Another serious problem with the install process

[TopWebNames]

I just installed the latest version yesterday. In addition to the install process NOT putting the database information into the system > config.php file, therby making my website only generate an error; then after me discovering this and fixing it by adding the database information into the file manually... my admin username and password didn't work, and when I clicked "Forgot password", it said: "No match for Username and Email", so this information didn't get added/entered either!

I also sent a query to my hosting provider, HostGator about this that the install process displayed:

PHP Settings    Current Settings    Required Settings
Register Globals:    On    Off    Bad


THIS is what HostGator tech support replied:

"That setting can be changed in the php.ini file in the YourDomainName.com/ directory. However, the php.ini file that is present seems to have been placed there by the AbanteCart install and explicitly sets that setting to Off, so you may wish to confirm that setting with them."

Meaning, that the install process ADDED the "Off" setting, then marked it as "Bad"!

1 - What should I do?

2 - These things need to be addressed and fixed as soon as possible.

[abolabo]

1. put into your php.ini line

register_globals = Off

2. problem was addressed at beginning of development. Abantecart do processing and resetting all global variables by everytime.
But we do not recommends use abantecart with enabled register_globals directive.
Abantecart have no any security holes.

[TopWebNames]

1. put into your php.ini line

register_globals = Off

2. problem was addressed at beginning of development. Abantecart do processing and resetting all global variables by everytime.
But we do not recommends use abantecart with enabled register_globals directive.
Abantecart have no any security holes.

Hi abolabo,

1- Thanks for your explanation.

2 - One of the many reasons that I selected AbanteCart, after being seriously disappointed with OpenCart, nopCommerce, and a few others, was that you have been reported in many reviews and on many forums as seriously caring and trying to be as secure as possible.  This is also why I'm spending my very limited, valuable time to report things to you... to help you make AbanteCart the best and most secure that you can.  I'm NOT complaining, I'm trying to pitch in and be helpful.

3 - You say that the install process purposely sets the register_globals to OFF, and I'm glad that you do if it causes a security risk to have it on.  Then WHY does your install process then report the "OFF" setting as "BAD"?  I think this needs to be changed.

4 - In the installation instructions, it says: "For Linux/Unix make sure the following folders and files are writable
chmod 0777 admin/system/backup/
chmod 0777 download/
chmod 0777 extensions/
chmod 0777 image/
chmod 0777 image/thumbnails/
chmod 0777 system/
chmod 0777 system/config.php
chmod 0777 system/cache/
chmod 0777 system/logs/"

Doing this is causes a serious security risk!  Many, if not most or even all hosting companies not only tell you not to use 0777... they actually will BLOCK your website if you have any 0777 settings!  HostGator tech support wrote this:  "The problem with 777 file permissions is that it means the file is writable by anyone. Anyone else could modify the file, including the web server. It is recommended that the web server be able to read the files or execute the files, but there are times when you want the web server to have write access it just isn't that common. The outside risk is that someone could find a flaw in your site and use that flaw to rewrite your files."

I strongly suggest that you change the installation instructions.

[abolabo]

3 - You say that the install process purposely sets the register_globals to OFF, and I'm glad that you do if it causes a security risk to have it on.  Then WHY does your install process then report the "OFF" setting as "BAD"?  I think this needs to be changed.

php do not give ability to change that directive "on-a-fly". We just can to reset all globals variable in that case.
by the way, this directive marked as deprecated in php 5.3 and removed in php 5.4.
When we show "BAD" we try to notify user about potential security risks with 3d-party php scripts, but not abantecart! Register_globals is not critical configuration setting.

4 - In the installation instructions, it says: "For Linux/Unix make sure the following folders and files are writable
chmod 0777 admin/system/backup/
chmod 0777 download/
chmod 0777 extensions/
chmod 0777 image/
chmod 0777 image/thumbnails/
chmod 0777 system/
chmod 0777 system/config.php
chmod 0777 system/cache/
chmod 0777 system/logs/"

Doing this is causes a serious security risk!  Many, if not most or even all hosting companies not only tell you not to use 0777... they actually will BLOCK your website if you have any 0777 settings!  HostGator tech support wrote this:  "The problem with 777 file permissions is that it means the file is writable by anyone. Anyone else could modify the file, including the web server. It is recommended that the web server be able to read the files or execute the files, but there are times when you want the web server to have write access it just isn't that common. The outside risk is that someone could find a flaw in your site and use that flaw to rewrite your files."

I strongly suggest that you change the installation instructions.
[/quote]

no any risks! The input point of all requests of abantecart is file index.php.  All other files just includes into it and running with permissions of index.php.
regarding hosting providers  suggests..."writable by anyone" means anyone who login in shell as user. Usually, php scripts runs with web-server's permissions.
Abantecart have it's own upgrade controller that replaced old files and adds new, by another words, it needs to write permissions for automatic upgrade.
if you do not plan to upgrade abantecart automatically you can set all permissions for files to 644 and folders 755 and change file owner (i think it's paranoic mode:))
To damage some core-file you needs to run some bad php-script. But to do this without ftp or shell access?
How to upload it and get http-access for run?
Can i look on working exploit for abantecart?
Thank you.

p.s. Maybe my answer will seem a little harsh, but it is not. Just English is not my native language.