Cart-Lab Blog

X-Cart & E-commerce related news, resources and tips. Postings by: B00MER of Cart-Lab.com


Thursday, April 29, 2004

X-Cart Security (Revised)

Security Focus - X-Cart vulnerability

A rather large hole was recently discovered in X-Cart versions 3.2.x to 3.4.11, and it seems to have brought a lot of bad people out of the shadows. Since bugs like the Security Focus advisory above have been appearing, I am hearing more and more of people getting fraudulent orders, as well as of some X-Carts being compromised completely.

So, I've decided to write this short article on some of the best steps you can take to make sure you're NOT a victim of these bad seeds that want to do nothing but rip you off.

  1. Password protect the admin/ and provider/ directories IMMEDIATELY if you have not already.
  2. If you cannot password protect these directories, in X-Cart 3.5.x+ you can edit top.inc.php and rename the admin and provider folders defined there, so they are not as easy to locate.
  3. Change all passwords at least every 30 to 120 days.
  4. Keep an eye out for security patches that Qualiteam releases for X-Cart and apply them IMMEDIATELY.
  5. ALWAYS use HTTPS when accessing the X-Cart admin and provider areas.
  6. If you make a database backup into your xcart/log/ directory, make sure you remove it after it has been downloaded locally.
  7. If you are selling E-Goods, use manual processing for CC orders; don't allow instantly processed orders.
  8. 3.5.5+: a new "use HTTPS" option for customer logins and registration has been added; use this feature!
  9. 3.5.5+: also adds Blowfish encryption to better protect customer data; again, use this feature!
  10. If you are storing credit card numbers, make sure you have PGP/GPG set up properly, and do NOT store CVV2 codes alongside credit card numbers.
  11. If your payment processor supports CVV2 or AVS, use them, as they will help detect fraudulent orders.
  12. Change the salt encryption number/letter in config.php before going live.
  13. Set config.php to CHMOD 644 and disable all install scripts by setting them to CHMOD 000.
  14. Never share your passwords with anyone; if you do decide to, use some type of encryption or give them over the phone, to prevent them from being hijacked.
  15. Always make sure your server has the latest versions, or the latest patches, of PHP, MySQL, phpMyAdmin, Sendmail, OpenSSH, etc. installed. (Unsure? Contact your hosting provider.)
  16. After any upgrade, remove all files/directories under upgrade/.
  17. Also, to help deter attackers, CHMOD 000 xcart/VERSION; this way potential hackers won't be able to read this file and see what version you are using.
  18. If you are getting lots of fraudulent orders from overseas countries, implement the High Fraud Blacklist (link below).
  19. Probably a lot more; got anything you'd like to add? Contact me.
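As an added example (this is not code from the original post, from Qualiteam or from X-Cart itself), here is a small POSIX shell script that audits and applies the file-level steps in the list above: password protecting admin/ and provider/ (1), removing database dumps from log/ (6), locking down config.php and the install scripts (13), removing upgrade/ (16) and making VERSION unreadable (17). It assumes an Apache server that honours .htaccess files, that the shop root is passed on the command line, and that an .htpasswd file has already been created OUTSIDE the web root with Apache's htpasswd tool; the example path /etc/xcart.htpasswd and the install*.php glob for the install scripts are assumptions, not X-Cart file names from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from X-Cart itself.
# Audits and applies the file-level steps from the list: password-protect
# admin/ and provider/ (1), remove database dumps from log/ (6), lock down
# config.php and the install scripts (13), remove upgrade/ (16) and make
# VERSION unreadable (17). Assumptions: Apache honours .htaccess, the shop
# root is passed as an argument, and the .htpasswd file already exists
# OUTSIDE the web root (its path is an assumption, passed as $3).

# Nine-character permission string ("rw-r--r--") for a path, taken from ls,
# which behaves the same on GNU and BSD userlands (stat's flags differ).
mode_str() {
    ls -ld "$1" 2>/dev/null | cut -c2-10
}

# Step 1: require HTTP Basic auth for a directory by dropping an .htaccess
# into it. $1 = directory, $2 = absolute path of the .htpasswd file.
protect_dir() {
    [ -d "$1" ] || return 1
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "X-Cart administration"
AuthUserFile $2
Require valid-user
EOF
    chmod 644 "$1/.htaccess"
}

# Steps 13 and 17: config.php readable but not writable by others (644);
# install scripts (install*.php is an assumed name) and VERSION set to 000.
lock_files() {
    root=$1
    [ -f "$root/config.php" ] && chmod 644 "$root/config.php"
    [ -f "$root/VERSION" ] && chmod 000 "$root/VERSION"
    for f in "$root"/install*.php; do
        [ -f "$f" ] && chmod 000 "$f"
    done
    return 0
}

# Steps 6 and 16: delete database dumps left in log/ and the upgrade/ tree.
clean_leftovers() {
    root=$1
    for f in "$root"/log/*.sql "$root"/log/*.sql.gz; do
        [ -f "$f" ] && rm -f "$f"
    done
    rm -rf "$root/upgrade"
}

# Report every deviation from the steps above, one line each, and return
# the number of findings (0 = clean), so a cron job can mail a non-empty
# report. Checks use the permission string, not -r, so they hold under root.
audit() {
    root=$1; findings=0
    for d in admin provider; do
        if [ -d "$root/$d" ] && [ ! -f "$root/$d/.htaccess" ]; then
            echo "WARN: $d/ has no .htaccess, not password protected"
            findings=$((findings + 1))
        fi
    done
    for f in "$root"/install*.php "$root/VERSION"; do
        if [ -f "$f" ] && [ "$(mode_str "$f")" != "---------" ]; then
            echo "WARN: $f is readable, should be CHMOD 000"
            findings=$((findings + 1))
        fi
    done
    case "$(mode_str "$root/config.php")" in
        ????w???? | ???????w?)
            echo "WARN: config.php is group/world writable, should be 644"
            findings=$((findings + 1)) ;;
    esac
    for f in "$root"/log/*.sql "$root"/log/*.sql.gz; do
        if [ -f "$f" ]; then
            echo "WARN: database dump $f left in log/, remove it"
            findings=$((findings + 1))
        fi
    done
    if [ -d "$root/upgrade" ]; then
        echo "WARN: upgrade/ still present, remove it"
        findings=$((findings + 1))
    fi
    return $findings
}

# Usage: sh xcart-harden.sh audit /path/to/xcart
#        sh xcart-harden.sh harden /path/to/xcart /etc/xcart.htpasswd
case "${1:-}" in
    audit)  audit "$2" ;;
    harden) protect_dir "$2/admin" "$3"; protect_dir "$2/provider" "$3"
            lock_files "$2"; clean_leftovers "$2"; audit "$2" ;;
esac
```

The audit mode is meant to run from cron as the account that owns the shop files: a non-zero exit and the WARN lines tell you a backup was left in log/ or an upgrade/ tree was forgotten, which is exactly the kind of slip the list is about. Note that .htaccess protection only works if Apache's AllowOverride permits AuthConfig for the shop directory, and the .htpasswd file must never sit where the web server will serve it.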

Some interesting articles and/or downloads that are worth the time to stop and look over:


  • Cart-Lab Security
  • High Fraud Blacklist (CombatFraud.org)
  • PGP
  • GnuPG
