• 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one
      link
      fedilink
      arrow-up
      3
      ·
      11 months ago

      Yikes, that is embarassing.

      Is opencart written in PHP? Bcrypt has been a thing for decades now, and is literally a drop in replacement that handles salting et al. If the developer was hesitant to implement that, I’d rather go use Magento or shudder Shopify

      • Zikeji@programming.dev
        link
        fedilink
        English
        arrow-up
        2
        ·
        11 months ago

        One of the first things I did when I took over an old php project was convert to bcrypt and add logic to automatically upgrade the hash on their next login (and in case you’re wondering, we also removed the old insurance hashes and the upgrade logic after a while, forcing remaining users to do a password reset).

  • HairHeel@programming.dev
    link
    fedilink
    English
    arrow-up
    29
    ·
    11 months ago

    This is one of the things I talk about when people ask what the difference is between junior and senior developers.

    A lot of security is just box-checking. A lot of it is hypothetical and relies on attackers exploiting a chain of multiple bugs that they probably won’t ever find…. But you still gotta fix it.

    There’s no point in being so proud of your code and dismissing security concerns because you’re arrogant enough to think it can’t happen to you. Just learn to fix it and move on with your life.

  • jon@lemmy.tf
    link
    fedilink
    English
    arrow-up
    22
    ·
    11 months ago

    Maybe someone should fork Opencart and patch the security vulnerabilities and try to drive people away from this guy’s repo, since he’s just combative anytime someone raises a concern.

    Or quit using his code altogether.

    • phx@lemmy.ca
      link
      fedilink
      arrow-up
      13
      ·
      11 months ago

      Given a rant like this I wouldn’t be trusting his code. Admin access to a backend and ability to write to the underlying filesystem+configs are two different layers. Yeah in many cases they may be the same admin, but not necessarily. It also means a compromised admin UI user can modify the underlying system to hide their tracks.

      It’s like saying it’s ok to have a hypervisor breakout because it requires you to have root in the underlying VM to exploit and only trusted admins have root…

    • floofloof@lemmy.ca
      link
      fedilink
      English
      arrow-up
      17
      ·
      11 months ago

      Wow, his response. Someone needs to fork this project because this guy isn’t living in the real world.

    • Skull giver@popplesburger.hilciferous.nl
      link
      fedilink
      arrow-up
      8
      arrow-down
      3
      ·
      edit-2
      11 months ago

      Nah, I’m with this dev on this one.

      To make this work, you need the session cookie of an admin, or be able to set the cookie on an admin’s computer. This “attack” works against almost any website, including Lemmy. In fact, the requirement for the URL token makes OpenCart more secure than 90% of websites out there.

      He sure didn’t respond professionally, but if this is the kind of “security vulnerabilities” he has to deal with every day, I totally understand.

      There are bigger OpenCart issues that do warrant a better response, of course.

  • Skull giver@popplesburger.hilciferous.nl
    link
    fedilink
    arrow-up
    16
    ·
    11 months ago

    Reads like this guy needs a break if he gets upset about such a common and relatively insignificant security issue. There’s no shame in forgetting to sanitise user input in weird scenarios, it happens to every application out there, why get hostile? Fix the regex, say “thanks”, that’s it.

  • corsicanguppy@lemmy.ca
    link
    fedilink
    arrow-up
    14
    arrow-down
    1
    ·
    11 months ago

    I’ve been in this guy’s shoes.

    I used to code a particular project that was somewhat popular in its own little niche. Some guy trying to make a name for himself must have gone through the docs and done everything it said not to; then reports that in such a case, it’s insecure.

    The other project members and I basically said “well stop doing everything it says not to”. But Jerome makes a web page about it; generates a lot of buzz. We amended our docs to restate that if you do all the dumb things, you’ll look dumb. And we linked to his page.

    Not proud, but we had bigger fish to fry.

  • 7heo@lemmy.ml
    link
    fedilink
    arrow-up
    6
    ·
    edit-2
    11 months ago

    This is just pointless drama. It’s an emotional shitshow with way too much ego from all participants. The reaction from the Dev is actually bad, but the OG CVE is equally bad.

    On one hand, I don’t expect an app to let me inject code even as an admin. That’s just very bad form, and asking for trouble.

    On the other hand, arguably, if an attacker has admin access, you’re toast. So that’s also hardly a CVE.

    Now, all the involved people have terrible written expression, poor grammar, and are even omitting entire chunks of sentences.

    And then there’s the content… Nah, this is just noise. Absolute junk. Sorry, but IMHO this has nothing to do in this community.