert into user_tracking (customer_id, full_name, session_id, ip_address, time_entry, time_last_click, last_page_url, referer_url, page_desc, customers_host_address) values ('0', 'Guest', '931f031bebc22bab074f3e9f9dd60475', '198.100.145.182', '1375853216', '1375853216', '/index.php?main_page=\'0=A&products_id=13493', 'http://www.clevershoppers.com/index.php?main_page='0=A&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'OFFICE_IP_TO_HOST_ADDRESS') in /MASKED/includes/classes/db/mysql/query_factory.php on line 120
    Code:
    [07-Aug-2013 01:26:57 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0=A', 'NAVBAR_TITLE', 'OFFICE_IP_TO_HOST_ADDRESS')' at line 1 :: insert into user_tracking (customer_id, full_name, session_id, ip_address, time_entry, time_last_click, last_page_url, referer_url, page_desc, customers_host_address) values ('0', 'Guest', '42c15c5d5052c1bd8b9601e07c1c65ff', '198.100.145.182', '1375853217', '1375853217', '/index.php?main_page=product_info&products_id=\'0=A', 'http://www.clevershoppers.com/index.php?main_page=product_info&products_id='0=A', 'NAVBAR_TITLE', 'OFFICE_IP_TO_HOST_ADDRESS') in /MASKED/includes/classes/db/mysql/query_factory.php on line 120
    Code:
    [07-Aug-2013 01:26:58 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0=A+and+1=1&products_id=13493', 'Learning Resources Pretend and Play Food Snack ' at line 1 :: insert into user_tracking (customer_id, full_name, session_id, ip_address, time_entry, time_last_click, last_page_url, referer_url, page_desc, customers_host_address) values ('0', 'Guest', '4fbeab1bb17a9a9ab8b444106ba60f2d', '198.100.145.182', '1375853218', '1375853218', '/index.php?main_page=\'0=A+and+1=1&products_id=13493', 'http://www.clevershoppers.com/index.php?main_page='0=A+and+1=1&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'OFFICE_IP_TO_HOST_ADDRESS') in /MASKED/includes/classes/db/mysql/query_factory.php on line 120
    These are just some examples, there are 100s of these errors in the log. On the Admin side, I see tracking and such but obviously something is wrong here.

    Thanks!
    I'm curious from what version you upgraded.

    Basically, what I have discovered from errors of that type, is that whoever or whatever is at the ip address shown in the error is/has been trying to abuse Zen Cart by sending a bad URL. You can reproduce/force the error by manually entering the same URL. The good thing? Now you know about it, and hopefully/probably now they can't use the same trick they used to to get what they were able to. (Sorry, I'm assuming that since the same IP address was in each of those error logs, that they have probably been sending that URL for a while.)

    See, it is as if someone is trying to submit what I think is called SQL injection, because if you notice that after main_page= there is a backwards slash followed by an apostrophe; in SQL that combination is like forcing an apostrophe to stay in the string which if improperly handled in the code could act like a break in a line with the following text to be executed as if actual code. For example, one of the entries evaluates to 0=A which results in an error because you can't assign the letter A to the number 0. If the code didn't catch this then there might be a problem. But basically, to log records, the user tracking mod is passing to the SQL interpreter the data that is shown, and it doesn't like some of the data.

    That's my interpretation based on finding an occasional similar event in my log, tracking down the originator (same place each time), and a little research on the values attempted to inject.
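
Added example, not part of the original post and not the plugin's code: in the logged statements `last_page_url` carries an escaped `\'` while `referer_url` carries a bare `'`, which is where the quoted string ends early and MySQL reports error 1064. The sketch below reproduces that with an in-memory SQLite table as a stand-in for MySQL; the three-column table, the `shop.example` host and all function names are assumptions.

```python
import sqlite3

# Constructed values modelled on the logged request; shop.example is a placeholder host.
LAST_PAGE = "/index.php?main_page='0=A&products_id=13493"
REFERER = "http://shop.example/index.php?main_page='0=A&products_id=13493"


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table user_tracking "
               "(session_id text, last_page_url text, referer_url text)")
    return db


def escape(value):
    # SQL-standard quote doubling; stands in for the backslash escaping
    # that the logged statement applied to last_page_url.
    return value.replace("'", "''")


def insert_concatenated(db, session_id, last_page, referer):
    """String-built insert: last_page_url escaped, referer_url left raw."""
    sql = ("insert into user_tracking (session_id, last_page_url, referer_url) "
           "values ('%s', '%s', '%s')" % (session_id, escape(last_page), referer))
    try:
        db.execute(sql)
        return "stored"
    except sqlite3.Error as exc:
        return "rejected: %s" % exc


def insert_bound(db, session_id, last_page, referer):
    """Same insert with bound parameters: values never become SQL text."""
    db.execute("insert into user_tracking (session_id, last_page_url, referer_url) "
               "values (?, ?, ?)", (session_id, last_page, referer))
    return "stored"


def stored_referers(db):
    return [row[0] for row in db.execute("select referer_url from user_tracking")]


if __name__ == "__main__":
    db = open_db()
    print(insert_concatenated(db, "s1", LAST_PAGE, REFERER))  # rejected by the parser
    print(insert_bound(db, "s2", LAST_PAGE, REFERER))         # stored as plain data
    print(stored_referers(db))
```

With bound parameters the probe is recorded as an ordinary row, so the tracking table keeps the evidence instead of the request ending in a fatal error.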

  2. #512
    Join Date
    Feb 2004
    Location
    Georgia, USA
    Posts
    1,948
    Plugin Contributions
    0

    Default Re: User tracking mod

    I upgraded from Version: 1.3.6.2. If I understand you correctly, this is nothing to worry about other than the annoying 100s of entries in the log folder? If this continues I still may ditch this mod. It's interesting that this never showed up before upgrading to Zen Cart 1.5.1. Thanks so much for looking into this.

  3. #513
    Join Date
    Jul 2012
    Posts
    16,741
    Plugin Contributions
    17

    Default Re: User tracking mod

    Quote Originally Posted by BlessIsaacola View Post
    I upgraded from Version: 1.3.6.2. If I understand you correctly, this is nothing to worry about other than the annoying 100s of entries in the log folder? If this continues I still may ditch this mod. It's interesting that this never showed up before upgrading to Zen Cart 1.5.1. Thanks so much for looking into this.
    Well, glad you upgraded from such an old version. My understanding is that likely it had security issues. My recommendation would be to use this previously unavailable information to take action on your site. Take a look at the errors and see what commonalities exist. Perhaps that (or those) ip addresses need to be reported to the respective host(s) about how they are trying to abuse your site, and then maybe also have the address(es) blocked from your site through your .htaccess file(s). After all, if they're not engaging with your site appropriately then either they shouldn't be able to or maybe they have an issue that needs to be corrected. Take a look at the product_id identified and review your database through your phpMyAdmin panel, do you have a product_id of 13493? (Or could look through your store to find the same.) My guess is that no, you don't have 13,493 items and therefore don't have a product_id that high, which further indicates that it's not actually your cart providing that URL, but someone/something providing that to your cart to attempt to abuse it.

    Realize, ignoring the abusive behavior won't resolve anything, and it may even escalate.
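
Added example, not part of the original post: one way to look for the commonalities suggested above is to group the failed `user_tracking` inserts in the debug log by client IP and note which query parameter carried the stray quote. The log lines are constructed in the format of the excerpts earlier in the thread (documentation-range IPs, shortened messages), and the function name and report layout are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed entries (not real log data); the second line is an unrelated warning.
SAMPLE_LOG = r"""
[07-Aug-2013 01:26:56 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; near '0=A' at line 1 :: insert into user_tracking (customer_id, ...) values ('0', 'Guest', 'aaaa1111', '203.0.113.7', '1375853216', '1375853216', '/index.php?main_page=\'0=A&products_id=13493', 'http://shop.example/index.php?main_page='0=A&products_id=13493', 'Some Product', 'HOST') in /MASKED/query_factory.php on line 120
[07-Aug-2013 01:26:57 America/New_York] PHP Warning:  unrelated notice in /MASKED/other.php on line 9
[07-Aug-2013 01:26:57 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; near '0=A' at line 1 :: insert into user_tracking (customer_id, ...) values ('0', 'Guest', 'bbbb2222', '203.0.113.7', '1375853217', '1375853217', '/index.php?main_page=product_info&products_id=\'0=A', 'http://shop.example/index.php?main_page=product_info&products_id='0=A', 'NAVBAR_TITLE', 'HOST') in /MASKED/query_factory.php on line 120
[07-Aug-2013 01:26:58 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; near '0=A' at line 1 :: insert into user_tracking (customer_id, ...) values ('0', 'Guest', 'cccc3333', '198.51.100.9', '1375853218', '1375853218', '/index.php?main_page=\'0=A+and+1=1&products_id=13493', 'http://shop.example/index.php?main_page='0=A+and+1=1&products_id=13493', 'Some Product', 'HOST') in /MASKED/query_factory.php on line 120
"""

Q = r"'(?:[^'\\]|\\.)*'"  # one single-quoted SQL value, backslash escapes allowed
# Only the first seven values are parsed: they precede the unescaped referer
# field, so their quoting is still reliable.
ENTRY = re.compile(
    r"^\[(?P<when>[^\]]+)\] PHP Fatal error:\s+1064:.*?"
    r"insert into user_tracking .*?values \("
    + ", ".join([Q, Q, Q, r"'(?P<ip>[^']+)'", Q, Q,
                 r"'(?P<page>(?:[^'\\]|\\.)*)'"]),
    re.M)


def triage(log_text):
    """Group failed user_tracking inserts by client IP; list quoted parameters."""
    report = defaultdict(lambda: {"hits": 0, "params": set()})
    for m in ENTRY.finditer(log_text):
        url = m.group("page").replace("\\'", "'")  # undo the escaping in the log
        entry = report[m.group("ip")]
        entry["hits"] += 1
        entry.setdefault("first_seen", m.group("when"))
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            if "'" in value:
                entry["params"].add(name)
    return dict(report)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["params"]), info["first_seen"])
```

The per-IP hit count, first-seen time and affected parameter names are the details an abuse report to the hosting provider would need.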

  4. #514
    Join Date
    Feb 2004
    Location
    Georgia, USA
    Posts
    1,948
    Plugin Contributions
    0

    Default Re: User tracking mod

    Thank you again! I will definitely keep an eye on it and block the ips as they come through. The product ids that are included are valid on our site and work just fine. I still find it rather interesting that they are using User Tracking Mod to try and attack. Obviously, there's a reason for that best known to them. I will monitor the log for a while and add the offending ip to the block list. Thanks for troubleshooting with me.

  5. #515
    Join Date
    Jul 2012
    Posts
    16,741
    Plugin Contributions
    17

    Default Re: User tracking mod

    Quote Originally Posted by BlessIsaacola View Post
    I upgraded from Version: 1.3.6.2. If I understand you correctly, this is nothing to worry about other than the annoying 100s of entries in the log folder? If this continues I still may ditch this mod. It's interesting that this never showed up before upgrading to Zen Cart 1.5.1. Thanks so much for looking into this.
    Also, this may not have been observed before because the old version of your Zen Cart may have allowed that computer to do what it was doing before processing the user tracking code. Now that you are on the latest version of Zen Cart, Zen Cart is allowing that "request" to move forward. So, to further clarify (seeing a newer post), they may not be targeting the User Tracking, but "known" issues with the older Zen Cart systems that potentially have security issues, it's just now you have something reported as a result of having the plugin.

    Again, I caution about just blocking the ip addresses, it "fixes" potential issues with them reaching to you, but doesn't notify anyone about the attempts they are making.

  6. #516
    Join Date
    Feb 2004
    Location
    Georgia, USA
    Posts
    1,948
    Plugin Contributions
    0

    Default Re: User tracking mod

    I will greatly appreciate if anyone has an uninstall instruction for the database changes and page registration that was made by this mod. I have uninstalled it from our site and would like to clean it up from the DB.

  7. #517
    Join Date
    Jul 2012
    Posts
    16,741
    Plugin Contributions
    17

    Default Re: User tracking mod

    Quote Originally Posted by BlessIsaacola View Post
    I will greatly appreciate if anyone has an uninstall instruction for the database changes and page registration that was made by this mod. I have uninstalled it from our site and would like to clean it up from the DB.
    They (the instructions and or uninstall SQL) should be part of the installation instructions.

    Other than the numerous error messages generated by one or more computers attempting to provide a bad string, was there anything else that you saw that could be improved? (I have some plans for additional mods, so I am interested in if I am planning the right ones.)

  8. #518
    Join Date
    Feb 2004
    Location
    Georgia, USA
    Posts
    1,948
    Plugin Contributions
    0

    Default Re: User tracking mod

    Quote Originally Posted by mc12345678 View Post
    They (the instructions and or uninstall SQL) should be part of the installation instructions.

    Other than the numerous error messages generated by one or more computers attempting to provide a bad string, was there anything else that you saw that could be improved? (I have some plans for additional mods, so I am interested in if I am planning the right ones.)
    The keyword there is they should be but I don't see an uninstall instruction. Inside the Readme I have HOW_TO_UPDATE-V1.5.0.txt and New_Install_Readme.txt and inside the sql folder I have new_install_user_tracking.sql and UPDATE_user_tracking.sql. Not sure if my 1.4.2 package download is missing something but there's no uninstall instruction for the database or page registration stuff. I honestly cannot tell you what exactly is wrong but we have so many customizations on our site and this is the only mod that's not playing well with the database (in the sense that it keeps triggering an error related to an insert and line 120 of query factory). Instead of chasing it around, I decided to remove it from our site for now. When there's another release I will try it again but it's not critical enough to our business to be messing with it. Our livehelp mod has a built-in functionality that collects the same data so I am not missing anything. Thanks!

  9. #519
    Join Date
    Jul 2012
    Posts
    16,741
    Plugin Contributions
    17

    Default Re: User tracking mod

    Quote Originally Posted by BlessIsaacola View Post
    The keyword there is they should be but I don't see an uninstall instruction. Inside the Readme I have HOW_TO_UPDATE-V1.5.0.txt and New_Install_Readme.txt and inside the sql folder I have new_install_user_tracking.sql and UPDATE_user_tracking.sql. Not sure if my 1.4.2 package download is missing something but there's no uninstall instruction for the database or page registration stuff. I honestly cannot tell you what exactly is wrong but we have so many customizations on our site and this is the only mod that's not playing well with the database (in the sense that it keeps triggering an error related to an insert and line 120 of query factory). Instead of chasing it around, I decided to remove it from our site for now. When there's another release I will try it again but it's not critical enough to our business to be messing with it. Our livehelp mod has a built-in functionality that collects the same data so I am not missing anything. Thanks!
    First, thank you for the detailed feedback, whether it be me or another Zenner, hopefully the trouble data that is causing the error can be evaluated and an appropriate action taken rather than forwarding on the information in its entirety to force an additional error log.

    As for uninstall, I seem to recall that it is addressed in the individual install documents. I also thought there was an uninstall.sql file provided with the package and that the instructions addressed how to apply that file to the cart.

    I'll take a look to see if I'm wrong, and if so provide instructions. I was the last to modify the package, but there was not a separate uninstall instruction file when I made the changes I did.

    Glad to hear that the problem(s) will still be captured/addressed by something else, allowing them to be resolved. Whatever the solution specifically for this mod, I think that solution should not use up a significant amount of space either on the server or the database to "flag" the issue. Probably will be as simple as adding a flag to a portion of the collected data and stripping out the offending information from the data before sending it down the path for ZC to process.

  10. #520
    Join Date
    Feb 2004
    Location
    Georgia, USA
    Posts
    1,948
    Plugin Contributions
    0

    Default Re: User tracking mod

    Thank you so much for taking the time to thoroughly engage with me on this. I really appreciate it! I downloaded the 1.4.2 again and there's no uninstall instruction. This is simply so you know. I can drop the table from the database manually (but others may not be comfortable with that). The page registration stuff is still new to me which is why I went looking for the uninstall instruction. Have a great weekend!

 

 