File Upload Security and Easy Answers?

on April 10th, 2008 | File Under server administration -

A server administrator I know referred me to this post on file upload security: http://www.uno-code.com/?q=node/93 this morning. An interesting article, rather well written, and pretty informative. It is obviously targeted at people who are hosting sites on their own server though, so I thought I would take a look at how these recommendations stand up to a shared hosting environment and comment on them from the point of view of a software developer. My tone may wax a bit sarcastic from time to time – this is nothing to do with the author of the original article. I’d like to give some credit to the author, but they really don’t have any ID on their site. No info on the website, no info on the website referred to in the whois information. So, thanks go out to “The Artist Known as Admin AT uno-code.com”, (aka “The Artist”). Whoever they are.

The article centers around 10 things that can be done to achieve file upload security on your Apache based server. Those ten things are:

  1. Don’t allow uploads
  2. Check MIME type server-side
  3. Use mod_security to validate file uploads via an approver script
  4. Use suhosin. Suhosin (was/is ?) the hardened-php project
  5. Don’t upload to a web accessible directory
  6. Pay attention to permissions.
  7. Don’t serve certain file types if you need to have a web accessible upload directory.
  8. Make sure your /tmp directory is not executable
  9. Chroot your Apache environment
  10. Use safe_mode and open_basedir

You would think this is a fairly useful list, and perhaps it is. The author addressed each of these issues with a paragraph or so of comments. I’ll summarize those below, and offer discussion.

Don’t Allow Uploads

The Artist apologizes for restating the obvious, and notes that if you disallow file uploads on the entire server, you don’t have to worry about them. Good advice as far as it goes, just not always practical on an eCommerce server. In any case, the conditions under which a server or server account is rented often do not allow the system administrator a choice here. More on this later.

Check MIME type server-side

Excellent advice. The Artist follows with some practical tips on how to do so, part of what makes the article well worth reading. It is well worth repeating that the mime-types passed during content negotiation may be spoofed and that these should be checked server-side before accepting the file into permanent file storage. The techniques using PEAR’s fileinfo package and GD’s exif_imagetype() should certainly be helpful – provided they are available.

Use mod_security to validate file uploads via an approver script

OK – not a bad idea. But – how? Not so much from a technical standpoint, as from a protocol perspective. File uploads are generally enabled because the site owner needs that feature, and needs certain file types. Should the System Administrator blindly stop an upload without communicating the issue to the site owner? I don’t think so. The fact is, file validation on uploads is a shared responsibility. Either the system administrator or the application programmer should be providing a service which can be used to assure that validation is done. This is a significant need in shared server space, because simply blocking the upload steps on the tenant’s rights to access their property – i.e., their rented server space. Subjecting all uploads to scanning is a good idea, but this also should not be done without interaction with the site owner. Emailing them on discovery of malicious content upload would be good – and if you can use mod_security or other techniques to tie the content to its source, so much the better. In short – don’t do so blindly and capriciously without regard to the site owner’s need to be aware of events taking place on their site.
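As an added example (not code from the original article or from uno-code.com), here is what such an approver script can look like in PHP: ModSecurity 2.x hands the uploaded file’s temporary path to the script named in an `@inspectFile` rule and accepts the file only if the script’s single output line starts with `1`. The rule id, script path, allowlist and log path are assumptions; the script needs the fileinfo extension.

```php
#!/usr/bin/env php
<?php
// Added example (not from the article): a ModSecurity 2.x approver script.
// Wire it in with a rule like the following (assumed id and paths):
//   SecRule FILES_TMPNAMES "@inspectFile /usr/local/bin/approve-upload.php" \
//       "id:100001,phase:2,t:none,deny,status:403,msg:'upload rejected by approver'"
// ModSecurity passes the temporary file's path as the first argument and reads
// one line back: a line starting with "1" accepts the file, anything else
// rejects it, and the rest of the line is the reason it logs.

const ALLOWED    = ['image/jpeg', 'image/png', 'image/gif', 'application/pdf'];
const REJECT_LOG = '/var/log/upload-rejects.log';   // assumed path

// Returns [accepted (bool), reason (string)] for the file at $path.
function approve($path)
{
    if (!is_file($path) || !is_readable($path)) {
        return [false, 'cannot read file'];
    }
    // The Content-Type the browser sent is not available here and would not be
    // trustworthy anyway; classify the bytes with fileinfo instead.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($type, ALLOWED, true)) {
        return [false, "content sniffed as $type"];
    }
    return [true, 'ok'];
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    list($ok, $why) = approve($argv[1]);
    if (!$ok) {
        // Keep a record the host can forward to the site owner rather than
        // dropping the upload silently; the ModSecurity audit log holds the
        // matching transaction (vhost, client, URI) for the same timestamp.
        error_log(date('c') . " rejected {$argv[1]}: $why\n", 3, REJECT_LOG);
    }
    echo ($ok ? '1' : '0') . " $why\n";
}
```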

Use suhosin. Suhosin (was/is ?) the hardened-php project

Well, maybe. My own experience running PHP software on Suhosin is that it may be hardened, but it requires due diligence in site setup and/or application development for a reasonable level of confidence in application performance to be reached. My experience with PHP development in general tells me that it would be a very good idea not to run any business software on Suhosin that wasn’t developed on it. (Which, by the way, I highly recommend.) So – I don’t disagree with the recommendation, but I think as a flat policy statement it may be better offered to PHP developers than the general public. It leaves the question – why is Suhosin not a standard part of PHP?

Don’t upload to a web accessible directory

Oh please. Good idea on some servers, and totally irrelevant on others. Depending on the server setup, this just could allow any malicious program escaping validation and scanning free entry into other parts of the server. Do this if and only if your server administrator specifically advises you to, and provides a specific location to which the uploads may be routed. Administrators should make this part of their server setup routine, and include the information in welcome emails.

Pay attention to permissions

Definitely a good idea – and for system administrators I would add: pay attention to ownership as well. This is part of the reason for my position on the previous suggestion.

Don’t serve certain file types if you need to have a web accessible upload directory

Good advice. What file types? Many merchants have little to no clue. This is a place where closer collaboration between hosts and their clients could really pay off for security – especially when combined with some creative account configuration and construction techniques. For hosts to collect intended usage information and issue focused security advisories could be very helpful to all concerned.
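An added example (not the article’s code) of the application-side counterpart to the MIME check, the non-web-accessible upload directory, the permissions advice and the “don’t serve certain types” advice above: sniff the type server-side, store under a random name outside the document root with tight permissions, and hand files back through a script that sets the content type from its own table. Assumes PHP 7 with the fileinfo and exif extensions; UPLOAD_DIR is an assumed path.

```php
<?php
// Added example (not the article's code): the application side of items 2, 5,
// 6 and 7 above. Paths are assumptions; needs the fileinfo and exif extensions.

const UPLOAD_DIR = '/home/example/uploads';   // assumed: outside DocumentRoot
const TYPES = [                               // sniffed type => extension we assign
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'image/gif'       => 'gif',
    'application/pdf' => 'pdf',
];

// Validate one $_FILES entry and store it; returns the id used to fetch it later.
function store_upload(array $file)
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed or is not a real upload');
    }
    // $file['type'] is whatever the browser claimed; sniff the bytes instead.
    $type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(TYPES[$type])) {
        throw new RuntimeException("type $type not accepted");
    }
    // For images, get a second opinion from the EXIF extension's header check.
    if ($type !== 'application/pdf' && exif_imagetype($file['tmp_name']) === false) {
        throw new RuntimeException('image header check failed');
    }
    // Never reuse the client's filename or extension: random id, our extension.
    $id   = bin2hex(random_bytes(16)) . '.' . TYPES[$type];
    $dest = UPLOAD_DIR . '/' . $id;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into storage');
    }
    chmod($dest, 0640);   // owner/group readable, never executable
    return $id;
}

// Hand a stored file back through PHP, so Apache never maps the directory and
// the content type comes from our table rather than from the file's name.
function serve_upload($id)
{
    // Accept only the exact shape store_upload() produces: no traversal possible.
    if (!preg_match('/^[0-9a-f]{32}\.(jpg|png|gif|pdf)$/', $id)
        || !is_file($path = UPLOAD_DIR . '/' . $id)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($id, PATHINFO_EXTENSION), TYPES, true);
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $id . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```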

Make sure your /tmp directory is not executable

Not bad advice at all. Here is another for use in a shared hosting ecommerce environment – make sure your users can create their own space in the /tmp directory separate from any other user’s space, provide such separate space up front, or advise the use of database stored sessions. Why? Session identifiers are generally pseudo random in nature – but the key portion of that description is “Pseudo”. The total number of times I have seen an exchange of confidential customer information occur because of shared /tmp directory space is quite small in terms of the total number of annual transactions which occurred on the servers observed – but it is in double digits, which was quite enough for the people involved. If a host wants to lease server space to ecommerce sites, they should be aware of this and offer guidance to the best solution for their server configuration up front.
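An added example (not the article’s code) of the database stored sessions suggested above: a PDO-backed session handler that keeps session data out of the shared /tmp entirely, with strict mode on so the server only honours ids it issued itself. Assumes PHP 5.5 or later; the SQLite file path is an assumption, and INSERT OR REPLACE is SQLite syntax that would change for MySQL.

```php
<?php
// Added example (not the article's code): sessions in a database instead of
// the shared /tmp. SQLite is used only so it runs anywhere; the path is assumed.

class PdoSessionHandler implements SessionHandlerInterface
{
    private $db;
    private $ttl;

    public function __construct(PDO $db, $ttl = 1440)
    {
        $this->db  = $db;
        $this->ttl = (int) $ttl;
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, data TEXT NOT NULL, updated INTEGER NOT NULL)');
    }
    public function open($savePath, $name) { return true; }
    public function close() { return true; }

    public function read($id)
    {
        // Expired rows are ignored even if gc has not run yet.
        $q = $this->db->prepare('SELECT data FROM sessions WHERE id = ? AND updated > ?');
        $q->execute([$id, time() - $this->ttl]);
        $row = $q->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';   // '' tells PHP this is a fresh session
    }
    public function write($id, $data)
    {
        $q = $this->db->prepare('INSERT OR REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $q->execute([$id, $data, time()]);
    }
    public function destroy($id)
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }
    public function gc($maxlifetime)
    {
        return $this->db->prepare('DELETE FROM sessions WHERE updated < ?')
                        ->execute([time() - (int) $maxlifetime]);
    }
}

// Install the handler before the session starts. The database credentials
// belong to this tenant alone, so other accounts running under the same
// web-server user cannot read the session store the way they can read /tmp.
$pdo = new PDO('sqlite:/home/example/private/sessions.sqlite');   // assumed path
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
session_set_save_handler(new PdoSessionHandler($pdo), true);
ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
session_start();
```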

Chroot your Apache environment

Great advice anytime, I think.

Use safe_mode and open_basedir

Way off_base. Sorry Artist – but safe_mode is going away in PHP 6, or hadn’t you heard? Every server administrator should be aware of this change – and it is not a bad thing. It may be a mode, but it is not safe, nor does it assure code safety any more than turning Register Globals off. During the time safe_mode was available it diverted attention from other secure programming techniques by interfering substantially with access to normal programming techniques. No security tool provided by a mere application development language can substitute for a secure implementation of basic services including email, shell, FTP and web servers, and the close attention to file ownership and permissions advised above. Offer tutorials in the secure use of the services you make available as part of your business. Orient your customers as to security policy, then enforce it. Most of them will thank you, and those that won’t need to be elsewhere.


Some Comments on the Commercial Implications of Open Source Software

on April 10th, 2008 | File Under creloaded, development, ecommerce, Open Source, osCommerce -

Recently, I was asked to explain how I thought any company could protect their brand when releasing software under the General Public License. This came shortly after I encountered a post stating CRE Loaded “never made it clear” the software was released under GPL. The second assertion is quickly dealt with. Provided the user can read basic English – the licensing is posted in the footer of every CRE Loaded distribution as follows:

E-Commerce Engine Copyright © 2003 osCommerce Portions Copyright © 2003 – 2006 CRE Loaded Project
osCommerce provides no warranty and is redistributable under the GNU General Public License
Chain Reaction Works, Inc provides no warranty except as to associated support contracts
which are limited by and to the Service Level Agreement.
Powered by Oscommerce Supercharged by CRE Loaded

If this does not make it clear the observer is either illiterate, stupid or criminal and hoping his potential victims suffer those conditions.

Frankly, I don’t understand how, this long after the initial GPL release, anyone could not understand its implications. Probably the most important fact about the GPL is that it is a license. Let me say that again – slowly: the General Public License is a LICENSE.

A license is defined by Merriam-Webster as “c: a grant by the holder of a copyright or patent to another of any of the rights embodied in the copyright or patent short of an assignment of all rights”. Parse that slowly if you will. “A grant by the holder of a copyright or patent” – the developing authority holds either a copyright, a patent, or both to their software. “short of an assignment of all rights” – the developing authority retains rights to the software. There. Was that so hard?

So, the question is, to what rights do the developers retain ownership and/or control? The nature of software licensing should make it pretty clear that those rights include the copyright – which the GPL allows them to enforce; and the rights to trademarks, service marks and other tools used to brand the software. Given that anyone in the software industry in general, and ecommerce in particular, deals with licensing every day, by now we should understand this. A huge percentage of all computers sold around the world carry with them a Microsoft software license. This is a given. Yet no one doubts that that license allows them to use the software, but does not give them a right to call themselves Microsoft, claim a partnership with Microsoft, use the Microsoft logo on their own products or in any other way represent themselves as being a part of Microsoft.

What the osCommerce Project has to say on these issues can be found here, in their own statements on Trademarks and Copyrights. They are well worth reading. In fact, I would go so far as to suggest that they should be required reading of anyone who installs the software. They are easy enough to understand, but equally easy to forget. I am thankful to have been given reason to review them – and plan some site modifications as a result. I want it to be clearly understood that this site is about all Open Source eCommerce, not just osCommerce. Nor is there any connection between this site and the osCommerce project. We are not reviewed or controlled by the project, and other than their clearly identified RSS feeds all content here is copyrighted under terms substantially similar if not identical to those posted by the osCommerce Project.

Their position boils down to normal usage and common sense – materials are copyrighted by the producers, some rights are granted them as the site owner, all software contributed is donated under the same GPL which applies to osCommerce itself, and their trademarks remain theirs. This is as it should be, and not substantially different than many other Open Source projects. Another interesting document which can be found on the osCommerce project site is their Open Source Definition.

The first three items are of particular interest here. To quote their document, making fair use, those items are:

  • Free Redistribution
    No restrictions are placed on parties from selling or giving away the software.
  • Source Code Availability
    The software must include source code and must also allow for binary distributions when there is a well-publicized means of obtaining the source code.
  • Derived Works
    Modifications and derived works must be allowed, and must be distributed under the same terms as the license of the original software.

So, getting back to the remaining question of how branding can be protected while the software is given away.

The pertinent GPL Version 2 clause in my opinion is section 7 (aka the “Liberty or Death” clause). It says the following:

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.

This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.”

So – you can’t stop the software from being given away. But, “It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims;” Brands and trademarks are property. They are subject to many property rights both implicit and explicit – though these vary significantly from one jurisdiction to the next (one reason there is a GPL 3.x). They existed when the first GPL was written – and this clause has the significance of requiring any further distribution for sale to be clearly identified as “Derived Works”.

So, you can modify commercial GPL software, you can give it away, or sell it. But you legally, morally or ethically cannot do so while claiming to be the original author.

There remain other issues, but from an ethical if not legal standpoint there is no real obstacle to commercializing Open Source software. In fact, there are many issues which push for it – the need or desire of business operators to be able to obtain support, or to acquire a version of the software which is less unstable than the free releases being just two good examples. More on those in a future posting.


A River runs through it.

on April 10th, 2008 | File Under Personal, SEO -

I’ve been subjected to a bit of distraction lately. The office has been sinking.

Well, not literally sinking, you understand, but definitely moist. It began about a month ago when my better half noticed moisture in the carpet. A lot of moisture.

This drew our attention. It was surrounding a book case so we scurried to save the contents, move the furniture and begin the diagnostic process. The water was clear, which thankfully let out sewer blockage as a potential cause. Unfortunately, we were unable to immediately rule out groundwater leakage, a broken water pipe or act of God.

It happened on a weekend of course, immediately after the complex staff left for the day. The remainder of the weekend was spent soaking hydrogen dioxide from the rug, and hoping for a cessation in the persistent precipitation. Ok, constant rain, damn it. It took three days to get a thorough examination finished. This involved partially demolishing a wall, revealing one small hole in a pipe. It had to be the main fresh water inlet for the entire building and it was. By this time, the water was starting to rise – and primary line or not, I was doubtful that the small leak we had located was sufficient to account for the amount of water soaking the floor of the center of our connubial bliss. A plumber was summoned, but by this time another weekend had arrived, and of course they were unable to locate the cut off valve for the building. This ran to another 3 days of delay while they arranged first to locate said cut off valve, determine it was nonfunctional and arrange to turn off the water for the entire complex. This to repair a leak less than a sixteenth of an inch in diameter in a two inch pipe. Oh joy.

We were advised not to expect immediate relief from our inundation (Latin inundatus, past participle of inundare, see water) - it was expected that water would continue to seep from soaked dry wall for another (you guessed it), three days. This though the dry wall itself was largely, well – dry. I informed our plumber and the maintenance supervisor that I doubted this strongly based on my extensive experience in nursing urological disorders in a tone that was dry if not rye.

Three days later, the river still ran. In fact, it ran rather more strongly than before. Again, I visited the maintenance supervisor and issued him a situation advisory. Once more he inspected the source of our fountain and again, dry wall suffered the indignant abuse necessary to fully expose the source of the flow. While moisture was visible, and the presence of the leak was clear, the source remained elusive. A consultant was called in – and the culprit finally localized. It was beneath the concrete. More calls to plumbers, and bids solicited. Not good news. In this southern town, obtaining a bid alone can take 15 to 30 days. Still, not all news was bad. The persistent nature of the issue finally drew the attention of the complex manager, who revealed to her new maintenance supervisor the availability of a carpet extractor and blowers. The situation began to improve.

So, as I write this entry I am listening to the tune of a high speed blower which attempts in vain to dry my soaked floor coverings and contemplating just how much I have accomplished in the past month despite my frequent towel soaking and spinning evolutions and contemplating search engine optimization. Why? One of my better events of the past month was getting to chat with Pitstop (Darel), a denizen of the CRE Loaded forums with a significant interest in SEO techniques and a number of opinions which closely match my own. We have begun a series of posts in the universities forums to address this topic, and will be referring to this entry from time to time to point out some important SEO do’s and don’ts.

Check the forum link CRE Loaded Hints and Tips section for more SEO commentary from both Daren and myself, and have a dry day.
