UPDATE: This email pertains to clients on Shared/Reseller servers who are currently using osCommerce.
We have seen a dramatic increase in attacks against osCommerce installations in recent months. There are several severe unpatched vulnerabilities for osCommerce. There has not been a stable release of osCommerce since January of 2008. The osCommerce project appears to be dead and it is reasonable to assume that the blaring security vulnerabilities in this software will not be patched by its developers. All versions of osCommerce have been confirmed to be vulnerable.
We have created mod_security rules to help mitigate these vulnerabilities for our shared and reseller accounts. This may protect your account for the time being, but these mitigations should not be relied on as a long term solution.
The only long term solution to ensure the safety of your site is to switch to another ecommerce CMS solution. An actively developed CMS ecommerce solution that you may want to consider is Magento:
Magento supports similar functionality to osCommerce and is being actively developed and supported by its developers. The Magento Community Edition is free to download and is developed through an open source community.
Other solutions include Zencart, which you can still install through your Fantastico interface. Zencart contains much of the same functionality as osCommerce, but it is still in active development.
For those absolutely unable to migrate to a different CMS, we recommend that you at least enable cPanel’s folder protection system for your osCommerce admin/ directory. You can access this feature through your cPanel interface at: cPanel > Security > “Password Protect Directories”. You can simply select your “admin” directory and specify a username and password. This will protect you from the security bypass vulnerabilities present in the osCommerce software.
Beginning December 1, 2010 we are removing support for installing the osCommerce CMS through Fantastico on all of our shared/reseller servers. This will not affect clients who currently have osCommerce installed.
Thank you very much for your consideration and if you have any other questions and/or concerns, please feel free to let us know.
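What cPanel’s “Password Protect Directories” feature sets up behind the scenes is plain HTTP Basic authentication: an .htaccess file in the protected directory pointing at an .htpasswd file. The script below is an added example, not code from the Hostdime email or from the osCommerce project, that does the same thing by hand so you can see (and check) exactly what is being written. It assumes an Apache host that honours AllowOverride AuthConfig for the directory and that the openssl binary is available; every path, user name and password in it is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the Hostdime email or the osCommerce project):
# protect osCommerce's admin/ directory with HTTP Basic auth by hand.
# This is what cPanel's "Password Protect Directories" writes for you.
# Assumes Apache with AllowOverride AuthConfig for the directory and an
# openssl binary; all paths, user names and passwords below are made up.
set -eu

# Print one htpasswd line "user:$apr1$salt$digest" (Apache MD5 format).
make_htpasswd_entry() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Return 0 if PASSWORD matches USER's entry in FILE, 1 otherwise.
# Recomputes the apr1 hash with the stored salt and compares.
check_htpasswd() {
    file=$1; user=$2; pass=$3
    stored=$(grep "^${user}:" "$file" | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)   # $apr1$<salt>$<digest>
    [ "$(openssl passwd -apr1 -salt "$salt" "$pass")" = "$stored" ]
}

# Write DIR/.htaccess so Apache demands a valid user from PASSFILE.
write_htaccess() {
    dir=$1; passfile=$2
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "osCommerce administration"
AuthUserFile $passfile
Require valid-user
EOF
}

# Stand-alone demo on a constructed temp tree; prints the tree's root.
demo() {
    root=$(mktemp -d)
    admin="$root/public_html/admin"
    passfile="$root/.htpasswds/admin.htpasswd"   # kept outside the web root
    mkdir -p "$admin" "$root/.htpasswds"
    make_htpasswd_entry shopadmin 'example-password' > "$passfile"
    chmod 600 "$passfile"
    write_htaccess "$admin" "$passfile"
    check_htpasswd "$passfile" shopadmin 'example-password'
    if check_htpasswd "$passfile" shopadmin 'wrong-password'; then
        echo "verification is broken" >&2; return 1
    fi
    echo "$admin is protected; credentials in $passfile"
    echo "$root"
}

demo
```

Two caveats a practitioner will want: this only gates requests to admin/, so it helps against the admin authentication bypass the email refers to and nothing elsewhere in the store, and Basic auth sends the credentials base64-encoded on every request, so the admin area should only be reached over HTTPS. Keeping the .htpasswd file outside the web root, as the demo does, stops it being served to anyone who guesses its name.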
So then, Hostdime are stopping osCommerce installs for NEW customers, but allowing existing osCommerce installations to remain. Hmmmm, and this is supposedly about security?
They say that osCommerce is dead. Strange that I am seeing almost daily commits to 2.3 and 3.
They say Magento is being developed through an Open Source Community. Is not osCommerce?
Let’s look at the reality
We all know that osCommerce has its problems – and the fact is most of these stem from the lack of released updates from the core team. However, the updates needed to secure osCommerce are released by the community – in any Open Source project it is usually the community who are at the sharp end of development.
For Hostdime to basically dismiss the osCommerce community shows they have a real lack of class.
A challenge to Hostdime
Go and download osCommerce 2.3 and look at all the new features – watch the commits for regular activity. Go to the community and take a look at the handful of committed people who are developing new scripts and giving Technical Support for osCommerce on a daily basis. Will you still say “it’s dead”?