Important security note!

 
  • zeke
  • Megamind
  • Administrators
  • Join Date: 01-Nov 05
  • 472 posts

Posted 09 November 2006 - 05:21 PM #1

Dear CS-Cart users,

Due to several recent incidents related to the illegal usage of the CS-Cart installation script, our company decided to send a letter of strong recommendation to all CS-Cart users and ask you to REMOVE or RENAME the 'install.php' script inside the CS-Cart installation folder to avoid unauthorized reinstalling of the software or its modification.

Feel free to contact us if you need any assistance or help related to this issue. Our specialists will be glad to help you.

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 09 November 2006 - 06:24 PM #2

I guess reading the manual or reading the information on the install process pages that states "REMOVE or RENAME install.php when your install is complete" is just too much to ask users to do.

My patience for users asking questions because they are too lazy to read the manual is growing thin around here.

It may NOT be the best manual, but if you didn't bother to read it, then that's your fault.

RTFM!
Pimpin' skins since v1.0

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 09 November 2006 - 06:26 PM #3

And another thing. Use the SEARCH box at the top. Many of these questions are already answered.
Pimpin' skins since v1.0

 
  • ryan
  • Member
  • Members
  • Join Date: 05-Dec 05
  • 79 posts

Posted 09 November 2006 - 06:37 PM #4

ETI,

If someone's post seems trivial or redundant, simply ignore it! No reason to be crass.

Ryan

 
  • ryan
  • Member
  • Members
  • Join Date: 05-Dec 05
  • 79 posts

Posted 09 November 2006 - 07:19 PM #5

Don't like it, tough shit.

Wow and to think, you're "Head Moderator".

 
  • roban
  • Senior Member
  • Moderators
  • Join Date: 23-Oct 06
  • 1132 posts

Posted 09 November 2006 - 07:31 PM #6

I'm an SMod and Admin at other boards and have a problem with people not using the search function. It is just too easy to ask a question rather than to do a little research. I would imagine there aren't too many questions that have not already been asked and answered dozens of times. What we have done to ameliorate the problem is to make sticky posts with answers to many common questions. This has, in effect, cut down on the amount of double postings but not all.

I do think however, that as an executive of this board you might exercise some restraint in language. I get my frustrations out in the Admin lounge. Just my 2 cents.

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 09 November 2006 - 07:35 PM #7

Thanks for the reply, roban.

Can I join your admin lounge? LOL
Pimpin' skins since v1.0

 
  • roban
  • Senior Member
  • Moderators
  • Join Date: 23-Oct 06
  • 1132 posts

Posted 09 November 2006 - 07:42 PM #8

Any time bud...any time. LMAO

 

Posted 09 November 2006 - 08:14 PM #9

REMOVE or RENAME 'install.php' script inside CS-Cart installation folder to avoid unauthorized reinstalling of the software or its modification.

There should be code in install.php that looks for a prior install. One method to prevent a new install is to require the config.php file to be manually deleted via FTP prior to install.php running and recreating it. Making the user delete or rename install.php will be an on-going problem.

Larry
SculptingStudio.com

 
  • roban
  • Senior Member
  • Moderators
  • Join Date: 23-Oct 06
  • 1132 posts

Posted 09 November 2006 - 08:19 PM #10

One way would be to have the shop be unusable as long as the file is present. To view the front end, you'd have to delete or rename it. I'm not a coder but something like in index.php:

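if ($glob['installed'] == 0) {
    // Not installed yet: send the visitor to the installer.
    header("Location: install.php");
    exit;
} elseif (file_exists($glob['rootDir'] . "/install.php") && $glob['installed'] == 1) {
    // Installed, but the installer is still on the server: refuse to serve the shop.
    echo "<strong>WARNING</strong> - Your store will not function until install.php is deleted from the server.";
    exit;
}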
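
Added example (not part of the original posts and not CS-Cart code): the prior-install check suggested in post #9, placed in the installer itself so that it also applies when install.php is requested directly rather than through index.php. config.php is the file named in the thread; install.lock, the function names and the directory layout are assumptions.

```php
<?php
// Added example, not CS-Cart code. Meant for the very top of an installer script.
// Assumptions: config.php (named in the thread) is written by a finished install;
// install.lock is a hypothetical marker file created at the same moment.
declare(strict_types=1);

/** Returns null when a fresh install may run, otherwise the reason it is refused. */
function installer_block_reason(string $rootDir): ?string
{
    if (is_file($rootDir . '/install.lock')) {
        return 'install.lock exists, so this shop is already installed.';
    }
    $config = $rootDir . '/config.php';
    if (is_file($config) && filesize($config) > 0) {
        return 'config.php already exists; delete it manually (e.g. via FTP) to reinstall.';
    }
    return null;
}

/** Call once after a successful install. Mode "x" fails if the lock already exists. */
function installer_write_lock(string $rootDir): bool
{
    $fh = @fopen($rootDir . '/install.lock', 'x');
    if ($fh === false) {
        return false;
    }
    fwrite($fh, gmdate('c') . "\n");
    return fclose($fh);
}

$reason = installer_block_reason(__DIR__);
if ($reason !== null) {
    // Refuse before any installer step runs, so a direct request to the
    // script cannot overwrite the existing configuration.
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit("Installer disabled: {$reason}\n");
}
// Installer steps would follow here; finish with installer_write_lock(__DIR__).
```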

 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 09 November 2006 - 08:21 PM #11

I've seen other scripts do that: check for install.php, if there display a msg about removing it and do nothing else til it's gone.

Good idea.
Pimpin' skins since v1.0

 

Posted 09 November 2006 - 10:12 PM #12

This is an easy fix and should be in 1.3.4-sp1.

Larry
SculptingStudio.com


 
  • TonyK
  • Member
  • Members
  • Join Date: 03-Mar 06
  • 1686 posts

Posted 09 November 2006 - 10:13 PM #13

Thnx Roban for the code.
Pimpin' skins since v1.0

 
  • willow1872
  • Senior Member
  • Banned
  • Join Date: 02-Nov 06
  • 153 posts

Posted 10 November 2006 - 11:12 AM #14

I'm also a Moderator and Admin on one of the same boards as Roban and it does get annoying. I've only had to ask two questions since being here and that is mainly thanks to the manual and reading through the forum. The search function here isn't so great though as it seems to search every word rather than the string which does get frustrating :(

Overall though this forum is very well laid out and the manual is very comprehensive :D

Andi

 
  • MikeK
  • Senior Member
  • Members
  • Join Date: 26-Apr 06
  • 434 posts

Posted 10 November 2006 - 07:58 PM #15

As a veteran going back to the days of 2400 baud dialup modems and DOS based bulletin boards, I've done my share of SAdmin duties on several large forums and I can tell you this: nothing, and I mean nothing, kills a pleasurable forum experience faster than people publicly arguing. It doesn't matter if it's member to member, or Admin to member.

Super strict rules and profanity from a Moderator are counter productive. Requiring people to search before posting a question just says this isn't a friendly place. Consider this, I was the SA for the #1 CAD product in the USA. CAD programs are by nature massively complex and difficult to master. Our forum was constantly barraged with repetitive pleas for help for topics that had been answered hundreds, if not thousands of times. If I felt inclined, I answered the question. Once in a while I'd be too busy to bother with repeating myself, so I would just ignore the post. You know what happened? Someone else stepped up and answered the question.

The net result of this was great. A nube learned something, found a friendly environment in which he/she could feel comfortable asking questions, and most importantly, after reaching a point where they could help others, they always did. The forum became a tight knit community that often provided "Support" much faster and more reliably than the official support channels.

The moral of the story is this: Hostility is unacceptable, especially by a forum moderator. Locking threads and artificially creating a requirement to search first will drive potential customers away, and keep the lurkers in the shadows. (BTW, the search features on this board aren't that impressive.) The net result is people will be less inclined to jump in and return the favors they got when they asked for help and got it. (We were all new at some point.) It also assures that CS-C will be inundated with support requests that would have otherwise been easily handled on the forum.

If "search first" is going to be a requirement, then post that in the forum rules. Until that happens, I'll certainly be happy to return the patience I've received here (when I can).

Cheers,
MikeK

 
  • lesr
  • Junior Member
  • Members
  • Join Date: 15-Jan 06
  • 5 posts

Posted 11 November 2006 - 07:35 AM #16

I guess reading the manual or reading the information on the install process pages that states "REMOVE or RENAME install.php when your install is complete" is just too much to ask users to do.

My patience for users asking questions because they are too lazy to read the manual is growing thin around here.

It may NOT be the best manual, but if you didn't bother to read it, then that's your fault.

RTFM!


I feel very PO reading this BS. One of my customers got hacked AGAIN, and the last people to install the script were CS-Cart, so maybe you should not be blaming customers for not deleting it when your staff don't.


Les Richardson

 
  • S-Combs
  • Senior Member
  • Members
  • Join Date: 09-Nov 06
  • 692 posts

Posted 11 November 2006 - 06:28 PM #17

Sorry to continue with the off-topic comments above about clients not searching prior to posting but there is a very simple solution to this..

You can very simply create a custom FAQ within vBulletin admincp (It's there, why not use it). Admins can give access to the FAQ editor to other staff members who can update it with these annoying repeated questions.

This new FAQ can be linked to in a variety of ways and even made to be required reading prior to posting on the board.

If you don't like the VB FAQ type then there are other commercial and open source types to pick from..

Back on topic:

I agree with some of the above posts that a function lock should be used if installer files are still on the server; however, this brings a question to mind..

Isn't there already embedded security that requires an auth code prior to using the installer a second time?

 
  • disneyana
  • Senior Member
  • Members
  • Join Date: 06-Nov 05
  • 130 posts

Posted 16 November 2006 - 09:18 PM #18

Good points by S-Combs, roban and others. I've also read many posts which are not very helpful (originator will say in a later thread that they figured out the problem, but not say HOW they did it). Can these posts be removed? As always, thanks to the mods and other posters for their continued assistance.
- disneyana
CS-Cart v1.3.3
CS-Cart v1.3.4sp3
http://disneyana.com/store

 
  • kloptops
  • Junior Member
  • Members
  • Join Date: 07-Mar 06
  • 5 posts

Posted 21 November 2006 - 11:38 AM #19

Another system that works is when a user tries to install the program, they get given a key (a simple md5sum of some random info will do). They then have to upload that into their shop directory for the installation to continue. If any of you have had the pleasure to install gallery2, you'll know exactly what I mean.

Also I think a cs-cart wiki would be a good idea, that way it's not up to the creators to update it. People who know how to do something can share their knowledge, or even explain it another way.

Well that's just my 2 cents, I've always found this forum to be useful when I'm stuck.

BTW! Good job with 3.3.4! :)
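
Added example (not part of the original post, not CS-Cart or gallery2 code): the upload-a-key step described in post #19, where the installer continues only after the requester shows write access to the shop directory. The file name install_key.txt and the function names are assumptions, and the key comes from random_bytes() (PHP 7+) rather than an md5sum of random data.

```php
<?php
// Added example: proof of filesystem access before an installer may continue.
// install_key.txt is a hypothetical file name chosen for this sketch.
declare(strict_types=1);

const KEY_FILE = 'install_key.txt';

/** Issues one key per browser session, so the uploader must be the requester. */
function issue_install_key(): string
{
    if (empty($_SESSION['install_key'])) {
        $_SESSION['install_key'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['install_key'];
}

/** True only if the key file in the shop directory holds exactly the issued key. */
function uploaded_key_matches(string $shopDir, string $expected): bool
{
    $path = $shopDir . '/' . KEY_FILE;
    if (!is_file($path) || filesize($path) > 256) {
        return false; // missing, or far too large to be the key file
    }
    $found = trim((string) file_get_contents($path));
    return hash_equals($expected, $found); // constant-time comparison
}

session_start();
$key = issue_install_key();

if (!uploaded_key_matches(__DIR__, $key)) {
    http_response_code(403);
    header('Content-Type: text/plain; charset=utf-8');
    exit("Upload a file named " . KEY_FILE . " to the shop directory containing:\n"
        . $key . "\nthen reload this page.\n");
}

// One-time use: drop the key so a stale key file cannot be replayed later.
unset($_SESSION['install_key']);
echo "Key verified, installation may continue.\n";
```

The key file should be deleted once installation finishes, since it has no further purpose.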