Guest Posted June 14, 2007

I'm kind of a newbie at web commerce so I have been learning as I go thru the forums and documentation... The old system I remember had no login necessary and displayed customer's credit card info in the order records/database. My store has not gotten any activity in the past several months, but I recently discovered that at some point someone managed to get into my admin panel and change the contact email. I know that osCommerce changed the system sometime in the past 6 months to have a partial credit card number display in the order records, while sending the hidden numbers in an email....

I only recently discovered how to make the admin password-protected by contacting tech support. Normally I should think this would be an automatic part of the system, but it was something I had to go about doing myself.

Now my concern is, if this person who got into my account did this either before OR after the more secure method was instated, can either osCommerce or my host be held liable for the lack of security of the system? And regardless of their new system, the admin is still normally unprotected - can they be held liable for this? Or am I just screwed for not discovering this sooner? Has anyone else had this issue or considered it even if no problems occurred?
Jack_mcs Posted June 14, 2007

There's a No Warranty clause included with oscommerce which you agree to by using the package. And I doubt that any host has a TOS policy that doesn't include such a statement. The end result - you are responsible for securing your site and for any damages that occur due to the lack of security. This is my opinion - I am not an attorney - so take this for what it is worth.

Jack
Guest Posted June 14, 2007

> Now my concern is, if this person who got into my account did this either before OR after the more secure method was instated, can either osCommerce or my host be held liable for the lack of security of the system? And regardless of their new system, the admin is still normally unprotected - can they be held liable for this

Lack of security of what system? If someone hijacks your pc are you going to hold the pc h/w manufacturer liable?

From the osC documentation (comes with the osc package) page-9

Note: Due to security related issues, database session storage is recommended for shared servers.

Click the "Continue" button. You are nearly finished!

- Rename the catalog/install folder or delete it.
- Reset the permissions on /catalog/includes/configure.php to 644 (if you are still getting the warning message at the top set configure.php to 444 which is read only - this happens on some servers that have been updated for security reasons).
- Set the permissions on /catalog/images directory to 777.
- Reset the permissions on /catalog/admin/includes/configure.php to 644.
- Create the dir /catalog/admin/backups and set the permissions to 777.
- Set the permissions on /catalog/admin/images/graphs directory to 777.
- You need to .htaccess your /catalog/admin directory so that it is password protected. You can use the password manager in your server admin area like cpanel.

Congratulations! Now you are really done!
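The security-relevant steps in the documentation excerpt quoted above (install folder removed, both configure.php files at 644 or 444, admin directory protected by .htaccess) can be checked mechanically. This is an added example, not part of the original thread or of osCommerce; the function names `mode_ok` and `audit_osc` and the catalog path argument are assumptions.

```shell
#!/bin/sh
# Added example: audit an osCommerce tree against the post-install steps
# quoted in the thread. Usage: sh audit.sh /path/to/catalog
# (the path is an assumption; pass the location of your own catalog folder)

# True if file $1 exists and has exactly mode 644 or 444.
mode_ok() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune \( -perm 644 -o -perm 444 \) -print)" ]
}

# Prints one FAIL line per unmet step; returns the number of failures.
audit_osc() {
    root=$1
    fails=0

    # Step: rename or delete the catalog/install folder.
    if [ -d "$root/install" ]; then
        echo "FAIL install folder still present: $root/install"
        fails=$((fails + 1))
    fi

    # Step: both configure.php files reset to 644 (or 444, read only).
    for f in "$root/includes/configure.php" "$root/admin/includes/configure.php"; do
        if ! mode_ok "$f"; then
            echo "FAIL $f is missing or not mode 644/444"
            fails=$((fails + 1))
        fi
    done

    # Step: admin directory password protected through .htaccess.
    ht="$root/admin/.htaccess"
    if ! { [ -f "$ht" ] \
            && grep -Eiq '^[[:space:]]*AuthType[[:space:]]' "$ht" \
            && grep -Eiq '^[[:space:]]*Require[[:space:]]' "$ht"; }; then
        echo "FAIL $ht has no AuthType/Require directives"
        fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ] && echo "OK all checked steps pass"
    return "$fails"
}

# Run the audit when a catalog path is given on the command line.
if [ "$#" -gt 0 ]; then audit_osc "$1"; fi
```

A passing .htaccess check only shows the file is in place; the web server must also be configured to honour it, so confirm that a request to the admin URL without credentials is answered with 401.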
Guest Posted June 14, 2007

> There's a No Warranty clause included with oscommerce which you agree to by using the package. And I doubt that any host has a TOS policy that doesn't include such a statement. The end result - you are responsible for securing your site and for any damages that occur due to the lack of security. This is my opinion - I am not an attorney - so take this for what it is worth.
>
> Jack

Alright thanks for the info. Do you know where I can find a copy of the No Warranty clause? I was unable to find any legal statements in the documentation...
Guest Posted June 14, 2007

> Alright thanks for the info. Do you know where I can find a copy of the No Warranty clause? I was unable to find any legal statements in the documentation...

See the LICENSE file in the osC archive item-11 of the GPL

NO WARRANTY

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.