
Tell A Friend sending spam, need to strip from site


Guest sparrowdog

I need to completely strip out the Tell A Friend feature from a Version 3 install of Cube Cart. I know how to take the line of code with the link off the product page, but how do I ensure the whole thing can't be accessed or used in any way at all?


I deleted the script from the tellafriend.inc.php myself and deleted the link from the viewprod page. I use a share gadget anyway that includes emailing a friend, so it was redundant, and I also had someone try to exploit it.


Guest Toby Wallis

I had the same problem. I've removed the link in the product template and also replaced tellafriend.php and the tellafriend template file (tellafriend.tpl) with null files, but I'm concerned that it may still be possible to get in and utilise the security vulnerability. Has anybody got any suggestions/comments in this regard?

Many thanks

===Toby===



I also added the Image verification in the admin screen. Has this been effective?

If possible, can you tell me the specific lines of code that need to be removed to make this work?

thanks and sorry for all the questions.



Guest shereen

hi, all.

i do not wish to disable this script, i'd like to continue to use it, but apparently my "tell a friend" page was recently hijacked by spammers, according to my isp, and now i must rectify this problem before it gets exploited again.

sir william suggested that i enable "captcha" in the general settings of my admin, and robsta also mentions here to enable or use "recaptcha"; however, i don't see anything called "captcha" or "recaptcha" in my admin. can someone please tell me where to find it on my version 3.10 cubecart?

thank you in advance for your reply.

~ shereen ~

www.splashgearusa.com



captcha isn't in version 3, it's a feature in 4. It's that little image that you have to type in the letters of to verify you are a real person. Personally I hate the things and won't register on sites that use them as I can rarely figure out what the words/letters are anyway.


Guest shereen

hi, mysty, thanx! for your response.

well, as it turns out, my isp informed me that captcha is not the solution to prevent a spammer from hijacking a form from a site to then use it to send out a mass/bulk e-mail. apparently, the spammers use the "action" directly in the php file (they don't use the browser), and apparently the captcha feature may stop some spammers, but only slow down others.

at this point, i still need to find a way to modify the php code, so, is anyone out there able to modify the "tell a friend" php code to prevent any other message from being introduced and sent?

looking forward to anyone's reply...

~ shereen ~

www.splashgearusa.com



In the file \includes\content\tellafriend.inc.php, at around line 29, the script begins with an if() statement. We need to kill the script right away.

Since the link to this script has been removed, there should be no legitimate way anyone could get to it. So, we can get away with forcing this script to announce to everyone having accessed this script that access is forbidden. And that's what we will do.

Change this:

if (eregi(

to this:

if (true || eregi(

This forces the test to be true, so the script kills itself. The script still exists, so anything that *could* call it won't cause the dreaded "include_file not found" system error, and the script, in killing itself, "dead ends" there. That is, there is no automatic return to the store home page, no link available to take them somewhere else, etc.

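Shereen asked above for a way to change the PHP so that no attacker-supplied message can be sent through the form, and bsmither's edit kills the script outright. The following is an added example, not CubeCart's own code, of what a kept-but-hardened handler looks like: the form field names ($post['to'], 'from', 'name'), the function names and the shop address are assumptions for illustration.

```php
<?php
// Added example, not CubeCart's own code: a hardened "tell a friend" handler.
// Field names ($post['to'], 'from', 'name') and function names are assumptions.

// Reject any recipient that carries CR/LF/NUL (which would start extra mail
// headers) or that is not a valid address. Returns the clean address or null.
function tf_clean_email(string $raw): ?string
{
    $raw = trim($raw);
    if (preg_match('/[\r\n\0]/', $raw)) {
        return null;
    }
    $ok = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// A display name must never be able to become a header line of its own.
function tf_clean_name(string $raw): string
{
    return substr(preg_replace('/[\r\n\0]+/', ' ', trim($raw)), 0, 60);
}

// Build the mail from a fixed server-side template: the visitor chooses the
// recipient and their own name, never the body text or any header.
function tf_build_message(array $post, string $productName, string $productUrl): ?array
{
    $to   = tf_clean_email($post['to'] ?? '');
    $from = tf_clean_email($post['from'] ?? '');
    if ($to === null || $from === null) {
        return null;
    }
    $name = tf_clean_name($post['name'] ?? '');
    $body = sprintf("%s thinks you might like \"%s\":\n%s\n",
                    $name !== '' ? $name : $from, $productName, $productUrl);
    return [
        'to'      => $to,
        'subject' => 'A product recommendation',          // fixed, not user-chosen
        'body'    => $body,
        // Mail goes out from the shop's own address; the visitor is only Reply-To.
        'headers' => "From: shop@example.com\r\nReply-To: $from\r\n",
    ];
}

// Constructed sample: a bot posting straight to the form action with a line
// break smuggled into the recipient field. Nothing is built, so nothing is sent.
$attempt = ['to' => "friend@example.net\r\nBcc: x@example.org", 'from' => 'a@example.com', 'name' => 'Bob'];
if (tf_build_message($attempt, 'Widget', 'https://shop.example.com/widget') === null) {
    echo "rejected: line break in recipient\n";
}
```

Only when tf_build_message() returns an array would the handler hand its four elements to mail(); combined with a per-IP send limit this keeps the feature while removing the free-text message the spammers were after.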


I would still disable the script that comes with cubecart and use a hosted one instead like sharethis.com or addthis.com (I use the ones from add this that not only lets someone tell a friend, but also lets them share or bookmark your site on the most popular social networks like facebook, twitter, digg, etc).


Guest shereen


thanx! for the advice, mysty.

~ shereen ~


thanx! bsmither, i appreciate the assistance, i found the code you were referring to on line 30; but what exactly is this symbol that you wrote? "||" is that an equal sign? (or two equal signs next to each other?)

looking forward to your reply.

~ shereen ~


Guest shereen

That's two pipe characters (http://en.wikipedia.org/wiki/Vertical_bar), in PHP the character sequence for a logical OR. To get the pipe character, type the shifted back-slash.

gotcha, thanx! hopefully this will work...

~ shereen ~
