List:       osc-general
Subject:    [OSC-GENERAL] Security bug: Demos show this as well - or what's the fix?
From:       Charles Cotton <ccotton () twinseas ! net>
Date:       2002-05-31 16:58:16

This message was sent from: General Mailing List.
<http://www.oscommerce.com/community.php/forum,1/action,read/i,30932/t,30932> 
----------------------------------------------------------------

freshly downloaded version 2.1

There have been many messages posted concerning how a shopper who logs in
AFTER they put items into their cart is directed to checkout_payment.php
NONSSL.

Someone posted a fix to change:

if (@$HTTP_POST_VARS['connection'] == 'secure') {
s/b:
if (@$HTTP_POST_VARS['connection'] == 'SSL') {

This WORKS on my local RH 7.1 Linux server, but not on my remote rack
(running, alas, PLESK).

Tooling through the ONLINE DEMOS HERE AT OSCOMMERCE, I notice the demos do
NOT forward you to a secure page.

I have visited TWO demo shops and yes, I did what I was told NOT TO DO, and
have registered, but VOILA!  they didn't take credit cards!

THIS SHOULD BE IN A FAQ OR THIS IS A MAJOR SECURITY BUG!

I've played with TEP before, but I didn't have a real use for it.

I'm holding off a client now because I can't recommend this with this MAJOR
SECURITY BUG WHICH NO ONE SEEMS TO WANT TO ANSWER THE MANY PEOPLE REPORTING
IT!

PLEASE CORRECT ME!



_______________________________________________
osCommerce, General Mailing List
http://two.pairlist.net/mailman/listinfo/osc-general