From owner-freebsd-questions@FreeBSD.ORG Tue Dec 7 22:04:48 2010
Date: Tue, 7 Dec 2010 17:04:41 -0500
From: Jerry <freebsd.user@seibercom.net>
To: FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: Shopping cart other than OSCommerce?
Message-ID: <20101207170441.77f0f6ed@scorpio>
In-Reply-To: <3374602400-437630107@intranet.com.mx>
References: <3374599093-437630056@intranet.com.mx> <3374602400-437630107@intranet.com.mx>
Organization: seibercom.net
X-Mailer: Claws Mail 3.7.7 (GTK+ 2.22.1; amd64-portbld-freebsd8.1)

On Tue, 07 Dec 2010 15:32:06 -0600 Jorge Biquez articulated:

> At 03:01 p.m. 07/12/2010, Chuck Swiger wrote:
> > On Dec 7, 2010, at 12:36 PM, Jorge Biquez wrote:
> > > With a provider where I had a dedicated server, not running
> > > FreeBSD, the entire server was hacked and before leaving them, the
> > > tech support people said that the hacking was because of a problem
> > > with some libraries under PHP AND OSCOMMERCE. They never could
> > > prove that, but I left them since the entire server was hacked, not
> > > information stolen but ONLY that: all web pages (.html, .php)
> > > pages were changed, all under different domains and accounts
> > > jailed (?) using CPANEL. Anyway. I am not sure how sensible
> > > OSCommerce is to that since I know it is very popular, but I would
> > > like to test something else.
> >
> > 30 seconds with a Google search suggests that osCommerce has
> > unpatched security vulnerabilities which do lead to compromise of
> > admin and arbitrary PHP code execution:
> >
> >   http://secunia.com/advisories/product/1308/
> >
> > "Affected By 7 Secunia advisories
> >  44 Vulnerabilities
> >
> > Unpatched 29% (2 of 7 Secunia advisories)
> >
> > Most Critical Unpatched
> > The most severe unpatched Secunia advisory affecting osCommerce 2.x,
> > with all vendor patches applied, is rated Highly critical."
> >
> >   http://secunia.com/advisories/33446/
> >
> > "1) The application allows users to perform certain actions via HTTP
> > requests without performing any validity checks to verify the
> > requests. This can be exploited to e.g. create additional
> > administrator accounts by tricking an administrative user into
> > visiting a malicious web site.
> >
> > 2) An error in the authentication mechanism can be exploited to
> > bypass authentication checks and gain access to the administrative
> > interface in the "admin/" folder.
> >
> > Successful exploitation allows to upload and execute arbitrary PHP
> > code e.g. via the file_manager.php script."
> >
> > In other words, your former site's tech support people were likely
> > right -- the site was almost certainly hacked because of
> > osCommerce. Find something else, preferably something which is not
> > based upon PHP.
>
> Thanks for the time and rapid response, Mr Chuck.
>
> Yes. Seems like the guilty one was OSCommerce. I am looking exactly
> for other options, as you say maybe not PHP ones, and that's why I asked
> for advice based on the experiences of what people are using. I am looking
> for a Python option also. My needs are very simple; even a catalog of
> products without the shopping cart will be enough. I am also looking at
> options that let you add modules. I want to continue using FreeBSD,
> continue learning and also solve a personal need.
> Of course the idea is not to start a war between PHP lovers and any
> other language, but options and suggestions are very welcome. Anyway,
> I will continue searching. And when I find the solution I will post it
> here; maybe it could be of help to someone.
>
> By the way, it is great to receive advice from people like you all.
> I have been on the list for several years and I always learn
> something, always.

Seriously, have you tried Googling for a potential solution? I just
spent a few minutes and found several candidates.

-- 
Jerry ✌
FreeBSD.user@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
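The first item in the Secunia text Chuck quotes (an admin action accepted over HTTP "without performing any validity checks to verify the requests", exploitable by tricking an administrative user into visiting a malicious web site) is a cross-site request forgery. The following is an added example, not code from this thread and not osCommerce code, showing in Python (one of the languages Jorge mentions) why a handler that only checks the session cookie is forgeable and what the usual fix looks like. The `AdminApp`, `Session` and `Request` classes, the `create_admin_*` handlers and the origins `shop.example` and `evil.example` are all hypothetical stand-ins chosen for the illustration.

```python
"""Model of the CSRF issue described in the quoted Secunia text and a fix.
Constructed example, standard library only: AdminApp, Session and Request are
hypothetical stand-ins, not osCommerce code; the origins are made up."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Session:
    user: str
    # Per-session secret; an attacker's page cannot read it (same-origin policy).
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    cookies: Dict[str, str]   # the browser attaches these whoever built the form
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


def same_origin(url: Optional[str], site_origin: str) -> bool:
    """True only when scheme, host and port of `url` equal the site's own origin."""
    if not url:
        return False
    a, b = urlsplit(url), urlsplit(site_origin)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


class AdminApp:
    """Hypothetical store back end with an 'add administrator' action."""

    def __init__(self, site_origin: str = "https://shop.example") -> None:
        self.site_origin = site_origin
        self.sessions: Dict[str, Session] = {}
        self.admins = {"root"}

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user)
        return sid

    def _session(self, req: Request) -> Optional[Session]:
        return self.sessions.get(req.cookies.get("sid", ""))

    def create_admin_vulnerable(self, req: Request) -> Tuple[int, str]:
        # Only the session cookie is checked.  An auto-submitting <form> on an
        # attacker's page is posted with the victim's cookie, so it passes.
        if self._session(req) is None:
            return 403, "login required"
        self.admins.add(req.form["username"])
        return 200, "administrator added"

    def create_admin_hardened(self, req: Request) -> Tuple[int, str]:
        sess = self._session(req)
        if sess is None:
            return 403, "login required"
        if req.method != "POST":          # never change state on GET
            return 405, "POST required"
        # Defence in depth: when the browser says where the request came from,
        # it must be our own origin.  A missing header alone proves nothing.
        source = req.headers.get("Origin") or req.headers.get("Referer")
        if source is not None and not same_origin(source, self.site_origin):
            return 403, "cross-origin request rejected"
        # Synchronizer token: must be present and equal the session's token,
        # compared in constant time (as bytes, so odd input cannot raise).
        token = req.form.get("csrf_token", "")
        if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
            return 403, "missing or invalid CSRF token"
        self.admins.add(req.form["username"])
        return 200, "administrator added"


def demo() -> Dict[str, object]:
    """Replay the advisory's scenario against both handlers; return outcomes."""
    out: Dict[str, object] = {}
    for name in ("vulnerable", "hardened"):
        app = AdminApp()
        sid = app.login("root")
        handler = getattr(app, f"create_admin_{name}")
        # Forged: the victim's browser, on evil.example, submits the form; the
        # cookie rides along, the token does not.  Second variant: no Origin/Referer.
        forged = Request("POST", {"sid": sid}, {"username": "attacker"},
                         {"Origin": "https://evil.example"})
        out[f"{name}_forged"] = handler(forged)[0]
        out[f"{name}_forged_no_hdr"] = handler(Request("POST", {"sid": sid},
                                                       {"username": "attacker"}))[0]
        out[f"{name}_attacker_is_admin"] = "attacker" in app.admins
        # Legitimate: submitted from the real admin page, token included.
        legit = Request("POST", {"sid": sid},
                        {"username": "deputy", "csrf_token": app.sessions[sid].csrf_token},
                        {"Origin": "https://shop.example"})
        out[f"{name}_legit"] = handler(legit)[0]
    return out
```

Calling `demo()` returns 200 for both forged requests against the vulnerable handler (and "attacker" ends up in the admin set), while the hardened handler returns 403 for both and still accepts the legitimate request. The token check is the part that actually closes the hole; the Origin/Referer comparison is only a second line of defence, because a browser may omit those headers and an absent header must not be treated as proof of anything.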