Loaded Commerce Community


All times are UTC - 5 hours




 Post subject: allow_url_fopen exploit
Posted: Wed Apr 22, 2009 5:01 am
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 2403
Location: New Zealand
Our web developer has reported that a customer of his has had their site security breached due to the fopen setting in combo with folder permissions of 777 on version 6.2 sp1 patch 14.

Anyone else get this? What gets affected if fopen is switched off?
I see version 6.3 requires fopen to be on as well...

thanks
simon

_________________
www.codemehappy.com
For Cre Loaded tips, how-to articles and more
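
A way to check a store for the two conditions named in the post above (the `allow_url_fopen` setting and world-writable, mode 777, paths), as an added example that is not part of the original thread or of CRE Loaded's code. It also reports `allow_url_include`, the separate PHP setting that governs remote `include`/`require`; the function names and the command-line path are assumptions.

```php
<?php
// Added example: report the two conditions named in the post above.
// Usage (path is an assumption): php audit.php /path/to/store

function auditIniFlags(): array
{
    $report = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $flag) {
        // ini_get() returns a string ("1", "On", "", "0") or false if unknown.
        $report[$flag] = filter_var(ini_get($flag), FILTER_VALIDATE_BOOLEAN);
    }
    return $report;
}

function findWorldWritable(string $root): array
{
    $hits = [];
    $check = function (string $path) use (&$hits) {
        $perms = fileperms($path);
        // 0002 is the "other: write" bit; mode 777 always sets it.
        if ($perms !== false && ($perms & 0002)) {
            $hits[] = sprintf('%04o %s', $perms & 07777, $path);
        }
    };
    $check($root); // the iterator below does not yield the root itself
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD // skip unreadable directories
    );
    foreach ($walker as $entry) {
        if (!$entry->isLink()) { // a symlink's own mode is not meaningful
            $check($entry->getPathname());
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli' && isset($argv[1]) && is_dir($argv[1])) {
    foreach (auditIniFlags() as $flag => $on) {
        echo $flag, ': ', $on ? 'On' : 'Off', PHP_EOL;
    }
    foreach (findWorldWritable($argv[1]) as $line) {
        echo 'world-writable: ', $line, PHP_EOL;
    }
}
```

The command-line PHP binary often loads a different php.ini than the web server does, so confirm the two settings through the web SAPI as well.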


 
 Post subject: Re: allow_url_fopen exploit
Posted: Fri May 01, 2009 4:15 pm
CRE Newbie

Joined: Fri May 01, 2009 3:57 pm
Posts: 5
ALSO what is interesting is that I was going to install CRE Loaded Ver 6.3.3 onto my server and during the installation it indicated that the allow_url_fopen was turned off. I contacted CRE and they told me to contact my Web Host, so I did.

I quickly got the following reply:
"I am sorry but unfortunately that is not something that we will be able to enable for you. Using allow_url_fopen is a huge security risk and you may want to consider contacting the developers of the cart for an alternative as that is not a good idea to use for a shopping cart anyway"

I got back on CRE's website and had a chat session with Kirk. He told me (more or less) CRE 6.3 is MUCH more secure than 6.2. When I asked him about the allow_url_fopen issue he told me that everything had to be Green in order to install. He told me that I should look for another host that would allow it to be "on".

I also did a quick search about "allow_url_fopen" and I found this:

From http://phpsec.org/projects/phpsecinfo/t ... fopen.html
"PHP Security Consortium"

If enabled, allow_url_fopen allows PHP's file functions -- such as file_get_contents() and the include and require statements -- to retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.

I have yet to call CRE and ask why it has to be on... What kind of bothers me is I have some conflicting things going on, and apparently it can be exploited, as per soundzgood2. The purpose of allow_url_fopen is for retrieving "External Data". I am yet to figure out what kind of external data the program needs in V 6.2 SP1 and 6.3 in order to run correctly. I spoke with the person that helped me set up and develop my store the first time and his initial thought was to make sure that whomever installs the program that it checks with CRE to make sure it is a legitimate copy.

At this point in all honesty, I am strongly considering going with another shopping cart. Even though I have a TON of work into customizing my software with V6.2, and a ton of parts that I would have to transfer over, security risks are not something that I inherently need... Nor my customers need...

John

_________________
John


 
 Post subject: Re: allow_url_fopen exploit
Posted: Mon May 04, 2009 4:18 pm
CRE Newbie

Joined: Fri May 01, 2009 3:57 pm
Posts: 5
I sent CRE an email and this is what they told me...

Honestly it does not tell me what it really does, or why I need it. There are some specifics, but I was hoping they could tell me exactly what would not be working and which files etc...
-----------------------------------
Thanks for your email.

The system requirements are essential when using our software if you want it to run and install optimally.

I asked our senior developer to review your email and he told me to tell you this:

A: CRE has good input filtering. allow_url_fopen is necessary for a lot of functionality including 1) checking that directories or files are writeable, 2) writing to debug logs, 3) returning filename components of path, checking disk free space, file sizes, etc.
[1:47:53 PM] Scott L (datazen) Development Manager (-4 GMT) says: You do not need it to "run" CRE Loaded however some functionality will be limited. The install requires it to check files and folder permissions

We recommend you change hosting environments if your host is not willing to meet your software needs.

Thank you.


Regards,
Sabrina Hogan

_________________
John


 
 Post subject: Re: allow_url_fopen exploit
Posted: Tue May 05, 2009 6:38 am
CRE Legend

Joined: Thu Jun 12, 2008 6:39 am
Posts: 2403
Location: New Zealand
thanks John, good to know.
simon / soundzgood2

_________________
www.codemehappy.com
For Cre Loaded tips, how-to articles and more


 
 Post subject: Re: allow_url_fopen exploit
Posted: Thu May 28, 2009 3:50 pm
CRE Legend

Joined: Sun Nov 09, 2003 1:00 am
Posts: 7301
Location: Baconton, GA USA
okfoz1 wrote:
From http://phpsec.org/projects/phpsecinfo/t ... fopen.html
"PHP Security Consortium"

If enabled, allow_url_fopen allows PHP's file functions -- such as file_get_contents() and the include and require statements -- to retrieve data from remote locations, like an FTP or web site. Programmers frequently forget this and don't do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. A large number of code injection vulnerabilities reported in PHP-based web applications are caused by the combination of enabling allow_url_fopen and bad input filtering.



Funny thing is, how many of the same folks who give you this advice will often suggest using cURL or sockets instead. Gee, how brilliant.

The serious issue here is always, always, always bad input filtering. Period.

When you need external site access (and most ecommerce sites do!) then you need input filtering. It does not matter if you use curl, sockets (as in http_client.php) or fopen urls - the problem is the filtering. CRE has done a lot to add filtering to the underlying, frequently flawed osCommerce or osCommerce contribution code. Serious hosts do more with mod_security. The combination tends to work pretty darn well.

David

_________________
My CRE Loaded FAQ List
CRE Loaded Hosting
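
The input filtering discussed in the post above, sketched for both cases it mentions (a request value used as a file name, and a URL the store fetches by whatever transport), as an added example that is not part of the original thread or of CRE Loaded's code. The function names, the `pages_demo` directory and the host list are hypothetical.

```php
<?php
// Pattern the quoted phpsecinfo text warns about: request data passed straight
// to a file function, so the caller decides which local or remote file is read.
//   $html = file_get_contents($_GET['page']);

// Hardened local lookup: the request supplies a name, never a path or URL.
function resolveLocalPage(string $name, string $baseDir): ?string
{
    // Allowlist the shape. This rejects "scheme://", "../", NUL bytes and
    // absolute paths in one step instead of trying to strip them out.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.html');
    if ($base === false || $path === false) {
        return null; // directory or page does not exist
    }
    // Containment check after symlinks are resolved.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Outbound fetches (fopen URL, cURL or sockets alike): the destination must
// be https and its host must be on a fixed list before any request is made.
function isAllowedRemoteUrl(string $url, array $allowedHosts): bool
{
    $parts = parse_url($url);
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (strtolower($parts['scheme']) !== 'https' || isset($parts['user'])) {
        return false; // no other wrappers, no embedded credentials
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Constructed sample inputs for a stand-alone run.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'about.html', '<p>About</p>');
foreach (['about', '../config', 'http://example.test/x', "about\0"] as $in) {
    echo json_encode($in), ' => ', var_export(resolveLocalPage($in, $dir) !== null, true), PHP_EOL;
}
foreach (['https://gateway.example.test/pay', 'ftp://gateway.example.test/x'] as $u) {
    echo $u, ' => ', var_export(isAllowedRemoteUrl($u, ['gateway.example.test']), true), PHP_EOL;
}
```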


 
© CRE Loaded is a product of Chain Reaction Ecommerce, Inc. Usage & Privacy Policy