antadis/bebeboutik
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge branch 'ticket-13775-PreventHacking'

Browse Source
This commit is contained in:
Marion Muszynski 2017-07-26 11:10:12 +02:00
commit 3525fdc711
6 changed files with 594 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
adm/tabs/AdminImport.php
View File

@ -898,6 +898,7 @@ class AdminImport extends AdminTab
$image->id_product = (int)($product->id);
$image->position = Image::getHighestPosition($product->id) + 1;
$image->cover = (!$key AND !$productHasImages) ? true : false;
$image->legend = self::createMultiLangField($product->name);
if (($fieldError = $image->validateFields(UNFRIENDLY_ERROR, true)) === true AND ($langFieldError = $image->validateFieldsLang(UNFRIENDLY_ERROR, true)) === true AND $image->add())
{
if (!self::copyImg($product->id, $image->id, $url))

225
modules/ant_alerthack/AdminAntAlertHack.php Normal file
View File

@ -0,0 +1,225 @@
<?php
if(!defined('_PS_VERSION_')) {
exit;
}
include_once(_PS_MODULE_DIR_.'/ant_alerthack/models/Suspect.php');
require_once(PS_ADMIN_DIR . '/helpers/HelperFormBootstrap.php');
class AdminAntAlertHack extends AdminTab {
public function postProcess() {
if (Tools::getValue('edit_suspect') && Tools::getValue('id_suspect')) {
$suspect = new Suspect((int)Tools::getValue('id_suspect'));
if(Tools::getValue('state')){
$suspect->is_suspect = Tools::getValue('state');
}
if($suspect->save()){
echo HelperFormBootstrap::displaySuccess($this->l('Suspect has been updated'));
return;
} else {
echo HelperFormBootstrap::displayError($this->l('Error occured while updating Suspect'));
return;
}
} elseif (Tools::isSubmit('update_conf')) {
if(($limit = Tools::getValue('limit')) !== false) {
Configuration::updateValue('ANT_ALERTHACK_LIMIT', (int) $limit);
}
if($time = Tools::getValue('time')) {
Configuration::updateValue('ANT_ALERTHACK_TIME', (int) $time);
}
if($emails = Tools::getValue('emails')) {
Configuration::updateValue('ANT_ALERTHACK_EMAILS', $emails);
}
echo HelperFormBootstrap::displaySuccess($this->l('Configurations has been updated'));
return;
}
}
public function display() {
global $cookie;
$helper = new HelperFormBootstrap();
$helper->_css.= $this->_addCss();
$html = $helper->renderStyle();
$html .= '
<div class="row">
<div class="col-md-12">
<div class="panel">
<div class="panel-title">
<h2 style="font-size:24px;"><span class="anticon anticon-shield text-rose" style="font-size:24px;"></span> Alert Hack</h2>
<div class="clearfix"></div>
</div>
<div class="panel-content">
<div class="row">
<form action="'.$_SERVER['REQUEST_URI'].'" method="post">
<div class="col-sm-4 col-sm-offset-4">';
$input = array(
'type' => 'text',
'label' => $this->l('Emails :'),
'name' => 'emails',
'id' => 'emails',
'required' => true,
'help' => "Emails à alerter (séparés d'une virgule)",
'default' => Configuration::get('ANT_ALERTHACK_EMAILS')
);
$html.= $helper->generateInput($input);
$html.= '<div class="clearfix"></div>';
$input = array(
'type' => 'text',
'label' => $this->l('Temps :'),
'name' => 'time',
'id' => 'time',
'required' => true,
'help' => "Temps en min ex: 5",
'default' => Configuration::get('ANT_ALERTHACK_TIME')
);
$html.= $helper->generateInput($input);
$html.= '<div class="clearfix"></div>';
$input = array(
'type' => 'text',
'label' => $this->l('Limit :'),
'name' => 'limit',
'id' => 'limit',
