rxbanditboy1112 Posted May 23, 2007

Alright everyone, I thought my cart system was completely stable. I have rigorously tested this thing, but there seems to be some sort of error. I have gotten 2 blank orders through this thing, and I do not know what is causing it.

This is how the cart works/checks to make sure everything is cool. First of all, if you don't have anything in the cart it will not let you check out and will say you don't have anything in the cart. Next, when you add an item it will add it to the cart. When you click check out it will check if you are a member/signed in; then, after you register or sign in, you can go back and check out. It will confirm your membership again. Then it will take you to an enter payment/shipping information page. When you click submit it will check if you entered the required info; if you have, it will place your address into the database and then ask you to confirm the order, then it will take you to the order receipt page.

Now the one error I can think of is if you refresh the order confirmation page: it will either result in an order being submitted with just your member id (if you are signed in), or it will be completely blank if you aren't signed in. This page removes the order from the cart, which is why a refresh will cause it to be blank. In the future I am going to make an order receipt page to display the order ids, and have the removal just be a processing in-between page. That way people can bookmark their orders....

I would be more concerned with this; however, the blank orders that I am receiving (I eventually was emailed by those people) were from people that signed up and checked out (or so they say), but we just get a blank order rather than the actual one. This isn't thattttt common; however, it does make me concerned.

The website is www.earcandycabs.com; try to sign up and crack it the best you can, I suppose. Don't try to do things an average user wouldn't do, but please do things that you may feel will ruin it. I am fearing that I missed something in the logic. Also, when you submit the order make sure you put "test" in the special instructions. Oh, when you submit an order don't worry, your info can be fake; it is not connected to PayPal or any other gateway. Thanks for the help!!!!
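The refresh problem described in the post above (the confirmation page both stores the order and empties the cart, so a second request submits a blank order) is the classic non-idempotent POST. Below is an added example of how that step can be made safe, written for this thread and not the site's own code. It assumes PHP 7+, a session cart in `$_SESSION['cart']` as product id => quantity, `$_SESSION['member_id']` set at login, and the table layout shown in the `CREATE TABLE` lines; the in-memory SQLite connection stands in for the real database.

```php
<?php
// Added example: place an order exactly once from the confirmation page.
// Assumed layout (not from the original post): orders(id, member_id, instructions),
// order_items(order_id, product_id, qty). The SQLite in-memory DB is a stand-in.
session_start();
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, member_id INTEGER NOT NULL, instructions TEXT)');
$db->exec('CREATE TABLE order_items (order_id INTEGER, product_id INTEGER, qty INTEGER)');

function require_member(): int {
    if (empty($_SESSION['member_id'])) {
        // Not signed in, or the session expired: go to login, never insert a memberless order.
        header('Location: /login.php?return=' . urlencode('/checkout.php'));
        exit;
    }
    return (int) $_SESSION['member_id'];
}

function require_cart(): array {
    if (empty($_SESSION['cart']) || !is_array($_SESSION['cart'])) {
        header('Location: /cart.php?error=empty');   // nothing to order, so nothing to insert
        exit;
    }
    return $_SESSION['cart'];
}

if ($_SERVER['REQUEST_METHOD'] === 'GET') {
    // Render the confirmation form with a one-time token bound to this session.
    require_member();
    require_cart();
    $_SESSION['order_token'] = bin2hex(random_bytes(16));
    // ... cart summary goes here; the form POSTs `token` and `instructions` ...
    echo '<input type="hidden" name="token" value="'
       . htmlspecialchars($_SESSION['order_token']) . '">';
    exit;
}

// POST: every check runs again here; the GET page proves nothing about this request.
$member = require_member();
$cart   = require_cart();

$token = $_POST['token'] ?? '';
if ($token === '' || !isset($_SESSION['order_token']) || !hash_equals($_SESSION['order_token'], $token)) {
    header('Location: /checkout.php?error=expired');  // replayed or stale form
    exit;
}
unset($_SESSION['order_token']);   // consume it: a refresh re-posts the same token and is rejected above

$db->beginTransaction();
try {
    $ins = $db->prepare('INSERT INTO orders (member_id, instructions) VALUES (?, ?)');
    $ins->execute([$member, $_POST['instructions'] ?? '']);
    $orderId = (int) $db->lastInsertId();

    $item = $db->prepare('INSERT INTO order_items (order_id, product_id, qty) VALUES (?, ?, ?)');
    foreach ($cart as $productId => $qty) {
        $item->execute([$orderId, (int) $productId, (int) $qty]);
    }
    $db->commit();                 // header and items land together or not at all
} catch (Throwable $e) {
    $db->rollBack();
    header('Location: /checkout.php?error=failed');
    exit;
}

unset($_SESSION['cart']);          // clear the cart only after the order is durably stored
header('Location: /receipt.php?order=' . $orderId, true, 303);   // POST-redirect-GET: refresh hits the receipt
exit;
```

The 303 redirect is what makes the browser's refresh button harmless: it repeats the GET of the receipt page, not the POST that inserted the order. The token covers the remaining case where the user presses back and resubmits the form, and the member and cart checks on the POST branch are what stop an expired session from producing a blank row.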
rxbanditboy1112 Posted May 23, 2007 (Author)

So I talked to the person who had the error. I guess what happened was not enough login checks. He says he waited a while before he tried to complete the check out. Soooooo what happened was, I think his session may have timed out.... Is there a way to specify how long a session stays active?
Glyde Posted May 23, 2007

php.ini: session.gc_maxlifetime
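`session.gc_maxlifetime` only tells PHP's garbage collector when session data may be discarded; collection runs probabilistically, so a session can outlive that value by a long way. For a definite cut-off the application has to check the age itself. The guard below is an added example for this thread, not the site's code; it assumes PHP 7+, a login page at /login.php that sets `$_SESSION['member_id']` and `$_SESSION['last_seen']`, and a 30-minute idle limit (all assumed values).

```php
<?php
// Added example: application-level idle timeout for pages that need a signed-in member.
// IDLE_LIMIT, /login.php and the session keys are assumptions, not from the thread.
const IDLE_LIMIT = 30 * 60;

// The php.ini setting from the reply above, applied for these pages; it is a lower bound
// on how long data survives, not a guarantee that it expires on time.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
ini_set('session.cookie_httponly', '1');   // keep the session cookie away from page scripts
session_start();

// True only when a member is signed in and has been seen within the limit.
function session_is_live(array $session, int $now, int $limit): bool {
    return !empty($session['member_id'])
        && isset($session['last_seen'])
        && ($now - (int) $session['last_seen']) <= $limit;
}

if (!session_is_live($_SESSION, time(), IDLE_LIMIT)) {
    // Expired, or never signed in: throw the session away and return to login, carrying
    // the return path so the member lands back on checkout, not on a form with no id.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php?return=' . urlencode($_SERVER['REQUEST_URI']), true, 302);
    exit;
}
$_SESSION['last_seen'] = time();   // refreshed on every request: an idle timeout, not an absolute one
```

One trade-off to be aware of: if the cart lives in the session, destroying the session on timeout loses the cart as well, which is the situation the poster's customer ran into. Keeping the cart in the database keyed by member id lets the member log back in and continue where they left off.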
agentsteal Posted June 13, 2007

Full Path Disclosure: http://www.earcandycabs.com/articles.php?req=read

Warning: extract() [function.extract]: First argument should be an array in /home/earcand/public_html/articles.php on line 18
Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 11 in /home/earcand/public_html/articles.php on line 21
Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 12 in /home/earcand/public_html/articles.php on line 23

User Enumeration: http://www.earcandycabs.com/~earcand
User Enumeration: http://www.earcandycabs.com/~root
d.shankar Posted September 26, 2007

> User Enumeration: http://www.earcandycabs.com/~earcand

User Enumeration?? What does that mean, agentsteal??? Is that an attack?
rarebit Posted September 26, 2007

Dunno, however it gives the username away for the account, allowing for a targeted brute force on the password. This is generally the same for the FTP account also... it's the little details which make life more pleasant!
d.shankar Posted September 26, 2007

Oh cool.. Are there any examples of such attacks on the web, to gain more info regarding it?
rarebit Posted September 26, 2007

What, info on a brute force password attack? I think it's in the name! Or are you after info on how to protect against it?
d.shankar Posted September 26, 2007

Yea, I need to protect against it. I know using CAPTCHA we can deny it; do you have any other ideas?
rarebit Posted September 26, 2007

Do you use image verification at login? Here I use frequency checking; future features are to use overall ratios and not just x tries in time, but fails/bans are obvious in my frequency logs.
d.shankar Posted September 27, 2007

Image verification is nothing but CAPTCHA... Rarebit
xylex Posted September 30, 2007

You're vulnerable to SQL injection all over your website, including the login, so brute forcing isn't even necessary. I would recommend patching that part up ASAP.
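The two points made in this thread about the login, rarebit's "x tries in time" frequency check and xylex's warning that the login query is injectable, fit in one example. The code below is added for this thread and is not the site's code; it uses an in-memory SQLite database through PDO so it runs stand-alone, and the table names, the `earcand` test account, the 5 failures per 15 minutes threshold and the IP address are all constructed for the demonstration. It also shows that hashing the stored password does not help against injection, because the attacker can UNION in a hash they chose.

```php
<?php
// Added example: injectable login vs. parameterized login, plus a failure counter.
// Everything below (tables, account, thresholds, IP) is constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
$db->exec('CREATE TABLE login_failures (username TEXT, ip TEXT, at INTEGER)');
$db->prepare('INSERT INTO members (username, pw_hash) VALUES (?, ?)')
   ->execute(['earcand', password_hash('correct horse', PASSWORD_DEFAULT)]);

// VULNERABLE: the username is spliced into the SQL text, the 2007 mysql_query() pattern.
function login_vulnerable(PDO $db, string $user, string $pass): bool {
    $hash = $db->query("SELECT pw_hash FROM members WHERE username = '$user'")->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

// FIXED: a placeholder keeps the username as data whatever characters it contains.
function login_safe(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT pw_hash FROM members WHERE username = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($pass, $hash);
}

const MAX_TRIES = 5;        // assumed threshold
const WINDOW    = 15 * 60;  // assumed window, seconds

// "x tries in time": count recent failures for this account from this address.
function too_many_failures(PDO $db, string $user, string $ip, int $now): bool {
    $st = $db->prepare('SELECT COUNT(*) FROM login_failures WHERE username = ? AND ip = ? AND at > ?');
    $st->execute([$user, $ip, $now - WINDOW]);
    return (int) $st->fetchColumn() >= MAX_TRIES;
}

function attempt_login(PDO $db, string $user, string $pass, string $ip, int $now): string {
    if (too_many_failures($db, $user, $ip, $now)) {
        return 'locked';   // refused before the password is even evaluated
    }
    if (login_safe($db, $user, $pass)) {
        $db->prepare('DELETE FROM login_failures WHERE username = ? AND ip = ?')->execute([$user, $ip]);
        return 'ok';
    }
    $db->prepare('INSERT INTO login_failures (username, ip, at) VALUES (?, ?, ?)')
       ->execute([$user, $ip, $now]);
    return 'bad';
}

// 1. Injection: the attacker supplies a hash of a password they know; the UNION row is
//    what fetchColumn() returns, so the vulnerable function verifies against it.
$attackerHash = password_hash('letmein', PASSWORD_DEFAULT);   // bcrypt output has no quotes
$payload = "' UNION SELECT '$attackerHash' --";
var_dump(login_vulnerable($db, $payload, 'letmein'));   // bool(true): signed in without the real password
var_dump(login_safe($db, $payload, 'letmein'));         // bool(false): no such username

// 2. Frequency check: five wrong guesses, then the account/IP pair is locked for the window,
//    and even the right password is refused until it passes.
$now = time();
for ($i = 0; $i < 6; $i++) {
    echo attempt_login($db, 'earcand', 'wrong', '203.0.113.9', $now + $i), "\n";   // bad x5, then locked
}
echo attempt_login($db, 'earcand', 'correct horse', '203.0.113.9', $now + 6), "\n";      // locked
echo attempt_login($db, 'earcand', 'correct horse', '203.0.113.9', $now + WINDOW + 7), "\n"; // ok
```

Counting failures per username as well as per IP is deliberate: a single address guessing many accounts and many addresses guessing one account both trip it. Keying only on the IP lets a distributed guesser through, keying only on the username lets anyone lock a victim out, so the pair plus a short window is the usual compromise, with a CAPTCHA after the first few failures as the next layer.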