Anonymous Contact Forms

There are times when an anonymous report is appropriate. It is usually when you are reporting something and don’t need to be involved further.

In that case, completing a contact form with bogus information and an email address at anonymous.com or example.com should still pass validation so the message is delivered.

I don’t think email validation should discard anonymous reports, unless they are attempts to spam.

http://anonymous.com/
http://www.example.com/

Free X-Cart Installation Checker

The checker is an HTML file that lets you enter the URL for your cart and the directory you installed it in, then offers links you can click to see whether the server has been properly configured to protect those files.

This tool is valuable for the following:

  • Engineering, security, and QA - to ensure the application was properly installed and protected
  • eCommerce site owners - to check the work of your web development company
  • Credit card gateway companies - to check the security of the application installed for requesting clients
  • Security - to identify risk areas for applications
  • Hosting companies - to check client accounts after security problems

You do not have to install it on a server; you can run it from the desktop. It does not require any server access beyond the browser: no passwords, no database access, no FTP, no SSH. It doesn’t use AJAX, it won’t log into your cart, and it won’t analyze the results.

It is a very simple, free tool that runs under IE.

If you would like a copy, you must either have a live cart running, or be part of a web development company. Use an email with the domain name of the cart, or your web dev company, and I will send you the HTML - in a text file. Requests can be made through the contact form on this blog.

Please don’t use gmail, hotmail, yahoo or other free accounts. You will not receive any response.

The reason the page isn’t posted for public access is that it would make it very easy for people to quickly check a cart’s vulnerabilities. Limiting the distribution is for security. This is not an attempt to collect email addresses or domains that are running X-Cart. I know how to find carts. :)

Work isn't necessarily Profit

Never forget that even if you are working hard, if it costs more to deliver the goods or services than you receive, you are still losing money.

If you don’t know what it costs, you are probably losing money.

If you don’t know how much you have been paid, you are probably losing money.

If you don’t know the basic operating costs and overhead for your company, you are probably losing money.

Partnerships

  • A partnership doesn’t imply direct revenue generation or sales support
  • A partnership should help all parties reach their goals
  • A partnership should raise the level of service for the end user
  • A partnership should be respected by all parties
  • Partnership participation costs should be clearly defined and understood by all parties
  • Levels of participation should be allowed, and partners should be able to ‘opt-out’ of opportunities

Risks of Web-Based Application Management

Many web applications can be configured through their own web-based administration interface. This is extremely valuable, especially for users that don’t have SSH access and don’t want to use FTP. The danger is that, for web-based configuration to work, the web server process must have write privileges into the application’s directories, and anything running as the web server (including exploited application code) inherits that write access. This creates a security risk.

Set the file permissions to 644, and the owner to the account owner, not the web server. This has the added benefit of limiting write access to configuration files to people with SSH/FTP credentials, not to anyone who can reach the application’s administration pages.

Try to set up the web server so that requests for files in compiled or cached template directories are denied for all users. In many cases this will work, because template files are included by other files at runtime rather than requested directly. Then, if malicious files are placed in such a directory, they cannot be served.

Remove the application name and version data from the page source. Suppress the delivery of detailed web server headers. The less information delivered, the better.

Change the admin access URLs from the default or standard names (such as admin), to something else. Delete or rename the installation directory or files. Be sure to use secure passwords.

Always disable directory listing, to prevent people from browsing through the file system.

Be sure the server software is up to date, use mod_security (modsecurity.org), keep PHP up to date, and especially keep the applications themselves up to date. Monitor the access and error logs. Back up the database and filesystem frequently (automate it). Periodically, SSH in to check the filesystem.
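The following script is an added example, not something from the original post or from any particular application: it checks a web application tree for the conditions described above (files writable by group or other, files not owned by the account owner), resets offending files to 644, and drops a deny-all .htaccess into a cached-template directory. The directory layout (include/, templates_c/), the file names and the expected owner are constructed for the demo; substitute your own paths.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a web application tree for
# the two problems the post warns about and applies the suggested fixes.
# The demo tree below is constructed; real installs have different paths.

# Print files under $1 whose mode grants write to group or to other.
find_group_other_writable() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -print | sort
}

# Print files under $1 that are not owned by user $2 (e.g. owned by the
# web server account instead of the hosting account owner).
find_not_owned_by() {
    find "$1" -type f ! -user "$2" -print | sort
}

# Remediation from the post: files readable by all, writable only by owner.
fix_permissions() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) -exec chmod 644 {} +
}

# Deny direct requests to a compiled/cached template directory and turn off
# directory listing there. Only effective if Apache's AllowOverride permits
# these directives for the tree; otherwise put them in the vhost config.
write_deny_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Cached templates are included at runtime, never served directly.
Require all denied
Options -Indexes
EOF
    chmod 644 "$1/.htaccess"
}

# Constructed demo tree: one config at 644 (good) and one cached template
# at 666 (bad, anything running as the web server could overwrite it).
setup_demo_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/include" "$dir/templates_c"
    printf '<?php $cfg = 1;\n' > "$dir/include/config.php"
    chmod 644 "$dir/include/config.php"
    printf '<?php echo "cached";\n' > "$dir/templates_c/page.tpl.php"
    chmod 666 "$dir/templates_c/page.tpl.php"
    printf '%s\n' "$dir"
}

demo_dir=$(setup_demo_tree)
echo "Writable by group/other before fix:"
find_group_other_writable "$demo_dir"
echo "Not owned by $(id -un):"
find_not_owned_by "$demo_dir" "$(id -un)"
fix_permissions "$demo_dir"
write_deny_htaccess "$demo_dir/templates_c"
echo "Writable by group/other after fix:"
find_group_other_writable "$demo_dir"
rm -rf "$demo_dir"
```

Run it against the real document root as the account owner, not as the web server user, and review the "not owned by" list before changing ownership, since a web application that legitimately needs a writable upload or cache directory will show up there too.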