[Bradford] ZenCart and security patches

Martyn Ranyard ranyardm at gmail.com
Mon Feb 22 13:23:14 UTC 2010


Hi Alice,

  Therein lies the problem - time - when you're asked by a friend to "set
them up a website" (or in this case a webshop), you expect that getting the
latest version of the software and extracting it should include fixes for
all the known vulnerabilities - not going to the forums of that shop
software to identify 18 month-old bugs that haven't been fixed in the main
release.

  I don't actually use Drupal myself, but thanks for the note of the
integrated cart.

  The server is already Suhosin enabled and without taking time out to
ensure that all the sites work with full hardened php, I can't just install
that unfortunately.  Next time I get some spare time, I'll have a look at
mod_security, but the trouble with that (as with .htaccess rulesets that can
be drawn up to protect almost anything) is that with off-the-shelf products
such as zencart, drupal, joomla, osCommerce etc. you don't write them
yourself so don't know intimately what is used where.  I guess re-inventing
the wheel has certain benefits. :(

  As for proactively searching for vulnerabilities... not really what I'd
like to be doing with my spare time, what little of it I have, and really my
point (well okay, it wasn't really a point, more a rant) was that I
shouldn't have to be - hell the admin side of ZenCart has a magic button
saying "Check for new versions", click it and it says you have the latest
version.  That really should be enough, certainly not leaving you open to 19
month-old vulnerabilities.

--
Martyn

On 22 February 2010 11:36, Alice Kaerast <kaerast at computergentle.com> wrote:

>
> Whilst Drupal does have regular updates, they happen on a Wednesday
> evening and it's usually third-party modules rather than the core
> software itself.  And the modules are really easy to upgrade with a
> 'drush update' and you can clone and version Drupal sites if you use
> Aegir.
>
> Since you've mentioned Drupal, you might want to consider using
> Ubercart rather than Zencart.  I've not used either though, so wouldn't
> be able to give you any further advice here.
>
> You might also want to take a look at whether your server is as secure
> as it could be. Presuming you are running Apache, it's probably well
> worth considering using mod_security and a decent ruleset in order to
> protect potentially vulnerable scripts.  See also the hardened php
> project <http://www.hardened-php.net/hphp/a_feature_list.html> and
> also <http://www.securityfocus.com/infocus/1706> for an overview of
> securing php.
>
> If you've got the time and know what you're looking for then you could
> also proactively search for vulnerabilities yourself.
>
> Alice
>
> On Mon, 22 Feb 2010 11:06:45 +0000
> Martyn Ranyard <ranyardm at gmail.com> wrote:
>
> > Hi All,
> >
> >   Having been frustrated with numerous attacks against my VPS, I
> > thought I'd share something that really frustrates me (aside from the
> > constant firefighting):
> >
> >   Most hacks against sites come from having outdated web software
> > installed (see Drupal's constant updates as an example of this) so
> > when you find someone attacking your site, you often update all the
> > software, and have to fix templates etc. etc.  That's a fact of life
> > and something as a host you should build into the costs of hosting.
> >
> >   However, on this particular occasion, it was a ZenCart
> > vulnerability that was exploited on my VPS, and I was running the
> > latest version.  Well apparently when a new vulnerability is found in
> > ZenCart, they provide patches to the app -- in their forum -- and do
> > not release a minor version. EVEN when it is a major security
> > vulnerability.
> >
> >   I am not looking forward to this, but it appears I am now on the
> > lookout for an alternative to ZenCart, as any software that requires
> > me logging into the forum of the software to check for patches to the
> > current stable version is too much of a workload for me.  Does anyone
> > else think that this is a ridiculous state of affairs for a project?
> >
> >   Perhaps I'm just so jaded by having to repair this install 4 times
> > in as many months (I updated all the software to current, there
> > shouldn't be any vulnerabilities in current) that what others see as
> > reasonable I'm not seeing that way.
> >
> >   Anyway, rant over, back to the grind.
> >
> > --
> > Martyn
>
>
> _______________________________________________
> Bradford mailing list
> Bradford at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/bradford
>