Potential Malicious Attack



@wkd

Just bear in mind what I mentioned 6 posts up.

If a customer had his caps lock on, and his first and second name ended in the same letter, then he's going to get caught by BSmither's trap.

 

From my point of view

It's not often that a customer will leave his caps lock on, and what are the odds that if he did, he might just have the same end letter in both his first and second name?

However, if we lost a customer, and he was about to spend £500 (or above), then this would be more annoying than the bot.

 

Maybe we should collectively try to find another pattern?

I just got a registered customer with the same three-letter first and last name in all caps from Singapore. What is your trap Brian?

I know this won't make sense and I've been told in the past this is not possible, but it has happened again. I went to look at my webstore this morning and it was showing an old skin that I still have uploaded. I DID NOT CHANGE THE SETTINGS IN ADMIN. Also, in checking my email log, the above customer had used the contact form and sent it to the following departments: General Inquiry - International Shipping Quote - Questions about a product. I long ago deleted those email accounts and moved all emails sent from the contact form to [email protected] blah. In looking at the store settings, these old email addresses are showing, which I had changed all of them to [email protected]. I still have the departments.

I don't know if the two are connected but I'd like to figure out what is going on.

Edited by Claudia M

I added that code but now nobody can sign up for our site - it will give everyone the white out...

 

Message me direct and I will send you the credentials for our website so you can check it out yourself, bsmither.

8 months later...

In case anyone wants to try SemperFi's old hack, I found the code in an archived copy of our store. (The link in the comment is to the old CC forum and is no longer any good. Maybe somebody knows how to find it in the new forum?)

If I remember correctly, a REAL customer going through the sign up form sees the error message that first and last cannot be the same - but a bot will not see that message and will never know they were not successful.

In cubecart.class.php

	// Check passwords match if not empty
	if (isset($_POST['register']) && $_POST['register']==1 && !empty($_POST['password']) && $_POST['password'] !== $_POST['passconf']) {
		$errors['password'] = true;
		$error_messages[] = $GLOBALS['language']->account['error_password_mismatch'];
	}
	//SemperFi from http://www.cubecartforums.org/index.php?showtopic=17937 STOP HACKERS
	// Check names aren't the same. Uses the same $errors array as the checks around it
	// (the archived copy had a typo, $error, which left the flag unset) and needs an
	// 'error_names_same' string in the account section of the language file.
	if (isset($_POST['user']['first_name'], $_POST['user']['last_name']) && $_POST['user']['first_name']==$_POST['user']['last_name']) {
		$errors['names'] = true;
		$error_messages[] = $GLOBALS['language']->account['error_names_same'];
	}
	//SemperFi end STOP HACKERS
	if (preg_match("/[a-z]/i", $_POST['user']['phone'])) {
		$errors['phone'] = true;
		$error_messages[] = $GLOBALS['language']->account['error_valid_phone'];
	}
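As an added example (not the forum poster's code and not part of CubeCart), the same trap factored into a testable function with trimming, case-insensitive comparison and an audit log of blocked sign-ups, so the false positives discussed earlier in the thread (a real customer turned away) can be found and contacted. Function names, the log path and the sample submissions are assumptions made for the illustration.

```php
<?php
// Added example, not the forum poster's code nor part of CubeCart: the SemperFi
// trap factored into a testable function, plus an audit log of blocked sign-ups
// so a real customer who was turned away can be found and contacted. Function
// names, the log path and the sample submissions are assumptions.

// True when the names match the trap rule. Trimming and lower-casing means a
// caps-lock customer ("JOHN"/"SMITH") passes while "ABC"/"ABC" or "Abc"/"ABC"
// is caught; ASCII-only case folding with strtolower is an assumption here.
function namesLookAutomated(array $user): bool
{
    $first = strtolower(trim($user['first_name'] ?? ''));
    $last  = strtolower(trim($user['last_name'] ?? ''));
    return $first !== '' && $first === $last;
}

// One line per blocked attempt, so false positives can be reviewed later.
function logBlockedRegistration(array $user, string $ip, string $logFile): void
{
    $line = sprintf("%s ip=%s first=%s last=%s email=%s\n", date('c'), $ip,
        $user['first_name'] ?? '', $user['last_name'] ?? '', $user['email'] ?? '');
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

// Mirrors the block in cubecart.class.php: runs only for the sign-up form (like
// the password check above it), sets the same $errors key, and returns the
// message a real customer should see (CubeCart takes it from $GLOBALS['language']).
function checkRegistrationNames(array $post, array &$errors, string $ip, string $logFile): ?string
{
    if (!isset($post['register']) || (int) $post['register'] !== 1) {
        return null;
    }
    if (!namesLookAutomated($post['user'] ?? [])) {
        return null;
    }
    $errors['names'] = true;
    logBlockedRegistration($post['user'], $ip, $logFile);
    return 'First and last name cannot be the same.';
}

// Constructed sample submissions: one bot-like, one caps-lock customer.
$log = sys_get_temp_dir() . '/blocked_registrations.log';
foreach ([['ABC', 'ABC'], ['JOHN', 'SMITH']] as [$first, $last]) {
    $errors = [];
    $post = ['register' => 1, 'user' => ['first_name' => $first, 'last_name' => $last, 'email' => 'test@example.com']];
    $msg = checkRegistrationNames($post, $errors, '203.0.113.5', $log);
    echo "$first/$last: ", $msg ?? 'accepted', "\n";
}
```

Reviewing the log file periodically is what turns the silent trap into something the shop owner can audit, rather than losing the order without knowing.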

 

