
osCommerce

Project News for osCommerce

  • osCommerce 2.2 Milestone 2 060817 Update Released

    An update to the osCommerce 2.2 Milestone 2 version has been released that addresses security related issues and bug reports that exist in the released version.

    It is recommended that osCommerce 2.2 Milestone 2 store owners apply the changes to their installations because of the security issues and bug reports that have been fixed. The changes involved are minimal, do not break compatibility with contributions, and further strengthen the security of the shop installation.

    This update release focuses solely on security related issues and bug reports, and does not introduce any new features that have been made for the next development milestone release.

    This release is a full release package containing updated source files (including the updates from the 051113 Update release), documentation, and information on what changes have been made to easily apply to existing installations.

    This update release includes the following changes:

    * Magic Quotes Compatibility Layer Fix
    * Parse GET Variables In Cache Functions
    * PHP 3 Session ID XSS Issue
    * Product Attributes SQL Injection
    * Resize Images To Round Numbers
    * Use The Correct Country Name Value When Formatting Addresses
    * Prevent The Session ID Being Passed In Tell-A-Friend E-Mails
    * Properly Remove Deleted Products That Exist In Shopping Carts

    The documented changes found inside the download package can be seen here:

    http://www.oscommerce.com/ext/update-20060817.html

    The 2.2 Milestone 2 060817 Update release involves the following file changes for the security and bug fixes made:

    catalog/admin/includes/functions/compatibility.php (2 diffs)
    catalog/admin/includes/functions/general.php (1 diff)

    catalog/includes/classes/sessions.php (1 diff)
    catalog/includes/classes/shopping_cart.php (2 diffs)
    catalog/includes/functions/cache.php (4 diffs)
    catalog/includes/functions/compatibility.php (2 diffs)
    catalog/includes/functions/general.php (2 diffs)
    catalog/includes/functions/html_output.php (1 diff)
    catalog/shopping_cart.php (1 diff)
    catalog/tell_a_friend.php (2 diffs)

    We'd like to thank James Bercegay from GulfTech Security Research (http://www.gulftech.org) for bringing security issues to our attention.

    This update release can be downloaded from:

    http://www.oscommerce.com/solutions/downloads

    This announcement can be discussed on the community support forums at:

    http://forums.oscommerce.com/index.php?showtopic=223556

    2006-08-17 23:35:20 UTC by hpdl

  • osCommerce 2.2 Milestone 2

    We proudly present the immediate availability of the second milestone release of osCommerce 2.2, which is on demonstration at the LinuxTag 2003 event in Karlsruhe, Germany. The Milestone 2 release contains numerous updates to strengthen security on both the client and server sides of operations. osCommerce, formerly titled The Exchange Project, is a feature-packed, out-of-the-box online shop ecommerce solution for both PHP3 and PHP4 web servers. Maintenance is made easy with the friendly GUI that's given to the Administration Tool.


    The "Security and Privacy Proposal" was realized to strengthen security on the client side; its main purpose is to protect the client's session ID. This includes a 'force cookie usage' feature which prevents the session ID from appearing in the URL, a feature to prevent search engine spiders from generating session IDs which would otherwise be stored as part of their index, and verification of the client IP address, browser (user agent), and secure session ID (for SSL servers).
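    The three client-side protections above (force cookie usage, no sessions for spiders, and verification of IP address, user agent and TLS session ID on every request), written out as a small PHP session guard. This is an added example, not osCommerce code: the GUARD_* settings, the spider list and the `__guard` session key are hypothetical, it assumes PHP 7.3 or later, and the TLS check assumes Apache mod_ssl exports SSL_SESSION_ID to PHP (`SSLOptions +StdEnvVars`).

```php
<?php
// Added example (not osCommerce code): a session guard implementing the three
// client-side protections described above: force cookie usage, no sessions for
// spiders, and per-request verification of IP, user agent and TLS session id.
// Assumes PHP >= 7.3. The TLS check further assumes Apache mod_ssl exporting
// SSL_SESSION_ID to PHP ("SSLOptions +StdEnvVars"). All names are hypothetical.

const GUARD_FORCE_COOKIES        = true;  // never accept or emit a session id in the URL
const GUARD_CHECK_IP             = true;  // bind the session to the client IP address
const GUARD_CHECK_USER_AGENT     = true;  // bind the session to the User-Agent string
const GUARD_CHECK_SSL_SESSION_ID = false; // bind HTTPS requests to the TLS session id

// Constructed list of crawler User-Agent fragments; a store would load a maintained list.
const GUARD_SPIDERS = ['googlebot', 'bingbot', 'slurp', 'duckduckbot', 'baiduspider'];

function guard_is_https(): bool {
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function guard_is_spider(string $user_agent): bool {
    $ua = strtolower($user_agent);
    foreach (GUARD_SPIDERS as $needle) {
        if (strpos($ua, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// The values a session is bound to. The TLS id only exists on HTTPS requests,
// so it is only part of the fingerprint there.
function guard_fingerprint(): array {
    $fp = [];
    if (GUARD_CHECK_IP) {
        $fp['ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    if (GUARD_CHECK_USER_AGENT) {
        $fp['ua'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    }
    if (GUARD_CHECK_SSL_SESSION_ID && guard_is_https()) {
        $fp['ssl'] = $_SERVER['SSL_SESSION_ID'] ?? '';
    }
    return $fp;
}

function guard_stamp_client(): void {
    $_SESSION['__guard'] = guard_fingerprint();
}

// True when every stored fingerprint value matches the current request. A value
// seen for the first time (e.g. the first HTTPS request) is recorded, not rejected.
function guard_verify_client(): bool {
    if (!isset($_SESSION['__guard'])) {
        guard_stamp_client();
        return true;
    }
    foreach (guard_fingerprint() as $key => $value) {
        if (!array_key_exists($key, $_SESSION['__guard'])) {
            $_SESSION['__guard'][$key] = $value;
            continue;
        }
        if (!hash_equals((string)$_SESSION['__guard'][$key], (string)$value)) {
            return false;
        }
    }
    return true;
}

// Returns true if a session was started or resumed, false if the request is
// served without one (crawlers).
function guard_start_session(): bool {
    if (guard_is_spider($_SERVER['HTTP_USER_AGENT'] ?? '')) {
        return false; // no session id for a crawler to carry into its index
    }
    if (GUARD_FORCE_COOKIES) {
        ini_set('session.use_only_cookies', '1'); // ignore ?PHPSESSID=... in the URL
        ini_set('session.use_trans_sid', '0');    // never rewrite the id into links/forms
        ini_set('session.use_strict_mode', '1');  // reject ids this server never issued
    }
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => guard_is_https(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
    if (!guard_verify_client()) {
        // Hijacked or stale session: discard its data and issue a fresh id.
        session_unset();
        session_regenerate_id(true);
        guard_stamp_client();
    }
    return true;
}

// Usage at the top of every catalog page:
if (guard_start_session()) {
    $_SESSION['page_views'] = ($_SESSION['page_views'] ?? 0) + 1;
}
```

    Two caveats a store operator should weigh before turning on every check: the IP binding logs out customers whose address changes mid-visit (mobile carriers, rotating corporate proxies), and the TLS session ID is a weak anchor because it changes on renegotiation and TLS 1.3 no longer uses it for resumption, which is why it is off by default in this example.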

    The "Strip and Parse Proposal" and security audit updates were realized to strengthen security on the server side. This includes parsing all user input for storage and display purposes, and removing most PHP notice messages when error reporting is set to 'E_ALL'.
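    The server-side rule above, parsing every user-supplied value once for storage and again for display, shown as an added example in modern PHP rather than code from osCommerce. It assumes pdo_sqlite is available so the demo runs against an in-memory database; the function names and the reviews table are hypothetical, and the hostile input is constructed for the demonstration.

```php
<?php
// Added example (not osCommerce code) of the "strip and parse" discipline:
// values are normalised on the way into the database and HTML-encoded on the
// way out. Assumes PHP >= 7.1 with pdo_sqlite for the in-memory demo database.
// Function and table names are hypothetical.

// Input side: undo legacy magic quotes if that layer is still active, drop
// control characters a form should never submit, and trim.
function prepare_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value); // only relevant on PHP < 5.4 installations
    }
    $value = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $value);
    return trim($value);
}

// Output side: encode for an HTML text or quoted-attribute context.
function output_string(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The pattern this replaces (do not use): a quote inside $customer closes the
// string literal and the remainder of the value is executed as SQL.
function store_review_unsafe(PDO $db, string $customer, string $text): void {
    $db->exec("INSERT INTO reviews (customer, text) VALUES ('$customer', '$text')");
}

// Hardened form: parameters are bound, never interpolated, so quotes in the
// input cannot change the statement. The raw text is stored, not a mangled copy.
function store_review(PDO $db, string $customer, string $text): int {
    $stmt = $db->prepare('INSERT INTO reviews (customer, text) VALUES (:customer, :text)');
    $stmt->execute([
        ':customer' => prepare_input($customer),
        ':text'     => prepare_input($text),
    ]);
    return (int) $db->lastInsertId();
}

// Encoding happens at the output boundary, so the same stored row is safe
// whether it is later rendered in HTML, e-mail or JSON.
function render_review(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT customer, text FROM reviews WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return '<p><b>' . output_string($row['customer']) . '</b>: '
         . output_string($row['text']) . '</p>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reviews (id INTEGER PRIMARY KEY, customer TEXT, text TEXT)');

// Constructed hostile input: a quote-breaking name and a script tag in the review body.
$id = store_review($db, "O'Brien', 'x'); --", '<script>alert(document.cookie)</script> great shop');
echo render_review($db, $id), PHP_EOL; // the markup arrives in the browser as inert text
```

    The point of keeping storage and display as two separate steps is that neither substitutes for the other: a bound parameter says nothing about HTML, and htmlspecialchars() says nothing about SQL, so each boundary applies its own encoding.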

    Numerous layout changes have also been made throughout the Catalog to improve the user interface and experience for the customer, and the Installation and Update module has been updated with a new theme layout for a more simplified procedure for store administrators.

    Shared SSL servers are now properly supported, with the possibility to fine tune session and cookie related parameters for both normal HTTP server and secure HTTPS servers.

    We'd like to thank the community for the continuing support, with each Milestone release more exciting than the last release, we look forward to bringing you the remaining Milestone releases that will lead to a finalized and rock solid 2.2 release.

    A complete feature guide for osCommerce 2.2 will be presented when osCommerce 2.2 is finalized and released to the public.

    The latest milestone releases can be downloaded at:

    http://www.oscommerce.com/downloads/milestones

    The public Workboard is available at:

    http://www.oscommerce.com/community/workboard

    Keeping up to date with the project's progress can be done via the Weekly Summary reports at:

    http://www.oscommerce.com/community/weekly

    This announcement can be discussed at the community support forums here:

    http://forums.oscommerce.com/viewtopic.php?p=195296

    2003-07-14 12:06:52 UTC by hpdl

  • osCommerce 2.2 Milestone 1

    We proudly present the immediate availability of the first milestone release of osCommerce 2.2, our first public release in nearly two years since Preview Release 2.1. osCommerce 2.2-MS1 is bundled with the Catalog frontend and the Administration Tool backend, and is available in 3 languages - English, German, and Spanish.

    With a lot of work gone into the long development cycle, the release of 2.2-MS1 includes a wide range of feature enhancements, additions, and security updates that will form the rock-solid foundation which 2.2 and subsequent releases will be built on.

    Nearing the end of the long 2.2 development cycle, milestone releases are made to show what is expected for the 2.2 release.

    One of the most user friendly features introduced is the new web-based installation module, which can setup the database and configuration files automatically after providing some server parameter values. It is also possible to upgrade a Preview Release 2.1 database to the new structure, without losing product, customer, or order information. (As always, upgrading should be performed on a backup copy of the database first)

    User interface issues have been a top priority in the development cycle, with certain areas on the catalog having been updated to be more customer friendly, and at the same time increasing the performance in the backend where possible.

    Some areas are still pending to be updated, which will be performed in upcoming milestone releases.

    The quality of the 2.2 release will increase greatly with the milestone path set, as bugs can now be fixed against a frozen release instead of the daily development snapshot releases, making it easier for developers to pinpoint where the problem areas are and fix them accordingly.

    A Workboard is publicly available which shows the defined milestone path set, with specific amounts of work being attached to a specific milestone release, leading up to a finalized osCommerce 2.2 release package.

    We'd like to thank the community for their support during the long development phase, and we are excited to present the upcoming milestone releases in the near future.

    A complete feature guide for osCommerce 2.2 will be presented when osCommerce 2.2 is finalized and released to the public.

    The latest milestone releases can be downloaded at:

    http://www.oscommerce.com/downloads/milestones

    The public Workboard is available at:

    http://www.oscommerce.com/community/workboard

    Keeping up to date with the project's progress can be done via the Weekly Summary reports at:

    http://www.oscommerce.com/community/weekly

    2003-02-18 01:58:18 UTC by hpdl

  • New Support Site Online

    The new support site is now online, to meet the demands from developers, supporters, and users.

    The support services are currently offline due to the move to the new hosting server, but should go online piece-by-piece within the next few days.

    Until the nameservers are in sync, you can reach the new support site at:

    http://66.39.98.164/

    2001-10-12 12:02:16 UTC by hpdl