[FREE MODULE] Simple Security

[metacreo]

Anti-Spam, Anti-Bot, Anti-Brute-Force, Block Unwanted Bot and Spammer Traffic

The module allows you to protect registration and login forms from bots. Limit the number of login and registration attempts.
Module protect and limits the use of contact form, newsletter registration form and modules 'productcomments', 'iqitreviews'.
Also, the module detects and ban more than 90% of the simplest bots.
It is possible to manually block an IP and Email addresses, as well as exclude blocking.
The module keeps a log of connection attempts and a log of entered data.

After install, module creates 2 tabs in BO Customers tab.

SS Triggers - phrases and words for contact form and 'productcomments', 'iqitreviews' modules (empty table after install and create own list).
SS Actions - attempts log table with controls (view, edit, delete).

Developed for 8.X but may work with 1.7.8+ (Reported: works on 1.7.8.3)
The module will NOT work with versions below 1.7.8.3, perhaps in the future...

 

Download simplesecurity.zip (Always latest version.)

~=DONATIONS ARE WELCOME=~

About updates please read this topic.

Edited September 24 by metacreo (see edit history)

[metacreo]

Module updated.

Fixed AdminSimpleSecurityActionController search filters.

Also fixed registration bug. 🙂

Edited January 11 by metacreo (see edit history)

[vietnamdulich]

Have anyone take tests with this ?

[metacreo]

Module upgrade.

Added support for newsletter registration (check bot, limit attempts).

[torbho]

The module is indeed excellent and appears to function well. Thank you!

However, I'm concerned about the security implications of storing passwords in plain text, especially for non-bot users.

As a solution, I've modified it to store passwords as hashed values, aligning with data protection regulations.

In this case my Prestashop version is 1.7.8.3

[metacreo]

Thank you.
What hashes mechanism you want use (md5, sha, etc....)? I can add variable like

protected $pwd_use_clear_text = 0;

and rewrite passwords to use hashes by default for non-bots.

[Antti]

I installed this yesterday to my store and already it has blocked over 30 spam accounts from registering - so thank you for solving my problem with this module! However, I too am a little concerned about the passwords showing in plain text. Hopefully this can be resolved with the next update - keep up the great work and thanks again!

[metacreo]

Thank you Antti.
Module updated. New version 1.0.2
Added configuration page.
Added hash passwords option (on config page you may choose how to keep passwords).
For new install no need any action. For update you need to go to module config page and enter values.

Thanks All for donation.

Edited February 22 by metacreo (see edit history)

[Antti]

What should the values be? The module now blocks even real accounts, including my own....😅 so I had to switch it off temporarily.

[metacreo]

37 minutes ago, Antti said:

What should the values be? The module now blocks even real accounts, including my own....😅 so I had to switch it off temporarily.

by default:
all warn 3
all ban 5

Edited February 22 by metacreo (see edit history)

[metacreo]

Upgraded. Actual version 1.0.3.
Fixed update issues. Now no need additional actions on update. Config must be filled with default values by default on update and on install.
Added function checkConfig for each action.
Added small description in module config. Warn - count attempts to before warning, Ban - count attempts to before ban.
Warn values (default 3) must be always less than Ban values (default 5).

simplesecurity.zip   <-  download v 1.0.3 from topic start

On 2/22/2024 at 4:10 PM, Antti said:

What should the values be? The module now blocks even real accounts, including my own....😅 so I had to switch it off temporarily.

In your case you can just uninstall and install. config fill auto on install. in new version on update too.

Edited September 24 by metacreo (see edit history)

[Antti]

2 hours ago, metacreo said:

Upgraded. Actual version 1.0.3.
Fixed update issues. Now no need additional actions on update. Config must be filled with default values by default on update and on install.
Added function checkConfig for each action.
Added small description in module config. Warn - count attempts to before warning, Ban - count attempts to before ban.
Warn values (default 3) must be always less than Ban values (default 5).

simplesecurity.zip   <-  download v 1.0.3

In your case you can just uninstall and install. config fill auto on install. in new version on update too.

Great, thank you again! 🙏

[metacreo]

Updated to v 1.0.4

Small improve contact form checks.

Convert all chars in Simple Security Triggers to lowercase.
Automatic conversion to lowercase during checks and addition to table.

simplesecurity.zip   <-  download v 1.0.4 from start of topic

Edited September 24 by metacreo (see edit history)

[metacreo]

Module updated. No version up. Same version 1.0.4.

Small fix in contact form checker. Fixed error if customer sent empty email.

Also processing form access counter if email is empty.

