Good Afternoon,
UPDATE: This email pertains to clients on Shared/Reseller servers who are currently using osCommerce.
We have seen a dramatic increase in attacks against osCommerce installations in recent months. There are several severe unpatched vulnerabilities for osCommerce. There has not been a stable release of osCommerce since January of 2008. The osCommerce project appears to be dead and it is reasonable to assume that the glaring security vulnerabilities in this software will not be patched by its developers. All versions of osCommerce have been confirmed to be vulnerable.
We have created mod_security rules to help mitigate these vulnerabilities for our shared and reseller accounts. This may protect your account for the time being, but these mitigations should not be relied on as a long term solution.
The only long term solution to ensure the safety of your site is to switch to another ecommerce CMS solution. An actively developed CMS ecommerce solution that you may want to consider is Magento:
www.magentocommerce.com
Magento supports similar functionality to osCommerce and is being actively developed and supported by its developers. The Magento Community Edition is free to download and is developed through an open source community.
Other solutions include Zencart which you can still install through your Fantastico interface. Zencart contains much of the same functionality of osCommerce, but it is still in active development.
For those absolutely unable to migrate to a different CMS, we recommend that you at least enable cPanel’s folder protection system for your osCommerce admin/ directory. You can access this feature through your cPanel interface at: cPanel → Security → “Password Protect Directories”. You can simply select your “admin” directory and specify a username and password. This will protect you from the security bypass vulnerabilities present in the osCommerce software.
Beginning December 1, 2010 we are removing support for installing the osCommerce CMS through Fantastico on all of our shared/reseller servers. This will not affect clients who currently have osCommerce installed.
Thank you very much for your consideration and if you have any other questions and/or concerns, please feel free to let us know.
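The cPanel “Password Protect Directories” step in the email above writes an Apache per-directory configuration. As an added example, not part of the email or of osCommerce itself, this is the equivalent hand-written .htaccess for the admin/ directory; the credential file path /home/example/.htpasswd and the realm name are assumptions.

```apacheconf
# admin/.htaccess  (added example; file path and realm name are assumptions)
# HTTP Basic authentication in front of the osCommerce admin/ directory,
# which is what cPanel's "Password Protect Directories" generates for you.
AuthType Basic
AuthName "osCommerce administration"
# Keep the credential file outside the web root so it can never be served.
AuthUserFile /home/example/.htpasswd
Require valid-user

# Basic auth sends the username and password with every request, so refuse
# plain-HTTP access before Apache even asks for credentials. SSLRequireSSL
# runs in the access-check phase, ahead of authentication; without mod_ssl
# loaded this block is skipped and the directory stays reachable over HTTP.
<IfModule mod_ssl.c>
    SSLRequireSSL
</IfModule>
```

Create the credential file with `htpasswd -c /home/example/.htpasswd admin`; cPanel writes it for you when you fill in the form.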
So then, Hostdime are stopping osCommerce for NEW customers. But allowing existing osCommerce installations to remain. Hmmmm, and this is supposedly about security?
They say that osCommerce is dead. Strange that I am seeing almost daily commits to 2.3 and 3.
They say Magento is being developed through an Open Source Community. Is not osCommerce?
Let’s look at the reality
We all know that osCommerce has its problems – and the fact is most of these stem from the lack of released updates from the core team. However, the updates needed to secure osCommerce are released by the community – in any Open Source project it is usually the community who are at the sharp end of development.
For Hostdime to basically dismiss the osCommerce community shows they have a real lack of class.
A challenge to Hostdime
Go and download osCommerce 2.3 and look at all the new features – watch the commits for regular activity. Go to the community and take a look at the handful of committed people who are developing new scripts and giving Technical Support for osCommerce on a daily basis. Will you still say “it’s dead”?
And they are suggesting sticking Magento on their shared servers. I don’t think they understand ecommerce, do they? Magento is useless on a dedicated server, let alone a shared server.
In my view, the problem is that a user who installs osCommerce 2.2 doesn’t know that there are security holes which he has to manually fix after the setup.
The response from Hostdime to this blog entry:
Which reiterates the BS offered in their original email to their customers. Basically they are removing osCommerce from Fantastico, yet leaving unsecured, hackable sites on their servers. Duh.
Paul – I think you are correct – they simply don’t understand eCommerce. Magento on shared?
Mike – if you buy a car and someone crashed into you, would you not take it to the garage to get it repaired?
“Mike – if you buy a car and someone crashed into you, would you not take it to the garage to get it repaired?”
> Of course I would repair it, but in my view that’s not the point. The problem is that “they” sell cars which always crash when you drive them and nobody tells you that.
What I really mean: There should be at minimum a note on the download site of osCommerce 2.2. HPDL can do this in 1 minute or less if he wants to.
I can see where Mike is coming from.
Magento is good in that if there is an update or urgent fix it pops up as soon as you log into the admin section. You have to click that you’ve read it before it disappears. I realise there is an RSS feed now showing in the backend of osC 2.3, but that can be turned off.
If a standard non-techie user sees a pop up message then maybe they would think to do something.
The point is that osCommerce has never claimed to be one-size-fits-all – if anyone runs a business they do their homework. Or perhaps they don’t. Either way, if they use a tool without knowing at least a little how it works (and perhaps more importantly, how it doesn’t work!), then it is obvious that at some point they will run into trouble. It’s like owning a car but being a learner driver. What’s the point?
Mike, after you installed osCommerce, are you running it without any further changes? No new logo? No design? No SEO stuff? No nothing?
“They say Magento is being developed through an Open Source Community”
Yeah right, it’s so “open” that it doesn’t even exist in the open source repositories.
For osC the issue comes because of the admin end. It got bad with the RC versions because they added a login page. And of course you cannot protect the application’s folders from the application itself in a practical way. Certain server configurations need to apply and they are server dependent (.htpasswd, .htaccess for Apache etc). If you look at the old MS release, it doesn’t have a login prompt, which forces the user to immediately ask questions about how to secure the back-end.
Mark – exactly right – I argued against adding that login page in admin at the time of release. My idea was that it leads the user into a false sense of security. I tried looking for the thread, but it could have been in a private forum on the osC site (when I was a community sponsor).
The threads I remember back in 07 about the RC are long removed. There were various complaints, among them the admin issue, and despite the second release it wasn’t fixed. There were also bug reports in Jira about the admin which were closed without fixing them.