Security updates and fixed bugs?


cbp


I installed osCommerce over a year ago and I was wondering whether there is a way to find all security problems that have been found (and fixed) in the past year, as well as bugs related to the core of osCommerce (not the addons).

 

I know about the bug reports section on this site, but it also contains non-fixed bugs, and it doesn't have any dates on it. Plus there are like 100+ pages of bug reports.


I think there were newer bugs/security issues that have been found.

if there were, i'm sure they would have been posted.

 

the only things regarding security that pop up around here is "my site got hacked" - which is usually due to an un-patched shop or poor htaccess (or none) of the admin panel

this is the only exploit posted on bugtraq since the nov update: http://www.securityfocus.com/bid/14294/exploit

but i do not have an extras folder in my installation, so i'm not sure what that is.


if there were, i'm sure they would have been posted.

 

the only things regarding security that pop up around here is "my site got hacked" - which is usually due to an un-patched shop or poor htaccess (or none) of the admin panel

this is the only exploit posted on bugtraq since the nov update: http://www.securityfocus.com/bid/14294/exploit

but i do not have an extras folder in my installation, so i'm not sure what that is.

Indeed, one of my testing sites got hacked and used for phishing. It turns out that I didn't bother password protecting the admin dir.

As for the update.php from the exploit you mentioned, it can be found in the extras dir that comes out with the release of osC. This extras directory must not be updated on the server.

 

As you said this is one of the exploits found, but there can be many and how would we know about it? I do not have time to search for such bugs on hacking forums (or the open bug list), and some of these exploits might not even be released to the public until damage has been done.

 

I read some more on the forums and I understand that Harald has lately been working solo on osC, so by no means do I want this to be a priority. Maybe an automated updating kit can be implemented in the new version of osC.

 

Although, at the very least, maybe the Bug Reports page can be changed to show the date and to allow for sorting by date. This shouldn't be hard, nor take a long time to do.


As for the update.php from the exploit you mentioned, it can be found in the extras dir that comes out with the release of osC. This extras directory must not be updated on the server.

what's it for? (extras folder) for some reason, i must have deleted it thinking it was useless... but i don't remember ever having it

 

 

As you said this is one of the exploits found, but there can be many and how would we know about it?

anyone can find a zillion holes in any piece of software.

anyone determined enough, can crack just about any website.

the site i posted is one of the main bugtraq websites, so if any known exploit is out there.. there's a thick chance it would appear on that website.

 

Although, at the very least, maybe the Bug Reports page can be changed to show the date and to allow for sorting by date. This shouldn't be hard, nor take a long time to do.

the bug reports section is a complete joke. there should be requirements set before posting bug reports (such as: "did you post this problem you're having in the forum first? if not, you can't submit this report.")

 

i'm so tired of seeing "my admin isn't password protected" rubbish all over the place.

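The two recurring points in this thread are an admin panel with no web-server password protection and a stray extras directory (the one containing update.php) left on the server. The following Apache configuration is an added example, not something posted in the thread or shipped by osCommerce; the document root, directory names, realm and password-file location are assumptions for an Apache 2.4 host, and the osCommerce admin login is left in place behind it.

```apache
# Added example (not from the thread or the osCommerce package).
# Assumed layout: the catalog lives in /var/www/shop/catalog, with the admin
# panel at catalog/admin and the release's extras/ folder accidentally uploaded
# next to it. Apache 2.4 syntax (mod_auth_basic + mod_authn_file).
#
# Create the password file outside the web root first, e.g.:
#   htpasswd -c /etc/apache2/osc-admin.htpasswd shopadmin

# 1. Second layer in front of the osCommerce admin login: HTTP Basic auth for
#    the whole admin directory, so an application-level bug in admin/ cannot be
#    reached by an anonymous visitor at all.
<Directory "/var/www/shop/catalog/admin">
    AuthType Basic
    AuthName "osCommerce administration (assumed realm)"
    AuthUserFile /etc/apache2/osc-admin.htpasswd
    Require valid-user
</Directory>

# 2. The extras/ directory is only meant for local use by the shop owner.
#    If it was uploaded by mistake, deny it entirely until it is deleted from
#    the server; nothing in it should ever be served to a browser.
<Directory "/var/www/shop/extras">
    Require all denied
</Directory>

# 3. Refuse to serve the install directory and anything the admin panel writes
#    as backups or logs (names assumed), which are common leftovers after an
#    upgrade and have no business being reachable over HTTP.
<DirectoryMatch "^/var/www/shop/catalog/(install|admin/backups)">
    Require all denied
</DirectoryMatch>
```

After reloading Apache, a quick check is to request /catalog/admin/ anonymously and expect a 401, and /extras/update.php and expect a 403; anything else means the directives are not being applied to that path.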
