mariovaldez.net

MV.net forums
 Post subject: Is this program safe?
PostPosted: 24 Apr 2006, 06:32 
Is this program safe for my website? Because I have to open up a port, my administrator said it is not safe to run this program and that it leaves the server vulnerable to attacks.

I really would like to use this, but I am just a little worried. Someone please let me know the risks associated with using this program on my server. Thanks.


PostPosted: 25 Apr 2006, 02:23 
Joined: 06 Mar 2003, 03:21
Location: Monterrey, NL, Mexico
Mike:

> Is this program safe for my website? Because
> I have to open up a port, my administrator
> said it is not safe to run this program and
> that it leaves the server vulnerable to attacks. I really would
> like to use this, but I am just a little worried.
> Someone please let me know the risks
> associated with using this program on my
> server. Thanks.

Hi. Let's answer your question. Is OSCPMWin safe? The quick answer is: it depends. The long answer is:

Up to version 1.2.xxx the OSCPMWin application required a direct link to the MySQL database server. That link, by itself, is not safe. Why?
a) An attacker (most probably in your own LAN) could sniff the network traffic and see your database password, allowing him/her to see your orders.
b) If a vulnerability is found for your MySQL server version, an internet worm (for example) could infect your server or at least launch a DoS attack against your server.

That's why those versions of the OSCPMWin application included an SSH-tunnel feature. With the SSH tunnel, the traffic to your MySQL server is encrypted, and the link is not direct but tunneled (meaning the MySQL server receives the connection locally, from the tunnel). With the SSH tunnel, neither of the previous attacks can be executed.

Ok, with the new beta versions of OSCPMWin (versions 0.4.1.xxx) there is no need for a direct link to the MySQL database. The new beta versions use pure HTTP requests to do the SQL queries, communicating with the PHP server-side script. With these new versions, you can use the SSL package to encrypt all the communications between the OSCPMWin application and the server.

But even if you don't use the SSL encryption, your password is never sent by OSCPMWin, keeping it secure.


As the development of the old-style connection (the direct MySQL link) will be stopped in favor of the new pure HTTP link, I suggest you download the latest beta version and test it with your store. As this is a beta version, if you feel unsure, just browse your store and test the backup feature, the searching, etc. A final version will be released in less than two weeks.

Then you can ask your provider to close the MySQL port to keep your store secured.


Questions, comments, suggestions, etc., please post in the forums or contact me.


Regards,

Mario A. Valdez-Ramirez.
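The SSH-tunnel arrangement described in the reply above (the MySQL client talks to a local port, SSH carries it encrypted to the server, and the MySQL server only ever sees a connection from its own loopback interface), plus the follow-up step of closing the public MySQL port, as an added shell example. This is not OSCPMWin's own code or configuration; the host name shop.example.com, the SSH user shopadmin, the local port 3307 and the sample my.cnf are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not part of the OSCPMWin project. Shows an SSH local
# port-forward for MySQL and two checks a practitioner would want:
# that the tunnel's local end is bound to loopback only, and that the
# MySQL server itself no longer listens on a public interface.
#
# Assumed, hypothetical values: host shop.example.com, SSH user
# shopadmin, local port 3307, MySQL on its default port 3306.

# Print the ssh command that opens the tunnel.
#   -N : no remote shell, just the forward
#   -L : listen on 127.0.0.1:LPORT locally and deliver each connection
#        to 127.0.0.1:3306 *as seen from the remote host*, so MySQL
#        receives a local connection and the LAN only sees SSH traffic.
tunnel_cmd() {
    host=$1; user=$2; lport=$3
    printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:3306 %s@%s\n' "$lport" "$user" "$host"
}

# The MySQL client is then pointed at the local end of the tunnel.
# --protocol=TCP and 127.0.0.1 (not "localhost") force a TCP connection;
# with "localhost" the client would try the Unix socket instead.
client_cmd() {
    lport=$1; dbuser=$2; db=$3
    printf 'mysql --protocol=TCP -h 127.0.0.1 -P %s -u %s -p %s\n' "$lport" "$dbuser" "$db"
}

# Caveat: a forward bound to 0.0.0.0 (or opened with -g / GatewayPorts)
# turns the workstation into a MySQL relay for everyone on the LAN, which
# is the exposure the tunnel was meant to remove. Returns 0 only when the
# given bind address is a loopback address.
bind_is_loopback() {
    case $1 in
        127.0.0.1|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Once everything goes through the tunnel, MySQL should stop listening on
# a public interface. Reads a my.cnf from stdin and returns 0 if the
# [mysqld] section has skip-networking, or its last bind-address is a
# loopback address; returns 1 otherwise (including when no bind-address
# is given at all, since the server then listens on every interface).
mysqld_loopback_only() {
    awk '
        /^[[:space:]]*\[/ { sect = $0 }
        sect ~ /\[mysqld\]/ && /^[[:space:]]*skip-networking/ { skip = 1 }
        sect ~ /\[mysqld\]/ && /^[[:space:]]*bind-address[[:space:]]*=/ {
            split($0, kv, "="); gsub(/[[:space:]]/, "", kv[2])
            loop = (kv[2] == "127.0.0.1" || kv[2] == "::1" || kv[2] == "localhost")
        }
        END { exit (skip || loop) ? 0 : 1 }'
}

# Constructed sample config for the demonstration (not from a real server).
SAMPLE_CNF='[client]
port = 3306

[mysqld]
port = 3306
bind-address = 127.0.0.1
'

# Demonstration when run directly.
tunnel_cmd shop.example.com shopadmin 3307
client_cmd 3307 storeuser storedb
bind_is_loopback 127.0.0.1 && echo "tunnel bind OK (loopback)"
bind_is_loopback 0.0.0.0 || echo "tunnel bind NOT OK (exposed to LAN)"
printf '%s' "$SAMPLE_CNF" | mysqld_loopback_only && echo "mysqld listens on loopback only"
```

Run the printed ssh command in one terminal and the printed mysql command in another; once the store works through the tunnel, set bind-address = 127.0.0.1 on the server (and drop the firewall rule for 3306) so the direct MySQL port is no longer reachable from the outside, which is the "ask your provider to close the MySQL port" step of the reply.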

