Hi All
Do we think Opencart should take security more seriously?
or is that the responsibility of the site owners?
I think it's a bit of both.
Take this, Opencart.com scores a big fat F (fail) here
https://securityheaders.com/?q=opencart ... directs=on
and here
https://www.htbridge.com/websec/?id=1nvubsLR
I've implemented most of these on an actual OC website and got an A on securityheader.com.
but I can't implement a safe Content Policy without adding 'unsafe' options because (at least my version 2) opencart uses lots of inline javascript.
(just tested a fresh install of OC3, F for fail again)
What do you score?
Well, there seems to be some mixup in your philosophy, this
https://www.opencart.com Site Software is a Wordpress Product,
and has nothing to do with OC Software ...
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
No, it doesn't use Wordpress. It uses a custom-tailored version of OpenCart that Daniel has modified specifically for the site. You can tell this by the use of "route" and lots of other standard OpenCart behavior. For example:
https://www.opencart.com/index.php?route=cms/download
It's really just an extended version of OpenCart.
Well you’ve missed my point. Besides it is based off of OC. That’s neither here nor there.
The fact is OC’s own website fails some basic security best practices.
And so does a fresh install of OC itself.
The point is. The very kind and dedicated people behind these properties aren’t looking into security particularly seriously.
So my question still remains. Do we/you think OC fresh install should take this seriously or is it up to site owners?
Problem I have is that fundamentally some pages require/use inline JavaScript. So without rewriting OC you can’t implement a strict Content Security Policy on JavaScript.
I’m guessing by the lack of response people don’t care.
Well, there is a lot of talk about GDPR.
Let me say, step one of GDPR is don’t leak data. Ever. If you do, then you’ll get fined by them.
And Visa if it involves card data, which has been around for ages. And that is not a fun process, I can tell you.
So I personally think it should come before ‘nice to haves’ such as users/customers being able to delete an account themselves.
But essentially that’s my question.
Oops, sorry, I did not spend enough time on checking about this ...
---
Well, this might be your opinion, and you're possibly not the only one, still, OC comes for
free, and if one cares, to mock it up, to meet some additional security related Spec's, not
covered by OC, one is also free, to do this. OC never claimed, to have it all, in contrary,
OC always depended on DEV's, to add, what's not planned, to be part of a strictly BASIC
Software. Otherwise, OC would not have been able, to generate any Income, to survive !
But, in my case, I was not even aware of those 2 Test-Sites, and what's written there about,
and for 99.9 percent of OC -Users, including me, it looks more like another way of Marketing,
trying, to sell something, by talking about Security Risks, and at worst, leaving the impression
to code-unpro visitors, that their Site is possibly in great danger.
And some of it could not even be implemented by Users, if they don't run their own Servers.
But most also don't plan, to build their own online Fort Knox, but only a simple Online Shop,
which, as it looks, works quite well. At least, if served by a decent hoster, and built by someone,
at least familiar with CHMOD, .HTACCESS, and setting up OC, as it should be done. It's a
commercially used Software, after all. So, it's up to the User, to take Care, after getting
a free Helper - like in any other Business too, to hopefully get rich quick. And who's not
able to, for what reason ever, shall not succeed, that's the Number One Rule of Competition.
During my OC-Time, I built a few hundred Testshops, and experienced a few thousand
hacking attempts since. But not a single one of them was able, to break my Sites, or kill something.
But I am also aware of, that many security-related Topics have been published, all over the place,
claiming, that, under certain circumstances (which cannot even exist in real), some Badcode could
do some harm somewhere. It's therefore mostly Panic-Talk, but rather seldom of real value, or use.
But that's my personal feeling only, and I am neither a Code Security Specialist, nor a Coder
---
But you already had some problems, as it looks, by seemingly enabling something, to add
additional Code to one of your payment-related files.
Has this also been a 'default' OC failure, or did you just upload 3rd-party Code, without
looking at it first ?
"Scumbag got an email EVERY time credit card details entered on my website...."
That's not a problem, and some extensions already existed 8+ Years ago, I was even able,
to make this work as planned.
viewtopic.php?t=22483
---
And for those, unable to make it work for later OC Versions, but serving the European Market,
they could also buy one here, for the simple equivalent of a small Steak and a Beer:
https://www.opencart.com/index.php?rout ... n_id=34030
---
But why did you move up anyway, after having made your OC-2 be secure ?
If you would have been around here more, during those 8 Years, you would have known ...
Good Luck, no offense!
Ernie
Thanks Ernie.
IP_CAM wrote (Sat Jun 23, 2018 1:36 am): [the post above, quoted in full]
Yes I’ve had a problem in the past, so I do have stronger feeling than most.
No despite the VERY expensive investigation to look at log files. They couldn’t figure out how the guy got in. I do read the code of installed mods too just in case.
However that’s in the past. But yes it makes you a little more aware.
This was more coincidence due to a pen test at work and I thought I’d check OC.
Yes most of those headers are quite simple to fix. I wouldn’t say scare tactics marketing. They exist for a reason. Every browser supports them, so they must exist for legit, but yes, as you say, limited reasons.
My main concern is that anybody who did edit the files could inject JavaScript into the checkout page and it would run fine.
And since opencart has lots of JavaScript in the html / template pages you can’t apply the security header to prevent that.
All the others I’ve applied.
Some were so simple to do I can’t understand why they wouldn’t be in the default .htaccess file.
Well, believe me, I really feel with you, but it makes not much sense, to
make a speak, when there are no listeners in the room, but better make
others be part of one's own wisdom, something can so eventually be made
to be a Must, without anybody losing his/her face. (Japanese wisdom)
It's the way, OC grew up, without the need, to try everything out first, on its own!
If you know, what I'm trying to tell ya ...
Ernie
I came across the same website myself after a security report at work as well. Another good site is https://observatory.mozilla.org
I too have added the easy headers and a very poor CSP because of the inline javascript and styles. It would be nice to have a better security level in OpenCart and the problem is that it's not something that can easily be added by a user, because it would mean going through the entire code base and trying to remove all this inline code and where it is generated.
I'll have a look at improving it myself though, but I don't hold out much hope. It really needs to be done when the site is developed originally.
Allen
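The scans the thread keeps coming back to (the opening post's F vs. A on securityheaders.com, and Allen's "very poor CSP" that has to allow inline scripts and styles) can be reproduced locally with a small header audit. The following Python script is an added example and is not code from the thread or from the OpenCart project: the required-header list, the findings it raises and the letter-grade scale are this example's own assumptions, not the real scoring of securityheaders.com, htbridge or observatory.mozilla.org. The three header sets are constructed samples: a bare install, the "easy headers added" state with a CSP that needs 'unsafe-inline', and the same site after the inline-script rewrite the thread describes, where every inline script tag carries a per-response nonce (the nonce value is a placeholder).

```python
"""Audit a set of HTTP response headers for the hardening a header scanner looks for.
Everything here is constructed for illustration: the header list, the findings and
the letter-grade scale are this example's own, not the scoring of any real scanner."""
from __future__ import annotations
import re

# Headers a scanner expects on every HTML response (example list, an assumption).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
)

# Headers that only advertise the server stack to a visitor.
DISCLOSURE_HEADERS = ("server", "x-powered-by")

# Constructed sample 1: a fresh install with nothing added to .htaccess.
BARE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "Apache",
    "X-Powered-By": "PHP/7.2",
}

# Constructed sample 2: the easy headers added, but a CSP that has to allow
# 'unsafe-inline' because the templates carry inline <script> and <style> blocks.
HARDENED_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'unsafe-inline'; "
        "style-src 'self' 'unsafe-inline'"
    ),
}

# Constructed sample 3: the policy once every inline script tag carries a per-response
# nonce.  'unsafe-inline' stays only for old browsers; 'nonce-PLACEHOLDER' stands in
# for a value that is random per response.
NONCE_RESPONSE_HEADERS = {
    **HARDENED_RESPONSE_HEADERS,
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'nonce-PLACEHOLDER' 'unsafe-inline'; "
        "style-src 'self'; object-src 'none'"
    ),
}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.
    Browsers ignore a repeated directive, so the first occurrence wins here too."""
    policy: dict[str, list[str]] = {}
    for clause in value.split(";"):
        tokens = clause.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(value: str) -> list[str]:
    """Flag the source expressions that undo the injection protection a CSP should give."""
    policy = parse_csp(value)
    findings: list[str] = []
    if "default-src" not in policy:
        findings.append("csp: no default-src fallback")
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive) or policy.get("default-src", [])
        # A nonce or hash in the directive makes a CSP2+ browser ignore 'unsafe-inline',
        # so only report it when nothing else covers the inline content.
        strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                     for s in sources)
        if "'unsafe-inline'" in sources and not strict:
            findings.append(f"csp: {directive} allows 'unsafe-inline'")
        if directive == "script-src":
            if "'unsafe-eval'" in sources:
                findings.append("csp: script-src allows 'unsafe-eval'")
            if "*" in sources:
                findings.append("csp: script-src allows any origin")
    return findings


def audit(headers: dict[str, str]) -> dict:
    """Return the missing headers, the findings, and a letter grade (this example's
    own scale: one point per issue, A for none and F for four or more)."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in REQUIRED_HEADERS if h not in lower]
    findings = [f"discloses stack via {h}" for h in DISCLOSURE_HEADERS if h in lower]
    if "content-security-policy" in lower:
        findings += csp_findings(lower["content-security-policy"])
    hsts = lower.get("strict-transport-security")
    if hsts is not None:
        age = re.search(r"max-age=(\d+)", hsts)
        if age is None or int(age.group(1)) < 15552000:  # 180 days, a common minimum
            findings.append("hsts: max-age shorter than 180 days")
    grade = "ABCDF"[min(len(missing) + len(findings), 4)]
    return {"missing": missing, "findings": findings, "grade": grade}


if __name__ == "__main__":
    for name, hdrs in (("bare install", BARE_RESPONSE_HEADERS),
                       ("headers + loose CSP", HARDENED_RESPONSE_HEADERS),
                       ("headers + nonce CSP", NONCE_RESPONSE_HEADERS)):
        result = audit(hdrs)
        print(f"{name}: grade {result['grade']}")
        for line in result["missing"]:
            print(f"  missing: {line}")
        for line in result["findings"]:
            print(f"  finding: {line}")
```

The point the thread makes shows up in the second sample: every easy header is present, yet `script-src 'unsafe-inline'` is still reported, because with that source expression any script a compromised template or extension injects into the checkout page runs just as the site's own scripts do. The third sample shows why the fix is a template rewrite rather than another .htaccess line: the finding only disappears once the inline scripts carry a nonce (or a hash), which the server has to generate per response and stamp onto each tag.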