Hi Alice,<div><br></div><div> Therein lies the problem - time - when you're asked by a friend to "set them up a website" (or in this case a webshop), you expect that getting the latest version of the software and extracting it should include fixes for all the known vulnerabilities - not going to the forums of that shop software to identify 18-month-old bugs that haven't been fixed in the main release.</div>
<div><br></div><div> I don't actually use Drupal myself, but thanks for the note about the integrated cart.</div><div><br></div><div> The server is already Suhosin enabled, and without taking time out to ensure that all the sites work with full hardened PHP, I can't just install that, unfortunately. Next time I get some spare time, I'll have a look at mod_security, but the trouble with that (as with .htaccess rulesets that can be drawn up to protect almost anything) is that with off-the-shelf products such as ZenCart, Drupal, Joomla, osCommerce etc., you don't write them yourself and so don't know intimately what is used where. I guess re-inventing the wheel has certain benefits. :(</div>
<div><br></div><div> As for proactively searching for vulnerabilities... not really what I'd like to be doing with my spare time, what little of it I have, and really my point (well okay, it wasn't really a point, more a rant) was that I shouldn't have to be - hell, the admin side of ZenCart has a magic button saying "Check for new versions"; click it and it says you have the latest version. That really should be enough, certainly not leaving you open to 19-month-old vulnerabilities.</div>
<div><br></div><div>--</div><div>Martyn</div><div><br><div class="gmail_quote">On 22 February 2010 11:36, Alice Kaerast <span dir="ltr"><<a href="mailto:kaerast@computergentle.com">kaerast@computergentle.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br>
Whilst Drupal does have regular updates, they happen on a Wednesday<br>
evening and it's usually third-party modules rather than the core<br>
software itself. And the modules are really easy to upgrade with a<br>
'drush update' and you can clone and version Drupal sites if you use<br>
Aegir.<br>
<br>
Since you've mentioned Drupal, you might want to consider using<br>
Ubercart rather than Zencart. I've not used either though, so wouldn't<br>
be able to give you any further advice here.<br>
<br>
You might also want to take a look at whether your server is as secure<br>
as it could be. Presuming you are running Apache, it's probably well<br>
worth considering using mod_security and a decent ruleset in order to<br>
protect potentially vulnerable scripts. See also the hardened php<br>
project <<a href="http://www.hardened-php.net/hphp/a_feature_list.html" target="_blank">http://www.hardened-php.net/hphp/a_feature_list.html</a>> and<br>
also <<a href="http://www.securityfocus.com/infocus/1706" target="_blank">http://www.securityfocus.com/infocus/1706</a>> for an overview of<br>
securing php.<br>
<br>
If you've got the time and know what you're looking for then you could<br>
also proactively search for vulnerabilities yourself.<br>
<br>
Alice<br>
<div><div></div><div class="h5"><br>
<br>
<br>
<br>
On Mon, 22 Feb 2010 11:06:45 +0000<br>
Martyn Ranyard <<a href="mailto:ranyardm@gmail.com">ranyardm@gmail.com</a>> wrote:<br>
<br>
> Hi All,<br>
><br>
> Having been frustrated with numerous attacks against my VPS, I<br>
> thought I'd share something that really frustrates me (aside from the<br>
> constant firefighting) :<br>
><br>
> Most hacks against sites come from having outdated web software<br>
> installed (see Drupal's constant updates as an example of this) so<br>
> when you find someone attacking your site, you often update all the<br>
> software, and have to fix templates etc. etc. That's a fact of life<br>
> and something as a host you should build into the costs of hosting.<br>
><br>
> However, on this particular occasion, it was a ZenCart<br>
> vulnerability that was exploited on my VPS, and I was running the<br>
> latest version. Well apparently when a new vulnerability is found in<br>
> ZenCart, they provide patches to the app -- in their forum -- and do<br>
> not release a minor version. EVEN when it is a major security<br>
> vulnerability.<br>
><br>
> I am not looking forward to this, but it appears I am now on the<br>
> lookout for an alternative to ZenCart, as any software that requires<br>
> me logging into the forum of the software to check for patches to the<br>
> current stable version is too much of a workload for me. Does anyone<br>
> else think that this is a ridiculous state of affairs for a project?<br>
><br>
> Perhaps I'm just so jaded by having to repair this install 4 times<br>
> in as many months (I updated all the software to current, there<br>
> shouldn't be any vulnerabilities in current) that what others see as<br>
> reasonable I'm not seeing that way.<br>
><br>
> Anyway, rant over, back to the grind.<br>
><br>
> --<br>
> Martyn<br>
<br>
<br>
</div></div>_______________________________________________<br>
Bradford mailing list<br>
<a href="mailto:Bradford@mailman.lug.org.uk">Bradford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/bradford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/bradford</a><br>
</blockquote></div><br></div>