[joe ramires]

I can't install it on 1.7.8.8

Installation of the simplesecurity module failed. Your module version is not compatible with your PrestaShop version.

 

Edited March 19 by joe ramires (see edit history)

[metacreo]

10 hours ago, joe ramires said:

I can't install it on 1.7.8.8

Installation of the simplesecurity module failed. Your module version is not compatible with your PrestaShop version.

 

Hi joe ramires. You can try to install again. I downgraded PS version requirements to 1.7.8.3.

[joe ramires]

Everything works normally now. Thank you.

[chrono]

Hi, is it possible to downgrade the requirements for the 1.7.6.5 version?

Edit: I checked my bo after trying to install earlier and now i have SS Trigger and Action which gives error 500 everytime i try to click
Can you tell me whats the best way to get rid off any leftovers?

Edited April 8 by chrono (see edit history)

[metacreo]

On 4/8/2024 at 3:43 PM, chrono said:

Hi, is it possible to downgrade the requirements for the 1.7.6.5 version?

Edit: I checked my bo after trying to install earlier and now i have SS Trigger and Action which gives error 500 everytime i try to click
Can you tell me whats the best way to get rid off any leftovers?

Hello,

What PHP version your PS used?

And can you publish error from http  server log and from PS_DIR/var/log?

Unfortunately I'm very busy at the moment. Maybe later I will launch the old version of PS and adapt the module.

1.7.6 and 1.7.8 have different auth controllers and hooks. So... need to rewrite much code to work with 1.7.6 correctly.

1.7.8+ have separate auth and reg controllers. 1.76 have one auth controller, 1.7.6 email subscribe module different of 1.7.8 too.

Simple rewrite PS_VERSION requirements not help you to module work with 1.7.6

Edited April 10 by metacreo (see edit history)

[BlackCrow]

I have tried your module, it is really good and works according to my first tests.

You write that it should be possible to manually block IP's or e-mail addresses.

I can't find this option anywhere. Can you help me further?

Otherwise: really nice, great👍

[metacreo]

3 hours ago, BlackCrow said:

I have tried your module, it is really good and works according to my first tests.

You write that it should be possible to manually block IP's or e-mail addresses.

I can't find this option anywhere. Can you help me further?

Otherwise: really nice, great👍

Thank you for warm words.

To block IP, go to SS Actions in customer section. Find (last by date) IP you need in table and click Edit (not VIEW). Set ban IP or email or both and save.

[BlackCrow]

Hi @metacreo , ty for your help.

Can you explain to me which criteria are used to block an ip?
I don't quite understand this process yet.
I can register accounts, but then there is nothing under Customers > SS Action.
However, some bots have already been successfully blocked there.
I also tried to register for the newsletter with a normal e-mail address - error message: Bot or invalid traffic detected. Connection prohibited.
So it is no longer possible to register for the newsletter. However, the account registration and login work fine.

[biker1947]

Module installed. Installation without issues. Bots are blocked at contact form! Great!

However all attempts to signup for newsletter are blocked, including my own emailaddresses. Error message: Bot or invalid traffic detected. Connection prohibited. Email addresses are seen as bot, after editing SS actions "ban IP" to 'never', and "ban email" to 'never',  IP still is blocked on second attempt to signup for newsletter.  

Edited April 16 by biker1947 (see edit history)

[Antti]

Same here with the newsletter signup issue -  it blocks even my own address. I have been successfully using the module for quite a while but only noticed this now. 

[metacreo]

please write ps version, this module (1.0.4 latest) version and ps_emailsubscription module version. because as I see this bug is possible only on 1.7
to temporary disable this part of functionality just unhook this module from actionNewsletterRegistrationBefore hook

just tested on 1.7.8.11 and 8.x ps and not found any bug with newsletter

Edited April 16 by metacreo (see edit history)

[metacreo]

Version UP 1.0.5

Fixed newsletter registration failure bug on classic theme.

Fixed bot check process for newsletter via ajax call on classic theme or themes used ajax.

Edited September 24 by metacreo (see edit history)

[Antti]

I had / have the newsletter issue with PS 8.0.4 - I did not realize this before biker1947 mentioned this in their post as only then did I test it. I unhooked from "actionNewsletterRegistrationBefore" as you instructed and that solved it for me. Thank you!

[metacreo]

4 minutes ago, Antti said:

I had / have the newsletter issue with PS 8.0.4 - I did not realize this before biker1947 mentioned this in their post as only then did I test it. I unhooked from "actionNewsletterRegistrationBefore" as you instructed and that solved it for me. Thank you!

Hook back again and up module ver. to 1.0.5  I found the problem and fixed it.

