
Security Bug List - Changelogs - Security through obscurity


zigon


Hey

I am running a customized old version of PrestaShop and wondered if there was a bug list for security flaws within PrestaShop. I am looking to upgrade, but in the meantime I would like to patch any known security holes in my system.

After a bit of searching I have come to the conclusion that this information is not currently available. Furthermore, from viewing the very first post in the topic thread I have concluded that you are operating a security-through-obscurity policy. This is a dangerous approach to software design, especially when considering that this is OSS, so essentially obscurity is impossible.

I would like to suggest that now that PrestaShop is becoming a big hit, it is possible certain individuals may target it specifically; therefore not publishing known threats as they arise only benefits the bad guys.


I would recommend that the following ideas be considered if you do decide to change your policy.

Firstly - Each installation of PrestaShop has a live news feed as its backend homepage. This gives you a direct link to your users. You also now request the email address of people downloading the product, again giving you contact information for your users.

As you have this information, I think it is safe to assume you can reach the vast majority of your users if you wished to publish a threat list, therefore negating any claims that publishing a threat list would just be a cheat sheet for malicious entities while your user base would be none the wiser.

Secondly - I would advise improving your bug reporter (one of the things I like best about your site) to include a category for raising a security threat, as the current options do not really cater for this kind of problem. Even if you don't take any of this advice and decide to stay obscure, I think maybe you should add your [email protected] to that page (and your forum) and inform people to only contact you about security breaches. By not doing so you are kind of running two policies at the same time. In fact, having this thread is kind of a bad idea; I imagine an average user does not have time to read every post looking for possible problems to fix, whereas a determined hacking group just might.

Thirdly - I would advise you to publish this information as a developer-maintained list on your wiki. I think this would be better than using this forum or even the bug tracker, as it will allow an uncluttered, accurate display of information as opposed to 100 posts titled "my site has been hacked".

I understand this will require a lot of work to implement, but I think you should strongly consider it for the future.

On a similar note, I would also request that you allow people to post bugs against old versions of the software (and the ability to search by version). I imagine you don't do this as you don't want the trouble of maintaining old branches, but as this is OSS I think the community can take up some of the slack. I wouldn't mind if you stated you weren't maintaining them, just as long as they are there.

Thanks in advance and for a great product.


4 months later...

I am bumping this post, as I would really love to hear a reply from one of the PrestaShop team...

Also, I'm currently in the process of upgrading my installation of PrestaShop and would like some of the points above implemented to help me...


1 month later...

Hi Zigon,

Thanks for your suggestions, we will consider them.

Please note that we released PrestaShop v.1.3.1 today, containing important security fixes.
Everything is detailed here: http://www.prestashop.com/blog/article/prestashop_v131_important_security_update/

We highly recommend updating your shop.

Since I am not really a "technical" girl, I'll ask one of our developers to answer you in more detail :)

Regards,