'required' => true,
'help' => "Nombres de message envoyés dans le temps renseigné",
'default' => Configuration::get('ANT_ALERTHACK_LIMIT')
);
$html.= $helper->generateInput($input);
$html.= '<div class="clearfix"></div>';
$html .='
</div>
<div class="clear"></div>
<div class="ln_solid-small"></div>
<div class="text-right">
<input type="submit" class="btn btn-primary" name="update_conf" value="Enregistrer" />
</div>
</form>
</div>
</div>
</div>
</div>
</div>';
$suspects = Suspect::getSuspects();
$states = Suspect::$states;
$html .= '
<div class="row">
<div class="col-md-12">
<div class="panel">
<div class="panel-title">
<h2 style="font-size:24px;"><span class="anticon anticon-target" style="font-size:24px;"></span> Suspects</h2>
<div class="clearfix"></div>
</div>
<div class="panel-content">
<div class="row">
<div class="col-md-12">
<table class="table table-custombordered" style="width: 100%;">
<thead>
<tr>
<th class="text-left">'.$this->l('ID').'</th>
<th class="text-left">'.$this->l('email').'</th>
<th class="text-left">'.$this->l('id_customer').'</th>
<th class="text-left">'.$this->l('Remote IP').'</th>
<th class="text-center">'.$this->l('Remote Host').'</th>
<th class="text-center">'.$this->l('Condition').'</th>
<th class="text-center">'.$this->l('State').'</th>
<th class="text-center">'.$this->l('Action').'</th>
</tr>
</thead>
<tbody>';
foreach ($suspects as $suspect) {
$html .= '
<tr>
<td class="text-left">'.$suspect['id_suspect'].'</td>
<td class="text-left">'.$suspect['email'].'</td>
<td class="text-left">'.$suspect['id_customer'].'</td>
<td class="text-left">'.$suspect['remote_ip'].'</td>
<td class="text-center">'.$suspect['remote_host'].'</td>
<td class="text-center">'.$suspect['condition'].'</td>
<td class="text-center"><i class="'.$states[(int)$suspect['is_suspect']]['icon'].'"></i> '.$states[(int)$suspect['is_suspect']]['name'].'</td>
<td class="text-center">
<form action="'.$_SERVER['REQUEST_URI'].'&edit_suspect=1" method="post">';
if($suspect['is_suspect'] == 1){
$html .= '
<button type="submit" class="btn btn-sm btn-default">Valider</button>
<input type="hidden" name="state" value="2">';
}elseif($suspect['is_suspect'] == 2){
$html .= '
<button type="submit" class="btn btn-sm btn-default">Bannir</button>
<input type="hidden" name="state" value="1">';
}
$html .='
<input type="hidden" name="id_suspect" value="'.$suspect['id_suspect'].'">
</form>
</td>
</tr>';
}
$html .= '
</tbody>
</table>
</div>
</div>
</div>
</div>
</div>
</div>';
$html .= $helper->renderScript();
echo $html;
}
protected function _addCss()
{
return '
form sup {
color: #CC0000;
font-weight: bold;
vertical-align: sub;
}
#content .bootstrap-datetimepicker-widget tr th {
border-radius :0px !important;
}
.table tr th {
background: #565485;
background: rgba(86,84,133,0.9);
color: #fff;
font-size: 12px;
}
.table tr:nth-child(even) {
background: #F1F1F1;
}
.table>tbody>tr>td,
.table>tbody>tr>th,
.table>tfoot>tr>td,
.table>tfoot>tr>th,
.table>thead>tr>td,
.table>thead>tr>th {
vertical-align: middle;
}
.table .input-group-btn .btn {
padding: 4px 5px;
color: #504d8b;
}
.table .input-group-btn .btn .anticon{
font-size: 12px;
}
.bg-grey{
background: #EFEFEF;
border-radius:4px;
}
.bg-grey .div-title {
border-bottom: 2px solid #504D8B;
}
.div-title i.anticon,
.div-title i.glyphicon,
ul li a{
color:#504d8b;
}
';
}
}

