Jump to content



Member Since 07 Dec 2021
Offline Last Active Today, 04:34 PM

#352889 Generate Pdf File From A Thread Attached To An Order

Posted by thecigarhut on 14 September 2022 - 04:36 PM

I have used this before with success to read encoded files

Online PHP Javascript Script Decoder | Quttera (malwaredecoder.com)


but as eComLabs suggest, you should contact the developer for assistance

#351922 Smtp Error

Posted by thecigarhut on 26 July 2022 - 06:32 PM

I recently had a similar issue with testing on mailtrap.io

if on cPanel using ConfigServer Security & Firewall, you will need to allow your domains user ID to bypass the SMTP block in the config file


Always allow the following comma separated users and groups to bypass

Note: root (UID:0) is always allowed

#351815 Cannot Edit Layout & Ip Keep Getting Blocked

Posted by thecigarhut on 22 July 2022 - 03:35 AM

You can find details regarding both extensions here




And as I posted in the forum before the mod_security rules they suggest are outdated and useless in todays environments



  • mod_security should be disabled; if you don’t want to disable it fully, configure it to work with CS-Cart as described in this file;


#351778 Cannot Edit Layout & Ip Keep Getting Blocked

Posted by thecigarhut on 20 July 2022 - 04:09 PM

This fixed both issues, thanks!


However, its only a temporary solution correct? any ideas on how to have this fixed permenantly for launch?


to have mod security enabled on your site, but disabled on your backend admin, add this rule to Modsecurity tools

SecRule REQUEST_URI "@beginsWith /my_custom_admin_page" "phase:1,id:12345,allow"

(change the name of your admin page to suit)


FYI, CS-Cart and ModSecurity do not play nice together and you may want to just disable it all together on your domain.

Sadly the CS-CArt documentation for ModSec rules is very outdated and no longer functional at all. I ended up just disabling it on the domain.

#351642 Here's A Handy Snippet For Admin Notifications With Customer Id And Ip

Posted by thecigarhut on 11 July 2022 - 10:07 PM

my old system included customer ID and IP address in the order notifications sent via email, CS-Cart does not do that by default (you have to log into orders section to find the IP etc. so I created this snippet that I call at the bottom of each admin notification after the footer snippet


1st, create a snippet like so


Name Customer ID and IP
code cID_IP
add this code into it
{% if  order_info.ip_address %}
<p style="color: #787878; font-size: 14px; font-family: Helvetica, Arial, sans-serif; padding-bottom: 5px; margin: 0px;">
<span style="color: #444444; font-weight: 600; font-family: Helvetica, Arial, sans-serif; text-transform: uppercase;">{{__("cID_Number")}}</span> {{order_info.user_id}}</p>
{% endif %}
{% if  order_info.ip_address %}
<p style="color: #787878; font-size: 14px; font-family: Helvetica, Arial, sans-serif; padding-bottom: 5px; margin: 0px;">
<span style="color: #444444; font-weight: 600; font-family: Helvetica, Arial, sans-serif; text-transform: uppercase;">{{__("ip_address")}}</span> {{order_info.ip_address}}</p>
{% endif %}

in your language settings, create this

Language Variable cID_Number

Value cID Number: 



then in the admin notification templates in the order section add this to the bottom of each below the footer snippet

{{ snippet("cID_IP") }}

it will then give you this bit at the bottom of each order notification

cID Number: 12345

IP address 123.456.78.9



hope it is helpful to any of you 

#351599 Cs-Cart And Multi-Vendor 4.15.1 Released

Posted by thecigarhut on 08 July 2022 - 07:55 PM

just upgraded to 4.15.1 and product export no longer works, regardless of # of products selected or which method direct, server or screen, no matter if comma, semicolon or tab separator, looks to start process, ends in a second and nothing is exported, nothing on server, screen or downloaded to browser




Note, this only affects product export, works just fine for images, qty discounts and other sections, seems that no products get picked up for export when new field of "Unit Name" is selected for export, remove that field and export works just fine


New field of "Units in Product" works fine...

#351463 Notification Snippet To Count Shippings?

Posted by thecigarhut on 01 July 2022 - 04:58 PM

I thought that worked until I tested it with an order with only 1 shipping method, for those interested here is what I did that worked

{% if o.shipping.1.shipping_id %}
<p style="color: #787878; font-size: 14px; font-family: Helvetica, Arial, sans-serif; padding-bottom: 5px; margin: 0px;">{{ __("order_ships_multi_packages") }}<br /></p>
{% endif %}

what that does is look if there is a 2nd shipping id in the string, if so it displays the message text


#349449 Try Version 4.15.1 Before Release

Posted by thecigarhut on 06 June 2022 - 01:49 PM

I took a deep look into Multi Vendor at the beginning of my CS-Cart journey almost 2 years ago and found that it is not suitable for a single company using various drop shippers that do not have access to the admin end or of managing any products or prices sold on my store.


