Shopping Cart Software Forum for Ecommerce Templates
 
 New Error Popping up since last week - cookies?

Graham Slaughter
Ecommerce Template Expert

814 Posts

Posted - 11/12/2018 :  07:51:29  
Hey Guys,

Last Friday I started to see errors come in with this specific line as the error line:
incfunctions.asp

elseif trim(request.cookies("WRITECLL")&"")<>"" then


This, of course, falls in this chunk of code:

if enableclientlogin then
if SESSION("clientID")<>"" then



Here is an example of this recently:

Error Type:

(0x80004005)
/vsadmin/inc/incfunctions.asp, line 1658


Browser Type:
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

Page:
POST 42 bytes to /cart.asp


POST Data:
optn0x0=1&optn0x1=11670&id=7.2102&mode=add


Time:
Monday, November 12, 2018, 10:35:59 AM
Requested Resource


I haven't made any updates to the code that would be doing this. I'm in the middle of upgrading to the most current version of the software and I see incfunctions.asp still uses that exact line, so I imagine it's affecting other folks too.

I don't suppose anyone else is careful to watch what 500 errors pop up on their servers and have noticed the same thing?

Any ideas on what could possibly be causing this?

- Graham Slaughter

Edited by - Graham Slaughter on 11/12/2018 07:54:36

Andy
ECT Moderator

95440 Posts

Posted - 11/12/2018 :  08:18:49  
Hi Graham

I haven't seen any reports of problems. Is the site now fully updated and, if so, do you still get a problem?

Andy

Please feel free to review / rate our software

Graham Slaughter
Ecommerce Template Expert

814 Posts

Posted - 11/12/2018 :  08:24:20  
We are going to be getting the sites updated to current in the next few weeks. I only ask now because it looks like the underlying code isn't different in newer versions from what we are on now.

I'm honestly more curious to see if anyone else is seeing this than anything else. I mean ... I can't reproduce the error, so it's kinda hard to impossible right now.

- Graham Slaughter

Andy
ECT Moderator

95440 Posts

Posted - 11/12/2018 :  09:53:18  
I'll keep an eye out for reports but it's definitely not something I've seen here.

Andy


Graham Slaughter
Ecommerce Template Expert

814 Posts

Posted - 11/12/2018 :  14:18:50  
I've had it pop up about 40+ times today alone. It appears to be specific to a user in that I'll see the error pop up 4 or 5 times within a minute or 2 and those errors will all have the same IP address before the user (presumably) gives up and leaves the website.

I can't help but wonder if it's compromised browsers perhaps feeding illegitimate cookies back to the server? I mean, as far as I can tell it happens at the FIRST place that a cookie is requested in the code.
If that is the case, there's nothing I can do to mitigate the error as there are multiple places cookies are requested ... heck. I surely can't be the only person this is happening to. Is there anyone else who actually watches and reads the 500 errors that pop up on their websites?

- Graham Slaughter



Graham Slaughter
Ecommerce Template Expert

814 Posts

Posted - 11/13/2018 :  09:06:35  
So far today I've only had a few instances of it. Interestingly enough, for the first time, it showed up on a different line. Not surprisingly it is on a cookies line again:
elseif request.cookies("ectcartcookie")<>"" then


This line is inside this function in incfunctions.asp
function getsessionid()


If anyone else sees these, please let us know!

- Graham Slaughter

dbdave
ECT Moderator

USA
10242 Posts

Posted - 11/13/2018 :  09:43:44  
Is this in the server logs that you see the error, or the browser?
If browser, is it customer side, or admin?

David

Graham Slaughter
Ecommerce Template Expert

814 Posts

Posted - 11/13/2018 :  11:20:25  
Hey Dave,

I actually created an error page that appears when a customer hits an error.
Basically, it must be an error that would otherwise hit a user's browser. Instead, it shows them the custom error page and sends me an email. That way they don't see the error details which would otherwise be a compromising risk.

It is incredibly useful because the email it sends me contains data on the error. This allows me to see quickly if I break something even if I didn't personally run into the error.

I'd be happy to share the code with you if you'd like.

- Graham Slaughter

Edited by - Graham Slaughter on 11/13/2018 11:28:09

Graham Slaughter
Ecommerce Template Expert

814 Posts

Posted - 11/13/2018 :  13:45:22  
So the error finally happened to us so that I could track it down. Apparently, it was related to our livechat software we use. It was just updated recently and before the error started (imagine that). Anyone who used it to talk to us could no longer browse the website until they cleared their cookies. YIKES! I'm guessing the request.cookies("") in ASP simply receives ALL of the cookies and something about the one their software was writing just kinda broke the heck out of ASP in IIS.

Glad to get to the bottom of it. Thanks all who read this post.

- Graham Slaughter

stevep
Advanced Member

USA
182 Posts

Pre-sales questions only

Posted - 08/14/2019 :  07:51:55  
I'm getting a PCI scan failure related to ectcartcookie, here is the "evidence" from Trustwave:
Cookie Name - ectcartcookie
Cookie value - ny2o8qbc5ee7pt8mof3dwjiw3v
Cookie secure flag - false
Description - The website software running on this server appears to be setting session cookies without the Secure flag set over HTTPS connections. This means the session identifier information in these cookies would be transmitted even over unencrypted HTTP connections, which might make them susceptible to interception and tampering.
Remediation - Contact the vendor of this web application and request the Secure flag be set on session cookies transmitted over HTTPS.

Please let me know if this is a known issue or what the solution might be - forum search did not reveal much.

Thank you,
Steve

1818charlie
ECT Moderator

United Kingdom
1177 Posts

Posted - 08/14/2019 :  07:58:31  
There is a mention of the Secure Flag from Vince in this updater post from 5th August for the ECT version 7.1.3
quote:
Cart Cookies
The cart cookie now uses the "Secure" flag when on HTTPS.

https://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID=111898

Steve
Manchester, UK.

Edited by - 1818charlie on 08/14/2019 08:00:42

stevep
Advanced Member

USA
182 Posts

Pre-sales questions only

Posted - 08/14/2019 :  09:30:54  
Great catch, thank you. I'm running 7.0.5, will update.
Steve

insight
ECT Moderator

USA
4476 Posts

Posted - 08/14/2019 :  11:43:29  
The update to 7.1.3 will take care of it. It's something we identified with a client a few weeks back and ECT jumped right on it and issued an update for us. Scans came back clean after that.

Peter


Professional ecommerce web hosting services
Shared hosting Windows & Linux | Dedicated servers | Domains | SSL
Ecommerce Templates specialists since 2003
https://servelink.com

stevep
Advanced Member

USA
182 Posts

Pre-sales questions only

Posted - 08/14/2019 :  12:30:23  
It didn't - and the update caused my responsive slider to break (addressing that on different topic). So I still have this problem, plus another.
Steve

stevep
Advanced Member

USA
182 Posts

Pre-sales questions only

Posted - 08/21/2019 :  09:41:10  
I still need assistance with this - PCI scan failing due to ectcartcookie, value jexcuzutuxcl12zrqukmfu9kqv, cookie secure flag false. I've tried everything I can think of to troubleshoot it, and if not corrected by 9/5 could lose compliance.
Steve

Vince
Administrator

42425 Posts

Posted - 08/21/2019 :  10:14:07  
Hi Stevep
I would say that this could be either because the 7.1.3 updater wasn't applied fully, or because your site is not actually on HTTPS. In either case though, I think you can raise this as a false positive by saying...
"No sensitive or cardholder data is held using the session cookie".

Vince


insight
ECT Moderator

USA
4476 Posts

Posted - 08/21/2019 :  10:31:20  
I'd be inclined to suggest the former of those two. As mentioned earlier, we went through this with a client a while back; it was kindly fixed for us by ECT in version 7.1.3 and the scanner (also Trustwave) seems happy with what they find now.

Peter



Vince
Administrator

42425 Posts

Posted - 08/21/2019 :  12:41:14  
Hi Steve
Sorry about this but servelink.com have just pointed out to me that the changes didn't make it into the ASP updater as the customer in question was using the PHP version. I've done that now so if you get a new copy of the updater and copy the incfunctions.asp script to your site it should hopefully scan ok.

Vince


stevep
Advanced Member

USA
182 Posts

Pre-sales questions only

Posted - 08/22/2019 :  07:07:49  
I'll try the updater again - though I am sure I got the updated successfully message, and when I log into the admin panel it reflects v7.1.3. Maybe I didn't get all the files copied, which raises a question: could problems be caused by files that are no longer used and therefore not overwritten?

(wrote this before seeing latest Vince message, will follow that instruction).

Thank you,
Steve

Edited by - stevep on 08/22/2019 07:09:15

stevep
Advanced Member

USA
182 Posts

Pre-sales questions only

Posted - 08/22/2019 :  12:31:45  
Instructions for custompayproc are incomplete and conflict with prior instructions. I have deleted old versions from vsadmin/inc folder, which then makes it match the updater in number of files and total size.

vsadmin/inc/incfunctions.asp update version is uploaded. I was very careful with the update, and did get success message. Errors are exactly the same as before, and "evidence" tab shows site url including https:// so I don't see that as an issue.

Point I made about old files existing from prior versions not addressed, let me know if that might cause scan failure.

Wits end - will dispute it, hopefully they accept and I don't have to deal with it every month when they scan.

Thank you,
Steve

Vince
Administrator

42425 Posts

Posted - 08/22/2019 :  13:01:33  
Hi Steve
quote:
Point I made about old files existing from prior versions not addressed, let me know if that might cause scan failure.
The only two files that won't be updated by the updater (apart from your database connection and the includes.asp file with your site settings) are the customppsend.asp and customppreturn.asp files. But these should only have been changed if you had a custom payment provider set up. But as it seems you don't anyway, updating them from the versions in the updater was a good idea.

Vince
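
Added example, not part of any post above and not ECT code: a check of a captured response for the condition Trustwave reported on ectcartcookie, separating the two causes Vince suggests (site not on HTTPS, or the fix not present in the deployed script). The header blocks are constructed samples and the function names are this example's own.

```python
# Constructed sample headers (values are made up), as a response to an
# https:// request might look before and after the fix reaches the site.
BEFORE = """HTTP/1.1 200 OK
Set-Cookie: ectcartcookie=constructedvalue0001; path=/
Set-Cookie: pref=1; path=/; SECURE
"""
AFTER = """HTTP/1.1 200 OK
Set-Cookie: ectcartcookie=constructedvalue0002; path=/; Secure
Set-Cookie: pref=secure; path=/
"""


def parse_set_cookie(value):
    """Return (cookie name, set of lower-cased attribute names)."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Only attribute names after the first ';' count, so a cookie whose
    # value is the word "secure" is not mistaken for the flag.
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def cookies_in(raw_headers):
    """Map each cookie set in a raw header block to its attribute names."""
    found = {}
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == "set-cookie":
            name, attrs = parse_set_cookie(value)
            found[name] = attrs
    return found


def missing_secure(raw_headers):
    """Names of cookies set without the Secure attribute, in header order."""
    return [n for n, a in cookies_in(raw_headers).items() if "secure" not in a]


def diagnose(scheme, raw_headers, cookie="ectcartcookie"):
    """Classify one captured response for the cookie the scanner reported."""
    if scheme.lower() != "https":
        return "not-https"        # flag is only expected on HTTPS responses
    cookies = cookies_in(raw_headers)
    if cookie not in cookies:
        return "cookie-not-set"   # capture a page that actually sets it
    return "ok" if "secure" in cookies[cookie] else "secure-missing"


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, diagnose("https", raw), missing_secure(raw))
```

Run against headers saved from the live site after copying the new incfunctions.asp, a result of secure-missing on an https:// URL points at the deployed script rather than at the scanner.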

Shopping Cart Software Forum for Ecommerce Templates © 2002-2022 ecommercetemplates.com