Shopping cart other than OSCommerce?

Jerry freebsd.user at seibercom.net
Tue Dec 7 22:04:48 UTC 2010


On Tue, 07 Dec 2010 15:32:06 -0600
Jorge Biquez <jbiquez at intranet.com.mx> articulated:

> At 03:01 p.m. 07/12/2010, Chuck Swiger wrote:
> >On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote:
> > > With a provider where I had a dedicated server, not running
> > > FreeBSD, the entire server was hacked and before leaving them, the
> > > tech support people said that the hacking was because of a problem
> > > with some libraries under PHP AND OSCOMMERCE. They never could
> > > prove that but I left them since the entire server was hacked, not
> > > information stolen but ONLY that all web pages (.html, .php)
> > > were changed, all under different domains and accounts
> > > jailed (?) using cPanel. Anyway. I am not sure how vulnerable
> > > osCommerce is to that since I know it is very popular but I would
> > > like to test something else.
> >
> >30 seconds with a Google search suggests that osCommerce has 
> >unpatched security vulnerabilities which do lead to compromise of 
> >admin and arbitrary PHP code execution:
> >
> >   http://secunia.com/advisories/product/1308/
> >
> >"Affected By    7 Secunia advisories
> >                 44 Vulnerabilities
> >
> >Unpatched       29% (2 of 7 Secunia advisories)
> >
> >Most Critical Unpatched
> >The most severe unpatched Secunia advisory affecting osCommerce 2.x, 
> >with all vendor patches applied, is rated Highly critical."
> >
> >   http://secunia.com/advisories/33446/
> >
> >"1) The application allows users to perform certain actions via HTTP 
> >requests without performing any validity checks to verify the 
> >requests. This can be exploited to e.g. create additional 
> >administrator accounts by tricking an administrative user into 
> >visiting a malicious web site.
> >
> >2) An error in the authentication mechanism can be exploited to 
> >bypass authentication checks and gain access to the administrative 
> >interface in the "admin/" folder.
> >
> >Successful exploitation allows to upload and execute arbitrary PHP 
> >code e.g. via the file_manager.php script."
> >
> >In other words, your former site's tech support people were likely 
> >right-- the site was almost certainly hacked because of 
> >osCommerce.  Find something else, preferably something which is not 
> >based upon PHP.
> 
> Thanks for the time and rapid response, Mr. Chuck.
> 
> Yes. Seems like the guilty one was osCommerce. I am looking exactly
> for another option, as you say maybe not a PHP one, and that's why I
> asked for advice based on the experiences of what people are using. I
> am looking for a Python option also. My needs are very simple, even a
> catalog of products without the shopping cart will be enough. I am
> also looking at options that let you add modules. I want to continue
> using FreeBSD, continue learning and also solve a personal need.
>   Of course the idea is not to start a war between PHP lovers and any
> other language, but options and suggestions are very welcome. Anyway.
> I will continue searching. And when I find the solution I will post it
> here, maybe it could be of help to someone.
> 
> By the way. It is great to receive advice from people like you all
> guys. I have been on the list for several years and I always learn
> something, always.

Seriously, have you tried Googling for a potential solution? I just
spent a few minutes and found several candidates.

-- 
Jerry ✌
FreeBSD.user at seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__________________________________________________________________
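The first issue in the Secunia text quoted above (a state-changing admin action accepted from any HTTP request, so a malicious page can submit it on behalf of a logged-in admin, i.e. cross-site request forgery) is the kind of bug that is easiest to see side by side with its fix. The script below is an added example written for this page, not osCommerce's code or the advisory's exploit: the function names, the session and request arrays, and the "create admin" action are all constructed here so it runs from the command line with no web server. It assumes PHP 7.0 or later for `random_bytes` and `hash_equals`.

```php
<?php
declare(strict_types=1);

// Added example (not osCommerce code). A vulnerable admin action that acts
// on any POST from a logged-in browser, beside a hardened version that binds
// a secret token to the session and requires it on every state-changing
// request. Sessions and requests are plain arrays so this runs offline.
// Assumes PHP 7.0+ (random_bytes, hash_equals).

/** Vulnerable: trusts any POST as long as the browser carries an admin session. */
function createAdminVulnerable(array $post, array $session, array &$admins): bool
{
    if (empty($session['admin_logged_in'])) {
        return false;                      // not authenticated at all
    }
    $admins[] = $post['username'];         // no proof the admin intended this request
    return true;
}

/** Issue a fresh unguessable token and remember it in the session. */
function issueCsrfToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/** Hardened: same action, but only via POST and only with the session's token. */
function createAdminHardened(string $method, array $post, array $session, array &$admins): bool
{
    if (empty($session['admin_logged_in'])) {
        return false;
    }
    if ($method !== 'POST') {
        return false;                      // a GET (e.g. <img src=...>) must never mutate state
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = (string) ($post['csrf_token'] ?? '');
    // hash_equals is constant-time; a plain === could leak the token through timing.
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        return false;                      // missing or wrong token: reject
    }
    $admins[] = $post['username'];
    return true;
}

// Constructed scenario: an admin is logged in and the legitimate form has
// embedded the session token; a malicious page then auto-submits its own form,
// which carries the admin's session cookie but cannot know the token.
$session = ['admin_logged_in' => true];
$token   = issueCsrfToken($session);

$forgedPost = ['username' => 'backdoor'];                         // attacker's form: no token
$legitPost  = ['username' => 'newadmin', 'csrf_token' => $token]; // real form: token present

$admins = [];
$results = [
    'vulnerable handler, forged request' => createAdminVulnerable($forgedPost, $session, $admins),
    'hardened handler, forged request'   => createAdminHardened('POST', $forgedPost, $session, $admins),
    'hardened handler, legitimate form'  => createAdminHardened('POST', $legitPost, $session, $admins),
    'hardened handler, GET with token'   => createAdminHardened('GET', $legitPost, $session, $admins),
];

foreach ($results as $case => $created) {
    printf("%-36s %s\n", $case . ':', $created ? 'admin created' : 'rejected');
}
printf("admin accounts now: %s\n", implode(', ', $admins));
```

Run it with `php` from a shell. The forged request goes through the vulnerable handler because the browser attaches the admin's session cookie automatically; the hardened handler rejects it, accepts the genuine form that carries the token, and refuses a GET even with a valid token. In a real application the token is emitted as a hidden field in every state-changing form and checked by every handler that writes, not just the one shown; this addresses only the first issue in the advisory text, not the separate authentication bypass it also describes.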