
admin/store security


osc_svendsen


Posted

I can't by any means understand why:

  1. The securing of admin-folder requires either 3rd. party addons, or 3rd. party support if you're not the PHP/apache .htaccess -guru
  2. No data in the tables appears to be encrypted in any way.

Is this something that will be patched at some point, or be part of next MileStone ... or does a good reason for those features not being implemented exist?

 

Especially the lack of admin-security at a clean install wonders me .... :blink:

 

none the less I'm thrilled about the possible flexibility of osC alongside myself gaining knowledge in PHP .... I've tried 'bout a dozen os-webshops, and none of them as 'rewarding' as osCommerce :thumbsup:

Posted
Is this something that will be patched at some point, or be part of next MileStone ... or does a good reason for those features not being implemented exist?

 

We will add security to the admin section during the current development cycle.

Mark Evans

osCommerce Monkey & Lead Guitarist for "Sparky + the Monkeys" (Album on sale in all good record shops)

 

---------------------------------------

Software is like sex: It's better when it's free. (Linus Torvalds)

Posted
We will add security to the admin section during the current development cycle.

 

I'd seriously suggest re-considering as you'll (Core Team) be opening yourself to all sorts of problems if the "osC Lock" (for want of a better phrase) gets broken/hacked.

 

Even if not in terms of monetary (as everyone knows there is no warranty) - in terms of bad publicity though? Imagine the fallout if someone's site got hacked and it was found to be the new security which had a problem...credit card details stolen etc etc...

 

I'd say leave it to the individual Store Owner to secure using .htaccess. Most website hosts can do this in a matter of seconds (or via most Control Panels, users can do it themselves). And I know of at least 10 sites where you can input the name and password you want to use and then get the encrypted files to use! I even built one a few years back.

 

Something to think about anyway.

Posted
I'd seriously suggest re-considering as you'll (Core Team) be opening yourself to all sorts of problems if the "osC Lock" (for want of a better phrase) gets broken/hacked.

 

I guess we better test it fully :D

 

There are a number of ways security can be compromised using xss etc... since most of these are not possible by following good coding practices etc I think we can put together a reasonably secure system.

 

Note: That's not a challenge for someone to try cracking it :P

 

I'd say leave it to the individual Store Owner to secure using .htaccess.  Most website hosts can do this in a matter of seconds (or via most Control Panels, users can do it themselves).  And I know of at least 10 sites where you can input the name and password you want to use and then get the encrypted files to use!  I even built one a few years back.

 

Something to think about anyway.

 

In 1 respect I agree with you :)

 

However more and more people want to restrict access to certain parts of the system and have multiple users with certain rights. Using htaccess et al does not cater for this situation.

Mark Evans


Posted

In my humble opinion you're not making a very good point there, burt.

The .htaccess-way of securing the admin part of osC has more or less the same possibility of getting broken/hacked as ... well .. any other way of doing it.

I just can't see how an os storefront can be delivered without any security on the admin-core of the store, not even the simple .htaccess and e.g. a link to a site for creating name/psw and getting the encrypted file.

But simply letting the security depend on the unique adminfolder-name, which often is not at all as unique as you would like, in my eyes is an even greater factor of 'fallout'/depreciation.

But to make an example:

I'm writing this on a computer 'infected' with microsoft .... now how many times during the lifetime of windows-os's have we seen serious security holes leaving the computer wide open?? And does microsoft still control the market-share? Yes. And why? Because the actual security will in 99% of the cases depend on the user (in this case storeadmin) and not on the dev.team who can only deliver this much security thus more or less making it the user's own fault if a successful hack/crack is done. But you do get at least some basic features for securing yourself, already from a clean install, and even MS has now changed the agenda to be much more security-oriented than nifty and compatible/flexible.

To draw this back onto osC, I've found that this is the more compatible/flexible of the stores I've tried out, but completely lacking the basic security, and I can't see why since eg. the contrib's contain several .htaccess-security entries alongside other ways of securing the admin further.

I for one am fairly new with the .htaccess files, but know my way around html/js and I'm getting closer with php, and by searching the web/contrib's I've found that the .htaccess is more or less an entire chapter of its own.

Hence I seriously think that a greater level of security than just the unique naming of the admin-folder ought to be included already in the standard osC-store, rather than leaving the options to be the community-contributions.

Is it btw true that no encryption of sql-data takes place?

Posted

Please keep admin security part of MS3. It is needed.

 

I do a lot of COTS integration, DMS/CMS/RMS, portals, ERM, etc. Everyone has security on the admin section. No one has ever told me to supply the security layer myself.

 

ed

Posted

It's my opinion that security measures should not be anything to do with osCommerce software - it should be up to the Store Owner and his/her webhost functions to do it.

 

Imagine if you relied on the osCo software to secure your admin section. Then it got hacked. All your customers' details get stolen along with their CC details (let's assume for sake of logical argument that you use the standard CC module without email)...

 

- I can foresee a nightmare scenario, where you (as the store owner) get your site closed down from the bad publicity.

- You then come here and complain. This then gets into the mainstream OS community and osC becomes the "pariah" of OS Carts because of the flaw.

- The ongoing bad publicity would already have killed your Store. Once the flaw is known, more Stores would be hacked.

- The publicity would kill osCommerce and all of the community would not be too happy.

 

At least putting the onus on the Store Owner to provide his own security measures takes osC (both the software, the Core Team & the Community) out of the loop. Your Store would still be dead, but it would be your fault, not the fault of osCommerce.

 

Or in other words, I'm asking you to cover your own arse ...

 

Of course, all the above might not happen as the code might be impregnable (like Fort Knox and the Titanic ;)). But anything is possible...

Posted

Burt,

 

But that logic could be carried to the whole osCommerce system. The payment module could get hacked and someone performs an illegal transaction using the standard payment modules (doesn't the standard PayPal module allow for an easy edit of the final total?). The user account section could get hacked and someone could change another user's details. The osCid can be hacked and sales details can be seen by another browser. The moment you make something and put it on the Internet, it is open to attack. Should we just drop e-commerce?

 

As far as I know, no module or version of osCommerce stores full cc data in the database except the standard cc module you use for argument's sake. I think it is easier to get owners to use e-mail with the standard cc payment module than it is to get them to install their own security layer.

 

I believe the opposite is also true. An osCommerce site could get hacked. If it's a site where the admin/ directory is wide open, customers could sue osCommerce for NOT providing security for the admin.

 

ed

Posted

Thanks medvid for pointing out some of the things I was about to :D

 

I just wonder, burt, why you're arguing that strongly against implementing eg. basic .htaccess-security in the out-of-box osC-store.

 

Anyways ... the team replies that this security-issue is a part of MS3, so embrace it ;)

Posted

Only for the sake of argument ;)

 

Seriously, there are so many server set-ups these days that the onus should be on the Store Owner to make sure that their site/server is secure. It takes 2 minutes for a Store Owner with zero knowledge to make a Directory Secure using cpanel (or other Control Panel software) - so why not make the Store Owner responsible?

 

I think you guys are not seeing the problems I can foresee. By the way, at no point did I recommend (or even mention) leaving Admin wide open! It should be protected at the Server Level which is something the osCo Software simply cannot do. But the Store Owner/Web Host can...

 

If MS3 does have security built in, I'll look forward to breaking it ;)

Posted

ps, if Admin is left wide open, users could not sue osCommerce as the software is supplied without warranty.

 

But then, it would be the fault of the Store Owner for not taking a few moments to set htaccess - no fault of osCo...

Posted
ps, if Admin is left wide open, users could not sue osCommerce as the software is supplied without warranty.

 

But then, it would be the fault of the Store Owner for not taking a few moments to set htaccess - no fault of osCo...

As long as the product is delivered wo any warranty, you still can't sue osC if hacked, even though they implement the for-starters-.htaccess file along with the instructions on how to get/make the encrypted psw-file.

Posted

But I never said they would get sued (re-read the comments I made). I'm more concerned about the Bad Publicity that would ensue...that would kill osCommerce...

Posted

Burt,

 

Point taken. Bad press could go further than a suit.

 

ed

Posted

Burt, by saying that

ps, if Admin is left wide open, users could not sue osCommerce as the software is delivered without warranty
you kinda suggest, that just because some level of security were implemented the user would all of a sudden be eligible to sue osC in case of hacking, even though the software still is delivered as-is wo warranty, leaving security fully up to the user.

But again ... simply including .htaccess-security as a for-starters security alongside informing that you should take further steps than rely solely on delivered security... I can't see how this would amount to bad publicity for osC itself if broken, rather than bad publicity for the storeowner. In fact I'm amazed that this bad publicity isn't already a 'major' issue as no security is present at this time, other than community-contributions (if you don't already have the necessary knowledge in eg. .htaccess-files, that is).

And yet again; sparky replied that some level of security other than uniquely renaming the admin folder will be a part of MS3 as it's a part of current development cycle ... so again; embrace this fact, and no one forces anyone to solely depend on whatever they come up with. Everyone will still be able to ensure their store the way they like it, I just wondered why nothing at all is implemented in out-of-box osC, hence this thread .... that kinda took a wrong turn somewhere along the road ;)

Posted

You misread/misunderstood my comments.

 

There is no way that osC can be sued as no warranty is given or implied with the software. This is true whether or not Security is implemented in MS3. I haven't mentioned legal issues at all - please re-read my previous comments.

 

I am only concerned about bad publicity for osCommerce (the software, the Developers and the community) if a Store Owner relied solely on this MS3 security feature and it then got hacked because the security was never really that great.

 

I'm not sure how else I can say what I mean?

Posted
I'm not sure how else I can say what I mean?

 

I understand what you mean :)

 

Maybe a challenge should be setup once the security is in place to check for problems before we release?

 

Would be a good test of code over brains :P

Mark Evans


Posted

But I DO understand what you mean burt, though I'm starting to see some possible lingual glitches here .. english isn't my maternal language uknow, I just don't understand how you can't see the same arguments transferred onto osC not delivering even the basic .htaccess and/or comments regarding the use of this, regarding the bad publicity issue, but rather would maintain the 'unsecuredness' of osC to avoid any issues, legal or not, concerning security. It seems a bit over-pacifist, no offence intended, to state that by leaving the system un-secured and thereby leaving it 100% up to the webmaster of the store to secure it in all aspects, osC is freed from negative publicity concerning evt. broken security, though delivering an unsecured system in my opinion ought to be enough bad publicity in itself.

Though you are right: by not trying to secure the system, osC won't get knocked on the head for having poor security, only for having none. In either way osC should not (and undoubtedly won't) forget to mention that the supplied security is not in itself enough to claim your site as secure for online commerce, further actions will be required. Unless this is the goal of course ;)

Posted

I can see both points and would actually recommend two levels of security. One built into OSC with levels and controls by the store owner. For instance, I might have someone in receiving who doesn't need to know information about the customers, or another inputting catalog orders who doesn't need to be able to change inventory.

 

However to be more secure from the outside world, it should also have server level security (i.e. .htaccess or NTAUTH) if it is on a publicly accessible server.
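
A check for the server-level layer discussed in this thread, as an added example that is not part of any post and not osCommerce code: it inspects a store's admin folder for an .htaccess that enforces HTTP authentication and flags a password file kept inside the web root. The function names, finding messages and sample directory layout are assumptions made for illustration.

```python
"""Audit an admin folder for .htaccess-based HTTP authentication (added example)."""
import tempfile
from pathlib import Path

REQUIRED = ("authtype", "authuserfile", "require")

def parse_htaccess(text):
    """Map each directive name (lowercased) to its argument string."""
    directives = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and comments
        directives[parts[0].lower()] = parts[1].strip().strip('"') if len(parts) > 1 else ""
    return directives

def audit_admin_dir(admin_dir, doc_root):
    """Return a list of findings; an empty list means the basic checks pass."""
    admin_dir, doc_root = Path(admin_dir).resolve(), Path(doc_root).resolve()
    htaccess = admin_dir / ".htaccess"
    if not htaccess.is_file():
        return ["no .htaccess: the folder name is the only protection"]
    d = parse_htaccess(htaccess.read_text())
    findings = [f"missing directive: {name}" for name in REQUIRED if name not in d]
    if d.get("require", "").lower().startswith("all granted"):
        findings.append("Require all granted: no login is enforced")
    if "authuserfile" in d:
        pw = Path(d["authuserfile"])
        if not pw.is_absolute():
            findings.append("AuthUserFile is relative: location not verified")
        elif not pw.is_file():
            findings.append("password file does not exist")
        elif doc_root in pw.resolve().parents:
            findings.append("password file is inside the web root")
    return findings

if __name__ == "__main__":
    # Constructed sample layout: htdocs/admin protected, password file outside htdocs.
    with tempfile.TemporaryDirectory() as tmp:
        web, private = Path(tmp, "htdocs"), Path(tmp, "private")
        (web / "admin").mkdir(parents=True)
        private.mkdir()
        (private / ".htpasswd").write_text("owner:<hash placeholder>\n")
        (web / "admin" / ".htaccess").write_text(
            'AuthType Basic\nAuthName "Store admin"\n'
            f"AuthUserFile {private / '.htpasswd'}\nRequire valid-user\n")
        print(audit_admin_dir(web / "admin", web) or "server-level auth configured")
```

The script reads only the .htaccess file, so it cannot tell whether the server's AllowOverride setting lets those directives take effect, and it says nothing about the per-user rights inside the application that the thread also asks for.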

Archived

This topic is now archived and is closed to further replies.
