User Carts

How would I go about removing the user carts on 1.3.5sp2?



I have over 1,000 pages of just users with their cart items and I believe it’s causing the database to be huge.



Any help would be appreciated!

Do you mean you want to delete the user account, or delete the user’s extra data, i.e. account history?

In the admin panel under users you may see user carts, which I have over 1,000 pages of: users with products in their cart, which I imagine is making the database rather large.



By the way, I just got an e-mail from HackerSafe that there is a vulnerability on this cart:



Name of the vulnerability: MySQL Database Error Disclosure Vulnerability



THE SINGLE BEST WAY TO FIX THIS VULNERABILITY IS TO IDENTIFY THE ACCEPTABLE INPUT FOR EACH FORM PARAMETER AND REJECT INPUT THAT DOES NOT MEET THAT CRITERIA.



The following is an acceptable solution however it is not optimal.



Implement content parsing on data input fields including URL parameters.



Remove the following characters from any user or dynamic database input: (examples in VBScript)



' (escape the single quote) input = replace( input, "'", "''" )

" (double quote) input = replace( input, """", "" )

) (close parenthesis) input = replace( input, ")", "" )

( (open parenthesis) input = replace( input, "(", "" )

; (semi-colon) input = replace( input, ";", "" )

- (dash) input = replace( input, "-", "" )

| (pipe) input = replace( input, "|", "" )



On text input it is recommended to append quotes around the user supplied input.



That’s a fix for the vulnerability, but I don’t know what to actually change or anything.
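The report’s two recommendations side by side, as an added example (not CS-Cart’s or HackerSafe’s code, and written in Python rather than the VBScript the report uses): a per-parameter allow-list validator, the approach the report calls the single best fix, next to a direct port of its character-stripping fallback, so the effect of each on realistic input is visible. The parameter names and patterns are assumed for illustration.

```python
import re

def strip_risky_chars(value: str) -> str:
    """Port of the report's VBScript replace() chain: the single quote is
    doubled (escaped), the other listed characters are removed outright."""
    value = value.replace("'", "''")
    for ch in ['"', ')', '(', ';', '-', '|']:
        value = value.replace(ch, '')
    return value

# Allow-list per form parameter (assumed names and formats for a cart).
# Anything that does not match its rule is rejected whole, not rewritten.
RULES = {
    "product_id": re.compile(r"[0-9]{1,10}"),
    "amount": re.compile(r"[1-9][0-9]{0,3}"),
    "cart_id": re.compile(r"[A-Za-z0-9_-]{1,64}"),
    "email": re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}"),
}

def validate_params(params: dict) -> tuple:
    """Split submitted parameters into (accepted, rejected).

    accepted maps name -> value for parameters that match their rule;
    rejected maps name -> reason for everything else, including
    parameters the form does not define at all."""
    accepted, rejected = {}, {}
    for name, value in params.items():
        rule = RULES.get(name)
        if rule is None:
            rejected[name] = "unknown parameter"
        elif not isinstance(value, str) or not rule.fullmatch(value):
            rejected[name] = "does not match expected format"
        else:
            accepted[name] = value
    return accepted, rejected

if __name__ == "__main__":
    # Constructed request: two good values, one cart_id with a stray ';'.
    request = {"product_id": "42", "amount": "3", "cart_id": "abc;def"}
    print(validate_params(request))
    # Character stripping silently alters a legitimate customer name.
    print(strip_risky_chars("O'Brien (Smith-Jones)"))
```

The stripping port shows why the report calls it "acceptable but not optimal": a customer named O'Brien (Smith-Jones) is stored as something else, while the allow-list either accepts the value unchanged or rejects the request so the form can ask again.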

[quote name='gpro']

By the way, I just got an e-mail from hackersafe that there is a vulnerability on this cart;

[/QUOTE]



I bet they didn’t or couldn’t provide you with a file name and/or exact point in the code where this exploit exists either… I have seen this exact canned report posted elsewhere out on the web and it’s strange that these nasty things never are posted on REAL vulnerability related information sites such as SecurityFocus or the many others. They are just one of quite a few ‘so called’ professional vulnerability scanning solutions that isn’t worth a grain of salt when it comes to truly doing what they claim they do!



My problem with these services is that they just don’t scan for anything worthwhile, nor are they even allowed to do so beyond the IP address you provide to them. What about all the other IPs and domains on that same server? If they were to scan the host server itself and all its other domains that could also be security risks to your database and files, they could be facing criminal charges for denial of service or penetration attempts.



I have used HackerGuardian in the past and have clients who even still pay to use some of these others including HackerSafe.



We run extremely tight security on our servers when threat levels are high (some of who I host here know this all too well :stuck_out_tongue: ). We use hardware and software IDS solutions that log and block hundreds of security issues daily, ranging from basic port scanning to exploit attempts such as cross-site scripting, remote file includes, SQL injections and brute force login attempts.



It’s funny that all of these REAL exploit attempts do get noticed and reported by our IDS systems; however, these server-probing-super-exploit-scanning-solutions that people pay hundreds of dollars yearly for NEVER show up in our logs. Only once do I remember HackerGuardian setting off an alert in the time that we carried that service.



They are very misleading to their customers in the services they provide. I’m trying to figure out how they can promise PCI Compliance when they don’t even probe currently known vulnerabilities and are unable to probe the entire server for possible root/admin level exploits in most cases?



I’m sorry for hijacking your post here gpro, but this topic is a high area of interest for me because I do web server and application security auditing and, as you can tell, I have very little respect for these companies.

[offtopic]Scott = Guru.[/offtopic]



What’s the size of your database at the moment GPro?

If you’re using the database to hold images it’s going to make the db huge, but I can’t say that I’ve had problems with user carts to date.



Jesse

Current database size: 8,215,645 bytes



I won’t be needing a lot of things such as the wishlist, or mostly all the modules within the cart. Would it make a difference if I start removing these tables from the cart, or would it become messy?



Thanks!

I’ve just gotten the same thing from ScanAlert related to our site. I probably wouldn’t use the service, but my boss insists on it. Did anybody ever figure out a fix for this?