views: 145
answers: 4

Hi,

I am planning to integrate some open source shopping cart with my site and I am a bit worried about its security.

Is it that easy to hack an osCommerce-based website? I am asking because I am thinking of using osCommerce.

Kindly advise.

A: 

Dear Auxi,

I have never tried to hack our site, but it seems that osCommerce development has been a bit slow and could be dead. The last release from osCommerce was an alpha one year ago, and they never released the stable version. I personally prefer Zen Cart, a branch of osCommerce.

For example you can see that the last release with some security improvements

Anyway, Zen Cart has some advantages apart from stronger security, like being easier to customize.

borjab
+1  A: 

Forget osCommerce - it's not developed anymore and there are many other products out there that have the same functionality and are actively maintained. If it's not maintained, then newly found vulnerabilities are not fixed.

I'd suggest checking out these:

http://www.opencart.com/ - actively developed and seems to do all the things you need. I'm planning to start moving osCommerce sites onto this.

http://www.prestashop.com/ - has a lot of extensions, most of them are sold at their shop

http://www.magentocommerce.com/ - they say that this is THE e-commerce solution. It probably has the most functionality, but it also knows how to eat up your server resources. Hosting this on shared hosting is not suggested.

Indrek
A: 

osCommerce is terribly insecure. I wouldn't touch this thing.

Longpoke
A: 

I use osCommerce [osc3alpha], but I modified it as much as possible against script attacks and the like. One also needs to prevent access to the admin [rename it as well], includes, etc. folders by setting up password access. Strong passwords are recommended, as always. You can also set up better security using some .htaccess files (a good source of info is askapache.com), and remember the old-time robots.txt [and also prevent it from being displayed ;)]. Also look into creating a chmod to back up your site daily, without overwriting the files, so if you have been hacked, you'll be up and running on the backup of the day before.

On a personal note [myself being a CEH and network architect], everything is hackable: if they cannot get to your cart, they get to poison your DNS, etc. Unfortunately, if your store is their target, they'll get to you no matter what. All you can do is secure it as much as possible. All the more so since all open source carts are easily obtainable, hence anyone can download the code and look deeply into it for any flaws.

I would invite you to check out TomatoCart http://www.tomatocart.com/ . It is based on the OSC3 alpha framework with a million modifications to it. The Chinese guys behind it really gave it a boost, and it's worth looking into, especially the good-looking backend area, which acts just like a desktop with analysis features like no other.

Cheers, Fab

Fabian Borg
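The hardening steps in the answer above (rename the admin directory, put HTTP authentication in front of it, and stop the web server from serving the includes folder directly) as one Apache configuration. This is an added example, not code from the original post or from the osCommerce/TomatoCart projects. The document root, the renamed admin directory name, the certificate paths and the password file location are all assumptions; adjust them to your install. Apache 2.4 syntax (`Require`), so it will not load as-is on 2.2.

```apache
# Added example: hardened vhost for an osCommerce-style cart installed at /var/www/shop
# (all paths and the directory name "admin_x7k2" are assumptions, not osCommerce defaults).
<VirtualHost *:443>
    ServerName   shop.example.com
    DocumentRoot /var/www/shop

    # Basic auth sends the password with every request, so only allow it over TLS.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/shop.example.com.key

    # Admin area, renamed from the default "admin" and gated by HTTP authentication
    # in addition to the application's own login. Create the password file with:
    #   htpasswd -B -c /etc/apache2/shop.htpasswd shopadmin
    # (-B stores bcrypt hashes; keep the file outside DocumentRoot so it can never be served).
    <Directory /var/www/shop/admin_x7k2>
        AuthType     Basic
        AuthName     "Shop administration"
        AuthUserFile /etc/apache2/shop.htpasswd
        Require      valid-user
        # Optional second factor of sorts: also restrict by source network (assumed range).
        # Require ip 203.0.113.0/24
    </Directory>

    # includes/ holds PHP that is only ever include()d from disk; it should never be
    # requested over HTTP. Denying it removes a whole class of direct-access bugs.
    <Directory /var/www/shop/includes>
        Require all denied
    </Directory>

    # Never serve editor/backup/config leftovers that an upload or a sloppy deploy may have left behind.
    <FilesMatch "\.(bak|orig|old|sql|inc|log|swp)$">
        Require all denied
    </FilesMatch>

    # Hide directory listings everywhere in the shop.
    <Directory /var/www/shop>
        Options -Indexes
    </Directory>
</VirtualHost>
```

Two checks after reloading: fetch `https://shop.example.com/includes/application_top.php` and confirm a 403 rather than a blank page or PHP output, and fetch the renamed admin path without credentials and confirm a 401. If the rest of the cart's `.htaccess` files are to be honoured, the `/var/www/shop` block also needs the appropriate `AllowOverride`; with `AllowOverride None` (the default in 2.4) only the directives in this vhost apply.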