Author Topic: Your website is Very Unsafe  (Read 7783 times)

Offline alevene

Your website is Very Unsafe
« on: September 23, 2016, 01:30:21 PM »
After struggling with AbanteCart that would not update past 1.2.6, or export/import, I built a brand new one by hand using the latest 1.2.8 build. I noticed a series of "bugs" or features as some may call them that made the rebuild all the more difficult.

I decided to run a web based security scanner from tinfoilsecurity.com. The scan just finished. The initial header was "Your website is Very Unsafe" for both the new and the production site. The new site had 26 problems, the production site 23.

Here are some of the details from the most severe of the twenty-six vulnerabilities listed on the new site. I do not know if I caused some, but I haven't done a lot more than adding products/categories and so on. I suggest running your own free scan.

   
Vulnerability Name    URL    Variable    Rescan   Severity       
   
Cross-Site Request Forgery   /index.php   loginFrm            
   
Cross-Site Request Forgery   /index.php   SubscriberFrm            
   
Unencrypted password form   /index.php   password            
   
Clickjacking   /               
   
Directory listing is enabled.   /storefront/view/default/javascript/               

I also ran the scan on the production site using 1.2.6, which has fewer problems than 1.2.8, even though 1.2.6 has been in use for a long time!
   
Vulnerability Name    URL    Variable    Rescan   Severity       
   
Cross-Site Scripting in event attribute of HTML element   /index.php   sort            
   
Cross-Site Scripting in event attribute of HTML element   /index.php   manufacturer_id            

Comments?

Offline abolabo

  • core-developer
  • Administrator
Re: Your website is Very Unsafe
« Reply #1 on: September 26, 2016, 03:20:30 AM »

Thank you for your message.
We always welcome attention to our software product.

Before starting the discussion we need to know:
1. Is your store URL setting value equal to the URL in the browser address bar?
2. Request Forgery is unable to be done without changing your HTML code on the web page. https://en.wikipedia.org/wiki/Cross-site_request_forgery
Quote
If an attacker is able to find a reproducible link that executes a specific action on the target page while the victim is logged in there, they are able to embed such link on a page they control and trick the victim into opening it.
That means the attacker needs to paste some JS or HTML code into your cart. Can you please show us how to do that without access to the admin side (or another way)?
3. "Directory listing is enabled. /storefront/view/default/javascript/" is an Apache web-server misconfiguration issue, not related to AbanteCart code at all.
Anyway, you can disable directory listing with the directive "Options -Indexes" inside your .htaccess file or via the global server configuration.
4. "Cross-Site Scripting in event attribute of HTML element" - what HTML element and page?

Best regards,
Dmitry


“No one is useless in this world who lightens the burdens of another.”
― Charles Dickens
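An added example, not AbanteCart's code and not part of either poster's reply, showing what fixes for three of the scanner's finding classes look like in plain PHP: a session-bound anti-CSRF token on the login form (the loginFrm/SubscriberFrm findings), a framing restriction against clickjacking, and context-aware escaping for a request value such as sort or manufacturer_id reflected into an onclick attribute. The form field names, the sortBy function and the default sort value are assumptions.

```php
<?php
// Added example, not AbanteCart code. Shows fixes for three finding classes
// from the scan above: CSRF on a form, clickjacking, and XSS via a request
// parameter reflected into an HTML event attribute. Names are assumptions.
session_start();

// Clickjacking: refuse to be framed by other origins (old and new header forms).
header('X-Frame-Options: SAMEORIGIN');
header("Content-Security-Policy: frame-ancestors 'self'");

// CSRF: one random secret per session, embedded in every state-changing form
// and compared in constant time on submit. A cross-site page cannot read it.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid($submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// A value placed inside onclick="..." sits in two contexts at once: JS string,
// then HTML attribute. Encode for both; skipping either is what makes a
// reflected "sort" or "manufacturer_id" value exploitable.
function js_attr(string $value): string {
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return htmlspecialchars($js, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_valid($_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit('Invalid form token');
}
// (credential check would follow here; the "unencrypted password form"
//  finding is fixed by serving this page over HTTPS, not in PHP)
$sort = (string)($_GET['sort'] ?? 'p.price'); // hypothetical sort parameter
?>
<form id="loginFrm" method="post" action="/index.php">
  <input type="hidden" name="csrf" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="loginname"> <input type="password" name="password">
  <button type="submit">Login</button>
</form>
<a href="#" onclick="sortBy(<?= js_attr($sort) ?>); return false;">Sort</a>
```

A scanner that flags "Unencrypted password form" is looking at the scheme of the page and the form action, so that finding and the directory listing one are closed in the web-server configuration rather than in application code.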

Offline alevene

Re: Your website is Very Unsafe
« Reply #2 on: September 26, 2016, 08:20:19 AM »
Both sites have the respective website URLs listed.

The point of my ad hoc research is that I've spent a lot of time trying to move from 1.2.6 to the current 1.2.8 thinking that 1.2.6 was a hack waiting to happen.

When I ran this review on both sites and found that the production site has fewer issues, and both are on the same host, my urgency diminished to the point of waiting for the next release, 1.2.9, upgrading the almost finished 1.2.8 and then retesting.

I have no doubt that there are fixes for both sites, and, time permitting, I'll investigate closely. I may even finish the 1.2.8 site and move production to it.

It's just a shame that the upgrade process is iffy, and that AbanteCart or a developer doesn't sell a ROBUST utility to make a site to site relocation easy. It's a long and manual labor intensive process.

Imagine if WordPress or Joomla had the same upgrade issues!