179
modules/ant_alerthack/ant_alerthack.php Normal file
View File

@ -0,0 +1,179 @@
<?php
if (!defined('_PS_VERSION_'))
exit;
include_once(_PS_MODULE_DIR_.'/ant_alerthack/models/Suspect.php');
class Ant_Alerthack extends Module
{
public function __construct()
{
$this->name = 'ant_alerthack';
$this->tab = 'administration';
$this->author = 'Antadis';
$this->version = '1.0';
$this->need_instance = 0;
parent::__construct();
$this->displayName = $this->l('Alert for hacking tentative');
$this->description = $this->l('Alert when someone try to make SQL injection in contact form');
}
public function install()
{
// if (!$this->installDB()){
// return false;
// }
$hooks = array(
'ant_alerthack' => array('Ant Alert Hack', 'Called when someone sends some messages in few minutes'),
'ant_alerthackbefore' => array('Ant Alert Hack Before', 'Called before customer or visitor makes an action'),
);
foreach($hooks as $k => $v) {
if(count(Db::getInstance()->ExecuteS('
SELECT `id_hook`
FROM `'._DB_PREFIX_.'hook`
WHERE `name` = "'.$k.'"
LIMIT 1
')) == 0) {
Db::getInstance()->ExecuteS('
INSERT INTO `'._DB_PREFIX_.'hook`
VALUES (DEFAULT, "'.$k.'", "'.$v[0].'", "'.$v[1].'", 0, 0)
');
}
}
if(!parent::install()
|| !$this->registerHook('ant_alerthack')
|| !$this->registerHook('ant_alerthackbefore')) {
return false;
}
# Set default configuration values
Configuration::updateValue('ANT_ALERTHACK_LIMIT', 5);
Configuration::updateValue('ANT_ALERTHACK_TIME', 1);
Configuration::updateValue('ANT_ALERTHACK_EMAILS', 'marion@antadis.com');
return true;
}
private function installDB()
{
$result = true;
# Add tables
$query = '
CREATE TABLE IF NOT EXISTS `' . _DB_PREFIX_ . 'ant_alerthack_suspect` (
`id_suspect` INTEGER NOT NULL AUTO_INCREMENT,
`id_customer` INTEGER DEFAULT 0,
`email` VARCHAR(128),
`page` VARCHAR(250),
`referrer` VARCHAR(250),
`user_agent` VARCHAR(128),
`remote_host` VARCHAR(255),
`remote_ip` VARCHAR(20),
`condition` VARCHAR(50),
`is_suspect` INTEGER DEFAULT 0,
`date_add` DATETIME NOT NULL,
`date_upd` DATETIME NOT NULL,
PRIMARY KEY(`id_suspect`)
) ENGINE=' . _MYSQL_ENGINE_ . ' DEFAULT CHARSET=utf8
';
$result = Db::getInstance()->Execute($query);
return $result;
}
public function uninstall() {
if(parent::uninstall() == false) {
return false;
}
Configuration::deleteByName('ANT_ALERTHACK_LIMIT');
Configuration::deleteByName('ANT_ALERTHACK_TIME');
Configuration::deleteByName('ANT_ALERTHACK_EMAILS');
return true;
}
public function hookAnt_Alerthackbefore($params) {
global $cookie;
return true;
}
public function hookAnt_Alerthack($params) {
global $cookie;
$min = (int)Configuration::get('ANT_ALERTHACK_TIME');
$count_limit = (int)Configuration::get('ANT_ALERTHACK_LIMIT');
$id_customer = ($params['id_customer']?$params['id_customer']:'');
$count = Db::getInstance()->getValue('
SELECT COUNT(m.`id_customer_message`)
FROM `'._DB_PREFIX_.'customer_message` m
LEFT JOIN `'._DB_PREFIX_.'customer_thread` t ON (t.`id_customer_thread` = m.`id_customer_thread`)
WHERE (
t.`email` = "'.pSQL($params['email']).'"
'.(!empty($id_customer)?' OR t.`id_customer` = '.(int)$id_customer:'').'
)
AND m.`date_add` < NOW() AND m.`date_add` > DATE_SUB(NOW(), INTERVAL '.$min.' MINUTE)
');
if($count >= $count_limit){
$info = array(
'count' => (int)$count,
'time' => (int)$min
);
$this->saveInfo($info, $params['email'], $id_customer);
$emails = Configuration::get('ANT_ALERTHACK_EMAILS');
$to = explode(',', $emails);
$data = array(
'{limit}' => (int)Configuration::get('ANT_ALERTHACK_LIMIT'),
'{time}' => (int)Configuration::get('ANT_ALERTHACK_TIME'),
'{suspect_email}' => $params['email'],
);
foreach ($to as $email) {
Mail::Send((int)$cookie->id_lang, 'ant_alerthack', 'Alert Hack', $data, $to);
}
}
}
public function saveInfo($info, $email, $id_customer = '')
{
$remoteIP = $_SERVER['REMOTE_ADDR'];
if (strstr($remoteIP, ', ')) {
$ips = explode(', ', $remoteIP);
$remoteIP = $ips[0];
}
$page = "https://{$_SERVER['HTTP_HOST']}{$_SERVER['PHP_SELF']}";
$page .= (!empty($_SERVER['QUERY_STRING'])? $_SERVER['QUERY_STRING']:'');
$referrer = $_SERVER['HTTP_REFERER'];
$useragent = $_SERVER['HTTP_USER_AGENT'];
$remotehost = gethostbyaddr($remoteIP);
$is_exist = Db::getInstance()->getRow('
SELECT `id_suspect`
FROM `'._DB_PREFIX_.'ant_alerthack_suspect`
WHERE `email` = "'.pSQL($email).'"
');
if($is_exist){
$suspect = new Suspect((int)$is_exist['id_suspect']);
} else {
$suspect = new Suspect();
}
$suspect->id_customer = (!empty($id_customer)?$id_customer:0);
$suspect->email = pSQL($email);
$suspect->page = pSQL($page);
$suspect->user_agent = pSQL($useragent);
$suspect->remote_host = pSQL($remotehost);
$suspect->remote_ip = pSQL($remoteIP);
$suspect->referrer = pSQL($referrer);
$suspect->is_suspect = 1;
$suspect->condition = pSQL($info['count'].' messages in '.$info['time'].' minutes');
$suspect->save();
}
}

