 Hackers

Alan F
VP-CART New User

102 Posts

Posted - April 27 2007 : 05:35:52
Having just looked at my logs, it is quite alarming how many people are searching for shopdisplayproducts.asp & shopdisplaycategories.asp & shopexd.asp

I think a security feature that would benefit the software would be the ability to change these page names, similar to shopadmin.asp

Any thoughts?

Alan

lynch
VP-CART New User

USA
74 Posts

Posted - April 27 2007 : 14:26:48
I have suggested this same idea before. In the meantime, you might try making new pages that #include the regular VPASP pages. For example, you could have a product-detail.asp that was nothing but
<!-- #include file="shopexd.asp" -->

You could use this file as a substitute for shopexd.asp wherever you need to. As long as you don't link to shopexd.asp anywhere, Google and other search engines should not know you use shopexd.asp, and hackers can't find you that way.
I was hacked a little more than a year ago, and the bad guy found my site by searching for shopexd.asp.
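As an added example (not part of lynch's post or VP-ASP's own code): a small Python check for the condition described above, that nothing a visitor or crawler can see still names the default pages once wrapper files are in use. The sample site content and the names `find_exposed_references` and `load_site` are constructed for illustration.

```python
import re
from pathlib import Path

# Default VP-ASP page names mentioned in this thread.
DEFAULT_PAGES = ("shopexd.asp", "shopdisplayproducts.asp", "shopdisplaycategories.asp")

# Classic ASP server-side include: resolved on the server, never sent to the client.
INCLUDE_RE = re.compile(r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"[^"]*"\s*-->', re.I)

# Constructed sample content (hypothetical site), keyed by relative path.
SAMPLE_SITE = {
    "product-detail.asp": '<!-- #include file="shopexd.asp" -->\n',
    "default.asp": '<a href="product-detail.asp?id=12">Widget</a>\n'
                   '<a href="shopexd.asp?id=13">Gadget</a>\n',
    "sitemap.xml": "<url><loc>http://shop.example/shopdisplaycategories.asp</loc></url>\n",
}

def find_exposed_references(files, default_pages=DEFAULT_PAGES):
    """Return (path, line_no, page) for every default page name found outside
    an #include directive. Each hit is a link, redirect, form action or sitemap
    entry to review, because it may reveal the default name to crawlers."""
    findings = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            # Drop include directives first: they are the intended use of the name.
            visible = INCLUDE_RE.sub("", line).lower()
            for page in default_pages:
                if page in visible:
                    findings.append((path, line_no, page))
    return findings

def load_site(root, exts=(".asp", ".htm", ".html", ".xml", ".txt", ".js")):
    """Read the text files under a web root into the dict shape used above."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            files[str(p.relative_to(root))] = p.read_text(errors="replace")
    return files

if __name__ == "__main__":
    for path, line_no, page in find_exposed_references(SAMPLE_SITE):
        print(f"{path}:{line_no}: still references {page}")
```

The included file has to stay on the server, so it still answers direct requests under its default name; this check covers link exposure only.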

support
Administrator

4679 Posts

Posted - April 27 2007 : 22:04:49
Hi there,

What you need to consider is that if you have the security patches applied and are up to date it won't matter what the hackers search for.

Make sure your site is secure and you will not have a problem.

Ensure you do NOT store credit cards and access your admin through an SSL URL and you will be safe.

The reason they search for shopdisplayproducts.asp is because in early versions of VPASP from over 2 years ago there was a vulnerability. If you have an old version of VPASP make sure you patch it to bring it up to date.

You can download patches or find the fixes if you want to apply them yourself at:
http://www.vpasp.com/virtprog/info/faq_security.htm

You can use a renamed version of shopexd.asp if you like very easily but realistically it is not going to stop hackers from finding. Securing your site is what will do that.

Alternatively, upgrade to version 6.50 which has been totally rewritten to make it as secure as possible from hackers.

My 2 cents.

Thanks
Cam

VP-ASP Support

lynch
VP-CART New User

USA
74 Posts

Posted - April 30 2007 : 12:40:12
quote:
Originally posted by support

What you need to consider is that if you have the security patches applied and are up to date it won't matter what the hackers search for.

Make sure your site is secure and you will not have a problem.

I am not trying to suggest that "security through obscurity" should be the first line of defense against hackers. I only suggest that it can be a useful tool to add to the existing methods of improving site security.

People try SQL injection methods against my non-VPASP pages too -- there's always someone out there who will be willing to try. On the other hand, if a flaw is found in a version of VPASP and a site operator has not yet implemented a fix for that flaw, the site operator may receive some additional margin of safety by not using the standard filenames that hackers may use to search for VPASP sites and use that hypothetical new flaw.

I know that filenames are important for including blocks of code, and I know that changing all the filenames used by VPASP would probably be a logistical nightmare for the developers.

I do agree with Cam's suggestion that customers upgrade to the newest version to gain the benefits of the fixes and new approaches that have been implemented, not to mention the new admin functions. I run a store using version 5.0 and a new store using version 6.50, and the reorganized admin since 5.0 may be reason enough to get an upgrade. :)

support
Administrator

4679 Posts

Posted - May 01 2007 : 02:02:04
Well, realistically it is the old stores we are concerned about not being secured but if we were to build a mod for them to install into their site they could realistically apply the patches at the same time and make hiding their pages a moot point.

You could change the file names if you like though. Not my recommendation but certainly something you could do. If you have Dreamweaver you could try doing a sitewide search for say any reference to shopdisplayproducts.asp and change it to your new name and then update the shopdisplayproducts.asp file name to suit.

You then need to think about upgrading problems though and even how to apply patches as well as you will always have to change the patched files to meet your new naming conventions.

Hackers will always find a way to locate your store if they want to. Lovely people really.

However by making sure the patches are applied, and not storing credit cards, it should make the process of running an online store a much safer one.

My 2 cents.

I am going to be at Cebit in Sydney, Australia talking on how to make sure your site is secure in a few days and my strongest message is to simply not store credit cards.

That one thing will make your site 90% safer. The rest is simply a matter of applying any updates or security updates to close the door completely.

Thanks
Cam

VP-ASP Support

lynch
VP-CART New User

USA
74 Posts

Posted - May 01 2007 : 12:12:29
quote:
Originally posted by support

Hackers will always find a way to locate your store if they want to. Lovely people really.


And that's the truth of it. These people seem to have plenty of time to work out new ways to find our sites and try to exploit them.

Changing file names may be a nice add-on idea, but there is no substitute for real data security.