List: osc-announce
Subject: [OSC-ANNOUNCE] [WEEKLY] Issue #25: March 17, 2003
From: Harald Ponce de Leon <hpdl () oscommerce ! com>
Date: 2003-03-17 23:50:37
By Harald Ponce de Leon
March 17, 2003
Security And Privacy Proposal
Filenames And Database Tables Definitions
Cross Site Scripting Vulnerabilities
Tax Implementation Update
New Wiki Documentation Site
Contributions Added/Updated In The Last 3 Days
Security And Privacy Proposal
The Security And Privacy Proposal discussed on the Developers forum has been realized and is now in CVS.
The implementation introduces a new Sessions configuration group with three parameters:

SESSION_WRITE_DIRECTORY (default /tmp)
It is recommended to change the location where the file-based sessions are stored, as /tmp is generally accessible to all users on the server.

SESSION_FORCE_COOKIE_USE (default False)
When enabled, sessions are only started when a set cookie is readable.
As this option depends on cookies, it will only work when the HTTP and HTTPS servers share the same top level domain, for example:
http://www.server.com and https://ssl.server.com will work, whereas
http://www.server.com and https://www.ssl.com/server/ will not work.

SESSION_CHECK_SSL_SESSION_ID (default False)
When enabled, the SSL_SESSION_ID automatically generated on secure HTTPS requests is stored in the session and verified on subsequent secure HTTPS requests. If the value has changed, the customer must log in again to continue their actions.

Ross Lapkoff and Marcel van Lieshout are looking for workarounds on the SESSION_FORCE_COOKIE_USE option so that it can work on servers that use shared SSL certificates.
The discussions of the proposal can be read at:
http://forums.oscommerce.com/viewtopic.php?t=31928
The updated proposal is available at the new Wiki documentation site at:
http://wiki.oscommerce.com/proposalSecurityAndPrivacy
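As an added example (not osCommerce's own session code), the following PHP bootstrap shows one way to apply the three Sessions options described above. The constant names and their 'True'/'False' string values follow the announcement; the function name, the cookie names, the session directory and the use of Apache mod_ssl's SSL_SESSION_ID variable are assumptions of this example.

```php
<?php
// Added example, not osCommerce's own session code: one way to apply the three
// Sessions options from the announcement in a PHP bootstrap. Constant names and
// 'True'/'False' values follow the announcement; everything else is assumed.

define('SESSION_WRITE_DIRECTORY', '/var/lib/shop/sessions'); // assumed: readable only by the web server user, instead of /tmp
define('SESSION_FORCE_COOKIE_USE', 'True');
define('SESSION_CHECK_SSL_SESSION_ID', 'True');

function shop_session_start()
{
    session_name('osCsid'); // assumed session cookie name

    // 1. SESSION_WRITE_DIRECTORY: keep session files out of the shared /tmp,
    //    where every local account on the server can read serialised customer data.
    if (is_dir(SESSION_WRITE_DIRECTORY) && is_writable(SESSION_WRITE_DIRECTORY)) {
        session_save_path(SESSION_WRITE_DIRECTORY);
    }

    // 2. SESSION_FORCE_COOKIE_USE: set a test cookie and start a session only once
    //    the browser sends it back. A session id carried in the URL is then never
    //    accepted, so an id cannot be planted through a crafted link.
    if (SESSION_FORCE_COOKIE_USE == 'True') {
        setcookie('cookie_test', 'please_accept_for_session', time() + 60 * 60 * 24 * 30, '/');
        if (!isset($_COOKIE['cookie_test'])) {
            return 'no-session';      // first visit: serve the page without a session
        }
        ini_set('session.use_only_cookies', '1');
    }

    session_start();

    // 3. SESSION_CHECK_SSL_SESSION_ID: on HTTPS requests, remember the SSL session
    //    id (exported as SSL_SESSION_ID by Apache mod_ssl with StdEnvVars, an
    //    assumption of this example) and require a fresh login when it changes.
    $is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (SESSION_CHECK_SSL_SESSION_ID == 'True' && $is_https) {
        $ssl_id = isset($_SERVER['SSL_SESSION_ID']) ? $_SERVER['SSL_SESSION_ID'] : '';
        if (!isset($_SESSION['SSL_SESSION_ID'])) {
            $_SESSION['SSL_SESSION_ID'] = $ssl_id;
        } elseif ($_SESSION['SSL_SESSION_ID'] !== $ssl_id) {
            // The TLS session behind an existing shop session has changed:
            // drop the authenticated state so the customer logs in again.
            unset($_SESSION['customer_id']);
            $_SESSION['SSL_SESSION_ID'] = $ssl_id;
            return 'relogin';
        }
    }
    return 'ok';
}

$state = shop_session_start();
```

Two practical consequences follow from this design. The test cookie set by the HTTP host has to be readable by the HTTPS host, which is why both must share a parent domain; with a shared SSL certificate on a different domain the cookie never arrives and no session is started, the situation the workaround search above concerns. And because a new TLS handshake (after the server's session cache expires or a client reconnects) produces a new SSL session id, the third check will also force a re-login in those cases, which is the usability cost of binding the shop session to the TLS session.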
Filenames And Database Tables Definitions
During the implementation of the Security And Privacy Proposal, the application_top.php file on the Catalog went through a clean-up process.
Part of the process moved the filename and database table definitions to their own files.
This will ease the merging of the Catalog and Administration Tool files when it occurs for Milestone 4.
Cross Site Scripting Vulnerabilities
Daniel Alcántara de la Hoz alerted the team to 2 cross site scripting vulnerabilities in catalog/includes/header.php.
These and other vulnerabilities have been fixed, and can be seen in the Bug Reporter by viewing all Cross Site Scripting reports.
As these vulnerabilities exist in the development Milestone releases, no point release of Milestone 1 will be made available.
Point releases will be made available when vulnerabilities are found in stable project releases.
The Cross Site Scripting bug reports can be seen here:
http://www.oscommerce.com/community/bugs/action,search/type,Cross Site Scripting
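The announcement gives no detail of the two header.php issues, so the following is a generic illustration added here, not the project's code or the actual fix: the unescaped-output pattern that the term cross site scripting refers to, beside its hardened form. The parameter and function names are assumptions of this example.

```php
<?php
// Added example, not osCommerce code: a generic unescaped-output pattern and
// its hardened form. Function and parameter names are illustrative.

// Unsafe: a request parameter is echoed into the page as-is, so a value
// containing markup becomes part of the page that other visitors may see.
function render_search_box_unsafe($keywords)
{
    return '<input type="text" name="keywords" value="' . $keywords . '">';
}

// Escape for the HTML context the value is placed in. ENT_QUOTES encodes both
// quote characters, so the value cannot terminate the attribute it sits in.
function html_escape($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Safe: the same output, with the untrusted value escaped at the point of output.
function render_search_box($keywords)
{
    return '<input type="text" name="keywords" value="' . html_escape($keywords) . '">';
}

// For values that must come from a fixed set (language or currency codes in a
// header, for instance), validate against the list instead of relying on
// escaping alone, and fall back to a default.
function selected_code($requested, array $allowed, $default)
{
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Constructed inputs for illustration; in a real page these come from $_GET.
$keywords = isset($_GET['keywords']) ? $_GET['keywords'] : '';
$currency = selected_code(isset($_GET['currency']) ? $_GET['currency'] : '', array('USD', 'EUR'), 'USD');
echo render_search_box($keywords);
```

The rule the hardened version applies is the one that closes this class of bug generally: treat every value that originated in a request as text, and encode it for the exact context (HTML body, attribute, URL) at the moment it is written out, rather than trying to strip bad characters on the way in.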
Tax Implementation Updates
The tax implementation has been updated again, as tax rates that were meant to be compounded were not compounding at all.
Updates were also made to the tep_round() function, as PHP's native number_format() and round() functions produced different results when float and string values were passed.
A bug report was opened at PHP for this issue, but it turned out to be a float/mathematical issue rather than a PHP issue.
The updated tep_round() function now produces the expected results but may be updated again soon to improve its performance.
The PHP bug report can be seen here:
http://bugs.php.net/bug.php?id=22712
An updated proposal for the tax implementation can be read at the new Wiki documentation site at:
http://wiki.oscommerce.com/proposalTaxes
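To make the two points above concrete, here is an added example, not the project's tep_round() or tax code: a rounding helper that coerces string and float input to the same type before rounding, and a tax calculator in which rates sharing a priority are added together while rates at a higher priority are compounded on the total that already includes the lower-priority tax. The priority scheme, the function names and the sample rates are assumptions of this example.

```php
<?php
// Added example, not osCommerce's tep_round() or tax code. The priority-based
// compounding scheme and all names here are assumptions of this example.

function shop_round($value, $precision)
{
    // The announcement notes that round() and number_format() disagreed when
    // one call saw a float and another a string. Coerce to float first so both
    // input types take the same path, then cast the formatted decimal back.
    $value = (float) (is_string($value) ? trim($value) : $value);
    $precision = max(0, (int) $precision);
    return (float) number_format($value, $precision, '.', '');
}

// Combine a list of rates into one effective percentage.
// Each rate is ['rate' => percent, 'priority' => int]. Rates with the same
// priority are summed; each higher priority is applied to the running total,
// which already includes the tax of the lower priorities (compounding).
function shop_effective_tax_rate(array $rates)
{
    $by_priority = array();
    foreach ($rates as $r) {
        $p = (int) $r['priority'];
        $by_priority[$p] = (isset($by_priority[$p]) ? $by_priority[$p] : 0.0) + (float) $r['rate'];
    }
    ksort($by_priority);

    $multiplier = 1.0;
    foreach ($by_priority as $sum) {
        $multiplier *= (1.0 + $sum / 100.0);   // compound one priority level
    }
    return ($multiplier - 1.0) * 100.0;
}

function shop_calculate_tax($price, array $rates, $precision = 2)
{
    $rate = shop_effective_tax_rate($rates);
    return shop_round((float) $price * $rate / 100.0, $precision);
}

// Constructed rates: 5% and 7% at priority 1 are added (12%); the 10% rate at
// priority 2 is compounded on top, i.e. 1.12 * 1.10 - 1 = 23.2% overall.
// Without compounding the same three rates would simply add up to 22%.
$rates = array(
    array('rate' => 5,  'priority' => 1),
    array('rate' => 7,  'priority' => 1),
    array('rate' => 10, 'priority' => 2),
);
echo shop_calculate_tax('100.00', $rates), "\n";
echo shop_calculate_tax(100.00, $rates), "\n";   // string and float input round alike
```

The helper addresses only the type mismatch the announcement describes. It does not remove the underlying float issue the PHP bug report ended up pointing at: most decimal prices have no exact binary representation, so a value that is written as ending in 5 may sit just below the rounding boundary. Code that needs exact monetary results should work in integer minor units or with the bcmath string functions rather than with floats.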
New Wiki Documentation Site
A new Wiki documentation site has been set up to start a public effort in writing documentation for the project.
Melinda Odom, of oscdox fame, has contributed a lot of help-related documentation, Ian Wilson has started off the programming documentation, and Harald Ponce de Leon has started off the proposals section.
If you're interested in participating in the effort, or have questions about the Wiki site in general, get in touch at the Wiki forum channel provided at:
http://forums.oscommerce.com/viewforum.php?f=15
The Wiki documentation site can be reached at:
http://wiki.oscommerce.com
Live Shops List
Recent Live Shop entries are still pending activation, which will be done during the week.
Contributions Added/Updated In The Last 3 Days
AdminLogin-0.0.5
SVFlix Bank Transfer
Low Stock Report
MS1 to L5 db upgrade
french-zone france metropolitaine
Product Attributes - Option Type Feature
Gift Certificates - Generic
Protx Form Payment Module
PaySystems Module
Add Shopping Cart Info to Your Header
Big Images
Customer specific discount percentage
ot_commission 1.0
Bluepay Web Link Gateway
Ship 2 Pay v1.0 (MS1)
PDF data_sheet maker 1.1
Banner Picture Hack in Banner Manager
Infoboxes outside OSC
newsdesk_v_1.4_tarred
admin_controlled_bestsellers_images_scroll
NewsDesk
Card Zapper
Conditions, Privacy & Shipping with MySQL v1.0
_______________________________________________
osCommerce, Announcements Mailing List
http://two.pairlist.net/mailman/listinfo/osc-announce