I’m sorry, I’m just a bit upset. Looking at the latest update I know the team is working hard to fix some of the issues with Magento, but I believe they’ve taken another route to this truly remaining an open source platform. Money takes precedence over everything, I realize, but... I better stop here.
I’m just so pissed at how much time and development effort it would take to repair a merchant’s site that I recommended Magento on.
I’m looking into updating now, so I’ll save some of my comments for a later time. The thing is, I don’t see anywhere in the resolved issues some of the security concerns I, along with others, have addressed within this thread.
Also, this forum needs to be replaced with something that’s going to withstand the usage. This has got to be the worst forum as far as response times for browsing and submitting.
I’m confused. There were 4 messages in this thread (now 5) and 3 of them were from you, but none of them mention any specific security issues. What are they?
You’ve got a sanitized search bar; there’s no other user input from the client’s end that I can think of off the top of my head that would pose a security risk.
I think all core files are 403 Forbidden.
Other general things you should be worried about as security issues are brute-forcing of the admin backend
Cross Site Scripting (XSS) Vulnerability
But those have been fixed
You can set Magento up so that security vulnerabilities will not really cause much of a disturbance. Just keep a backup on the server ready to go, e.g. www and wwwbk. If something bad happens you can just change the name of www to wwwBAD and wwwbk to www and load the backup of the db. Also make sure that your file permissions are set up correctly, no chmod -R 777 www. This means that you will not be able to use Magento Connect to install extensions unless you temporarily change file permissions. Also don’t store the cc #s.
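As an added example (not code from any poster in this thread), a POSIX shell script that audits a webroot for the world-writable permissions the post above warns against and performs the www → wwwBAD / wwwbk → www rename-and-restore it describes. The directory layout and file contents are constructed in a temp dir so it runs anywhere; the app/etc/local.xml path is only used as a sample file.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates two checks a
# defender would script around the advice above: (1) find everything under
# the webroot that is world-writable (the "chmod -R 777 www" mistake), and
# (2) swap a compromised webroot out for the standby copy, refusing to run
# when the preconditions the post relies on are not met.

# count_world_writable DIR -> prints the number of files/dirs under DIR
# whose mode grants write to "other" (octal bit 0002).
count_world_writable() {
    find "$1" -perm -0002 2>/dev/null | wc -l | tr -d ' '
}

# rollback_webroot PARENT -> PARENT/www becomes PARENT/wwwBAD (kept for
# forensics) and PARENT/wwwbk becomes PARENT/www. Fails without touching
# anything if the backup is missing or a previous wwwBAD is still present.
rollback_webroot() {
    parent="$1"
    [ -d "$parent/wwwbk" ] || { echo "no standby copy at $parent/wwwbk" >&2; return 1; }
    [ ! -e "$parent/wwwBAD" ] || { echo "$parent/wwwBAD already exists; move it first" >&2; return 1; }
    mv "$parent/www" "$parent/wwwBAD" && mv "$parent/wwwbk" "$parent/www"
}

# Constructed demo layout: a live webroot that was chmod -R 777'd, and a
# standby copy with sane permissions (dirs 755, config file 640).
demo_root=$(mktemp -d)
trap 'rm -rf "$demo_root"' EXIT
mkdir -p "$demo_root/www/app/etc" "$demo_root/wwwbk/app/etc"
echo live   > "$demo_root/www/app/etc/local.xml"
echo backup > "$demo_root/wwwbk/app/etc/local.xml"
chmod -R 777 "$demo_root/www"                 # the misconfiguration
chmod -R 755 "$demo_root/wwwbk"
chmod 640 "$demo_root/wwwbk/app/etc/local.xml"

echo "world-writable entries under www:   $(count_world_writable "$demo_root/www")"
echo "world-writable entries under wwwbk: $(count_world_writable "$demo_root/wwwbk")"

# Simulate the incident response step from the post.
rollback_webroot "$demo_root" && echo "rolled back: www now serves $(cat "$demo_root/www/app/etc/local.xml")"
```

A second call to rollback_webroot on the same parent fails, because the standby copy has been consumed and wwwBAD still holds the compromised tree for inspection.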
Also make sure that your file permissions are set up correctly, no chmod -R 777 www. This means that you will not be able to use Magento Connect to install extensions unless you temporarily change file permissions.
Actually, this only applies to hosting providers who are not running suPHP/suEXEC, which is a big headache to users, as it may pose some security risks to the hosting users.