Author Topic: Any vulnerability with the Shellshock (bash) and AbanteCart software?

llegrand
In regard to the latest security issue, the Shellshock (Bash vulnerability):
My host has confirmed they have updated the distro on my server with the latest patches and will continue to do so as they are released, but they also caution:

"If you're using CGI to execute your web application, you're trusting Bash (or some other shell) to be free of vulnerabilities that would allow remote execution. It's not just CGI, though; any PHP script that uses shell_exec could be vulnerable. Or an application written in another language which uses a form of shell_exec."

I would like to double check that the software from AbanteCart doesn't execute shell_exec. And I expect other users would also like to know.

Thanks
Lee
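The check Lee is asking for can be done mechanically. The script below is an added example, not AbanteCart code and not something from the thread: it walks a PHP source tree and reports each call to a function that hands a string to a shell (`shell_exec`, `exec`, `system`, `passthru`, `popen`, `proc_open`, `pcntl_exec`) plus the backtick operator. It uses PHP's tokenizer rather than grep so that a comment or a string literal that merely mentions `shell_exec` is not counted; the function names `findShellCalls`, `scanTree` and `neighbour` and the sample file at the bottom are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not AbanteCart code: report every place a PHP source tree
// hands a string to a shell. It uses PHP's own tokenizer instead of grep, so a
// comment or string literal that merely mentions "shell_exec" is not reported.

const SHELL_FUNCTIONS = [
    'shell_exec', 'exec', 'system', 'passthru', 'popen', 'proc_open', 'pcntl_exec',
];

function isSkippable($tok): bool
{
    return is_array($tok) && in_array($tok[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
}

/** Nearest non-whitespace, non-comment token before ($step=-1) or after ($step=1) index $i. */
function neighbour(array $tokens, int $i, int $step)
{
    for ($j = $i + $step; $j >= 0 && $j < count($tokens); $j += $step) {
        if (!isSkippable($tokens[$j])) {
            return $tokens[$j];
        }
    }
    return null;
}

/**
 * Scan one PHP source string; returns [['file' => ..., 'line' => ..., 'call' => ...], ...].
 * Caveat: calls made through a variable ($f = 'system'; $f(...)) or via
 * call_user_func() are not seen; this is a first pass, not a proof of absence.
 */
function findShellCalls(string $source, string $file = '(inline)'): array
{
    $nameTokens = [T_STRING];
    $memberOps  = [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION];
    if (defined('T_NAME_FULLY_QUALIFIED')) {            // PHP 8: "\system" is a single token
        $nameTokens[] = T_NAME_FULLY_QUALIFIED;
        $memberOps[]  = T_NULLSAFE_OBJECT_OPERATOR;     // "?->", also PHP 8
    }

    $findings = [];
    $tokens = token_get_all($source);
    $line = 1;
    $inBackticks = false;
    foreach ($tokens as $i => $tok) {
        if (is_array($tok)) {
            $line = $tok[2];
        } elseif ($tok === '`') {                        // `cmd` is shorthand for shell_exec()
            if (!$inBackticks) {
                $findings[] = ['file' => $file, 'line' => $line, 'call' => '`...`'];
            }
            $inBackticks = !$inBackticks;
            continue;
        }
        if (!is_array($tok) || !in_array($tok[0], $nameTokens, true)) {
            continue;
        }
        $name = strtolower(ltrim($tok[1], '\\'));
        if (!in_array($name, SHELL_FUNCTIONS, true)) {
            continue;
        }
        // A plain function call: followed by "(" and not preceded by "->", "::" or "function".
        $prev = neighbour($tokens, $i, -1);
        if (neighbour($tokens, $i, 1) !== '(' || (is_array($prev) && in_array($prev[0], $memberOps, true))) {
            continue;
        }
        $findings[] = ['file' => $file, 'line' => $line, 'call' => $name . '()'];
    }
    return $findings;
}

/** Walk a directory tree and scan every *.php file in it. */
function scanTree(string $root): array
{
    $findings = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $info) {
        if ($info->isFile() && strtolower($info->getExtension()) === 'php') {
            $path = $info->getPathname();
            $findings = array_merge($findings, findShellCalls((string) file_get_contents($path), $path));
        }
    }
    return $findings;
}

// Usage: php scan.php /path/to/abantecart  (no argument: runs on the constructed sample below)
if (PHP_SAPI === 'cli') {
    $sample = <<<'PHP'
<?php
// shell_exec in a comment is ignored
$msg = "system() inside a string is ignored too";
$out = system('tar -xzf ' . escapeshellarg($archive)); // reported
$raw = `ls -la`;                                        // reported
$this->system('x');                                     // a method, not reported
PHP;
    $findings = isset($argv[1]) ? scanTree($argv[1]) : findShellCalls($sample, 'sample.php');
    foreach ($findings as $f) {
        printf("%s:%d  %s\n", $f['file'], $f['line'], $f['call']);
    }
}
```

Run it against the store's document root after every upgrade; an empty result means no direct shell call was found, and each reported line is a place where a host-level Bash patch, not the application, is what stands between a request and a shell.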

abolabo (core-developer, Administrator)
Re: Any vulnerability with the Shellshock (bash) and AbanteCart software?
« Reply #1 on: September 30, 2014, 04:36:14 AM »
AbanteCart has only a "system()" call for unpacking tar.gz archives (related to PHP 5.2), but we have already replaced this call with the native PHP function of PHP 5.3 in the next AbanteCart version. Also, in the previous releases this function usage is not necessary (we have logic with a check there). Anyway, you can restrict those potentially dangerous functions in php.ini (see http://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/).
“No one is useless in this world who lightens the burdens of another.”
― Charles Dickens
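The reply names two measures: replacing the `system()` tar call with a native PHP function, and using php.ini to restrict shell-spawning functions. The block below is an added example of both, written for this thread rather than taken from AbanteCart or from abolabo's post; `unpackWithShell`, `unpackNative` and `enabledShellFunctions` are names chosen here, `PharData` is the standard PHP 5.3+ class assumed to be the "native function" meant, and the `disable_functions` list in the comment is an assumed choice, not the site's configuration.

```php
<?php
declare(strict_types=1);

// Added example, not AbanteCart's code: the native unpack path the reply refers
// to, and a check of which shell-spawning functions php.ini still allows.
//
// php.ini hardening the reply links to (assumed list; adjust to what the site needs):
//   disable_functions = shell_exec,exec,system,passthru,popen,proc_open,pcntl_exec

const SHELL_FUNCTIONS = ['shell_exec', 'exec', 'system', 'passthru', 'popen', 'proc_open', 'pcntl_exec'];

/**
 * "Before": a shell is spawned to run tar, so the unpack depends on the host's
 * bash and tar binaries, and $archive must be escaped or it becomes injectable.
 * Kept only for contrast; unpackNative() below is the replacement.
 */
function unpackWithShell(string $archive, string $destDir): void
{
    system('tar -xzf ' . escapeshellarg($archive) . ' -C ' . escapeshellarg($destDir));
}

/** "After": PharData (PHP 5.3+, needs zlib for .gz) reads the tarball in-process, no shell. */
function unpackNative(string $archive, string $destDir): void
{
    if (!is_file($archive)) {
        throw new RuntimeException("archive not found: $archive");
    }
    if (!is_dir($destDir) && !mkdir($destDir, 0750, true)) {
        throw new RuntimeException("cannot create $destDir");
    }
    $phar = new PharData($archive);
    $phar->extractTo($destDir, null, true);   // third argument: overwrite existing files
}

/**
 * function_exists() returns false for anything listed in disable_functions, so
 * this reports exactly which shell-spawning functions the running interpreter allows.
 */
function enabledShellFunctions(): array
{
    return array_values(array_filter(SHELL_FUNCTIONS, 'function_exists'));
}

if (PHP_SAPI === 'cli') {
    echo 'disable_functions = ', (ini_get('disable_functions') ?: '(empty)'), "\n";
    $open = enabledShellFunctions();
    echo $open ? 'still callable: ' . implode(', ', $open) : 'no shell-spawning functions callable', "\n";

    // Constructed round trip: build a small .tar.gz, then unpack it without a shell.
    $tmp = sys_get_temp_dir() . '/pharsample_' . getmypid();
    mkdir($tmp, 0750, true);
    $tar = new PharData("$tmp/sample.tar");
    $tar->addFromString('hello.txt', "hello from PharData\n");
    $tar->compress(Phar::GZ);                  // writes sample.tar.gz next to sample.tar
    unpackNative("$tmp/sample.tar.gz", "$tmp/out");
    echo file_get_contents("$tmp/out/hello.txt");
}
```

The native path removes the shell from the unpack step, which is the exposure Shellshock is about; it does not make an untrusted archive safe to extract, so an archive's origin and contents still need checking. The `enabledShellFunctions()` check is worth running from the web server's PHP, not just the CLI, because the two often read different php.ini files.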

eCommerce Core (Administrator)
Re: Any vulnerability with the Shellshock (bash) and AbanteCart software?
« Reply #2 on: September 30, 2014, 07:56:17 AM »
Thanks llegrand for the concern.

Shell scripts or system commands are dangerous, but not harmful if used smartly.
As abolabo pointed out, we stay away from using system commands.

In the future, some operations will require servicing AbanteCart with shell scripts, but this will be set up outside of the standard distribution.
“If you’re in the luckiest one per cent of humanity, you owe it to the rest of humanity to think about the other 99 per cent.”
― Warren Buffett

llegrand
Re: Any vulnerability with the Shellshock (bash) and AbanteCart software?
« Reply #3 on: September 30, 2014, 08:48:41 AM »
Thank you for responding to my inquiry. I am happy you've confirmed your continued efforts to do it right, and that this latest vulnerability is not an issue for AbanteCart users.

Thanks for making such great software.
Lee
