Security Warning

[jrodch]

Running CubeCart Version 4.3.7

 

I'm getting an "Security Warning" when I click on any links from my home page.  The error is as follows:

 

Parsed array keys can not contain illegal characters! Script execution has been halted.

It may be possible to fix this error by deleting your browsers cookies and refresh this page.

 

I read past posts about his error and it seems that is  stray character in the code.  I recently made changes to the index.tpl file (/skins/Killer/styleTemplates/global) to add a site seal.  When the problem started I reverted to a backup copy of the index.tpl file but the error continued.  To my knowledge, no other files were altered.  

 

Any help would be appreciated.   

 

www.ebbesquaredrains.com

[bsmither]

The links on the homepage look fine - using the seo-friendly URL feature of CC4. If you turn that feature off, does the problem go away?

 

Where are you reading the Security Warning message?

 

I also not that any link that has an underscore in a querystring key will get me a blank page. On the Hompage, that includes:

Login (_a=login)

View Cart (_g=co&_a=cart)

 

So, I am going to say the sanitizer is triggering on the underscore. The seo-friendly URLs make it so there is no need for a querystring. (A bad key on a POST element would also trigger, as well as a bad key on a cookie.)

 

Speaking of cookies, I do not see any coming from your site.

[jrodch]

Thanks for the reply.  I turned off the SEO friendly URL feature and I still get the error.  When I switch the skin from "Killer" the problem goes away.  I'm assuming that it's a problem in the skin.

 

Any other suggestions?

[bsmither]

Switching to a skin other than Killer (for CC4?) would certainly indicate such a conclusion. But I saw nothing in my browser's traffic log that would cause it.

 

Although, now I am getting cookies.

 

There are minor HTML coding errors, but nothing that would add a rogue element to the querystring.

 

Let's try this-- edi tthe sanitizer to show what key from which array it doesn't like.

File: ini.inc.php
Class: clean_data, function clean_data
 
Find:
foreach ($data as $key => $val) {
  if (preg_match('#([^a-z0-9-_:@|])#i', urldecode($key))) {
    $die = "<h1 style='font-family: Arial, Helvetica, sans-serif; color: red;'>Security Warning</h1><p style='font-family: Arial, Helvetica, sans-serif; color: #000000;'>nParsed array keys can not contain illegal characters! Script execution has been halted.</p><p style='font-family: Arial, Helvetica, sans-serif; color: #000000;'>It may be possible to fix this error by deleting your browsers cookies and refresh this page.</p>n";
    die($die);
  }
 
Change this line:
die($die);
to:
die($die . "<p>Key: ".base64_encode($key)."</p>");

When CC4 quits and sends just this message to your browser, you will be shown the key it did not like. It will be a string of base64 encoded characters. Please post that here. Or you can use any online base64 decoder.

 

If it becomes important to know, later in that file, we can make some global variables to let us know which array that key is in.
 

[jrodch]

Did as you instructed:

 

Parsed array keys can not contain illegal characters! Script execution has been halted.

It may be possible to fix this error by deleting your browsers cookies and refresh this page.

Key: X191dG10X34x

 

Hope this helps

[bsmither]

This doesn't appear in my browser's traffic (probably because I have disabled this source), but I recognize the key:

__utmt_~1

 

It is a new format of Google's Analytics program. Please read:

http://www.cubecartforums.org/index.php?showtopic=18908

[jrodch]

Eureka!  I removed the Google Analytics code and the problem went away.  

 

Thanks for your help!