Post by OSWorX » Tue Jan 03, 2017 6:13 pm

While OpenCart itself is secure as it could be, sometimes 3-party scripts may make your shop unsecure!
When will this happen or when will this be possible?

Well, basically with every extension you install additionally.
That my sound very rude, but is fact.
While many extensions may be safe, to be on the 'safe side', before you go ahead to install any extension, check first the structure.

To do so, unzip the package locale and see which files are included.
And compare them.
Why comparing?
Basically a well coded extension does NOT need to override any core script!
But if you see that there are files included which will override already installed scripts, be aware and look inside those files (with a qualified editor).

Why is there no need to override already existing scripts?
Because nearly each can be extended if required.

What if you 'detect' a file which will override an already existing?
If you know php and OpenCart it should be easy for your to 'read' the code - if not, contact a developer you trust and let him do the work.

What could happen if a core file will be overriden with a new one?
First (as explained above), there is no reason why it should override!
Second, it could be that some malicious code is embedded and your data gets stolen!

A sample of what could happen is described here in this article: Session Stealer Script

Conclusion: whenever you buy an extension which includes files already included by the standard installation of OpenCart, be very carefully!
And you should open a support ticket, report that extension and request your money back.

Image


User avatar

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by Tomit » Tue Jan 03, 2017 9:11 pm

It's a bit like my previous post, viewtopic.php?f=179&t=171783

Any extension could potentially access your sensitive information, no session hijacking needed. just post the ftp config to your own webserver and you are in.

Image



Posts

Joined
Sat Sep 14, 2013 9:54 pm
Location - Netherlands

Post by thekrotek » Sat Jan 14, 2017 3:15 pm

Tomit wrote:Any extension could potentially access your sensitive information, no session hijacking needed. just post the ftp config to your own webserver and you are in.
It's not related to OpenCart, but to ANY expandable framework. You can get kinda paranoid here, huh.

Image


User avatar

Posts

Joined
Sun Jul 03, 2016 12:24 am


Post by IP_CAM » Mon Jan 16, 2017 8:19 am

Well, according to Media News, MAGENTO driven Shops seem to have a real
Security Problem, they talk about 6'000 Shops worldwide, 1'000 of them alone in
Germany, potentially in danger ! :o
Many Magento Users obviously don't update their software, in order to save Money.

And this would so again be comparable with OC, and those Numbers, looking around
for paid OC-Mod's, for free, the only way to start a shop, to hopefully somehow make
some Cash flow in. But if such People run into a Problem, what the heck :P , it's the
risk, one takes, if such is done by thereby knowingly ripping others off... :-X

And most 'regular' Users just have to believe in Web-Security, because most Web-Users
don't know very much about it. So, whoever plans, to really get a secure Place, then
better depends on Extensions, created by known and trustworty Persons, like in real
Life. It's a business, after all, for everybody involved.

But as long as even socalled PRO's advise others, in places like here, to open up parts
of their Servers to '777' ( to probably download their Mod's later :D ), it's of no use,
to wonder about anything, then some will do such for entire Directories, just to make
sure... :D - just to mention one small simple Part, belonging to Server Security!

http://www.t-online.de/computer/sicherh ... ecken.html

Ernie

Ernie's OpenShop 1.5.6.5 with the free responsive OC Bootstrap 3 Theme:
http://www.evelo.li
Image


User avatar

Posts

Joined
Tue Mar 04, 2014 1:37 am
Location - Switzerland

Post by Burt65 » Mon Jan 16, 2017 8:47 am

Somebody have actually print a list out of all the stores affected by Javascript malware

At November 2016 there were 5091 stores

https://gitlab.com/gwillem/public-snipp ... pets/28813

Now it is worth mentioning that this only affect stores that do their own online payment transaction.

If you use Paypal in your store, there won't be that much skimming happening... Most of these scums are after the easy money, so they normally tend not to bother with other personal information stored on your site...

But it definitely pays to keep your store update and don't give your details (server & admin access) to nobody!

Over 95% of all computer problems can be traced back to the interface between the keyboard and the chair...


User avatar

Posts

Joined
Mon Nov 18, 2013 3:23 pm
Location - Oz

Post by Tomit » Mon Jan 16, 2017 7:25 pm

IP_CAM wrote:Well, according to Media News, MAGENTO driven Shops seem to have a real
Security Problem, they talk about 6'000 Shops worldwide, 1'000 of them alone in
Germany, potentially in danger ! :o
Many Magento Users obviously don't update their software, in order to save Money.

And this would so again be comparable with OC, and those Numbers, looking around
for paid OC-Mod's, for free, the only way to start a shop, to hopefully somehow make
some Cash flow in. But if such People run into a Problem, what the heck :P , it's the
risk, one takes, if such is done by thereby knowingly ripping others off... :-X

And most 'regular' Users just have to believe in Web-Security, because most Web-Users
don't know very much about it. So, whoever plans, to really get a secure Place, then
better depends on Extensions, created by known and trustworty Persons, like in real
Life. It's a business, after all, for everybody involved.

But as long as even socalled PRO's advise others, in places like here, to open up parts
of their Servers to '777' ( to probably download their Mod's later :D ), it's of no use,
to wonder about anything, then some will do such for entire Directories, just to make
sure... :D - just to mention one small simple Part, belonging to Server Security!

http://www.t-online.de/computer/sicherh ... ecken.html

Ernie
That's exactly the problem. I had a customer who has a midsized bike store, and webshop, he used magento and asked me to add some functionality.

I advised him to switch to opencart or shopify, because it would become a costly affair to keep this site running, mainly because:
- development of functionality takes a little longer in magento.
- the webshop he had wasn't updated for 2 years, and full off security holes.

He asked me to add the functionality anyway, and make an offer for updating the 2 year old magento.
Offcourse I was to expensive, and he chose not to have his shop updated at all, and now it's wide open for anyone to get customer information and orders..

Image



Posts

Joined
Sat Sep 14, 2013 9:54 pm
Location - Netherlands
Who is online

Users browsing this forum: No registered users and 3 guests