
Archived

This topic is now archived and is closed to further replies.

flying_kites

Hostdime Announcement


Good Afternoon,

 

UPDATE: This email pertains to clients on Shared/Reseller servers who are currently using osCommerce.

 

We have seen a dramatic increase in attacks against osCommerce installations in recent months. There are several severe unpatched vulnerabilities for osCommerce. There has not been a stable release of osCommerce since January of 2008. The osCommerce project appears to be dead and it is reasonable to assume that the blaring security vulnerabilities in this software will not be patched by its developers. All versions of osCommerce have been confirmed to be vulnerable.

 

We have created mod_security rules to help mitigate these vulnerabilities for our shared and reseller accounts. This may protect your account for the time being, but these mitigations should not be relied on as a long term solution.

 

The only long term solution to ensure the safety of your site is to switch to another ecommerce CMS solution. An actively developed CMS ecommerce solution that you may want to consider is Magento:

www.magentocommerce.com

 

Magento supports similar functionality to osCommerce and is being actively developed and supported by its developers. The Magento Community Edition is free to download and is developed through an open source community.

 

Other solutions include Zencart which you can still install through your Fantastico interface. Zencart contains much of the same functionality of osCommerce, but it is still in active development.

 

For those absolutely unable to migrate to a different CMS, we recommend that you at least enable cPanel's folder protection system for your osCommerce admin/ directory. You can access this feature through your cPanel interface at: cPanel → Security → “Password Protect Directories”. You can simply select your “admin” directory and specify a username and password. This will protect you from the security bypass vulnerabilities present in the osCommerce software.

 

Beginning December 1, 2010 we are removing support for installing the osCommerce CMS through Fantastico on all of our shared/reseller servers. This will not affect clients who currently have osCommerce installed.

 

Thank you very much for your consideration and if you have any other questions and/or concerns, please feel free to let us know.

 

HostDime.com Management

189 S. Orange Ave

Suite 1500S

Orlando, FL, 32801

hostdime.com

+1(407)756-1126


Dear Hostdime.com,

 

In your near-sightedness you have failed to realize that there are new solutions being developed that address the security concerns of the current release.

 

Further, if you offer osCommerce through Fantastico for your hosting account customers, then you should take the initiative to use an already patched version of osCommerce.

 

Don't blame osCommerce for its shortfalls; the onus is on the user to ensure the site is secure until such a time that a patch is released via the solutions area.

 

Please feel free to ask for assistance in a patched cart should you need one to offer to your customers.

 

 

 

Chris


:|: Was this post helpful ? Click the LIKE THIS button :|:

 

See my Profile to learn more about add ons, templates, support plans and custom coding (click here)


Prior to this announcement, I had some talks with HostDime about their perceptions of osCommerce.

 

We pointed out to them that the security issue they refer to is a known bug and solutions were available on the forum. I specifically told them that users should rename the Admin folder and/or use an .htaccess file to protect Admin.

 

At the time they advised me that they had already decided to drop osCommerce from their Fantastico panel because they perceive the project as dead. Their definition of dead is no recent updates to the published code. (So better a bug-ridden, often-patched solution aka Magento than stable osCommerce?)

 

For me to publish a patch for this hack is to publish the hack itself i.e. give people instructions on how to hack the Admin. And therein lies the issue for anyone not on the osCommerce team.

 

The actual RC2a download needs to be patched and instructions given on how to upgrade existing installations. The patch is simple and should not take more than an hour to implement. So how about we get it done?

 

Because until osCommerce RC2a is patched, inexperienced users will continue to be hacked and continue to report it to their hosting companies, and this will just continue to generate bad press for osCommerce and result in the kind of action taken by Hostdime.

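Both HostDime's advice above (cPanel → Security → "Password Protect Directories" on the admin/ folder) and the suggestion in the post just above (rename the admin folder and/or protect it with an .htaccess file) come down to the same thing: HTTP Basic authentication in front of the directory, which Apache enforces before any osCommerce PHP runs, so an authentication bypass inside the application never gets reached. The script below is an added example written for this thread, not code from osCommerce, HostDime or cPanel. It generates the `.htaccess` and `.htpasswd` pair that such protection consists of, using Apache's `$apr1$` hash format (the default of `htpasswd` on Apache 2.2, the version current when this thread was written), implemented here so the script runs offline with only the standard library. The web root `/home/store/public_html`, the renamed admin directory `backoffice` and the password-file path `/home/store/.htpasswds/backoffice` are my assumptions, not values from the thread.

```python
"""Generate the .htaccess / .htpasswd pair that password-protects an
osCommerce admin directory with HTTP Basic authentication.

Added example for this thread, not osCommerce/HostDime/cPanel code.
Assumed (not from the thread): web root /home/store/public_html, the
admin directory renamed to 'backoffice', password file kept OUTSIDE the
web root at /home/store/.htpasswds/backoffice.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """md5crypt's custom base64: 6 bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_crypt(password: str, salt: str) -> str:
    """Apache APR1-MD5 password hash, i.e. the 'htpasswd -m' format."""
    if not (1 <= len(salt) <= 8) or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 chars from [./0-9A-Za-z]")
    pw, s = password.encode(), salt.encode()
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    n = len(pw)
    while n > 0:                       # mix in alt once per 16 bytes of password
        ctx.update(alt[: min(16, n)])
        n -= 16
    n = len(pw)
    while n:                           # one byte per bit of the password length
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):              # fixed 1000 stretching rounds
        r = hashlib.md5()
        r.update(pw if i & 1 else final)
        if i % 3:
            r.update(s)
        if i % 7:
            r.update(pw)
        r.update(final if i & 1 else pw)
        final = r.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def new_salt() -> str:
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def htpasswd_line(user: str, password: str, salt: str = "") -> str:
    """One line of .htpasswd: user:$apr1$salt$hash (fresh random salt by default)."""
    return f"{user}:{apr1_crypt(password, salt or new_salt())}"


def verify(entry: str, user: str, password: str) -> bool:
    """Check user/password against one .htpasswd line (constant-time compare)."""
    name, _, stored = entry.partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_crypt(password, salt), stored)


def htaccess(auth_file: str, realm: str = "Store administration") -> str:
    """.htaccess body for the protected directory (Apache 2.2 syntax)."""
    return (
        "AuthType Basic\n"
        f'AuthName "{realm}"\n'
        f"AuthUserFile {auth_file}\n"
        "Require valid-user\n"
    )


if __name__ == "__main__":
    # Assumed paths; adjust to the account's real layout.
    print("# /home/store/.htpasswds/backoffice")
    print(htpasswd_line("shopadmin", "use a long passphrase here"))
    print("# /home/store/public_html/backoffice/.htaccess")
    print(htaccess("/home/store/.htpasswds/backoffice"))
```

Two practical points the thread does not spell out: Basic authentication sends the username and password (base64-encoded, not encrypted) with every request, so the protected admin URL should only be used over HTTPS; and the `AuthUserFile` must be an absolute path outside the document root so the hash file itself is never served. cPanel's "Password Protect Directories" feature writes an equivalent `.htaccess` and password file for you; doing it by hand as above is the same mechanism and works on any Apache host, including after renaming the admin directory.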

V2.3 is the patched version. It can be found on GITHUB for download. Although, there may still be a few changes before 2.3 becomes a final release in the 2.x series, it pretty much covers all known issues with RC2a.

 

 

Chris




At the time they advised me that they had already decided to drop osCommerce from their Fantastico panel because they perceive the project as dead. Their definition of dead is no recent updates to the published code.

Exactly what I've been complaining about here for ages. It doesn't matter that a patched version is available on github, the version that might eventually see the light of day as 2.3 (I'm not holding my breath). The only thing that counts in the court of public opinion is a reasonably steady stream of officially released versions, available for download on the Website > Solutions > Downloads tab on this page. But no-o-o-o-o-o, we stay at one Release Candidate for almost three years! I'm sorry, but Harald and his crew have killed osCommerce by not knowing how to run releases. Until 2.3 and 3.0 Golds come out (if they ever do), more and more packagers are going to follow Hostdime's example and drop osC in favor of something perceived to be actively supported. I wouldn't be surprised to hear of Fantastico itself dropping osC! I wouldn't blame them.

 

Because until osCommerce RC2a is patched, inexperienced users will continue to be hacked and continue to report it to their hosting companies, and this will just continue to generate bad press for osCommerce and result in the kind of action taken by Hostdime.

Yep. Inexperienced users and those relying on Third Party packagers will continue to use 2.2 RC2a and won't have any idea that lots of security patches need to be applied. This can only give osC a worse and worse reputation. 2.2 Gold should have been released within a few months of 2.2 RC2a, and work started on 2.3.


V2.3 is the patched version. It can be found on GITHUB for download. Although, there may still be a few changes before 2.3 becomes a final release in the 2.x series, it pretty much covers all known issues with RC2a.

 

 

Chris

 

V2.3? Really? I guess we'd all like to know when ...


Kym

Projects Director @ ozEworks.com


Yep. Inexperienced users and those relying on Third Party packagers will continue to use 2.2 RC2a and won't have any idea that lots of security patches need to be applied. This can only give osC a worse and worse reputation. 2.2 Gold should have been released within a few months of 2.2 RC2a, and work started on 2.3.

I question the comment about lots of security patches. That is just playing the message that RC2a is insecure which apart from the Admin issues I don't think is at all true.

 

But worse that what you mention is that you have companies like TemplateMonster selling old osCommerce templates that still use MS2.2. And let's not even start on how badly the designs have been integrated into the code ...


Kym

Projects Director @ ozEworks.com


OK so here is the github link for what as of 8 September 2010 is now called 2.3.

 

http://github.com/osCommerce/oscommerce2/tree/master/catalog/

 

Seems like there are a lot of (recent) changes that don't appear to be related to patching bugs, such as "Integrate the 960 Grid System CSS framework into the core template: Replace contentHeading CSS definition with h2".

 

Would it not be better to just get this version out there?


Kym

Projects Director @ ozEworks.com


OK so here is the github link for what as of 8 September 2010 is now called 2.3.

 

http://github.com/osCommerce/oscommerce2/tree/master/catalog/

 

Seems like there are a lot of (recent) changes that don't appear to be related to patching bugs, such as "Integrate the 960 Grid System CSS framework into the core template: Replace contentHeading CSS definition with h2".

 

Would it not be better to just get this version out there?

 

Since I installed osC about 2 months ago I have read posts in this forum every day and applied all contribs, etc. on the pinned osC security thread. Before I spend much more of my time/effort adding items to my osC store, etc., should I now go look for another free e-commerce solution available from my web host (or another web host)? I am currently running v2.2 RC2a, with all the contribs/patches as far as I know. This thread has me concerned that using osC was not such a good idea, since it sounds like osC is not being actively supported (in 2 years!) for security. And finding/applying contribs has been haphazard at best, at least for me. I'm not complaining, as I know there are many in this forum that actively contribute to the security of osC, and they are to be commended. But I was initially under the impression that osC was being actively supported by a large development community and that security patches would be regularly posted. Now I'm not so sure that is the case :( I hope I'm wrong, but this thread has me concerned as I am beginning to spend a lot of time and effort developing my osC store, and I'd prefer it not be time wasted if osC is dying a slow death as far as future development.... Thanks.


Since I installed osC about 2 months ago I have read posts in this forum every day and applied all contribs, etc. on the pinned osC security thread. Before I spend much more of my time/effort adding items to my osC store, etc., should I now go look for another free e-commerce solution available from my web host (or another web host)? I am currently running v2.2 RC2a, with all the contribs/patches as far as I know. This thread has me concerned that using osC was not such a good idea, since it sounds like osC is not being actively supported (in 2 years!) for security. And finding/applying contribs has been haphazard at best, at least for me. I'm not complaining, as I know there are many in this forum that actively contribute to the security of osC, and they are to be commended. But I was initially under the impression that osC was being actively supported by a large development community and that security patches would be regularly posted. Now I'm not so sure that is the case :( I hope I'm wrong, but this thread has me concerned as I am beginning to spend a lot of time and effort developing my osC store, and I'd prefer it not be time wasted if osC is dying a slow death as far as future development.... Thanks.

You couldn't be more wrong. The problem is that the hosting providers wanted to provide a commercial e-commerce solution to their customers but did not want to pay anything for it so they used an open source solution, and provided no support for it. Then, the get rich quick kiddies never used the Support button in the admin section until it was too late, or not at all.

 

It is all due to the hosting providers market competition...

 

If you are here then you are getting the support you need and will know in a timely manner when the next release comes out.


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


RC2a is a good solution and if you have kept it patched then you have nothing to be concerned about.

 

There is no open source solution that does not require updates. osCommerce is one of the few that require updates only about once a year. Others are monthly. Look at Magento release log and you can see that. Worst culprit of course is WordPress - that almost feels like weekly!

 

And let's not forget that osCommerce does not present itself as a package like Magento and Zen Cart do. osCommerce is a building block for an eCommerce solution. You take it and you customize both its design and functionality to build a unique solution. It is not a cookie cutter.

 

The sooner V2.3 comes out to kill all this "project is dead" talk the better.

 

And by the way, the Fantastico osCommerce installation is "osCommerce MS2.2 RC2a + BUYSAFE" version. I am not even sure where that comes from and who is responsible for keeping it patched. Anyone know?


Kym

Projects Director @ ozEworks.com


Seems like here are a lot of (recent) changes that don't appear to be related to patching bugs such as "Integrate the 960 Grid System CSS framework into the core template: Replace contentHeading CSS definition with h2"

 

Would it not be better to just get this verison out there?

Quite definitely. That's exactly my complaint about 2.2 Gold not being released years ago. I don't care whether Harald & Co. want to gild the lily with updating the 2.x stream to change to CSS-driven layout and a more modular code design, but that should have waited for the 2.3 cycle, after 2.2 was finalized with all the known security and stability problems fixed (and maybe the PHP 5.3 and MySQL 5 problems fixed too). It's up to them how many enhancements and new features should go into the 2.x stream, but 2.2 should have been out there long ago. It's criminal how they keep pushing back 2.3 (what should have been 2.2 Gold) to cram more stuff into it, the "final release". That's not the way to manage a product!


I agree. 2.2 should only be patched for security issues.

 

Keep other changes for V3.


Kym

Projects Director @ ozEworks.com


One thing to consider in all of this nonsense is that Fantastico is very bad at keeping patches and security updates on the scripts it offers.

 

Softaculous seems to be far more proactive in relation to this, and hosts can quite easily add their own patched or v2.3 copy to it. I think it's more that Fantastico is near dead, not osCommerce.


I agree. 2.2 should only be patched for security issues.

 

Keep other changes for V3.

 

 

I'll second that. My big concern is that the new CSS-driven layout and top/bottom templates is going to make a significant percentage of add-ons incompatible with their current instructions, and some popular ones (like Simple Multi-Images w/ Fancy Popups for example) that are no longer supported by the original creator will become orphaned.

 

It's already hard enough for new users to figure out what add-ons to install. This is going to unnecessarily complicate things a lot.

