cbp (July 26, 2006):
I installed osCommerce over a year ago and I was wondering if there is a way to find all security problems that have been found (and have been fixed) in the past year, as well as bugs related to the core of osCommerce (not the addons). I know about the bug reports section on this site, but it also contains non-fixed bugs, and it doesn't have any dates on it. Plus there are like 100+ pages of bug reports.
Guest (July 27, 2006):
There is an osC upgrade from last Nov.: http://www.oscommerce.com/solutions/downloads
cbp (July 27, 2006, thread author):
> there is an osc upgrade from last nov. http://www.oscommerce.com/solutions/downloads

I know about that, but it is still 8 months old. In those 8 months I think there were newer bugs/security issues that have been found.
Guest (July 27, 2006):
> I think there were newer bugs/security issues that have been found.

If there were, I'm sure they would have been posted. The only thing regarding security that pops up around here is "my site got hacked", which is usually due to an un-patched shop or poor htaccess (or none) on the admin panel.

This is the only exploit posted on Bugtraq since the Nov update: http://www.securityfocus.com/bid/14294/exploit, but I do not have an extras folder in my installation, so I'm not sure what that is.
cbp (July 27, 2006, thread author):
> if there were, i'm sure they would have been posted. the only things regarding security that pop up around here is "my site got hacked" - which is usually due to an un-patched shop or poor htaccess (or none) of the admin panel. this is the only exploit posted on bugtraq since the nov update: http://www.securityfocus.com/bid/14294/exploit but i do not have an extras folder in my installation, so i'm not sure what that is.

Indeed, one of my testing sites got hacked and used for phishing. It turns out that I didn't bother password protecting the admin dir.

As for the update.php from the exploit you mentioned, it can be found in the extras dir that comes with the release of osC. This extras directory must not be uploaded to the server.

As you said, this is one of the exploits found, but there can be many, and how would we know about them? I do not have time to search for such bugs on hacking forums (or the open bug list), and some of these exploits might not even be released to the public until damage has been done.

I read some more on the forums and I understand that Harald, lately, is working solo on osC, so by no means do I want this to be a priority. Maybe an automated updating kit can be implemented in the new version of osC. Although, at the very least, maybe the Bug Reports page can be changed to show the date and to allow for sorting by date. This shouldn't be hard, nor take a long time to do.
Guest (July 27, 2006):
> As for the update.php from the exploit you mentioned, it can be found in the extras dir that comes with the release of osC. This extras directory must not be uploaded to the server.

What's it for (the extras folder)? For some reason I must have deleted it thinking it's useless... but I don't remember ever having it.

> As you said, this is one of the exploits found, but there can be many, and how would we know about them?

Anyone can find a zillion holes in any piece of software. Anyone determined enough can crack just about any website. The site I posted is one of the main Bugtraq websites, so if any known exploit is out there, there's a thick chance it would appear on that website.

> Although, at the very least, maybe the Bug Reports page can be changed to show the date and to allow for sorting by date. This shouldn't be hard, nor take a long time to do.

The bug reports section is a complete joke. There should be requirements set before posting bug reports (such as: "did you post this problem you're having in the forum first? if not, you can't submit this report."). I'm so tired of seeing "my admin isn't password protected" rubbish all over the place.
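The two hardening points the thread keeps coming back to (HTTP auth in front of the admin panel, and the extras directory with update.php never being uploaded) can be checked in one place. The script below is an added example and is not from the thread or from the osCommerce project; it assumes the standard catalog layout with an admin/ subdirectory (the name can be overridden) and that your web server honours .htaccess in that directory.

```shell
#!/bin/sh
# Added example: audit an osCommerce catalog root for the two issues
# discussed above. Assumes the stock layout (catalog/admin/, catalog/extras/).

# audit_osc_root <catalog_root> [admin_dir_name]
# Prints one WARN line per finding; the return code is the number of findings
# (0 means both checks passed).
audit_osc_root() {
    root="$1"
    admin_dir="${2:-admin}"
    findings=0

    # 1. The admin panel should sit behind HTTP auth in addition to the
    #    application's own login: a .htaccess with AuthType and a Require
    #    directive. (Only effective if AllowOverride permits AuthConfig.)
    ht="$root/$admin_dir/.htaccess"
    if [ ! -f "$ht" ]; then
        echo "WARN: $ht missing - admin panel has no htaccess protection"
        findings=$((findings + 1))
    elif ! grep -qi '^[[:space:]]*AuthType' "$ht" \
         || ! grep -qi '^[[:space:]]*Require' "$ht"; then
        echo "WARN: $ht present but has no AuthType/Require directives"
        findings=$((findings + 1))
    fi

    # 2. extras/ ships in the release archive for local use only; if
    #    extras/update.php is reachable on the live server, remove the directory.
    if [ -e "$root/extras/update.php" ]; then
        echo "WARN: $root/extras/update.php is deployed - delete the extras directory"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Usage: ./audit.sh /var/www/catalog   (path is a placeholder)
if [ -n "$1" ]; then
    audit_osc_root "$1"
fi
```

Run it from a cron job or a deploy hook so a re-upload of the release archive (which brings extras/ back) is caught before anyone else finds it.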