As opposed to a marketplace with separate vendors (like a shopping mall) who sell their own goods independently under 1 roof, a store using drop shippers is more like a mail order catalog that buys goods from various suppliers and has the goods shipped direct to the customer. In this scenario the customer is shopping from 1 catalog but receiving goods from several locations as opposed to going to the virtual mall and shopping from various stores under 1 roof.

In contrast to getting a commission on sales of the Vendors products, I buy at a discount and make my own markups to keep the difference. Suppliers have no say in how the items are sold. To use Multivendor would require multiple user logins on my part and just make things all the more complicated.


Speaking of integrations, would LOVE to see BlueCheck and Avalara integrations in the future  :idea:

#349443 Discount Equal To Shipping (Not Free Shipping Promotion)

Posted by thecigarhut on 06 June 2022 - 12:37 PM

FYI, SoftSolid did a great job making the addon to suit my needs.
Kudos to Michael and Robert for putting up with my demands and for the great work at a very reasonable price

#349441 Try Version 4.15.1 Before Release

Posted by thecigarhut on 06 June 2022 - 12:28 PM


Speaking of dropshipping, it could help us a lot if you provided a few more details.

- How exactly you use "Suppliers" now?

- Is there anything in particular that you (dis)like about the current add-on?


P.S. As for a possible replacement, we were considering to extend the "Warehouses" functionality. But again, a lot depends on the feedback we get.


I use suppliers to dropship orders placed on my sites, I personally do not stock any items myself, but have an assortment of companies that ship products for me. There is no API or plug in with any of them so not at all like Alibaba or the other conglomerate drop shippers that you can plug and play with an addon, these are small to midsized companies that supply me with goods shipped direct to my customers from their locations.

I have been using this business model since 1999 on other platforms and after much investigation, trial and errors with other carts, CS-Cart seemed to be the closest fit to enable a modern platform to continue on.

As it is, I have had to invest several thousands on additional custom coding and add-ons to get basic things like supplier price and supplier sku added to CS-Cart as well as adding those variables to the supplier notifications.


Warehouses implies that you have your own stock in several locations, suppliers implies that you have external companies shipping your goods for you. Expanding suppliers functionality would further open up the doors to many additional customers in the fast growing business segment.


Perhaps the reason your existing suppliers add-on is not used much is because it lacks the 2 most important aspects of using external companies to fulfill orders, their prices and item numbers need to be in the product data. As it is I had to buy 2 addons to get that info as well as spend thousands on custom coding to get those variables included into the supplier notification / invoice



On a separate note I am very happy to see Zapier being integrated as well as price per unit

#349215 Try Version 4.15.1 Before Release

Posted by thecigarhut on 03 June 2022 - 02:14 PM

Functionality Changes

[*] Add-ons: Suppliers: Add-on marked as deprecated.



what on earth were you thinking?
Any shop owner who dropships or outsources MUST have suppliers.
This is THE reason for using CS-Cart

What is the planned replacement functionality then?


#348375 Paypal Returns Customer To Login Screen

Posted by thecigarhut on 18 May 2022 - 10:29 PM

I have noted recently that a few of the main add-on developers' websites do the same thing when paying with PayPal. On returning from payment you have to log in to their stores to get to the thank you page.

@Simtech, @soft-sold, @Cart-Power to name a few, you guys should fix this on your sites and pressure CS-Cart Devs to get this bug fixed ASAP

#346944 Impact Of The Ukraine War On Cs-Cart License Validation

Posted by thecigarhut on 17 March 2022 - 12:20 PM

Did you not get the email from the CS-Cart CEO dated March 3?

Included here in case you didn't.

Our vision and guarantees for an uninterrupted provision of services



In this message, I would like to comment on the current political situation around Russia and Ukraine as the conflict may raise questions on the stability of our services. I’ll tell you more about our company and discuss the measures we’ve taken to eliminate any risks for your business.

We are against this war in Ukraine and any other military conflicts and wars. There is no excuse for what’s happening with people’s lives. We have colleagues and partners in Ukraine and we feel their personal tragedy.

CS-Cart has been in business for 16 years internationally with customers in 170 countries. For all these years we’ve been utilizing technological advances to help people implement their ideas, achieve their ambitions, and make their dreams come true. And we continue doing it with more effort.

