Post by OSWorX » Wed Jan 13, 2010 1:53 am

For me the latest (1.4.0.0) has a high security leak: empty folders - e.g. try: http://demo.opencart.com/catalog/.
I mean every folder within the OC installation is NOT secured (if directory listing is enabled and no rewrite in the .htaccess is given).

An easy fix for this could be putting an index.html in each OC folder like:

Code: Select all

<html><body bgcolor="#FFFFFF"></body></html>
Better than nothing and will not blast the package too much.

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by Yakiv » Wed Jan 13, 2010 2:19 am

joomx wrote:For me the latest (1.4.0.0) has a high security leak: empty folders - e.g. try: http://demo.opencart.com/catalog/.
I mean every folder within the OC installation is NOT secured (if directory listing is enabled and no rewrite in the .htaccess is given).

An easy fix for this could be putting an index.html in each OC folder like:

Code: Select all

<html><body bgcolor="#FFFFFF"></body></html>
Better than nothing and will not blast the package too much.
You must be on some pathetic hosting that all of your directories are open like that, by default. Do a little searching on the internet, about apache.

Active Member

Posts

Joined
Tue Dec 15, 2009 5:31 pm

Post by OSWorX » Wed Jan 13, 2010 2:44 am

Try the link i provided ... and than talk with Daniel.

Because of my experience, I know too many provider having this open.
Or/and I know many website owners they do NOT know what they are doing and enabling this setting in their cpanel!

Maybe I am paranoid, but about security no discussion (more this issue is solved with really nothing).

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by Yakiv » Wed Jan 13, 2010 2:57 am

joomx wrote:Try the link i provided ... and than talk with Daniel.

Because of my experience, I know too many provider having this open.
Or/and I know many website owners they do NOT know what they are doing and enabling this setting in their cpanel!

Maybe I am paranoid, but about security no discussion (more this issue is solved with really nothing).
In this day and age, with apache, I really don't think developers need to waste their time putting stupid index.html files into every blank folder.

Active Member

Posts

Joined
Tue Dec 15, 2009 5:31 pm

Post by Qphoria » Wed Jan 13, 2010 3:36 am

joomx wrote:For me the latest (1.4.0.0) has a high security leak: empty folders - e.g. try: http://demo.opencart.com/catalog/.
I mean every folder within the OC installation is NOT secured (if directory listing is enabled and no rewrite in the .htaccess is given).

An easy fix for this could be putting an index.html in each OC folder like:

Code: Select all

<html><body bgcolor="#FFFFFF"></body></html>
Better than nothing and will not blast the package too much.
Apache does allow a good htaccess method of doing it.

If you were to do the index file method, the best way IMO is adding an index.php file to each subdir and inside that file you put:

Code: Select all

<? header("Location: ../"); ?>
That way it always redirects it back home whenever you try to load a folder.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by OSWorX » Wed Jan 13, 2010 3:50 am

Thanks Qphoria.
I know to solve this issue, but how many others do?

I just wanted to highlight this issue (while some here are thinking in another way ....).
But securing websites (and NOT trusting providers) should be one of the highest priority.
Because nobody can trust hist provider, or webmaster, or admin.
And not everybody is such an expert like those who are thinking it is wasting time to put something somewhere (folders or htaccess).

Finally OC should be save - out of the box!

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by Qphoria » Wed Jan 13, 2010 4:49 am

Well thats what I'm saying. OpenCart should either use the htaccess to do it.. or use the index.php method in the core

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by Yakiv » Wed Jan 13, 2010 5:10 am

joomx wrote:But securing websites (and NOT trusting providers) should be one of the highest priority.
Because nobody can trust hist provider, or webmaster, or admin.
What I am saying is, chose another hosting company then. By default, when a shared hosting or a VPS is created, it should be automatically secured, as far as folders. The message: get another hosting company.

Active Member

Posts

Joined
Tue Dec 15, 2009 5:31 pm

Post by OSWorX » Wed Jan 13, 2010 5:39 am

Yakiv wrote:
joomx wrote:But securing websites (and NOT trusting providers) should be one of the highest priority.
Because nobody can trust hist provider, or webmaster, or admin.
What I am saying is, chose another hosting company then. By default, when a shared hosting or a VPS is created, it should be automatically secured, as far as folders. The message: get another hosting company.
Well I am really sorry, but i own actually more than 15 servers.
All of them are secure - none of them got hacked in the last 8 years.
I am my own 'hosting company' and my technicians know their job - very well.

What about you are talking should be normal!
But how many 'providers' (which not should wear this title!) are out there who do NOT know what they are doing?
Except putting customer on customer (x.xxx on each server) - while the environement itself is php 4.x, apache 1.x and NO additional security mods or something else.

We cannot expect that each customer is an expert and know exactly what he is buying (from the provider who is promising everything to get many customers).

Lets finish this discussion.

p.s.: I am always laughing when i look inside the SLA's of an provider (if he has this) and he promising an uptime of 99,9% ...
Did one of his costumers ever calculated what this really means??!!
Can only hope that nobody is hosting a shop on one of these servers!

Custom Development | Individuelle Entwicklung | Support & Bugfixes

Image Image Image


User avatar
Guru Member

Posts

Joined
Mon Jan 11, 2010 10:52 pm
Location - Austria

Post by Yakiv » Wed Jan 13, 2010 8:06 am

I got your point. I value your opinion.

Active Member

Posts

Joined
Tue Dec 15, 2009 5:31 pm
Who is online

Users browsing this forum: No registered users and 7 guests