Edited April 16 by metacreo (see edit history)

[metacreo]

10 hours ago, biker1947 said:

Module installed. Installation without issues. Bots are blocked at contact form! Great!

However all attempts to signup for newsletter are blocked, including my own emailaddresses. Error message: Bot or invalid traffic detected. Connection prohibited. Email addresses are seen as bot, after editing SS actions "ban IP" to 'never', and "ban email" to 'never',  IP still is blocked on second attempt to signup for newsletter.  

 

8 hours ago, Antti said:

Same here with the newsletter signup issue -  it blocks even my own address. I have been successfully using the module for quite a while but only noticed this now. 

fixed in 1.0.5

[metacreo]

On 4/12/2024 at 12:50 PM, BlackCrow said:

Hi @metacreo , ty for your help.

Can you explain to me which criteria are used to block an ip?
I don't quite understand this process yet.
I can register accounts, but then there is nothing under Customers > SS Action.
However, some bots have already been successfully blocked there.
I also tried to register for the newsletter with a normal e-mail address - error message: Bot or invalid traffic detected. Connection prohibited.
So it is no longer possible to register for the newsletter. However, the account registration and login work fine.

Your SS Actions table is always empty or just on registration? Probably your PS version too old and not have separate registration controller.

Try new 1.0.6 with small corrections of logic.

If IP or Email is blocked or is set to never, no more records in table. Checked last record only for blocked or whitelisted conditions.
If IP or Email have zero condition in table, all related checks performed always and if detected bot (for example), IP is blocked.

    private $_block_ip = 0; // 0 - not blocked, 1 - blocked, 2 - never block
    private $_block_email = 0; // 0 - not blocked, 1 - blocked, 2 - never block

    public function hookActionSubmitAccountBefore($params)
    {
        $this->_redirect = $this->_action = 'registration';
        $this->checkAuthAndReg();
        if (!$this->_errors) {
            return true;
        }
    }

    private function checkAuthAndReg()
    {
        ....
        if (!$this->checkIsBlocked()) {
            $this->checkIsBot();
            $this->_attempt = $this->getAttemptsCount();
            if (($this->_attempt .... {
                if ($this->_block_ip !== 2 && $this->_block_email !== 2) {
                    $this->_errors[] = $this->l('Temporarily prohibited. Please try again in a few minutes.');
                }
                $this->_detected[] = 'warn';
            }
            if ($this->_attempt ....) {
                if ($this->_block_ip !== 2 && $this->_block_email !== 2) {
                    $this->_errors[] = $this->l('Prohibited. Please contact site administrator.');
                    $this->_block_ip = 1;
                }
                $this->_detected[] = 'ban';
            }
            $this->storeData();
        }
        if (!$this->_errors) {
            return;
        } else {
            ...
        }
    }

Function store data runs only if not blocked.

    private function storeData()
    {
        if ($this->_block_ip === 2 || $this->_block_email === 2) {
            return;
        }

and storeData self checks for witelisting....

About newsletter is just a bug, just my themes not used ajax for newsletter and I  missed this moment. Now it fixed.

Edited April 17 by metacreo (see edit history)

[biker1947]

PS 1.8.3
Classic theme
Module v1.06

Register for the newsletter with a normal e-mail address - error message: Bot or invalid traffic detected. Connection prohibited.

Not to alarm or frustate customers, for the time being, I disabled register for newsletter, 

Edited April 18 by biker1947 (see edit history)

[metacreo]

19 hours ago, biker1947 said:

PS 1.8.3
Classic theme
Module v1.06

Register for the newsletter with a normal e-mail address - error message: Bot or invalid traffic detected. Connection prohibited.

Not to alarm or frustate customers, for the time being, I disabled register for newsletter, 

PS 1.8.3 please write correct version

No bugs on PS 1.7.8.3. Tested.

 

 

Edited April 19 by metacreo (see edit history)

[biker1947]

Correction on previous my note: 

PS 8.1.3

module 1.0.6

classic theme

 

[metacreo]

15 hours ago, biker1947 said:

Correction on previous my note: 

PS 8.1.3

module 1.0.6

classic theme

 

@biker1947

Hi,

As can you see, no problem on PS 8.1.3 with Classic theme.

Check your module config. Maybe wrong settings stored.

 

 

[chrono]

On 4/8/2024 at 2:43 PM, chrono said:

Hi, is it possible to downgrade the requirements for the 1.7.6.5 version?

Edit: I checked my bo after trying to install earlier and now i have SS Trigger and Action which gives error 500 everytime i try to click
Can you tell me whats the best way to get rid off any leftovers?

