[Bradford] ZenCart and security patches

Alice Kaerast kaerast at computergentle.com
Mon Feb 22 11:36:40 UTC 2010


Whilst Drupal does have regular updates, they happen on a Wednesday
evening and it's usually third-party modules rather than the core
software itself.  And the modules are really easy to upgrade with a
'drush update' and you can clone and version Drupal sites if you use
Aegir.

Since you've mentioned Drupal, you might want to consider using
Ubercart rather than ZenCart.  I've not used either though, so wouldn't
be able to give you any further advice here.

You might also want to take a look at whether your server is as secure
as it could be. Presuming you are running Apache, it's probably well
worth considering using mod_security and a decent ruleset in order to
protect potentially vulnerable scripts.  See also the Hardened-PHP
project <http://www.hardened-php.net/hphp/a_feature_list.html> and
also <http://www.securityfocus.com/infocus/1706> for an overview of
securing PHP.

If you've got the time and know what you're looking for then you could
also proactively search for vulnerabilities yourself.

Alice




On Mon, 22 Feb 2010 11:06:45 +0000
Martyn Ranyard <ranyardm at gmail.com> wrote:

> Hi All,
> 
>   Having been frustrated with numerous attacks against my VPS, I
> thought I'd share something that really frustrates me (aside from the
> constant firefighting):
> 
>   Most hacks against sites come from having outdated web software
> installed (see Drupal's constant updates as an example of this) so
> when you find someone attacking your site, you often update all the
> software, and have to fix templates etc. etc.  That's a fact of life
> and something as a host you should build into the costs of hosting.
> 
>   However, on this particular occasion, it was a ZenCart
> vulnerability that was exploited on my VPS, and I was running the
> latest version.  Well apparently when a new vulnerability is found in
> ZenCart, they provide patches to the app -- in their forum -- and do
> not release a minor version. EVEN when it is a major security
> vulnerability.
> 
>   I am not looking forward to this, but it appears I am now on the
> lookout for an alternative to ZenCart, as any software that requires
> me logging into the forum of the software to check for patches to the
> current stable version is too much of a workload for me.  Does anyone
> else think that this is a ridiculous state of affairs for a project?
> 
>   Perhaps I'm just so jaded by having to repair this install 4 times
> in as many months (I updated all the software to current, there
> shouldn't be any vulnerabilities in current) that what others see as
> reasonable I'm not seeing that way.
> 
>   Anyway, rant over, back to the grind.
> 
> --
> Martyn
