How make your CS-Cart or Multi-Vendor project more secure¶

Being a business-centric hosting provider for e-commerce we serve the mission of creating an environment of uninterrupted living and continuous growth for each project. That’s why our clients’ security is our main priority. In order to comply with our mission, we accumulate the best industry practices to improve data security and integrity. We take on huge responsibility to create the safest environment for the online business and dedicate a significant part of our time to researching common and new threats and testing our security means and infrastructure.

According to our analysis, the security level maintains high when hosting service provider and project owner cooperate closely and implement a joint strategy in respect to security. That’s why we prepared a list of three main vulnerabilities (security gaps) that can be used by hackers to harm your business or even destroy it, and want to share with you. Paying attention from business owners’ side to these three points will significantly reduce the chances to have your online store breached and private or financial data stolen.

• Development on the production websites
• Sensitive information disclosure
• Old software (ex. outdated CS-Cart and add-ons)
• Opened default ports

Development on the production websites¶

DEV server is meant for raw versions of the product. The software may contain errors and vulnerabilities. If any error/issue occurs on the “dev” project, it can affect “production” website in case they both are on a single server. Plus, development usually leaves lots of impact points and sensitive files exposed.

• Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. A10:2017-Insufficient Logging&Monitoring
• Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, “sph” files, modify other users’ data, change access rights, etc. A2:2017-Broken Authentication, A5:2017-Broken Access Control

Most of that called A6:2017-Security Misconfiguration. Security misconfiguration is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched/upgraded in a timely fashion.

>> phpinfo.php, info.php, test.php, log.txt, error_log, etc.
>> config.local.php.{save,bck,log,lol,old}, backup.zip, old_store/, new_store, etc.
>> sph{1,2,3,4,l,lite}.php, admin.php, adminer.php, etc.

Instead adminer script we recommend using secure installation PHPMyAdmin

Old software (ex. outdated CS-Cart and add-ons)¶

The latest software version is faster, safer and more stable. Upgrade your store or add-ons to protect personal data, rank higher and reduce the number of errors. On the OWASP classification this is A9-Using Components with Known Vulnerabilities.

Opened default ports¶

Opened ports can expose a lot of “helpful” information to hackers. Also, it can be exploited by “auto-hackers” aka script kiddies.

• FTP (21). FTP servers carry numerous vulnerabilities such as plaintext credentials data transport, directory traversals, and cross-site scripting, making port 21 an ideal target. Also, anonymous authentication capabilities.
• MySQL (3306). Remote database connection is an insecure feature.
• Redis (6379). Redis in the web is help for DDoS attacks.