Im still having issues with this, I see the SS trigger and Action again and everytime a customer tries to create an account it gives error 500.
Thanks for your time

edit: tried even reinstalling with the updated version but it doesn't let me. its also causing issues with payments other than registering customers (its the only new module ive added since the customers complaints)

Edited June 25 by chrono (see edit history)

[metacreo]

On 6/25/2024 at 6:31 PM, chrono said:

Im still having issues with this, I see the SS trigger and Action again and everytime a customer tries to create an account it gives error 500.
Thanks for your time

edit: tried even reinstalling with the updated version but it doesn't let me. its also causing issues with payments other than registering customers (its the only new module ive added since the customers complaints)

Can you provide php server error.log at 500 error ?

1.7.6.5 have other, different auth and reg code and maybe other hooks...

How to you use 1765 version? this version is seriously vulnerable.

https://www.cybersecurity-help.cz/vdb/prestashop/prestashop/1.7.6.5/

I don’t try to make it compatible with such versions, but when I have free time, I can rewrite the module. and yet for this I need to install the old and vulnerable 1765.

[Netagent]

Hello,
it seems as if the "hasStopWord" function (blocking bad words in contact forms) no longer works in Prestashop version 8.1.x. I have no problems in version 8.0.x. Tested with module versions 1.0.4 and 1.0.6.
Can anyone confirm this?

[metacreo]

On 7/31/2024 at 1:34 AM, Netagent said:

Hello,
it seems as if the "hasStopWord" function (blocking bad words in contact forms) no longer works in Prestashop version 8.1.x. I have no problems in version 8.0.x. Tested with module versions 1.0.4 and 1.0.6.
Can anyone confirm this?

Checked, work fine. PS 8.1.6 contactform v 4.4.2

Check your overrides probably disabled via admin. or maybe you use custom contact module?

[metacreo]

Same, no problem on PS 8.1.7 with native contactform v 4.4.2

[Netagent]

ok, I think I know why it doesn't work...
I also have the module "CAPTCHA - reCAPTCHA - Anti spam - Anti fake account" (ets_advancedcaptcha) running. This module also uses an override with the "sendMessage" function and uses a hook in the contact form template.
As soon as the hook is set, it doesn't work. If the hook isn't set, it works.

[metacreo]

@Netagent Did you succeed to combine the modules? If not, it would be good to look at the overwrite of other modules. Maybe I will make them compatible.

[helsinkisisu]

My 1.7.8.11 site suddenly started being hit by a registration bot three days ago (the upper and lower case random letter names one) and I gave your module a try. It has worked a charm and has caught 140 bot attempts in just over two days. 🙂👍

Is there a way to change the default to ban email as well as IP for these? They frequently use the same email address. My site has no newsletter and an embedded third-party contact form (a solution which allows zero spam submissions). So it's just registrations, and, in this country, it is pretty unlikely that we'll have any registrations with the email names being used.

Edited September 14 by helsinkisisu (see edit history)

[vintop95]

You are the GOAT

[metacreo]

@helsinkisisu  Yes, it is possible, but I did not do it intentionally. Now imagine a situation where an attacker will use email addresses of innocent people. In this way, the attacker will be able to prevent access to anyone.

[helsinkisisu]

14 minutes ago, metacreo said:

@helsinkisisu  Yes, it is possible, but I did not do it intentionally. Now imagine a situation where an attacker will use email addresses of innocent people. In this way, the attacker will be able to prevent access to anyone.

Yes, I appreciate this danger. However, out of the now 225+ registration attempts by the same bot, none of the email address names remotely resemble 99.9% of the genuine Finnish email names registering in the shop. And I would much prefer to make it that little bit more restrictive for the bot and deal with maybe one person with an English email name if they have difficulty registering. Looking back through four years of registered accounts, there is only one. And I know that customer personally.

Edited September 16 by helsinkisisu (see edit history)

[metacreo]

@helsinkisisu Ok. let's try to add such an option in the near future

[metacreo]

@helsinkisisu New module ver. 1.0.7 witch option block bot emails can be downloaded from top. Testing.

[helsinkisisu]

Thanks! Wasn't expecting that so quickly. 🤩 Looks to be working great for me.

[NIO72]

I try to use it on my PS 1.7.8.1 but reply to me a series of errors that you didn't know how to interpret but a very long list, I tried to download and install all the versions that are present in this topic but none of them works so I ask if someone can help me

[Ray UK]

Works fine on my 8.1.7

Im always afraid that is potentially blocking legitimate registrations.

Would it be possible to maybe add columns for Name/Surname and remove the password hash column ( as I think that column is useless ).

