Is the track.db file a security risk?

greenspun.com : LUSENET : S-Mart Shopping Cart : One Thread

I want to start by stating that the S-mart script is great. It took a little while to get working but was well worth it in the end. I am still working on the shop and I will post it as soon as we are up and running.

My question: Isn't the track.db file a security risk? It seems as though anyone recognizing the S-mart script could call and download that specific file and retrieve all the Credit Card #'s. I tried it on my server and I got the numbers. Did I set something up wrong?

-- John Paulson (webmaster@accentech.com), June 26, 1998

Answers

*Yes* it is, this has been mentioned before, but should be repeated. The ability to view CC numbers through the web has been moved to the admin script, so that part of it has been fixed. However CC #s are still stored in clear-text in the track.db, which is a *bad thing*! So be careful =)

-- Barry Robison (brobison@stiusa.com), June 28, 1998.

Yes, it is. I renamed track.db to tdb.cgi and set file permissions to read-write-execute (all). I also save it in a different path than in the generic script. If someone does find the new path of the file, they will then have to figure out the new name, then they will receive a 'Server Error' when trying to view it.

You should also worry about securing the tracking script. This should be password protected. There are several scripts available for free that could be added with little effort. Just search.

-- Tom (replyhere@nomail.com), June 26, 1998.
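An added check, not part of this thread or of S-Mart, that a shop owner can run against their own tracking file to catch the three problems raised above: the file sitting under the web document root (where any file is fetchable by URL whatever it is renamed to), permission bits that leave it readable or writable by other accounts on the server, and card numbers kept in clear text. The directory layout and the sample order record are constructed; the "keep only the last four digits" form of the hardened copy is an assumption about the remedy, since the thread only states that clear-text storage is bad.

```python
import os
import re
import stat
import tempfile

PAN_RE = re.compile(r"(?<!\d)\d{13,16}(?!\d)")  # 13-16 digit runs, not part of a longer number

def luhn_ok(digits):
    """Luhn checksum: separates real-looking card numbers from order ids and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def audit_tracking_file(path, doc_root):
    """Return the findings for one cart data file such as S-Mart's track.db."""
    findings = []
    real, root = os.path.realpath(path), os.path.realpath(doc_root)
    if os.path.commonpath([real, root]) == root:
        findings.append("inside web document root")  # any name under here is fetchable by URL
    mode = stat.S_IMODE(os.stat(real).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("group/world readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world writable")
    with open(real, encoding="utf-8", errors="replace") as fh:
        pans = [m.group() for m in PAN_RE.finditer(fh.read()) if luhn_ok(m.group())]
    if pans:
        findings.append("%d clear-text card number(s)" % len(pans))
    return findings

def demo():
    """Constructed example: the same order stored the weak way and a hardened way."""
    base = tempfile.mkdtemp()
    doc_root = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(doc_root, "cgi-bin"))
    weak = os.path.join(doc_root, "cgi-bin", "track.db")   # under the docroot, mode 777
    with open(weak, "w") as fh:
        fh.write("1234567890123|John Doe|4111111111111111|06/98\n")  # constructed record, test PAN
    os.chmod(weak, 0o777)
    private = os.path.join(base, "private")                 # outside the docroot, mode 600
    os.makedirs(private, mode=0o700)
    hardened = os.path.join(private, "track.db")
    with open(hardened, "w") as fh:
        fh.write("1234567890123|John Doe|****1111|06/98\n")  # assumption: keep only last four digits
    os.chmod(hardened, 0o600)
    return audit_tracking_file(weak, doc_root), audit_tracking_file(hardened, doc_root)
```

`demo()` returns the findings for the weak layout first and an empty list for the hardened one; point `audit_tracking_file` at a real data file and document root to check a live install.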

