Alan F
VP-CART New User
102 Posts |
Posted - April 27 2007 : 05:35:52
|
Having just looked at my logs it is quite alarming how many people are searching for shopdisplayproducts.asp & shopdisplaycategories.asp & shopexd.asp.
I think a security feature that would benefit the software would be the ability to change these page names similar to shopadmin.asp.
Any thoughts?
Alan
|
|
lynch
VP-CART New User
USA
74 Posts |
Posted - April 27 2007 : 14:26:48
|
I have suggested this same idea before. In the meantime, you might try making new pages that #include the regular VPASP pages. For example, you could have a product-detail.asp that was nothing but
<!-- #include file="shopexd.asp" -->
You could use this file as a substitute for shopexd.asp wherever you need to. As long as you don't link to shopexd.asp anywhere, Google and other search engines should not know you use shopexd.asp, and hackers can't find you that way. I was hacked a little more than a year ago, and the bad guy found my site by searching for shopexd.asp. |
|
|
support
Administrator
4679 Posts |
Posted - April 27 2007 : 22:04:49
|
Hi there,
What you need to consider is that if you have the security patches applied and are up to date it won't matter what the hackers search for.
Make sure your site is secure and you will not have a problem.
Ensure you do NOT store credit cards and access your admin through an SSL URL and you will be safe.
The reason they search for shopdisplayproducts.asp is because in early versions of VPASP from over 2 years ago there was a vulnerability. If you have an old version of VPASP make sure you patch it to bring it up to date.
You can download patches or find the fixes if you want to apply them yourself at: http://www.vpasp.com/virtprog/info/faq_security.htm
You can use a renamed version of shopexd.asp if you like very easily but realistically it is not going to stop hackers from finding. Securing your site is what will do that.
Alternatively, upgrade to version 6.50 which has been totally rewritten to make it as secure as possible from hackers.
My 2 cents.
Thanks Cam
VP-ASP Support |
|
|
lynch
VP-CART New User
USA
74 Posts |
Posted - April 30 2007 : 12:40:12
|
quote: Originally posted by support
What you need to consider is that if you have the security patches applied and are up to date it won't matter what the hackers search for.
Make sure your site is secure and you will not have a problem.
I am not trying to suggest that "security through obscurity" should be the first line of defense against hackers. I only suggest that it can be a useful tool to add to the existing methods of improving site security.
People try SQL injection methods against my non-VPASP pages too -- there's always someone out there who will be willing to try. On the other hand, if a flaw is found in a version of VPASP and a site operator has not yet implemented a fix for that flaw, the site operator may receive some additional margin of safety by not using the standard filenames that hackers may use to search for VPASP sites and use that hypothetical new flaw.
I know that filenames are important for including blocks of code, and I know that changing all the filenames used by VPASP would probably be a logistical nightmare for the developers.
I do agree with Cam's suggestion that customers upgrade to the newest version to gain the benefits of the fixes and new approaches that have been implemented, not to mention the new admin functions. I run a store using version 5.0 and a new store using version 6.50, and the reorganized admin since 5.0 may be reason enough to get an upgrade. :) |
|
|
support
Administrator
4679 Posts |
Posted - May 01 2007 : 02:02:04
|
Well, realistically it is the old stores we are concerned about not being secured but if we were to build a mod for them to install into their site they could realistically apply the patches at the same time and make hiding their pages a moot point.
You could change the file names if you like though. Not my recommendation but certainly something you could do. If you have Dreamweaver you could try doing a sitewide search for say any reference to shopdisplayproducts.asp and change it to your new name and then update the shopdisplayproducts.asp file name to suit.
You then need to think about upgrading problems though and even how to apply patches as well as you will always have to change the patched files to meet your new naming conventions.
Hackers will always find a way to locate your store if they want to. Lovely people really.
However by making sure the patches are applied, and not storing credit cards, it should make the process of running an online store a much safer one.
My 2 cents.
I am going to be at Cebit in Sydney, Australia talking on how to make sure your site is secure in a few days and my strongest message is to simply not store credit cards.
That one thing will make your site 90% safer. The rest is simply a matter of applying any updates or security updates to close the door completely.
Thanks Cam
VP-ASP Support |
|
|
lynch
VP-CART New User
USA
74 Posts |
Posted - May 01 2007 : 12:12:29
|
quote: Originally posted by support
Hackers will always find a way to locate your store if they want to. Lovely people really.
And that's the truth of it. These people seem to have plenty of time to work out new ways to find our sites and try to exploit them.
Changing file names may be a nice add-on idea, but there is no substitute for real data security. |
|
|
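Added example, not part of the thread and not VP-ASP code: a short script for the kind of log review Alan describes, tallying per client the requests for the default page names and flagging the SQL-injection-shaped query strings lynch mentions. The log lines are constructed, the IIS W3C field list is an assumption about how the server is configured to log, and the SQLI pattern is a rough heuristic rather than a complete detector.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Default VP-ASP page names named in the thread.
WATCHED = {"shopdisplayproducts.asp", "shopdisplaycategories.asp", "shopexd.asp"}
# Rough heuristic for SQL-injection-shaped queries (assumption; tune per site).
SQLI = re.compile(r"('|--|;|\b(union|select|insert|update|delete|drop|exec)\b)", re.I)

# Constructed sample in IIS W3C extended format; IPs are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-04-27 05:01:10 192.0.2.10 GET /shop/shopexd.asp id=42 200
2007-04-27 05:01:12 198.51.100.7 GET /shopexd.asp id=1 404
2007-04-27 05:01:13 198.51.100.7 GET /store/shopexd.asp id=1 404
2007-04-27 05:01:14 198.51.100.7 GET /shop/shopdisplayproducts.asp id=1%27 500
2007-04-27 05:02:00 203.0.113.5 GET /shop/default.asp - 200
"""

def parse(log_text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def summarize(log_text):
    """Per client IP: hits on watched pages, 404s among them, suspicious queries."""
    report = defaultdict(lambda: {"hits": 0, "not_found": 0, "suspicious": []})
    for row in parse(log_text):
        page = row["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if page not in WATCHED:
            continue
        entry = report[row["c-ip"]]
        entry["hits"] += 1
        entry["not_found"] += row["sc-status"] == "404"  # bool counts as 0 or 1
        if SQLI.search(unquote_plus(row["cs-uri-query"])):  # decode %27 etc. first
            entry["suspicious"].append(row["cs-uri-stem"] + "?" + row["cs-uri-query"])
    return dict(report)

if __name__ == "__main__":
    for ip, entry in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, entry)
```

A client with several 404s on these names across different directories is guessing paths rather than following links from the store, which is the pattern worth watching whether or not the pages have been renamed.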