X-Cart Security (Revised)
Security Focus - X-Cart vulnerability
A rather large hole was recently discovered in X-Cart versions 3.2.x to 3.4.11, and it seems to have brought a lot of bad people out of the shadows. Since bugs like the Security Focus one above started appearing, I have been hearing more and more of people getting fraudulent orders, and of some X-Carts being compromised completely.
So, I've decided to write this short article on some of the best methods you can use to make sure you're NOT a victim of these bad seeds who want to do nothing but rip you off.
- Password protect the admin/ and provider/ directories IMMEDIATELY if you have not already (for example with HTTP Basic authentication via .htaccess/.htpasswd, keeping the password file outside the web root so it can never be served).
- If you cannot password protect these directories, in X-Cart 3.5.x+ you can edit top.inc.php and rename the admin and provider folders defined there so they are not as easy to locate. This is obscurity only; it slows an attacker down but does not replace a password.
- Change all passwords at least every 30 to 120 days.
- Keep an eye out for security patches that Qualiteam releases for X-Cart and apply them IMMEDIATELY.
- ALWAYS use HTTPS when accessing the X-Cart admin and provider areas.
- If you make a database backup to your xcart/log/ directory, remove it as soon as it has been downloaded locally; a dump left under the web root can be fetched by anyone who guesses its file name.
- If you are selling e-goods, use manual processing for credit card orders; don't allow instantly processed orders.
- 3.5.5+: a new option to use HTTPS for customer logins and registration has been added. Use this feature!
- 3.5.5+ also adds Blowfish encryption to better protect customer data. Again, use this feature!
- If you are storing credit card numbers, make sure PGP/GPG is set up properly, and never store CVV2 codes at all, let alone alongside the card numbers.
- If your payment processor supports CVV2 or AVS, use them; they help detect fraudulent orders.
- Change the salt value (the encryption salt number/letters) in config.php before going live; the stock default is shared by every install that never changed it.
- Set config.php to CHMOD 644 (or 600 if PHP runs as your own user, e.g. under suPHP or CGI) and disable all install scripts by setting them to CHMOD 000.
- Never share your passwords with anyone; if you must, use some form of encryption, or give them over the phone, so they cannot be intercepted in transit.
- Always make sure your server has the latest versions, or at least the latest patches, of PHP, MySQL, phpMyAdmin, Sendmail, OpenSSH, etc. (Unsure? Contact your hosting provider.)
- After any upgrade, remove all files and directories under upgrade/; leftover upgrade scripts are a second installer.
- Also, to help deter attackers, CHMOD 000 xcart/VERSION so potential hackers cannot read this file and see which version you are running. (A determined attacker can still fingerprint the version from page markup, so treat this as a minor hurdle, not a fix.)
- If you are getting lots of fraudulent orders from overseas countries, implement the High Fraud Blacklist (link below).
- Probably a lot more; got anything you'd like to add? Contact me.
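As an added example (this is not code from the original post, nor from Qualiteam or X-Cart itself), here is a POSIX shell script that applies the file-level items of the list above to an X-Cart 3.x tree and then audits them: Basic-auth (and HTTPS-only, where mod_ssl is loaded) protection of admin/ and provider/, config.php at 644, install scripts and VERSION at 000, database dumps removed from log/, and upgrade/ emptied. Everything about the layout is an assumption based on a stock install: the HTPASSWD path, the install-*.php pattern, the file names, and the sample tree built by make_sample_tree are all constructed for this example, not taken from the page or the product.

```shell
#!/bin/sh
# Added example, not from the original post or from Qualiteam/X-Cart: apply and
# audit the file-level items of the hardening checklist for an X-Cart 3.x tree.
# Assumptions (all hypothetical): a stock layout (config.php, install.php,
# VERSION, admin/, provider/, log/, upgrade/ under one root) served by Apache
# with .htaccess enabled, and a password file kept outside the web root.
set -u

# Path of the Basic-auth password file; assumed, and deliberately outside the
# document root so it can never be served. Create it once with:
#   htpasswd -c "$HTPASSWD" adminuser
HTPASSWD="${HTPASSWD:-/home/xcart/.xcart-htpasswd}"

# Portable "octal mode of a file" (GNU stat first, BSD stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# protect_dir DIR: require a username/password for everything under DIR, and
# refuse plain-HTTP access when mod_ssl is loaded (the HTTPS item on the list).
protect_dir() {
    cat > "$1/.htaccess" <<EOF
AuthType Basic
AuthName "X-Cart restricted area"
AuthUserFile $HTPASSWD
Require valid-user
<IfModule mod_ssl.c>
SSLRequireSSL
</IfModule>
EOF
    chmod 644 "$1/.htaccess"
}

# harden_xcart ROOT: apply the checklist items to the X-Cart tree at ROOT.
harden_xcart() {
    root="$1"
    protect_dir "$root/admin"
    protect_dir "$root/provider"
    chmod 644 "$root/config.php"       # use 600 instead if PHP runs as your own user
    for f in "$root/install.php" "$root"/install-*.php "$root/VERSION"; do
        [ -e "$f" ] && chmod 000 "$f"  # installers and VERSION become unreadable
    done
    # A database dump dropped in log/ is one URL guess away from a full leak.
    find "$root/log" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.tgz' \) -exec rm -f {} +
    # Leftover upgrade scripts are a second installer; clear them after upgrading.
    [ -d "$root/upgrade" ] && rm -rf "$root/upgrade"/*
    return 0
}

# audit_xcart ROOT: print one FAIL line per unmet item; return the number unmet.
audit_xcart() {
    root="$1"; bad=0
    for d in admin provider; do
        grep -qs '^AuthType Basic' "$root/$d/.htaccess" ||
            { echo "FAIL: $d/ is not password protected"; bad=$((bad + 1)); }
    done
    case "$(mode_of "$root/config.php")" in
        644|640|600) ;;
        *) echo "FAIL: config.php is not mode 644 (or tighter)"; bad=$((bad + 1)) ;;
    esac
    for f in "$root/install.php" "$root"/install-*.php "$root/VERSION"; do
        [ -e "$f" ] || continue
        [ "$(mode_of "$f")" = 0 ] ||
            { echo "FAIL: $f is readable (want mode 000)"; bad=$((bad + 1)); }
    done
    [ -z "$(find "$root/log" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.tgz' \))" ] ||
        { echo "FAIL: database backup left under log/"; bad=$((bad + 1)); }
    if [ -d "$root/upgrade" ] && [ -n "$(ls -A "$root/upgrade")" ]; then
        echo "FAIL: upgrade/ still contains files"; bad=$((bad + 1))
    fi
    return $bad
}

# make_sample_tree DIR: constructed stand-in for a freshly installed, unhardened
# X-Cart (sample data for this example only, not a real install).
make_sample_tree() {
    root="$1"
    mkdir -p "$root/admin" "$root/provider" "$root/log" "$root/upgrade"
    printf '<?php $sql_host = "localhost"; ?>\n' > "$root/config.php"
    printf '<?php /* installer */ ?>\n' > "$root/install.php"
    printf '3.4.11\n' > "$root/VERSION"
    printf -- '-- constructed dump\n' > "$root/log/backup.sql"
    printf '<?php /* upgrade script */ ?>\n' > "$root/upgrade/upgrade.php"
    chmod 666 "$root/config.php"       # deliberately loose so the audit flags it
}

# Usage: harden_xcart /path/to/xcart && audit_xcart /path/to/xcart
```

Run audit_xcart first to see what is still open, then harden_xcart, then audit again; a clean run returns 0. The .htaccess only takes effect where Apache has AllowOverride AuthConfig (and Limit, for SSLRequireSSL) enabled for that directory, and the password file must exist before the first login or everyone is locked out. Note that chmod 000 on VERSION and the installers only stops them from being read or served; it does not remove them, so deleting the installers outright after setup is the stronger option.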
Some interesting articles and/or downloads that are worth the time to stop and look over:
Cart-Lab.com: X-cart Resources, and More!