One of the things that I like about ZenCart is that it has many features free out of the box, especially being able to add any number of attributes I want to a product.
Does OpenCart have product attributes out of the box?
Any other features in OpenCart that make it a clear winner over ZenCart?
Thanks,
Chris
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
OK, some of y'all might be snickering because I've had a lot of questions about how to do certain things...and that's true. The thing I like about Opencart is that even though I've asked for help I've been able to figure a LOT of things out for myself without getting frustrated like I did with the others. In other words, I have uttered far fewer 4-letter words setting up my Opencart store. I like that and I know my husband appreciates it!
Opencart has a lot of nice modules, setup and store maintenance is really easy, the templates are nice as is but are pretty easy to modify if you need to, and the users here on the forums are extremely friendly and helpful. I just can't say enough good things about Opencart.
Days Gone By Antiques & Collectibles
FREE Continental US Shipping! Great gift ideas for ANY time of year!
http://blog.visionsource.org/2010/01/28 ... erability/
Also note that anyone who regularly uses words like "rubbish" to dismiss certain concerns projects a lack of confidence in his own knowledge.
The above is a general statement which doesn't mention any names but I have no doubt that it will be deleted (thereby justifying the above). That's fine with me since it's unlikely that the person deleting this posting will do so without reading it first...
http://searchsecurity.techtarget.com.au ... ry-attacks
Although browsers are the most common means to execute these attacks, the CSRF vulnerability is not solely limited to them. An attacker can just as easily embed attacks into any document that allows scripting, such as a Word document or Flash file. Given that individuals can do relatively little to protect themselves against these attacks, does the responsibility fall to vendors to fix this problem? There is always a case for browser and application vendors making their products more secure, but security must be balanced against usability. Would you really want to be forced to click "OK" every time you clicked on a link or "Submit" button? I think in this instance, website developers must assess the type of requests their applications are likely to process and implement authentication methods appropriate to the data or instructions in each of them.
OpenCart®
Project Owner & Developer.
I thank you for addressing the security flaw.
bmaynard wrote:
The information on techtarget.com.au is so incorrect it's not funny. A better article to read about CSRF attacks is http://shiflett.org/articles/cross-site ... -forgeries, which is by Chris Shiflett, a well respected PHP security professional.
Secunia, a large, well trusted website in security, has recognized the security flaw and has posted an advisory - http://secunia.com/advisories/38419/. It may be a less critical flaw, but if you are not careful it is very easy for a hacker to create their own admin account.
I also think that any security issue, even the smallest, should be taken care of.
I'm not sure how critical it is, as a lot of stones have to fall into place to have it exposed.
It is a pity that you forked OC instead of sharing the code. No one will be able to upgrade from your version to the next OC version and keep your security fixes. As you state on your blog you will not upgrade the fork, so what's the point of making one?
For anyone who is interested, I have forked OpenCart and applied the security updates (I have also fixed a local file injection issue on Windows machines). The project is located at: http://github.com/bmaynard/OpenCart-Secured
Norman in 't Veldt
Moderator OpenCart Forums
_________________ READ and Search BEFORE POSTING _________________
Our FREE search: Find your answer FAST!.
[How to] BTW + Verzend + betaal setup.
What?
i2Paq wrote:
It is a pity that you forked OC instead of sharing the code. No one will be able to upgrade from your version to the next OC version and keep your security fixes. As you state on your blog you will not upgrade the fork, so what's the point of making one?
Request Reviews v1.0 released.
Why fork and not share the fix instead?
dbstr wrote:
What?
i2Paq wrote:
It is a pity that you forked OC instead of sharing the code. No one will be able to upgrade from your version to the next OC version and keep your security fixes. As you state on your blog you will not upgrade the fork, so what's the point of making one?
Norman in 't Veldt
Moderator OpenCart Forums
Still, I think you should have shared your code instead of creating a fork.
bmaynard wrote:
Not sure what you mean? I will be upgrading the fork to the latest version of OC for the foreseeable future. The code is shared, it's on GitHub so anyone can download/view the source and see all the changes I have made.
i2Paq wrote:
It is a pity that you forked OC instead of sharing the code. No one will be able to upgrade from your version to the next OC version and keep your security fixes. As you state on your blog you will not upgrade the fork, so what's the point of making one?
Norman in 't Veldt
Moderator OpenCart Forums
I mean that you should have shared it with this community as a Mod instead of a fork.
The fact that you did not like the way Daniel reacted to your discovery should not mean that the only way to get your "fix" is to use your fork.
bmaynard wrote:
Do you mean share my code to fix the problem with Daniel? I offered to but he wasn't interested.
i2Paq wrote:
Still, I think you should have shared your code instead of creating a fork.
Norman in 't Veldt
Moderator OpenCart Forums
Thanks!
Norman in 't Veldt
Moderator OpenCart Forums
OK, I see, and I'm glad you see my point.
If you release it as an extension you do not need to fork every next release to keep the fix in; you could just release an updated fix, which would make you a contributor, and the code would be where it should be: on these forums.
Second: you would get more credit for your work as more people would have access to it, and others could even fine-tune your code (if needed), so in the end we will all benefit.
bmaynard wrote:
That's a valid point. I think I decided to fork it as I was asked in the comments to fork it on GitHub, and I never thought about releasing it as an extension (mainly the changes are in the core files).
i2Paq wrote:
I mean that you should have shared it with this community as a Mod instead of a fork.
The fact that you did not like the way Daniel reacted to your discovery should not mean that the only way to get your "fix" is to use your fork.
Norman in 't Veldt
Moderator OpenCart Forums
Though, as popular open source software, I think OpenCart needs to either plug the hole or remind users to rename the admin directory.
Security through obscurity isn't exactly a good security practice, although it does add a slight impediment to a hacker's attempts. I think looking at the possibility of using nonces (one-time tokens) that are appended to forms on submission etc. is a way to mitigate CSRF attacks (there are other methods as well - the Wikipedia entry for CSRF is a good start for some ideas).
Maybe a solution needs to be considered after all, as a shopping cart needs good security in order to instill customer and user confidence.
wasabi wrote:
This CSRF security issue is in fact easy to fix. As Daniel has pointed out here, the problem can be mitigated by renaming the admin directory to something hackers would not know. (Doing so also safeguards the admin panel from a plethora of possible attacks and is a good practice.)
Currently unavailable for freelance work and consulting.
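The one-time-token mitigation discussed above, as an added example in plain PHP that is not OpenCart's own code (the function names, the `csrf_token` field and the session layout are assumptions made here):

```php
<?php
// Added example, not OpenCart's own code: a per-session, one-time anti-CSRF
// token for an admin form, the "nonce" approach the post above suggests.
// Assumes PHP 7+ with sessions enabled; all names here are hypothetical.
session_start();

// Issue a fresh token for each rendered form and remember it server-side.
function csrf_issue_token(): string
{
    $token = bin2hex(random_bytes(32));
    // Keep every outstanding token so several open admin tabs still work.
    $_SESSION['csrf_tokens'][$token] = time();
    return $token;
}

// Accept a submitted token exactly once, then discard it.
function csrf_check_token(?string $submitted, int $max_age = 900): bool
{
    if ($submitted === null || empty($_SESSION['csrf_tokens'])) {
        return false;
    }
    $valid = false;
    foreach ($_SESSION['csrf_tokens'] as $token => $issued) {
        if (time() - $issued > $max_age) {
            unset($_SESSION['csrf_tokens'][$token]);   // expired, drop it
        } elseif (!$valid && hash_equals((string) $token, $submitted)) {
            unset($_SESSION['csrf_tokens'][$token]);   // one-time use
            $valid = true;
        }
    }
    return $valid;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Reject the state change before touching any model or database code.
    if (!csrf_check_token($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token; nothing was changed.');
    }
    // ... only here perform the privileged action, e.g. creating an admin user.
    exit('Admin user created.');
}

// GET: render the form with the token in a hidden field (escaped for HTML).
$token = htmlspecialchars(csrf_issue_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="text" name="username"> <button type="submit">Add user</button>'
   . '</form>';
```

The same check has to sit in front of every state-changing admin request, and it complements rather than replaces renaming the admin directory.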
As to the fix, Ben Maynard has already proposed a solution that would add one time tokens, as you've mentioned, but the developer of OpenCart would only consider that as "wasting [his] time".
After years of Zen I am finally making the move over to OpenCart now. The code is cleaner, the admin area is more practical and the built in guest checkout is a real gem.
Zen has served me well, but it is now a lumbering dinosaur that belongs in the past.
OpenCart rocks!!
I'm certainly a Zen Cart stalwart but after seeing a link to an Open Cart store on a forum I use today my opinion was changed so I decided to download it and install on my test server.
Within 2 hours of seeing the code for the first time I managed to reskin it making quite a few changes to the layout, including removing the tabs and placing links back in the menu bar (my preference!).
I was amazed how easy this was when I figured out the masses of nested divs!
One solution will never fit every scenario so I can see Open Cart becoming my alternative choice to Zen for some projects.
I have some projects in Zen which use custom modules which could be a mammoth task to rewrite for Open Cart, so I think I'll be working with both.
Here is what I produced within 2 hours of seeing the code!
http://tinyurl.com/y3vnllb
Matt