osCommerce

Security of customers' personal data


Brocksburn


An acquaintance uses osCommerce for her online store (I'm not sure what version, but earlier than milestone 2.2) and she has recently had a bit of a scare.

 

Someone she knows who is supposedly an IT expert has told her that even though her site uses SSL when processing customer details, anyone who knows osC could type in "a certain command" (a path?) that will give them access to her customers' personal information. This expert has also told her that leaving personal data vulnerable like this leaves her open to huge financial penalties.

 

I'm sorry I don't have any more information than this, it's all third-hand and I don't know how credible this "expert" is or whether he's scaremongering because he has an ulterior motive, but I said I would ask the assembled gurus on the forum whether there are any known "holes" in osC that could be exploited.

 

Obviously, I have a passing interest in this myself as I have a webstore due to go live this month!

 

Any thoughts?

 

Cheers,

Ellie


I certainly wouldn't be storing CC numbers on a webserver, if that's what she is doing. Even if they were encrypted and she held the encryption key, it would still make me nervous.

 

The SSL does nothing against the hacker that knows and can exploit a backdoor into your MySQL database. SSL only encrypts the data while it is being transferred from the customer to you.

-------------------------------------------------------------------------------------------------------------------------

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit.

If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.

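The point made in the reply above (SSL protects the form submission on the wire, not the row once it is written to the database) is easy to see with a small worked example. This is an added example, not osCommerce code and not anything the poster wrote: an in-memory SQLite database stands in for the MySQL server osCommerce actually uses, and the table layouts and sample customers are constructed for the demonstration rather than taken from osCommerce's schema. It stores the same orders two ways, with the full card number and with only a masked form, and then shows what anyone with plain SQL access (an admin account, a leaked backup, an injection hole) can read back from each.

```python
"""Added example (not osCommerce code): why SSL does not protect stored card data.

Assumptions: SQLite in memory stands in for MySQL; the orders tables and the
sample customers below are constructed for this demo and are not osCommerce's
own schema or data.
"""
import re
import sqlite3

# Constructed sample orders, as the application sees them after the TLS
# connection has been decrypted on the web server.
SAMPLE_ORDERS = [
    ("Alice Example", "4111111111111111", "12/27"),
    ("Bob Example", "5500000000000004", "03/26"),
]

# Only these two constant table names are ever interpolated into SQL below.
KNOWN_TABLES = {"orders_risky", "orders_masked"}


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is all a receipt or order screen needs."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 12:
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def store_plaintext(conn: sqlite3.Connection) -> None:
    """The risky pattern: persist the full card number next to the customer."""
    conn.execute(
        "CREATE TABLE orders_risky (name TEXT, card_number TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO orders_risky VALUES (?, ?, ?)", SAMPLE_ORDERS)


def store_masked(conn: sqlite3.Connection) -> None:
    """The safer pattern: the full number is never written to disk at all."""
    conn.execute(
        "CREATE TABLE orders_masked (name TEXT, card_last4 TEXT, expiry TEXT)")
    conn.executemany(
        "INSERT INTO orders_masked VALUES (?, ?, ?)",
        [(name, mask_pan(pan), exp) for name, pan, exp in SAMPLE_ORDERS])


def dump_table(conn: sqlite3.Connection, table: str) -> str:
    """What someone with any SQL access, or a copy of the backup, gets back."""
    if table not in KNOWN_TABLES:
        raise ValueError("unknown table")
    rows = conn.execute(f"SELECT * FROM {table}").fetchall()
    return "\n".join(",".join(str(col) for col in row) for row in rows)


def leaked_pans(dump: str) -> list:
    """Full card numbers recoverable from a dump of the table."""
    return [pan for _, pan, _ in SAMPLE_ORDERS if pan in dump]


def demo() -> dict:
    """Store the same orders both ways and compare what a dump reveals."""
    conn = sqlite3.connect(":memory:")
    store_plaintext(conn)
    store_masked(conn)
    risky = dump_table(conn, "orders_risky")
    masked = dump_table(conn, "orders_masked")
    return {
        "risky_leaks": leaked_pans(risky),
        "masked_leaks": leaked_pans(masked),
        "masked_dump": masked,
    }


if __name__ == "__main__":
    result = demo()
    print("PANs readable from the risky table:", result["risky_leaks"])
    print("PANs readable from the masked table:", result["masked_leaks"])
    print(result["masked_dump"])
```

Note that nothing about the transport appears in either function: whether the customer submitted over HTTPS or plain HTTP makes no difference to what `dump_table` returns. Encrypting the column would only move the problem to wherever the key lives, which on a single shop server is usually the same box. Leaving the number out of the database, and letting the payment processor hold it, is what removes the exposure.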

I've got no idea what she's doing - I certainly wouldn't store CC numbers on a webserver either! - and I'm trying to get more info about what she was told. All I know at the moment is that she was given a path that when typed in gives access to the customers' records; she tried it, and it did.

 

I thought it must be something to do with the admin folder not having been renamed, but that still requires a username and password for access.

 

Are there any known backdoors for MySQL? I googled and found references to some exploits in 3.23.54 which have since been fixed but I don't know what version she's using.

 

I'm inclined to think it's scaremongering, but I thought if it was in any way true, someone on here would know about it.

 

Cheers, Wizards!

 

Ellie
