
PrestaShop vulnerability handling


phrasespot


Consider the following fictitious scenario:

 

A vulnerability is found in the PrestaShop default package. This vulnerability may potentially affect any current installation. Developers and community managers are informed and the vulnerability is fixed. However, unless a new version is released and everyone updates to that version yet to be released, the current installation base will be at risk.

 

For the record

 

1) Does PrestaShop agree that keeping vulnerabilities secret does not make anyone safer?

 

2) Does PrestaShop publish an advisory for the merchants who may be affected by this vulnerability? If so what is the medium used for that announcement? How long does PrestaShop consider a reasonable period before an advisory is published after they learned about and fixed the vulnerability?

 

3) Is there a page where the past and current advisories are displayed, à la http://www.mozilla.org/security/announce/? If not, why not?

 

4) Is the fix ported to earlier versions in the form of a patch so the existing installations can be protected from this vulnerability without needing to update?

 

Thanks


  • 2 months later...

The questions you raise are in my opinion very important.

 

I personally haven't seen that the PrestaShop team ever released a "critical security update", which either means that there have never been any critical security holes to fill (which seems strange since all applications have bugs/security holes) or it means that they are just keeping it quiet and fixing it in the next version.

 

Since the PrestaShop application doesn't really have an auto update feature for security updates it would be insane to release any detailed information about security holes that are discovered, since people rarely update their PrestaShop application. So atm I would say it's up to the PrestaShop team to keep their users safe (by keeping any security holes to themselves). However, if there had been an auto update feature for security updates they should announce all security related issues and let the users take the responsibility of keeping their shops safe (by updating using a very easy auto update feature).

 

I'm not sure I'm answering all of your questions, but I just wanted to speak my mind and start a discussion - and hopefully a PrestaShop representative will join in.

Edited by Bazze (see edit history)

  • 3 weeks later...

Since the PrestaShop application doesn't really have an auto update feature for security updates it would be insane to release any detailed information about security holes that are discovered, since people rarely update their PrestaShop application. So atm I would say it's up to the PrestaShop team to keep their users safe (by keeping any security holes to themselves).

 

This seems to be the reaction from people w/o a security background (and sadly some security pros as well), but consider that the attacker already knows it. If one person found it, there is no reason that it is not also found by people who are actively looking at the code for such occurrences. They will not tell you. By keeping it a secret you are only harming the merchant who is unaware of the situation.

 

As a merchant, what would you prefer? Knowing about an unfixed vulnerability that may compromise your server, your customers' info, your bank/PayPal account, and if necessary shutting your shop down until it is fixed, or hiring someone to fix it if not fixed by the PS team in a timely manner? Or being ignorant of it even though it may already be known by other people, albeit a handful, whose intentions may be malicious or otherwise?

 

When it comes to security vulnerabilities what you don't know can hurt you.

Edited by phrasespot (see edit history)

I know from my standpoint security is the biggest part of owning a website. That's just me. My IT guys tell me sometimes I need to relax because I take it very seriously. If there are loopholes with any and all PrestaShop versions I need to be aware of them. There's no excuse to not tell everyone about security issues.


  • 3 weeks later...

This seems to be the reaction from people w/o a security background (and sadly some security pros as well), but consider that the attacker already knows it. If one person found it, there is no reason that it is not also found by people who are actively looking at the code for such occurrences. They will not tell you. By keeping it a secret you are only harming the merchant who is unaware of the situation.

I'm not saying that it's a good way not to announce all security holes found. What I said was that if you develop an application which is very difficult to update, you would put all your users at risk if you were to announce all security holes that are discovered. Since there is no easy and quick way to update, no one will, and therefore you expose all your users to these risks more than necessary. Of course, the security holes still exist even though they aren't announced, but by announcing them you'll let people know that maybe didn't know before (e.g. script kiddies etc).

 

So don't misunderstand me, I'm a big fan of Kerckhoffs's principle. Well, more Shannon's maxim, but they're about the same -- you get the point.
