ZenCart or OpenCart

I am debating between two open source shopping cart packages: OpenCart and ZenCart.

One of the things that I like about ZenCart is that it has many features free out of the box. Especially to add any number of attributes I want to a product.

Does OpenCart have product attributes out of the box?

Any other features in OpenCart that makes it a clear winner over ZenCart?

Thanks,
Chris

As a long time zencart user (from the start)... the parts that have always annoyed me about zen is that they are super popular but have such a terrible design team. The templates still reek of the old oscommerce templates and the controls are mixed in the admin, css, and tpl files so its impossible to get a good looking template. They have lots of built in features, but the admin menu is so mismanaged you can never find anything. OpenCart is definitely on the cusp of next Generation without going too far to a point where its slow. OpenCart is just over a year old and is already much faster, cleaner, and better looking than most other carts out there. After coming to OpenCart from ZenCart, I could never go back.

as far as the attributes. they are called options in opencart and you can have unlimited number of them. They are applied at the product level which can be good or bad. There are some cheap mods that offer more advanced options and global options.

I have tried Zen Cart, Cube Cart, osCommerce, and just about every single solitary service (like eCrater, Buyitsellit, Blujay, Bonanzle, etc). I can say without a doubt...without a doubt...that Opencart beats all the others hands down.

OK, some of y'all might be snickering because I've had a lot of questions about how to do certain things...and that's true. The thing I like about Opencart is that even though I've asked for help I've been able to figure a LOT of things out for myself without getting frustrated like I did with the others. In other words, I have uttered far less 4-letter words setting up my Opencart store. I like that and I know my husband appreciates it!

Opencart has a lot of nice modules, setup and store maintenance is really easy, the templates are nice as is but are pretty easy to modify if you need to, and the users here on the forums are extremely friendly and helpful. I just can't say enough good things about Opencart.

Not sure what the point in asking this was on a opencart forum? Best ask it at a neutral forum.

So to your question of course opencart i'm sure you didn't expect anything else.

Chris, I would recommend to stay away from any shopping cart "owned" by someone with ego problems... Especially if it compromises your website's security as described here:

http://blog.visionsource.org/2010/01/28 ... erability/

Also note that anyone who regularly uses words like "rubbish" to dismiss certain concerns, projects lack of confidence in his own knowledge.

The above is a general statement which doesn't mention any names but I have no doubt that it will be deleted (thereby justifying the above). That's fine with me since it's unlikely that the person deleting this posting will do so without reading it first...

The guy who sent me the email is an idiot. He seems to think he has found some great hack. the hack will not work unless the user is logged in and clicks a link that will redirect them to their own admin control panel.

http://searchsecurity.techtarget.com.au ... ry-attacks

Although browsers are the most common means to execute these attacks, the CSRF vulnerability is not solely limited to them. An attacker can just as easily embed attacks into any document that allows scripting, such as a Word document or Flash file. Given that individuals can do relatively little to protect themselves against these attacks, does the responsibility fall to vendors to fix this problem? There is always a case for browser and application vendors making their products more secure, but security must be balanced against usability. Would you really want to be forced to click "OK" every time you clicked on a link or "Submit" button? I think in this instance, website developers must assess the type of requests their applications are likely to process and implement authentication methods appropriate to the data or instructions in each of them.

bmaynard wrote:The information on the techtarget.com.au is so incorrect its not funny. A better article for to read about CSRF attacks is http://shiflett.org/articles/cross-site ... -forgeries which is by Chris Shiflett, a well respected php security professional.

Secunia, a large well trusted website in security has recognized the security flaw and has posted an advisory - http://secunia.com/advisories/38419/. It may be a less critical flaw but if you are not careful it is very easy for a hacker to create their own admin account.

I thank you for addressing the security flaw.
I also think that any security issue, even the smallest, should be taken care of.

I'm not sure how critical it is as a lot of stones has to fall in place to have it exposed.

For anyone who is interested, I have forked OpenCart and applied the security updates (I have also fixed an local file injection issue on windows machines). The project is located at: http://github.com/bmaynard/OpenCart-Secured

It is a pitty that you forked OC instead of sharing the code. No one will be able to upgrade from your version to the next OC version and keep your security fixes. As you state on your blog you will not upgrade the fork so whats the point of making one?

i2Paq wrote:It is a pitty that you forked OC instead of sharing the code. No one will be able to upgrade from your version to the next OC version and keep your security fixes. As you state on your blog you will not upgrade the fork so whats the point of making one?

