While OpenCart itself is as secure as it could be, sometimes third-party scripts may make your shop insecure!
When will this happen or when will this be possible?
Well, basically with every extension you install additionally.
That may sound very rude, but it is a fact.
While many extensions may be safe, to be on the 'safe side', before you go ahead and install any extension, check the structure first.
To do so, unzip the package locally and see which files are included.
And compare them.
Why compare?
Basically, a well-coded extension does NOT need to override any core script!
But if you see that there are files included which will override already installed scripts, be aware and look inside those files (with a qualified editor).
Why is there no need to override already existing scripts?
Because nearly each one can be extended if required.
What if you 'detect' a file which will override an already existing one?
If you know PHP and OpenCart it should be easy for you to 'read' the code - if not, contact a developer you trust and let him do the work.
What could happen if a core file is overridden by a new one?
First (as explained above), there is no reason why it should override!
Second, it could be that some malicious code is embedded and your data gets stolen!
A sample of what could happen is described here in this article: Session Stealer Script
Conclusion: whenever you buy an extension which includes files already included by the standard installation of OpenCart, be very careful!
And you should open a support ticket, report that extension and request your money back.
Full Stack Web Developer :: Dedicated OpenCart Development & Support DACH Region
Contact for Custom Work / Fast Support.
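The check described in the first post (unzip the package and compare its files with what is already installed), as an added example that is not part of the original thread. It assumes the package keeps the files to be copied into the shop under an `upload/` folder, as OpenCart 2.x/3.x packages usually do; the function names and the sample shop and package are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def find_overrides(package, shop_root, prefix="upload/"):
    """Return (path, status) for every packaged file that already exists in the shop.

    status is "identical" when the packaged bytes match the installed file and
    "modified" when installing would replace it with different content.
    prefix is the folder inside the zip that gets copied over the shop root
    (assumption: "upload/").
    """
    root = Path(shop_root).resolve()
    findings = []
    with zipfile.ZipFile(package) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            rel = info.filename[len(prefix):]
            target = (root / rel).resolve()
            if not target.is_relative_to(root):  # entry such as "../x"
                findings.append((rel, "escapes shop root"))
            elif target.is_file():
                packed = hashlib.sha256(zf.read(info)).digest()
                installed = hashlib.sha256(target.read_bytes()).digest()
                findings.append((rel, "identical" if packed == installed else "modified"))
    return sorted(findings)


def demo():
    """Constructed sample: a tiny fake shop tree and a fake extension zip."""
    with tempfile.TemporaryDirectory() as tmp:
        shop = Path(tmp, "shop")
        core = shop / "system/library/session.php"
        core.parent.mkdir(parents=True)
        core.write_text("<?php // core session class\n")
        pkg = Path(tmp, "example.ocmod.zip")
        with zipfile.ZipFile(pkg, "w") as zf:
            zf.writestr("install.xml", "<modification/>")
            zf.writestr("upload/system/library/session.php", "<?php // replaced\n")
            zf.writestr("upload/admin/controller/extension/module/example.php", "<?php\n")
        return find_overrides(pkg, shop)


if __name__ == "__main__":
    for path, status in demo():
        print(f"{status:18} {path}")
```

Every "modified" line is a file to open and read before installing; files the package only adds are not listed.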
It's a bit like my previous post, viewtopic.php?f=179&t=171783
Any extension could potentially access your sensitive information, no session hijacking needed. Just post the FTP config to your own webserver and you are in.
Tomit wrote: Any extension could potentially access your sensitive information, no session hijacking needed. Just post the FTP config to your own webserver and you are in.
It's not related to OpenCart, but to ANY expandable framework. You can get kinda paranoid here, huh.
Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com
Well, according to Media News, MAGENTO driven Shops seem to have a real
Security Problem, they talk about 6'000 Shops worldwide, 1'000 of them alone in
Germany, potentially in danger !
Many Magento Users obviously don't update their software, in order to save Money.
And this would so again be comparable with OC, and those Numbers, looking around
for paid OC-Mod's, for free, the only way to start a shop, to hopefully somehow make
some Cash flow in. But if such People run into a Problem, what the heck , it's the
risk, one takes, if such is done by thereby knowingly ripping others off...
And most 'regular' Users just have to believe in Web-Security, because most Web-Users
don't know very much about it. So, whoever plans, to really get a secure Place, then
better depends on Extensions, created by known and trustworthy Persons, like in real
Life. It's a business, after all, for everybody involved.
But as long as even so-called PRO's advise others, in places like here, to open up parts
of their Servers to '777' ( to probably download their Mod's later ), it's of no use,
to wonder about anything, then some will do such for entire Directories, just to make
sure... - just to mention one small simple Part, belonging to Server Security!
http://www.t-online.de/computer/sicherh ... ecken.html
Ernie
My Github OC Site: https://github.com/IP-CAM
5'200 + FREE OC Extensions, on the World's largest private Github OC Repository Archive Site.
Somebody has actually printed out a list of all the stores affected by JavaScript malware.
In November 2016 there were 5091 stores.
https://gitlab.com/gwillem/public-snipp ... pets/28813
Now it is worth mentioning that this only affects stores that do their own online payment transactions.
If you use PayPal in your store, there won't be that much skimming happening... Most of these scums are after the easy money, so they normally tend not to bother with other personal information stored on your site...
But it definitely pays to keep your store updated and don't give your details (server & admin access) to anybody!
Over 95% of all computer problems can be traced back to the interface between the keyboard and the chair...
IP_CAM wrote: Well, according to Media News, MAGENTO driven Shops seem to have a real
Security Problem, they talk about 6'000 Shops worldwide, 1'000 of them alone in
Germany, potentially in danger !
Many Magento Users obviously don't update their software, in order to save Money.
And this would so again be comparable with OC, and those Numbers, looking around
for paid OC-Mod's, for free, the only way to start a shop, to hopefully somehow make
some Cash flow in. But if such People run into a Problem, what the heck , it's the
risk, one takes, if such is done by thereby knowingly ripping others off...
And most 'regular' Users just have to believe in Web-Security, because most Web-Users
don't know very much about it. So, whoever plans, to really get a secure Place, then
better depends on Extensions, created by known and trustworthy Persons, like in real
Life. It's a business, after all, for everybody involved.
But as long as even so-called PRO's advise others, in places like here, to open up parts
of their Servers to '777' ( to probably download their Mod's later ), it's of no use,
to wonder about anything, then some will do such for entire Directories, just to make
sure... - just to mention one small simple Part, belonging to Server Security!
http://www.t-online.de/computer/sicherh ... ecken.html
Ernie
That's exactly the problem. I had a customer who has a midsized bike store and webshop; he used Magento and asked me to add some functionality.
I advised him to switch to OpenCart or Shopify, because it would become a costly affair to keep this site running, mainly because:
- development of functionality takes a little longer in Magento.
- the webshop he had wasn't updated for 2 years, and was full of security holes.
He asked me to add the functionality anyway, and make an offer for updating the 2 year old Magento.
Of course I was too expensive, and he chose not to have his shop updated at all, and now it's wide open for anyone to get customer information and orders..