VP-ASP :: Shopping Cart Software

Shopping Cart Software Solutions for anywhere in the World

US/Canada(Toll Free): +1 888 587 2278
Europe/UK: +44 (020) 7193 9408
Australia/New Zealand: +61 3 9016 4497

VP-ASP Shopping Cart Customer Forum

Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 VPCart Forum
 Credit card fraud and hackers
 Security SQL Injection Issues
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

Kamin
Starting Member

USA
30 Posts

Posted - June 24 2004 :  19:48:32  Show Profile  Visit Kamin's Homepage  Reply with Quote
I was just wondering if VPASP as addressed these issues posted by www.securityfocus.com

http://www.securityfocus.com/bid/10536
http://www.securityfocus.com/bid/10534
http://www.securityfocus.com/bid/10530
http://www.securityfocus.com/bid/9164
http://www.securityfocus.com/bid/9967

Each of these listed effects VPASP 4.0 to 5.0
I recently had a site compromised due to this issue. Thankfully I chose the option not to store the credit card information in the database. They were able to obtain a few e-mail address's but that's about it. I thought I had things setup to be pretty secure. Access database off the webpath, followed all the instructions listed on this site to secure the site, but these appear to be newly discovered exploits. If there are fix's available to prevent these types of attacks please let me know.

Kamin

support
Administrator

4266 Posts

Posted - June 24 2004 :  22:59:53  Show Profile  Visit support's Homepage  Reply with Quote
All this issues have been addressed in VP-ASP 5.0 and for previous releases in our security fixes. Based on our evaluation. most are harmless if our other guidelines were followed such as hiding the VP-ASP admin system and using dual passwords.

We recommend everyone review our security Guidelines and associated fixes. www.vpasp.com/virtprog/info/faq_security.htm

We recommend as standard
1. Make sure the database cannot de downloaded by a hacker (most important)
2. Hide the admin system using Shop Configuration options
3. Use dual password login to admin system
4. Delete all conversion and diagnostic tools.
Files starting conv, diag, create and for releases prior to 5.0 shopa_sessionlist.asp, shopdbtest.asp in addition to the above.
5. Periodically review this site for any important updates


Howard Kadetz
Vp-ASP



Go to Top of Page

greatphoto
VP-ASP Super User

USA
304 Posts

Posted - July 03 2004 :  14:35:04  Show Profile  Reply with Quote
It is very unfortunate that the recommendations continue to change without full notification to the owners of VP-ASP stores.

Security precautions are covered in section 38 of the Developer's Guide (http://www.vpasp.com/virtprog/vpasp500developer.pdf). Unfortunately, the information presented there is incomplete. Even conscientious developers who follow ALL of the recommendations found there will be potentially vulnerable.

Section 38.7 covers the removing of extra files. It recommends removal of files starting with Convert..., as well as diag_sessionlist.asp and diag_dbtest.asp. It does does not mention removal of files starting with "create" or "shoptmptest.asp"

The list above does not recommend removal of "cachefix.asp" or shoptmptest.asp but the faq suggests removing ALL files starting with the letter "c". Should we remove cachefix.asp as a security precaution?

Please begin (or publicize it if already begun) a program where all developers or merchants that have purchased your cart can sign up for a mailing list for security recommendation updates as you discover them.It is not feasible to recommend periodic review of the web site for changes. How frequent of a check is frequent enough? Even a very frequent check of twice a month may not be sufficient. If you discover a new vulnerability, all store owners need to know immediately. A delay until the next time they happen to check the web site and happen to notice a subtle additon to the recommendations may be too late: their store may have already been compromised.

Nathan



Edited by - greatphoto on July 03 2004 19:03:45
Go to Top of Page

greatphoto
VP-ASP Super User

USA
304 Posts

Posted - July 03 2004 :  16:04:24  Show Profile  Reply with Quote
Oh my, I just found a recent security threat posting that lists another file that should be deleted that is not listed elsewhere. http://www.vpasp.com/virtprog/info/faq_securityfixes.htm states that "mysql....asp" files should also be deleted! The page goes on to say "This has been a security warning for years," but I have been unable to find any other reference in the documentation or faqs listed above that recommend removal of this file.



Edited by - greatphoto on July 03 2004 19:05:36
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
Snitz Forums 2000