Issue #25: March 17, 2003

By Harald Ponce de Leon

Security And Privacy Proposal
Filenames And Database Tables Definitions
Cross Site Scripting Vulnerabilities
Tax Implementation Update
New Wiki Documentation Site
Contributions Added/Updated In The Last 3 Days

Security And Privacy Proposal

The Security And Privacy Proposal discussed on the Developers forum has been realized and is now in CVS.

The implementation introduces a new Sessions configuration group with three parameters:

SESSION_WRITE_DIRECTORY (default /tmp)

It is recommended to change the location where the file-based sessions are stored, as /tmp is generally readable by all users on the server.

SESSION_FORCE_COOKIE_USE (default False)

When enabled, a session is only started once a previously set cookie can be read back from the browser.

Because this option depends on cookies, it will only work when the HTTP and HTTPS servers share the same top level domain, for example:

https://www.server.com and https://ssl.server.com will work, whereas

https://www.server.com and https://www.ssl.com/server/ will not work.

SESSION_CHECK_SSL_SESSION_ID (default False)

When enabled, the SSL_SESSION_ID automatically generated on secure HTTPS requests is stored in the session and verified on subsequent secure HTTPS requests. If the value has changed, the customer must log in again to continue their actions.

Ross Lapkoff and Marcel van Lieshout are looking for workarounds on the SESSION_FORCE_COOKIE_USE option for it to be able to work on servers that use shared SSL certificates.
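A minimal PHP model of how the three Sessions options fit together at request start, written for this issue as an added example and not taken from the osCommerce code base; the function names, the cookie_test cookie, the 'customer_id' session key and the login.php redirect are assumptions:

```php
<?php
// Added example, not osCommerce's own code: a minimal model of the three
// Sessions options named in the newsletter. The constant names are the
// newsletter's; the function names, the cookie_test cookie and the
// 'customer_id' session key are this example's assumptions.

define('SESSION_WRITE_DIRECTORY', '/var/lib/php/shop-sessions'); // not the shared /tmp
define('SESSION_FORCE_COOKIE_USE', 'True');
define('SESSION_CHECK_SSL_SESSION_ID', 'True');

function shop_session_start(): bool {
    // Session files go in a directory only the web server user can read
    // (mode 0700), so other local users cannot read session data out of /tmp.
    session_save_path(SESSION_WRITE_DIRECTORY);
    ini_set('session.use_only_cookies', '1'); // never accept the session id from the URL

    if (SESSION_FORCE_COOKIE_USE === 'True' && !isset($_COOKIE['cookie_test'])) {
        // No readable cookie came back yet: hand out a test cookie and start the
        // session on the next request, once the browser has shown it keeps cookies.
        setcookie('cookie_test', 'please_accept_for_session', 0, '/', '', false, true);
        return false;
    }
    session_start();
    return true;
}

function verify_ssl_session(): bool {
    // Only meaningful on HTTPS; Apache mod_ssl exports SSL_SESSION_ID to PHP
    // when "SSLOptions +StdEnvVars" is set for the virtual host.
    $is_https = (($_SERVER['HTTPS'] ?? 'off') !== 'off');
    $current  = $_SERVER['SSL_SESSION_ID'] ?? '';
    if (SESSION_CHECK_SSL_SESSION_ID !== 'True' || !$is_https || $current === '') {
        return true; // option off, plain HTTP, or the variable is not exported
    }
    if (!isset($_SESSION['SSL_SESSION_ID'])) {
        $_SESSION['SSL_SESSION_ID'] = $current; // first secure request: remember the id
        return true;
    }
    if (!hash_equals($_SESSION['SSL_SESSION_ID'], $current)) {
        // The TLS session changed underneath an existing login: drop the
        // authenticated state so the customer must log in again.
        unset($_SESSION['customer_id'], $_SESSION['SSL_SESSION_ID']);
        return false;
    }
    return true;
}

if (shop_session_start() && !verify_ssl_session()) {
    header('Location: /login.php'); // assumed login page path
    exit;
}
```

Because the comparison is against the TLS session identifier, a renegotiated session or one resumed on a different server (for example behind a load balancer without a shared SSL session cache) changes the id and forces a re-login; that is the trade-off this option makes.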

The discussions of the proposal can be read at:

https://forums.oscommerce.com/viewtopic.php?t=31928

The updated proposal is available at the new Wiki documentation site at:

https://wiki.oscommerce.com/proposalSecurityAndPrivacy

Filenames And Database Tables Definitions

During the implementation of the Security And Privacy Proposal, the application_top.php file on the Catalog went through a clean-up process.

Part of the process moved the filename and database table definitions to their own files.

This will ease the merging of the Catalog and Administration Tool files when it occurs for Milestone 4.

Cross Site Scripting Vulnerabilities

Daniel Alcántara de la Hoz alerted the team to two cross site scripting vulnerabilities in catalog/includes/header.php.

These and other vulnerabilities have been fixed, and can be seen with the Bug Reporter by viewing all Cross Site Scripting reports.

As these vulnerabilities exist in the Milestone releases under development, no point release of Milestone 1 will be made available.

Point releases will be made available when vulnerabilities are found on stable project releases.

The Cross Site Scripting bug reports can be seen here:

https://www.oscommerce.com/community/bugs/action,search/type,Cross Site Scripting

Tax Implementation Updates

The tax implementation has been updated again as tax rates that were meant to be compounded were not compounding at all.

Updates were also made to the tep_round() function, as PHP's native number_format() and round() functions produced different results when given float and string values.

A bug report was opened with PHP for this issue, but it turned out to be a floating-point/mathematical issue rather than a PHP issue.

The updated tep_round() function now produces the expected results but may again be updated soon to increase its performance.

The PHP bug report can be seen here:

https://bugs.php.net/bug.php?id=22712

An updated proposal for the tax implementation can be read at the new Wiki documentation site at:

https://wiki.oscommerce.com/proposalTaxes

New Wiki Documentation Site

A new Wiki documentation site has been set up to start a public effort in writing documentation for the project.

Melinda Odom of oscdox fame has contributed a lot of help-related documentation, Ian Wilson has started off the programming documentation, and Harald Ponce de Leon has started off the proposals section.

If you're interested in participating in the effort, or have questions about the Wiki site in general, get in touch at the Wiki forum channel provided at:

https://forums.oscommerce.com/viewforum.php?f=15

The Wiki documentation site can be reached at:

https://wiki.oscommerce.com

Live Shops List

Recent Live Shop entries are still pending activation, which will be done during the week.

Contributions Added/Updated In The Last 3 Days

AdminLogin-0.0.5
SVFlix Bank Transfer
Low Stock Report
MS1 to L5 db upgrade
french-zone france metropolitaine
Product Attributes - Option Type Feature
Gift Certificates - Generic
Protx Form Payment Module
PaySystems Module
Add Shopping Cart Info to Your Header
Big Images
Customer specific discount percentage
ot_commission 1.0
Bluepay Web Link Gateway
Ship 2 Pay v1.0 (MS1)
PDF data_sheet maker 1.1
Banner Picture Hack in Banner Manager
Infoboxes outside OSC
newsdesk_v_1.4_tarred
admin_controlled_bestsellers_images_scroll
NewsDesk
Card Zapper
Conditions, Privacy & Shipping with MySQL v1.0