I’d like to discuss our company and our obligations, and assure you of the measures in place to protect your business.


How your data is secured

The main thing is that our clients' data are stored on their own servers, which means our e-commerce software operates fully independently.

Our Help Desk communication history from cs-cart.com is stored on EU and US-based servers. We do not receive transaction data (credit card details or any other sensitive data) in line with PayPal and BlueSnap payment system policies.

We also provide our own optional hosting solution that utilizes data centers worldwide—outside Russia. For more details please read about the security measures taken by the CS-Cart team.


How we accept payments

You can securely pay for the CS-Cart products and services with PayPal and Bluesnap, or transfer the payment right to our USA-registered bank account. Consequently, there should be no issues with payment transactions.


Where CS-Cart team members are located

We have a financial office in the USA, but CS-Cart is a geographically dispersed team. Its employees are located around the world including the United States, Russia, Ukraine, Belarus, Uzbekistan, Portugal, and Sri Lanka.


What obligations we have

Our company has been operating since 2005, and we have a huge customer base in 170 countries. This is a great responsibility: data security and the stable operation of CS-Cart users’ web stores and marketplaces are both top priorities for us. Our customers have never suffered from political issues.

We feel utmost confidence in putting our reputation at stake by stating we guarantee uninterrupted provision of services according to our license agreement.





Sincerely yours,
Ilya Makarov

#346859 Outdated Mod_Security Rule Set In Cs-Cart Docs?

Posted by thecigarhut on 14 March 2022 - 07:52 PM

as per the linked rule set here:

  • mod_security should be disabled; if you don’t want to disable it fully, configure it to work with CS-Cart as described in this file;


the customer rules in the mod_security.txt file seem to be outdated.
when trying to add them to cPanel at 

Edit Custom ModSecurity™ Rules

page on my WHM/cPanel server I get the following error:


Error: The following rule did not have an ID: # Enable XML request body parser. # Initiate XML Processor in case of xml content-type # SecRule REQUEST_HEADERS:Content-Type "text/xml" \ "phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"



I really dislike having to disable this level of security on my site(s) and wonder if there is an updated version of the custom rule set for mod_security

This is the link rule set:

# -- Rule engine initialization ----------------------------------------------

# Enable ModSecurity, attaching it to every transaction. Use detection
# only to start with, because that minimises the chances of post-installation
# disruption.
SecRuleEngine DetectionOnly

# -- Request body handling ---------------------------------------------------

# Allow ModSecurity to access request bodies. If you don't, ModSecurity
# won't be able to see any POST parameters, which opens a large security
# hole for attackers to exploit.
SecRequestBodyAccess On

# Enable XML request body parser.
# Initiate XML Processor in case of xml content-type
SecRule REQUEST_HEADERS:Content-Type "text/xml" \

# Maximum request body size we will accept for buffering. If you support
# file uploads then the value given on the first line has to be as large
# as the largest file you are willing to accept. The second value refers
# to the size of data, with files excluded. You want to keep that value as
# low as practical.
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072

# Store up to 128 KB of request body data in memory. When the multipart
# parser reachers this limit, it will start using your hard disk for
# storage. That is slow, but unavoidable.
SecRequestBodyInMemoryLimit 131072

# What do do if the request body size is above our configured limit.
# Keep in mind that this setting will automatically be set to ProcessPartial
# when SecRuleEngine is set to DetectionOnly mode in order to minimize
# disruptions when initially deploying ModSecurity.
SecRequestBodyLimitAction Reject

# Verify that we've correctly processed the request body.
# As a rule of thumb, when failing to process a request body
# you should reject the request (when deployed in blocking mode)
# or log a high-severity alert (when deployed in detection-only mode).
SecRule REQBODY_ERROR "!@eq 0" \
"phase:2,t:none,log,deny,status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2"

# By default be strict with what we accept in the multipart/form-data
# request body. If the rule below proves to be too strict for your
# environment consider changing it to detection-only. You are encouraged
# _not_ to remove it altogether.
"phase:2,t:none,log,deny,status:44,msg:'Multipart request body \
failed strict validation: \

# Did we see anything that might be a boundary?
"phase:2,t:none,log,deny,status:44,msg:'Multipart parser detected a possible unmatched boundary.'"

