Guest Posted April 17, 2007

Isn't it about time this was resolved? If you read the forums there are dozens of stores experiencing problems with security, i.e. customers' information being mixed up/customers being able to see personal details of other customers, but there is nowhere on the OSCommerce site that deals with it. All of us are spending hours trawling through forums searching for possible solutions, and just when we think we have found the answer we find that we have reached another dead end! Similarly, we find that some so-called "solutions" may even cause further problems. Unfortunately, a large proportion of readers are not programmers, so find it difficult to sort the useful information from the not so useful (possibly even harmful) guidance about sessions, SIDs etc. But it would seem to me that there exists a basic flaw in OSCommerce that allows serious breaches of security of personal data, by allowing customers to view one another's information. I am sure that there are a large number of us who want to know how to deal with this. Why isn't it being taken seriously? What we need is the OSCommerce team to post the solution in the documentation on their website. This would save hours of time for those of us trying our best with limited knowledge to find a solution that actually works. It is my opinion that this issue is serious enough to warrant this.
Guest Posted April 17, 2007

You are absolutely right, of course. Unfortunately, (it seems) pretty much all security issues come way down on the list of priorities for many people. Much easier to "set file permissions to 777" or "just do this..." or "Well, nobody will know if I store these credit card numbers here, will they?" than actually do the job correctly. I've never experienced the problem you mention but I am aware of it. If I'd seen it in action, I could maybe offer some advice, but as it is, I'm afraid I can't help you. Rich.
Guest Posted April 17, 2007

Isn't it about time this was resolved?

Why are you posting the same thing over and over again? It would be faster to search the forum/contributions and find one of the proposed solutions.
Guest Posted April 17, 2007

Why are you posting the same thing over and over again? It would be faster to search the forum/contributions and find one of the proposed solutions.

I replied to a posting and then thought that the topic deserved a serious discussion. You obviously didn't read my post or you would realise that I have, like others, spent hours trawling forums. Unfortunately, this also means having to read such unhelpful advice as this along the way!
Guest Posted April 17, 2007

I replied to a posting and then thought that the topic deserved a serious discussion. You obviously didn't read my post or you would realise that I have, like others, spent hours trawling forums. Unfortunately, this also means having to read such unhelpful advice as this along the way!

Yes, and you posted the same thing a couple of extra times. And your answer simply means either you do not respect the forum rules or you haven't read them. http://www.oscommerce.com/forums/index.php?act=boardrules (see the posting section). And whether you find my advice useful or not is irrelevant.
Guest Posted April 17, 2007

Yes, and you posted the same thing a couple of extra times. And your answer simply means either you do not respect the forum rules or you haven't read them. http://www.oscommerce.com/forums/index.php?act=boardrules (see the posting section). And whether you find my advice useful or not is irrelevant.

I am sorry, enigma1; when I was posting, Explorer hung for several minutes so I clicked the post button again, and ended up posting the same thing twice, which I did not mean to do! So there's no need to get your knickers in a twist, is there? Do you actually have any useful contribution to this serious issue? If not, I suggest you stop posting.
Guest Posted April 17, 2007

So there's no need to get your knickers in a twist, is there? Do you actually have any useful contribution to this serious issue? If not, I suggest you stop posting.

Meaning what? And I have already answered before even posting in this thread: http://www.oscommerce.com/forums/index.php?s=&...t&p=1061825 So you found a problem with this module, or what? It's been released for over a year now.
Jack_mcs Posted April 17, 2007

Isn't it about time this was resolved? If you read the forums there are dozens of stores experiencing problems with security, i.e. customers' information being mixed up/customers being able to see personal details of other customers, but there is nowhere on the OSCommerce site that deals with it. All of us are spending hours trawling through forums searching for possible solutions, and just when we think we have found the answer we find that we have reached another dead end! Similarly, we find that some so-called "solutions" may even cause further problems. Unfortunately, a large proportion of readers are not programmers, so find it difficult to sort the useful information from the not so useful (possibly even harmful) guidance about sessions, SIDs etc. But it would seem to me that there exists a basic flaw in OSCommerce that allows serious breaches of security of personal data, by allowing customers to view one another's information. I am sure that there are a large number of us who want to know how to deal with this. Why isn't it being taken seriously? What we need is the OSCommerce team to post the solution in the documentation on their website. This would save hours of time for those of us trying our best with limited knowledge to find a solution that actually works. It is my opinion that this issue is serious enough to warrant this.

The problem isn't in oscommerce so there is nothing to fix. The problem is in how the shop is set up. For example, many sites will enable the cache setting but not change the path for the cached files. That means the tmp directory on the server is used, which is shared by many sites (on a shared server, of course) and that can cause data to be shared. There are other settings that can also cause this problem and they have been mentioned many times on the server. If you are having the problem, you need to spend the time finding the solution.
Jack Support Links: For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc. All of My Addons Get the latest versions of my addons Recommended SEO Addons
Guest Posted April 17, 2007

Meaning what? And I have already answered before even posting in this thread: http://www.oscommerce.com/forums/index.php?s=&...t&p=1061825 So you found a problem with this module, or what? It's been released for over a year now.

I have tried this and it alone does not solve the problem.

The problem isn't in oscommerce so there is nothing to fix. The problem is in how the shop is set up. For example, many sites will enable the cache setting but not change the path for the cached files. That means the tmp directory on the server is used, which is shared by many sites (on a shared server, of course) and that can cause data to be shared. There are other settings that can also cause this problem and they have been mentioned many times on the server. If you are having the problem, you need to spend the time finding the solution.

I have changed the cache setting, and it alone or with the above does not solve the problem. I have also tried all the different suggestions on how to write the configure file, with no positive result. I have been back to the OSCommerce install and checked that the sessions.php is the same as the original. Moreover, I do not pass oscIDs, because I know this will pass personal information. I am finding that customers are not being logged out of the site when they leave. So the next person to go in sees their information and can order products on their behalf! Once again, I will say that I am not the only one experiencing these issues. I am not the only one who has spent hours trawling the forums for solutions, many of which turn out to be red herrings. What is the point of hundreds of us spending hundreds of hours on this when someone on the OSCommerce team knows the answer and could post it in the knowledge base? Whether you like it or not, it is a problem which needs sorting!
Guest Posted April 17, 2007

I have tried this and it alone does not solve the problem.

Ok, which part of the contribution does not solve it? It does protect the customer accounts, yes? So different customers cannot use the same account. It does not solve the shopping cart contents, so here is my suggestion to get around this. So you install the session regeneration to be on the safe side for the private info, then rename the shopping_cart.php to a different filename in your catalog\includes\filenames.php, for example:

define('FILENAME_SHOPPING_CART', 'new_shopping_cart.php');

and rename the actual file. So this will take care of the existing cached pages spiders stored about the shopping cart. Besides, you don't want them to cache that page; they should be redirected to the cookies usage page. Also use the latest spiders.txt: http://www.oscommerce.com/community/contributions,2455
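The two technical points made so far in this thread are (1) a cache or session directory left at the shared /tmp on a shared host, so other accounts on the machine can read the files, and (2) session IDs that travel in the URL (osCsid), so a link cached by a spider, logged by a proxy or pasted into an e-mail resumes a customer's session for whoever follows it; renaming shopping_cart.php only sidesteps the links already cached, it does not stop new ones being issued. The PHP below is an added example, written for this page and not osCommerce's own code nor anything a poster here supplied; it shows the PHP-level settings that close both holes plus ID regeneration at login and a real logout. Everything named in it is an assumption: the directory /home/store/private, the cookie name STORESESSID, the login page /login.php, and the idea that the store's own code calls login_customer() after it has checked the password. It needs PHP 7.1 or later (the `??` operator and typed parameters).

```php
<?php
// Added example, not osCommerce code and not from any post in this thread.
// Assumptions (hypothetical): PHP >= 7.1; /home/store/private is owned by the
// site's own user, is outside the web root, and is not shared with other
// accounts; the store calls login_customer() after verifying the password and
// logout_customer() from its logoff page.

// (a) Shared temp directory.  On a shared host PHP's default session.save_path
//     (and an unchanged page-cache directory) is usually /tmp, readable by every
//     account on the machine.  Keep sessions and cached pages in a directory
//     only this account can reach.
$private = '/home/store/private';                  // hypothetical path
foreach (['sessions', 'cache'] as $sub) {
    $dir = "$private/$sub";
    if (!is_dir($dir)) {
        mkdir($dir, 0700, true);                    // owner-only
    }
}
ini_set('session.save_path', "$private/sessions");
$cache_dir = "$private/cache";                     // point the page cache here, not at /tmp

// (b) Session ID in the URL.  Accept the ID from a cookie only, never rewrite
//     it into links, and refuse IDs this server did not issue, so a stale
//     ?osCsid=... link cannot attach a visitor to someone else's session.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');          // available from PHP 5.5.2
ini_set('session.cookie_httponly', '1');          // cookie not readable by page scripts
ini_set('session.cookie_secure', '1');            // requires the shop to run over HTTPS
ini_set('session.gc_maxlifetime', '1800');        // idle sessions expire after 30 minutes
session_name('STORESESSID');                      // hypothetical; osCommerce's default is osCsid
session_start();

// (c) No regeneration at login.  The anonymous ID a visitor browsed with (and
//     may already have leaked) must not become the ID of the authenticated
//     session.  Issue a new ID, delete the old file, carry over only the cart.
function login_customer(int $customer_id): void
{
    $cart = $_SESSION['cart'] ?? [];
    session_regenerate_id(true);                  // true = delete the old session file
    $_SESSION = [
        'customer_id' => $customer_id,
        'cart'        => $cart,
        'login_time'  => time(),
        // tie the session to the browser that logged in; a cookie replayed
        // from a different client is rejected below
        'ua_hash'     => hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''),
    ];
}

// Call on every request that shows or changes account data.
function require_customer(): int
{
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (empty($_SESSION['customer_id']) || ($_SESSION['ua_hash'] ?? '') !== $ua) {
        logout_customer();
        header('Location: /login.php');           // hypothetical login page
        exit;
    }
    return (int) $_SESSION['customer_id'];
}

// The "next person at the same computer sees the previous customer" case:
// logout must wipe the server-side data and expire the cookie, not just
// unset a flag in the session.
function logout_customer(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();                            // removes the session file itself
}
```

Two caveats on the design: the user-agent hash is a cheap tripwire, not identity, since any client can send any User-Agent string, so the cookie-only and strict-mode settings are what actually stop a leaked ID from being reused; and a session expiry of 30 minutes does nothing for a customer who walks away from a shared computer within that window, which is why the logout path above destroys the session rather than relying on expiry.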
Jack_mcs Posted April 18, 2007

Once again, I will say that I am not the only one experiencing these issues. I am not the only one who has spent hours trawling the forums for solutions, many of which turn out to be red herrings. What is the point of hundreds of us spending hundreds of hours on this when someone on the OSCommerce team knows the answer and could post it in the knowledge base? Whether you like it or not, it is a problem which needs sorting!

Your logic is flawed. Just because a group of shops are having the same problem doesn't mean the oscommerce code is at fault. Your problem is fixable. You just haven't tried everything yet. And, yes, you have to try those things. It is not possible to code for every situation since it sometimes depends on the hosting environment. Jack
Guest Posted April 18, 2007

Your logic is flawed. Just because a group of shops are having the same problem doesn't mean the oscommerce code is at fault. Your problem is fixable. You just haven't tried everything yet. And, yes, you have to try those things. It is not possible to code for every situation since it sometimes depends on the hosting environment. Jack

This isn't just a case of a button not working or an image not showing or a page not loading; this is an issue of customers' information being viewable, i.e. being exposed to the public at large. There are a lot of shops out there with what many would consider to be a very serious problem and it is still my belief that some kind of guidance should be available. I am not afraid of exposing myself to criticism from those who fail to take this issue seriously, so I will continue to post until some support is offered.
Guest Posted April 18, 2007

So you install the session regeneration to be on the safe side for the private info, then rename the shopping_cart.php to a different filename in your catalog\includes\filenames.php, for example:

define('FILENAME_SHOPPING_CART', 'new_shopping_cart.php');

and rename the actual file. So this will take care of the existing cached pages spiders stored about the shopping cart. Besides, you don't want them to cache that page; they should be redirected to the cookies usage page. Also use the latest spiders.txt: http://www.oscommerce.com/community/contributions,2455

Thank you, enigma1. I have installed the regeneration contribution and the spiders text and have done what you said. Are you able to tell me where I will find the code snippet that puts the session id in the URL when the add to cart button is clicked, as I think a problem may stem from this? If two people are logged in at the same time the item appears in both baskets. Thanks in advance.
Jack_mcs Posted April 18, 2007

This isn't just a case of a button not working or an image not showing or a page not loading; this is an issue of customers' information being viewable, i.e. being exposed to the public at large. There are a lot of shops out there with what many would consider to be a very serious problem and it is still my belief that some kind of guidance should be available. I am not afraid of exposing myself to criticism from those who fail to take this issue seriously, so I will continue to post until some support is offered.

I understand the problem you are describing completely. It is common and fixable. The guidance you seek is available and is here in the forums. The real problem, it seems, is that you are refusing to accept that. It isn't a matter of setting yourself up for criticism, at least not from me. It's just a matter of whether or not you want the problem fixed. No one is going to change the current oscommerce code to fix such a problem, mainly because it can't be done, as mentioned in my previous post. So waiting for that to happen just means your problem doesn't get fixed. Jack