Security 101 - Is your site protected?

[bobbob]

Not sure how many people read Smashing Magazine, but they have just done a fantastic intro article on website security. More of a primer than a how-to, but a fantastic read for those who are unfimiliar with the subject.

"read article":http://www.smashingmagazine.com/2010/01/14/web-security-primer-are-you-part-of-the-problem/ (external link)

The website also contains a wealth of information on all things web design related.

Enjoy!

Mokijo

[Subzerorepair]

Thanks for the info mokijo

[bobbob]

My pleasure Subzero. Reading the security forum here, i realise a good number of PS users are just as clueless as me when it comes to security. Once I get my site live, and I've gained more experience in this regard, I'll make sure I update this thread with any tips etc that I pick up along the way. The first thing I need to address is the whole CHMOD issue (777 permissions anyone? That don't sound right to me...).

Mokijo

[bobbob]

Hello, me again. Was gonna follow up the article I posted with a few tips specific to PS. I'm still a week or two away from going live, so bare with me.

Please feel free to contibute to this thread if you can. From the amount of unanswered questions in this forum, I doubt anyone will. Bit of a shame really as security is THE NO.1 PRIORITY of any ecommerce platform.

I'm sure PS is relatively safe out of the box, but those smelly hackers are always one step ahead of the rest of us...

In the meantime, don't have nightmares and try not to get caught with your pants down ;-)


Mokijo

[bobbob]

Some lite reading for everybody-

"sla.ckers.org":http://sla.ckers.org/forum/

"ha.ckers.org":http://ha.ckers.org/

"webappsec.org":http://projects.webappsec.org

"owasp.org":http://www.owasp.org

"cgisecurity.com":http://www.cgisecurity.com/

"darkreading.com":http://www.darkreading.com/

Knowledge is power. Don't rely on the PS team to keep your site safe.

Regards

Mokijo

[Patric]

Don't rely on the PS team to keep your site safe.

This is certainly not with remarks like this one that we will go further!
As I told you by e-mail, security is our priority while developing the solution. If you have (constructive) suggestions, we are always ready to listen to them.

Our Feature Request is also made for that.

[harpua216]

patric,
why do you constantly stop the security and hack threads or move them to weird locations where no one can find the information? it seems to be only you who is doing this? do you get offended when people talk about the lack of security?
This site has great information, but when it comes to hack attempts or security, you are always the last message and really have nothing constructive to say??
and even though it is a message board, you shouldlnt have to MOD things when people show distaste. it shows a lopsided product group, whos interest is in saving face, not saving websites.

[Patric]

why do you constantly stop the security and hack threads or move them to weird locations where no one can find the information?

Constantly, can you give me examples?

it seems to be only you who is doing this? do you get offended when people talk about the lack of security?

Security problems are a priority for PrestaShop. But when somebody comes on the forum and pretends that PrestaShop has got vulnerabilities, he has to justify his arguments. Else, this would be easy to come and discredit the PrestaShop solution.

If security holes are found, they must be reported (by PM or e-mail, but not in public) to the PrestaShop team as soon as possible.

and even though it is a message board, you shouldlnt have to MOD things when people show distaste.

So, it seems that you missed a lot of messages on the forum... Messages which have not been censored. We never censor messages except if this is really justified (spam, slander, insults, etc.).

it shows a lopsided product group, whos interest is in saving face, not saving websites.

When we are attacked, this is normal that we answer. Especially if the attack is not justified.

[harpua216]

why do you constantly stop the security and hack threads or move them to weird locations where no one can find the information?

Constantly, can you give me examples? smile
http://www.prestashop.com/forums/viewthread/43851/security/how_to_prevent__your_site_got_hack_63
http://www.prestashop.com/forums/viewthread/40862

it seems to be only you who is doing this? do you get offended when people talk about the lack of security?

Security problems are a priority for PrestaShop. But when somebody comes on the forum and pretends that PrestaShop has got vulnerabilities, he has to justify his arguments. Else, this would be easy to come and discredit the PrestaShop solution.

*you have to let him justify his/her arguments then. not tell them either A. you are in the wrong place and it will not be tolerated, or B. he/she is wrong and they dont know.
*Prestashop does have vunerabilities, my buddy just pointed out 3 after I got attacked last night and came here to see some flaming threads with some nuggets of gold information to help me with my problem. But I came to find you were the last one to answer in each of the 3 or 4 threads, and no answer ever came.
*thanks to the people that helped on here, you guys rock!!

If security holes are found, they must be reported (by PM or e-mail, but not in public) to the PrestaShop team as soon as possible.

and even though it is a message board, you shouldlnt have to MOD things when people show distaste.

So, it seems that you missed a lot of messages on the forum… Messages which have not been censored. We never censor messages except if this is really justified (spam, slander, insults, etc.).

*i guess you consider it slander when someone is pissed off about a particular problem and wants to vent?

it shows a lopsided product group, whos interest is in saving face, not saving websites.

When we are attacked, this is normal that we answer. Especially if the attack is not justified.

*it is normal that you answer, if the answer is to help or to continue the conversation, and not be a thread killer...those discussions help other people, even if people are pissed, what comes out is content for people having the same problem

in conclusion, dont be a thread killer, point out scientifically when someone is wrong so we can all share in the information and dont have to waste time with the wrong answers. then everyone can have the right answers/
thanks

[Patric]

For your information, I am not a technician, developer, security expert and so on. I am community manager.

Part of my job is to manage this forum and, when needed, to moderate it. So do not reproach me not to answer about security problems.
I did not closed the topics you mentionned, in one of them I just mentionned that I moved the topic. And in the second one, I just answer to a free attack.
So please, do not try to teach me my job.
This forum has got rules, and moderators and administrators are here to uphold them.

The PrestaShop team members do all their possible to provide a professionnal e-commerce solution. But developers cannot be everywhere.
Anybody can come and discuss on this forum about security problems and questions.

I really find you rude whith me... But maybe I did not understand precisely what you mean.

[Star]

I totally agree with Patric Codron regarding if there is a security hole, please don't report it in public. We don't want people hack our shops because they know there is a security hole on the script.

[bobbob]

Wow, totally forgot about this thread. I did intend to apologise to the PS team for what appeared to be a snide remark. It wasn't meant to be.

I should have laboriously pointed out that the Prestashop software is just one part of a web-based shop. Other important aspects that people forget about are the server that hosts the site, the passwords that have been used, the computer used to access and manage the site, the unofficial add-ons and mods implemented and not forgetting the staff that have access to the back end. In this context, no the PS team won't keep your site safe. They can only ensure the Prestashop software is secure.

Hope this clarifies my remark.

Regarding the rest of the conversation in this thread :zip:

[Patric]

Wow, totally forgot about this thread. I did intend to apologise to the PS team for what appeared to be a snide remark. It wasn't meant to be.

OK, no problem, it's me who did not understand what you said. :red:

Regards.