125
modules/ant_alerthack/models/Suspect.php Normal file
View File

@ -0,0 +1,125 @@
<?php
class Suspect extends ObjectModel
{
const VERIFY = 2;
const SUSPECT = 1;
public static $states = array(
0 => array(
'name' => "A vérifier",
'icon' => 'anticon anticon-hour-glass text-orange',
),
1 => array(
'name' => "Suspect",
'icon' => 'anticon anticon-target text-rose',
),
2 => array(
'name' => "Verifié",
'icon' => 'anticon anticon-checkmark text-green-light',
),
);
public $id_suspect;
public $id_customer;
public $email;
public $page;
public $referrer;
public $user_agent;
public $remote_host;
public $remote_ip;
public $condition;
public $is_suspect;
public $date_add;
public $date_upd;
protected $fieldsRequired = array('email');
protected $fieldsValidate = array(
'id_suspect' => 'isUnsignedId',
'id_customer' => 'isUnsignedId',
'email' => 'isEmail',
'page' => 'isString',
'referrer' => 'isString',
'user_agent' => 'isString',
'remote_host' => 'isString',
'remote_ip' => 'isString',
'condition' => 'isString',
'is_suspect' => 'isInt',
'date_add' => 'isDate',
'date_upd' => 'isDate',
);
protected $table = 'ant_alerthack_suspect';
protected $identifier = 'id_suspect';
public function getFields()
{
parent::validateFields();
$fields['id_suspect'] = (int)$this->id_suspect;
$fields['id_customer'] = (int)$this->id_customer;
$fields['email'] = pSQL($this->email);
$fields['page'] = pSQL($this->page);
$fields['referrer'] = pSQL($this->referrer);
$fields['user_agent'] = pSQL($this->user_agent);
$fields['remote_host'] = pSQL($this->remote_host);
$fields['remote_ip'] = pSQL($this->remote_ip);
$fields['condition'] = pSQL($this->condition);
$fields['is_suspect'] = (int)$this->is_suspect;
$fields['date_add'] = pSQL($this->date_add);
$fields['date_upd'] = pSQL($this->date_upd);
return $fields;
}
public function delete()
{
return true;
}
/**
* Get suspects
* @param $states array get only suspects in specific states
* @return Array Groups
*/
public static function getSuspects($states = array(), $where = false)
{
if($where){
return Db::getInstance()->executeS('
SELECT *
FROM `'._DB_PREFIX_.'ant_alerthack_suspect` s
WHERE '.$where.'
');
} else {
return Db::getInstance()->executeS('
SELECT *
FROM `'._DB_PREFIX_.'ant_alerthack_suspect` s
WHERE 1
'.(!empty($states) ? 'AND s.`is_suspect` IN ('.implode(',',$states).')' : '').'
ORDER BY s.date_add DESC
');
}
}
public function save()
{
if (parent::save()) {
return true;
}
}
public static function isBannished($email){
$suspect = Db::getInstance()->getRow('
SELECT `is_suspect`
FROM `'._DB_PREFIX_.'ant_alerthack_suspect`
WHERE `email` = "'.pSQL($email).'"
');
if((int)$suspect['is_suspect'] == 1){
return true;
}
return false;
}
}

