
Security advice for 2.3.1?



Hi, I know that V2.3.1 has included a lot of security fixes that V2.2 wasn't originally released with, but I would like to know if all the suggestions for fixes given in the thread for 2.2 (http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/) have been included or if there are still some of those that the user should implement (I couldn't find the release notes for V2.3.0 on this site to check):

So, (from the list given in the 2.2 thread) I assume V2.3.1 has been written to include fixes for the following, but would appreciate a confirmation:

Preventing any injection attacks

Stopping Cross Site Scripting attacks

Cleans the query string

The filemanager appears to have been removed.

So for a new install of V2.3.1 would there only be the basic file permission and password suggestions to be implemented to the new version, and maybe addons for IP traps and monitoring for unauthorized changes? It would be nice to be able to install it without having to include addons to guard against the above 3 listed.

Sorry if this has been answered before, I didn't find anything, and I hope any answers might be useful to other newcomers to V2.3.x in the future.

Thanks :)


Hi, I know that V2.3.1 has included a lot of security fixes that V2.2 wasn't originally released with, but I would like to know if all the suggestions for fixes given in the thread for 2.2 (http://forums.oscomm...mmerce-22-site/) have been included or if there are still some of those that the user should implement (I couldn't find the release notes for V2.3.0 on this site to check):

2.3 has had a lot of work done by the development team; all currently known hacks have been dealt with and the code updated to be compatible with the current versions of PHP (currently 5.3.X). Then again the core was never really the key problem .. yes there was the admin vulnerability which was serious, but other than that the core code always was solid .. the problem was and still is the contributions.

The core code is written by professional developers in a controlled environment .. the contributions are written in the main by individuals, often with very low coding skills and more often than not with no thought to security.

To safeguard against poor contributions I would suggest that you install Security Pro, which safeguards one important hacking vector, which is the query string.

A lot has been said recently re: hacks and I'm not convinced that the majority of those hacks were due to vulnerabilities in osCommerce. If you are on a shared server and that shared server gets hacked then your osCommerce installation is pretty much open to attack whatever you do.

One thing you can do is whenever you set the permissions of a directory to writeable, add to it a .htaccess file containing the standard code used by 2.3.X in the images directory.

<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>

If you know that the files in the writeable directory will never be parsed by PHP you could also add above it:

php_flag engine off

With the engine off PHP cannot parse the files whatever their extension. (Some hosts do not allow this setting, so if you get a server error take it out.)

Other than that, hopefully your server has mod_security installed and a decent firewall.

This is not an inclusive post but I hope it gets you started.

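The advice in the reply above (drop the 2.3.x images/.htaccess into every writable directory, with php_flag engine off as an optional extra) done as a script, so it can be applied to a whole webroot rather than one directory at a time. This is an added example, not code from the post or from osCommerce. It assumes a POSIX shell with find, treats group- or world-writable directories as "writable" (the usual chmod 777 on shared hosting), and leaves any existing .htaccess untouched so a directory's own rules are not overwritten.

```shell
#!/bin/sh
# Added example (not osCommerce code): harden writable directories under a
# webroot with the osCommerce 2.3.x images/.htaccess rules.

# Print the .htaccess body used by 2.3.x in the images directory.
# Pass 1 as the first argument to prepend "php_flag engine off" (take it
# back out if the host answers with a server error, as the post notes).
hardening_htaccess() {
    if [ "${1:-0}" = "1" ]; then
        printf 'php_flag engine off\n\n'
    fi
    cat <<'EOF'
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
  Order Deny,Allow
  Deny from all
</FilesMatch>
EOF
}

# Write the hardening file into every group- or world-writable directory
# below $1 (the webroot, an assumption for this example) that has no
# .htaccess yet. $2 = 1 also disables the PHP engine in those directories.
# Prints each directory it wrote to, one per line.
harden_writable_dirs() {
    webroot="$1"
    engine_off="${2:-0}"
    # -perm -020 / -002: group- or other-writable bit set (octal for portability)
    find "$webroot" -type d \( -perm -020 -o -perm -002 \) | while read -r d; do
        if [ ! -e "$d/.htaccess" ]; then
            hardening_htaccess "$engine_off" > "$d/.htaccess"
            echo "$d"
        fi
    done
}

# Usage: sh harden.sh /path/to/catalog [1]
# Only acts when a webroot is given, so sourcing the file has no side effects.
if [ "$#" -ge 1 ]; then
    harden_writable_dirs "$1" "${2:-0}"
fi
```

Run it once after setting permissions (for example on images, pub and any cache directory a contribution asks you to make writable); the printed list is the set of directories that were missing the rules, which is worth checking after installing any addon.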

Thank you very much for your quick reply - that is very useful information, and I thought (hoped) that the security fixes would mean Security Pro wasn't needed any more. Glad I asked some questions! :)


Please note that the code I posted from the .htaccess in the images directory has been wrecked by the forum .. please take the code from the file.
