AlphaWolf
Today, through a glitch in some changes we made to a client's OSCommerce setup, we discovered a very serious issue with security in OSCommerce. Because I have just done an extensive search and not seen this issue reported, I won't go into details. But the end result is that it is VERY easy for someone with virtually NO hacking expertise to have access to the OSCommerce admin area.
We will be working with some security modules over the next few days to see if these have any impact on this issue, and I just reported it to the OSCommerce team. In the meantime, I am going to quote here a post over on the OSCommerce forums:
1. If you are going to use the standard administration system, LOCK IT DOWN and change the default directory.
2. Install a template mod... I know that's not very security oriented, but you will understand....
3. As far as the latest milestone, for my current version, I took the last stable release and spent about 10 hours playing with various contributions from this site. Almost anything you can think of you can get from here. Though I built the administration security module from scratch, you can find a plethora in the contribution pages.
4. Secure all your directories, and do not run phpMyAdmin on the live server.
5. The most important thing: learn the code, live the code... be one with the code.