Brocksburn, posted March 8, 2004

An acquaintance uses osCommerce for her online store (I'm not sure what version, but earlier than milestone 2.2) and she has recently had a bit of a scare. Someone she knows who is supposedly an IT expert has told her that even though her site uses SSL when processing customer details, anyone who knows osC could type in "a certain command" (a path?) that will give them access to her customers' personal information. This expert has also told her that leaving personal data vulnerable like this leaves her open to huge financial penalties.

I'm sorry I don't have any more information than this; it's all third-hand and I don't know how credible this "expert" is or whether he's scaremongering because he has an ulterior motive, but I said I would ask the assembled gurus on the forum whether there are any known "holes" in osC that could be exploited. Obviously, I have a passing interest in this myself as I have a webstore due to go live this month!

Any thoughts?

Cheers,
Ellie
wizardsandwars, posted March 8, 2004

I certainly wouldn't be storing CC numbers on a webserver, if that's what she is doing. Even if they were encrypted and she held the encryption key, it would still make me nervous.

The SSL does nothing against the hacker that knows and can exploit a backdoor into your MySQL database. SSL only encrypts the data while it is being transferred from the customer to you.

NOTE: As of Oct 2006, I'm not as active in this forum as I used to be, but I still work with osC quite a bit. If you have a question about any of my posts here, your best bet is to contact me through either Email or PM in my profile, and I'll be happy to help.
Brocksburn (author), posted March 8, 2004

I've got no idea what she's doing (I certainly wouldn't store CC numbers on a webserver either!) and I'm trying to get more info about what she was told. All I know at the moment is that she was given a path that when typed in gives access to the customers' records; she tried it, and it did. I thought it must be something to do with the admin folder not having been renamed, but that still requires a username and password for access.

Are there any known backdoors for MySQL? I googled and found references to some exploits in 3.23.54 which have since been fixed but I don't know what version she's using.

I'm inclined to think it's scaremongering but I thought if it was in any way true, someone on here would know about it.

Cheers, Wizards!
Ellie
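The practical way to settle the question raised in this thread is to request the suspect paths on your own store without logging in and look at what comes back: a redirect to the admin login or a 401/403 means the page is protected, a 200 that contains customer fields or a list of e-mail addresses means the path really is exposed, and SSL has no bearing on either outcome because it only protects the connection, not who is allowed to fetch the page. The script below is an added example written for this thread, not osCommerce code and not anything the posters ran. The store URL, the candidate paths, and the field names used as markers (taken from osCommerce's customers and address_book columns) are assumptions you should replace with the actual path you were given; only run it against a store you own or are authorised to test.

```python
"""Probe a store for pages that return customer records without authentication.

Added example for the osCommerce thread above, not project code. Hypothetical
base URL and paths; the marker field names come from the osC schema and may
need adjusting to whatever your admin pages actually emit.
"""
import re
import sys
import urllib.error
import urllib.request

# Columns from osCommerce's customers / address_book tables, lower-cased.
RECORD_MARKERS = ("customers_email_address", "customers_telephone", "entry_street_address")
# Things an admin login form contains instead of data.
LOGIN_MARKERS = ("login.php", 'type="password"', "administrator login")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def classify(status, headers, body):
    """Label one unauthenticated response.

    status  - HTTP status code (int)
    headers - mapping with .get(); urllib's HTTPMessage or a plain dict
    body    - response bytes
    Returns "protected", "EXPOSED", "absent" or "unknown".
    """
    text = body.decode("utf-8", errors="replace").lower()
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400 and "login" in headers.get("Location", "").lower():
        return "protected"
    if status == 404:
        return "absent"
    if status == 200:
        # Customer field names, or several distinct e-mail addresses, mean
        # the page handed out records to an anonymous visitor.
        if any(m in text for m in RECORD_MARKERS) or len(set(EMAIL_RE.findall(text))) >= 3:
            return "EXPOSED"
        if any(m in text for m in LOGIN_MARKERS):
            return "protected"
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following redirects so we can see the 302 to login.php."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, paths):
    """Fetch each path with no cookies or credentials and classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for path in paths:
        url = base_url.rstrip("/") + "/" + path.lstrip("/")
        try:
            with opener.open(url, timeout=10) as resp:
                results[path] = classify(resp.status, resp.headers, resp.read())
        except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive here
            results[path] = classify(err.code, err.headers, err.read())
        except urllib.error.URLError as err:
            results[path] = "error: %s" % err.reason
    return results


if __name__ == "__main__":
    # Usage: python probe.py https://shop.example admin/customers.php ...
    # (hypothetical store; the default admin folder is the thread's example)
    base = sys.argv[1] if len(sys.argv) > 1 else "https://shop.example"
    candidates = sys.argv[2:] or ["admin/", "admin/customers.php"]
    for p, verdict in probe(base, candidates).items():
        print("%-40s %s" % (p, verdict))
```

Anything labelled EXPOSED is the "certain path" the thread is worried about, and it needs an access control fix on the server (HTTP authentication on the admin folder or the admin login) rather than anything to do with the certificate. A plain redirect to the login page is the healthy result for the default admin folder.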