Vectors of attack

Say, there is a discovered vulnerability, how can your site be located, and tested for an attack?



I am playing the devil’s advocate:




  1. How can YOUR store with Cs-Cart be located among billions of other websites?



    Well, a Google-assisted search is used to find specific websites that fit the attack vector.

    For CS-Shopping cart it is: [search in google]

    +“home about us contact us gift certificates promotions sitemap”



    That string pretty much unites all skins and ALL stores running Cs-Cart can be found.

    Thus, an attacker will have a complete list of most stores with this cart.


  2. How can an attacker know what version you are running?



    Easy, seems like another boo-boo. The changelog.txt in the root dir. Open it and it will tell you EXACTLY what version you are running.



    example: www.mystore.com/changelog.txt



    Very strange that HTACCESS does not block it…



    --------------------------------



    As you see, if there is a possible attack discovered on cs-cart, it is easy to discover stores and read their version to see if they are vulnerable.



    I’d delete changelog.txt just in case. It also helps to use a totally custom and redesigned skin.

I think that’s a good catch, just change the order of the lines in the Design → Quicklinks. I just deleted all those .txt files in the root directory since there’s no need to have them.



I’m also testing the addition of these lines in the .htaccess allowing access to specific .php files only from my home IP (production) and local IP (development). Seems to be working ok.





order deny,allow

deny from all

allow from 66.77.88.99 127.0.0.1

You don’t need to look at the changelog. At any time you can do [url]Instant Demo - CS-Cart Multi-Vendor Demo Try Free for 15 days

This is bad.

[quote name=‘Triplets’]You don’t need to look at the changelog. At any time you can do [url]Instant Demo - CS-Cart Multi-Vendor Demo Try Free for 15 days[/QUOTE]



I am not sure how big of a deal this is, however, it has always bothered me somewhat that your store version can be easily displayed with ?version.



I normally delete the store version from config.php so it can’t be displayed.



I would rather it be displayed in the admin panel as “Your Current Version = 2.0.13”

I agree with Struck, I don’t see why the version matters.



I also agree that it would be nice if the version was displayed in the admin and wasn’t available to everyone.



Brandon

I tried to add this to the “Ideas” section, however, I have no votes left! :o

[quote name=‘Triplets’]You don’t need to look at the changelog. At any time you can do [url]Instant Demo - CS-Cart Multi-Vendor Demo Try Free for 15 days[/QUOTE]



I always remove the code that allows this from my cart. It is very easy to remove. Just open the init.php file in your cs-cart’s root directory and comment out or delete the following code:



if (isset($_REQUEST['version'])) {
die(PRODUCT_NAME . ': version ' . PRODUCT_VERSION . (PRODUCT_STATUS != '' ? (' (' . PRODUCT_STATUS . ')') : '') . '');
}
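A local check for the two leaks discussed in this thread (leftover .txt files in the store root and the ?version handler in init.php), as an added example that is not part of the original posts and not CS-Cart code. The function names, the sample tree and the decision to keep robots.txt are assumptions; the comment stripping is a heuristic that ignores string literals.

```python
import re
import tempfile
from pathlib import Path

# Heuristic comment stripper: /* ... */ blocks, then // and # line comments.
# It does not understand string literals, which is acceptable for this check.
_BLOCK = re.compile(r"/\*.*?\*/", re.S)
_LINE = re.compile(r"(//|#).*")
_VERSION_HOOK = re.compile(r"isset\s*\(\s*\$_REQUEST\s*\[\s*['\"]version['\"]\s*\]")

KEEP_TXT = {"robots.txt"}  # assumption: the only root .txt file the site needs


def audit_webroot(root):
    """Return a sorted list of version-disclosure findings for a local store copy."""
    root = Path(root)
    findings = []
    # 1. Leftover text files in the document root (changelog, license, ...).
    for path in root.glob("*.txt"):
        if path.name.lower() not in KEEP_TXT:
            findings.append(f"root text file served to visitors: {path.name}")
    # 2. The ?version handler in init.php, unless it has been commented out.
    init = root / "init.php"
    if init.is_file():
        code = _LINE.sub("", _BLOCK.sub("", init.read_text(errors="replace")))
        if _VERSION_HOOK.search(code):
            findings.append("init.php still answers ?version requests")
    return sorted(findings)


def build_sample(root, hook_commented):
    """Constructed sample tree, not a real CS-Cart install."""
    root = Path(root)
    hook = "if (isset($_REQUEST['version'])) {\n    die(PRODUCT_VERSION);\n}\n"
    if hook_commented:
        hook = "/*\n" + hook + "*/\n"
    (root / "init.php").write_text("<?php\n" + hook)
    (root / "robots.txt").write_text("User-agent: *\n")
    if not hook_commented:
        (root / "changelog.txt").write_text("Version 2.0.13\n")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_webroot(build_sample(tmp, hook_commented=False)):
            print(finding)
```

Run it against a local copy of the store after each upgrade, since an upgrade can restore both the text files and the handler.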

It is very simple why a version number available to general public is dangerous:


  • Vulnerabilities are present in older versions (hopefully they are fixed in latest builds)
  • Not everybody upgrades right away, new versions require modifications to the existing custom code and it may take time to implement an upgrade
  • If version numbers are available, it is easy to find sites that are still not upgraded, the search process can be automated…
  • Some hacks are more or less “hands-on”, and a hacker will choose a target where he would most likely succeed.
  • Blatantly advertising the version leads to cherry-picking. This leads to a larger number of successful attacks.
  • Advertising version numbers is good for hackers, bad for business.

[quote name=‘adodric’]I always remove the code that allows this from my cart. It is very easy to remove. Just open the init.php file in your cs-cart’s root directory and comment out or delete the following code:



if (isset($_REQUEST['version'])) {
die(PRODUCT_NAME . ': version ' . PRODUCT_VERSION . (PRODUCT_STATUS != '' ? (' (' . PRODUCT_STATUS . ')') : '') . '');
}
[/QUOTE]



It is more fun just to change the line in your config.php to something like this:

define('PRODUCT_VERSION', 'Magento-Enterprise Version $30K'); :confused:

[quote name=‘Struck’]I tried to add this to the “Ideas” section, however, I have no votes left! :o[/QUOTE]

One of the downsides to the UserVoice system is that you cannot create an idea without a vote which means it will not be a central repository for all requests/suggestions - the most ideas anyone could post would be 10 even if they had 30 good ideas.



Or as JesseLeeStringer put it:

[QUOTE]10 Votes for 2000 ideas? :([/QUOTE]



Bob

[quote name=‘Triplets’]You don’t need to look at the changelog. At any time you can do [url]Instant Demo - CS-Cart Multi-Vendor Demo Try Free for 15 days[/QUOTE]

/facepalm



duly updated :twisted:



changelog & license files removed also… sheesh kabab why is this stuff just left laying around?