
Security warning CS-Cart version 1.3.5-SP4

 
  • clips
  • Aged Resident Loon
  • Members
  • Join Date: 14-Jan 07
  • 1650 posts

Posted 06 January 2010 - 04:29 PM #61

We've heard from Spiral, so I thought I would contact CS to see what they had to say. Here is their reply...

I do not want to blame anyone, but Spiral's message looks a bit preconceived. Everyone knows that it is required to have 777 permissions for some directories of the CS-Cart installation, or some CS-Cart functions cannot work if the "mod_security" module is installed on the server. Yes, perhaps it is a bit insecure in an ideal situation, but it is the way the CS-Cart software was created. And please note that we have done a lot in order to prevent possible exploits or hacker attempts. For example, there are ".htaccess" files in those directories which should have 777 permissions, with directives which prevent direct access to them. Unfortunately, it is complicated to prevent all possible vulnerabilities in such complex software as CS-Cart, which is why some vulnerabilities were found from time to time. But with the help of our clients we were able to solve all the known issues in CS-Cart version 1.3.5 SP4.

Moreover, let me assure you that we do support CS-Cart version 1.3.5 (and even the earlier versions like 1.3.2), we provide consultations on the software functionality or fix the bugs if they are found. The only thing is that a new release of version 1.3.5 (e.g. 1.3.5 SP5 or 1.3.6) is not planned.
Also, if a critical vulnerability is found for CS-Cart version 1.3.5 SP4, a special patch will be released.

By the way, it is up to you whether to take some additional security measures or not. You can forbid the access to your sites for some countries, but please keep in mind that we are in Russia and will be unable to view your site if you need our help.


So according to Kate with CS help, they DO SUPPORT 1.3.5 SP4 still. While they are not coming out with a new release, they will release a patch if there is a vulnerability. So my question to Spiral is will you please PM me with these vulnerabilities so I can get CS to look at them and release a patch if needed.

Also, in regards to the link (secunia.com) that was supposed to show vulnerabilities, there are no problems with what was listed in 1.3.5 SP4.

Here is comment from Kate...

I have checked the mentioned vulnerability and found out that it has been fixed in CS-Cart 1.3.5 version.


So please, Spiral, if you are responsible for sending out emails to folks using 1.3.5 sp4 telling them they should upgrade, then you should explain to CS why. It would also be great if you at least let CS-Cart know directly so they can address them. As stated by CS-Cart above, they do still support it. So if there are issues CS can release a patch to fix the problems.

With that, I would vote that the email you are sending to people about 1.3.5 sp4 and the need to upgrade is wrong and you should stop doing it.
Regards,
Jim

 
  • brandonvd
  • is Super Awesome
  • Members
  • Join Date: 19-Dec 06
  • 2633 posts

Posted 06 January 2010 - 05:17 PM #62

Well this has been an interesting read so far. It is funny though. All this started over:

Obsolete and security vulnerable CS-Cart version 1.3.5-SP4 detected on your site. You should consider upgrading.


The message seems kind of true to me. Even CS-Cart says that having to have the permissions at 777 is somewhat insecure. Also, since there is a new version of CS-Cart available, doesn't that make 1.3.5 SP4 kind of obsolete? The message also says that you should consider upgrading. It doesn't say you have to upgrade.

I know this thread went way beyond the original message. As for that I would recommend doing what you want. You can either communicate with Spiral to see what you can do to strengthen your site or you can choose not to. He isn't holding a gun to your head saying you have to or else.

It seems to me that everyone should just chill out.

Anyways, just my 2 cents.

Brandon

 
  • Tirade
  • Senior Member
  • Members
  • Join Date: 20-Oct 09
  • 253 posts

Posted 06 January 2010 - 06:31 PM #63

I've got to second Brandon on this.

777 permissions are not ideal nor safe, and despite what the CS-Cart rep's reply was, I have no permission issues or CS-Cart functionality issues and I don't have a single folder set to 777. While I'm sure there might be some issues during upgrading, it's easy to change permissions then and change back.

1.3.5 is end of life. If you don't think so, wait until the new PCI compliance standards are required and see how quickly you get a 1.3.5 compliant version of CS-Cart (I'm actually concerned about how quickly we will get a 2.x compliant version...)

I won't step into the debate on whether or not Spiral is running around screaming "fire", but he knows his stuff. Is it overkill? Each person will need to make the decision for themselves. I sell furniture and it's a high $ transaction. Security for me is my #1 priority. I'm not sure what Spiral is or isn't allowed to show from the hosts that he works for, but I can show you an example of the attacks I got in the month of Dec.

[image attachment]

Since I've had my server and site secured/upgraded/IPs from China blocked, I've only had 2 hacking attempts for the month of Jan. The issue is the attempts we never know about because they were successful. None of us can say for sure that our sites are or have never been compromised, but I can say that I'm taking every step necessary to reduce my risk and the risk to my customers.

If anyone wants to see my logs just send me a PM.
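Tirade's attack list above came out of a log-based scanner. The following Python is added here as an illustration; it is not Spiral's program and not CS-Cart code. It does the simplest form of that job over a few constructed Apache access-log lines (documentation IP ranges, not real traffic): it counts requests for paths a shopper never asks for and flags clients that make several of them. The probe patterns and the threshold of three are assumptions for the example.

```python
import re
from collections import defaultdict

# Enough of the Apache "combined" log format for this purpose.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)

# Request paths a shopper never asks for but a vulnerability scanner does.
# Illustrative list, not a complete scanner signature set (assumption).
PROBE_PATTERNS = [re.compile(p, re.I) for p in (
    r"^/admin\.php",                    # default admin script name
    r"^/install/",                      # installer left in place
    r"phpmyadmin",
    r"\.\./",                           # path traversal
    r"/etc/passwd",
    r"\.(bak|old|sql|tgz|zip)(\?|$)",   # downloadable backups / config copies
)]

# Constructed sample log using documentation IP ranges; not real traffic.
SAMPLE_LOG = """\
198.51.100.2 - - [14/Dec/2009:10:02:11 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Dec/2009:10:02:15 +0000] "GET /index.php?dispatch=products.view&product_id=12 HTTP/1.1" 200 8831 "-" "Mozilla/5.0"
198.51.100.2 - - [14/Dec/2009:10:03:40 +0000] "POST /index.php?dispatch=checkout.add HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Dec/2009:03:14:07 +0000] "GET /admin.php HTTP/1.1" 200 1120 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Dec/2009:03:14:08 +0000] "GET /install/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Dec/2009:03:14:08 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Dec/2009:03:14:09 +0000] "GET /config.php.bak HTTP/1.1" 404 212 "-" "Mozilla/4.0"
203.0.113.7 - - [14/Dec/2009:03:14:09 +0000] "GET /index.php?file=../../../../etc/passwd HTTP/1.1" 404 212 "-" "Mozilla/4.0"
192.0.2.9 - - [14/Dec/2009:09:00:01 +0000] "GET /admin.php?dispatch=orders.manage HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
this line is not a log record
"""


def parse_line(line):
    """Return a dict with ip/ts/method/path/status, or None for a line that is not a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path):
    return any(p.search(path) for p in PROBE_PATTERNS)


def client_stats(lines):
    """Per-IP counts of requests, 4xx responses and probe-looking requests."""
    stats = defaultdict(lambda: {"requests": 0, "client_errors": 0, "probes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        if 400 <= rec["status"] < 500:
            s["client_errors"] += 1
        if is_probe(rec["path"]):
            s["probes"] += 1
    return dict(stats)


def suspicious_clients(lines, min_probes=3):
    """IPs that made at least min_probes probe requests. A single hit on the admin
    script (the real admin logging in) stays below the threshold on purpose."""
    return sorted(ip for ip, s in client_stats(lines).items() if s["probes"] >= min_probes)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    stats = client_stats(lines)
    for ip in suspicious_clients(lines):
        s = stats[ip]
        print(f"{ip}: {s['probes']} probes, {s['client_errors']} 4xx out of {s['requests']} requests")
```

The probe counter, not the 404 counter, is what separates a scanner from a shopper who mistypes a URL; a country block removes the noise from this list, it does not remove the class of request.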

 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 899 posts

Posted 06 January 2010 - 08:51 PM #64

Kate seems to be communicating CS Cart's "default" position on permissions:

Zeke basically says that depending on your PHP environment you can tighten up permissions, as many of us have done. As an example, with a suPHP setup:

http://forum.cs-cart...ew&vbug_id=1446

Any good webhost will have level 3 admins that you can talk to or email with. They will be happy to explain permissions and make suggestions on setting up your account.

This is standard basic information. The good information that Spiral has posted about permissions and a few other issues is all basic information (that system admins know or should know..) Nothing top secret or unique.

Most likely he is simply a system admin for hire to small web hosts that cannot afford their own full time staff. There is nothing wrong with this. What is wrong is crying "Security issue" on a shopping cart forum - for which he should apologize and be forgiven for.

Unless of course he is able to let CS cart know important security information?

In which case I and others will publicly thank him...

Version 4.9.2
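Kate's reply says some CS-Cart directories must be 777 and that the .htaccess files inside them are what keeps their contents from being served directly; Traveler's point is that under suPHP the permissions can be tightened anyway. The script below is added here as an example and is not CS-Cart's own code. It walks a web root, lists every world-writable entry together with whether its directory carries a deny-all .htaccess, and can clear the world-write bit. The directory layout in the test is made up; the two Apache directive spellings are the real ones for 2.2 and 2.4.

```python
import os
import stat
from pathlib import Path

# Apache 2.2 and 2.4 spellings of "no direct access"; the match is deliberately loose.
DENY_MARKERS = ("deny from all", "require all denied")


def find_world_writable(root):
    """Relative, sorted paths under root whose mode has the other-write bit set. Symlinks are skipped."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            if p.stat().st_mode & stat.S_IWOTH:
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def htaccess_denies_access(directory):
    """True if directory/.htaccess exists and contains a deny-all directive."""
    ht = Path(directory) / ".htaccess"
    if not ht.is_file():
        return False
    text = ht.read_text(errors="replace").lower()
    return any(marker in text for marker in DENY_MARKERS)


def audit(root):
    """(path, 'dir' or 'file', shielded) for every world-writable entry. 'shielded' is True
    when the directory (or, for a file, its parent) carries a .htaccess that denies direct access."""
    root = Path(root)
    findings = []
    for rel in find_world_writable(root):
        p = root / rel
        if p.is_dir():
            findings.append((rel, "dir", htaccess_denies_access(p)))
        else:
            findings.append((rel, "file", htaccess_denies_access(p.parent)))
    return findings


def tighten(root, dir_mode=0o755, file_mode=0o644):
    """Clear world-write on everything find_world_writable() reports; returns the count changed.
    755/644 is enough when PHP runs as the account owner (suPHP, a php-fpm pool per account).
    Under mod_php running as the web server user the writable directories need a group or
    ownership change instead, which this function deliberately does not attempt."""
    root = Path(root)
    changed = 0
    for rel in find_world_writable(root):
        p = root / rel
        p.chmod(dir_mode if p.is_dir() else file_mode)
        changed += 1
    return changed


if __name__ == "__main__":
    import sys
    for rel, kind, shielded in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'ok ' if shielded else 'BAD'} {kind:4} {rel}")
```

Run it against the cart root before tightening and look at the BAD lines: a world-writable directory without a deny-all .htaccess is exactly the case Kate's reply does not cover.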


 
  • Lee Li Pop
  • Senior Member
  • Members
  • Join Date: 07-Mar 08
  • 941 posts

Posted 07 January 2010 - 11:53 AM #65

Hello Tirade,

Since I've had my server and site secured/upgraded/IPs from China blocked, I've only had 2 hacking attempts for the month of Jan.


Blocking a range of IPs, or some countries, is somewhat illusory. Indeed, a professional hacker uses zombie PCs scattered everywhere on earth. How? By publishing and managing downloaded programs contaminated with viruses and/or with a pallet full of funny things built for his own aims.

So, blocking some countries rather than others is somewhat illusory. If a hacker wants to target your site and perceives that you block some countries, he will lead his attack from a country that you consider "friendly". And so on.

In the worst situations, you'll have to block your own country, because the hacker will use your neighbours' PCs to attack your site.

Remember this:

Some security experts need to spread fear and terror for their own livelihood.


Lee Li Pop
If All Else Fails, Read The Instruction Manual! Knowledge Base 2.x + CS-Cart Instruction Manual

Hosted at Pair.com since 2000. Zero hacking attempts during first 11 years... And counting!

 
  • Tirade
  • Senior Member
  • Members
  • Join Date: 20-Oct 09
  • 253 posts

Posted 07 January 2010 - 02:05 PM #66

The point of blocking IPs isn't just to avoid direct hack attempts; it's primarily to avoid the vulnerability scanning. All of my business is US only, so I'm free to block a lot of people.






 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 12 January 2010 - 03:07 PM #67

http://forum.cs-cart...27&postcount=11

 
  • Spiral
  • BANNED
  • Banned
  • Join Date: 02-Aug 09
  • 133 posts

Posted 12 January 2010 - 05:12 PM #68

brandonvd and Tirade should both be congratulated for staying out of the childish idiocy and clearly trying to bring most everyone else back to some realm of sanity and rational logical intelligence. My hat is off to you both and I agree wholeheartedly with most of the things you said in each of your posts!

To termalert, actually that is an excellent idea on the "security updating system" and hopefully CS-Cart will take you up on that suggestion.

However, most of the rest of you are like little children and I have rarely seen so much ignorance, petty arrogance, and collective immature idiocy in one place ....

To gabrieluk and moka in particular, you seem a bit up with yourselves and the abusive remarks from both of you are actually quite amusing.

For your information, I have said nothing "conflicting" whatsoever ...

A little bit of perspective ----

I deal with security issues on a daily basis and in my job I am on the forefront first hand seeing and dealing with hundreds if not thousands of security issues each and every day that you'll most likely never see or hear about.

From that point of view ---

"the problems with 1.3.5-SP4 are really insignificant in the grand scheme of things"

Looking at this from your perspective however ---

Yes maybe it's a significant issue for you and by no means have I said you should ignore this problem as that would indeed be a mistake. I'm just simply saying I personally myself don't consider the issue very significant from my perspective and I made that point earlier because most of you are acting like you really should be in kindergarten and getting overly excited over things that are all very easily fixable --- a thank you would suffice. :rolleyes:

So please, Spiral, if you are responsible for sending out emails to folks using 1.3.5 sp4 telling them they should upgrade ....

This seems to be another point of confusion --- I DID NOT SEND OUT THE EMAIL!

I am the author of the program the user's hosting provider was using and recognized the email message that they quoted and simply stepped in to explain just exactly what it means.

As I have already said repeatedly, and the larger point everyone seems to have a knack for ignoring, the particular scanning program in question gets all its information directly from major public security alert databases and simply compares the version numbers of the running applications against alert notices and lets users know when they should upgrade because security alerts were found for a particular program.

It only finds what has public security alerts and is nowhere near as sophisticated as the other program I also wrote, from which Tirade actually posted his alert logs above. Anyway, the version scanning program does not look for CS-Cart specifically, and I am not even the source of the original security notice or any of the details of the issue that triggered the alert email being discussed --- I just simply tested and confirmed the issue!

It would also be great if you at least let CS-Cart know directly so they can address them. As stated by CS-Cart above, they do still support it.

The irony of that statement is that they were actually already sent all this information with detailed code examples long before this thread even started.

Bet you didn't know that either, ey? ;)
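Spiral describes the version scanner as comparing the detected version string against public advisory records and emitting the upgrade notice when one matches. The code below is an added example of that mechanism; it is not Spiral's program and not CS-Cart code. It shows the part that usually goes wrong: parsing version strings with service-pack suffixes such as 1.3.5-SP4 so that 1.3.5 sorts below 1.3.5-SP1 and both sort below 2.0.0, then matching against advisory ranges. The advisory records are constructed for a fictional product, "ExampleCart", and are not real advisories.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


def parse_version(text):
    """Keep only the numeric fields: '1.3.5-SP4' -> (1, 3, 5, 4), '2.0.12' -> (2, 0, 12).
    A service-pack number becomes one more field; cmp_versions() pads the shorter tuple
    with zeros, so 1.3.5 sorts below 1.3.5-SP1."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def cmp_versions(a, b):
    """-1, 0 or 1, like the classic cmp()."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


@dataclass(frozen=True)
class Advisory:
    ident: str
    product: str
    affected_through: str      # highest version known to be affected (inclusive)
    fixed_in: Optional[str]    # first fixed version, or None if no fix is known
    summary: str


# Constructed records for a fictional product. Not real advisories, not CS-Cart data.
SAMPLE_ADVISORIES: List[Advisory] = [
    Advisory("EX-2008-002", "ExampleCart", "1.3.4", "1.3.5", "example issue fixed in 1.3.5"),
    Advisory("EX-2009-001", "ExampleCart", "1.3.5-SP4", "2.0.0", "example issue fixed in the 2.0 line"),
    Advisory("EX-2010-003", "OtherApp", "4.1", None, "unrelated product, no fix known"),
]


def is_affected(version, adv):
    """Prefer the fix boundary when one is published; otherwise use the 'affected through' bound."""
    if adv.fixed_in is not None:
        return cmp_versions(version, adv.fixed_in) < 0
    return cmp_versions(version, adv.affected_through) <= 0


def matching_advisories(product, version, advisories):
    return [adv for adv in advisories
            if adv.product.lower() == product.lower() and is_affected(version, adv)]


def alert_message(product, version, advisories):
    """The notice a scanner of this kind emits, or None when nothing matches."""
    hits = matching_advisories(product, version, advisories)
    if not hits:
        return None
    return (f"Obsolete and security vulnerable {product} version {version} detected on your site. "
            f"You should consider upgrading. ({len(hits)} public advisories: "
            + ", ".join(a.ident for a in hits) + ")")


if __name__ == "__main__":
    for v in ("1.3.4-SP2", "1.3.5-SP4", "2.0.12"):
        print(v, "->", alert_message("ExampleCart", v, SAMPLE_ADVISORIES))
```

Note what the check does and does not know: it reports that a public advisory names the version, nothing about whether a particular site has applied a vendor patch that did not bump the version string. That gap is why a "consider upgrading" notice and a confirmed finding are different things.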

 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 12 January 2010 - 06:00 PM #69

Spiral, let's stop the polemics. As I said, we do not consider this vulnerability as critical (as for me - I don't even consider it as vulnerability) and the same, call it "problem", you can find in ANY web software.

I'd like to say thank you for reporting this, we'll add the notice to installer and admin area to rename the default "admin.php" script in 2.0.12.

Best.

 
  • Noman
  • Senior Member
  • Members
  • Join Date: 29-Oct 07
  • 526 posts

Posted 12 January 2010 - 07:58 PM #70

I will repeat myself from the thread below:
http://forum.cs-cart...70132#post70132

Changing admin.php to something else was mentioned here dozens of times and it's common for all PHP applications. The only thing I would say is to add a note on the last Installation screen and advise people how and why to do it.

Same as with the Installation directory to be removed. Not rocket science.

This glitch affects ALL applications, not only CS!


Please, let's close this thread, as it was pointless from the beginning.
I'm Number 1, so why try harder?

CIA wannabe or having doubts and need some answers?
Spy Gadgets and CCTV Equipment

 
  • Tirade
  • Senior Member
  • Members
  • Join Date: 20-Oct 09
  • 253 posts

Posted 12 January 2010 - 09:49 PM #71

Ok, so someone correct me if Im confused...

1. 3-4 weeks ago Spiral posted that there were/are severe security vulnerabilities in CS-Cart and was hounded for not providing proof.

2. 2 weeks ago a totally different person named leftnode (Vic) posted on his blog that he had discovered some severe vulnerabilities in CS-Cart while reviewing the cart for a client of his. He notified the developers and gave them 2 weeks to disclose the information to its customers before he made the information public.

http://leftnode.com/...-cart-software/

3. Over this 2 week period there have been numerous security posts but no confirmation or denial from the CS-Cart admins and Spiral is stoned for not providing information.

4. Today leftnode (Vic) kept to his word and on his blog listed the vulnerabilities that he alluded to 2 weeks ago.

http://leftnode.com/...ftware-cs-cart/

5. It was assumed that leftnode = Spiral, but in fact they aren't the same people at all, so no one here knows if the vulnerabilities that leftnode blogged about are the same ones that Spiral alluded to or if there are indeed more out there.

Regardless of whether the vulnerabilities are the same or not, the point is there ARE some security concerns. CS-Cart was given 2 weeks to notify its users and they did not; instead, today, AFTER the information goes public, they respond that it's not a big deal. I would disagree. Now the optimist in me hopes that the security concerns that Spiral has are indeed the same as leftnode blogged about, because I'd hate to know there are many more out there, and as others start to discover them and make them public knowledge a lot of people are going to lose data or become compromised.

 
  • brandonvd
  • is Super Awesome
  • Members
  • Join Date: 19-Dec 06
  • 2633 posts

Posted 12 January 2010 - 10:23 PM #72

Dang Tirade, what a great summary of events. Of course you left out one important detail. That detail is that this thread all started only by asking what a warning was about.

That warning basically only stated that CS-Cart 1.3.5 sp4 was obsolete and had a vulnerability. Nothing more, nothing less.

Now I don't know the exact vulnerability, but it seems like there is a permissions vulnerability and now there is also the admin vulnerability. So why is everyone complaining so much? Just change your admin to something else and I know that Jobosales posted on a different thread a way to change the permissions problem. I haven't tested his solution myself, but it looks good.

Some people might not consider this important and even CS-Cart says it isn't that big of deal. Maybe it is, maybe it isn't, I don't know. I guess it is really up to you to decide for yourself.

Anyways, hopefully now everyone will cool down and now because of this thread and leftnode's blog all of our carts will be better and more secure in the future.

Brandon

 
  • Noman
  • Senior Member
  • Members
  • Join Date: 29-Oct 07
  • 526 posts

Posted 12 January 2010 - 10:35 PM #73

Tirade

Read Zeke's post and then read twice what kind of issues Spiral found. Those issues are common for all PHP applications.

You cannot prevent 100% hackers from getting into your site however, you can minimize the risk. PHP itself isn't 100% secure so, we do tricks to improve things.

My simple advice would be:

Use VPS or Dedicated boxes. AVOID SHARED HOSTING. Full stop here.
Do not install additional scripts within CS Cart directory as they can already have security bugs or will have.
Understand CHMOD and HTACCESS [educate yourself here]
Use SSL for Admin section and customer registration/login. It's 10bucks!
Do not use CS backup ever! Use the hosting CP to backup entire public_html+DB to your local PC.
Get a static IP for your home or office and make use of Store Access in CS. Limit access to Admin from well known IPs only!
Change admin.php to something like: hatehackersfcukers.php and then update the config file.
Use secure FTP only for uploading your stuff.
Make your password difficult. My one is: %I{7$cRi1g6c(80. ;)
Save your password on the local PC and encrypt the folder and files inside. In XP+ use right click, Properties -> Advanced -> Encrypt ..... OK. Is it green? Good. Trojans will be useless.
Be suspicious when receiving admin emails from your own website! Check the link!
If you use POP3 to download emails, use a secure connection on port 995 instead of 110.
Uninstall modules you don't need.
Remove skins you don't need.
Use Firefox in Private Browsing mode. Don't use password managers!
Pray every morning and eat healthy food!

Is there anything else I missed guys?
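Several items on Noman's list, and Zeke's note about renaming the default admin.php, can be checked mechanically after an install. The script below is added here as an example and is not CS-Cart's own code. It flags a leftover install/ directory, an admin script still at its default name (or a config that points at a script that does not exist), and archive or backup files sitting under the web root where anyone can download them; it also performs the rename together with the config update. The config key `$config['admin_index']` and the replacement name ops_7f3k.php are assumptions for the example; check the config file of your own version for the real key before relying on the rename.

```python
import re
from pathlib import Path

# Assumed config form (PHP array assignment). The real key name may differ by version.
ADMIN_KEY_RE = re.compile(r"\$config\[\s*['\"]admin_index['\"]\s*\]\s*=\s*['\"]([^'\"]+)['\"]")
DEFAULT_ADMIN = "admin.php"
# Anything with these suffixes under the web root is a download waiting to happen.
ARCHIVE_SUFFIXES = {".sql", ".zip", ".tgz", ".tar", ".gz", ".bak", ".old"}


def admin_script_from_config(root, config_name="config.php"):
    """Admin script name the config points at, or None if the key is absent."""
    cfg = Path(root) / config_name
    if not cfg.is_file():
        return None
    m = ADMIN_KEY_RE.search(cfg.read_text(errors="replace"))
    return m.group(1) if m else None


def hardening_findings(root, config_name="config.php"):
    """Ordered list of finding codes; an empty list means all checks passed."""
    root = Path(root)
    findings = []
    if (root / "install").exists():
        findings.append("install-dir-present")
    admin = admin_script_from_config(root, config_name)
    if admin is None or admin == DEFAULT_ADMIN:
        findings.append("default-admin-script")
    elif not (root / admin).is_file():
        findings.append("admin-script-missing")
    if admin not in (None, DEFAULT_ADMIN) and (root / DEFAULT_ADMIN).exists():
        findings.append("default-admin-script-still-present")
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in ARCHIVE_SUFFIXES:
            findings.append("archive-in-webroot:" + p.relative_to(root).as_posix())
    return findings


def rename_admin_script(root, new_name, config_name="config.php"):
    """Rename the current admin script to new_name and rewrite the config key to match."""
    root = Path(root)
    current = admin_script_from_config(root, config_name) or DEFAULT_ADMIN
    (root / current).rename(root / new_name)
    cfg = root / config_name
    text = cfg.read_text(errors="replace")
    text = ADMIN_KEY_RE.sub(lambda m: m.group(0).replace(m.group(1), new_name), text)
    cfg.write_text(text)
    return new_name


if __name__ == "__main__":
    import sys
    for code in hardening_findings(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(code)
```

Renaming the admin script raises the cost of blind scanning, nothing more: the new name still travels in every admin URL, so it belongs behind TLS and an IP allow-list, which are the other two items on Noman's list that this check does not cover.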

 
  • brandonvd
  • is Super Awesome
  • Members
  • Join Date: 19-Dec 06
  • 2633 posts

Posted 12 January 2010 - 10:50 PM #74

Wow Noman those are some pretty good tips. Most I already use, but there are quite a few there I haven't thought of and/or didn't know about. Thank you.

Brandon

 
  • jobosales
  • Senior Member
  • Members
  • Join Date: 04-Nov 06
  • 3114 posts

Posted 12 January 2010 - 11:24 PM #75

Noman-

Thanks for taking the time to post your list. Providing action items does a lot more for advancing security than a bunch of chest-thumping bravado.

Each of us should do whatever we can to secure our stores. If we come across security issues, we should report them to CS-Cart without a bunch of histrionics. And we should hold CS-Cart to high standards regarding security (I am not entirely satisfied with some of their responses regarding security). Hopefully, they will address some of the issues Vic from leftnode identified either as part of PCI compliance or ongoing security efforts.

Bob
CS-Cart 2.0.14 (testing)

 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 899 posts

Posted 13 January 2010 - 01:57 AM #76

Noman,

Super post - simple to the point and easy to understand. I shall print it out.

Only one point that I object to is your request to close the thread:

Spiral and his posts while not to be taken seriously 95% of the time are humorous and entertaining.

I think that even his insults are sort of "Don Rickles" like funny.

On a side note the whole issue of complex passwords is interesting. Of course they are good - but how do we save the passwords?

Example, we use only one computer in my office for passwords related to business and personal financial matters. I change the passwords and put them on a spreadsheet on my computer, which I print out and save on a USB stick, so I am safe in terms of not losing the password, which is good, as I am not a genius like Spiral and forget things all the time.

Now the question is how do I secure my computer against theft, both via the internet and internal theft?

I do the usual updated antivirus, firewall and so on but i still worry.

I am not currently doing your suggestion but perhaps in this modern world it is time to do so.

"Save your password on the local PC and encrypt the folder and files inside. In XP+ use right click, Properties -> Advanced -> Encrypt ..... OK. Is it green?"



 
  • moka
  • Senior Member
  • Members
  • Join Date: 09-Feb 08
  • 634 posts

Posted 13 January 2010 - 03:12 AM #77

Spiral,
I apologize if I offended you. I certainly did not mean to be "abusive". I was merely trying to explain that us kindergarteners were freaking out because we were confused. I was trying to ask for a little clarification and patience with our state of confusion.

 
  • Spiral
  • BANNED
  • Banned
  • Join Date: 02-Aug 09
  • 133 posts

Posted 13 January 2010 - 04:22 AM #78

... so no one here knows if the vulnerabilities that leftnode blogged about are the same ones that Spiral eluded to or if there are indeed more out there.

Apparently not the same, and after seeing your post I went to check out this "Vic" person's site that you were talking about, and from what I can tell he is talking about an entirely different subject.

The blog page you linked to appears to be talking about "SQL injection" and "Cross Site Scripting" issues and neither of those have any bearing on this discussion whatsoever or anything I was talking about which incidentally for reference has to do with code sanitation or more precisely "the lack of" in certain key places.

It does not surprise me, though, that someone out there might find additional problems and issues, and it only reinforces the previous discussions about the need for better QA and code review and longer beta testing periods.

 
  • Noman
  • Senior Member
  • Members
  • Join Date: 29-Oct 07
  • 526 posts

Posted 13 January 2010 - 07:36 AM #79

Traveler

On a side note the whole issue of complex passwords is interesting. Of course they are good - but how do we save the passwords?

In CS, create as many Admins as you need for your staff [with different privileges if necessary] and give them long and difficult passwords. Each Admin of CS should have that password saved in TXT format [Notepad] on their own computer. When done, encrypt it, also on each PC. Don't print it out or use any USB memory. People can take a picture with any mobile phone if you leave your password printed out on the wall. Not very likely, but it's better to prevent than to cure.

Exclude passwords from unprotected backup!

Once a week, be a hacker and try to get to your own passwords all the way. Also, like hackers, eat 3 days old pizza and drink, out of date cola ;)

 
  • Lee Li Pop
  • Senior Member
  • Members
  • Join Date: 07-Mar 08
  • 941 posts

Posted 13 January 2010 - 09:44 AM #80

And the Winner is...

Noman 1

Spiral KO


Lee Li Pop