Securing Your CRE Loaded Admin

on September 16th, 2010 | File Under creloaded, ecommerce, security -

While playing catch up on some of my reading recently, I’ve noticed a number of posts about CRE Loaded admin security.  Much of this was prompted by the publication of a PHP_SELF related vulnerability which affected both the admin and catalog pages.

One pretty good article on the topic can be found on the infotales.com blog – http://www.infotales.com/hardening-protecting-cre-loaded-admin-area/. Some good stuff there, including inventive use of a security-by-obscurity method long implicit in osCommerce-based code but little used. So far, the post has garnered only one comment – Steve Makin’s note on Sept 1st to the effect that simply leaving the admin out of robots.txt accomplishes the same thing. I tend to disagree.

The only “benefit” to removing the admin folder from the robots.txt file is to allow legitimate bots to attempt to spider the admin space. Make an error in the IP-based protection setup recommended in the Infotales article and they will do so. Ostensibly, leaving the folder name out of robots.txt prevents it from being published to “bad bots” and so reduces exposure. This misses the point that the default admin folder location is ALREADY KNOWN to operators of the bots used to locate vulnerable websites, and is specifically looked for by any competent cracker of osCommerce-based sites. That is reason enough to actually move the admin location if you are looking to gain some security by obscurity for your site.

The Infotales article also suggests that the admin should be secured by .htaccess rules which restrict access to specific IP addresses, by requiring an additional password for the admin folder, and by using secure user names and passwords. The first two are great options to use, widely available and in many cases implementable from your hosting control panel. The IP restriction may be tricky to impossible if your web access relies on a service which does frequent IP switching. The final suggestion, to use secure user names and passwords, is probably the most frequently overlooked element of ecommerce security. I’d add to this: USE YOUR USER ID AND PASSWORD ONLY IN SECURED ENVIRONMENTS.

Why? Because the most common form of ecommerce site cracking seen in the pertinent anecdotal evidence has been, and remains, the social hack. The cracker may be the very service provider who tweaked your code to allow the latest and greatest SEO URLs, logging in with the credentials you gave them for purposes very different from what you had in mind. Equally overlooked is the fellow looking over your shoulder as you type your own credentials on the keyboard at a wireless hotspot or a public machine at an Internet cafe. These types of cracks are great reasons to follow the PCI compliance rules related to password changes and strength.

While it would be great if CRE Loaded and other web store software supported the tools needed to implement password rotation and strength policies, you can do this without such tools built into the cart. It requires a bit of extra work, but the results may be well worth it, as our experience is that sites hosted in more secure environments and managed using less risky habits tend to outperform other sites by at least 2 to 1. Two tools useful in doing so are phpMyAdmin and KeePass. Any other password manager will do, and so would any database tool, but phpMyAdmin is widely available and KeePass is free. The combination makes them ideal candidates for managing password policies manually when the need exists.

First, know your application’s structure well enough to pick out which table to monitor. CRE Loaded uses the admin table to store admin account data, including the ID, the password and (most importantly for our purposes) the date field reflecting the last modification of the account record – in this case the admin_modified field. Using phpMyAdmin, check this table and look for dates which are older than the maximum password age set by your store policy. When you find them, email the address in the admin_email_address field to remind the account holder that it is time to change their password, generated with KeePass or your required password manager using the password generator settings your policy requires. Don’t forget to recheck to make sure this is done within the required timeframe (2 business days is quite reasonable). Good luck, and good security!
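The manual phpMyAdmin check described above can be scripted. The following is an added example (not code from the original post or from CRE Loaded): a small PHP command-line audit that reads the admin table, lists accounts whose admin_modified date is older than the store’s maximum password age, and builds the reminder text for each admin_email_address. The table and column names come from the post; the DSN and credentials are placeholders, MAX_PASSWORD_AGE_DAYS is an assumed policy value, and the script assumes admin_modified is a DATETIME column that the admin password change updates.

```php
<?php
// Added example, not part of the original post or of CRE Loaded.
// Lists admin accounts whose record is older than the store's maximum password
// age, using the admin table's admin_modified field described in the post.
// Assumptions: PDO access to the store database (placeholder DSN/credentials
// below) and that admin_modified is updated when the password is changed.

const MAX_PASSWORD_AGE_DAYS = 90;   // assumed store policy; adjust to your own

/**
 * Return rows (admin_id, admin_email_address, admin_modified) for accounts
 * whose record is older than $maxAgeDays or has never been modified.
 */
function find_stale_admins(PDO $db, int $maxAgeDays): array
{
    // Compute the cutoff in PHP so the query works on any PDO driver.
    $cutoff = (new DateTimeImmutable('now', new DateTimeZone('UTC')))
        ->sub(new DateInterval('P' . $maxAgeDays . 'D'))
        ->format('Y-m-d H:i:s');

    $stmt = $db->prepare(
        'SELECT admin_id, admin_email_address, admin_modified
           FROM admin
          WHERE admin_modified IS NULL OR admin_modified < :cutoff
          ORDER BY admin_modified'
    );
    $stmt->execute([':cutoff' => $cutoff]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Build the reminder text sent to one stale account. */
function reminder_message(array $row, int $maxAgeDays): string
{
    $last = $row['admin_modified'] ?? 'never';
    return "Your store admin password (account #{$row['admin_id']}) was last changed on {$last}, "
         . "which exceeds the {$maxAgeDays}-day policy. Please generate a new one with your "
         . "password manager and update it within 2 business days.";
}

// Stand-alone run: connect and report. Replace the placeholder DSN and credentials.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $db = new PDO('mysql:host=localhost;dbname=STORE_DB', 'DB_USER', 'DB_PASSWORD', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    foreach (find_stale_admins($db, MAX_PASSWORD_AGE_DAYS) as $row) {
        // Dry run: print instead of sending. Uncomment mail() once the list looks right.
        // mail($row['admin_email_address'], 'Password change required', reminder_message($row, MAX_PASSWORD_AGE_DAYS));
        echo $row['admin_email_address'], ': ', reminder_message($row, MAX_PASSWORD_AGE_DAYS), PHP_EOL;
    }
}
```

One caveat worth keeping in mind: admin_modified records the last change to the account record as a whole, so an account edited for some other reason (a new email address, say) will look freshly rotated even though the password was not touched. Treat the list as a starting point for the follow-up the post recommends, not as proof of compliance.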


Advanced osCommerce Based Link System Setup

on December 21st, 2009 | File Under creloaded, osCommerce -

E-commerce web site setup can be quite a complex process.  It is quite easy to lose track of the fine details and fail to address them.  This was brought to my attention recently by a spate of Link Submission approval requests and a couple of contacts asking why I had failed to approve them.  The reason was simple – they had violated several of the basic rules of link exchange courtesy.

In most cases the back link to this site was simply not present. In other cases the back link was present, but the site linking back was not the same as the site for which a link was requested. In most cases the site content was in no way relevant to the purposes of, or content on, this website. Many of these issues are common when link campaigns are being conducted by unscrupulous “SEO service” firms. But they can be equally common among inexperienced site operators new to link exchanges, or bona fide service providers who are just in too big a hurry to get link requests out. While you can’t do much about the former, the latter offers some opportunity to do two things: acquire some relevant back links for your site, and avoid wasting time on irrelevant garbage links. Doing so requires that you go beyond simply adjusting the available configuration values in your Link Manager system and provide some informative language on the link system pages. Let’s look at how that is done.

Like any other system in osCommerce, the Link Manager’s text is stored in language files which share the name of the system’s root file but are located in the includes/languages/ directory tree. Huh?

Each osCommerce system has one or more pages associated with it. Each page is generated by loading a file in your browser. That file is located in the folder which holds the top level of the shopping cart file set. That folder is the shopping cart’s web root. Thus, we refer to that file as a “root file”.

The root file loads a number of related files. One of these is a “language file”. Language files are PHP files which contain definitions for “constants” or “defines”. They are stored in folders located in a directory defined in the cart’s configuration file – usually “includes/languages/” relative to the cart root. Those folders are named after the language used to create the definitions. So, for the English language file of a cart whose web root is /home/yourstore/public_html, we would look in /home/yourstore/public_html/includes/languages/english for a file with the same name as the file which generates the page we want to modify.

So, to modify the link submission page we will open the links_submit.php file found in this location in our editor. We are going to do two things. First, modify the text on the link submission page to give a bit of guidance about what types of links we will accept. Next, modify the text of the email sent to the submitter to reinforce the store’s policy on links.

The definition used for the page’s main body text is ‘TEXT_MAIN’. By default it contains the phrase “Please fill out the following form to submit your website.” and looks like this: define('TEXT_MAIN', 'Please fill out the following form to submit your website.');

How this is structured is important. PHP needs to be able to tell which content is static and which is to be “parsed” for further modification. It does this using the quotation marks. So, including quotation marks inside the text requires a process called “escaping”, which is best left to a PHP developer with good eyes and a knowledge of how this is done. See the PHP website for details on constants and strings. For simplicity’s sake, we are going to do our modification while avoiding the use of quotation marks of any type, in order to avoid creating syntax errors. So, we change it to the following:

define('TEXT_MAIN', 'Please fill out the following form to submit your website.
<br>Please note that we accept only RELEVANT links.  This means your site must
be related to building or operating an ecommerce, online shopping or web store
site – or providing education or services to those who are engaged in such
tasks.');

This adds a bit of specific information about the types of links we want to collect and the sites from which we would prefer to be linked.
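For readers who do want a quotation mark in their text, here is an added example (not code from the original post or from CRE Loaded) showing three ways of writing the same apostrophe-containing language constant without a syntax error. The constant names TEXT_MAIN_EXAMPLE_A/B/C and the sentence itself are hypothetical; a real language file would use the page’s own names such as TEXT_MAIN.

```php
<?php
// Added example, not part of the original post or of CRE Loaded.
// Three equivalent ways to put an apostrophe into a language constant.
// The constant names and the text are hypothetical.

// 1. Backslash-escape the quote inside a single-quoted string.
define('TEXT_MAIN_EXAMPLE_A',
    'Please fill out the form below; we\'ll review your site within 48 hours.');

// 2. Use a double-quoted string; a single quote inside it needs no escaping.
//    Double quotes do parse $variables and escapes like \n, so avoid literal
//    dollar signs and backslashes in text written this way.
define('TEXT_MAIN_EXAMPLE_B',
    "Please fill out the form below; we'll review your site within 48 hours.");

// 3. Use a nowdoc (PHP 5.3+); nothing inside it is parsed or escaped, and the
//    closing label must start in the first column of its own line.
define('TEXT_MAIN_EXAMPLE_C', <<<'TXT'
Please fill out the form below; we'll review your site within 48 hours.
TXT
);

/** Return true when all three spellings produce exactly the same text. */
function language_constants_agree(): bool
{
    return TEXT_MAIN_EXAMPLE_A === TEXT_MAIN_EXAMPLE_B
        && TEXT_MAIN_EXAMPLE_B === TEXT_MAIN_EXAMPLE_C;
}

var_dump(language_constants_agree());
```

Whichever form you use, run php -l on the edited language file before uploading it; a single unbalanced quote in links_submit.php takes the whole link submission page down with a parse error, and the lint check catches that without touching the live store.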

Next, we modify the email sent to the submitter.  This is found in the EMAIL_TEXT definition – which starts out looking like this:

define('EMAIL_TEXT', 'Your link has been successfully submitted at ' . STORE_NAME . '.
It will be added to our listing as soon as we approve it. You will
receive an email about the status of your submittal. If you have not
received it within the next 48 hours, please contact us before submitting
your link again.' . "\n\n");


We change ours to look like this:

define('EMAIL_TEXT', 'Your link has been successfully submitted at ' . STORE_NAME . '.
It will be added to our listing as soon as we approve it. You will
receive an email about the status of your submittal. If you have not
received it within the next 48 hours, please contact us before submitting
your link again.<br>Please be aware that we will not accept:
<ul>
<li>Irrelevant links of any type.</li>
<li>Relevantly placed links on or to link farms.</li>
<li>Bait and switch links of any type.</li>
</ul>
' . "\n\n");

This reminds the submitter of our ground rules, and adds a few more details about what we will or won’t accept.

Finally, we modify the TEXT_LINKS_HELP definition, which holds the help text and looks like this:

define('TEXT_LINKS_HELP', '<b>Site Title:</b> A descriptive title for your website.<br><br><b>URL:</b> The absolute web address of your website, including the \'http://\'.<br><br><b>Category:</b> Most appropriate category under which your website falls.<br><br><b>Description:</b> A brief description of your website.<br><br><b>Image URL:</b> The absolute URL of the image you wish to submit, including the \'http://\'. This image will be displayed along with your website link.<br>Eg: http://your-domain.com/path/to/your/image.gif <br><br><b>Full Name:</b> Your full name.<br><br><b>Email:</b> Your email address. Please enter a valid email, as you will be notified via email.<br><br><b>Reciprocal Page:</b> The absolute URL of your links page, where a link to our website will be listed/displayed.<br>Eg: http://your-domain.com/path/to/your/links_page.php<br>This page must be located on your website and that page must be accessible from your front page.<br>');

We modify it so it looks like this:

define('TEXT_LINKS_HELP', '<b>Site Title:</b> A descriptive title for your website.<br><br><b>URL:</b> The absolute web address of your website, including the \'http://\'.<br><br><b>Category:</b> Most appropriate category under which your website falls.<br><br><b>Description:</b> A brief description of your website.<br><br><b>Image URL:</b> The absolute URL of the image you wish to submit, including the \'http://\'. This image will be displayed along with your website link.<br>Eg: http://your-domain.com/path/to/your/image.gif <br><br><b>Full Name:</b> Your full name.<br><br><b>Email:</b> Your email address. Please enter a valid email, as you will be notified via email.<br><br><b>Reciprocal Page:</b> The absolute URL of your links page, where a link to our website will be listed/displayed.<br>Eg: http://your-domain.com/path/to/your/links_page.php<br>This page must be located on your website and that page must be accessible from your front page.<br><br><b>Link Relevance:</b> Your link must be relevant to ecommerce or ecommerce education to be accepted.');

Now that we have these modifications in place, we can expect some improvement in the percentage of submitted links which are mutually beneficial to us and to the submitting web sites. Note that this technique can also be applied to important pages such as the checkout process and account creation pages in order to improve their usability. Making similar changes in the other language file sets will help keep your cart well prepared to do business in a multilingual environment.


CRE Loaded Clutter

on May 12th, 2009 | File Under creloaded, development, ecommerce -

In his post on CRE Loaded Clutter, Chris at oshelpers.com describes FDMS as inessential clutter in the course of presenting what is essentially an explanation of why CRE Loaded 6.3 is so overpriced for the feature set.

I beg to differ on this specific point.

Perhaps, as the system designer responsible for FDMS and the Chief Operating Officer of the firm which sold the system, I have a few biases of my own here. Download-related issues in CRE Loaded accounted for a respectable portion of system complaints before FDMS development. The existing download system lacked some pretty obvious marketing tools and capabilities. The reporting systems sucked. Those issues were just about enough by themselves. Add to them the negative impact of the “Zero Weight Guessing Game” in the checkout and shipping routines, which affects 100% of all cart users, and the development of FDMS and its eventual inclusion in the core distributions was completely justified. The market demand was also more like 20% than the 0.2% Chris estimates off the cuff. The system also made it a lot easier for shops with physical products to offer product-related downloads such as instruction manuals, user guides and brochures — pushing the number of potential beneficiaries even higher. The list of reasons why FDMS is both essential and “A Good Thing” goes on and on. “Inessential” is not justified here – though it is certainly fair to say the system is over-priced when considered against other needs clamoring for attention in the CRE Loaded code base.

CRE Loaded actually did a splendid job of selecting contributions for inclusion in the cart up to the 6.2 release.  In fact, it came very close to continuing that streak in the 6.2 release itself.  Ugly story there that I might tell someday, but not today. Fact remains that the top features in any CRE Loaded distribution can still be found in the top downloads of all time for osCommerce contributions and most of them remain in the top 50 if not the top 10 out of over 5000 candidates.

What Chris missed, ignored or chose not to communicate there is that beginning with 6.2, CRE Loaded was no longer to be a “loading project” but a development project. Not a secret at all. I certainly mentioned it in the CRE Loaded forums as I drove development in a new direction, and I am pretty sure Chris was there to see it. It was the right course then and a better one today.

The problem is that Chainreaction has an issue with steering a course that calls for building a development company – a problem with any course that relies on providing value to the community for which the community feels a need to pay. The fact that so much clutter of any type remains is a reflection of this problem as much as anything. That 107 of 114 feature requests made over the past 3 years remain open, many of them unanswered, much less unimplemented, is a clear sign of the weakness of Chainreaction Ecommerce’s commitment to meet community needs.


StrikeHawk eCommerce releases new training video

on April 15th, 2009 | File Under creloaded, development, ecommerce, education, Open Source -

Our latest video, CRE Loaded Manual Order Creator retails for only $15.00 USD and includes up to 6 minutes of live animation slides with voice narrative on every aspect of creating a manual order within CRE Loaded 6.2.13.1 Standard, Pro & B2B. For more details, click the link below.

  • Lesson 1
    • Payment Method Configuration
    • Shipping Method Configuration
    • New Customers
    • Existing Customers
  • Lesson 2
    • Quickly search and use existing customers
    • Enter new customers
    • Customer IDs
    • Using the drop down selectors
  • Lesson 3
    • Selecting a category
    • Selecting a product
    • Assigning attributes
  • Lesson 4
    • Adding Tax
    • Adding Shipping Method and price
    • Selecting Payment Method
    • Adding Discount
    • Adding Comments
  • Lesson 5
    • Updating your order
    • Printing Invoices
    • Printing Packing Slips

More Info: CRE Loaded Admin Manual Order Entry


CRE Loaded: You’ve Lost That Loving Feeling…

on November 4th, 2008 | File Under creloaded, osCommerce -

In an unpublished article I started on October 15, I stated “Kerry Watson’s new article was posted today on ecommerceguide.com. You can find it at: http://www.ecommerce-guide.com/news/news/article.php/3777841 . It is entitled, “Can Iozzia Get the CRE Loaded Love Back?”. The short answer is no.”

While I still think I blew off a bit more steam than I want to publicize so quickly after Chain Reaction’s devastating implosion (or indeed – at all), events since then have made me reconsider addressing the issue in this venue, though not the conclusion of my initial paragraph. First off was the management of the all too expected eruption of steam following Sal’s “grand return” and the unbanning of a number of long-time community members who were neither happy at being banned nor impressed with claims of change. One of the most vociferous was Michael DesMarais of Supreme Center Hosting.


CRE Launches “New Open Source Model”

on October 10th, 2008 | File Under creloaded, ecommerce, Open Source -

But is it? There seems plenty of reason to doubt whether the approach is either new or open source. My original concept when proposing CRE Loaded commercialization was to charge a standard fee per copy distributed with a 30 to 90 day support window, following which support could be obtained on a contract basis. Revenues would be further augmented by internally developed documentation and education offerings made available both directly to the public on Chain Reaction’s own site, and via a distribution network of existing community vendors. The value of the software would be increased by ongoing addition of new features designed and built in house, and refactoring of the core code to bring it into alignment with the current PHP and MySQL feature sets and changes in the security environment.

What has emerged appears to be little more than SaaS without the second S. Here is why.

The “manual” posted on the latest incarnation of their website is a thinly disguised knock-off of Kerry Watson’s 6.2 Users Manual. They may argue that there are few other ways to state the program’s use, and that just may be. But why can’t the ‘designers’ of the software do any better? They should, for example, have access to and include information on input formats and boundaries, and systemic capabilities and limitations which are not readily available to the non-programmer. Such information is not, as of the date of this writing, available in their “users guide”. Their “educational program” consists of a page buried 3-5 levels deep in their site which asks the users to inform Chain Reaction of their educational needs so that content can be developed. So much for educational and documentation support.

Their new releases are “subscription” based. But there is some room for question as to just what users would be subscribing. What does Chain Reaction deliver in return for its charges?


The Empire Strikes Back. Or is it Out?

on October 3rd, 2008 | File Under creloaded, ecommerce -

Once more the Evil Overlord’s Imperial Storm Troopers (AKA Chain Reaction Ecommerce) strike a blow for Open Source excellence at their customers’ expense. How, you might ask? As well you should. The answer does yield a certain amount of amusement, if one’s sense of humor partakes of a certain twisted bent.

This morning, CRE Loaded store users began drawing to my attention the sudden onset of error messages from Internet Explorer whenever an Admin page was rendered. The error noted that some of the page content was subject to a security certificate flaw. On examination of the pages, we found the expected suspect. Once more Chain Reaction has used its 175,000 users as alarm clocks to remind them to renew a security certificate. This is, I believe, 3 years running. Is this now company tradition? Rumors abound of a pool for next year’s renewal date.

Security Certificate Expired.

In the meantime, if you have better things to do with your time than call CRE support to remind them of a job they should already have done (and who doesn’t), or you’re one of those clued in people who know better than to simply click “accept this content” whenever you encounter this error (and we sincerely hope you are – bad habit!), you might want to join us in the Open Source University Forums to find out how to remove the offending links from YOUR CRE Loaded cart.


CRE Loaded Founders Leaving?

on September 22nd, 2008 | File Under creloaded, development, ecommerce, osCommerce -

Recently a blog entry by Anna Bergman entitled, “Why Would you Want Cre Loaded for your E-store?” was brought to my attention.  Not only for its content, but due to the nature of a reply to that post.

First, let’s address Anna’s content. She notes that:

“CRE Loaded currently has 39 additional modules over and above the many that are already included in the default OsCommerce installation. CRE Loaded also offers powerful shopping cart solutions in both the free and paid editions. CRE Loaded has a better template system and its “affiliate manager” allows you to specify the per sale payment percentage rate for each of your affiliate accounts as well as providing a tiered structure that is based on sales performance.”

This is not quite the truth. CRE Loaded contains considerably MORE than 39 additional modules, and even more modifications to that module set intended to make it more powerful and convenient than its stock osCommerce parent. Further, it has had a large number of security-related modifications added. I’m proud of the work I carried out first as Project Manager, then as Chief Operating Officer, and happy to be recognized as a founder of CRE Loaded.

High and Dry

on May 15th, 2008 | File Under creloaded, oscuni, Personal -

Pursuant to my post earlier this month (“A River Runs Through It”), much progress has been made. We are now high and dry with new carpet and complete repairs to the damaged areas of the house.

While getting all this done has taken some time, some surprising progress has been made in advancing professional content – if sometimes indirectly.

First, work has begun on my technical report on ATS templating for CRE Loaded. This already includes 160+ pages of content and appears to be turning into Inside CRE Loaded: Volume 2.

Next, having acquired a partner, Denver Prophit to operate Hosting-4-creloaded.com on behalf of StrikeHawk Hosting, we have added a developer to our staff who will be working with us to develop consistently maintained professional documentation of osCommerce based releases. This is a welcome addition and we look forward to gaining momentum on generation of content and therefore courses.


Some Comments on the Commercial Implications of Open Source Software

on April 10th, 2008 | File Under creloaded, development, ecommerce, Open Source, osCommerce -

Recently, I was asked to explain how I thought any company could protect their brand when releasing software under the General Public License. This came shortly after I encountered a post stating CRE Loaded “never made it clear” the software was released under the GPL. The second assertion is quickly dealt with. Provided the user can read basic English, the licensing is posted in the footer of every CRE Loaded distribution as follows:

E-Commerce Engine Copyright © 2003 osCommerce Portions Copyright © 2003 – 2006 CRE Loaded Project
osCommerce provides no warranty and is redistributable under the GNU General Public License
Chain Reaction Works, Inc provides no warranty except as to associated support contracts
which are limited by and to the Service Level Agreement.
Powered by Oscommerce Supercharged by CRE Loaded

If this does not make it clear the observer is either illiterate, stupid or criminal and hoping his potential victims suffer those conditions.

Frankly, I don’t understand how, this long after the initial GPL release, anyone could not understand its implications. Probably the most important fact about the GPL is that it is a license. Let me say that again – slowly: the General Public License is a LICENSE.

A license is defined by Merriam-Webster as “c: a grant by the holder of a copyright or patent to another of any of the rights embodied in the copyright or patent short of an assignment of all rights”. Parse that slowly if you will. “A grant by the holder of a copyright or patent” – the developing authority holds either a copyright, a patent, or both to their software. “Short of an assignment of all rights” – the developing authority retains rights to the software. There. Was that so hard?

So, the question is, to what rights do the developers retain ownership and/or control? The nature of software licensing should make it pretty clear that those rights include the copyright – which the GPL allows them to enforce – and the rights to trademarks, service marks and other tools used to brand the software. Given that anyone in the software industry in general, and ecommerce in particular, deals with licensing every day, by now we should understand this. A huge percentage of all computers sold around the world carry with them a Microsoft software license. This is a given. Yet no one doubts that that license allows them to use the software but does not give them a right to call themselves Microsoft, claim a partnership with Microsoft, use the Microsoft logo on their own products, or in any other way represent themselves as being a part of Microsoft.

What the osCommerce Project has to say on these issues can be found here, in their own statements on Trademarks and Copyrights. They are well worth reading. In fact, I would go so far as to suggest that they should be required reading of anyone who installs the software. They are easy enough to understand, but equally easy to forget. I am thankful to have been given reason to review them – and plan some site modifications as a result. I want it to be clearly understood that this site is about all Open Source eCommerce, not just osCommerce. Nor is there any connection between this site and the osCommerce project. We are not reviewed or controlled by the project, and other than their clearly identified RSS feeds all content here is copyrighted under terms substantially similar if not identical to those posted by the osCommerce Project.

Their position boils down to normal usage and common sense – materials are copyrighted by the producers, some rights are granted them as the site owner, all software contributed is donated under the same GPL which applies to osCommerce itself, and their trademarks remain theirs. This is as it should be, and not substantially different from many other Open Source projects. Another interesting document which can be found on the osCommerce project site is their Open Source Definition.

The first three items are of particular interest here. To quote their document, making fair use, those items are:

  • Free Redistribution
    No restrictions are placed on parties from selling or giving away the software.
  • Source Code Availability
    The software must include source code and must also allow for binary distributions when there is a well-publicized means of obtaining the source code.
  • Derived Works
    Modifications and derived works must be allowed, and must be distributed under the same terms as the license of the original software.

So, let’s get back to the remaining question of how branding can be protected while the software is given away.

The pertinent GPL Version 2 clause, in my opinion, is section 7 (aka the “Liberty or Death” clause). It says the following:

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.” So – you can’t stop the software from being given away. But, “It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims;” Brands and trademarks are property. They are subject to many property rights both implicit and explicit – though these vary significantly from one jurisdiction to the next (one reason there is a GPL 3.x). They existed when the first GPL was written – and this clause has the significance of requiring any further distribution for sale to be clearly identified as “Derived Works”.

So, you can modify commercial GPL software, you can give it away, or sell it. But you legally, morally or ethically cannot do so while claiming to be the original author.

There remain other issues, but from an ethical if not legal standpoint there is no real obstacle to commercializing Open Source software. In fact, there are many issues which push for it – the need or desire of business operators to be able to obtain support, or to acquire a version of the software which is less unstable than the free releases being just two good examples. More on those in a future posting.