46
modules/ant_support_form/support.php
View File

@ -36,6 +36,12 @@ if ($cookie->isLogged()) {
}
if (Tools::isSubmit('submitMessage')) {
$alert_mode = false;
if(Module::isInstalled('ant_alerthack')) {
$alert_mode = true;
include_once dirname(__FILE__).'/../../modules/ant_alerthack/models/Suspect.php';
}
$fileAttachment = NULL;
if (isset($_FILES['fileUpload']['name']) AND !empty($_FILES['fileUpload']['name']) AND !empty($_FILES['fileUpload']['tmp_name']))
{
@ -46,24 +52,40 @@ if (Tools::isSubmit('submitMessage')) {
$fileAttachment['mime'] = $_FILES['fileUpload']['type'];
}
$message = Tools::htmlentitiesUTF8(Tools::getValue('message'));
if (!($from = trim(Tools::getValue('from'))) OR !Validate::isEmail($from))
if (!($from = trim(Tools::getValue('from'))) OR !Validate::isEmail($from)){
$errors[] = Tools::displayError('Invalid e-mail address');
elseif (!($message = nl2br2($message)))
}
elseif ($alert_mode && Suspect::isBannished($from)){
$errors[] = Tools::displayError('Message cannot be sent.');
}
elseif (!($message = nl2br2($message))){
$errors[] = Tools::displayError('Message cannot be blank');
elseif (!Validate::isCleanHtml($message))
}
elseif (!Validate::isCleanHtml($message)){
$errors[] = Tools::displayError('Invalid message');
elseif (!($id_contact = (int)(Tools::getValue('id_contact'))) OR !(Validate::isLoadedObject($contact = new Contact((int)($id_contact), (int)($cookie->id_lang)))))
}
elseif (!($id_contact = (int)(Tools::getValue('id_contact'))) OR !(Validate::isLoadedObject($contact = new Contact((int)($id_contact), (int)($cookie->id_lang))))){
$errors[] = Tools::displayError('Please select a subject on the list.');
elseif (($id_contact = (int)(Tools::getValue('id_contact'))) && $id_contact == 9 && !Tools::getValue('id_reason'))
}
elseif (($id_contact = (int)(Tools::getValue('id_contact'))) && $id_contact == 9 && !Tools::getValue('id_reason')){
$errors[] = Tools::displayError('Please select a reason on the list.');
elseif (($id_contact = (int)(Tools::getValue('id_contact'))) && ($id_contact == 9 || $id_contact == 1 || $id_contact == 2) && !Tools::getValue('id_order'))
}
elseif (($id_contact = (int)(Tools::getValue('id_contact'))) && ($id_contact == 9 || $id_contact == 1 || $id_contact == 2) && !Tools::getValue('id_order')){
$errors[] = Tools::displayError('Please enter/choose an order ID');
elseif (($id_contact = (int)(Tools::getValue('id_contact'))) && $id_contact == 1 && !Tools::getValue('id_products'))
}
elseif (($id_contact = (int)(Tools::getValue('id_contact'))) && $id_contact == 1 && !Tools::getValue('id_products')){
if((int)($cookie->id_customer)){
$errors[] = Tools::displayError('Please choose a product');
elseif (!empty($_FILES['fileUpload']['name']) AND $_FILES['fileUpload']['error'] != 0)
} else {
$errors[] = Tools::displayError('You have to be logged');
}
}
elseif (!empty($_FILES['fileUpload']['name']) AND $_FILES['fileUpload']['error'] != 0){
$errors[] = Tools::displayError('An error occurred during the file upload');
elseif (!empty($_FILES['fileUpload']['name']) AND !in_array(substr($_FILES['fileUpload']['name'], -4), $extension) AND !in_array(substr($_FILES['fileUpload']['name'], -5), $extension))
}
elseif (!empty($_FILES['fileUpload']['name']) AND !in_array(substr($_FILES['fileUpload']['name'], -4), $extension) AND !in_array(substr($_FILES['fileUpload']['name'], -5), $extension)){
$errors[] = Tools::displayError('Bad file extension');
}
else
{
if ((int)($cookie->id_customer))
@ -218,7 +240,11 @@ if (Tools::isSubmit('submitMessage')) {
$errors[] = Tools::displayError('An error occurred while sending message.');
}
// Module::hookExec('ant_alert', array()); // @ToDo - uncomment it
Module::hookExec('ant_alerthack', array(
'email' => $from,
'id_customer' => (isset($customer->id)?$customer->id:false),
'message' => $message
));
if (count($errors) > 1)
array_unique($errors);

