Claudia M Posted December 14, 2017
I received an order today and this showed in the admin order summary. Under Order Summary the customer's name looked like this. I wouldn't think they would type it in like that. Of course they used their real name; I just changed it for security. Note the ">
Customer Name">
Company (this was blank)">
Street address">
Hiram, Ohio 44234
I've checked files but don't see any bad code. Any specific ideas where to look? Also, it turns out their email does not exist and was returned. The payment with PayPal went through without a hitch. Should I worry – not a large order.
bsmither Posted December 14, 2017
Please use an external database utility to view CubeCart's database directly. In CubeCart_order_summary, examine the customer data for the suspect order.
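The advice above is to look at the stored rows rather than at what the admin page renders. As an added example (not code from this thread or from CubeCart), the script below builds an in-memory table shaped like CubeCart_order_summary, scans the customer fields for markup-like characters such as the stray "> discussed here, and shows how a value containing them should be escaped when it is placed inside an HTML value="..." attribute. The column names are assumed from the customer[...] form field names that appear later in the thread, and the rows are constructed for the demonstration.

```python
import html
import re
import sqlite3

# Stand-in for CubeCart_order_summary. The column names are assumed from the
# customer[...] form fields visible in the thread, not taken from CubeCart's schema.
SCHEMA = """
CREATE TABLE CubeCart_order_summary (
    cart_order_id TEXT PRIMARY KEY,
    first_name    TEXT,
    last_name     TEXT,
    company_name  TEXT,
    line1         TEXT,
    line2         TEXT,
    town          TEXT
)
"""
CUSTOMER_FIELDS = ("first_name", "last_name", "company_name", "line1", "line2", "town")

# Constructed sample rows. Order 171214-2 imitates the stray '">' from the thread.
SAMPLE_ROWS = [
    ("171214-1", "Ann", "Example", "", "1 Main St", "", "Hiram"),
    ("171214-2", "Lee", 'Example">', '">', '12 Elm Rd">', "", "Hiram"),
    ("171214-3", "Pat", "O'Brien", "Pat & Co.", "3 Oak Ave", "Apt 2", "Hiram"),
]

# Characters that form HTML/attribute syntax and have no place in a postal name
# or address. A lone apostrophe or ampersand is legitimate (O'Brien, Pat & Co.).
SUSPECT = re.compile(r'[<>"]|&(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z]+);')


def load_sample_db():
    """Build an in-memory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO CubeCart_order_summary VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def audit_orders(conn):
    """Return {order_id: [(field, raw_value), ...]} for every order whose customer
    fields contain markup-like characters. The column list is a fixed constant,
    so the f-string builds no SQL from user input; the match itself is done in
    Python to stay clear of LIKE/GLOB escaping pitfalls."""
    cols = ", ".join(CUSTOMER_FIELDS)
    findings = {}
    for order_id, *values in conn.execute(
        f"SELECT cart_order_id, {cols} FROM CubeCart_order_summary"
    ):
        hits = [(f, v) for f, v in zip(CUSTOMER_FIELDS, values) if v and SUSPECT.search(v)]
        if hits:
            findings[order_id] = hits
    return findings


def escape_for_attribute(value):
    """How a stored value should appear inside value="..." when rendered: with
    quote=True, html.escape also converts the double quote, so a stored '">'
    cannot close the attribute early."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for order_id, hits in audit_orders(load_sample_db()).items():
        for field, value in hits:
            print(f'{order_id}: {field} = {value!r} -> value="{escape_for_attribute(value)}"')
```

Against a live store the same audit would run over an export of the real table; the point of the pattern is to tell markup syntax apart from punctuation that genuinely belongs in names and addresses.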
Claudia M Posted December 14, 2017
Looking in the phpMyAdmin database customers, I found that this person plus another customer had the password that is the same as my admin password! I used Firefox Web Tool to examine the code and didn't see anything wrong with it. I also created a "new customer" and placed an order, and the "> didn't show.
Edited December 14, 2017 by Claudia M
bsmither Posted December 14, 2017
Would that be the encoded password? The 128-character-long hash? If so, then the 'salt' value must also be the same. Catching this in CubeCart_customer is noteworthy, but what about the data in CubeCart_order_summary?
Edited December 14, 2017 by bsmither
Claudia M Posted December 14, 2017
Yes, it was the varchar 128-character password. I don't know what long hash means. The salt is not the same. I'm not sure what you are looking for in CubeCart_order_summary. Are you talking about my admin order screen? If so, that is where I first found the "> in the address. Looking at the page source in the Delivery address tab in admin / orders for this person, this is what I see. The ... is me removing their personal info. The info shown in company name is as is.
<div><label for="ajax_title">Title</label><span><input type="text" id="ajax_title" name="customer[title]" value="L......" class="textbox billing"></span></div>
<div><label for="ajax_first_name">First Name</label><span><input type="text" id="ajax_first_name" name="customer[first_name]" value="L..." class="textbox billing required"></span></div>
<div><label for="ajax_last_name">Last Name</label><span><input type="text" id="ajax_last_name" name="customer[last_name]" value="...">" class="textbox billing required"></span></div>
<div><label for="sum_company_name">Company Name</label><span><input type="text" id="sum_company_name" name="customer[company_name]" value="">" class="textbox billing"></span></div>
<div><label for="sum_line1">Address</label><span><input type="text" id="sum_line1" name="customer[line1]" value="... RD">" class="textbox billing required"></span></div>
<div><label for="sum_line2"> </label><span><input type="text" id="sum_line2" name="customer[line2]" value="" class="textbox billing"></span></div>
<div><label for="sum_town">Town/City</label><span><input type="text" id="sum_town" name="customer[town]" value="...." class="textbox billing required"></span></div>
<div>
Claudia M Posted December 14, 2017
I'm beginning to think the customer must have added the ">. My test order and the order I just received did not show the "> and all info was correct. Quite concerning about my admin info in their account, though. I noticed that if you go to my login page in the storefront, my admin user name and the dotted-out password showed in the boxes instead of "email (required)" and "password (required)". I removed my stored password in Firefox and it quit showing my info, so maybe it was just like that on my computer. I would like to know how my admin info got in their customer account.
bsmither Posted December 14, 2017
'Hash' is a term that describes a series of letters and numbers that do not spell anything, and generally cannot be reversed into something readable. So, the 128 characters is a hash. That hash is computed by also using a randomly-generated salt value. Once the salt is generated, it is used along with the login username - they are swished around together to come up with the final hash. That final hash and the salt used to create it are databased. Then, when logging in, the username entered on the form and the databased salt are swished around in the same manner to come up with the same hash. If the computed hash matches the databased hash, then the username must be correct.
Using phpMyAdmin, view the contents of the database table CubeCart_order_summary. The customer name in use at the time when the order was made is stored in this table. You are viewing an Order Summary, so you should be seeing the customer's name as it was databased when the order was made. If there is no corruption in the customer's name in the CubeCart_order_summary table, but it is appearing on the wen page, then the corruption is happening somewhere in-between.
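The salted-hash scheme described above, written out as an added example (not CubeCart's code and not from this thread): the password the login form submits is hashed together with a random per-account salt, both salt and hash are stored, and a login is checked by recomputing the hash with the stored salt. SHA-512 in hex gives exactly 128 characters, the length mentioned earlier; the salt-then-password order and the use of a bare hash rather than a deliberately slow KDF are assumptions made for the illustration. The last function relates to the earlier finding of identical hashes on different accounts: with a random salt per account, two users with the same password get different hashes, so a hash that repeats across rows whose salts differ deserves a closer look at the rows themselves.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Illustrative salted-hash scheme. Assumptions for the example: hex SHA-512
# (128 characters), the salt placed before the password, no key stretching.
# This is not a description of CubeCart's own implementation.


def make_salt(nbytes=16):
    """Random per-account salt, 32 hex characters."""
    return secrets.token_hex(nbytes)


def hash_password(password, salt):
    """Hex SHA-512 over salt followed by password: 128 hex characters."""
    return hashlib.sha512((salt + password).encode("utf-8")).hexdigest()


def store_credential(password):
    """What gets 'databased': the salt and the hash, never the password."""
    salt = make_salt()
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_login(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def find_shared_hashes(rows):
    """rows: iterable of (label, record). Return {hash: [labels]} for hashes that
    appear under more than one label while the salts differ. Two accounts with
    the same salt and the same hash simply share a password; the same hash under
    different salts is not something this scheme produces, so it points at the
    rows (copied or corrupted values) rather than at the users' password choice."""
    by_hash = defaultdict(list)
    for label, record in rows:
        by_hash[record["hash"]].append((label, record["salt"]))
    suspicious = {}
    for h, members in by_hash.items():
        if len(members) > 1 and len({salt for _, salt in members}) > 1:
            suspicious[h] = [label for label, _ in members]
    return suspicious


if __name__ == "__main__":
    admin = store_credential("correct horse battery staple")
    customer = store_credential("correct horse battery staple")  # same password, new salt
    print(len(admin["hash"]), admin["hash"] == customer["hash"])  # 128 False
    print(verify_login("correct horse battery staple", admin))    # True
    # Constructed export in which one customer row carries the admin hash verbatim
    # under a different salt: the shape of the finding reported in the thread.
    copied = {"salt": make_salt(), "hash": admin["hash"]}
    print(find_shared_hashes([("admin", admin), ("cust1", copied), ("cust2", customer)]))
```

The verification step uses hmac.compare_digest so that the comparison takes the same time whether the hashes differ in the first character or the last.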
Claudia M Posted December 14, 2017
It shows "> in the customer name and company name and customer address. Same places that "> shows up in admin order summary. What is the wen page?
bsmither Posted December 14, 2017
Spelling error - the "web" page showing CubeCart's Order Summary for that order. Ok, so it is in the database CubeCart_order_summary.
Claudia M Posted December 14, 2017
So the customer typed it that way?
bsmither Posted December 15, 2017
No way to be 100% sure. So, you have a choice: spend more expensive time looking for more clues, or just keep an eye out for more of this.
Claudia M Posted December 15, 2017
I'll just keep an eye out for more of them. Keep an eye out - that may hurt a little. LOL
Claudia M Posted December 21, 2017
This order was returned to me by the Post Office stating there is no such address. I looked up the address and somehow got to a "Bad Buyer List". Seems this customer has done the same thing before. What would be going on? Why would she pay for an order (nowhere near a large order), then put those characters around her name and address, but have a payment that goes through? Anyway, my main question is: Is there any way to block her from being able to buy anything from me again? I'm going to refund her money just to be done with it.
keat Posted December 21, 2017
I've seen this with my admin info on the customer account. If I remember correctly, it will show my login name in one of the fields (possibly mobile phone), if it's blank at the time. Annoyingly, it will then save if you click the save button. Scouring the database, I found 3 occurrences, so definitely a security concern if you're not keen-eyed.
bsmither Posted December 21, 2017
"it will show my login name in one of the fields ... if it's blank at the time."
I believe this was blamed on the web browser having an "automatic form filler" add-on that was populating form fields with data it thought appropriate from the add-on's repository.
Claudia M Posted December 21, 2017
Does anyone know how to block a buyer?
bsmither Posted December 21, 2017
* If they have a known set of email addresses, and have created accounts on those addresses, you can disable the customer having that email address.
* You can install the CubeCart Security Suite and enter IP addresses that will be blocked.
* An (easily written) plugin to automatically disable new customers based on "rules", such as punctuation in name fields and other oddities.
Claudia M Posted December 21, 2017
How do I do those things?
"If they have a known set of email addresses, and have created accounts on those addresses, you can disable the customer having that email address."
and/or
"An (easily written) plugin to automatically disable new customers based on "rules", such as punctuation in name fields and other oddities."
bsmither Posted December 21, 2017
In admin, Customer List, find the customer with the target email address. Uncheck the Status column. That customer will not be able to log in. (Might probably still be able to buy as a "ghost" (unregistered) customer, however.)
I have a plugin that intercepts the "registration" process and sets the status of the customer to disabled. The admin, after confirming the "eligibility" of any customer to shop at their store (wholesale customers, typically), will enable the status. That plugin can be modified to run tests on the registration data and set the status to disabled if any test matches the fail conditions.
Edited December 21, 2017 by bsmither
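The rule-based check described in this post and in the bulleted suggestion above ("punctuation in name fields and other oddities"), written out as an added example. It is not bsmither's plugin and not CubeCart code: the hook that would call it, the field names (taken from the customer[...] form fields seen earlier in the thread) and the rules themselves are assumptions. The function returns whether the new account should start enabled, plus the reasons when it should not, so that the admin can look at the record and re-enable a genuine customer instead of the store rejecting anyone outright.

```python
import re

# Hypothetical screening step for a registration hook. The field names follow the
# customer[...] form fields seen in the thread; the rules are illustrative and
# not part of any CubeCart plugin.
NAME_FIELDS = ("first_name", "last_name")
ADDRESS_FIELDS = ("company_name", "line1", "line2", "town")

# Quote, angle brackets and equals sign: attribute/markup syntax, never postal data.
MARKUP_CHARS = re.compile(r'[<>"=]')
# A personal name: starts with a letter (any script), then letters, apostrophe,
# space, period or hyphen. Digits and other punctuation fail the test.
NAME_ALLOWED = re.compile(r"^[^\W\d_](?:[^\W\d_]|[' .-])*$")


def screen_registration(reg):
    """Return (enabled, reasons). enabled is False when any rule fails, so the
    account is created disabled and the admin re-enables it after a look."""
    reasons = []
    for f in NAME_FIELDS + ADDRESS_FIELDS:
        v = reg.get(f, "") or ""
        found = sorted(set(MARKUP_CHARS.findall(v)))
        if found:
            reasons.append(f"{f}: markup characters {found}")
        elif f in NAME_FIELDS:
            if not v.strip():
                reasons.append(f"{f}: required field is empty")
            elif not NAME_ALLOWED.match(v):
                reasons.append(f"{f}: unexpected characters for a name")
    # One string pasted into three or more fields is another oddity worth a look.
    values = [reg.get(f, "") or "" for f in NAME_FIELDS + ADDRESS_FIELDS]
    for v in sorted(set(values)):
        if v and values.count(v) >= 3:
            reasons.append(f"value {v!r} repeated in {values.count(v)} fields")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed registrations: one ordinary, one imitating the thread's '">' data.
    normal = {"first_name": "Ann", "last_name": "O'Brien", "company_name": "",
              "line1": "1 Main St", "line2": "", "town": "Hiram"}
    odd = {"first_name": "Lee", "last_name": 'Example">', "company_name": '">',
           "line1": '12 Elm Rd">', "line2": "", "town": "Hiram"}
    for reg in (normal, odd):
        enabled, reasons = screen_registration(reg)
        print("enabled" if enabled else "disabled", reasons)
```

The markup test is applied to every customer field, while the name-shape test is applied only to the two name fields, since street addresses legitimately carry digits and other punctuation.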
Claudia M Posted December 21, 2017
Thank you... I disabled her. This would be nice, like you said:
"such as punctuation in name fields and other oddities. ... That plugin can be modified to run tests on the registration data and set the status to disabled if any test matches the fail conditions."