Guest sparrowdog Posted June 17, 2010
I need to completely strip out the Tell A Friend feature from a Version 3 install of CubeCart. I know how to take the line of code with the link off the product page, but how do I ensure the whole thing can't be accessed or used in any way at all?

Robsta Posted June 17, 2010
Why don't you enable recaptcha? If you know how to take the line out of the product page, you can also just edit the tellafriend template to take out the form code.

Guest Posted June 18, 2010
I deleted the script from the tellafriend.inc.php myself and deleted the link from the viewprod page. I use a share gadget anyway that includes emailing a friend so was redundant and I also had someone try to exploit it.

Guest Toby Wallis Posted June 22, 2010
I had the same problem. I've removed the link in the product template and also replaced tellafriend.php and the tellafriend template file (tellafriend.tpl) with null files, but I'm concerned that it may still be possible to get in and utilise the security vulnerability. Has anybody got any suggestions/comments in this regard?
Many thanks
===Toby===

Adam Frey Posted August 13, 2010
I also added the Image verification in the admin screen. Has this been effective? If possible, can you tell me the specific lines of code that need to be removed to make this work? Thanks and sorry for all the questions.

Guest shereen Posted August 18, 2010
hi, all. i do not wish to disable this script, i'd like to continue to use it, but apparently my "tell a friend" page was recently hijacked by spammers, according to my isp, and now i must rectify this problem before it gets exploited again. sir william suggested that i enable "captcha" in the general settings of my admin, and robsta also mentions here to enable or use "recaptcha"; however, i don't see anything called "captcha" or "recaptcha" in my admin. can someone please tell me where to find it on my version 3.10 cubecart? thank you in advance for your reply.
~ shereen ~ www.splashgearusa.com

Guest Posted August 18, 2010
captcha isn't in version 3, it's a feature in 4. It's that little image that you have to type in the letters of to verify you are a real person. Personally I hate the things and won't register on sites that use them as I can rarely figure out what the words/letters are anyway.

Guest shereen Posted August 19, 2010
hi, mysty, thanx! for your response. well, as it turns out, my isp informed me that captcha is not the solution to prevent a spammer from hijacking a form from a site to then use it to send out a mass/bulk e-mail. apparently, the spammers use the "action" directly in the php file (they don't use the browser), and apparently the captcha feature may stop some spammers, but only slow down others. at this point, i still need to find a way to modify the php code, so, is anyone out there able to modify the "tell a friend" php code to prevent any other message from being introduced and sent? looking forward to anyone's reply...
~ shereen ~ www.splashgearusa.com

bsmither Posted August 20, 2010
In the file \includes\content\tellafriend.inc.php, at around line 29, the script begins with an if() statement. We need to kill the script right away. Since the link to this script has been removed, there should be no legitimate way anyone could get to it. So, we can get away with forcing this script to announce to everyone having accessed this script that access is forbidden. And that's what we will do.

Change this:
    if (eregi(
to this:
    if (true || eregi(

This forces the test to be true, thus the script kills itself, and that the script still exists so anything that *could* call the script won't cause the dreaded "include_file not found system error", and that the script, in killing itself, "Dead Ends" there. That is, there is no automatic return to the store home page, no link available to take them somewhere else, etc.

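Added example, not part of the thread and not CubeCart code: one way to check a web server access log for clients that POST to the Tell A Friend script without ever loading the form, which is the pattern shereen's ISP described, and to see whether anything still reaches the script once it has been dead-ended. Assumptions: the log is in Apache/Nginx combined format, the script is reachable under a URL containing `tellafriend` (adjust `marker` to your store's URL), and the threshold and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined log format: client, identity, user, [time], "request", status, size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)'
)

# Constructed sample lines (documentation IP ranges, made-up sizes).
SAMPLE = [
    '192.0.2.10 - - [18/Aug/2010:10:01:02 +0000] "GET /tellafriend.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Aug/2010:10:01:40 +0000] "POST /tellafriend.php HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [18/Aug/2010:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Aug/2010:10:03:00 +0000] "POST /tellafriend.php HTTP/1.0" 200 5300 "-" "-"',
    '198.51.100.7 - - [18/Aug/2010:10:03:01 +0000] "POST /tellafriend.php HTTP/1.0" 200 5300 "-" "-"',
    '198.51.100.7 - - [18/Aug/2010:10:03:02 +0000] "POST /tellafriend.php HTTP/1.0" 200 5300 "-" "-"',
]

def audit(lines, marker="tellafriend", burst=3):
    """Summarise per-client GET/POST requests whose URL contains `marker`.

    direct_post: the client POSTed but never fetched the form with GET,
                 i.e. it submitted straight to the form action.
    burst:       the client sent at least `burst` POSTs.
    """
    stats = defaultdict(lambda: {"get": 0, "post": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or marker not in m["target"].lower():
            continue  # unparseable line or unrelated URL
        if m["method"] == "GET":
            stats[m["ip"]]["get"] += 1
        elif m["method"] == "POST":
            stats[m["ip"]]["post"] += 1
    report = {}
    for ip, s in stats.items():
        report[ip] = {
            **s,
            "direct_post": s["post"] > 0 and s["get"] == 0,
            "burst": s["post"] >= burst,
        }
    return report

if __name__ == "__main__":
    for ip, row in audit(SAMPLE).items():
        print(ip, row)
```

Running it again on log entries written after a fix shows whether clients are still submitting to the script.
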
Guest Posted August 20, 2010
I would still disable the script that comes with cubecart and use a hosted one instead like sharethis.com or addthis.com (I use the ones from add this that not only lets someone tell a friend, but also lets them share or bookmark your site on the most popular social networks like facebook, twitter, digg, etc).

Guest shereen Posted August 20, 2010
thanx! for the advice, mysty.
~ shereen ~

thanx! bsmither, i appreciate the assistance, i found the code you were referring to on line 30; but what exactly is this symbol that you wrote? "||" is that an equal sign? (or two equal signs next to each other?) looking forward to your reply.
~ shereen ~

bsmither Posted August 21, 2010
That's two pipe characters (http://en.wikipedia.org/wiki/Vertical_bar), in PHP the character sequence for a logical OR. To get the pipe character, type the shifted back-slash.

Guest shereen Posted August 21, 2010
gotcha, thanx! hopefully this will work...
~ shereen ~