All this security talk...

 
  • Tirade
  • Senior Member
  • Members
  • Join Date: 20-Oct 09
  • 253 posts

Posted 15 January 2010 - 05:44 AM #1

This might better help explain the "not a big deal" SQL injections that have been alluded to recently.

http://www.smashingm...of-the-problem/

Great read for 99% of the people in the forum.

 

Posted 15 January 2010 - 05:50 AM #2

Extremely good article there, Tirade.
50% of all attacks I receive are XSS, whereas I get a few SQL attacks every so often.
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • Triplets
  • Senior Member
  • Members
  • Join Date: 23-Sep 08
  • 1176 posts

Posted 15 January 2010 - 05:05 PM #3

After all the "entertaining" posts on cs-cart and security, I had to laugh when the actual technical description of the vulnerability was revealed. The sequence of events that has to occur for this vulnerability to be exploited is unreal and unbelievable that it would ever occur. Now yes it should be fixed, but these security experts blow things WAAAAY out of proportion. But I understand why, it keeps them employed.

If I understand correctly this is what needs to occur to be exploited.

1) You need to be logged into your cs-cart admin panel
2) While logged in, in another browser window you need to surf to a malicious web page or click on a malicious link.
3) This malicious site has to specifically somehow know you are using cs-cart (not the millions of other carts out there) and know what your admin filename is (admin.php).

Come on, the odds of this are beyond my concern.

David
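The three-step chain in the post above (admin logged in, admin's browser loads an attacker's page, that page fires a request at the known admin script) is a cross-site request forgery. The PHP below is an added example, not CS-Cart's code and not the reported bug: it shows a state-changing admin handler that trusts the session cookie alone, next to a hardened version that also demands a per-session token, a POST method and a matching Origin. The parameter names (`dispatch`, `user_id`, `csrf_token`), the host `shop.example` and the attacker host `evil.example` are assumptions made for the illustration.

```php
<?php
// Added example (not CS-Cart code): a state-changing admin endpoint that the
// cross-site request chain described above can drive, beside a hardened form.
// All parameter names and hosts are assumed for the illustration.

session_start();

// --- Vulnerable pattern: any request carrying a valid session cookie is trusted.
function handle_vulnerable(array $request): string
{
    if (empty($_SESSION['admin_id'])) {
        return 'not logged in';
    }
    // The browser attaches the admin's cookie automatically, so a form or
    // image tag on an unrelated site triggers this as soon as the page loads.
    if (($request['dispatch'] ?? '') === 'users.update') {
        // ... the password would be written to the database here ...
        return 'password changed for user ' . (int) $request['user_id'];
    }
    return 'no-op';
}

// --- Hardened pattern: require a per-session secret a cross-site page cannot read.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function same_origin(array $server, string $expected_host): bool
{
    // Browsers send Origin on cross-site POSTs; fall back to Referer.
    $src  = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($src, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expected_host) === 0;
}

function handle_hardened(array $request, array $server, string $expected_host): string
{
    if (empty($_SESSION['admin_id'])) {
        return 'not logged in';
    }
    // 1) State changes only over POST, never via a GET link or <img src>.
    if (($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return 'rejected: method';
    }
    // 2) The token in the form body must match the one bound to this session.
    if (!hash_equals(csrf_token(), (string) ($request['csrf_token'] ?? ''))) {
        return 'rejected: token';
    }
    // 3) Defence in depth: the request must come from our own origin.
    if (!same_origin($server, $expected_host)) {
        return 'rejected: origin';
    }
    if (($request['dispatch'] ?? '') === 'users.update') {
        return 'password changed for user ' . (int) $request['user_id'];
    }
    return 'no-op';
}

// Constructed demonstration: the admin is logged in, and an attacker's page
// auto-submits a form at our endpoint.
$_SESSION['admin_id'] = 1;
$forged        = ['dispatch' => 'users.update', 'user_id' => 1, 'password' => 'pwned'];
$forged_server = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://evil.example'];

echo handle_vulnerable($forged), "\n";                                // succeeds
echo handle_hardened($forged, $forged_server, 'shop.example'), "\n";  // rejected: token

// A legitimate submission from our own admin form carries the session token.
$legit        = $forged + ['csrf_token' => csrf_token()];
$legit_server = ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'https://shop.example'];
echo handle_hardened($legit, $legit_server, 'shop.example'), "\n";    // succeeds
```

Renaming admin.php, as suggested later in the thread, only removes the attacker's guess in step 3; the token check is what actually breaks the chain, because the attacker's page can neither read the token out of the admin's session nor forge a matching Origin. Marking the session cookie `SameSite=Lax` or `Strict` adds a further browser-side barrier.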

 
  • Noman
  • Senior Member
  • Members
  • Join Date: 29-Oct 07
  • 526 posts

Posted 15 January 2010 - 05:36 PM #4

Some people are getting paranoid about it instead of trying to understand the risk and learn how to prevent your sites from being hacked. This isn't so difficult! Leave CS Cart to CS people and you do your homework regarding hosting security or ask a Pro (avoid one here)

I will repeat myself dozens of times and I hope people will start understanding that it's not possible to rely 100% on CS Cart when it comes to the security of your web server. Google is your friend!

Use bloody SSL, use difficult passwords, do not call your database DATABASE!, change admin.php, do not follow strange looking links in emails you receive from your web store and avoid shared hosting!

My lord! I think, I’m gonna write a long list of what to do and how.
We must understand that CS is not out-of-the-box solution as they claim it to be. No way. You must work hard to make CS-Cart work for you.

We have wasted thousands of words and all we got is this silly “Less Critical” bug from Secunia discovered by Vic. Good for both of them. I can hack any website. All I need is your admin password. Hehehe.
I'm Number 1, so why try harder?

CIA wannabe or having doubts and need some answers?
Spy Gadgets and CCTV Equipment

 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 15 January 2010 - 08:04 PM #5

Mine's admin admin, isn't everyone's the same?? :confused: LOL LOL

BarryH

 

CS-Cart v4.4.3 (Plus one being developed v4.5.2 SP2)
UK User


 
  • Struck
  • Teetering on Genious
  • Members
  • Join Date: 07-Mar 09
  • 2502 posts

Posted 15 January 2010 - 10:33 PM #6

I made mine AdMiN aDmIn to confuse even the most talented of hackers :D
Cooking with Gas on Version 4.1.2 (But proceeding with caution....)

 
  • Noman
  • Senior Member
  • Members
  • Join Date: 29-Oct 07
  • 526 posts

Posted 15 January 2010 - 11:32 PM #7

I made mine AdMiN aDmIn to confuse even the most talented of hackers :D


If this is a joke, then OK, but if not, then ---- files are not case sensitive :(

 
  • gabrieluk
  • Senior Member
  • Members
  • Join Date: 21-Jul 09
  • 133 posts

Posted 16 January 2010 - 01:23 AM #8

This might better help explain the "not a big deal" SQL injections that have been alluded to recently.

http://www.smashingm...of-the-problem/

Great read for 99% of the people in the forum.

Fyeah....!
That was good! I feel like almost an expert! :cool: (I think I can start referring some host providers jejejejeje :p )
Number 1

 
  • Struck
  • Teetering on Genious
  • Members
  • Join Date: 07-Mar 09
  • 2502 posts

Posted 16 January 2010 - 06:00 PM #9

I made mine AdMiN aDmIn to confuse even the most talented of hackers :D

If this is a joke, then OK, but if not, then ---- files are not case sensitive


Hi Noman,
Yeah, it was a joke, as in that was my new user name & password! ;)

 
  • gabrieluk
  • Senior Member
  • Members
  • Join Date: 21-Jul 09
  • 133 posts

Posted 16 January 2010 - 11:28 PM #10

Hi Noman,
Yeah, it was a joke, as in that was my new user name & password! ;)

I will be doing the same.... Is there a limit of characters to rename the file? I usually always use 30.

 
  • Traveler
  • Senior Member
  • Members
  • Join Date: 02-Feb 07
  • 897 posts

Posted 17 January 2010 - 02:12 PM #11

Tirade,

Great article.

I am going to read it several times.

Version 4.9.2


 
  • BarryH
  • Senior Member
  • Members
  • Join Date: 03-Sep 07
  • 1459 posts

Posted 17 January 2010 - 03:12 PM #12

I made mine AdMiN aDmIn to confuse even the most talented of hackers :D

LOL :P

If this is a joke, then OK, but if not, then ---- files are not case sensitive :(

Oh Noman :oops: LOL

BarryH


 
  • Spiral
  • BANNED
  • Banned
  • Join Date: 02-Aug 09
  • 133 posts

Posted 19 January 2010 - 01:33 AM #13

---- files are not case sensitive :(

Actually under Linux they are! ;)