osCommerce

Anyone Had Security Issues In The Past?


Guest


I'm kind of a newbie at web commerce so I have been learning as I go through the forums and documentation...

The old system I remember had no login necessary and displayed customers' credit card info in the order records/database. My store has not gotten any activity in the past several months, but I recently discovered that at some point someone managed to get into my admin panel and change the contact email.

I know that osCommerce changed the system sometime in the past 6 months to have a partial credit card number display in the order records, while sending the hidden numbers in an email....

I only recently discovered how to make the admin password-protected by contacting tech support. Normally I should think this would be an automatic part of the system, but it was something I had to go about doing myself.

Now my concern is, if this person who got into my account did this either before OR after the more secure method was instated, can either osCommerce or my host be held liable for the lack of security of the system? And regardless of their new system, the admin is still normally unprotected - can they be held liable for this? Or am I just screwed for not discovering this sooner?

Has anyone else had this issue or considered it even if no problems occurred?


There's a No Warranty clause included with oscommerce which you agree to by using the package. And I doubt that any host has a TOS policy that doesn't include such a statement. The end result - you are responsible for securing your site and for any damages that occur due to the lack of security. This is my opinion - I am not an attorney - so take this for what it is worth.

Jack

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons


Now my concern is, if this person who got into my account did this either before OR after the more secure method was instated, can either osCommerce or my host be held liable for the lack of security of the system? And regardless of their new system, the admin is still normally unprotected - can they be held liable for this?

Lack of security of what system? If someone hijacks your pc are you going to hold the pc h/w manufacturer liable?

From the osC documentation (comes with the osC package), page 9:

Note: Due to security related issues, database session storage is recommended for shared servers.

Click the "Continue" button.

You are nearly finished!

Rename the catalog/install folder or delete it.

Reset the permissions on /catalog/includes/configure.php to 644 (if you are still getting the warning message at the top set configure.php to 444 which is read only - this happens on some servers that have been updated for security reasons).

Set the permissions on /catalog/images directory to 777.

Reset the permissions on /catalog/admin/includes/configure.php to 644.

Create the dir /catalog/admin/backups and set the permissions to 777.

Set the permissions on /catalog/admin/images/graphs directory to 777.

You need to .htaccess your /catalog/admin directory so that it is password protected. You can use the password manager in your server admin area like cpanel.

Congratulations! Now you are really done!
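The checklist quoted above is easy to apply by hand and just as easy to skip a step of (the original poster's admin directory was left unprotected). The POSIX shell script below is an added example, not from the osCommerce documentation or from anyone in this thread: it applies the documented steps to a tree whose root directory contains catalog/, writes an HTTP basic-auth .htaccess for catalog/admin, and then audits the tree against the same checklist so a deployment can be gated on it. Assumptions: Apache honours .htaccess in the admin directory (AllowOverride AuthConfig), and the htpasswd file path you pass in is created separately with the host's password manager or the htpasswd tool and sits outside the web root; the fixture directory at the end is constructed here so the script runs stand-alone. Note that the documented 777 makes those directories world-writable; on a host where the web server user owns the tree, 755 is sufficient.

```shell
#!/bin/sh
# Added example (not osCommerce's own code): apply the post-install checklist
# to an osCommerce tree and verify the result.
set -eu

# harden_osc_tree ROOT HTPASSWD_FILE
#   ROOT          directory that contains catalog/
#   HTPASSWD_FILE absolute path of the htpasswd file, kept outside the web root
#                 (created with cPanel's password manager or htpasswd; assumed to exist)
harden_osc_tree() {
    root="$1"
    htpasswd_file="$2"
    catalog="$root/catalog"

    # Step 1: the installer can rewrite the configuration, so remove it.
    if [ -d "$catalog/install" ]; then
        rm -rf "$catalog/install"
    fi

    # Step 2: configuration files readable by the web server, writable only by
    # the owner (the docs say drop to 444 if osCommerce still warns about it).
    chmod 644 "$catalog/includes/configure.php"
    chmod 644 "$catalog/admin/includes/configure.php"

    # Step 3: directories the application writes to, 777 as documented
    # (world-writable; 755 suffices when the web server user owns the tree).
    chmod 777 "$catalog/images"
    mkdir -p "$catalog/admin/backups"
    chmod 777 "$catalog/admin/backups"
    chmod 777 "$catalog/admin/images/graphs"

    # Step 4: password-protect the admin directory with HTTP basic auth.
    cat > "$catalog/admin/.htaccess" <<EOF
AuthType Basic
AuthName "osCommerce administration"
AuthUserFile $htpasswd_file
Require valid-user
EOF
    chmod 644 "$catalog/admin/.htaccess"
}

# Return 0 only if the file is neither group- nor world-writable. Portable:
# columns 6 and 9 of the ls mode string are the group and other write bits.
not_group_world_writable() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ?????-??-?) return 0 ;;
        *)          return 1 ;;
    esac
}

# check_osc_tree ROOT: audit an existing tree against the checklist; returns
# non-zero on the first miss so it can gate a deployment.
check_osc_tree() {
    catalog="$1/catalog"
    [ ! -e "$catalog/install" ] || return 1
    not_group_world_writable "$catalog/includes/configure.php" || return 1
    not_group_world_writable "$catalog/admin/includes/configure.php" || return 1
    [ -d "$catalog/admin/backups" ] || return 1
    grep -q '^AuthType Basic' "$catalog/admin/.htaccess" 2>/dev/null || return 1
    grep -q '^Require valid-user' "$catalog/admin/.htaccess" 2>/dev/null || return 1
    return 0
}

# Constructed fixture (not a real store): the layout a fresh install leaves
# behind, with configure.php world-writable as the installer needs during setup.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/catalog/install" "$root/catalog/includes" "$root/catalog/images" \
             "$root/catalog/admin/includes" "$root/catalog/admin/images/graphs"
    : > "$root/catalog/includes/configure.php"
    : > "$root/catalog/admin/includes/configure.php"
    chmod 666 "$root/catalog/includes/configure.php" "$root/catalog/admin/includes/configure.php"
    printf '%s\n' "$root"
}

# Demonstration on a throwaway fixture; on a real host call
#   harden_osc_tree /path/to/webroot /home/example/.htpasswd
demo=$(make_fixture)
harden_osc_tree "$demo" "/home/example/.htpasswd"
check_osc_tree "$demo" && echo "fixture passes the checklist: $demo"
rm -rf "$demo"
```

Run check_osc_tree on its own against a tree that has already been set up by hand: the poster's situation, an admin directory with no .htaccess, fails at the grep for AuthType, and a configure.php left at 666 after the install fails the permission check.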


There's a No Warranty clause included with oscommerce which you agree to by using the package. And I doubt that any host has a TOS policy that doesn't include such a statement. The end result - you are responsible for securing your site and for any damages that occur due to the lack of security. This is my opinion - I am not an attorney - so take this for what it is worth.

Jack


Alright thanks for the info.

Do you know where I can find a copy of the No Warranty clause? I was unable to find any legal statements in the documentation...


Alright thanks for the info.

Do you know where I can find a copy of the No Warranty clause? I was unable to find any legal statements in the documentation...

See the LICENSE file in the osC archive, item 11 of the GPL:


NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.


Archived

This topic is now archived and is closed to further replies.
