Monika Mathé's Amazon Blog http://www.amazon.com/gp/blog/A1WS4REWYG71CY Monika Mathé's Amazon Blog en-us Copyright 2005-2007 Amazon.com Mon, 13 Aug 2007 04:31:37 -0700 Mon, 13 Aug 2007 04:31:37 -0700 http://blogs.law.harvard.edu/tech/rss Amazon.com Blogs 60 Speed Optimizing http://www.amazon.com/gp/blog/post/PLNK361VDNZVOFJ7N Monika Mathé Dear readers,
If your store has been running a bit slow recently, it's time to whip up the following tuning potion:

Change indexing of products_to_categories + specials tables

I had excellent speed optimization results by removing the combined primary key of the products_to_categories table and replacing it by 2 single indexes.

ALTER TABLE `products_to_categories` DROP PRIMARY KEY;
ALTER TABLE `products_to_categories` ADD INDEX `idx_p2c_categories_id` ( `categories_id` );
ALTER TABLE `products_to_categories` ADD INDEX `idx_p2c_products_id` ( `products_id` );

I also added an index on the products_id column for the specials table with great success.

ALTER TABLE `specials` ADD UNIQUE `idx_s_products_id` ( `products_id` );

Bon Appetit!


BTW: you can now find me handing out tips, tricks & recipes as a Moderator on this osCommerce related forum: osC Answers  - see you there!

kind regards
Monika
]]> Mon, 13 Aug 2007 04:31:37 -0700 PLNK361VDNZVOFJ7N Process Logic Flaw affecting several payment modules http://www.amazon.com/gp/blog/post/PLNK17BJEOSWYY3VQ Monika Mathé Dear Readers,
this one is important to check out! It was brought up to me by a fellow osCommerce geek  - Bobby, aka chemo - who cares for you shop owners. Read carefully through the issue he has found and apply the suggested fixes - both. I have copied his post directly from the osCommerce forum where you may have overlooked it ...

Watch out, and always keep up on security!

kindly
Monika

DESCRIPTION
The checkout process logic relies on redirect headers to handle transaction failure (decline, fraud, stolen card, etc.). This does not secure the store from purpose created bots from submitting arbitrary valid CC numbers from bypassing this check and as a result continues processing as if it were a valid transaction.
PROCESS LOGIC FLAW
The checkout_process.php script calls the before_process() method from the respective payment module. However, on failure the only action taken is a header redirect to the checkout_payment.php script.
There is no additional security checks performed beyond the initial header redirect. If the client is using a purpose built bot or script (using cURL for example) that does not obey headers this will effectively bypass the accept/decline logic and allow checkout_process.php to continue execution.
POSSIBLE FIXES
Modify the payment module to return boolean value for the before_process() method and incorporate this into the checkout_process.php script like this:
CODE
// load the before_process function from the payment modules
    $approved = $payment_modules->before_process();
    /**
     * The customer should have redirected already if before_process fails
     * However, some might bypass the simple security check
     * by disabling header codes.  If this is the case let's kill the script
     */
    if ( $approved !== true ){
        // Try to redirect one more time
        tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, 'error_message=' . urlencode('Exception'), 'SSL', true, false));
        /**
         * Apparently the customer is not going anywhere
         * At this point it's safer to destroy the session and kill the script
         */
        session_destroy();
        exit('Exit -> Exception(3)');
    }
Modify the tep_redirect() function to exit() after header call like this:
CODE
////
// Redirect to another page or site
  function tep_redirect($url) {
    if ( (strstr($url, "\n") != false) || (strstr($url, "\r") != false) ) {
      tep_redirect(tep_href_link(FILENAME_DEFAULT, '', 'NONSSL', false));
    }
    if ( (ENABLE_SSL == true) && (getenv('HTTPS') == 'on') ) { // We are loading an SSL page
      if (substr($url, 0, strlen(HTTP_SERVER)) == HTTP_SERVER) { // NONSSL url
        $url = HTTPS_SERVER . substr($url, strlen(HTTP_SERVER)); // Change it to SSL
      }
    }
    header('Location: ' . $url);
    /**
         * Exit if client does not obey headers
         */
        exit();
  }

