osCommerce Security Flaw?

GameCode

This is an in depth topic, but what are your thoughts on osCommerce's quality of coding and related security issues?

For instance, could their use of depreciated http_get_vars() and http_post_vars() along with register_globals=on in an attempt to protect incoming variables become a very real security risk?

Thanks in advance.

MarkR

osCommerce quality of coding is very low. It's a very complicated application, without too much thought.

Their modules system does not allow modules enough flexibility, so it is frequently necessary to modify core pages.

Their presentation uses a very heavy deprecated system of having lots of spacer images etc, and hence cannot be styled properly with CSS. The HTML is much larger than it should be and loads too slowly.

Their own application contains serious amounts of duplicated code, which are for exactly the same purpose just written out time and time again, making maintenence difficult.

And the register_globals does not fill me with confidence either.

But I use it anyway, because it is what customers want.

Mark

Weedpacket

http://www.securityspace.com/ lists three vulnerabilities for osCommerce; two cross-site scripting flaws and one filesystem exposure.
This is another link that might provide information.

For your specific example, yes: if the authors use uninitialised variables at any time and register_globals is turned on, attackers could slip anything into those variables. Using $HTTP_POST_VARS etc. is not in itself any more of a risk than $POST; the difference between them is one of convenience: $POST is always available, while $HTTP_POST_VARS is an ordinary global that has to be declared as such in functions. Aside from that, there's no difference in their content.

GameCode

Weedpacket and MarkR,

Thanks for the reply. I have to say I'm not surprised with the existing security flaws in osCommerce.

On the other hand, I am somewhat enlightened that no mass-level breach has been conducted since their last bug fix.

The reason for my post was to both spark debate about security in osCommerce, but also what may be done to fix it.

In your opinion, is it worth it to fix these issues, especially with PHP5/Zend moving quickly forward (osCommerce would not be backwards compatible, I believe)?

As for the HTML & PHP "spaghetti code", I assume one could strip all HTML formatting tags from the code, insert call-tags inside a site-wide template, and allow any layout to work with osCommerce. But, I also assume this is a highly laborious task--one which still ignores security flaws to boot.

Thanks again for your thoughts on this. We're looking for a fully customizable e-commerce solution--hoping it'd be osCommerce--but are now having seriuos doubts until these issues are resolved.

I wonder what other applications out there will fit the bill, or at least give us the heavy features--both front & backend--and require a decent amount of code maintainence for full customization and security.

Thoughts?

--gc