Then if we see a Name/Surname that looks legitimate we can have an option to authenticate that registration and send the email registration form to the customer with a custom note (ie, Upon registration, your ip address was mistaken as a potential bot registration. We have now activated your account and you are able to log in".

Thanks for a great module

[metacreo]

@Ray UK Thank you.
I can add Name/Surname col`s. But many of shops using only email field for registration, depended on shop theme.
During the entire period of use, no erroneous blocking was observed.
If client using real browser (not like chrome headless for js scraping/hacking) there can be no mistake.

Edited September 20 by metacreo (see edit history)

[metacreo]

@NIO72 As far as I know and tested, this is the initial version 1.7.8.3. Earlier versions may have a different authentication mechanism, so the module will not work. As I wrote above, there is no point in making an adaptation for versions below 1.7.8.10, since you will still be hacked sooner or later and this module will not help.
In order to try to help you, we still need to get some information from you.
Option: I tried everything, I have a lot of errors - this means absolutely nothing to anyone.
We don't have telepathic abilities, we need to know what errors the page and even the web server gives you.

[metacreo]

@Ray UK  Columns added.
I see you use PHP 8.3.9 PS 8.1.7
Please share experience. You have downgrade PHP on update time? Or correcting autoupgrade module? I just need to update one shop quickly.

Edited September 20 by metacreo (see edit history)

[NIO72]

@metacreo Thanks for your reply. So yes, obviously you can't know all the error responses that were given to me but at the same time I didn't want to weigh down the chat by copying and pasting everything, it seemed a bit excessive to me. In the meantime I found an additional plugin online called "User verification" which is compatible with my version and in its simplicity I see that it is blocking all the unwanted registrations so for now it works like this and I'm fine. I know for sure that a good solution would certainly be to upgrade the software version but I still don't know exactly how to do it. And as long as this function is fine with me, at this point if in the future I should continue to have problems, however, I will resume this topic and I will return to ask for help, in the meantime, thank you very much for your enormous availability 😊

[Ray UK]

5 hours ago, metacreo said:

@Ray UK  Columns added.
I see you use PHP 8.3.9 PS 8.1.7
Please share experience. You have downgrade PHP on update time? Or correcting autoupgrade module? I just need to update one shop quickly.

Module is now showing the columns, First Name, Last Name.. but they are all blank.

and the columns are now too wide.  Can the password one be removed. I dont think that is of use to anybody.

Edited September 20 by Ray UK (see edit history)

[Ray UK]

11 hours ago, metacreo said:

@Ray UK  Columns added.
I see you use PHP 8.3.9 PS 8.1.7
Please share experience. You have downgrade PHP on update time? Or correcting autoupgrade module? I just need to update one shop quickly.

Ive actually changed it back to 8.1.29. Not because I had any problems but the PS advice says the compatability does not go up to php 8.3.9 yet so unsure on updates.

[diysec]

Thanks for a great module. I have installed the latest 1.0.8 onto our server running 1.7.8.11.

I am having an issue where it thinks my IP address is a BOT, even though I have cleared out the "SS Actions" table.

I am asking what is the criteria that the module looks for when determining traffic is a bot?

Thanks 

[metacreo]

first name, last name columns removed from table, this data still is available in action view and edit.

password column removed from table and still displayed in action view.

@Ray UK  The passwd column needed for many shops to set customer correct password. Many of customers not seen "remember my password" button and call to admins after blocking

@diysec Can you give more details? What does "I think" mean?

Edited September 23 by metacreo (see edit history)

[helsinkisisu]

1 hour ago, metacreo said:

first name, last name columns removed from table, this data still is available in action view and edit.

Why did you do this? It was perfect for immediately confirming (as in a quick glance at the table) a non-genuine login/registration.

The listings below without names were recorded pre-1.0.8

 

Edited September 23 by helsinkisisu (see edit history)

[metacreo]

ok, let's return the first and last name to the table.
I just noticed that the table is too wide.
I use huge monitors, and this is inconvenient for users with laptops. I'll try to optimize the table.

[helsinkisisu]

34 minutes ago, metacreo said:

ok, let's return the first and last name to the table.
I just noticed that the table is too wide.
I use huge monitors, and this is inconvenient for users with laptops. I'll try to optimize the table.

Yes, I have a huge monitor too (and 1080 laptop). Removing the password column will help, as the passwords a hashed anyway.

[metacreo]

Passwords column removed completely, it can be displayed on action view only.

First/Last Names returned back to table...

All as @Ray UK asked.

[Ray UK]

Updated and working fine on PS8.1.7

Many thanks

[diysec]

@metacreo - More details for you.