What?

dbstr wrote:

i2Paq wrote:It is a pitty that you forked OC instead of sharing the code. No one will be able to upgrade from your version to the next OC version and keep your security fixes. As you state on your blog you will not upgrade the fork so whats the point of making one?

What?

Why fork and not share the fix instead.

bmaynard wrote:

i2Paq wrote:It is a pitty that you forked OC instead of sharing the code. No one will be able to upgrade from your version to the next OC version and keep your security fixes. As you state on your blog you will not upgrade the fork so whats the point of making one?

Not sure what you mean? I will be upgrading the fork to the latest version of OC for the foreseeable future. The code is shared, its on GitHub so anyone can download/view the source and see all the changes I have made.

Still, I think you should have shared your code instead of creating a fork.

bmaynard wrote:

i2Paq wrote:Still, I think you should have shared your code instead of creating a fork.

Do you mean share my code to fix the problem with Daniel? I offered to but he wasn't interested.

I mean that you should have shared it with this community as a Mod instead of a fork.

That fact that you did not like the way Daniel reacted on your discovery should not mean that the only way to get your "fix" is to use your fork.

http://github.com/bmaynard/OpenCart-Sec ... 5282a5d73d

There you go.

dbstr wrote:http://github.com/bmaynard/OpenCart-Sec ... 5282a5d73d

There you go.

Thanks!

bmaynard wrote:

i2Paq wrote:I mean that you should have shared it with this community as a Mod instead of a fork.

That fact that you did not like the way Daniel reacted on your discovery should not mean that the only way to get your "fix" is to use your fork.

That's a valid point, I think i decided to fork it as it I was asked in the comments to fork it in GitHub and I never thought about release it as an extension (mainly the changes are in the core files).

OK, I see and I'm glad you see my point.

If you release it as an extension you do not need to fork every next release to keep the fix in, you could just release an updated fix which would make you a contributor + the code would be where it should be: on these forums.
Second: you would get more credits for your work as more people would have acces to it, others could even finetune your code (if needed) so in the end we will all benefit

This CSRF security issue is in fact easy to fix. As Daniel has pointed out here, the problem can be mitigated by renaming the admin directory to something hackers would not know. (Doing so also safeguards the admin panel from a plethora of possible attacks and is a good practice.)

Though, as a popular open source software, I think OpenCart needs to either plug the hole or remind users to rename the admin directory.

wasabi wrote:This CSRF security issue is in fact easy to fix. As Daniel has pointed out here, the problem can be mitigated by renaming the admin directory to something hackers would not know. (Doing so also safeguards the admin panel from a plethora of possible attacks and is a good practice.)

Security through obscurity isn't exactly a good security practice, although it does add a slight impediment to a hackers attempts. I think looking at the possibility of using nonces (one time tokens) that are appended to forms on submission etc are a way to mitigate CSRF attacks (there are other methods as well - the wikipedia entry for CSRF is a good start for some ideas).

Maybe a solution needs to be considered after all, as a shopping cart needs good security in order to instill customer and user confidence.

Opps, it looks like my original post is leading people to think that renaming the admin truly fixes the problem, which is false and I apologize. In this case, however, obscurity does effectively discourage hackers to take advantage of the exploit. Regardless, I would still rename my admin to discourage various other hacking attempts. It also buys you time should a 0-day attack is discovered.

As to the fix, Ben Maynard has already proposed a solution that would add one time tokens, as you've mentioned, but the developer of OpenCart would only consider that as "wasting [his] time".

I am a long time user of Zen Cart and that is not totally free from hacker attacks, with new security vulnerabilities found on a regular basis.

After years of Zen I am finally making the move over to OpenCart now. The code is cleaner, the admin area is more practical and the built in guest checkout is a real gem.

Zen has served me well, but it is now a lumbering dinosaur that belongs in the past.

OpenCart rocks.!!

Hello everyone,

I'm certainly a Zen Cart stalwart but after seeing a link to an Open Cart store on a forum I use today my opinion was changed so I decided to download it and install on my test server.

Within 2 hours of seeing the code for the first time I managed to reskin it making quite a few changes to the layout, including removing the tabs and placing links back in the menu bar (my preference!).

I was amazed how easy this was when I figured out the masses of nested divs!

One solution will never fit every scenario so I can see Open Cart becoming my alternative choice to Zen for some projects.

I have some projects in Zen which use custom modules which could be a mammoth task to rewrite for Open Cart so I think i'll be working with both.

Here is what I produced within 2 hours of seeing the code!
http://tinyurl.com/y3vnllb

Matt