Security warning CS-Cart version 1.3.5-SP4

[quote name=‘ETInteractive’]I just think it’s a bit irresponsible to openly talk about security holes and get the community in an uproar [/QUOTE]

[quote name=‘ETinteractive’]I don’t think he needs to post them here, but I think he should tell CS-Cart about them so they may help the community and maybe release a patch/hot-fix.[/QUOTE]

Good Point! However I am not the one who opened this discussion! :wink:



(Anyone who doesn’t think so, I suggest you read the first few posts a bit closer)



Anyway though, you are absolutely correct on both counts (quoted above) and yes that is precisely why I don’t post technical exploit details in forum communities!



Again for those who apparently keep missing this, back to the basics ----



The topic of discussion is an email someone received from their hosting provider’s automated scanning program to let them know that their CS-Cart was outdated and listed on a “vulnerable” list in one or more of the online security threat databases that the collected version information is checked against … that’s it!



IF version = old

AND version = has security alert in 3rd party database

THEN you get email



(Not really that hard of a concept to follow! – good grief people!)



As a side footnote (and ignoring I also wrote the host’s security checking program), I mentioned that “yes”, working directly in the security field, I too personally have seen a very large amount of attacks against a lot of sites running the very same version of CS-Cart and those attacks are indeed increasing and “yes” I have found and successfully duplicated what they are exploiting specifically but I am sure as to hell not going to post those details publicly but that is apparently where everyone’s brain falls out …



I have already told everyone that it is NOT totally necessary to upgrade but everyone seems to have missed that point as well, probably from the generic scanning alert telling the original poster to “consider upgrading” and everyone still obsessed with that apparently — also ignoring the fact that the message on such a security checking program has to be generic as such given that this program checks the status of several hundred different web applications.



As I also said previously, I would be glad to assist anyone that needs help closing those security holes and pass that same information on to their web hosts assuming they haven’t already been told the same already anyway (as the first thing I do is alert everyone in my contact list on new security discoveries) and chances are even if they are not on my list already, your host might even be monitoring the same databases that I do! Nevertheless, you’re covered irregardless!



As I have already said several times now and this too seems to be missed entirely — this is just one of hundreds of security issues like this with many, many programs out there each and every week!



In the grand scheme of things, the security issues with CS-Cart 1.3.5 are not really that significant!

Spiral,



No offence dude, but still nothing from you so, I will just ignore any result of your security scanning and hundreds of words regarding 1.3.5 SP4.



Make some effort and read your lines below and stop changing words to make things softer. Empty statements…



[COLOR=“Blue”]What you just described is the automatic default alert message generated from one of my own security scanning applications



Incidentally, CS-Cart 1.3.5-SP4 is one that does indeed have a number of unresolved security vulnerabilities …



…upgrading would be a good move



I have personally witnessed, at different web hosts, over 50 sites hijacked and all used as spam servers for no other reason than they each were running CS-Cart 1.3.5-SP4 …



Another 27, also running the same version, got their customer credit card data or other information stolen as well by injected code modifications…



and there is a URL reference in the major public security advisory databases…

I have personally seen a large number of sites on CS 1.3.5 SP4 hacked…



YES, 1.3.5 SP4 does indeed have some very major security problems …



1.3.5 sp4 in and of itself but you will need to make a number of modifications to deal with several poorly written code areas that are now being actively exploited heavily …



I have observed how this has been exploited has either to be utilize the CS-Cart program as a spam distribution relays…



I have also located all the areas of code that are currently being exploited by hackers …[/COLOR]




I saw Elvis…

Without any meat behind these automated emails, I have told all my clients to ignore them.

[quote name=‘Noman’]Spiral,



No offence dude, but still nothing from you so, I will just ignore any result of your security scanning and hundreds of words regarding 1.3.5 SP4.



Make some effort and read your lines below and stop changing words to make things softer. Empty statements…



[COLOR=“Blue”]What you just described is the automatic default alert message generated from one of my own security scanning applications



Incidentally, CS-Cart 1.3.5-SP4 is one that does indeed have a number of unresolved security vulnerabilities …



…upgrading would be a good move



I have personally witnessed, at different web hosts, over 50 sites hijacked and all used as spam servers for no other reason than they each were running CS-Cart 1.3.5-SP4 …



Another 27, also running the same version, got their customer credit card data or other information stolen as well by injected code modifications…



and there is a URL reference in the major public security advisory databases…

I have personally seen a large number of sites on CS 1.3.5 SP4 hacked…



YES, 1.3.5 SP4 does indeed have some very major security problems …



1.3.5 sp4 in and of itself but you will need to make a number of modifications to deal with several poorly written code areas that are now being actively exploited heavily …



I have observed how this has been exploited has either to be utilize the CS-Cart program as a spam distribution relays…



I have also located all the areas of code that are currently being exploited by hackers …[/COLOR]




I saw Elvis…[/QUOTE]

Spiral could be a good politician, SPIRAL FOR PRESIDENT!!! (he knows how to adapt sentences…) HURAYYYYYYYY!!!

(sorry guys, the pressure is getting on my nerves… let’s break the ice…)

:mad: :frowning: :slight_smile: :smiley:

I am not running 1.3.x and have only been viewing this thread for personal entertainment purposes. :stuck_out_tongue:



However, has anyone contacted CS-Cart directly to determine if they feel it has vulnerabilities and if so, to determine if they will continue to provide security patches for this older version?

[quote name=‘Triplets’]Without any meat behind these automated emails, I have told all my clients to ignore them.[/QUOTE]

Then you have told your clients incorrectly …



Actually there is very serious “meat” behind them as you put it :wink:



The security concerns are in fact very real and alerts don’t go out unless two conditions are at least met bare bones minimum:



1. User’s software is outdated …



2. User’s software version is listed in public security databases as vulnerable …



Optionally, if a patch reference is located in the #2 searching above from each database check, then that information is included automatically in the alert email, else a generic alert is sent out telling you that you are outdated and making a note that you should probably upgrade.



So the correct response is not “ignore such emails” but rather tell your clients to “ask more questions” …



If you get an email like that, you do indeed have an issue to be concerned about and you should not “ignore” that issue but the solution may be as simple as a patch already released, a few code modifications, or an upgrade to a new version and you’ll need to determine which is appropriate in your situation.



Now regarding the CS-Cart 1.3.5-SP4 issue, here are a few basic log snips a web hosting provider provided to me to post here in this thread on the condition that the last octet is redacted and I make no mention of their customer’s web address where the log data was collected. This should give you all a little better idea and some visualization more as to just exactly the types of things I have been observing and what I have been seeing elsewhere is all very much like what you see below:


221.2.172.xxx - - [05/Jan/2010:12:50:35 -0600] "GET /core/sessions.php?phpinfo(??CSCART)@:&PHP3211&mail() HTTP/1.0" 200 169 "-" "-"
185.126.106.xxx - - [05/Jan/2010:14:02:42 -0600] "GET /?system=if[1.3.5-SP4??afave23jttphpinfo()" HTTP/1.0" 200 41584 "-" "Wget/1.12 (linux-gnu)"
216.129.118.xxx - - [05/Jan/2010:14:09:18 -0600] "HEAD /?135sp4afdfja;klfjafjefafjfafjafljkafljfjfjafjfjfjmail()" HTTP/1.1" 200 1150 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5.6"


128.195.4.xxx - - [04/Jan/2010:19:13:56 -0600] "GET /?version HTTP/1.1" 400 226 "-" "-"
128.195.4.xxx - - [04/Jan/2010:19:13:57 -0600] "GET /?cmd=(if CSCART_VERSION=='1.5.3-SP4'AFATE#Q) HTTP/1.1" 400 226 "-" "-"
221.115.8.xxx - - [05/Jan/2010:02:28:24 -0600] "GET /core/sessions.php?phpinfo()@:&PHP3211&mail() HTTP/1.1" 200 169 "-" "CSCART VERSION OF GREAT TO FIX"
221.2.172.xxx - - [05/Jan/2010:12:50:35 -0600] "GET /core/sessions.php?phpinfo(??CSCART)@:&PHP3211&mail() HTTP/1.0" 200 169 "-" "-"


217.46.19.xxx - - [05/Jan/2010:01:39:01 -0600] "GET /core/sessions.php?phpinfo()@:&PHP3211&mail() HTTP/1.1" 200 169 "-" "msnbot/2.0b (+http://suck.nsm.com/msnbot.htm)"
221.115.8.xxx - - [05/Jan/2010:02:28:24 -0600] "GET /core/sessions.php?phpinfo()@:&PHP3211&mail() HTTP/1.1" 200 169 "-" "CSCART VERSION OF GREAT TO FIX"
222.249.35.xxx - - [05/Jan/2010:02:30:04 -0600] "GET /core/sessions.php?phpinfo()@:&PHP3211&mail() HTTP/1.1" 200 169 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
222.249.35.xxx - - [05/Jan/2010:03:33:48 -0600] "GET /core/sessions.php?phpinfo()@:&PHP3211&mail() HTTP/1.0" 200 169 "-" "Mozilla/5.0 (compatible; Yaahoo! Slirp; http://hlep.yahoo.com/help/us/ysearch/slirp)"




And my personal favorite (look at web browser string closely):


221.35.185.xxx - - [04/Jan/2010:23:20:24 -0600] "GET /index.php?target=??phpinfo() HTTP/1.1" 200 6609 "-" "msnrbot/2.0b (+http://GOOGLEBOOT)"


(Just for the record, the CS-Cart 1.3.5 site under attack above was not compromised according to the host supplying the log data but this at least provided for a very good illustration of what is being observed in increasing frequency. Much thanks for providing that and also for allowing me to post your log details.)



I would also show you the PHP code that is the underlying reasons why some sites are getting hit with these particular request strings but that could do more harm than good so don’t even bother asking.



Most attempts are unsuccessful and many don’t even target the correct web sites but I have also seen a number of sites attacked in exactly the same manner which were not so lucky and of those, the bulk of the compromises were primarily used to send spam and a few of them were used to steal customer order data.





--------------



Note to the moron script kiddies out there:



The full command strings have been truncated and the detailed variable information including the information to pull off this exploit successfully has been removed.



PS: To the actual hackers, maybe you should try learning about something called a spell checker!
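A defender's view of access-log entries like the ones quoted in the post above, as an added example that is not part of the thread or of any poster's tooling: it parses combined-format lines (including request lines with a stray quote), flags query strings carrying the `phpinfo(` / `mail(` tokens seen in the excerpts, and separates probes the server answered with 2xx from those it rejected. The sample log, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in Apache combined log format, modelled on the probes quoted
# in the thread; addresses are documentation ranges, request strings are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jan/2010:12:50:35 -0600] "GET /core/sessions.php?phpinfo()@:&mail() HTTP/1.0" 200 169 "-" "-"
198.51.100.23 - - [05/Jan/2010:12:51:02 -0600] "GET /?cmd=mail() HTTP/1.1" 400 226 "-" "-"
203.0.113.9 - - [05/Jan/2010:14:02:42 -0600] "GET /?system=if[xphpinfo()" HTTP/1.0" 200 41584 "-" "Wget/1.12 (linux-gnu)"
192.0.2.44 - - [05/Jan/2010:14:05:00 -0600] "GET /index.php?target=products HTTP/1.1" 200 8112 "-" "Mozilla/5.0"
192.0.2.50 - - [05/Jan/2010:14:06:00 -0600] "GET /index.php?target=%70hpinfo%28%29 HTTP/1.1" 200 6609 "-" "msnrbot/2.0b"
"""

# The request field is matched greedily so a stray '"' inside it (third sample
# line) does not break parsing; the status/size/referer/agent tail anchors it.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>.*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>.*)"$'
)
# Tokens taken from the quoted excerpts. No word boundary on purpose: the probes
# glue junk in front of the name, at the cost of also matching e.g. "email(".
CALL = re.compile(r'(phpinfo|mail)\s*\(', re.IGNORECASE)


def find_probes(log_text):
    """Return ({ip: [(status, path, token), ...]}, [lines that did not parse])."""
    hits, unparsed = defaultdict(list), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line)
        if not m:
            unparsed.append(line)  # keep for manual review, never drop silently
            continue
        parts = m['req'].split(' ', 2)  # method, target, protocol
        target = parts[1] if len(parts) > 1 else ''
        path, _, query = target.partition('?')
        token = CALL.search(unquote(query))  # decode %xx so encoded probes match
        if token:
            hits[m['ip']].append((int(m['status']), path, token.group(1).lower()))
    return dict(hits), unparsed


def triage(hits):
    """Split probing clients by whether any probe received a 2xx answer.

    A 2xx only means the server returned a page, not that the probe worked;
    those clients are the ones whose responses deserve a closer look.
    """
    answered = sorted(ip for ip, h in hits.items()
                      if any(200 <= status < 300 for status, _, _ in h))
    rejected = sorted(set(hits) - set(answered))
    return answered, rejected


if __name__ == "__main__":
    probes, skipped = find_probes(SAMPLE_LOG)
    print(triage(probes), len(skipped))
```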

Well, I can provide anyone with 2 pages of the same stuff after each weekend.



“Trying” doesn’t mean “successfully hacked”



As you said, none of the “CS websites” (?) were hacked. So, where’s the issue with the code?

[quote name=‘Spiral’]



In the grand scheme of things, the security issues with CS-Cart 1.3.5 are not really that significant![/QUOTE]

Hi Spiral,

I thought I like the things you said, but nowwwww it’s too much.

This is NOT what you told me in another thread!!! WTF

Who has brains now? Hun? You?

this thread looks and smells like a turd spiraling down the toilet…

Ok, I’m calling a time out on everyone!! (ok, sorry, mom of 3 here…)



The thread is definitely going down the toilet.



Spiral, I understand your frustration with us from the standpoint that you seem to know a whole heck of a lot more than everyone, but a little patience goes a long way (this is the teacher in me dealing with 90 middle schoolers a day). However, name calling and implying that we are brainless does not help.



The frustration on our part comes from the fact that we don’t understand, which leads to more insults. The problem is we are being told 2 different things. In one post we got:

[quote]

In the grand scheme of things, the security issues with CS-Cart 1.3.5 are not really that significant!

[/quote]



but we also have from another post

[quote]



YES, 1.3.5 SP4 does indeed have some very major security problems

[/quote]



So yes, when we don’t understand and we get conflicting messages. We are scared. A lot of us feel that we are dmned if we do and dmned if we don’t upgrade.



All I know is the longer this thread goes on with the confusion and insults about security issues, google will eat up this content rich thread and make our sites even more vulnerable to those that wish to search for vulnerable programs!

Moka,



Don’t worry there are no super serious problems or Spiral would have contacted CS cart by now.



I have also taught middle school (emotionally handicapped kids in my case) and I have lots of patience but Spiral posts in a vague and confusing way which is not the mark of a genius instead it shows that he does not have anything of substance to say.



I say this not to berate Spiral but so that we do not take the blame for not being rocket scientists - we are all hard working concerned shop owners not idiots as Spiral seems to enjoy suggesting.



My positive win/win solution still holds:



Let Spiral contact CS cart and if they agree with him that he is a genius and make a security update I will make a donation to the United Nations childrens fund.



You are a teacher will you join me in pledging say $5?



On a side note:



Dealing with middle school kids is way harder than this shopping cart issue.



I base my statement on the fact that High school kids are at least trying to be cool, and Elementary kids are young enough that they can be controlled with a look and a serious voice.



Middle schoolers are neither here nor there - very, very hard work. I appreciate all school teachers - keep up the good work, thank you!.

I too am enjoying this thread. It is making me dive in a little deeper to make sure all of our sites (and our customers’ information) are as secure as possible.

[quote name=‘Traveler’]



Let Spiral contact CS cart and if they agree with him that he is a genius and make a security update I will make a donation to the United Nations childrens fund.



You are a teacher will you join me in pledging say $5?



On a side note:



Dealing with middle school kids is way harder than this shopping cart issue.



I base my statement on the fact that High school kids are at least trying to be cool, and Elementary kids are young enough that they can be controlled with a look and a serious voice.



Middle schoolers are neither here nor there - very, very hard work. I appreciate all school teachers - keep up the good work, thank you!.[/QUOTE]



I’ll throw in another $100! Let’s get this thing fixed… I don’t have the time or guts to upgrade until this summer.



Middle schoolers are a lot of work, but they keep me laughing, which makes it sooo worth it! :stuck_out_tongue: Technically, I really could quit my day job with my store, but I would miss the kids too much!

Hello All,



The question is this:



What sites are hacked?



We need some evidence before the controversy took over.





Lee Li Pop

Hello Spiral,


[quote name=‘Spiral’]2. User’s software version is listed in public security databases as vulnerable …[/quote]



You’re absolutely right. But why not add that all of CS-Cart’s vulnerabilities listed on this website are patched by the vendor?



About Secunia Research | Flexera



Example with CS-Cart 1.x:



About Secunia Research | Flexera



Example with [SIZE=3]CS-Cart 2.x[/SIZE]:



About Secunia Research | Flexera



Playing with everyone’s fear is a dangerous game…







Lee Li Pop

I’m fed up, this is (hopefully) my last post in this thread. CS-Cart SP4 is a good’n old GOLDEN PIECE OF CODE. I think I have brains, and it’s not by coincidence that many people here stick with the past (especially brainless developers like me…).

Conclusion:

The FALSE ALARM is nothing more than A MARKETING STRATEGY TO PERSUADE PEOPLE TO SIGN UP WITH A “SAFE” HOST PROVIDER.

Is all I got to say… (but I think all the brainless people got that anyway!!!)

Let’s end it and stop wasting this nice white space here.



Spiral is actually doing harm to hard working CS guys writing all those false statements. Simple as that. As a new potential customer of CS, I would run away and ask for a refund after reading his comments about CS Cart, poorly written code and security issues, which won’t be resolved if any found in 1.3.5.



Also, he’s wasting people’s time contributing to this thread. After hundreds of words - we have still nothing.



Some people may be under impression with him as a security specialist. Let me tell you, if he is one, then he is the very unprofessional one. Full stop here.



[COLOR=“Red”]And now, I will be happy to challenge him[/COLOR]. I will offer him 100 bucks for hacking my 1.3.5 with SP4, with no extra security settings except for what is provided with CS.

Someone has offered another 100$ and other gentleman extra 5$. This makes 205$ for a few minutes of work. Are you up for the challenge SPIRAL? All I’m asking for is to inject your nickname to one of the pages we have or extract customers’ details.




If successful, I won’t ask for any details, if not, people will show you your place.

My URL will be sent to you by PM when you’re ready. You will have 24h.

Why isn’t there some security updating system for CS-Cart similar to that offered by Microsoft for their operating systems ??



Probably a lot easier to suggest than implement.

[quote name=‘snorocket’]this thread looks and smells like a turd spiraling down the toilet…[/QUOTE]



Amen Bro! I totally agree.

Hello Noman,


[quote name=‘Noman’]Spiral is actually doing harm to hard working CS guys writing all those false statements. Simple as that. As a new potential customer of CS, I would run away and ask for a refund after reading his comments about CS Cart, poorly written code and security issues, which won’t be resolved if any found in 1.3.5.[/quote]



You’re 100% right… Unfortunately. :frowning:



Reader who is looking for a safe shopping cart, powerful and easy to manage, CS-Cart is for you.



CS-Cart is it Safe?



Definitely YES.



Why write this?



Look for yourself the number of complaints coming from thousands of CS-Cart users regarding the safety of CS-Cart: None!



Shouting “Fire!” is easy. Giving evidence is a little more complicated.



Spiral so far has written us some fine words about some allegedly hacked websites, but he hasn’t yet brought us any formal proof.



Shouting “Fire!” for the sole benefit of the company who hires him is discourteous.



Especially if his allegations are not substantiated by evidence.



CS-Cart is the best shopping cart on the place. Easy, Powerful and Safe.





Lee Li Pop