1. Installed your module (v1.0.8) and left settings at defaults (ie 3 warn / 5 ban)

2. Go to SigIn page on my site and login with incorrect password as a test.

3. Look at SS Actions table and my IP address is detected as a "bot" and ban IP is set to "yes".

Just want to know what criteria does the module use to determine what a "bot" is?

Thanks

[metacreo]

@diysec Please wait some time. I make special debug version for you.

[metacreo]

@diysec Please download latest module.

In module config enable debug mode and enter token who I sent you via PM. Save settings.

Repeat your actions where module ban your IP.  (go to login page, try login !!! at this moment your IP cannot be banned in actions table)

If you see message about success debugging and debug mode can be turned off - disable debug mode.

Edited September 25 by metacreo (see edit history)

[diysec]

5 hours ago, metacreo said:

@diysec Please download latest module.

In module config enable debug mode and enter token who I sent you via PM. Save settings.

Repeat your actions where module ban your IP.  (go to login page, try login !!! at this moment your IP cannot be banned in actions table)

If you see message about success debugging and debug mode can be turned off - disable debug mode.

Thanks @metacreo for the support and debug assistance is solving my problem. Successfully resolved login issue with OPC with v1.0.9 of your module.

Cheers 

[helsinkisisu]

Easily the most responsive and helpful support I've had for any PS module. Donation sent. 👍

[metacreo]

@diysec, @helsinkisisu Thank you

new ver. 1.0.10

Everyone who is satisfied with the functionality and it works, there is no need to update, nothing new.

Added simplest debugging support.
Added Ajax Login and Ajax Registration support. Before this there were false definitions of the bot on sites with AJAX forms.
Added Attempt Time option can set 1 - 10 min. time interval during which the checks is performed (between now and X minutes earlier).
Message Please try again in a few minutes now indicates time who set by Attempt Time Like Please try again in a 3 minute(s).
Action Table now have css (word-wrap: anywhere; word-break: break-all;) fixes display too long names.

Thanks all for donation

Edited September 25 by metacreo (see edit history)

[Okiproko]

Bonjour,

Je suis votre thread depuis le début et vous remercie pour la mise à disposition du module.

Je suis sous PS 1.7.8.10 avec le dernier module Simple Security 1.0.10 installé.

Je constate et ce uniquement sur mobile et Google Chrome la disparition de la case à cocher Politique de Confidentialité dès qu'on rentre son mail, empêchant l'envoi d'un mail puisque non coché.

Sur les autres navigateurs, aucun souci, mais 2 fois sur 3, le message "Prohibited. Please contact site administrator.", test effectué avec mon email personnel alors que depuis l'admin section SS Actions, j'ai modifié mon email en Never sur Ban IP et Ban Email, mais le résultat est toujours le même.

Une cliente m'a appelé ce jour m'informant de la difficulté à envoyer un mail... cependant il bloque parfaitement les mails étrangers vraiment indésirables, top top ! 

Une idée ?

[metacreo]

@Okiproko Hello,

I didn't quite understand what the problem was.

The flag disappearing is not related to the module, it doesn't have such functionality.

If you set "ban email", then everything is correct, this email is blocked. If the client is blocked, see the SS Actions table.

To unblock, delete all records associated with this IP and/or email. Or set 'never ban...' to last record (ordered by ID record).

See if the number of attempts has been exceeded or if the client is identified as a bot.

What theme are you using? Does the form use AJAX?  site url?

[Okiproko]

Hello,

Thank you for your quick feedback,

I'm using the Cartzilla theme from Prestasafe, the form doesn't use Ajax, the site doesn't use Ajax.

My email address is shown in Never on the IP and email.

Edited September 26 by Okiproko (see edit history)

[metacreo]

1 hour ago, Okiproko said:

My email address is shown in Never on the IP and email.

Tested just now your contact form. All works fine. Tested with pc, mobile with chrome. No bugs detected. All works fine.

You cat see my connections in Action table meta***@newe***on.com IP start 88.216.... and over mobile ipv6

Now about checkbox and chrome. the checkbox is removed when the form is reloaded, this is normal behavior. You can also make it set by default, for this you need to edit the template file OR override or change controller (in your case gdpr_module) to make checkbox "rememberable" user set.

If I didn't understand something, please write in more detail.

P.S. To set properly UNBAN needs set unban in last table record (last by time  or ID) or better is to remove all records related to IP/Email and leave one with unban settings.

Edited September 26 by metacreo (see edit history)

[diysec]

Hi @metacreo

Updated your module to the latest version 1.0.10 and no longer working for me. Previous module 1.0.9 - where you added support for AJAX was working.

Would you like to do another debug trace?

 

[metacreo]

@diysec Hello,

Please go to module config page. Ensure that module enabled. Check AJAX settings state.

After update to 1.0.10 AJAX settings added and set by default to disabled. This is related to this version only.

[metacreo]

fixed bug of wrong message in productcomments override native module. Now message of success comment post shown correctly.

[diysec]

3 hours ago, metacreo said:

@diysec Hello,

Please go to module config page. Ensure that module enabled. Check AJAX settings state.

After update to 1.0.10 AJAX settings added and set by default to disabled. This is related to this version only.

Hi,

AJAX settings are on (see attached) and module is enabled.

[metacreo]

@diysec ok, so what's going on? what's not working?
turn on debug with Ti0EgX2VhTtqDCwOAqyovZJOtJYVUCdA

 

Edited October 1 by metacreo (see edit history)

[diysec]

Hi @metacreo

Turned on debug and did 4 login attempts with sign-in form. I do not even see anything recorded in the SS Actions table.

Its as if the module is not there even though its enabled (including the AJAX settings).

I am going uninstall the module and reinstall. I will report back

[metacreo]

ver 1.0.11
Removed all AJAX settings. Improved automatic AJAX detection.

[Ray UK]

Im not sure when this happened, but this module and the ReCaptch module are now conflicting. 

This is stopping anybody being able to log in as it throws an error like this

{“error”: true, “message”: “404 not found!”},

Ive disabled the Recaptcha one for now and its working again.

[diysec]

Hi,

My problem of the module not working appears to be with our reCaptcha (Knowband) module as well. Turn it off and your module works perfectly, turn it on and your module does NOT function on our site (ie does not record any attempts in SS Action table).

Is this something where a fix is need in your module or in the reCaptcha module?

Thanks

[metacreo]

@Ray UK, @diysec Hello,

I don't quite understand why you need a module if you use captcha or why you need a captcha if you use a module.

Oh well... I'll try to make them friends (the module with your captchas).

Let's try to find a way to check the contact form without overriding contact module, which is very good.

This will take longer than previous fixes as there is a lot of testing to do.

[diysec]

@metacreo Hi

You make a good point. I mainly use your module to restrict login attempts because PS does not do this natively (well on 1.7.8.11 it does not).

[Ray UK]

5 hours ago, metacreo said:

@Ray UK, @diysec Hello,

I don't quite understand why you need a module if you use captcha or why you need a captcha if you use a module.

Oh well... I'll try to make them friends (the module with your captchas).

Let's try to find a way to check the contact form without overriding contact module, which is very good.

This will take longer than previous fixes as there is a lot of testing to do.

I just thought double protection may be good.  I don't have a single registration or contact form submission since disabling the recaptcha module, so looks like just yours alone will do the trick.  No need to go through the hassle of remaking it without the override.

And since disabling the recaptcha yesterday, I now have 136 entries in the SS Action, which I never got before.

Edited October 2 by Ray UK (see edit history)

[metacreo]

All clear. I'm still thinking about how to make sure the modules don't conflict.
The most correct solution is to refuse override. But then we will have to create an extra load on hooks.

Since the contact form and controller do not have any hooks, we will have to load everything into the displayHeader hook, which means that the module will hang in memory all the time.

Here I need to think through everything

Edited October 2 by metacreo (see edit history)

[metacreo]

Major module rework. New ver. 1.0.12

Fixed sql/install.php (duplicate entry warning during upgrade).

Removed all overrides (no more needed).
Unhooked all hooks (no more needed) and hooked to one FrontController initialisation hook.
Now module works directly with FrontController and will intercept requests directly and faster.

Improvements:
Full support for modules: contactform, iqitreviews, productcomments, ps_emailsubscription, iqitemailsubscriptionconf. (without overrides)
Modules support tested on PS 8.2.0 with default theme and warehouse 4.6.4.

Added checks on add products to cart. (block bots on click add to cart)
Added checks on registration to guest or customer during checkout. (block bots on order page)

upgrade-1.0.12.php file added but if something wrong try to reinstall the module. Do not forget to backup tables if needed.

After this upgrade may work on earlier PS versions but minimum is 1.7.7 (not tested)
For testing modify:

$this->ps_versions_compliancy = ['min' => '1.7.8.3', 'max' => _PS_VERSION_];

Change min to 1.7.7 version.

Thanks all for donations.

Edited October 15 by metacreo
syntax (see edit history)

[Ray UK]

20 hours ago, metacreo said:

Major module rework. New ver. 1.0.12

Fixed sql/install.php (duplicate entry warning during upgrade).

