betagirl
asked on
urgent - osCommerce suddenly throwing errors - not sure if hacked
Hello - I have started receiving a variety of random errors (they seem random to me) that are intermittent - do not always occur - and often clear upon one or more page refreshes. I've listed some below:
########### ERRORS ##########################
Warning: Unexpected character in input: ' in /usr/local/apache/htdocs/catalog/includes/functions/general.php on line 54
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/apache/htdocs/catalog/includes/functions/general.php:54) in /usr/local/apache/htdocs/catalog/includes/functions/general.php on line 1326
Fatal error: Unknown function: àéG@ÂF() in /usr/local/apache/htdocs/catalog/includes/languages/english.php on line 191
Warning: Cannot modify header information - headers already sent by (output started at /usr/local/apache/htdocs/catalog/includes/functions/general.php:54) in /usr/local/apache/htdocs/catalog/includes/functions/general.php on line 1326
Warning: session_start(): Cannot send session cache limiter - headers already sent (output started at /usr/local/apache/htdocs/catalog/includes/functions/general.php:54) in /usr/local/apache/htdocs/catalog/includes/functions/sessions.php on line 128
Warning: main(pub/): failed to open stream: No such file or directory in /usr/local/apache/htdocs/catalog/admin/includes/application_top.php on line 44
Fatal error: main(): Failed opening required 'pub/' (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/catalog/admin/includes/application_top.php on line 44
Fatal error: main(): Failed opening required 'tep_db_nufilenames.php' (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/catalog/includes/application_top.php on line 57
Warning: main(type): failed to open stream: No such file or directory in /usr/local/apache/htdocs/catalog/includes/application_top.php on line 57
Fatal error: main(): Failed opening required 'type' (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/catalog/includes/application_top.php on line 57
Fatal error: main(): Failed opening required 'messageStfilenames.php' (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/catalog/includes/application_top.php on line 57
########################
Here are the "offending" lines of code in the pages mentioned in the errors - all seems OK to me and no changes had been made to these files, prior to receiving the errors:
includes/functions/general.php on line 54:
if ($protected == true) {
includes/functions/general.php on line 1326:
setcookie($name, $value, $expire, $path, (tep_not_null($domain) ? $domain : ''), $secure);
includes/functions/sessions.php on line 128:
return session_start();
includes/application_top.php on line 44:
//$request_type = (getenv('SERVER_PORT') == '443') ? 'SSL' : 'NONSSL';
includes/application_top.php on line 57:
require(DIR_WS_INCLUDES . 'filenames.php');
-------------------------
I'm really quite baffled and not sure of where to look - particularly at the errors like this one:
Fatal error: main(): Failed opening required 'messageStfilenames.php' (include_path='.:/usr/local/lib/php') in /usr/local/apache/htdocs/catalog/includes/application_top.php on line 57
It seems some random string is getting prepended to the require('filenames.php') and I have no idea how.
Thanks in advance for any assistance!
ASKER
That's the problem - register_globals needs to be on for this app to work and there is a considerable amount of code in this open source software, so I'm unsure of where to specifically begin in shoring up the initialization of vars. I'm hoping someone with considerable experience with osCommerce might have experienced something similar and have a fix.
Thanks so much for your help!
You're welcome, hope you're able to resolve this problem soon...
ASKER
TeRReF - a follow up question - you wrote:
"Which means that script kiddies can assign values to certain vars by passing them via GET or POST. "
I'm trying to imagine how this is being accomplished - specifically so that it is completely random. I've been testing the site all day long and there is no consistent pattern to the errors - no specific actions that bring them on. Often I can cruise through the store and after 20 clicks or more, still no error. Close the browser, start again, and then an error pops after just a click or two. Is there possibly a rogue script that has been placed on the server? Any ideas as to how I could locate it? I just took a look through all the files in the directory for the store (including admin) to look for new/changed files based on timestamp - but I'm not finding anything out of order.
I appreciate any further assistance with this. I'm not finding anything online that is helpful, which kind of surprises me given the number of osCommerce installations out there. I'm not sure what I'm missing but I'd really like to get this sorted out for my client.
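The follow-up above looks for planted files by timestamp, which is the weakest signal available: an intruder can reset mtimes with touch. The script below is an added example, not osCommerce code and not part of the original thread. It hashes every file under a web root, saves the result as a baseline manifest, and later reports files whose contents changed, appeared or disappeared regardless of their timestamps. The manifest format, the file names and the `$argv` handling are assumptions of this example; the baseline should come from a copy you trust (a fresh download of the same osCommerce version, or a backup taken before the errors started), and configuration files such as includes/configure.php will legitimately differ from a pristine download.

```php
<?php
// Added example, not osCommerce code: compares the current contents of a
// web root against a baseline manifest of SHA-256 hashes, so that modified,
// added and deleted files are found even when an intruder has reset
// timestamps. Paths and the manifest format are assumptions of this example.

// Build a manifest: relative path => sha256 of file contents.
function build_manifest($root)
{
    $root = rtrim($root, '/');
    $manifest = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $manifest[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

// Compare a baseline manifest with a current one and report differences.
function diff_manifests(array $baseline, array $current)
{
    $report = array('modified' => array(), 'added' => array(), 'deleted' => array());
    foreach ($current as $path => $hash) {
        if (!isset($baseline[$path])) {
            // Present now, absent in the baseline: a new file (e.g. a dropped web shell).
            $report['added'][] = $path;
        } elseif ($baseline[$path] !== $hash) {
            // Same path, different contents: an edited file, whatever its mtime says.
            $report['modified'][] = $path;
        }
    }
    foreach ($baseline as $path => $hash) {
        if (!isset($current[$path])) {
            $report['deleted'][] = $path;
        }
    }
    return $report;
}

// Command-line usage (hypothetical file name integrity.php):
//   php integrity.php save  /path/to/known-good/catalog baseline.json
//   php integrity.php check /usr/local/apache/htdocs/catalog baseline.json
if (PHP_SAPI === 'cli' && isset($argv[3])) {
    list(, $action, $root, $manifestFile) = $argv;
    if ($action === 'save') {
        file_put_contents($manifestFile, json_encode(build_manifest($root)));
        echo "saved manifest for $root\n";
    } elseif ($action === 'check') {
        $baseline = json_decode(file_get_contents($manifestFile), true);
        $report = diff_manifests($baseline, build_manifest($root));
        foreach ($report as $kind => $paths) {
            foreach ($paths as $p) {
                echo "$kind\t$p\n";
            }
        }
    }
}
```

Run the check from a shell account rather than through the web server, and keep the baseline manifest outside the web root so a compromised site cannot rewrite it. Any PHP file reported as added under directories that should hold only images or templates deserves a look first.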
ASKER CERTIFIED SOLUTION
You should either turn register_globals off, or initialize your vars properly. Be aware, turning register_globals off might stop the application from working at all (some rewriting will be necessary...
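The advice above has two halves: turn register_globals off in php.ini, or make sure every variable is assigned before it is read so a request parameter cannot supply it. The code below is an added example, not osCommerce code and not part of the original answer. It emulates what register_globals did (every request key became a PHP variable) to show how an uninitialised flag and an include name become attacker-controlled, then shows the same logic written so that request data is read explicitly and checked against a whitelist. The variable names, the constant DIR_WS_INCLUDES and the whitelist contents are assumptions of this example; they only mirror the shape of the code quoted in the question.

```php
<?php
// Added example, not osCommerce code. Shows why an uninitialised variable
// becomes attacker-controlled under register_globals=On, and the fix.
// $protected, $include_file, DIR_WS_INCLUDES and the whitelist below are
// assumptions of this example.

define('DIR_WS_INCLUDES', 'includes/');

// --- Vulnerable pattern -------------------------------------------------
// With register_globals=On, a request such as
//   GET /catalog/index.php?protected=1&include_file=../../etc/passwd
// silently created $protected and $include_file before this code ran.
function vulnerable_page(array $request)
{
    // Emulate register_globals: every request key becomes a local variable.
    extract($request, EXTR_OVERWRITE);

    // $protected was never initialised on this code path, so whoever sends
    // the request decides whether the "protected" branch is taken.
    if (isset($protected) && $protected == true) {
        $mode = 'admin';
    } else {
        $mode = 'guest';
    }

    // $include_file is likewise request-controlled and flows into the
    // path that would be handed to require().
    $name = isset($include_file) ? $include_file : 'filenames.php';
    return array('mode' => $mode, 'path' => DIR_WS_INCLUDES . $name);
}

// --- Hardened pattern ---------------------------------------------------
function hardened_page(array $get)
{
    // Initialise every variable the code path depends on before any use,
    // so register_globals has nothing left to fill in.
    $protected = false;
    $include_file = 'filenames.php';

    // Read request data only through $_GET/$_POST (here passed in as $get)
    // and accept only known values. Strict in_array() also rejects arrays
    // sent as page[]=... .
    $allowed = array('filenames.php', 'database_tables.php');
    if (isset($get['page']) && in_array($get['page'], $allowed, true)) {
        $include_file = $get['page'];
    }
    // $protected is deliberately not readable from the request at all.

    $mode = $protected ? 'admin' : 'guest';
    return array('mode' => $mode, 'path' => DIR_WS_INCLUDES . $include_file);
}

// Constructed request standing in for a hostile query string.
$hostile = array('protected' => '1', 'include_file' => '../../etc/passwd');

$v = vulnerable_page($hostile);
echo "register_globals style: mode={$v['mode']} path={$v['path']}\n";

$h = hardened_page($hostile);
echo "hardened: mode={$h['mode']} path={$h['path']}\n";
```

The php.ini half of the fix is `register_globals = Off` (the directive was deprecated in PHP 5.3 and removed in 5.4, so it cannot be enabled on current releases). Until the application has been audited so that it no longer depends on it, the initialisation discipline in `hardened_page()` is what keeps a request parameter from standing in for a variable the code forgot to set.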