Security warning with new upgrade??


Guest hairfreax

Guest pbrcaptain

George, before changing the code in the one file, the error was occurring for me when trying to get to either admin or the storefront. So it may be the same thing. If you back up any file(s) you edit, and if your fixing doesn't work or if it turns out to be a different problem altogether, no harm done. You could just re-upload the original file(s).

Thanks tshells - I assume you are referring to commenting out the security check code mentioned earlier in this post?

Any comments Al?

George

The changes I made to inc.inc.php worked for the USPS security warning! However, NOW, when I test buying a product I get this message when transferring to LinkPoint:

Form Processing Error

The following errors occurred while processing your request:

# It is not possible to order from the store at this time.

# Contact the merchant for further information (error 1002).

Any ideas ?? I'm behind schedule and we've already missed this Christmas sales season because of all these problems!!

AL!!! HELP!!

George

Link to comment
Share on other sites

I am also getting this error after the upgrade.

Security Warning

Parsed array keys can not contain illegal characters! Script execution has been halted.

It may be possible to fix this error by deleting your browsers cookies and refresh this page.

I can delete cookies in IE7 and get to the store front. However I can no longer get into any of the admin areas. Once I delete cookies in IE7, then go someplace else I have to re-delete cookies.

Same thing happens in Firefox 2

site is

http://www.ncfoothills-geocachers.com/store

Link to comment
Share on other sites

MySQL Error Occured

1044: Access denied for user: 'parrots_mrsph@localhost' to database 'parrots_store'

Link to comment
Share on other sites

  • 1 month later...
Guest panorama motor

We're new to this business and have just come to the stage where we should release the shop. But after a last upgrade we also have the same problem. We've read all the 'solutions' and tried appropriate ones, but no avail...

Please advise. Reinstall and go through all setups again? Install another webshop???

None of us are very skilled programmers and we need a shop that is easy and reliable, any recommendations?

Link to comment
Share on other sites

  • 1 month later...
Guest omegareport

I have to say it, not to be an ass, but because it needs to be said - I am thoroughly disgusted with the total lack of service even AFTER shelling out the maximum price asked three months ago, and receiving not a single response from tech support for major problems - and after following every "solution" recommended on this forum - I spent the better part of two days reading the forum for help.

I see from the nature of so many posts that I'm not alone. I'm beginning to think this is very buggy software and should be totally avoided.

After being ignored for 3 months and then told my service had expired, I was stupid enough to shell out another $30 for a "whole month" of "support" only to be told that it may take up to a month for the payment to even be credited - at which time support has expired again. What is this?

I don't know if anyone from the Corporate Kingdom at Cubecart ever reads this site, but people - the main reason businesses fail is lack of customer support.

I host a number of websites dealing with ebooks, software and ecommerce and you can be sure I will have to give my visitors a big thumbs down on CubeCart after this dismal experience!

Link to comment
Share on other sites

Guest Dazzy

I too am getting this error, but only on Firefox in Linux and Mac

Parsed array keys can not contain illegal characters! Script execution has been halted

Link to comment
Share on other sites

Hi All,

I have just loaded the new version of Cubecart ver 3.0.15 and get the same security error

Security Warning

Parsed array keys can not contain illegal characters! Script execution has been halted.

It may be possible to fix this error by deleting your browsers cookies and refresh this page.

I made the changes to the ini.php file, which got rid of the error, but when I tried to log into the admin section it keeps asking for the username and password.

I have installed Cubecart through HSphere Easy Apps, if that makes a difference.

Any help is greatly appreciated

A

Link to comment
Share on other sites

Hi all,

Are there any fixes for the above problem? I have made all the changes suggested in this thread and as I mentioned above, the security error disappeared but now I cannot access the admin section.

I keep getting the admin log in form no matter how many times I try to enter the correct details.

Would like to give it one more try before I totally give up on it, so if anyone out there knows the fix please let me know??

thanks in advance!

A

Link to comment
Share on other sites

If you run other scripts on the hosting which set cookies with "illegal" characters then that can cause a problem.

There shouldn't be anything in the code now that would cause this. Some browsers enable you to browse the current cookies so you may be able to see if any are causing it.

CubeCart only allows cookies with keys containing a-z1-9.

Link to comment
Share on other sites

Guest Dazzy

Al

Just to let you know, the site I noticed it on first (http://www.jinlunuk.co.uk) only had cubecart on it, but as I said it only happened in FF on linux and mac, pc version was fine.

Link to comment
Share on other sites

  • 2 weeks later...
Guest lswebdesign

Thank you. I also had the security problem and your fixes took care of the issue. Very much appreciated.

Joe

The issue causes additional code in treatGet function however security improvement. If the URL contains &amp;amp; treatGet changes it to &amp;amp;amp;

The second amp; is the big problem! str_replace only replaces &amp;amp; with &amp;, so amp; remains there and it looks like &amp;amp; afterwards. All you need to do is change the following:

switch.php

SEARCH FOR

header("Location: ".str_replace("&amp;amp;","&amp;",treatGet($_GET['r'])));

REPLACE WITH (you have to do it twice!)

header("Location: ".str_replace('amp;','',treatGet($_GET['r'])));

includes/content/reg.php

SEARCH FOR

header("Location: ".str_replace("&amp;amp;","&amp;",$redir));

REPLACE WITH

header("Location: ".str_replace('amp;','',$redir));

I have found a useless security feature in includes/content/login.inc.php

$_GET['redir'] = treatGet($_GET['redir']);

header("Location: ".str_replace("&amp;amp;","&amp;",base64_decode(treatGet($_GET['redir']))));

Should be

header("Location: ".str_replace('amp;','',treatGet(base64_decode($_GET['redir']))));
Link to comment
Share on other sites
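
The double encoding described in the post above, as an added example rather than code from CubeCart or the poster: it compares the original str_replace(), the posted 'amp;' strip, and decoding until the value is stable, and goes one step beyond the post by checking that the result is a path on the same site before it reaches a Location header. encodeLikeTreatGet() stands in for treatGet() using htmlspecialchars(), which is an assumption; every function name and the sample URL are constructed.

```php
<?php
// Added illustration, not CubeCart code. All function names are hypothetical.

// Behaviour the post attributes to treatGet(): an already-encoded "&amp;"
// comes back as "&amp;amp;". htmlspecialchars() reproduces that effect here.
function encodeLikeTreatGet(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
}

// Decode repeatedly until the value stops changing, so one, two or more
// layers of "&amp;" all collapse to a plain "&".
function decodeFully(string $v, int $maxRounds = 5): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = html_entity_decode($v, ENT_QUOTES, 'UTF-8');
        if ($next === $v) {
            break;
        }
        $v = $next;
    }
    return $v;
}

// Accept only a path on this site before it goes into a Location header:
// no scheme, no host, no backslashes, no control characters (CR/LF).
function isLocalPath(string $target): bool
{
    return preg_match('#^/(?![/\\\\])[^\x00-\x1f\x7f\\\\]*\z#', $target) === 1;
}

// Constructed sample: a redirect target whose separator is already encoded.
$raw     = '/admin/index.php?module=gateway&amp;folder=ExpressCheckout';
$treated = encodeLikeTreatGet($raw);   // separator is now "&amp;amp;"

$candidates = [
    'original str_replace' => str_replace('&amp;', '&', $treated),
    "strip 'amp;'"         => str_replace('amp;', '', $treated),
    'decode until stable'  => decodeFully($treated),
];

foreach ($candidates as $label => $target) {
    printf("%-22s %s local=%s\n", $label, $target, isLocalPath($target) ? 'yes' : 'no');
}
```

The original replacement leaves one "&amp;amp;" layer in the target, while the other two approaches end with a plain "&" separator.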

  • 2 weeks later...

You can turn off that security function by opening /includes/ini.inc.php

Find:

$clean = new clean_all($data);

$_GET = $clean->clean_all($_GET);
$_POST = $clean->clean_all($_POST);
$_COOKIE = $clean->clean_all($_COOKIE);
$_REQUEST = $clean->clean_all($_REQUEST);

Replace with:

/*
$clean = new clean_all($data);

$_GET = $clean->clean_all($_GET);
$_POST = $clean->clean_all($_POST);
$_COOKIE = $clean->clean_all($_COOKIE);
$_REQUEST = $clean->clean_all($_REQUEST);
*/

The function is a hardening measure. This means that it is only an extra measure to prevent potential security issues. It is safe to turn off but we recommend having it on.

There have been a few bugs concerning this and I will release a patch asap.

We are running 3.0.14 and we have been getting the Security Warning message A LOT over the last 3/4 days when in the admin panel adding products, managing categories, etc.

Does the solution above solve these problems we are getting?

Link to comment
Share on other sites

  • 2 months later...
  • 1 month later...
Guest XeroBeagle

hiya, unfortunately I'm having some serious issues, when I logged into admin and try and do something it just loops back to login, Then IF it works I get the illegal char problems..

Anyone available to help ?

Link to comment
Share on other sites

Guest XeroBeagle

ok, quick update, found out the problem it was my shitty host where I was getting my webhosting from (alphafrag) I moved to a new host and now it worked like charm thanks guys!

Link to comment
Share on other sites

  • 4 weeks later...
Guest Agouti

The problem seems to occur because line 76 in /includes/ini.inc.php

if (eregi('[^a-z0-9\-_\:\@\|]', urldecode($key)))

still returns true for upper case alpha (ABCDEF etc) on some servers.

I fixed the problem by replacing the above line with

if (preg_match('/[^a-zA-Z0-9\-_\:\@\|]/', urldecode($key)))

which works around whatever bug causes the false positives. As there's virtually no difference (except marginally more server processing) can't see why it can't be changed in a release.

Link to comment
Share on other sites

  • 5 months later...
  • 1 month later...
Guest dands

Hi, I am new to all this and am having the exact same problem with version 3.0.17 and if I do the fix that Al posted, it causes the login to loop. I tried clearing the cookies and there are no illegal characters in the cookie it sets. Somewhere it's changing the "&amp;" in the url to "&amp;amp;" but I have no idea where.

The url that gives the Security Warning looks like this:

"?goto=/admin/modules/gateway/ExpressCheckout/index.php?module=gateway&folder=ExpressCheckout"

I would appreciate any help or suggestions.

Thanks in advance,

Doris

Link to comment
Share on other sites
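
Why an HTML-encoded separator sets off the key check discussed in the two posts above, as an added example (not CubeCart code and not from any poster): the check reuses the character class from the preg_match() line quoted earlier, and the query string is taken from the URL in the last post. illegalKeys() and the sample inputs are constructed for illustration, and PHP's default arg_separator.input of "&" is assumed.

```php
<?php
// Added illustration, not CubeCart code. illegalKeys() is a hypothetical
// helper built around the character class from the preg_match() line above.

function illegalKeys(array $data, string $prefix = ''): array
{
    $bad = [];
    foreach ($data as $key => $value) {
        $key = (string) $key;
        // Allow-list from the thread: letters, digits, - _ : @ |
        if (preg_match('/[^a-zA-Z0-9\-_\:\@\|]/', urldecode($key))) {
            $bad[] = $prefix . $key;
        }
        if (is_array($value)) {
            // Nested parameters such as a[b][c]=1 carry keys of their own.
            $bad = array_merge($bad, illegalKeys($value, $prefix . $key . '/'));
        }
    }
    return $bad;
}

// Constructed sample inputs: the query string from the post above with a
// plain "&", the same string with the separator HTML-encoded as "&amp;",
// and a key that contains upper-case letters.
$samples = [
    'plain &'   => 'module=gateway&folder=ExpressCheckout',
    'encoded &' => 'module=gateway&amp;folder=ExpressCheckout',
    'upper key' => 'ModuleID=7',
];

foreach ($samples as $label => $query) {
    $params = [];
    parse_str($query, $params);   // PHP splits parameters on "&" only
    $bad = illegalKeys($params);
    printf(
        "%-10s keys=%-22s rejected=%s\n",
        $label,
        implode(',', array_keys($params)),
        $bad ? implode(',', $bad) : '(none)'
    );
}
```

With the encoded separator, parse_str() produces a parameter named amp;folder, and the semicolon in that key falls outside the allowed character class.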
