
7/4/2007

Zen Cart Patch Needed For Admin Security

Zen Cart has released a patch for all versions v1.2 through v1.3.7 that fixes a serious security hole in the admin login/password reset system.

I strongly advise all current ZenCart users to see to it that this patch is performed on their systems. The patch takes less than fifteen minutes to complete.

If you need help with this patch, I can install for $25.


6/29/2007

Coding on a Live Site

I have written several times about debugging a live site and posted snippets for working on the themes of a live WordPress install. One trick I haven’t mentioned is using the PHP error log.

PHP on any production site should be configured to not display errors. I see all too often on random sites that PHP has been configured to show errors (sometimes even in Google results). This gives away too much information about your application and server.

On the servers and applications I work on all of the time, I configure PHP to log errors to /var/log/php_errors. Simply tailing this file through a console will quickly show any errors caused by the edits.

To enable logging, check these two variables in your php.ini:

; Log errors into a log file (server-specific log, stderr, or error_log (below))
; As stated above, you're strongly advised to use error logging in place of
; error displaying on production web sites.
log_errors = On
; Log errors to specified file.
;error_log = filename
error_log = /var/log/php_errors

To tail the log file from an SSH console:

tail -f /var/log/php_errors


6/28/2007

Exim Queue Snippets

These are all useful when trying to track down an open formmail script.

List bounce messages

exiqgrep -f '^<>$'

Freeze bounce messages

exiqgrep -i -f '^<>$' | xargs exim -Mf

Freeze messages from user@domain.com

exiqgrep -i -f 'user@domain.com' | xargs exim -Mf

Find out which user your webserver runs as and use that as the email address to key on. For example, my Apache runs as nobody, so I want to freeze all messages sent from nobody@domain.com so I can look through them and see if I can deduce where the insecure formmail script is.

Delete frozen messages

exiqgrep -z -i | xargs exim -Mrm
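The queue commands above find the mail an open formmail script is pumping out; the script itself still has to be closed. The handler below is an added example, not code from this post: it fixes the recipient server-side and refuses any header field that could carry an extra line, which is the hole that turns a contact form into an open relay. The addresses, constant names and function names are this example's own.

```php
<?php
// Added example, not code from the post: the fix for the problem the queue commands
// above help locate. An "open" formmail script takes the recipient (or whole header
// lines) from the request, so anyone can relay through the server as the web user.
// This handler fixes the recipient and refuses input that could add headers.
// Addresses and function names are this example's own.

const FORMMAIL_RECIPIENT = 'webmaster@example.com';   // constructed placeholder
const FORMMAIL_SENDER    = 'contact@example.com';     // constructed placeholder

/**
 * Validate contact-form fields and return the arguments for a safe mail() call.
 * Throws InvalidArgumentException on anything that could smuggle extra headers.
 */
function build_contact_message(array $input): array
{
    foreach (['name', 'email', 'subject', 'message'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            throw new InvalidArgumentException("missing field: $field");
        }
    }
    // Anything that ends up in a header must stay on one line: a CR/LF here is how
    // an extra "Bcc:" or a second "To:" gets appended to the message.
    foreach (['name', 'email', 'subject'] as $field) {
        if (preg_match('/[\r\n\0]/', $input[$field]) || strlen($input[$field]) > 200) {
            throw new InvalidArgumentException("rejected header field: $field");
        }
    }
    $email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('invalid sender address');
    }
    // Keep the display name to letters, digits and a few punctuation marks so it
    // cannot close the quoted name early or carry a second address.
    $name = trim((string) preg_replace('/[^\p{L}\p{N} .\'-]/u', '', $input['name']));

    return [
        'to'      => FORMMAIL_RECIPIENT,                 // never taken from the request
        'subject' => '[contact] ' . trim($input['subject']),
        'body'    => rtrim($input['message']) . "\n",
        // The visitor goes in Reply-To; From stays our own address so the visitor's
        // domain's SPF/DMARC policy is not violated by our server.
        'headers' => 'From: ' . FORMMAIL_SENDER . "\r\n"
                   . 'Reply-To: ' . ($name !== '' ? "\"$name\" <$email>" : $email) . "\r\n",
    ];
}

/** Sends if valid; rejects go to the PHP error log, never back to the visitor. */
function send_contact_message(array $input, string $remoteAddr): bool
{
    try {
        $m = build_contact_message($input);
    } catch (InvalidArgumentException $e) {
        error_log("formmail rejected from $remoteAddr: " . $e->getMessage());
        return false;
    }
    return mail($m['to'], $m['subject'], $m['body'], $m['headers']);
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    // Constructed inputs: one legitimate submission and one with a folded header line.
    $good = ['name' => 'Jane Doe', 'email' => 'jane@example.org',
             'subject' => 'Order question', 'message' => 'Where is my order?'];
    $bad = $good;
    $bad['email'] = "jane@example.org\r\nBcc: someone@example.net";
    echo build_contact_message($good)['headers'];   // From/Reply-To lines for the good form
    try {
        build_contact_message($bad);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";                  // rejected header field: email
    }
}
```

Run it from the command line to see the two cases; in a web context only send_contact_message() is called, with $_SERVER['REMOTE_ADDR'] as the second argument, so every reject lands in the same php_errors log described in the previous post.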


6/22/2007

Zencart Hack - Logout Customer Automatically After X Failed Payment Attempts

Credit card slamming is the practice of trying hundreds or thousands of card numbers and security code combinations to find the few in the batch that will actually work. I have discussed credit card slamming here and over at the ZenCart forums several times in the past.

The code snippet below can be used in modules/checkout_process.php to automatically log a user out after a set number of payment attempts (6 in the snippet below).

// damonp add auto logoff after 6 attempts
if (!isset($_SESSION['payment_attempt'])) $_SESSION['payment_attempt'] = 0;
$_SESSION['payment_attempt']++;

if ($_SESSION['payment_attempt'] > 6) { // change 6 to change how many attempts to allow before logout
   // log attempt or email report; the following information is useful:
   // error_log("Host:\t\t" . $_SESSION['customers_host_address'] .
   //           "\nCustomer:\t" . $_SESSION['customer_id'] .
   //           "\nTotal:\t\t" . $_SESSION['cart']->total);
   // destroy session to log customer out
   zen_session_destroy();
   // redirect to timeout page or create new page to redirect to
   zen_redirect(zen_href_link(FILENAME_TIME_OUT, '', 'SSL'));
}

Place it between these two blocks near the top of the file:

// if the customer is not logged on, redirect them to the time out page
  if (!$_SESSION['customer_id']) {
    zen_redirect(zen_href_link(FILENAME_TIME_OUT));
  }

// INSERT AUTO LOGOUT FUNCTIONALITY HERE

// load selected payment module
  require(DIR_WS_CLASSES . 'payment.php');
  $payment_modules = new payment($_SESSION['payment']);
// load the selected shipping module
  require(DIR_WS_CLASSES . 'shipping.php');

I found six attempts to work well on the sites I implemented it on. You do not want to adversely impact normal users, but you do want to make it harder on abusers so that they just go away.

BE WARNED

Improper use of this code could prevent anyone from checking out. The two things that will save you when trying this out are:

  1. MAKE A BACKUP
  2. FULLY TEST BEFORE CALLING IT COMPLETE


3/20/2007

Nolisting - Poor Man’s Greylisting


I thought this was an interesting option to try to weed out some spam on servers inundated by spam. It wouldn’t be a permanent fix, as it would only require a trivial workaround. But in my experience, these types are lazy and will go off to easier pickings if they run into too many problems.

Update

I bookmarked this site late last week, but wasn’t able to connect just now. If the site doesn’t come back shortly I’ll post a link or two to other sites discussing it. Or, if I can find the time, post my own implementation.


3/15/2007

Combating Card Fraud (or at least slowing it down)

I have a major client whose Authorize.net gateway account gets hit sometimes hundreds of times a day with charge attempts. Most are posted by an automated script from IPs coming out of Indonesia or Eastern Europe in an attempt to find a valid credit card number and security code. Fortunately, it hasn’t cost the client any money directly yet. Out of the thousands of attempts in the last few months only a couple of charges actually captured funds from the stolen card information. All of these were promptly cancelled after review.

In discussions with this client, we came up with the following options. They are listed in order of ease of implementation and least impact on legitimate customers.

  1. Require only a billing address and plainly state all orders are only shipped to billing address
  2. Require card billing address and shipping address to be in same country or deny the order before going to authorize
  3. Require all international orders to be PayPal so they can’t automate the whole process (or maybe allow orders from countries with a low fraud percentage to use a credit card directly and all others PayPal)
  4. Automatically log user out after X failed attempts
  5. Automatically block the IP address after X failed attempts for a time period between a few hours to a day or two
  6. Match customer’s IP address to billing / shipping country before going to authorize

My thinking is the better methods would include ways of slowing down the requests so that automated script kiddie tools would constantly fail while legitimate users that are just having problems would not be completely prevented from checking out. I also think a more robust system would utilize several layers of protection (same as a multi-layered approach to server security is better in the long run than putting all of your eggs in the single proverbial basket).
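Options 4 and 5 above, and the session counter from the "Logout Customer Automatically" post, come down to the same mechanism: count failures and cut the abuser off for a while without touching everyone else. The block below is an added example, not ZenCart code or anything from this site: a per-IP counter kept in a JSON file, with a block that expires after a set time, and the lockout logged to the PHP error log with the same details the earlier snippet lists as useful. The constant names, the file name, the integration sketch and the function names are this example's own.

```php
<?php
// Added example, not ZenCart code: options 4 and 5 (log out / block an IP after X
// failed attempts for a limited time). The store is a JSON file keyed by client IP;
// constant names, file name and function names are this example's own.

const PAYMENT_MAX_ATTEMPTS  = 6;        // same threshold the post's session snippet uses
const PAYMENT_BLOCK_SECONDS = 4 * 3600; // four hours; the post suggests hours to a day or two

function attempt_store_path(string $storeDir): string
{
    return rtrim($storeDir, '/') . '/payment_attempts.json';
}

function load_attempts(string $storeDir): array
{
    $path = attempt_store_path($storeDir);
    if (!is_file($path)) {
        return [];
    }
    $data = json_decode((string) file_get_contents($path), true);
    return is_array($data) ? $data : [];
}

function save_attempts(string $storeDir, array $attempts): void
{
    file_put_contents(attempt_store_path($storeDir), json_encode($attempts), LOCK_EX);
}

/** True while $ip is inside an active block window. */
function is_blocked(string $storeDir, string $ip, int $now): bool
{
    $entry = load_attempts($storeDir)[$ip] ?? null;
    return $entry !== null && $entry['blocked_until'] > $now;
}

/**
 * Record one failed attempt from $ip. Returns true when this attempt pushed $ip over
 * PAYMENT_MAX_ATTEMPTS (or it was already blocked), false while it is still allowed.
 */
function record_failed_payment(string $storeDir, string $ip, int $now, array $context = []): bool
{
    $attempts = load_attempts($storeDir);
    $entry = $attempts[$ip] ?? ['count' => 0, 'blocked_until' => 0];

    if ($entry['blocked_until'] > $now) {
        return true;                       // still inside the block, nothing to recount
    }
    if ($entry['blocked_until'] > 0) {     // a previous block has expired: start over
        $entry = ['count' => 0, 'blocked_until' => 0];
    }
    $entry['count']++;
    $blocked = $entry['count'] > PAYMENT_MAX_ATTEMPTS;
    if ($blocked) {
        $entry['blocked_until'] = $now + PAYMENT_BLOCK_SECONDS;
        // Same details the earlier snippet lists as useful; lands in the error_log file
        // from "Coding on a Live Site" (stderr when run from the CLI).
        error_log(sprintf('payment lockout ip=%s customer=%s total=%s until=%s',
            $ip, $context['customer_id'] ?? '-', $context['total'] ?? '-',
            date('c', $entry['blocked_until'])));
    }
    $attempts[$ip] = $entry;
    save_attempts($storeDir, $attempts);
    return $blocked;
}

// Integration sketch for checkout_process.php (hypothetical, shown as comments). It
// counts every pass through the file, exactly as the post's session snippet does:
//   $ip = $_SESSION['customers_host_address'];
//   if (is_blocked($dir, $ip, time()) || record_failed_payment($dir, $ip, time(),
//           ['customer_id' => $_SESSION['customer_id'], 'total' => $_SESSION['cart']->total])) {
//       zen_session_destroy();
//       zen_redirect(zen_href_link(FILENAME_TIME_OUT, '', 'SSL'));
//   }

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $dir = sys_get_temp_dir() . '/lockout-demo-' . getmypid();
    mkdir($dir, 0700);
    $t = 1700000000;                                   // constructed clock value
    for ($i = 1; $i <= 7; $i++) {
        $hit = record_failed_payment($dir, '198.51.100.7', $t + $i, ['customer_id' => 42, 'total' => 99.95]);
        printf("attempt %d -> %s\n", $i, $hit ? 'BLOCKED' : 'allowed');   // 7th prints BLOCKED
    }
    var_dump(is_blocked($dir, '198.51.100.7', $t + 600));                        // bool(true)
    var_dump(is_blocked($dir, '198.51.100.7', $t + PAYMENT_BLOCK_SECONDS + 10));  // bool(false)
}
```

The block is keyed on the IP the post already stores in $_SESSION['customers_host_address'], so a fresh session from the same address does not reset the count the way the session-only version does; the expiry keeps a shared or dynamic address from being locked out for good.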

Over the course of the next few weeks I will implement some of these options and dream up more if necessary. Stay tuned for updates.

Should your site be experiencing similar issues, contact me to discuss options.

Note

MaxMind supplies a free IP-to-country database in CSV format along with their commercial IP database products.
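Option 6 above (matching the customer's IP address to the billing or shipping country) is what that CSV is for. The block below is an added example, not the post's code: it loads a table in the column order of MaxMind's free GeoIP Country CSV (begin IP, end IP, begin number, end number, ISO code, country name), resolves an address by binary search, and reports match, mismatch or unknown before the order goes to the gateway. The three rows are constructed sample data on documentation and private ranges, not real MaxMind records, and the function names are this example's own.

```php
<?php
// Added example, not the post's code: option 6 (compare the customer's IP country
// with the billing country) using the column order of MaxMind's free GeoIP Country
// CSV: begin IP, end IP, begin number, end number, ISO code, name. The rows below
// are constructed sample data on documentation/private ranges, not real records.

const SAMPLE_GEOIP_CSV = <<<'CSV'
"10.0.0.0","10.255.255.255","167772160","184549375","US","United States"
"192.0.2.0","192.0.2.255","3221225984","3221226239","DE","Germany"
"198.51.100.0","198.51.100.255","3325256704","3325256959","ID","Indonesia"
CSV;

/** Parse CSV text into a list of [begin, end, code] sorted by begin address. */
function load_geoip_ranges(string $csv): array
{
    $ranges = [];
    foreach (preg_split('/\R/', trim($csv)) as $line) {
        if ($line === '') {
            continue;
        }
        $cols = str_getcsv($line, ',', '"', '\\');
        if (count($cols) < 5) {
            continue;                      // skip malformed rows rather than guessing
        }
        $ranges[] = [(int) $cols[2], (int) $cols[3], strtoupper($cols[4])];
    }
    usort($ranges, fn($a, $b) => $a[0] <=> $b[0]);
    return $ranges;
}

/** Binary-search the ranges; null for IPv6, bad input, or an address not in the table. */
function ip_to_country(array $ranges, string $ip): ?string
{
    $n = ip2long($ip);
    if ($n === false) {
        return null;
    }
    $n = (int) sprintf('%u', $n);          // ip2long is signed on 32-bit builds
    $lo = 0;
    $hi = count($ranges) - 1;
    while ($lo <= $hi) {
        $mid = intdiv($lo + $hi, 2);
        [$begin, $end, $code] = $ranges[$mid];
        if ($n < $begin) {
            $hi = $mid - 1;
        } elseif ($n > $end) {
            $lo = $mid + 1;
        } else {
            return $code;
        }
    }
    return null;
}

/**
 * Decide before calling the gateway. Returns 'match', 'mismatch' or 'unknown'.
 * 'unknown' is left to the caller so customers behind unlisted addresses are not
 * refused outright, in line with the post's aim of slowing abuse rather than
 * blocking legitimate buyers.
 */
function check_ip_against_billing(array $ranges, string $ip, string $billingCountry): string
{
    $country = ip_to_country($ranges, $ip);
    if ($country === null) {
        return 'unknown';
    }
    return $country === strtoupper($billingCountry) ? 'match' : 'mismatch';
}

if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $ranges = load_geoip_ranges(SAMPLE_GEOIP_CSV);
    echo check_ip_against_billing($ranges, '10.20.30.40', 'US'), "\n";     // match
    echo check_ip_against_billing($ranges, '198.51.100.9', 'US'), "\n";    // mismatch
    echo check_ip_against_billing($ranges, '203.0.113.5', 'US'), "\n";     // unknown
}
```

With the real file, pass file_get_contents() of the CSV to load_geoip_ranges() once and cache the result; a 'mismatch' is the signal to route the order to PayPal (option 3) or hold it for review rather than to reject it silently.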




damonparker.org is proudly powered by WordPress

copyright © 2002-2008 damonparker.org. all rights reserved.
