Re: Shopping cart other than OSCommerce? [LONG]

2010-12-09 Thread Robert Bonomi
 From owner-freebsd-questi...@freebsd.org  Wed Dec  8 18:35:17 2010
 Date: Wed, 8 Dec 2010 19:34:53 -0500
 From: Jerry freebsd.u...@seibercom.net
 To: FreeBSD freebsd-questions@freebsd.org
 Subject: Re: Shopping cart other than OSCommerce? [LONG]

 On Thu, 09 Dec 2010 10:07:57 +1000
 Da Rock freebsd-questi...@herveybayaustralia.com.au articulated:

 [snip]

  And that's why Facebook and all those social network sites are bad
  news. What happened to anonymity on the internet? Everyone I know
  worth their salt steers well clear of them...

 Nothing is foolproof to a sufficiently talented fool. Or as some
 say, "Make it idiot-proof and someone will make a better idiot."

The formal version is:
   For any fool-proof system,
there exists a =sufficiently-determined= fool capable of breaking it.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Shopping cart other than OSCommerce? [LONG]

2010-12-09 Thread Gary Kline
On Wed, Dec 08, 2010 at 07:34:53PM -0500, Jerry wrote:
 On Thu, 09 Dec 2010 10:07:57 +1000
 Da Rock freebsd-questi...@herveybayaustralia.com.au articulated:
 
 [snip]
 
  And that's why Facebook and all those social network sites are bad
  news. What happened to anonymity on the internet? Everyone I know
  worth their salt steers well clear of them...
 
 Nothing is foolproof to a sufficiently talented fool. Or as some
 say, "Make it idiot-proof and someone will make a better idiot."
 
 There is nothing inherently bad with Facebook or any of its imitators.
 The acronym PEBKAC accurately describes the true nature of the problem.
 The inclusion of anonymity has nothing to do with the problem.
 


My take on Facebook--just joined--is that it's an excellent way to
waste time if you want to.  Maybe reconnect with people you
haven't seen for years...

 -- 
 Jerry ✌
 freebsd.u...@seibercom.net
 
 Disclaimer: off-list followups get on-list replies or get ignored.
 Please do not ignore the Reply-To header.
 __
 
 Everyone is entitled to be stupid, but some abuse the privilege.

-- 
 Gary Kline  kl...@thought.org  http://www.thought.org  Public Service Unix
   Journey Toward the Dawn, E-Book: http://www.thought.org
  The 7.97a release of Jottings: http://jottings.thought.org



Re: Shopping cart other than OSCommerce?

2010-12-08 Thread Da Rock

On 12/08/10 10:57, Chuck Swiger wrote:

On Dec 7, 2010, at 4:27 PM, Da Rock wrote:
   

One to point out the obvious, and two to clarify your view here: why not PHP?
PHP was the scripting language used, but if used poorly it will create a
security risk in the web app. That means that the vulnerability is the coder's
problem, not PHP itself. God knows how many references there are to what not to
do for security reasons on the PHP site.

Vulnerabilities due to bad coding are not the fault of the language used;
otherwise we wouldn't be using C, C++, etc.

I ask because I'm coding web apps in PHP myself, and I'm curious to know if my
view is in error...
 

I would disagree and argue that vulnerabilities due to bad coding often reflect
flaws in the language being used.  For example, a vast range of buffer
overflows, null pointer dereference issues, etc. are entirely a consequence of
C-based languages which permit arbitrary pointer arithmetic.  Tools like
valgrind and Purify were later created to help add runtime array and memory
buffer bounds-checking to C/C++ which other languages (Java, Python, etc.)
already provide by raising an index out of range exception or similar.

As for PHP and security, well, when someone ends up getting married to three
abusive drunks in a row, there is more going on with that than random chance or
even bad luck.  I've got an archive of a couple of years' worth of list traffic
from full-disclosure and bugt...@securityfocus, and nearly a third of the
messages involve PHP or software written in PHP.  That's about twice as many as
the next largest category, which is vulnerabilities in Windows (including stuff
like Adobe Flash/Reader).

Regards,
   
Thanks for the heads up. What language do you recommend then based on 
these security reports?



Re: Shopping cart other than OSCommerce?

2010-12-08 Thread Arthur Chance

On 12/07/10 22:42, Jerry wrote:

On Tue, 07 Dec 2010 16:10:38 -0600
Jorge Biquez jbiq...@intranet.com.mx articulated:

[snip]


I have found several already with Google, just
not sure what path to follow, and that's why I
wanted to know what suggestions others have on what
they are actually using under FreeBSD. Of course there
are several ones; some look very good and promising, yes.


I don't think that FreeBSD offers much in that arena in the ports
system. A quick perusal only turned up two candidates.

http://www.freebsd.org/cgi/ports.cgi?query=shopping&stype=all&sektion=all

You might be able to locate others though.



This search produces a lot more, including oscommerce and magento:

http://www.freebsd.org/cgi/ports.cgi?query=commerce&stype=all&sektion=all

--
Although the wombat is real and the dragon is not, few know what a
wombat looks like, but everyone knows what a dragon looks like.

-- Avram Davidson, _Adventures in Unhistory_


Re: Shopping cart other than OSCommerce?

2010-12-08 Thread Chuck Swiger
On Dec 8, 2010, at 5:37 AM, Da Rock wrote:
 Thanks for the heads up. What language do you recommend then based on these 
 security reports?

Well, I've been implementing online stores and content-management/publishing 
systems written in Java and Objective-C for quite a while, so I'm biased 
towards those.  If I were starting over from scratch today, Ruby or Python 
would probably enter into the picture for consideration.  (Of course, Python 
threading runs into the GIL issue limiting true concurrency, and the only Ruby 
implementation around which does better is JRuby, which is Ruby implemented on 
top of Java.)

You don't magically get immunity from SQL injection by using JDBC or EOF or 
whatever, but using bound variables in queries rather than feeding user input 
into raw SQL, or invoking stored procedures or user-defined functions instead 
will mitigate one of the more common security problems.

Regards,
-- 
-Chuck



Re: Shopping cart other than OSCommerce? [LONG]

2010-12-08 Thread Karl Vogel
 On Tue, 7 Dec 2010 21:23:04 -0700, 
 Dale Scott dalesc...@shaw.ca said:

D I'll interpret that as saying a large percentage of the PHP apps vying
D for your attention are crap, but buyer beware. Just be careful, have a
D healthy level of scepticism, and keep your eyes open.

   Yup.

D I don't know anything about Facebook other than it's PHP-based, but I'm
D sure we'd hear about it being hacked on a regular basis if it was.

   
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=216403016
   Microsoft and Facebook Team Up to Put the Kibosh on Koobface
   Mon, 6 Apr 2009

   Microsoft and Facebook are working together to protect users from the
   Koobface worm.  Koobface spreads through Facebook and MySpace social
   networking sites and infects users who run vulnerable versions of
   Windows.  It steals login information so it can hijack accounts and spam
   users' contact lists.

   The spam usually contains a link to what is billed as a video, but users
   who click the link are told they must download a program to watch the clip.
   If users agree to the download, their machines become infected with malware.
   Microsoft has added Koobface to its Malicious Software Removal Tool (MSRT),
   which removed nearly 200,000 instances of Koobface from more than 133,000
   computers in two weeks.
   

   http://www.theregister.co.uk/2009/05/15/facebook_phishing_scam/
   http://technology.timesonline.co.uk/tol/news/tech_and_web/article6294169.ece
   Another Phishing Attack Targets Facebook Users
   Fri, 15 May 2009

   Users of the social networking site Facebook have been subjected to another
   phishing attack.  The attackers gained access to the social networking
   site by using legitimate user accounts and then directing the contacts
   of the compromised accounts to websites containing malicious software.
   The attackers ostensibly gained access to the initial accounts by exploiting
   easy-to-guess passwords.
   

   
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1356896,00.html
   IT Managers Feel Pressured to Relax Security Policies
   Wed, 20 May 2009

   According to a recent survey of 1,300 IT managers, 86 percent said
   they were being pressured by company executives, marketing departments,
   and sales departments to relax web security policies to allow access to
   web-based platforms such as Google Apps.  Nearly half of respondents said
   some employees bypass security policies to access services like Twitter
   and Facebook.  More than half of the respondents noted that they lacked the
   means to detect embedded malicious code and prevent URL redirect attacks.
   

   http://www.theregister.co.uk/2009/08/07/twitter_attack_theory/
   Attack on Twitter and Facebook Was a JoeJob
   6-10 Aug 2009

   The denial-of-service attacks that hobbled Twitter and Facebook last week
   were not conducted through botnets, but instead were the result of a spam
   campaign aimed at a taking out accounts that belong to a pro-Republic of
   Georgia blogger.
   

   
http://www.scmagazineus.com/Facebook-to-modify-privacy-practices-after-investigation/article/147556/
   http://technology.timesonline.co.uk/tol/news/tech_and_web/article6812783.ece
   Facebook Will Strengthen Privacy Practices
   27-28 Aug 2009

   In response to an investigation launched by Canada's Office of the Privacy
   Commissioner, Facebook has agreed to give users more control about the
   information they share with third-party applications.  The applications will
   be required to get permission from users for every category of personal
   information they want to access.  In addition, users will have the option
   to deactivate or to even to delete their accounts.  If users delete their
   accounts, all information belonging to that user will be deleted from
   Facebook servers.
   

   
http://www.computerworld.com/s/article/9138780/Facebook_Captchas_broken_?source=rss_security
   Spammers Break Facebook CAPTCHA
   Thu, 1 Oct 2009

   Malware purveyors have managed to break the Facebook CAPTCHA (completely
   automated public Turing test to tell computers and humans apart), allowing
   them to automate the creation of Facebook pages.  The malicious pages are
   being used to send links to malicious websites that promote scareware.
   The pages all have the same photograph, but have different user names.
   Facebook is taking steps to identify the rogue pages and disable them.
   

   http://www.wired.com/epicenter/2010/01/facebook-email/
   Rogue Marketers Can Mine Your Info on Facebook
   Ryan Singel
   Tue, 5 Jan 2010

   A marketer can take a list of 1,000 e-mail addresses, either legally or
   illegally collected -- and upload those to Facebook through a dummy
   account -- which then lets the user see all the profiles created using
   those addresses.  Given Facebook's ubiquity and most people's 

Re: Shopping cart other than OSCommerce? [LONG]

2010-12-08 Thread Jerry McAllister
On Wed, Dec 08, 2010 at 04:13:25PM -0500, Karl Vogel wrote:

  On Tue, 7 Dec 2010 21:23:04 -0700, 
  Dale Scott dalesc...@shaw.ca said:
 
 D I'll interpret that as saying a large percentage of the PHP apps vying
 D for your attention are crap, but buyer beware. Just be careful, have a
 D healthy level of scepticism, and keep your eyes open.
 
Yup.
 
 D I don't know anything about Facebook other than it's PHP-based, but I'm
 D sure we'd hear about it being hacked on a regular basis if it was.

Interesting.  Looks like most of these depend on the bad judgement
of the user to respond to phishing and similar attacks rather than
a flaw in the PHP code, though once the user makes the mistake
they [unknowingly] allow the attack to insert malware.

jerry
  
  



Re: Shopping cart other than OSCommerce?

2010-12-08 Thread Kevin Kinsey

Chuck Swiger wrote:

 You don't magically get immunity from SQL injection by using
 JDBC or EOF or whatever, but using bound variables in queries rather
 than feeding user input into raw SQL, or invoking stored procedures
 or user-defined functions instead will mitigate one of the more
 common security problems.

And these practices are Good Practice in any language, including
PHP.  I think a big part of PHP's problem was that in order to have
it widely adopted and to be thought simple enough for $ME to use,
the documentation was written in simplest terms, without these
types of checks, and inexperienced coders adopted similar practices
to write working sites.  The real problems with PHP are its ubiquity
(not unlike M$ operating systems ... it's an omnipresent target) and
the fact that many of the people writing it come from a design
background instead of a programming one.  A man who has no inkling
of the existence of carnivorous animals will not build his house in a tree.

My $.02,

Kevin Kinsey


Re: Shopping cart other than OSCommerce? [LONG]

2010-12-08 Thread Da Rock

On 12/09/10 07:13, Karl Vogel wrote:

On Tue, 7 Dec 2010 21:23:04 -0700,
Dale Scott dalesc...@shaw.ca said:
   

D  I'll interpret that as saying a large percentage of the PHP apps vying
D  for your attention are crap, but buyer beware. Just be careful, have a
D  healthy level of scepticism, and keep your eyes open.

Yup.

D  I don't know anything about Facebook other than it's PHP-based, but I'm
D  sure we'd hear about it being hacked on a regular basis if it was.


http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=216403016
Microsoft and Facebook Team Up to Put the Kibosh on Koobface
Mon, 6 Apr 2009

   

... /snip

And that's why Facebook and all those social network sites are bad news.
What happened to anonymity on the internet? Everyone I know worth their
salt steers well clear of them...



Re: Shopping cart other than OSCommerce? [LONG]

2010-12-08 Thread Jerry
On Thu, 09 Dec 2010 10:07:57 +1000
Da Rock freebsd-questi...@herveybayaustralia.com.au articulated:

[snip]

 And that's why Facebook and all those social network sites are bad
 news. What happened to anonymity on the internet? Everyone I know
 worth their salt steers well clear of them...

Nothing is foolproof to a sufficiently talented fool. Or as some
say, "Make it idiot-proof and someone will make a better idiot."

There is nothing inherently bad with Facebook or any of its imitators.
The acronym PEBKAC accurately describes the true nature of the problem.
The inclusion of anonymity has nothing to do with the problem.

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__

Everyone is entitled to be stupid, but some abuse the privilege.


Re: Shopping cart other than OSCommerce?

2010-12-08 Thread Jonathan McKeown
On Thursday 09 December 2010 01:07:38 Kevin Kinsey wrote:
 Chuck Swiger wrote:
  You don't magically get immunity from SQL injection by using
  JDBC or EOF or whatever, but using bound variables in queries rather
  than feeding user input into raw SQL, or invoking stored procedures
  or user-defined functions instead will mitigate one of the more
  common security problems.

 And these practices are Good Practice in any language, including
 PHP.  I think a big part of PHP's problem was [... documentation]

I don't think it was just documentation. Perl, for example, comes with a 
standard way to access databases, DBI, which has good practices like binding 
variables in queries, escaping of input and output and so on, baked in.

PHP comes with built-in functions for accessing MySQL databases, which do 
nothing at all to help the programmer make sensible decisions and follow best 
practice.

There are database abstraction modules for PHP as far as I know, but if 
someone decides not to use them, is it still as hard as it was to do things 
safely using the built-in mysql_* functions?

Jonathan
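
Chuck Swiger's point about bound variables, Kevin Kinsey's that the practice applies in any language, and Jonathan McKeown's contrast between DBI-style placeholders and the raw mysql_* functions, as one added example. This is not code from the thread or from any project named in it: it uses Python's sqlite3 module against a constructed in-memory product table, and the function names and sample rows are mine. The unsafe variant pastes the caller's text into the SQL statement; the bound variant passes it as a parameter, so the same text can no longer change the statement's structure.

```python
import sqlite3


def make_catalogue():
    """Constructed in-memory product table standing in for a shop's database
    (sample rows, not data from the thread).  One row is hidden from the store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, visible INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, visible) VALUES (?, ?)",
        [("Widget", 1), ("Gadget", 1), ("Unreleased Gizmo", 0)],
    )
    return conn


def lookup_unsafe(conn, name):
    """Query assembled with string formatting: the user's text becomes part of
    the SQL statement itself, so a quote character in it rewrites the WHERE clause."""
    sql = "SELECT name FROM products WHERE visible = 1 AND name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Same query with a bound parameter (the '?' placeholder, the same shape
    Perl DBI uses): the driver passes the value separately from the statement,
    so whatever it contains is compared as data and cannot alter the query."""
    sql = "SELECT name FROM products WHERE visible = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both variants on the same input and return their (sorted) results.

    An honest name containing an apostrophe is enough to break the unsafe
    variant with a SQL syntax error; the bound variant simply finds no match."""
    conn = make_catalogue()
    try:
        try:
            unsafe = sorted(lookup_unsafe(conn, name))
        except sqlite3.OperationalError:
            unsafe = "syntax error"
        return {"unsafe": unsafe, "bound": sorted(lookup_bound(conn, name))}
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("Widget"))
    # A value containing a quote turns the unsafe statement into
    #   ... WHERE visible = 1 AND name = 'x' OR '1'='1'
    # which matches every row, hidden one included; the bound query returns nothing.
    print(compare("x' OR '1'='1"))
    print(compare("O'Brien"))
```

The interesting output is the third call: a perfectly legitimate value with an apostrophe already breaks the string-built query, which is why escaping by hand (the mysql_* style Jonathan describes) stays fragile, while the placeholder form needs no escaping at all.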


Shopping cart other than OSCommerce?

2010-12-07 Thread Jorge Biquez

Hello all.

I would like to hear your advice, if possible, based on experience, 
about what shopping cart other than OSCommerce you consider an 
excellent choice to be run under FreeBSD.

With a provider where I had a dedicated server, not running FreeBSD, 
the entire server was hacked and before leaving them, the tech 
support people said that the hacking was because of a problem with 
some libraries under PHP AND OSCOMMERCE. They never could prove that, 
but I left them since the entire server was hacked: no information 
stolen, but ONLY that: all web pages (.html, .php) were 
changed, all under different domains and accounts jailed (?) using 
CPANEL. Anyway. I am not sure how sensitive OSCommerce is to that, 
since I know it is very popular, but I would like to test something else.

I know there are tons of options but would like to hear your comments 
about what you are using and what you recommend me to try that 
has proved to run fine under FreeBSD.

The idea is to have 4 domains running the same software (could be 
multiple instances) under different DOMAINS. If possible it would 
be multilingual, or at least support English and Spanish, free, and 
it does not matter if it uses PHP or something else. Something important 
is that my test machine is an old one running FreeBSD 7.3, 2 
processors 386 with 1 GB of RAM; once I have everything running without 
problems I will move to a newer one that will run FreeBSD 8.1.


Thanks in advance.

Jorge Biquez



Re: Shopping cart other than OSCommerce?

2010-12-07 Thread Chuck Swiger
On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote:
 With a provider where I had a dedicated server, not running FreeBSD, the 
 entire server was hacked and before leaving them, the tech support people 
 said that the hacking was because of a problem with some libraries under PHP 
 AND OSCOMMERCE. They never could prove that, but I left them since the entire 
 server was hacked: no information stolen, but ONLY that: all web pages 
 (.html, .php) were changed, all under different domains and accounts 
 jailed (?) using CPANEL. Anyway. I am not sure how sensitive OSCommerce is to 
 that, since I know it is very popular, but I would like to test something else.

30 seconds with a Google search suggests that osCommerce has unpatched security 
vulnerabilities which do lead to compromise of admin and arbitrary PHP code 
execution:

  http://secunia.com/advisories/product/1308/

  Affected By: 7 Secunia advisories
  Vulnerabilities: 44
  Unpatched: 29% (2 of 7 Secunia advisories)

  Most Critical Unpatched:
  The most severe unpatched Secunia advisory affecting osCommerce 2.x, with all 
  vendor patches applied, is rated Highly critical.

  http://secunia.com/advisories/33446/

1) The application allows users to perform certain actions via HTTP requests 
without performing any validity checks to verify the requests. This can be 
exploited to e.g. create additional administrator accounts by tricking an 
administrative user into visiting a malicious web site.

2) An error in the authentication mechanism can be exploited to bypass 
authentication checks and gain access to the administrative interface in the 
admin/ folder.

Successful exploitation allows to upload and execute arbitrary PHP code e.g. 
via the file_manager.php script.

In other words, your former site's tech support people were likely right-- the 
site was almost certainly hacked because of osCommerce.  Find something else, 
preferably something which is not based upon PHP.

Regards,
-- 
-Chuck

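
The first item in the Secunia summary above describes state-changing admin actions accepted from any HTTP request, with no check that the logged-in administrator actually intended the request; that is what a per-session anti-forgery token guards against. The following is an added example of that check, not osCommerce code and not taken from the advisory: a minimal synchronizer-token pattern in Python. The Request class, the session dictionary, the /admin/add-administrator path and the origins are constructed stand-ins, and the function names are mine.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Methods that change server state and therefore need an anti-forgery token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request (not a framework type)."""
    method: str
    path: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def issue_token(session):
    """Return the session's anti-forgery token, minting one on first use.

    The token lives server-side in the session and is copied into a hidden
    field of every admin form the site renders.  A page on another origin can
    make the browser send the victim's cookies with a forged request, but it
    cannot read this value, so it cannot include it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def check_request(session, request, site_origin):
    """Decide whether a request may proceed; returns (allowed, reason).

    Read-only methods pass.  State-changing methods must carry the session's
    token, compared in constant time, and if the browser sent an Origin header
    it must name this site."""
    if request.method not in STATE_CHANGING:
        return True, "read-only request"
    expected = session.get("csrf_token")
    supplied = request.form.get("csrf_token")
    if expected is None or supplied is None:
        return False, "missing csrf token"
    if not hmac.compare_digest(expected.encode(), str(supplied).encode()):
        return False, "csrf token mismatch"
    origin = request.headers.get("Origin")
    if origin is not None and origin != site_origin:
        return False, "cross-origin request"
    return True, "ok"


def demo():
    """Run three constructed requests through the check and return the verdicts."""
    site = "https://shop.example"          # constructed origin of our own site
    session = {}                            # server-side session of one admin
    token = issue_token(session)
    own_form = Request("POST", "/admin/add-administrator",   # hypothetical path
                       {"username": "staff", "csrf_token": token},
                       {"Origin": site})
    # A form posted from some other page: cookies ride along, the token cannot.
    forged = Request("POST", "/admin/add-administrator",
                     {"username": "someone"},
                     {"Origin": "https://other.example"})
    read = Request("GET", "/admin/orders")
    return {
        "own_form": check_request(session, own_form, site),
        "forged": check_request(session, forged, site),
        "read": check_request(session, read, site),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The token check is the primary control; the Origin comparison is a second, independent layer for browsers that send the header. Neither addresses the second Secunia item (the authentication bypass), which is a separate defect in the login logic itself.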


Re: Shopping cart other than OSCommerce?

2010-12-07 Thread Jorge Biquez

Hello all.

Thanks for the time and rapid response, Mr Chuck.

Yes. Seems like the guilty one was OSCommerce. I am looking exactly 
for another option, as you say maybe not PHP ones, and that's why I asked 
for advice based on experiences of what people are using. I am looking 
for a Python option also. My needs are very simple; even a catalog of 
products without the shopping cart will be enough. I am also looking at 
options that let you add modules. I want to continue using FreeBSD, 
continue learning and also solve a personal need.
Of course the idea is not to start a war between PHP lovers and any 
other language, but options and suggestions are very welcome. Anyway. 
I will continue searching. And when I find the solution I will post it 
here; maybe it could be of help to someone.

By the way. It is great to receive advice from people like you all 
guys. I have been on the list for several years and I always learn 
something, always.


Thanks to all

Jorge Biquez

At 03:01 p.m. 07/12/2010, Chuck Swiger wrote:

On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote:
 With a provider where I had a dedicated server, not running 
 FreeBSD, the entire server was hacked and before leaving them, the 
 tech support people said that the hacking was because of a problem 
 with some libraries under PHP AND OSCOMMERCE. They never could 
 prove that, but I left them since the entire server was hacked: no 
 information stolen, but ONLY that: all web pages (.html, .php) 
 were changed, all under different domains and accounts 
 jailed (?) using CPANEL. Anyway. I am not sure how sensitive 
 OSCommerce is to that, since I know it is very popular, but I would 
 like to test something else.


30 seconds with a Google search suggests that osCommerce has 
unpatched security vulnerabilities which do lead to compromise of 
admin and arbitrary PHP code execution:


  http://secunia.com/advisories/product/1308/

Affected By: 7 Secunia advisories
Vulnerabilities: 44

Unpatched: 29% (2 of 7 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting osCommerce 2.x, 
with all vendor patches applied, is rated Highly critical.


  http://secunia.com/advisories/33446/

1) The application allows users to perform certain actions via HTTP 
requests without performing any validity checks to verify the 
requests. This can be exploited to e.g. create additional 
administrator accounts by tricking an administrative user into 
visiting a malicious web site.


2) An error in the authentication mechanism can be exploited to 
bypass authentication checks and gain access to the administrative 
interface in the admin/ folder.


Successful exploitation allows to upload and execute arbitrary PHP 
code e.g. via the file_manager.php script.


In other words, your former site's tech support people were likely 
right-- the site was almost certainly hacked because of 
osCommerce.  Find something else, preferably something which is not 
based upon PHP.


Regards,
--
-Chuck



Re: Shopping cart other than OSCommerce?

2010-12-07 Thread Jerry
On Tue, 07 Dec 2010 15:32:06 -0600
Jorge Biquez jbiq...@intranet.com.mx articulated:

 At 03:01 p.m. 07/12/2010, Chuck Swiger wrote:
 On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote:
   With a provider where I had a dedicated server, not running 
  FreeBSD, the entire server was hacked and before leaving them, the 
  tech support people said that the hacking was because of a problem 
  with some libraries under PHP AND OSCOMMERCE. They never could 
  prove that, but I left them since the entire server was hacked: no 
  information stolen, but ONLY that: all web pages (.html, .php) 
  were changed, all under different domains and accounts 
  jailed (?) using CPANEL. Anyway. I am not sure how sensitive 
  OSCommerce is to that, since I know it is very popular, but I would 
  like to test something else.
 
 30 seconds with a Google search suggests that osCommerce has 
 unpatched security vulnerabilities which do lead to compromise of 
 admin and arbitrary PHP code execution:
 
http://secunia.com/advisories/product/1308/
 
 Affected By: 7 Secunia advisories
 Vulnerabilities: 44
 
 Unpatched: 29% (2 of 7 Secunia advisories)
 
 Most Critical Unpatched
 The most severe unpatched Secunia advisory affecting osCommerce 2.x, 
 with all vendor patches applied, is rated Highly critical.
 
http://secunia.com/advisories/33446/
 
 1) The application allows users to perform certain actions via HTTP 
 requests without performing any validity checks to verify the 
 requests. This can be exploited to e.g. create additional 
 administrator accounts by tricking an administrative user into 
 visiting a malicious web site.
 
 2) An error in the authentication mechanism can be exploited to 
 bypass authentication checks and gain access to the administrative 
 interface in the admin/ folder.
 
 Successful exploitation allows to upload and execute arbitrary PHP 
 code e.g. via the file_manager.php script.
 
 In other words, your former site's tech support people were likely 
 right-- the site was almost certainly hacked because of 
 osCommerce.  Find something else, preferably something which is not 
 based upon PHP.
 
 Thanks for the time and rapid response, Mr Chuck.
 
 Yes. Seems like the guilty one was OSCommerce. I am looking exactly 
 for another option, as you say maybe not PHP ones, and that's why I asked 
 for advice based on experiences of what people are using. I am looking 
 for a Python option also. My needs are very simple; even a catalog of 
 products without the shopping cart will be enough. I am also looking at 
 options that let you add modules. I want to continue using FreeBSD, 
 continue learning and also solve a personal need.
 Of course the idea is not to start a war between PHP lovers and any 
 other language, but options and suggestions are very welcome. Anyway. 
 I will continue searching. And when I find the solution I will post it 
 here; maybe it could be of help to someone.
 
 By the way. It is great to receive advice from people like you all 
 guys. I have been on the list for several years and I always learn 
 something, always.

Seriously, have you tried Googling for a potential solution? I just
spent a few minutes and found several candidates.

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__
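
Item 1 of the Secunia advisory quoted above is a cross-site request forgery: the admin handler acts on any request that arrives with a logged-in administrator's session cookie, so a hidden form on an attacker's page, auto-submitted in the admin's browser, can add an administrator account. The following is an added example, not code from this thread, from osCommerce or from Secunia, showing the vulnerable handler beside a hardened one and replaying the forged request against both. The session store, the form action path, the site origin and the user names are all made up for the illustration; the same pattern (a per-session random token embedded in every state-changing form, constant-time comparison on submit, POST only, and an Origin check when the browser sends one) carries over directly to a PHP application.

```python
import hmac
import secrets

# Constructed in-memory session store for the illustration (session id -> data).
# In a real deployment this is the server-side session, never anything the
# browser can set on its own.
SESSIONS = {}
SITE_ORIGIN = "https://shop.example"  # assumed origin of the store's admin UI


def new_session():
    """Start an admin session carrying a fresh, unguessable CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(32), "admins": ["root"]}
    return sid


def render_create_admin_form(sid):
    """Every state-changing form the app serves must embed the session's token.
    The action path is invented for the example."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/admin/create_admin.php">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input name="username"><input type="submit" value="Add"></form>'
    )


def create_admin_unchecked(sid, method, params, origin=None):
    """Vulnerable pattern, as in advisory item 1: the handler trusts any request
    that arrives with a logged-in admin's session cookie. A hidden form on an
    attacker's page, auto-submitted by JavaScript in the admin's browser, carries
    that cookie and therefore succeeds."""
    SESSIONS[sid]["admins"].append(params["username"])
    return 200


def create_admin_checked(sid, method, params, origin=None):
    """Hardened pattern: only POST changes state, a browser-sent Origin header
    must match the site, and the submitted token must equal the session's token
    (compared in constant time so a mismatch position cannot be timed)."""
    if method != "POST":
        return 405
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    supplied = params.get("csrf_token", "")
    expected = SESSIONS[sid]["csrf_token"]
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    SESSIONS[sid]["admins"].append(params["username"])
    return 200


def token_from_form(form_html):
    """Pull the hidden token back out of the rendered form, as the browser would."""
    marker = 'name="csrf_token" value="'
    start = form_html.index(marker) + len(marker)
    return form_html[start:form_html.index('"', start)]


def simulate():
    """Replay the attack from the advisory against both handlers and return
    the resulting status codes and admin lists."""
    forged = {"username": "attacker"}       # no token: the attacker cannot read it
    forged_origin = "https://evil.example"  # what a modern browser would send

    sid = new_session()
    unchecked_status = create_admin_unchecked(sid, "POST", forged, forged_origin)
    unchecked_admins = list(SESSIONS[sid]["admins"])

    sid = new_session()
    checked_status = create_admin_checked(sid, "POST", forged, forged_origin)
    # The legitimate admin submits the form the app rendered for this session.
    legit = {"username": "ops",
             "csrf_token": token_from_form(render_create_admin_form(sid))}
    legit_status = create_admin_checked(sid, "POST", legit, SITE_ORIGIN)
    checked_admins = list(SESSIONS[sid]["admins"])

    return {
        "unchecked": (unchecked_status, unchecked_admins),
        "checked_forged": checked_status,
        "checked_legit": legit_status,
        "checked_admins": checked_admins,
    }


if __name__ == "__main__":
    print(simulate())
```

The Origin check is a second line of defence only: older browsers do not send the header, and the handler must not treat its absence as proof the request is same-site, which is why the token comparison is the check that actually decides.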

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Shopping cart other than OSCommerce?

2010-12-07 Thread Jorge Biquez


At 04:04 p.m. 07/12/2010, you wrote:

On Tue, 07 Dec 2010 15:32:06 -0600
Jorge Biquez jbiq...@intranet.com.mx articulated:

 At 03:01 p.m. 07/12/2010, Chuck Swiger wrote:
 On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote:
   With a provider where I had a dedicated server, not running
  FreeBSD, the entire server was hacked and before leaving them, the
  tech support people said that the hacking was because of a problem
  with some libraries under PHP AND OSCOMMERCE. They never could
  prove that but I left them since the entire server was hacked, not
  information stolen but ONLY that: all web pages (.html, .php)
  were changed, all under different domains and accounts
  jailed (?) using cPanel. Anyway. I am not sure how susceptible
  OSCommerce is to that since I know it is very popular but I would
  like to test something else.
 
 30 seconds with a Google search suggests that osCommerce has
 unpatched security vulnerabilities which do lead to compromise of
 admin and arbitrary PHP code execution:
 
http://secunia.com/advisories/product/1308/
 
  Affected By   7 Secunia advisories
                44 Vulnerabilities
 
 Unpatched   29% (2 of 7 Secunia advisories)
 
 Most Critical Unpatched
 The most severe unpatched Secunia advisory affecting osCommerce 2.x,
 with all vendor patches applied, is rated Highly critical.
 
http://secunia.com/advisories/33446/
 
 1) The application allows users to perform certain actions via HTTP
 requests without performing any validity checks to verify the
 requests. This can be exploited to e.g. create additional
 administrator accounts by tricking an administrative user into
 visiting a malicious web site.
 
 2) An error in the authentication mechanism can be exploited to
 bypass authentication checks and gain access to the administrative
 interface in the admin/ folder.
 
 Successful exploitation allows to upload and execute arbitrary PHP
 code e.g. via the file_manager.php script.
 
 In other words, your former site's tech support people were likely
 right-- the site was almost certainly hacked because of
 osCommerce.  Find something else, preferably something which is not
 based upon PHP.

  Thanks for the time and rapid response Mr Chuck.

  Yes. Seems like the guilty one was OSCommerce. I am looking exactly
  for other options, as you say maybe not PHP ones, and that's why I asked
  for advice based on the experiences of what people are using. I am looking
  for a Python option also. My needs are very simple; even a catalog of
  products without the shopping cart will be enough. I am also looking for
  options that let you add modules. I want to continue using FreeBSD,
  continue learning and also solve a personal need.
    Of course the idea is not to start a war between PHP lovers and any
  other language, but options and suggestions are very welcome. Anyway,
  I will continue searching. And when I find the solution I will post it
  here; maybe it could be of help to someone.

  By the way, it is great to receive advice from people like you all
  guys. I have been on the list for several years and I always learn
  something, always.

Seriously, have you tried Googling for a potential solution? I just
spent a few minutes and found several candidates.

--
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__
Hello.
I have found several already with Google, just
not sure what path to follow, and that's why I
wanted to know what suggestions others have on what
they are actually using under FreeBSD. Of course there
are several, and some look very good and promising, yes.


Thanks in advance

Jorge Biquez



Re: Shopping cart other than OSCommerce?

2010-12-07 Thread Matthew Seaman
On 07/12/2010 21:32, Jorge Biquez wrote:
 Seems like the guilty one was OSCommerce. I am looking exactly for other
 option, as you say maybe not PHP ones and that's why asked for advice
 based on experinces of what people is using.

Take a look at Magento -- it's in ports: www/magento.

Despite being written in PHP, Magento is not bad security wise.  There's
a company behind it which is very actively developing the application,
and they are receptive and responsive to reports of security problems,
or bugs in general.  Many household name companies
are using it.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW


Re: Shopping cart other than OSCommerce?

2010-12-07 Thread Jerry
On Tue, 07 Dec 2010 16:10:38 -0600
Jorge Biquez jbiq...@intranet.com.mx articulated:

[snip]

  I have found several already with Google, just
  not sure what path to follow, and that's why I
  wanted to know what suggestions others have on what
  they are actually using under FreeBSD. Of course there
  are several, and some look very good and promising, yes.

I don't think that FreeBSD offers much in that arena in the ports
system. A quick perusal only turned up two candidates.

http://www.freebsd.org/cgi/ports.cgi?query=shopping&stype=all&sektion=all

You might be able to locate others though.

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__
I'm so broke I can't even pay attention.


Re: Shopping cart other than OSCommerce?

2010-12-07 Thread Da Rock

On 12/08/10 07:01, Chuck Swiger wrote:

On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote:
   

With a provider where I had a dedicated server, not running FreeBSD, the
entire server was hacked and before leaving them, the tech support people said
that the hacking was because of a problem with some libraries under PHP AND
OSCOMMERCE. They never could prove that but I left them since the entire
server was hacked, not information stolen but ONLY that: all web pages (.html,
.php) were changed, all under different domains and accounts jailed (?)
using cPanel. Anyway. I am not sure how susceptible OSCommerce is to that since I
know it is very popular but I would like to test something else.
 

30 seconds with a Google search suggests that osCommerce has unpatched security 
vulnerabilities which do lead to compromise of admin and arbitrary PHP code 
execution:

   http://secunia.com/advisories/product/1308/

Affected By   7 Secunia advisories
              44 Vulnerabilities

Unpatched29% (2 of 7 Secunia advisories)

Most Critical Unpatched
The most severe unpatched Secunia advisory affecting osCommerce 2.x, with all vendor 
patches applied, is rated Highly critical.

   http://secunia.com/advisories/33446/

1) The application allows users to perform certain actions via HTTP requests 
without performing any validity checks to verify the requests. This can be exploited 
to e.g. create additional administrator accounts by tricking an administrative user 
into visiting a malicious web site.

2) An error in the authentication mechanism can be exploited to bypass authentication 
checks and gain access to the administrative interface in the admin/ folder.

Successful exploitation allows to upload and execute arbitrary PHP code e.g. via the 
file_manager.php script.

In other words, your former site's tech support people were likely right-- the 
site was almost certainly hacked because of osCommerce.  Find something else, 
preferably something which is not based upon PHP.

Regards,
   
One to point out the obvious, and two to clarify your view here: why not
PHP? PHP was the scripting language used, but if used poorly it will create a
security risk in the web app. That means that the vulnerability is the
coder's problem, not PHP itself. God knows how many references there are
to what not to do for security reasons on the PHP site.


Vulnerabilities due to bad coding are not the fault of the language used;
otherwise we wouldn't be using C, C++, etc.


I ask because I'm coding web apps in PHP myself, and I'm curious to know
if my view is in error...



Re: Shopping cart other than OSCommerce?

2010-12-07 Thread Chuck Swiger
On Dec 7, 2010, at 4:27 PM, Da Rock wrote:
 One to point out the obvious, and two to clarify your view here: why not PHP?
 PHP was the scripting language used, but if used poorly it will create a security risk in
 the web app. That means that the vulnerability is the coder's problem, not
 PHP itself. God knows how many references there are to what not to do for
 security reasons on the PHP site.
 
 Vulnerabilities due to bad coding are not the fault of the language used;
 otherwise we wouldn't be using C, C++, etc.
 
 I ask because I'm coding web apps in PHP myself, and I'm curious to know if
 my view is in error...

I would disagree and argue that vulnerabilities due to bad coding often reflect
flaws in the language being used.  For example, a vast range of buffer
overflows, null pointer dereference issues, etc. are entirely a consequence of
C-based languages which permit arbitrary pointer arithmetic.  Tools like
valgrind and Purify were later created to help add runtime array and memory
buffer bounds-checking to C/C++ which other languages (Java, Python, etc.)
already provide by raising an index out of range exception or similar.

As for PHP and security, well, when someone ends up getting married to three
abusive drunks in a row, there is more going on with that than random chance or
even bad luck.  I've got an archive of a couple of years' worth of list traffic
from full-disclosure & bugt...@securityfocus, and nearly a third of the
messages involve PHP or software written in PHP.  That's about twice as many as
the next largest category, which is vulnerabilities in Windows (including stuff
like Adobe Flash/Reader).

Regards,
-- 
-Chuck



RE: Shopping cart other than OSCommerce?

2010-12-07 Thread Dale Scott
 As for PHP and security, well, when someone ends up getting married to
 three abusive drunks in a row, there is more going on with that than
 random chance or even bad luck.

I'll interpret that as saying a large percentage of the PHP apps vying for
your attention are crap, but buyer beware. Just be careful, have a healthy
level of scepticism, and keep your eyes open. I'm amazed at the ease with
which a good looking web app can be created, and with complete and total
disregard for the most basic software development best practices. However,
that doesn't mean all apps are crap, just like there are still guys & gals
out there worth tying your life to.

In my experience (which is probably more than some, but certainly not much
compared to some others), MediaWiki, MantisBT, Moodle, and Drupal are
mature, reliable and generally secure PHP-based applications. They have good
documentation, active communities, and are honest and prompt with security
advisories (and also pretty prompt with security updates). I'm sure there
must be others (e.g., I don't know anything about Facebook other than it's
PHP-based, but I'm sure we'd hear about it being hacked on a regular basis
if it was).

Dale
