
Should We Use OpenCart?

As a continuation of my research into choosing an appropriate shopping cart application for an upcoming project I’m working on, I chose to review OpenCart this time. To be honest, I hadn’t even heard of OpenCart until one of the comments from the last post turned me on to it, but after reviewing it I am glad I did.

[Image: OpenCart logo]

As mentioned above, OpenCart is another e-commerce platform useful for setting up an online storefront. OpenCart is released under the GNU General Public License version 3 (GPLv3), which means it’s freely available for anyone to use, and since OpenCart is written in PHP it’s right in my wheelhouse. The main developer of OpenCart is Daniel Kerr who, from what I can gather, is over in Great Britain but is not the Australian rules footballer (in case there was some confusion from any Aussies).

Anywho, OpenCart has a lot of good features available out of the box, with my favorites being the Backup Manager, User Groups, really nice localization (l10n) and internationalization (i18n) options, support for multiple stores and a slick reporting overview. OpenCart also has the one feature I personally love from any and all e-commerce packages: Guest Checkouts. Personally, when I’m buying something from an online store that’s not a 500 pound gorilla like Amazon or Best Buy I hate signing up for an account. Guest checkout is the shit.

The code is really well structured and thought out; it uses a nice implementation of the MVC pattern, which made things ridiculously easy to walk through and find out what was going on under the hood. OpenCart appears to be using a home grown MVC framework which, while in my opinion a little unnecessary, isn’t at all a big deal. Unfortunately, the code appears to be open to Cross Site Request Forgery (CSRF) attacks and other security issues. More on this in a minute.

The OpenCart administration module is attractive and laid out logically. Everything is ready and available in such a way that most people with experience working with administration panels would feel right at home. It should be noted though that the administration panel will NOT work in Internet Explorer 6.

[Image: OpenCart Dashboard]

Naturally, OpenCart also ships with the ability to have custom themes, and the default theme that ships with OpenCart is quite attractive too. After reviewing the procedure for creating themes though, I have to say that I’m not even a little impressed with how themes are supposed to be created; they appear, in my opinion, to be overly complicated, a little convoluted, and they deviate from the traditional manner used with countless other open source projects.

[Image: OpenCart Store]

OpenCart has a basic module system though it isn’t what, in my experience, should be considered a module system; in OpenCart a module is more of a sidebar widget. A small distinction to be sure and not really an issue; more of an inconvenience of nomenclature than anything else but something that drives me nuts (can’t we all agree on what these terms mean already?).

There’s also a lot of manual intervention needed when configuring the system. Want to add a module? FTP the module, go to the module section of the admin, click install, click edit and fill out the form (be sure to enable the module too). Want to turn on search engine friendly URLs? Rename the file .htaccess.txt to .htaccess (through FTP or similar), then go to the administration panel, then to the settings area to enable it. Not at all user friendly, in my opinion.

There are other issues with OpenCart, like the flow for adding images to a product being pretty convoluted, but those are all small in the grand scheme (pretty much all my gripes can be, rightfully, dismissed as design decisions I don’t agree with). Fair enough. What isn’t acceptable is the complete lack of respect the developer has for security in OpenCart or the developers who try to help out in general. This, I’m afraid, is a deal breaker.

May 2010 was actually a pretty fortuitous time for me to research OpenCart; as soon as I began looking into the program I started seeing some discussion on OpenCart which led me to a forum post on the official OpenCart forums. Another developer had some suggestions on how to improve the style and conventions of OpenCart and, well, Daniel really showed his ass.

Then, not a week later, I see that there’s another war going on between Daniel and a developer who found some pretty nasty CSRF issues. Again, Daniel showed his ass (along with a good helping of ignorance mixed with arrogance this time) with nothing being resolved.

This was truly the breaking point for me. Why in the world would I ever use software written by someone who, when confronted with the issues, acts like nothing’s wrong? Nope. I have people relying on me to make choices that won’t, you know, ruin their business, and OpenCart, for all its bells and whistles and nice code and pretty administration panel, is a horrible platform because the developer refuses to do anything about issues when presented with them.


Tags: e-commerce, opencart

This entry was written by Eric Lamb and posted on Tuesday, May 25th, 2010 at 12:00 am and is filed under Brain Dump, Programming. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.

39 Comments

  1. Mohammad Umer says:
    May 25, 2010 at 5:49 am

    Dear Sir, I am not here to comment on your post. I just need your little help. Is multiple store functionality possible in OpenSort? Please, reply! Your help will be appreciated.

    • Eric Lamb says:
      May 25, 2010 at 12:17 pm

      Yup; multiple stores are possible though it’s not so straightforward as I would like to setup.

      • Joseph De Araujo says:
        June 24, 2010 at 5:28 pm

        Yeah, it’s a multi store, but not a multi vendor. It shouldn’t be too hard to nut it out especially in a MVC system, so if no one else does it, I’m going to eventually give it a try.
        I think I read on the forums that Opencart is not ever going to go this way anyway, but it would be a nice system to have. Maybe even a parallel fork that is constantly updated with the features of the most current system – as they would be so similar anyway.

  2. Daniel says:
    May 26, 2010 at 2:26 pm

    I think there is something wrong with you to be posting my comments in your blog. Nice review of opencart but there is a lot i don’t agree with. You are comparing opencart to which applications? When you claim adding images to a product being pretty convoluted? what application does this better?

