Post by lovol3 » Fri Jun 22, 2018 5:05 am

Hi All

Do we think Opencart should take security more seriously?

or is that the responsibility of the site owners?

I think it's a bit of both.

Take this, Opencart.com scores a big fat F (fail) here
https://securityheaders.com/?q=opencart ... directs=on

and here

https://www.htbridge.com/websec/?id=1nvubsLR

I've implemented most of these on an actual OC website and got an A on securityheader.com.

but I can't implement a safe Content Policy without adding 'unsafe' options because (at least my version 2) opencart uses lots of inline javascript.

(just tested a fresh install of OC3, F for fail again :-\ )

What do you score?

Newbie

Posts

Joined
Thu May 17, 2018 4:05 am

Post by IP_CAM » Fri Jun 22, 2018 7:14 am

Well, there seems to be some mixup in your philosophy , this
https: //www .opencart .com Site Software is a Wordpress Product,
and has nothing to do with OC Software ... :D
Ernie

Ernie's OpenCart v.1.5.6.5 LIGHT + V-Pro + OpenShop Admin v.1.75 Test Sites
http://www.bigmax.ch - http://www.opencart.li/shop/
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by Johnathan » Fri Jun 22, 2018 9:51 pm

IP_CAM wrote:
Fri Jun 22, 2018 7:14 am
Well, there seems to be some mixup in your philosophy , this
https: //www .opencart .com Site Software is a Wordpress Product,
and has nothing to do with OC Software ... :D
Ernie
No, it doesn't use Wordpress. It uses a custom-tailored version of OpenCart that Daniel has modified specifically for the site. You can tell this by the use of "route" and lots of other standard OpenCart behavior. For example:

https://www.opencart.com/index.php?route=cms/download

It's really just an extended version of OpenCart.

Image
Image Image Image Image Image Image


User avatar
Global Moderator

Posts

Joined
Fri Dec 18, 2009 3:08 am


Post by lovol2 » Fri Jun 22, 2018 11:04 pm

IP_CAM wrote:
Fri Jun 22, 2018 7:14 am
Well, there seems to be some mixup in your philosophy , this
https: //www .opencart .com Site Software is a Wordpress Product,
and has nothing to do with OC Software ... :D
Ernie
Well you’ve missed my point. Besides it is based off of OC. That’s neither here nor there.

The fact is OC’s own website fails some basic security best practices.

And so does a fresh install of OC itself.

The point is. The very kind and dedicated people behind these properties aren’t looking into security particularly seriously.

So my question still remains. Do we/you think OC fresh install should take this seriously or is it up to site owners.?

Problem I have is that fundamentally some pages require/use inline JavaScript. So without rewriting OC you can’t implemet a strict Content security poloicy on JavaScript.

I’m guessing by the lack of response people don’t care.

Well, there is a lot of talk about GDPR.

Let me say, step one of GDPR is don’t leak data. Ever. If you do the. You’ll get fined from them.

And visa if it involves card data which has been around for ages. And that is not a fun process i can tell you.

So I personally think it should come before ‘nice to haves’ such as users/customers being able to delete an account themselves.

But essentially that’s my question. :)

New member

Posts

Joined
Wed Mar 24, 2010 6:41 am

Post by IP_CAM » Sat Jun 23, 2018 1:36 am

Johnathan wrote:
Fri Jun 22, 2018 9:51 pm
No, it doesn't use Wordpress. It uses a custom-tailored version of OpenCart ...
Oops, sorry, I did not spend enough time on checking about this ... ::)
---
I’m guessing by the lack of response people don’t care.
Well, this might be you opinion, and you're possibly not the only one, still, OC comes for
free, and if one cares, to mock it up, to meet some additional security related Spec's, not
covered by OC, one is also free, to do this. OC never claimed, to have it all, in contrary,
OC always depended on DEV's, to add, what's not planned, to be part of a strictly BASIC
Software. Otherways, OC would not have been able, to generate any Income, to survive !

But, in my case, I was not even aware of those 2 Test-Sites, and what's written there about,
and for 99.9 percent of OC -Users, including me, it looks more like another way of Marketing,
trying, to sell something, by talking about Security Risks, and at worst, leaving the impression
to code-unpro visitors, that their Site is possibly in great danger.

And some of it could not even be implemented by Users, if the don't run their own Servers.
But most also don't plan, to build their own online Fort Knox, but only a simple Online Shop,
wich, as it looks, works quite well. At least, if served by a decent hoster, and built by someone,
at least familiar with CHMODE, .HTACCESS, and setting up OC, as it should be done. It's a
commercially used Software, after all. So, it's up to the User, to take Care, after getting
a free Helper - like in any other Business too, to hopefully get rich quick. And who's not
able to, for what reason ever, shall not succeed, that's the Number One Rule of Competition.

During my OC-Time, I build a few hundreds of Testshops, and experienced a few thousand
hacking attemps since. But not a single one of them was able, to break my Sites, or kill something.
But I am also aware of, that many security-related Topics have been published, all over the place,
claiming, that, under certain circumstances (wich cannot even exist in real), some Badcode could
do some harm somewhere. It's therefore mostly Panic-Talk, but rather seldom of real value, or use.
But that's my personal feeling only, and I am neither a Code Security Specialist, nor a Coder ;)
---
But you already had some problems, as it looks, by seemengly enabling something, to add
additional Code to one of your payment-related files. :choke:
Has this also been a 'default' OC failure, or did you just upload 3th-party Code, without
looking at it first ?