Removed all overrides (no more needed).
Unhooked all hooks (no more needed) and hooked to one FrontController initialisation hook.
Now module works directly with FrontController and will intercept requests directly and faster.

Improvements:
Full support for modules: contactform, iqitreviews, productcomments, ps_emailsubscription, iqitemailsubscriptionconf. (without overrides)
Modules support tested on PS 8.2.0 with default theme and warehouse 4.6.4.

Added checks on add products to cart. (block bots on click add to cart)
Added checks on registration to guest or customer during checkout. (block bots on order page)

upgrade-1.0.12.php file added but if something wrong try to reinstall the module. Do not forget to backup tables if needed.

After this upgrade may work on earlier PS versions but minimum is 1.7.7 (not tested)
For testing modify:

$this->ps_versions_compliancy = ['min' => '1.7.8.3', 'max' => _PS_VERSION_];

Change min to 1.7.7 version.

Thank all for donations.

Updated.

After update, I noticed the override is still in the override folder.

Ive deleted it manually, but will that cause issues.

Many Thanks

[metacreo]

@Ray UK No. This module not needed overrides. But check other modules like captcha, reCaptcha, etc... if they used overrides then reinstall these modules.

[Ray UK]

57 minutes ago, metacreo said:

@Ray UK No. This module not needed overrides. But check other modules like captcha, reCaptcha, etc... if they used overrides then reinstall these modules.

Yes I saw that in your notes.  I know it doesnt need an override, but the override from the previous version of your module was still there.  I opened it up and it mentioned ets in there so I deleted that override.  Not sure if you can put something in your install file to remove that override for people who are less savvy

[metacreo]

 Strange. The directories should have been deleted.
Both from the module folder and from the overrides folder. Maybe you have wrong permissions on override dir or wrong owner.

    @$module->unregisterHook('actionNewsletterRegistrationBefore');
    @$module->unregisterHook('actionAuthenticationBefore');
    @$module->unregisterHook('actionSubmitAccountBefore');
    @$module->unregisterHook('actionCheckoutRender');
    @$module->unregisterHook('displayHeader');

    $module->registerHook('actionFrontControllerInitBefore');

    $modOverridePath = _PS_MODULE_DIR_ . 'simplesecurity/';
    $modDirs = [
        'override/modules/productcomments/controllers/front',
        'override/modules/productcomments/controllers',
        'override/modules/productcomments',
        'override/modules/iqitreviews/controllers/front',
        'override/modules/iqitreviews/controllers',
        'override/modules/iqitreviews',
        'override/modules/contactform',
        'override/modules',
        'override'
    ];
    foreach ($modDirs as $dir) {
        if (file_exists($modOverridePath . $dir)) {
            @array_map('unlink', glob($modOverridePath . $dir . '/*.*'));
            @rmdir($modOverridePath . $dir);
        }
    }
    $psOverridePath = _PS_OVERRIDE_DIR_ . 'modules/';
    $psDirs = [
        'productcomments/controllers/front',
        'productcomments/controllers',
        'productcomments',
        'iqitreviews/controllers/front',
        'iqitreviews/controllers',
        'iqitreviews',
        'contactform'
    ];
    foreach ($psDirs as $dir) {
        if (file_exists($psOverridePath . $dir)) {
            @array_map('unlink', glob($psOverridePath . $dir . '/*.*'));
            @rmdir($psOverridePath . $dir);
        }
    }

    return true;

[diysec]

Hi @metacreo

Upgraded to version 1.0.12 from 1.0.10 and now I see NO attempts logged in SS Actions table and I still have reCaptcha turned off.

Help?

[metacreo]

9 hours ago, diysec said:

Hi @metacreo

Upgraded to version 1.0.12 from 1.0.10 and now I see NO attempts logged in SS Actions table and I still have reCaptcha turned off.

Help?

in modules list shown version 1.0.12?
try clean cache and install module again. check module hooks. go to design > positions. select show:1-simplesecurity. and check Display non-positionable hooks
you must see only one hook actionFrontControllerInitBefore

and check is module ENABLED first.  In some cases module disables on error(permissions, owner) during install or update.

Edited October 16 by metacreo (see edit history)

[diysec]

Hi @metacreo

Module shows as 1.0.12. I uninstalled module and re-installed it. Checked the module hooks (see attached) and module is enabled.

It is showing the same signs as an older version of the module before you included fixes for AJAX, not sure if that issue has come back.

[metacreo]

maybe you have filled filters in table ?

try reset

please write me  url of your site or go to config, enter token and enable debug.

Edited October 18 by metacreo (see edit history)