# PCRE Tuning
# We want to avoid a potential RegEx DoS condition
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
SecRule TX^MSC_/ "!@streq 0" \
"phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

# -- Response body handling --------------------------------------------------

# Allow ModSecurity to access response bodies. 
# You should have this directive enabled in order to identify errors
# and data leakage issues.
# Do keep in mind that enabling this directive does increases both
# memory consumption and response latency.
SecResponseBodyAccess On

# Which response MIME types do you want to inspect? You should adjust the
# configuration below to catch documents but avoid static files
# (e.g., images and archives).
SecResponseBodyMimeType text/plain text/html text/xml

# Buffer response bodies of up to 512 KB in length.
SecResponseBodyLimit 524288

# What happens when we encounter a response body larger than the configured
# limit? By default, we process what we have and let the rest through.
# That's somewhat less secure, but does not break any legitimate pages.
SecResponseBodyLimitAction ProcessPartial

# -- Filesystem configuration ------------------------------------------------

# The location where ModSecurity stores temporary files (for example, when
# it needs to handle a file upload that is larger than the configured limit).
# This default setting is chosen due to all systems have /tmp available however, 
# this is less than ideal. It is recommended that you specify a location that's private.
SecTmpDir /tmp/

# The location where ModSecurity will keep its persistent data. This default setting 
# is chosen due to all systems have /tmp available however, it
# too should be updated to a place that other users can't access.
SecDataDir /tmp/

# -- File uploads handling configuration -------------------------------------

# The location where ModSecurity stores intercepted uploaded files. This
# location must be private to ModSecurity. You don't want other users on
# the server to access the files, do you?
#SecUploadDir /opt/modsecurity/var/upload/

# By default, only keep the files that were determined to be unusual
# in some way (by an external inspection script). For this to work you
# will also need at least one file inspection rule.
#SecUploadKeepFiles RelevantOnly

# Uploaded files are by default created with permissions that do not allow
# any other user to access them. You may need to relax that if you want to
# interface ModSecurity to an external program (e.g., an anti-virus).
#SecUploadFileMode 0600

# -- Debug log configuration -------------------------------------------------

# The default debug log configuration is to duplicate the error, warning
# and notice messages from the error log.
#SecDebugLog /opt/modsecurity/var/log/debug.log
#SecDebugLogLevel 3

# -- Audit log configuration -------------------------------------------------

# Log the transactions that are marked by a rule, as well as those that
# trigger a server error (determined by a 5xx or 4xx, excluding 404, 
# level response status codes).
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"

# Log everything we know about a transaction.

# Use a single file for logging. This is much easier to look at, but
# assumes that you will use the audit log only ocassionally.
SecAuditLogType Serial
SecAuditLog /var/log/modsec_audit.log

# Specify the path for concurrent audit logging.
#SecAuditLogStorageDir /opt/modsecurity/var/audit/

# -- Miscellaneous -----------------------------------------------------------

# Use the most commonly used application/x-www-form-urlencoded parameter
# separator. There's probably only one application somewhere that uses
# something else so don't expect to change this value.
SecArgumentSeparator &

# Settle on version 0 (zero) cookies, as that is what most applications
# use. Using an incorrect cookie version may open your installation to
# evasion attacks (against the rules that examine named cookies).
SecCookieFormat 0

turning on mod security locks me out of the server and gives a "Store Closed" page on the admin back end


error that triggers csf firewall


Failures: 3 (mod_security)

Interval: 300 seconds

Blocked:  Permanent Block [LF_MODSEC]


ModSecurity: Access denied with code 403 (phase 2). Operator GE matched 5 at TX:anomaly_score. [file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "93"] [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.2"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "www.shop.xxxxxxx.com"] [uri "/xxxxxxx_admin.php"] [unique_id "Yi-MexkjvxreGrxVQoTBIQAAAFA"], referer:https://www.shop.xxx...h=orders.manage

#346377 Discount Equal To Shipping (Not Free Shipping Promotion)

Posted by thecigarhut on 24 February 2022 - 02:05 PM

I'm looking for a way to offer customers a rebate / coupon / Promotion on shipping costs but not the way the cart currently offers free shipping.

I need the shipping fee to be calculated by UPS or USPS and passed on to the supplier and included as shipping charge in the customer invoice, but also have a promotion that applies a discount to the order for the calculated shipping amount.

Example, have a promotion that if customer spends $100.00 or more they get a coupon applied that is equal to the cost of shipping so cart summary would be like this

3 item(s) $102.75
Shipping $20.35
Order discount -$20.35
Order Total $102.75
As opposed to the current Free Shipping Promotion that inputs shipping as $0.00 in all notifications and order details / invoices
This makes for a nightmare in accounting as shipping fees can not be $0 but promotions / discounts can be accounted for.