All times are UTC - 5 hours

 Post subject: You MUST upgrade to 6.5 or dump it, period
PostPosted: Thu Jan 26, 2012 9:05 am 
CRE Addict

Joined: Sat Jul 19, 2008 1:27 am
Posts: 225
Location: Chicago (USA)
My 6.4 B2B site was hacked in late 2010; they were able to "zombie" all my sites under the hosting account by coming in through the CRE cart and use all the sites as a spam email platform for a few hours. After struggling for many months to find all the hacked and injected files we managed to fix it, but the site had damage we could not repair: some blocks in the right column stopped displaying. I was thinking of moving to Prestashop then, but it was somewhat working so I did not. We did not use any local CC processing or store any CC information, so there was no concern on that matter; nothing of value to steal from us.

Then again last Friday we got hacked. This time it's more serious: they injected malware, and it's probably a different hacker. My site is very small, it's very specialized and targets a very small group of interest; it's more a hobby than a business with few visitors, so it is of zero value to a hacker to put any work into it, especially since the hacks block the site from loading and the host automatically blocks mass emailing. But it is of great annoyance to me: business is zero when the site is down and I do not have the financial resources to hire someone to repair it. Some SOBs really should get a life, but I guess they like wasting their time and other people's time; let's introduce the death penalty for malicious web hackers.

In all seriousness, I'm saying this because owners of 6.4 sites either MUST upgrade to 6.5, hoping it is more secure, or go to another shopping cart, because 6.4 obviously has holes. For my part I decided to move on; while CRE is a great cart that I have been used to for almost 4 years, it is built on an older platform and, most importantly, I lost confidence in CRE's ability to be a dynamic company while the competition is constantly upgrading their code. Additionally, the pricing does not fit my budget: it will be cheaper for me to go new with Prestashop than to upgrade to 6.5, just more time consuming. If I had not gotten hacked, I would have had no good reason to leave CRE, however.

_________________
We import and sell clay cookware, clay potteries, fine art and art-deco from France (exclusive distributor).

Skype me at 'claybourg'


 Post subject: Re: You MUST upgrade to 6.5 or dump it, period
PostPosted: Fri Jan 27, 2012 2:06 am 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 3177
Location: New Zealand
It's a fr*!kin waste of time when hackers do this (understatement) and I can imagine how annoyed you were.

There are a few points I'd add in here IMO too:

- upgrading to 6.5 won't close security issues. as you pointed out, the (cre) cart itself is built on old code which isn't being maintained regularly. (cre) loaded has always been about jamming as many features into a cart as possible. whether they all work together or whether they create security loopholes, is a 'next release' concern.
- an equally large risk is from some pretty weak security habits of the cart owners (not referring to the OP specifically): the number of carts that are still running very old versions and /admin folders with passwords that never get changed, version/patch info on display, no use of htaccess files, running upload directories with no filtering, redundant admin accounts ...
- if you do get hacked and the server is never fully wiped / rebuilt, you really haven't fixed things for the next install so will be vulnerable to getting done again. this of course is difficult to do on a hosted server ... so time to change hosts maybe
- whether you store payment information or not, customer information (email address, mailing addresses, order history) is of value ... and none of your customers will thank you for getting it passed on to a hacker in this age of ID fraud
- (cre) loaded seems now to be a payment gateway first and cart supplier a distant second. there doesn't seem to be any evidence of ongoing development, patch releases or community tracker.
- there isn't a cart around that is unhackable (just more frequently updated code) and if your admin is getting news feeds from the cart builders, you're vulnerable too (as per this last year when prestashop.com got hacked itself)

Simon

_________________
www.codemehappy.com
No PMs thanks - link in signature below.
For Cre Loaded Commerce tips, quotes on coding work, free how-to articles


 Post subject: Re: You MUST upgrade to 6.5 or dump it, period
PostPosted: Fri Jan 27, 2012 9:17 am 
CRE Addict

Joined: Sat Jul 19, 2008 1:27 am
Posts: 225
Location: Chicago (USA)
Simon, thanks for your advice and smart comments as always.

You are correct, I have myself purchased from CRE carts that were very old. One reason owners do not upgrade, I think, is that it is not easy to do so, especially when there are mods in the cart, which with osCommerce are almost always necessary. Prestashop makes that process much easier; it is not perfect yet, but they have improved it and certainly will again. It can be done with no programming knowledge and they walk you through it very precisely.

I bet most don't change passwords, I do every 3 months for my part and use very secure passwords that I can't remember myself without a chichi but that did not help in this case as they did not come in by the front door.