Code: Select all

Scumbag got an email EVERY time credit card details entered on my website....
---
it should come before ‘nice to haves’ such as users/customers being able to delete an account themselves.
That's not a problem, and some extensions already existed 8+ Years ago, I was even able,
to make this work as planned. ::)
viewtopic.php?t=22483
---
And for those, unable to make it work for later OC Versions, but serving the European Market,
they could also buy one here, for the simple equivalent of a small Steak and a Beer: :laugh:
https://www.opencart.com/index.php?rout ... n_id=34030
---
But why did you move up anyway, after having made your OC-2 be secure ?
If you would have been around here more, during those 8 Years, you would have known ...
Good Luck, no offense! ;)
Ernie

Ernie's OpenCart v.1.5.6.5 LIGHT + V-Pro + OpenShop Admin v.1.75 Test Sites
http://www.bigmax.ch - http://www.opencart.li/shop/
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by lovol2 » Sat Jun 23, 2018 2:29 am

IP_CAM wrote:
Sat Jun 23, 2018 1:36 am
Johnathan wrote:
Fri Jun 22, 2018 9:51 pm
No, it doesn't use Wordpress. It uses a custom-tailored version of OpenCart ...
Oops, sorry, I did not spend enough time on checking about this ... ::)
---
I’m guessing by the lack of response people don’t care.
Well, this might be you opinion, and you're possibly not the only one, still, OC comes for
free, and if one cares, to mock it up, to meet some additional security related Spec's, not
covered by OC, one is also free, to do this. OC never claimed, to have it all, in contrary,
OC always depended on DEV's, to add, what's not planned, to be part of a strictly BASIC
Software. Otherways, OC would not have been able, to generate any Income, to survive !

But, in my case, I was not even aware of those 2 Test-Sites, and what's written there about,
and for 99.9 percent of OC -Users, including me, it looks more like another way of Marketing,
trying, to sell something, by talking about Security Risks, and at worst, leaving the impression
to code-unpro visitors, that their Site is possibly in great danger.

And some of it could not even be implemented by Users, if the don't run their own Servers.
But most also don't plan, to build their own online Fort Knox, but only a simple Online Shop,
wich, as it looks, works quite well. At least, if served by a decent hoster, and built by someone,
at least familiar with CHMODE, .HTACCESS, and setting up OC, as it should be done. It's a
commercially used Software, after all. So, it's up to the User, to take Care, after getting
a free Helper - like in any other Business too, to hopefully get rich quick. And who's not
able to, for what reason ever, shall not succeed, that's the Number One Rule of Competition.

During my OC-Time, I build a few hundreds of Testshops, and experienced a few thousand
hacking attemps since. But not a single one of them was able, to break my Sites, or kill something.
But I am also aware of, that many security-related Topics have been published, all over the place,
claiming, that, under certain circumstances (wich cannot even exist in real), some Badcode could
do some harm somewhere. It's therefore mostly Panic-Talk, but rather seldom of real value, or use.
But that's my personal feeling only, and I am neither a Code Security Specialist, nor a Coder ;)
---
But you already had some problems, as it looks, by seemengly enabling something, to add
additional Code to one of your payment-related files. :choke:
Has this also been a 'default' OC failure, or did you just upload 3th-party Code, without
looking at it first ?

Code: Select all

Scumbag got an email EVERY time credit card details entered on my website....
---
it should come before ‘nice to haves’ such as users/customers being able to delete an account themselves.
That's not a problem, and some extensions already existed 8+ Years ago, I was even able,
to make this work as planned. ::)
viewtopic.php?t=22483
---
And for those, unable to make it work for later OC Versions, but serving the European Market,
they could also buy one here, for the simple equivalent of a small Steak and a Beer: :laugh:
https://www.opencart.com/index.php?rout ... n_id=34030
---
But why did you move up anyway, after having made your OC-2 be secure ?
If you would have been around here more, during those 8 Years, you would have known ...
Good Luck, no offense! ;)
Ernie
Thanks Ernie.

Yes I’ve had a problem in the past, so I do have stronger feeling than most.

No despite the VERY expensive investigation to look at log files. They couldn’t figure out how the guy got in. I do read the code of installed mods too just in case.

However that’s in the past. But yes it makes you a little more aware.

This was more coincidence due to a pen test at work and I thought I’d check OC.

Yes most of those headers are quite simple to fix. I wouldn’t say scare tactics marketing. They exist for a reason. Every browser supports them so must exist for legit but yes as you say limited reasons.

My main concern is that anybody who did edit the files could inject JavaScript into the checkout page and it would run fine.

And since opencart has lots of JavaScript in the html / template pages you can’t apply the security header to prevent that.

All the others I’ve applied.

Some were so simple to do I can’t understand they they wouldn’t be in the default htacess file.

New member

Posts

Joined
Wed Mar 24, 2010 6:41 am

Post by IP_CAM » Sat Jun 23, 2018 9:51 am

Well, believe me, I really feel with you, but it makes not much sense, to
make a speak, when there are no listeners in the room, but better make
others be part of one's own wisdom, something can so eventually be made
to be a Must, without anybody loosing his/her face. (japonese wisdom) ::)
It's the way, OC grew up, without the need, to try everything out first, on it's own!
If you know, what I'm trying to tell ya ... :D
Ernie

Ernie's OpenCart v.1.5.6.5 LIGHT + V-Pro + OpenShop Admin v.1.75 Test Sites
http://www.bigmax.ch - http://www.opencart.li/shop/
Image


User avatar
Guru Member

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland
Who is online

Users browsing this forum: No registered users and 14 guests