VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Comments about VP-ASP
 A better way of dealing with security updates
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Neilt
Starting Member

44 Posts

Posted - April 15 2008 :  10:18:20  Show Profile  Reply with Quote
I'm generally a big fan of vpasp but the way in which security patches have been handled lately is letting you down.

Prior to today all patches were listed so that it was fairly easy to find what changes needed applying.

Now we are supposed to download patches, but there is no indication of what the most recent changes are.

e.g. for v6.5 I was up to date as of yesterday (paypalresult.asp changes) but am not clear what - if any - other changes have been made since then.

The readme is headed 19th February, has a filedate of 28th March, but was issued on 15th April. In addition several of the files included in the patch have dates that are later than 19th February.

To compound this, filedates and comments within the files don't tie up. e.g. shopcustomerform.asp is dated 14/4/2008 and yet a search for 'security' within the file only shows 2 entries from February.

I was up to date yesterday. What do I need to do today?

I appreciate the efforts to maintain security, but there seems little thought towards making it easy - and minimising the time taken - for customers to implement the corrections to security loopholes.

Please can you improve your communication.

Thank you.

Neilt
Starting Member

44 Posts

Posted - April 15 2008 :  11:27:05  Show Profile  Reply with Quote
This was trigged by visiting the admin home page for a version 5.5 site. I was advised that a 'critical update was required'. On closer inspection this referred to versions 6 and 6.5.

However when I log into our version 6.5 site there is no such 'urgent' message just a neutral "read more about security measures at.."

I - and our client - just find the inconsistencies and inaccuracies unnecessarily confusing. e.g. to date there has been no email received advising us of this critical action...
Go to Top of Page

Steve2507
VP-ASP Expert

590 Posts

Posted - April 15 2008 :  11:44:08  Show Profile  Reply with Quote
That's strange, because our 6.5 site had the message on it this morning.

Let's be fair Neilt, the guys at VP are in a catch 22 situation. If they announce more details of patchs and security measures it makes it easier for the hackers, but makes it more difficult for us (I have 6 sites to update with 4 more in production so I feel your pain).

Lets take the scenario that they give even more details and the hackers life becomes easier, you will then start to complain that you are being hacked, which will mean that you have to do even more updates and get annoyed again, or worse you have some very late nights patching your sites after the hackers have struck.

I agree that the current situation is not the best but I firmly believe VP are doing their best (now where's my commission?).

VP support - how about this for a suggestion? You have probably had a number of users (myself included) contact you regarding hackers and patching (thank you again for the help). You can therefore build up a list of people who are most vunerable to the hacker (i.e. those that have been hit and so are on the hackers hit list), why not create a mailing list of these people and then if you need to send out an urgent update you can contact them directly as well as use the standard method. The email could then contain a little more information as Neilt wants.

There is one error in the files you have distributed, in shopmysqlsubs.asp lines 1023 and 1094 are:
fieldvalue = request.form(fieldname)

However according to an earlier update they should be:
fieldvalue = cleanchars(request.form(fieldname))
I'm assuming the cleanchars one is correct.


Steve
Sex toys from a UK sex shop
Go to Top of Page

lynch
VP-ASP New User

USA
74 Posts

Posted - April 15 2008 :  12:16:28  Show Profile  Reply with Quote
I had a surprise data injection on my own v5.0 site this past weekend, and I had some of the same concerns -- I was up to date with all the stuff on the updates page, but there were things in the downloaded patches that I'd never seen. It made me wonder if security patches had been backdated, because there were dates from long ago... but that's not why I'm posting here.

Perpetual free support of all versions of the VP-ASP shopping cart would be nice, but it would also be impractical. Now there is a defined policy that explains how long support will last... it leaves me suddenly without support, but it also drives me to upgrade to v6.50.

Some warning and discussion about this policy change would have been nice, but at least we all know the new rules now.
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000