INITIAL DISCOVERY AND PROOF OF CONCEPT
Client noticed several orders that were accepted but upon comparison with AuthorizeNET (using AIM method) noticed that they were declined. Since the site was processing several thousand orders daily they were detected only through the random quality assurance checks.
Upon closer investigation the flaw was discovered and subsequently replicated using cURL for requests. The vulnerability was verified on 6 other sites (with the cooperation of the respective store owners) using the same script. In addition, 4 were osC 2.2 platforms, 1 was CRE Loaded standard, and the other was CRE Pro.
This script is available to the osC / CRE project developers first and then will be released for public consumption. However, the description of the vulnerability should be enough to guide an intermediate level coder to produce the same functionality using whatever programming language they are most comfortable with.

SCOPE OF VULNERABILITY
This report affects all stable versions of osCommerce. This report affects all stable versions of CRE Loaded. Other fork projects were not inspected, tested or verified.
This report affects all AIM or SIM payment modules and excludes IPN types (such as PayPal).



]]> Sun, 14 Jan 2007 04:13:05 -0800 PLNK17BJEOSWYY3VQ Getting to know ya .... http://www.amazon.com/gp/blog/post/PLNK102VI3P9ARA0K Monika Mathé Hello dear readers,
a few weeks ago, a long interview with me was posted at webXadmin with tons of info about my background and plans in general. Should you be interested in it, please click on the link below.

Hope your holiday cooking goes well this week ;-). Enjoy!!!

kindly
Monika

http://webxadmin.free.fr/article/a-cookbook-for-oscommerce-666.php
]]> Sun, 19 Nov 2006 23:14:57 -0800 PLNK102VI3P9ARA0K Hacking the hack :-) http://www.amazon.com/gp/blog/post/PLNK39SQU44IN70UV Monika Mathé Hi dear readers,
this week and last, I was asked to modify recipe 59 that tackles product placement banners to allow for any page to be used in this new banner tool.

This is such a great hack I decided not to have you wait for my new book but show you here how to do it. So if you liked the product placement banners so much you want to use it for any page on his site use this variation. The code only needs to be modified a little bit to allow for non-product-related pages as well (and you can place SEO URLs in your banner manager now too!):

add the following function to catalog/includes/functions/general.php
function InStr($String,$Find,$CaseSensitive = false)  {
 $i=0; 
 while (strlen($String)>=$i) 
 { 
   unset($substring); 
   if ($CaseSensitive) 
   { 
    $Find=strtolower($Find); 
    $String=strtolower($String); 
   } 
   $substring=substr($String,$i,strlen($Find)); 
   if ($substring==$Find) return true; 
   $i++; 
  } 
  return false; 
 } 

then open your file catalog/includes/functions/banner.php and find this code:

tep_update_banner_click_count($banner['banners_id']);
$banner_string = '<a href="' . tep_href_link(before ('?', $banner['banners_url']), after ('?', $banner['banners_url'])) . '">' . tep_image(DIR_WS_IMAGES . $banner['banners_image'], $banner['banners_title']) . '</a>';

replace by this:
tep_update_banner_click_count($banner['banners_id']);
if (instr($banner['banners_url'], '?') > 0) {
 $banner_string = '<a href="' . tep_href_link(before ('?', $banner['banners_url']), after ('?', $banner['banners_url'])) . '">' . tep_image(DIR_WS_IMAGES . $banner['banners_image'], $banner['banners_title']) . '</a>';
} else {
 $banner_string = '<a href="' . tep_href_link($banner['banners_url']) . '">' . tep_image(DIR_WS_IMAGES . $banner['banners_image'], $banner['banners_title']) . '</a>';
}

Happy Cooking, and bon appetit!

kindly
Monika
]]> Sat, 28 Oct 2006 01:41:36 -0700 PLNK39SQU44IN70UV Welcome and thanks for reading this Blog! http://www.amazon.com/gp/blog/post/PLNK1GM82I1PX04BS Monika Mathé Hi,
compiling recipes and chapters for this book was one of the most enjoyable tasks in my coding career ... wondering which one would be most fun, most wanted or most of a lesson teaching cooking abilities for new osCommerce hacks :-).