It's a matter of commitment to grow and do the right thing with the right product. Prestashop has that drive currently while CRE is falling asleep. They listen and respond to clients, even those who do not pay; CRE does not, or so it appears. How long has it been since the last patch? 18 months, I think? There should be patch releases every quarter at least, IMO.

CRE should take notice of these comments. I'm not bashing, just trying to point out what's wrong with the company; they must make money, and CRE Secure is a way, but I can see they will not be around much longer if they do not change strategy and LISTEN. It's sad because it's a good product, besides the fact that the underlying code needs a serious overhaul. I remember a few years ago a programmer active on this forum (I won't say his name), great guy, had pointed out to SAL hundreds of bugs and programming errors in 6.3, and he offered to fix them for a small fee. CRE refused, denying the existence of these code issues, but it's with smart programmers like him, who can see through code like an "autistic genius", that CRE can get better. They missed out big time on a great opportunity to do the right thing.

You are correct about hackers, nothing will stop them; it has some good in it, as it pushes developers to stay on their toes and always improve their code. In my case it pushes me to improve my cart as well, maybe think about a more appealing site design and so on, and find some good in adversity. I'm not the only one who has been hacked on a 6.4; at the first occurrence I researched it and they were all over the web, and not only osCommerce sites from that hacker group. But why is CRE silent about the issue? I can't imagine they do not know about it (I think I even told them). Compare this to Prestashop's response: they were on top of it immediately, alerted the world and fixed it within 24 hours.

_________________
We import and sell clay cookware, clay potteries, fine art and art-deco from France (exclusive distributor).

Skype me at 'claybourg'


 Post subject: Re: You MUST upgrade to 6.5 or dump it, period
PostPosted: Fri Jan 27, 2012 2:09 pm 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 3177
Location: New Zealand
Quote:
I remember a few years ago a programmer active on this forum (I won't say his name), great guy, had pointed out to SAL hundreds of bugs and programming errors in 6.3 and he offered to fix them for a small fee.

... and that's the bit there that sums it up - (Cre) Loaded won't go into paying for fixes. Patches generally only occur when individuals like Jason and Gerald have contributed for free - 6.5 code was donated - hence the big delay between releases.

Prestashop, Opencart and a couple of others are definitely on the rise in comparison. It'll be technology jumps in the base systems (eg the jump to php 6) that'll eventually decide the future of these carts and whether the support is there then for them, as that shift will call for a complete rewrite of the code. I suspect oscommerce carts will thin out, (Cre) Loaded possibly being one of them as, as you say, the support by the company just doesn't seem to be there.

Simon

_________________
www.codemehappy.com
No PMs thanks - link in signature below.
For Cre Loaded Commerce tips, quotes on coding work, free how-to articles


 Post subject: Re: You MUST upgrade to 6.5 or dump it, period
PostPosted: Mon Jan 30, 2012 12:35 pm 
CRE Freak

Joined: Wed Jul 01, 2009 9:25 am
Posts: 47
PHP 6 is no longer in the pipeline; move to Prestashop, you'll be glad you did.


 Post subject: Re: You MUST upgrade to 6.5 or dump it, period
PostPosted: Tue Jan 31, 2012 1:13 am 
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 3177
Location: New Zealand
How do you mean "php6 is no longer in the pipeline" ?

Simon

_________________
www.codemehappy.com
No PMs thanks - link in signature below.
For Cre Loaded Commerce tips, quotes on coding work, free how-to articles


 Post subject: Re: You MUST upgrade to 6.5 or dump it, period
PostPosted: Tue Jan 31, 2012 9:37 am 
CRE Freak

Joined: Wed Jul 01, 2009 9:25 am
Posts: 47
There was a small announcement in November that PHP 6 would be shelved and the new features would be in 5.4. Try and find it on php.net; it is no longer even available. It has quietly disappeared.


 Post subject: Re: You MUST upgrade to 6.5 or dump it, period
PostPosted: Wed Mar 21, 2012 11:48 am 
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7328
Location: Baconton, GA USA
PHP 6 has been history for ages now.

Yes, the code base here has been aging quite a bit and could be better maintained.

That said, while we are looking at new carts to support, and do plan to roll out products for other carts this year, our CRE Loaded sites continue to fare well in the current web environment.

Even our older carts remain secure and functional, largely due to elements of our PCI compliant hosting platform.

Password changes and secure access methods go a long way towards keeping a store up and operating without these kinds of security issues...

David

_________________
My CRE Loaded FAQ List
CRE Loaded osCommerce Hosting
PCI Compliant Semi Dedicated Hosting Services