34
override/controllers/ContactController.php
View File

@ -3,7 +3,7 @@ class ContactController extends ContactControllerCore {
public function preProcess()
{
parent::preProcess();
FrontController::preProcess();
if (self::$cookie->isLogged())
{
@ -40,6 +40,12 @@ class ContactController extends ContactControllerCore {
if (Tools::isSubmit('submitMessage'))
{
$alert_mode = false;
if(Module::isInstalled('ant_alerthack')) {
$alert_mode = true;
include_once dirname(__FILE__).'/../../modules/ant_alerthack/models/Suspect.php';
}
$fileAttachment = NULL;
if (isset($_FILES['fileUpload']['name']) AND !empty($_FILES['fileUpload']['name']) AND !empty($_FILES['fileUpload']['tmp_name']))
{
@ -50,18 +56,27 @@ class ContactController extends ContactControllerCore {
$fileAttachment['mime'] = $_FILES['fileUpload']['type'];
}
$message = Tools::htmlentitiesUTF8(Tools::getValue('message'));
if (!($from = trim(Tools::getValue('from'))) OR !Validate::isEmail($from))
if (!($from = trim(Tools::getValue('from'))) OR !Validate::isEmail($from)){
$this->errors[] = Tools::displayError('Invalid e-mail address');
elseif (!($message = nl2br2($message)))
}
elseif ($alert_mode AND Suspect::isBannished($from)){
$this->errors[] = Tools::displayError('Message cannot be sent.');
}
elseif (!($message = nl2br2($message))){
$this->errors[] = Tools::displayError('Message cannot be blank');
elseif (!Validate::isCleanHtml($message))
}
elseif (!Validate::isCleanHtml($message)){
$this->errors[] = Tools::displayError('Invalid message');
elseif (!($id_contact = (int)(Tools::getValue('id_contact'))) OR !(Validate::isLoadedObject($contact = new Contact((int)($id_contact), (int)(self::$cookie->id_lang)))))
}
elseif (!($id_contact = (int)(Tools::getValue('id_contact'))) OR !(Validate::isLoadedObject($contact = new Contact((int)($id_contact), (int)(self::$cookie->id_lang))))){
$this->errors[] = Tools::displayError('Please select a subject on the list.');
elseif (!empty($_FILES['fileUpload']['name']) AND $_FILES['fileUpload']['error'] != 0)
}
elseif (!empty($_FILES['fileUpload']['name']) AND $_FILES['fileUpload']['error'] != 0){
$this->errors[] = Tools::displayError('An error occurred during the file upload');
elseif (!empty($_FILES['fileUpload']['name']) AND !in_array(substr($_FILES['fileUpload']['name'], -4), $extension) AND !in_array(substr($_FILES['fileUpload']['name'], -5), $extension))
}
elseif (!empty($_FILES['fileUpload']['name']) AND !in_array(substr($_FILES['fileUpload']['name'], -4), $extension) AND !in_array(substr($_FILES['fileUpload']['name'], -5), $extension)){
$this->errors[] = Tools::displayError('Bad file extension');
}
else
{
if ((int)(self::$cookie->id_customer))
@ -188,6 +203,11 @@ class ContactController extends ContactControllerCore {
}
Module::hookExec('ant_alert', array());
Module::hookExec('ant_alerthack', array(
'email' => $from,
'id_customer' => (isset($customer->id)?$customer->id:false),
'message' => $message
));
if (count($this->errors) > 1)
array_unique($this->errors);