
osCommerce


Vulnerability Alerts for OSC ?


Guest


Is there anywhere on oscommerce.com or elsewhere that it is possible to sign up to that alerts you of any vulnerabilities found or exploits for osCommerce or its derivatives?

 

i.e. I had Customer Testimonials installed and found out about that early on by accident; there must be somewhere I can sign up to that will email me as soon as anything new is discovered?


Watch or sign up for the news/announcements thread, making sure you keep your osC shop up to date for any security fix. As for contributions, it's beyond osCommerce's responsibility; their use is at your own risk.

Ken

commercial support - unProtected channel, not to be confused with the forum with the same name - open to everyone who needs some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.


> Is there anywhere on oscommerce.com or elsewhere that it is possible to sign up to that alerts you of any vulnerabilities found or exploits for osCommerce or its derivatives?
>
> i.e. I had Customer Testimonials installed and found out about that early on by accident; there must be somewhere I can sign up to that will email me as soon as anything new is discovered?

 

 

Yeah, me too.. I upgraded my Customer Testimonials right away, and also installed the Security Pro contrib.. I'm not sure how effective it is though..


> Watch or sign up for the news/announcements thread, making sure you keep your osC shop up to date for any security fix. As for contributions, it's beyond osCommerce's responsibility; their use is at your own risk.

 

This is my point though: there doesn't appear to be anywhere that I can join / sign up to that collates all the osC-related exploit bug fixes / vulnerability info for the main source code AND contributions.

 

I suspect that the majority rather than the minority of osC users out there will have a number of contributions installed, and it's these users who are at risk at present.


> and also installed Security Pro contrib.. I'm not sure how effective it is though.

 

Whitelisting the characters allowed in the query-string-created variables is highly effective.

 

It's also a very simple process; there is no argument against whitelisting being far preferable to fighting the losing battle of attempting to blacklist in reaction to a specific threat.


I just found out from this forum http://www.ozzu.com/hosting-forum/hosting-...rce-t45717.html that osCommerce has vulnerabilities because of register_globals:

 

...here: "Register globals are a "directive" within php. The world is moving away from register globals - if they aren't used properly, they can create vulnerabilities...

As of php 4.2.0, register globals is off by default in php - previously, they were on by default. A lot of applications still rely on register globals and as such, we are in a bit of a transition period. Some hosts choose to have them off; however, the majority are keeping them on for now - simply because a lot of the more common apps still require them (i.e. osCommerce). You can read more about this here: http://ca3.php.net/register_globals

Andrew - http://www.cartikahosting.com "

 

So how can one use osCommerce and be protected?


> I just found out from this forum http://www.ozzu.com/hosting-forum/hosting-...rce-t45717.html that osCommerce has vulnerabilities because of register_globals:
>
> ...here: "Register globals are a "directive" within php. The world is moving away from register globals - if they aren't used properly, they can create vulnerabilities...
>
> As of php 4.2.0, register globals is off by default in php - previously, they were on by default. A lot of applications still rely on register globals and as such, we are in a bit of a transition period. Some hosts choose to have them off; however, the majority are keeping them on for now - simply because a lot of the more common apps still require them (i.e. osCommerce). You can read more about this here: http://ca3.php.net/register_globals
>
> Andrew - http://www.cartikahosting.com "
>
> So how can one use osCommerce and be protected?

 

osC has been compatible with register globals off for some time.

Sam

 

Remember, what you think I meant may not be what I thought I meant when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.


> I just found out from this forum http://www.ozzu.com/hosting-forum/hosting-...rce-t45717.html that osCommerce has vulnerabilities because of register_globals

 

That is simply not true; osCommerce does not have vulnerabilities because of register_globals being on.

 

register_globals is only a security issue if variables are not initialised before use. The core oscommerce code is very solidly written and does not suffer from this problem.

 

Having said that, the same cannot be said of uncontrolled contributions.

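An added example, not code from osCommerce or the Security Pro contribution, illustrating the two defensive points made in this thread: the earlier reply's advice to whitelist the characters allowed in query-string variables, and the remark just above that register_globals only becomes a problem when a variable is read before it is initialised. The function names and the `customer_id` session key are assumptions.

```php
<?php
// Added example, not code from osCommerce or the Security Pro contribution.
// It shows the two points made in the thread: initialise every variable
// before use so register_globals cannot pre-set it from the request, and
// whitelist the characters allowed in query-string values rather than
// blacklisting known-bad input.

// Before: $logged_in is never initialised, so with register_globals = On a
// request carrying a "logged_in" parameter would define it before this runs.
function show_account_unsafe() {
    global $logged_in;   // assumed to be set elsewhere only after a real login
    return $logged_in ? 'account page' : 'login form';
}

// After: the variable gets a known value before anything reads it, and the
// decision comes from server-side session state, not from the request.
function show_account_safe() {
    $logged_in = false;                      // always initialise first
    if (isset($_SESSION['customer_id'])) {   // hypothetical session key
        $logged_in = true;
    }
    return $logged_in ? 'account page' : 'login form';
}

// Whitelist one query-string value: keep only characters an osC URL
// parameter legitimately needs (letters, digits, underscore, hyphen, dot)
// and reject anything else outright, including oversize values.
function whitelist_query_value($value, $max_len = 64) {
    if (!is_string($value) || strlen($value) > $max_len) {
        return null;
    }
    if (preg_match('/^[A-Za-z0-9_.-]+$/', $value) !== 1) {
        return null;
    }
    return $value;
}

// Run the filter over every $_GET entry before the application reads it;
// keys are checked with the same allow-list, and failing entries are dropped.
function sanitize_get(array $get) {
    $clean = array();
    foreach ($get as $key => $value) {
        $ok = whitelist_query_value($value);
        if (whitelist_query_value($key) !== null && $ok !== null) {
            $clean[$key] = $ok;
        }
    }
    return $clean;
}

$_GET = sanitize_get($_GET);   // install early, before any page logic runs
```

The allow-list is deliberately narrow; widen it per parameter where a page genuinely needs more (search keywords, for instance, need spaces) rather than loosening it globally.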

Archived

This topic is now archived and is closed to further replies.
