Add to cart not working with jHackGuard from SiteGround

Started by Globacide Solutions, December 30, 2011, 19:42:11 PM

Globacide Solutions

SiteGround automatically installs a plugin called jHackGuard that is supposed to protect your Joomla! site. It is automatically installed and published when using their automatic installer.

This plugin seems to detect weird characters in the Add To Cart button's AJAX request, and return an "Illegal key characters in global data" error, causing the process to stop, and nothing getting added to the cart at all, and no message being displayed.

Simplest way is to disable the jHackGuard plugin altogether, although workarounds might be found.

Thought this might help someone with the same issue, and also alert the dev team, since those weird characters in the URL, caused by a bad and unnecessary (no offense) encoding of the parameters, are not a good technique.

Thank you!
Emilian Manolache
Globacide Solutions
VirtueMart Affiliate

PRO


Milbo

Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Globacide Solutions

It's caused by the encodeURIComponent() JS function, in "components/com_virtuemart/assets/js/vmprices.js", line 43.

It seems the form contains a couple of fields that are "array" values, such as quantity[]. When using form.serialize(), above that line, the square brackets [] are automatically "URL-encoded". When doing the second URL encode, by calling encodeURIComponent, the hex codes for the square brackets get re-encoded, causing an unrecognized parameter (%255B%255D), which jHackGuard considers weird (you can't blame it).

The fix would be to replace the line 43:
$.getJSON(siteurl+'index.php?option=com_virtuemart&nosef=1&view=cart&task=addJS&format=json',encodeURIComponent(datas),

with

$.getJSON(siteurl+'index.php?option=com_virtuemart&nosef=1&view=cart&task=addJS&format=json',datas,

thus passing the serialized form data directly, since it has already been url encoded by the "form.serialize()" function.

The same goes for the same behavior in many other functions throughout VM.
Emilian Manolache
Globacide Solutions
VirtueMart Affiliate
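An added example, not part of the original post or of VirtueMart's or jHackGuard's code: it reproduces the double encoding described above and shows why a server-side filter that validates parameter names would reject the result. The serializeFields helper stands in for form.serialize(), the field name item[] is constructed, and the key allowlist is an assumed rule for illustration, not jHackGuard's actual check.

```javascript
// Hypothetical stand-in for jQuery's form.serialize():
// URL-encodes every field name and value exactly once.
function serializeFields(fields) {
  return fields
    .map(([name, value]) => encodeURIComponent(name) + '=' + encodeURIComponent(value))
    .join('&');
}

// Parse a raw query string the way a server does:
// split on '&' and '=', then decode each part once.
function parseQuery(raw) {
  return raw.split('&').map((pair) => {
    const i = pair.indexOf('=');
    const key = i === -1 ? pair : pair.slice(0, i);
    const value = i === -1 ? '' : pair.slice(i + 1);
    return [decodeURIComponent(key), decodeURIComponent(value)];
  });
}

// Assumed allowlist for parameter names (illustrative only).
const SAFE_KEY = /^[A-Za-z0-9_:\/\-\[\]]+$/;

// Names that a key-character filter using SAFE_KEY would reject.
function illegalKeys(raw) {
  return parseQuery(raw).map(([key]) => key).filter((key) => !SAFE_KEY.test(key));
}

// True when the raw query still carries an encoded '%' followed by
// two hex digits, i.e. an escape sequence that was encoded again.
function isDoubleEncoded(raw) {
  return /%25[0-9A-Fa-f]{2}/.test(raw);
}

// Constructed sample fields; quantity[] is the field named in the post.
const fields = [['quantity[]', '1'], ['item[]', '5']];
const once = serializeFields(fields);   // what form.serialize() yields
const twice = encodeURIComponent(once); // what line 43 passes to $.getJSON

console.log('encoded once :', once);
console.log('encoded twice:', twice);
console.log('rejected keys (once) :', illegalKeys(once));
console.log('rejected keys (twice):', illegalKeys(twice));
console.log('double-encoded?      :', isDoubleEncoded(once), isDoubleEncoded(twice));
```

After the second encoding the separators & and = are escaped too, so the server sees the whole string as a single parameter name containing %, = and & characters.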

Svetlio

Hello,

Indeed, as Mr. Emilian Manolache has explained, the problem is caused by the duplicate usage of the URL encoding function in the components/com_virtuemart/assets/js/vmprices.js file. This functionality encodes already encoded characters and produces unexpected characters in the corresponding query. The jHackGuard plugin recognizes these characters as suspicious and filters them.

Still, we have found other extensions with similar problems.

Thus, in order to make our jHackGuard plugin compatible with more extensions, our Joomla extensions developer has disabled the corresponding check in the last version.

This means that the last version of jHackGuard will work with VirtueMart even without the manual code modifications in the components/com_virtuemart/assets/js/vmprices.js file.

You can download it from the following location:

http://www.siteground.com/joomla-hosting/joomla-extensions/ver1.5/jhack.htm

SiteGround Technical Support Team Member. Check out our special VirtueMart hosting package

Globacide Solutions

Emilian Manolache
Globacide Solutions
VirtueMart Affiliate

McRui

Quote from: Globacide Solutions on December 31, 2011, 00:10:13 AM
It's caused by the encodeURIComponent() JS function, in "components/com_virtuemart/assets/js/vmprices.js", line 43.

It seems the form contains a couple of fields that are "array" values, such as quantity[]. When using form.serialize(), above that line, the square brackets [] are automatically "URL-encoded". When doing the second URL encode, by calling encodeURIComponent, the hex codes for the square brackets get re-encoded, causing an unrecognized parameter (%255B%255D), which jHackGuard considers weird (you can't blame it).

The fix would be to replace the line 43:
$.getJSON(siteurl+'index.php?option=com_virtuemart&nosef=1&view=cart&task=addJS&format=json',encodeURIComponent(datas),

with

$.getJSON(siteurl+'index.php?option=com_virtuemart&nosef=1&view=cart&task=addJS&format=json',datas,

thus passing the serialized form data directly, since it has already been url encoded by the "form.serialize()" function.

The same goes for the same behavior in many other functions throughout VM.


Yes, that's the solution, although there are two lines with the "encodeURIComponent". To make it work, the "encodeURIComponent" must be replaced on both lines. That's how I solved my problem thanks to Globacide Solutions' post. Thank you for the insight!