Jump to content

Code at the end of Customer Name


Claudia M
 Share

Recommended Posts

 

I received an order today and this showed in admin order summary.

Under Order Summary the customers name looked like this.  I wouldn’t think they would type it in like that.  Of course they used their real name I just changed it for security. Note the ">

Customer Name">
Company (this was blank)">
Street address">
Hiram, Ohio 44234

I’ve checked files but don’t see any bad code.  Any specific ideas where to look?

Also turns out their email does not exist and was returned. The payment with PayPal went thru without a hitch. Should I worry – not a large order.

Link to comment
Share on other sites

In looking in myphphadmin database customers I found that this person plus another customer had the password that is the same as my admin password!

I used Firefox Web Tool to examine the code and didn't see anything wrong with it.

I also created a "new customer" and placed an order it the "> didn't show

Edited by Claudia M
Link to comment
Share on other sites

Would that be the encoded password? The 128 character-long hash? If so, then the 'salt' value must also be the same.

Catching this in CubeCart_customer is noteworthy, but what about the data in CubeCart_order_summary?

Edited by bsmither
Link to comment
Share on other sites

Yes it was the varchar 128 character password. I don't know what long hash means.  The salt is not the same. I'm not sure what you are looking for in the Cubecart_order-summary.  Are you talking about my admin order screen.  If so that is where I first found the "> in the address. 

In looking at the page source in the Delivery address tab in admin / orders for this person this is what I see.  The ... is me removing their personal info. the info shown in company name is as is.

<div><label for="ajax_title">Title</label><span><input type="text" id="ajax_title" name="customer[title]" value="L......" class="textbox billing"></span></div>

            <div><label for="ajax_first_name">First Name</label><span><input type="text" id="ajax_first_name" name="customer[first_name]" value="L..." class="textbox billing required"></span></div>

            <div><label for="ajax_last_name">Last Name</label><span><input type="text" id="ajax_last_name" name="customer[last_name]" value="...&#34;>" class="textbox billing required"></span></div>

            <div><label for="sum_company_name">Company Name</label><span><input type="text" id="sum_company_name" name="customer[company_name]" value="&#34;>" class="textbox billing"></span></div>

            <div><label for="sum_line1">Address</label><span><input type="text" id="sum_line1" name="customer[line1]" value="... RD&#34;>" class="textbox billing required"></span></div>

            <div><label for="sum_line2"> </label><span><input type="text" id="sum_line2" name="customer[line2]" value="" class="textbox billing"></span></div>

            <div><label for="sum_town">Town/City</label><span><input type="text" id="sum_town" name="customer[town]" value="...." class="textbox billing required"></span></div>

            <div>

Link to comment
Share on other sites

I'm beginning to think the customer must have added the ">   My test order and the order I just received did not show the "> and all info was correct.  Quite concerning about my admin info in their account though.  I noticed if you go to my login page in the store front my admin user name and the dotted out password showed in the boxes instead of email (required) password (required). I removed my stored password in Firefox and it quit showing my info so maybe it was just like that on my computer. Would like to know how my admin info got in their customer account.

Link to comment
Share on other sites

'Hash' is a term that describes a series of letters and numbers that do not spell anything, and generally cannot be reversed into something readable. So, the 128 characters is a hash. That hash is computed by also using a randomly-generated salt value. Once the salt is generated, it is used along with the login username - they are swished around together to come up with the final hash. That final hash and the salt used to create it are databased. Then, when logging in, the username entered on the form and the databased salt are swished around in the same manner to come up with the same hash. If the computed hash matches the databased hash, then the username must be correct.

Using phpMyAdmin, view the contents of the database table CubeCart_order_summary. The customer name in use at the time when the order was made is stored in this table.

You are viewing an Order Summary, so you should be seeing the customer's name as it was databased when the order was made.

If there is no corruption in the customer's name in the CubeCart_order_summary table, but is appearing on the wen page, then the corruption is happening somewhere in-between.

Link to comment
Share on other sites

This order was returned to me by the Post Office stating there is no such address.  I looked up the address and somehow got to a "Bad Buyer List".  Seems this customer has done the same thing before.  What would be going on?  Why would she pay for an order (nowhere near a large order) then put those characters around her name and address, but have a payment that goes thru?  Anyway, my main question is:  Is there anyway to block her from being able to buy anything from me again? I'm going to refund her money just to be done with it.

Link to comment
Share on other sites

I've seen this with my admin info on the customer account.

If I remember correctly, it will show my login name in one of the fields (possibly mobile phone), if it's blank at the time.

Annoyingly, it will then save if you click the save button.

Scouring the database, I found 3 occurances, so definately a security concern if you're not keen eyed.

Link to comment
Share on other sites

"it will show my login name in one of the fields ... if it's blank at the time."

I believe this was blamed on the web browser having a "automatic form filler" addon, that was populating form fields with data it thought appropriate from the addon's repository.

Link to comment
Share on other sites

* If they have a known set of email addresses, and have created accounts on those addresses, you can disable the customer having that email address.

* You can install the CubeCart Security Suite and enter IP addresses that will be blocked.

* A (easily written) plugin to automatically disable new customers based on "rules", such as punctuation in name fields and other oddities.

 

Link to comment
Share on other sites

How do I do those things?  If they have a known set of email addresses, and have created accounts on those addresses, you can disable the customer having that email address. and/or

A (easily written) plugin to automatically disable new customers based on "rules", such as punctuation in name fields and other oddities.

Link to comment
Share on other sites

In admin, Customer List, find the customer with the target email address. Uncheck the Status column. That customer will not be able to log in. (Might probably still be able to buy as a "ghost" (unregistered) customer, however.)

I have a plugin that intercepts the "registration" process and sets the status of the customer to disabled. The admin, after confirming the "eligibility" of any customer to shop at their store (wholesale customers, typically), will enable the status.

That plugin can be modified to run tests on the registration data and set the status to disabled if any test matches the fail conditions.

Edited by bsmither
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...