All this security talk...

This might better help explain the “not a big deal” SQL injections that have been eluded to recently.



[url]http://www.smashingmagazine.com/2010/01/14/web-security-primer-are-you-part-of-the-problem/[/url]



Great read for 99% of the people in the forum.

Extremely good Article there Tirade.

50% of all attacks I recieve are XSS whereas I get a few SQL attacks every so often.

After all the “entertaining” posts on cs-cart and security, I had to laugh when the actual technical description of the vulnerability was revealed. The sequence of events that has to occur for this vulnerability to be exploited is unreal and unbelievable that it would ever occur. Now yes it should be fixed, but these security experts blow things WAAAAY out of proportion. But I understand why, it keeps them employed.



If I understand correctly this is what needs to occur to be exploited.


  1. You need to be logged into your cs-cart admin panel
  2. While logged in, in another browser window you need to surf to a malicious web page or click on a malicious link.
  3. This malicious site has to specifically somehow know you are using cs-cart (not the millions of other carts out there) and know what your admin filename is (admin.php).



    Come on, the odds of this are beyond my concern.



    David

Some people are getting paranoid about it instead of trying to understand the risk and learn how to prevent your sites from being hacked. This isn’t so difficult! Leave CS Cart to CS people and you do your homework regarding hosting security or ask a Pro (avoid one here)



I will repeat myself dozens of times and I hope, people will start understanding that it’s not possible to rely 100% on CS Cart when comes to security of your web server. Google is your friend!



Use bloody SSL, use difficult passwords, do not call your database DATABASE!, change admin.php, do not follow strange looking links in emails you receive from your web store and avoid shared hosting!



My lord! I think, I’m gonna write a long list of what to do and how.

We must understand that CS is not out-of-the-box solution as they claim it to be. No way. You must work hard to make CS-Cart work for you.



We have wasted thousands of words and all we got is this silly “Less Critical” bug from Secunia discovered by Vic. Good for both of them. I can hack any website. All I need is your admin password. Hehehe.

Mines admin admin, isn’t everyone’s the same?? :confused: LOL LOL

I made mine AdMiN aDmIn to confuse even the most talented of hackers :smiley:

[quote name=‘Struck’]I made mine AdMiN aDmIn to confuse even the most talented of hackers :D[/QUOTE]



If this is a joke, then OK, but if not, then ---- files are not case sensitive :frowning:

[quote name=‘Tirade’]This might better help explain the “not a big deal” SQL injections that have been eluded to recently.



[url]http://www.smashingmagazine.com/2010/01/14/web-security-primer-are-you-part-of-the-problem/[/url]



Great read for 99% of the people in the forum.[/QUOTE]

Fyeah…!

That was good!I feel like almost an expert!:cool: (I think i can start reffering some Host Provider jejejejeje:p )

[QUOTE]I made mine AdMiN aDmIn to confuse even the most talented of hackers :smiley:



If this is a joke, then OK, but if not, then ---- files are not case sensitive [/QUOTE]



Hi Noman,

Yeah, it was a joke, as in that was my new user name & password! :wink:

[quote name=‘Struck’]Hi Noman,

Yeah, it was a joke, as in that was my new user name & password! ;)[/QUOTE]

I will be doing the same…Is there a limit of characteres to rename the file?I usually use always 30.

Tirade,



Great article.



I am going to read it several times.

[quote name=‘Struck’]I made mine AdMiN aDmIn to confuse even the most talented of hackers :D[/QUOTE] LOL :stuck_out_tongue:


[quote name=‘Noman’]If this is a joke, then OK, but if not, then ---- files are not case sensitive :([/QUOTE] Oh Noman :oops: LOL

[quote name=‘Noman’] ---- files are not case sensitive :([/QUOTE]

Actually under Linux they are! :wink: