The latest fixes as Yoda listed are still breaking out in errors when I visit a page with product options.
magicessence
27 Jul 2008 4:21 AM
I uploaded the block_order_info per Master Yoda's post at 7/26/08 12:52 PM
and options prices are zero again
SajMalik
27 Jul 2008 12:54 PM
Why don't you put in a support ticket?
- as my option prices still show after uploading the new files you should get your installation checked
on2dvd
29 Jul 2008 1:07 PM
I have Live Person which tracks visitors and the URLs they visit and even Google.
I just had someone from Saudi Arabia google and enter my site using the keywords.
Bloody heck.
Okay, I am not silly enough to put 100% trust in any developer to build 100% hacker-proof software. I understand that it is my responsibility to do the best I can to protect my customers' personal information from these people.
At least this has been patched now, but what about the future? There will be times that ViArt allow this to happen again; the hackers are always one step ahead.
For me, storing credit card numbers in the database is not an option anymore. Thankfully I was forced not to do this by my bank and I can now see why. I don't want to be at fault for hundreds of my customers' credit cards being compromised and I implore every single ViArt user to think about this very carefully...
What to do.
1) Remove all credit card numbers and security codes stored in the database. Did you know it is illegal to store security CNV codes? To do this, run the SQL query below:
update va_orders set cc_number='', cc_security_code='';
2) Get a payment gateway that is approved by your merchant bank (one that is reputable) and one that doesn't hold your money for you, rather is a simple connection to your bank. I.e., PayPal is not one of these, and I soon will be dropping PayPal as an option.
3) Destroy all credit card details from your personal computer if part of the number was emailed from the shop.
Gone are the days of being naïve about what your responsibilities are to your customers,
"It is also worth mentioning that ViArt stores all credentials in plain text, so once an attacker has the credentials he is guaranteed access to the application."
This is only true if you do not activate the MD5 option for password encryption in the Global Options. Unfortunately this is not set by default. We have set this and our passwords show up as an MD5 string in the SQL database, thus useless for an attacker to log in to the admin.
In addition we have also immediately installed the patches - so things should be OK for now.