• 𝒍𝒆𝒎𝒂𝒏𝒏@lemmy.one · 3 upvotes · 11 months ago

      Yikes, that is embarrassing.

      Is OpenCart written in PHP? Bcrypt has been a thing for decades now, and is literally a drop-in replacement that handles salting et al. If the developer was hesitant to implement that, I’d rather go use Magento or shudder Shopify

      • Zikeji@programming.dev · 2 upvotes · 11 months ago

        One of the first things I did when I took over an old PHP project was convert to bcrypt and add logic to automatically upgrade the hash on their next login (and in case you’re wondering, we also removed the old insecure hashes and the upgrade logic after a while, forcing remaining users to do a password reset).
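
The upgrade-on-login migration described in the comment above, as an added example that is not part of the thread or of any project's code. The legacy scheme (unsalted SHA-1 hex), the in-memory `$users` array and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const BCRYPT_OPTS = ['cost' => 12];

// A stored value that password_hash() did not produce is treated as legacy.
function is_legacy(string $stored): bool {
    return password_get_info($stored)['algoName'] === 'unknown';
}

// Verify a login and transparently upgrade the stored hash on success.
function login(array &$users, string $name, string $password): bool {
    $stored = $users[$name] ?? null;
    if ($stored === null) {
        return false; // unknown user, or legacy hash already retired
    }
    $legacy = is_legacy($stored);
    $ok = $legacy
        ? hash_equals($stored, sha1($password)) // assumed legacy scheme
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }
    // The plaintext is only available at login, so this is the one place
    // a legacy hash (or an outdated bcrypt cost) can be replaced.
    if ($legacy || password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    }
    return true;
}

// End of the grace period: drop remaining legacy hashes so those accounts
// must go through a password reset. Returns the affected user names.
function retire_legacy(array &$users): array {
    $reset = [];
    foreach ($users as $name => $stored) {
        if ($stored !== null && is_legacy($stored)) {
            $users[$name] = null;
            $reset[] = $name;
        }
    }
    return $reset;
}

// Constructed sample data: two accounts still on the legacy scheme.
$users = ['alice' => sha1('correct horse'), 'bob' => sha1('hunter2')];
var_dump(login($users, 'alice', 'correct horse')); // alice is upgraded
var_dump(is_legacy($users['alice']), retire_legacy($users));
var_dump(login($users, 'bob', 'hunter2'));         // bob must reset
```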

  • HairHeel@programming.dev · 28 upvotes · 11 months ago

    This is one of the things I talk about when people ask what the difference is between junior and senior developers.

    A lot of security is just box-checking. A lot of it is hypothetical and relies on attackers exploiting a chain of multiple bugs that they probably won’t ever find… But you still gotta fix it.

    There’s no point in being so proud of your code and dismissing security concerns because you’re arrogant enough to think it can’t happen to you. Just learn to fix it and move on with your life.

  • jon@lemmy.tf · 21 upvotes · 11 months ago

    Maybe someone should fork Opencart and patch the security vulnerabilities and try to drive people away from this guy’s repo, since he’s just combative anytime someone raises a concern.

    Or quit using his code altogether.

    • phx@lemmy.ca · 13 upvotes · 11 months ago

      Given a rant like this, I wouldn’t be trusting his code. Admin access to a backend and ability to write to the underlying filesystem+configs are two different layers. Yeah, in many cases they may be the same admin, but not necessarily. It also means a compromised admin UI user can modify the underlying system to hide their tracks.

      It’s like saying it’s ok to have a hypervisor breakout because it requires you to have root in the underlying VM to exploit and only trusted admins have root…

  • corsicanguppy@lemmy.ca · 13 upvotes, 1 downvote · 11 months ago

    I’ve been in this guy’s shoes.

    I used to code a particular project that was somewhat popular in its own little niche. Some guy trying to make a name for himself must have gone through the docs and done everything it said not to, then reported that in such a case, it’s insecure.

    The other project members and I basically said “well stop doing everything it says not to”. But Jerome makes a web page about it; generates a lot of buzz. We amended our docs to restate that if you do all the dumb things, you’ll look dumb. And we linked to his page.

    Not proud, but we had bigger fish to fry.

  • 7heo@lemmy.ml · 6 upvotes · edited · 11 months ago

    This is just pointless drama. It’s an emotional shitshow with way too much ego from all participants. The reaction from the Dev is actually bad, but the OG CVE is equally bad.

    On one hand, I don’t expect an app to let me inject code even as an admin. That’s just very bad form, and asking for trouble.

    On the other hand, arguably, if an attacker has admin access, you’re toast. So that’s also hardly a CVE.

    Now, all the involved people have terrible written expression, poor grammar, and are even omitting entire chunks of sentences.

    And then there’s the content… Nah, this is just noise. Absolute junk. Sorry, but IMHO this has nothing to do in this community.