Here is the full list of recipes from the Deep Inside osCommerce Cookbook to tantalize your tastebuds and make your fingers itch to dig into your own code:

Chop And Cream The Basic Design
01. Add easy top category driven stylesheets
02. Create flexible column definitions
Serve Them New Menus
03. Show active subcategories only in your categories box
04. Create separate boxes for each top category
05. Simplify category box navigation by defining specific colors for each level
06. Add extra links to your category box
Spice Up Your Infoboxes
07. Move your infobox header closer to content
08. Make your infobox header taller
09. Add a pop-up page from an infobox link
10. Add images to infoboxes
11. Add extra images to your columns without framing boxes
12. Hide or show boxes driven by language choice
13. Add boxes dedicated to specified countries
14. Define box image size independent of product thumbs
15. Show manufacturers' logos in Manufacturers infobox
16. Add double borders to boxes with background matting
Stuff Your Product Display
17. Add parent category in product listing
18. Add top category in product listing
19. Add a separator line in product listing
20. Add a cell background and image border to product listing
21. Sort product listing by date added
22. Prepare a quick 'n easy review system for product listing
23. Whip up a top category driven product listing
24. Restrain manufacturer image size
25. Call a pop-up from product description in product info
26. Call unique code for a single product in product info
27. Show a pop-up with shipping options in product info
28. Add an anchor for options in product info
29. Integrate Tell A Friend into product info
30. Offer Ask A Question About A Product link on product info
31. Sell affiliate products from your catalog
32. Fill up Also Purchased Products search result
33. Limit New Products to those with an image
34. Set column count for New Products
Dish Up Better Search
35. Add help text to your search box input field
36. Set the search result value independent of admin listings
37. Add an All Manufacturers page to Manufacturers infobox
38. Create your custom product listing with individual boxes for each manufacturer
Grill That Checkout Process
39. Make removing products from the cart more intuitive
40. Remove Delivery Address modification from your Shipping page
41. Modify Shipping Method display for Confirmation page
42. Add a sophisticated gift wrapping option to Shipping page
43. Add the option to donate during checkout
44. Personalize your Order Confirmation email
45. Add your customers' email & phone to your Order Confirmation email
46. Add your customers' fax number to your Order Confirmation email
47. Add the products' manufacturers to your Order Confirmation email
48. Add the products' category tree to your Order Confirmation email
Whip Up New Shipping Options
49. Add multiple Flat Rate Shipping Modules
50. Add percentage and base price support to Table Rate
51. Allow Free Postage for free items
52. Limit Flat Rate shipping to a specific top category only
53. Hide Shipping Modules driven by weight
54. Create a Per Item Shipping Module with two price levels
Season Your Payment Modules
55. Hide Payment Modules from public eyes
56. Create dependencies between Shipping and Payment Modules
57. Offer customized payment options for selected customers
Cook Up A Multiple Banner System
58. Set up category driven banners
59. Create rotating banners that link within your own shop
Throw Together Dessert - Extra Treats For You!
60. Display a dynamic shipping table for Table Rate shipping
61. Restructure and Customize your file download module
62. Create a dual website combining Shopping Cart and Showroom features
Beef Up Your Admin
63. Reset date added for products
64. Set an expiry date for products
65. Limit Also Purchased Products selection by date
66. Display full info for customer, delivery and billing address at a glance
67. Highlight orders according to their order status
68. Sort your administration menu configuration box entries
69. Allow entering products in an additional currency


That's it, that's all, there is no more ...

I keep track of errata on the publisher's support site here - so be sure to take a swift look over there before you roll up your sleeves and start your cooking.

I'm very interested to see new ideas come from my recipes; hacking the hack is so much fun as I'm sure you agree. Please share clever modifications you have made to have the code work for YOUR shop! I'd love to hear from you.

Happy cooking!
]]> Thu, 12 Oct 2006 17:01:59 -0700 PLNK1GM82I1PX04BS I'm a Plogger, too! http://www.amazon.com/gp/blog/post/PLNKMCA3U7WGHKN5 Monika Mathé Hi,

what a cool new feature ... give me a sec to familiarize myself with it, and then off I go and post all recipe chapter names from my book Deep Inside osCommerce!
]]> Thu, 12 Oct 2006 05:08:06 -0700 PLNKMCA3U7WGHKN5