AbanteCart Community

Shopping Cart Operations => Security => Topic started by: llegrand on September 29, 2014, 11:59:17 AM

Title: Any vulnerability with the Shellshock (bash) and AbanteCart software?
Post by: llegrand on September 29, 2014, 11:59:17 AM
In regard to the latest security issue - the Shellshock (Bash) vulnerability.
My host has confirmed they have updated the distro on my server with the latest patches and will continue to do so as they are released, but they also caution:

"If you're using CGI to execute your web application, you're trusting Bash (or some other shell) to be free of vulnerabilities that would allow remote execution. It's not just CGI, though; any PHP script that uses shell_exec could be vulnerable. Or an application written in another language which uses a form of shell_exec."

I would like to double check that the software from AbanteCart doesn't execute shell_exec. And I expect other users would like to know also.

Thanks
Lee
Title: Re: Any vulnerability with the Shellshock (bash) and AbanteCart software?
Post by: abolabo on September 30, 2014, 04:36:14 AM
AbanteCart has only one "system()" call, for unpacking tar.gz archives (related to PHP 5.2), but we have already replaced this call with a native PHP function of PHP 5.3 in the next AbanteCart version. Also, in the previous releases this function's usage is not necessary (we have checking logic there). Anyway, you can restrict such potentially dangerous functions in php.ini (see http://www.cyberciti.biz/faq/linux-unix-apache-lighttpd-phpini-disable-functions/).
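As an added illustration (not AbanteCart's own code; it assumes the native PHP 5.3 function referred to above is the PharData class), here is the shell-dependent tar.gz unpack next to the native one, plus a check against php.ini's disable_functions so the shell path is skipped when an administrator has switched it off:

```php
<?php
// Added example, not AbanteCart code. Relevant php.ini hardening (assumed setting):
//   disable_functions = system,exec,shell_exec,passthru,proc_open,popen

// True if $name is listed in php.ini's disable_functions (comma separated).
function isDisabledFunction(string $name): bool
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return in_array(strtolower($name), array_map('strtolower', $disabled), true);
}

// Shell-dependent form: system() starts /bin/sh, so the web app inherits any
// shell bug (Shellshock included). Arguments must be escaped to avoid injection.
function unpackWithShell(string $archive, string $dest): bool
{
    if (!function_exists('system') || isDisabledFunction('system')) {
        return false; // disabled by the administrator; caller should use the native path
    }
    $cmd = 'tar -xzf ' . escapeshellarg($archive) . ' -C ' . escapeshellarg($dest);
    system($cmd, $status);
    return $status === 0;
}

// Native form (PHP >= 5.3): PharData reads the gzip-compressed tar itself,
// no shell process is spawned, so disable_functions can stay strict.
function unpackNative(string $archive, string $dest): bool
{
    if (!preg_match('/\.tar\.gz$/i', $archive) || !is_dir($dest)) {
        return false; // only accept the archive type we expect, into an existing dir
    }
    try {
        $tgz = new PharData($archive);
        $tgz->extractTo($dest, null, true); // overwrite existing files
        return true;
    } catch (Exception $e) {
        error_log('unpack failed: ' . $e->getMessage());
        return false;
    }
}

// Preferred order: native first, shell only as a last resort.
function unpackArchive(string $archive, string $dest): bool
{
    return unpackNative($archive, $dest) || unpackWithShell($archive, $dest);
}
```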
Title: Re: Any vulnerability with the Shellshock (bash) and AbanteCart software?
Post by: eCommerce Core on September 30, 2014, 07:56:17 AM
Thanks llegrand for the concern.

Shell scripts or system commands are dangerous, but not harmful if used smartly.
As abolabo pointed out, we stay away from using system commands.

In the future, some operations will require servicing AbanteCart with the use of shell scripts, but this will be set up outside of the standard distribution.
Title: Re: Any vulnerability with the Shellshock (bash) and AbanteCart software?
Post by: llegrand on September 30, 2014, 08:48:41 AM
Thank you for responding to my inquiry. I am happy you've confirmed your continued efforts to do it right and that this latest vulnerability is not an issue for AbanteCart users.

Thanks for making such great software.
Lee