mariovaldez.net
http://www.mariovaldez.net/webapps/forums/

Is this program safe?
http://www.mariovaldez.net/webapps/forums/viewtopic.php?f=12&t=315
Page 1 of 1

Author:  Mike [ 24 Apr 2006, 06:32 ]
Post subject:  Is this program safe?

Is this program safe for my website? Being that I have to open up a port, my administrator said it is not safe to run this program, and leaves it vulnerable to attacks.

I really would like to use this, but I am just a little worried. Someone please let me know the risks associated with using this program on my server. Thanks.

Author:  mvaldez [ 25 Apr 2006, 02:23 ]
Post subject:  Use SSH or better yet... try the new beta version...

Mike:

> Is this program safe for my website? Being
> that I have to open up a port, my administrator
> said it is not safe to run this program, and
> leaves it vulnerable to attacks. I really would
> like to use this, but I am just a little worried.
> Someone please let me know the risks
> associated with using this program on my
> server. Thanks.

Hi. Let's answer your question. Is OSCPMWin safe? The quick answer is: it depends. The long answer is:

Up to version 1.2.xxx the OSCPMWin application required a direct link to the MySQL database server. That link, by itself, is not safe. Why?
a) An attacker (most probably in your own LAN) could sniff the network traffic and see your database password, allowing him/her to see your orders.
b) If a vulnerability is found for your MySQL server version, an internet worm (for example) could infect your server or at least launch a DoS attack against your server.

That's why those versions of the OSCPMWin application included an SSH-tunnel feature. With the SSH tunnel, the traffic to your MySQL server is encrypted, and the link is not direct but tunneled (meaning the MySQL server receives the connection locally, from the tunnel). With the SSH tunnel, neither of the previous attacks can be executed.

OK, with the new beta versions of OSCPMWin (versions 0.4.1.xxx) there is no need for a direct link to the MySQL database. The new beta versions use pure HTTP requests to do the SQL queries, communicating with the PHP server-side script. With these new versions, you can use the SSL package to encrypt all the communications between the OSCPMWin application and the server.

But even if you don't use the SSL encryption, your password is never sent by OSCPMWin, keeping it secure.


As the development of the old-style connection (the direct MySQL link) will be stopped in favor of the new pure HTTP link, I suggest you download the latest beta version and test it with your store. As this is a beta version, if you feel unsure, just browse your store, test the backup feature, the searching, etc. A final version will be released in less than two weeks.

Then you can ask your provider to close the MySQL port to keep your store secure.


Questions, comments, suggestions, etc., please post in the forums or contact me.


Regards,

Mario A. Valdez-Ramirez.
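The property claimed in the reply above ("your password is never sent") can be achieved with a challenge-response exchange between the desktop application and the server-side script. The following is an added illustration of that idea, not OSCPMWin's own protocol or the PHP script's code; the shared password, the SHA-256 key derivation, the 16-byte nonce and the Server/Client classes are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in a real deployment this would be the store's
# administrator password, which must never travel over the network.
STORE_PASSWORD = "constructed-example-password"


class Server:
    """Role of the server-side script: issue a one-time nonce, verify the
    client's HMAC over (nonce || query), and only then run the query."""

    def __init__(self, password: str) -> None:
        # Keep a derived key rather than the clear password (assumed design).
        self.key = hashlib.sha256(password.encode()).digest()
        self.open_nonces: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.open_nonces.add(nonce)
        return nonce

    def handle(self, nonce: bytes, query: str, tag: bytes) -> bool:
        # Each nonce is accepted once, so a captured request cannot be replayed.
        if nonce not in self.open_nonces:
            return False
        self.open_nonces.discard(nonce)
        expected = hmac.new(self.key, nonce + query.encode(), hashlib.sha256).digest()
        # Constant-time comparison: no timing leak about how many bytes matched.
        return hmac.compare_digest(expected, tag)


class Client:
    """Role of the desktop application: prove knowledge of the password
    without ever putting it on the wire."""

    def __init__(self, password: str) -> None:
        self.key = hashlib.sha256(password.encode()).digest()

    def sign(self, nonce: bytes, query: str) -> bytes:
        return hmac.new(self.key, nonce + query.encode(), hashlib.sha256).digest()


def run_query(server: Server, client: Client, query: str) -> tuple[bytes, bytes, bool]:
    """One exchange. Only nonce, query text and tag cross the network; the
    returned tuple is exactly what a sniffer on the LAN could capture."""
    nonce = server.challenge()
    tag = client.sign(nonce, query)
    return nonce, tag, server.handle(nonce, query, tag)
```

Note that without SSL the query text and the results still travel in the clear, so this protects the password but not the confidentiality of the orders, which is why the reply still recommends the SSL package.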

All times are UTC - 7 hours