Posts posted by keat

  1. I seem to have quite a number of Modsec 941100 being triggered.

    Worryingly, these are related to some sort of cart activity, so are unlikely to be actual hacking attempts.

     

    I can't rule out ModSec being overzealous as usual, but thought I ought to raise the concern.

     

    [Sat Jun 24 10:20:11.024651 2017] [:error] [pid 17879] [client 95.xxx.xxx.247] ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] [line "29"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] [data "Matched Data: cookie found within REQUEST_HEADERS:Referer: https://www.mystore.com/index.php?cart_order_id=170624-101707-1054&valid=true&trans_id=170624-101707-1054&code=A&auth_code=005605&amount=274.92&ip=95.xxx.xxx.247&cv2avs=SECURITY CODE MATCH ONLY&mpi_status_code=237&mpi_message=Authenticated&hash=153dafd66a63922a70b3e53915ff30a7&_a=complete"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "1"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-xss"] [tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-8"] [tag "WASCTC/WASC-22"] [tag "OWASP_TOP_10/A3"] [tag "OWASP_AppSensor/IE1"] [tag "CAPEC-242"] [hostname "www.mystore.com"] [uri "/js/common.js"] [unique_id "WU4uywInQ3jJ7B-0tHxOiwAAAAU"]
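    As an added triage helper (not code from the original post, nor from CubeCart or ModSecurity), the following Python parses an error-log line in the format quoted above and flags a 941100 hit that fired only on an own-site Referer, on a plain word, as a probable false positive. The sample line, hostname and client address are constructed placeholders; the verdict is a heuristic, not a verdict from the CRS itself.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the same layout as the error-log line quoted above; the client
# address, order values and unique_id are placeholders, not values from a real server.
SAMPLE = (
    '[Sat Jun 24 10:20:11.024651 2017] [:error] [pid 17879] [client 203.0.113.5] '
    'ModSecurity: Access denied with code 403 (phase 2). detected XSS using libinjection. '
    '[file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"] '
    '[line "29"] [id "941100"] [rev "2"] [msg "XSS Attack Detected via libinjection"] '
    '[data "Matched Data: cookie found within REQUEST_HEADERS:Referer: '
    'https://www.example.com/index.php?cart_order_id=ORDER-PLACEHOLDER&valid=true&_a=complete"] '
    '[severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [tag "attack-xss"] '
    '[hostname "www.example.com"] [uri "/js/common.js"] [unique_id "UNIQUE-ID-PLACEHOLDER"]'
)

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # the [key "value"] pairs
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
DATA_RE = re.compile(r'Matched Data: (?P<token>.*?) found within '
                     r'(?P<var>[A-Z_]+(?::[^\s:]+)?): (?P<value>.*)', re.S)
MARKUP_CHARS = set('<>"\'();')

def parse_modsec_line(line):
    """Split one error-log line into its [key "value"] fields, the client address,
    and the token / variable / value parts of the rule's 'Matched Data' string."""
    fields = dict(FIELD_RE.findall(line))
    client = CLIENT_RE.search(line)
    fields['client'] = client.group(1) if client else None
    data = DATA_RE.search(fields.get('data', ''))
    if data:
        fields.update(matched_token=data['token'], matched_var=data['var'],
                      matched_value=data['value'])
    return fields

def triage(fields):
    """Heuristic verdict: 941100 firing only on a Referer that points back at our own
    hostname, on a plain word with no markup characters, is a probable false positive."""
    if fields.get('id') != '941100':
        return 'needs-review', 'not the libinjection XSS rule'
    var = fields.get('matched_var', '')
    if not var.startswith('REQUEST_HEADERS:Referer'):
        return 'needs-review', 'match is in %s, not the Referer' % (var or 'an unknown variable')
    if MARKUP_CHARS & set(fields.get('matched_token', '')):
        return 'needs-review', 'matched token contains markup characters'
    referer_host = urlsplit(fields.get('matched_value', '')).hostname
    if referer_host != fields.get('hostname'):
        return 'needs-review', 'Referer host %r is not our own' % referer_host
    return 'likely-false-positive', 'own-site Referer, plain word inside our query string'

if __name__ == '__main__':
    print(parse_modsec_line(SAMPLE)['client'], triage(parse_modsec_line(SAMPLE)))
```

    Where the verdict holds across a batch of hits, the usual tuning step is a scoped exclusion that narrows 941100's targets (ModSecurity's SecRuleUpdateTargetById) rather than switching the rule off.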

  2. Data shouldn't be lost provided you copy the database table first.

    Any changes I make in the database, I always ensure that I have a copy of the live data.

    Exporting the inventory table as a CSV is pretty painless, and usually takes only seconds.

    I could spend days working on a CSV copy, and when I'm happy with my edits, I'll copy the original table (so I have a backup) and then import the one I've been working on back in.

    If anything went wrong, it's easy to roll back, again in seconds.

     

    For editing products, you could bulk edit via phpMyAdmin using an SQL query if you wanted to modify a number of products en masse.

    For instance, let's assume you sell shoe laces, but someone forgot to add the word 'cotton' to them. You could run a query along the lines of:

     

    -- rewrites the description of every row in which the old phrase occurs
    UPDATE `CubeCart_inventory`
    SET `description` = REPLACE(`description`, 'shoe laces', 'cotton shoe laces');

     

    Alternatively, you could export the database inventory table as a CSV, perform your cut and paste edits etc, then import it back in to the database.

    Make a backup copy beforehand though.

     

     

    Images are a different story though.

    In previous versions, the image file name was part of the inventory table, so it would have been easy enough; however, each image is now allocated a number, and that number is part of another table. All quite complex to fudge.

    I don't know the professional way to do this, but I take a screen grab and import it into Photoshop.

    Then, using the colour picker tool, I obtain the hex code for the colour I wish to change, and start searching the CSS files for that hex code.

     

    That pink, for instance, is probably ffc0cb.

    It's crude and cumbersome but works.

  5. I updated the PayPal module to 1.0.6 a few days ago.

    Yesterday we had a number of orders stuck on Pending, but I thought nothing of it; I just thought it was PayPal acting up.

    Today, every order is stuck on Pending and we have an email from PayPal saying that IPNs are failing.

     

    I've spotted the PayPal module is now at v1.0.7. Is this to fix this issue?

  6. I agree that Pay360 support is pretty dire of late.

    I used to deal with an Irish chap when it was PayPoint; raise a support call and you'd get a response within an hour.

    Raise one now and you get someone in India a day or two later, who has no idea, gives you the run-around for 24 hours before passing it to someone who knows... (probably the Irish guy).

  7. I've been using SecPay (Pay360) for 10 years or more.

    Bsmither made some changes to the module for V6 about 18 months ago, I've had no issues with it since.

     

    The only information I have populated are our Vendor ID along with Remote and Digest keys.

    Are you sure the keys are correct? If you copied and pasted, maybe you copied a white space?

     

    You could try contacting Pay360, however, since it became Capita, I feel the level of support knowledge has diminished.

    I think the 'SEO Path' message is irrelevant to your issue.

    For starters, take a look in phpMyAdmin and see if you can locate the category.

    Take a note of its category_id and cat_parent_id.

     

    The root category will have cat_parent_id = 0.

    I've looked a few times and cannot see that you are using https.

     

    If I try to connect via https, I see the following.

     

    directhomeware.com uses an invalid security certificate.

    The certificate is only valid for the following names: s422.sureserver.com, www.s422.sureserver.com

    Error code: SSL_ERROR_BAD_CERT_DOMAIN

     

     

    Do you have https configured in store settings, but don't have a certificate?

  10. In store settings/advanced, enable debugging.

    Place a dummy order and check the debug log in the bottom of your browser to see if there are any errors being displayed.

    In the file root of your store create a file named ini-custom.inc.php and paste the following code inside.

    <?php
    # Custom initialization commands
    # Filename: ini-custom.inc.php
    # File location: main CubeCart folder

    ini_set('memory_limit', '256M');
    ini_set('max_execution_time', '60');
    ini_set('error_log', 'error_log');
    ini_set('log_errors', 'on');

    ?>

     

    Try to place another dummy order, and then check error.log in the file root of your store.

  11. 12 hours ago, Dirty Butter said:

    OK - all that works, but we still have a problem. We manually added these email addresses to the Bad Email Group. Once the customer has changed their login email address they are STILL in that group. We need some way to automatically email us with their new email address, or we'll have to ask them to contact us. We now need some way to know to manually or automatically take them out of the group.

    For now, I've worded it as

    
    <h3>Your email address is not valid. Please edit your Profile. Then <a href="{$STORE_URL}/contact-us.htm">contact us</a> with your new email address, so we can finish upgrading our records.</h3>

     

    I never thought of that.

    I don't think that I'll ever understand PHP; it probably takes years of hard work and dedication.

    I thought that I'd stumbled upon the issue, but sadly not.

     

    Change   {if $customer_membership.group_id == '2'}

    to   if {$customer_membership.group_id == '2'}

    I'll keep digging though.

     

     

    Does this need something to compare the two database tables?

    i.e. something along the lines of:

    if $customer_customer_id == $customer_membership.customer_id and $customer_membership.group_id == 2 then echo my string?

    Hoping that this was the answer, I made the edit, but I can't get the message to display.

     

    <div>
      <h2>{$LANG.account.your_account}</h2>
      {if $customer_membership.group_id == '2'}
        <h1>Your email address is no longer valid, Please update your details.</h1>
      {/if}
      <div id="myaccount">
        <ul>
          <li><a href="{$STORE_URL}/index.php?_a=profile" title="{$LANG.account.your_details}">{$LANG.account.your_details}</a></li>
          <li><a href="{$STORE_URL}/index.php?_a=addressbook" title="{$LANG.account.your_addressbook}">{$LANG.account.your_addressbook}</a></li>
          <li><a href="{$STORE_URL}/index.php?_a=vieworder" title="{$LANG.account.your_orders}">{$LANG.account.your_orders}</a></li>
          <li><a href="{$STORE_URL}/index.php?_a=downloads" title="{$LANG.account.your_downloads}">{$LANG.account.your_downloads}</a></li>
          <li><a href="{$STORE_URL}/index.php?_a=newsletter" title="{$LANG.account.your_subscription}">{$LANG.account.your_subscription}</a></li>
          {foreach from=$ACCOUNT_LIST_HOOKS item=list_item}
          <li><a href="{$list_item.href}" title="{$list_item.title}">{$list_item.title}</a></li>
          {/foreach}
        </ul>
      </div>
    </div>

  14. I'm struggling a little.

    I added all the affected email addresses to a group, but then realised that I ought to really test it, so I added myself as well.

    Now when I log in, I see the warning message, but after taking myself out of the group, I still see the message.

    I tried a number of things, cleared the cache, cleared my browser cache, but still I see the message.

    Not until I restored the original file did the message subside, so at the moment it looks as if the file edit is displaying the message to every login.

     

     

    Are you sure '$pricing_group.product_id =' is the correct string to use?

     

    Should it not be $customer_membership.group_id?

     

     

     

    Ah, I tried that, and the same thing happens.

  15. I've had similar things happen.

    Firstly, I'd clear down all your cached browser files, remove any history and clear cookies etc. I use Firefox and the only thing I retain is login credentials.

    Maybe you could get away with clearing the last few days worth, but I just go belt and braces.

    If this doesn't work, create a file called ini-custom.inc.php in the public_html folder and paste the following PHP code.

    <?php
    # Custom initialization commands
    # Filename: ini-custom.inc.php
    # File location: main CubeCart folder

    ini_set('memory_limit', '256M');
    ini_set('max_execution_time', '60');
    ini_set('error_log', 'error_log');
    ini_set('log_errors', 'on');

    ?>

     

    This should create a file called error.log, which may help to diagnose the fault.

    I didn't see this coming, but then I don't have one of the affected email addresses. Last week Orange closed a whole host of free email addresses.

    • Orange.net
    • Orangehome.co.uk
    • Wanadoo.co.uk
    • Freeserve.co.uk
    • Fsbusiness.co.uk
    • Fslife.co.uk
    • Fsmail.net
    • Fsworld.co.uk
    • Fsnet.co.uk

    Is there a mod available that would generate a popup if a customer logged in with one of the affected email accounts?
