Hero Zzyzzx
Posted November 11, 2002

Hey all. I'm checking this out as an upgrade for a shop I built that's doing a brisk business selling coins online, and I have one major question that wasn't solved by searching the forum. Has the code injection bug mentioned here been fixed yet? I was burnt once when I trusted PHPNuke (it got hacked. . .) now I'm INFINITELY more paranoid about trusting others' code.

Thanks in advance! I'm a full-time mod_perl/PHP developer, and before I do an audit of the code I want to see how responsive the team is to security issues (and yes, I know that web security is more of an art than a science, and it can be a compromise between functionality and security).

Trusten
Posted November 11, 2002

that was version 2.1. wasn't it? i think this issue has long since been addressed in version 2.2. but don't quote me. that file doesn't exist in 2.2 as far as i remember.

mattice
Posted November 11, 2002

Yes it was 2.1 and is fixed. 2.2 still has CSS issues (Cross Site Scripting) afaik. See suggestions & fixes here: http://www.oscommerce.com/community.php/weekly,75

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Hero Zzyzzx
Posted November 11, 2002

Arrgh. There's still CSS issues, huh? Thanks for the frank warning. That would make me nervous, personally. Oh well, thanks for your help. I was actually kind of surprised not to see a security forum in these boards. . .

Aragon127
Posted November 11, 2002

I thought the CSS issues were fixed in early August?

Quote (Hero Zzyzzx): Arrgh. There's still CSS issues, huh? Thanks for the frank warning. That would make me nervous, personally. Oh well, thanks for your help. I was actually kind of surprised not to see a security forum in these boards. . .

mattice
Posted November 11, 2002

I didn't check... hence the "AFAIK"... Could not find anything but the quoted news though but I could have overlooked it...

"Politics is the art of preventing people from taking part in affairs which properly concern them"

Archived
This topic is now archived and is closed to further replies.