Jump to content
thirty bees forum

datakick

Administrators
  • Posts

    3,035
  • Joined

  • Last visited

  • Days Won

    465

Everything posted by datakick

  1. Enabling debug mode will NOT help you decrypt your existing error txt files. When you enable it, and encounter some 500 error on your website, you will see error directly on the screen. There will be no prompt to download some error txt file and decrypt it. There can be many reasons why your back office don't want to decrypt your error txt files. One of the images in your previous posts shows that your server cant creating files in /tmp folder because of read only filesystem. The same probably happens when you try to upload the error file -- your php server can use /tmp dir to temporary store file during the upload.
  2. Debug mode fixes the problem with The decrypt function in Logs is not decrypting the message. since there is nothing to decrypt.
  3. regarding get_magic_quotes_gpc - you can do full search / replace in all modules, and replace get_magic_quotes_gpc() with false Of course, you can then remove the surrounding code as well, since if (get_magic_quotes_gpc()) { $params = Tools::stripslashes($params); } will turn into if (false) { $params = Tools::stripslashes($params); } But it's not strictly necessary. The end result will be the same if you keep the unreachable code or if you remove it.
  4. This is from order-confirmation.tpl template. In Niara / community-theme-default, the value of $id_order_formatted is rendered: <p>{l s='Your order ID is:'} <span class="bold">{$id_order_formatted}</span> . {l s='Your order ID has been sent via email.'}</p> This variable is set in OrderConfirmationController, and contains order internal ID left padded with zeros 'id_order_formatted' => sprintf('#%06d', $this->id_order),
  5. This key is generated during installation, or when you switch from Blowfish to PHP Encryption. At least that's how it works on bleeding edge. Anyway, creating this manually works as well. Thirty bees does not add anything related to admin directory to .htaccess file. This might be your own manual addition, or entry by some module.
  6. You can download this php script, upload it to your store root directory, and then open https://www.yourstore.com/genkeys.php genkeys.php Keys for rijndael should not be needed. Just ensure you are using Use the PHP Encryption library as you ciphering algorithm (in Advanced Parameters > Performance)
  7. I don't have any issues even on php8.2
  8. No, I won't implement this. Frankly, that's too much work, and I believe it can only cause trouble. For example, in my country invoice must contain customer's full address, so I need to collect it even for virtual products. That only leaves company information fields. And this one is important for business users. I guess I could implement such check. Is is something that is useful, though? I mean, if my customer has voucher for $100, and they want to use it on a product that costs $80, why should I block them to do that?
  9. All information required for invoicing is collected, including address If you cart contains only virtual products, shipping is not displayed No, such option does not exists. It behave in the same way as default checkout -- allow free orders. I don't understand
  10. Thanks for reporting this. Fixed in new version 0.9.3
  11. In PHP8 Attribute is a reserved name. Every PHP codebase that used the same name must stop using it if they want to be compatible with PHP8. Thirtybees definitely want to run on PHP8, so we renamed this class to ProductAttribute. You will have to adjust your module and replace usage of Attribute class with this one. For example, if your module contains $attr = new Attribute(); $attributes = Attribute::getAttributes(); You have to change it to look like this $attr = new ProductAttribute(); $attributes = ProductAttribute::getAttributes(); There is also more easier solution - add this line at the beginning of every PHP file in the module (that is using this class). And you can keep the rest of the code intact use ProductAttribute as Attribute;
  12. Yes, as long as it's a full backup. You shouldn't do merge into current root directory, but delete everything (or rename your root directory) and replace with your backup.
  13. Oh, that's scary. Stage 1) remove the infection. use core updater and/or Configuration information to figure out if core files were modified. Use core updater to fix that look for any modules that you didn't installed check your overrides. You can use overridecheck module to list all existing overrides. check the theme for any modification. Take note of all modified or new files. Write down file creation/modification dates. Stage 2) strengthen your store update core to latest bleeding edge 1.5, if possible. There were a lot of security fixes rename your admin directory change all sensitive information in /config/settings.inc.php, including _DB_PASSWD_ - you will need to change password for your database user first _COOKIE_KEY_, _COOKIE_IV_ _PHP_ENCRYPTION_KEY_ _RIJNDAEL_KEY_, _RIJNDAEL_IV_ Delete all modules that you don't use. Even if they are not installed, they can pose security risk. Delete them. Stage 3) figure out attack vector updating your store to latest version and deleting unused modules may or may not fixed the vulnerability. If not, attacker can use it once again to get access to your store. You need to figure out how they got access look into your server Access logs It will help if you know the approximate time of attack (from file modification time) search for group of weird requests. Something like this nginx_1 | [29/Apr/2023:03:43:02 +0000] "GET /.git/HEAD HTTP/1.1" 403 153 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /nmaplowercheck1682739782 HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /localstart.jhtml HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /CSS/Miniweb.css HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /5Mrh HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /Portal0000.htm HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET / HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET / HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42 HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "\x0E\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00bbbb0100000001" 400 157 "-" "-" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "POST /sdk HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /Portal/Portal.mwsl HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /robots.txt HTTP/1.1" 200 36 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /__Additional HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /HNAP1 HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "GET /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" nginx_1 | [29/Apr/2023:03:43:03 +0000] "POST /scripts/WPnBr.dll HTTP/1.1" 302 5 "-" "curl/7.54.0" "-" within this group, search for requests that succeeded - response code 200. POST and PUT requests should be the first to investigate. check the php scripts for requests that succeeded check requests with response code 500. it can be indication of some vulnerability If you are unsure how to do all that, you can and should hire somebody to help you with all that.
  14. While the idea behind this module is nice, I think it has a potential to cause a lot of trouble. And doesn't solve any actual problem, really. When you use this module, you should edit your templates and strip all microdata from them. Otherwise, search engines would see two sets of metadata. For product and organization info metadata this is ok, as json+ld format already contains this info. Problem occurs if you have some module that emits additional metadata (like reviews from revws module, author metadata, FAQ, related content, etc). Because of missing product metadata we just removed, these additional information will not be attributed to anything. And google search console will raise a lot of errors. In this case, the proper solution would be to integrate these third party modules with jsonmodule. Jsonmodule would expose some API that other modules could use to render json-ld metadata. This api does not exists. And even if it did, nobody will modify these third party modules to work with jsonmodule. So, if you don't use any module that emits metadata, you can use the jsonmodule. The end result will be, however, the same as if you just keep the html based markup
  15. You should check files permissions. Maybe some of your files are not readable/writeable and were not updated delete file cache/class_index.php clear cache disable all overrides
  16. Note: previous suggestion no longer works for bleeding edge / thirty bees 1.5. Employee record in database now contains 'signature' column that ensures employee password/email/role is not modified externally. This is to prevent attackers from accessing your back office in case of SQL injection vulnerability. If you are locked-out, you can use auto login script from this thread:
  17. Here's a helper php script force-login.php Upload it to your admin directory, and then open it in your browser, ie https://your.domain.com/admin-dir/force-login.php This should log you in without need for password. Then go to core updater. In settings, enable Developer mode. Then click on Developer icon in upper right corner. In the developer tool, execute "Execute processes" That should complete the failed migration, and you should be able to log-in again. Don't forget to remove the force-login.php script again force-login.php PS: if you tried the suggestion from https://forum.thirtybees.com/topic/6081-locked-out/#comment-46072 thread, then don't forget that your password is already changed to changeme1234
  18. sorry, that's classes/ConfigurationTest.php
  19. This is an issue with TLS12 check. It stopped working due to external changes. In version 1.5 / bleeding edge, this test does not exists anymore. Edit file and delete line 130. Original code public static function getDefaultTestsOp() { return [ 'Gz' => false, 'Tlsv12' => false, ]; } should look like this public static function getDefaultTestsOp() { return [ 'Gz' => false, ]; }
  20. Indeed, that's a bug. Javascript method that translates string is in this case called before the translations are provided. I have to delay this, and translate string only when error happens.
  21. My guess is that your server raises some warning/error very early because of server misconfiguration -- maybe relate to that tempname() notice that should not be there. Thirty bees tries to handle the error, and during that error handler tries to access database. This fails, because db connection is not configured yet. The original error is not reported, and instead new error regarding database connection is raised. If true, it is obviously bug in thirty bees. Unfortunately, I can't reproduce this issue, so I'm not sure what to fix. @Alexander001 could you assist? Please edit file classes/db/DbPDO.php Find line die(sprintf(Tools::displayError('Link to database cannot be established: %s'), utf8_encode($e->getMessage()))); And replace it with die("<pre>$e</pre>"); That should tell us the origin of the problem. That's not real server, that's a joke. Their free plan severely limit number of concurrent connections to the server. Modern browsers can easily trigger a lot of concurrent requests, and their server just can't (won't) handle it.
  22. No, that's correct. There shouldn't be this file. I asked because if this file existed, it might explain your issue.
  23. Hard to tell. Do you have existing file /config/settings.inc.php ?
  24. Hi everyone, I've just released a new module to strengthen back office security - two factor authentication module. https://store.getdatakick.com/en/modules/back-office-two-factor-authentication With this module, your store employees will have to enter authentication code during login to back office. The code changes every 30 seconds, and the only way to obtain current value is to use Authentication app on your phone -- there are many free authentication application available, for example Google Authenticator or FreeOTP. This functionality makes your back office more secure. It protect your store against brute-force attacks, mitigate impact of weak or leaded passwords, etc.
      • 5
      • Like
×
×
  • Create New...