    “Another developer had some suggestions on how to improve the style and conventions of OpenCart and, well, Daniel really showed his ass.”

    The developer was not being helpful and was quite misinformed about the right way to do things.
    He was spreading misinformation about opencart to anyone visiting the forums.

    “pretty nasty CSRF issues. Again, Daniel showed his ass (along with a good helping of ignorance mixed with arrogance this time) with nothing being resolved.”

    This will be resolved in the next version. I never said i was not going to fix it but i got sick of the guy harassing me about it. The amazing thing is when i told him to stop bothering me he posts in his blog to everyone, look what he said look what he said to me!

    If you’re such a good programmer then please post me the best application you have written! Post me something that has more features than opencart or better web design since I did everything from the artwork, db, html, css javascript and php my self.

    Fucking grow up you idiot!

    • Eric Lamb says:
      May 26, 2010 at 3:44 pm

      Hi Daniel,

      I admit, I am arrogant and cocky and, sometimes I like to act superior too (just ask my girlfriend :) ). I know this about myself and, you know what? It’s not a big deal because I listen to feedback and criticism with respect and don’t turn into a child at the helpful, yet sometimes redundant, criticism.

      I wasn’t comparing OpenCart to anything in particular; the point of the post (which I admit may have been unclear) was to evaluate OpenCart for an upcoming project I have planned. So, it was a broad review focusing on features, code, stability and community. To be honest with you, OpenCart far exceeded my expectations in all aspects except community and stability. You’ve truly put together an amazing project and you should be proud.

      That being said, your attitude and response to criticism is, like I said in the post, abysmal. Frankly, obnoxious and immature would be a step up at this point. Do you not recognize that OpenCart and you are, at this point, synonymous? Your behavior reflects upon the project man and right now, you make your amazing and wonderful project look like a ghetto of childish behavior and incompetence. Even having gone through the code and basically falling in love with the parts and components and the very philosophy of the code it’s a no-go because instead of focusing on damage control you’re fanning the flames and allowing the trolls something to discuss. My clients don’t want to lose money man and I have no faith that OpenCart is secure. Deal with it.

      Even your comment on this post starts out so nice but quickly ends with you, once again, showing your ass. How mature do you think it looks that you sign off with something so base (and lacking in imagination) as “Fucking grow up you idiot!”?

      My comments about the Image Manager stemmed from the lack of an instinctual process. When adding an image it is not at all intuitive to click on the unmarked image next to the thumbnail after clicking “Add Image”. Add to that the fact that if there are any form submission issues all the images are lost. This is a problem. If you don’t agree, well it’s your project man, do what you want. Bitching about the criticism doesn’t solve a thing though. Ever. Own that someone disagrees with you (like this is the first or last time that’s going to happen) and be honest; anything less makes you and OpenCart look less, ahem… open.

      I have no doubt that, to you, in all your intelligence, the user in the forums was wrong. As I said, your code is GOOD. But, what kind of a response was that? What possible outcome were you expecting other than to get completely outed saying such things and calling people names and, basically, just being a jerk?

      A far better response would have been to either ignore the post (I tend to ignore the things I don’t agree with rather than fight) or been a professional and just said “Thanks, I’ll take it under advisement.”.

      I’m glad to hear that the CSRF issues will be resolved in the next release. From your responses and, what appeared to be, ignorance on the topic (with comments about virus protection making the issue moot) it appeared that this was NOT going to happen without a fork.

      As for Ben and his post, it’s the Internet man and those of us with blogs (myself included), well we’re all attention whores. Personally, I see no problem with him making the communication public simply because from the language it DIDN’T look like you were going to take it seriously. That’s a problem that required the drastic step. Were you to be responsive and open Ben would be the dick for his post. As it stands though, I look at Ben’s post as a warning to everyone currently using OpenCart as to the security holes that it looked like you were either ignorant of or ignoring.

      As to my chops as a programmer (really?!?! that’s the tack you’re taking?) take a look at my portfolio.

      Thank you for taking the time to respond to my points Daniel. I can only imagine the constraints on your time and I do appreciate the opportunity to discuss this post with you.

      Eric

    • Macky says:
      July 26, 2010 at 5:47 pm

      Wow. this Daniel guy is truly a moron. He doesn’t understand CSRF (duhh.. yeah, you have to be logged in…. and click a link…. OR view a page with the link embedded as img src… ever so unlikely!). Like he’s never even heard of CSRF and has no idea why every framework includes anti-CSRF tokens. And then on top of it, he acts all angry?

      It’s rare to see such complacent stupidity. Actually arguing against fixing this… wow…. I certainly will never use OpenCart.

  3. Lexie says:
    May 26, 2010 at 4:26 pm

    I want to defend Opencart. It is truly not a horrible platform to us ‘civilians’ – quite the contrary! :) I’ve been blown away by it.

    OK, I’m not a developer – but I have spent a lot of time trying other carts. These include the Cube and Prestashop. Prestashop is good, but not quite there for us at this time.

    Opencart contains a lot of functionality that users need, by which I mean shop owners AND customers: but it isn’t top heavy with a lot of functions you don’t need.

    For example, I don’t want something that tracks inventory and creates invoices, and emails my customers every time I blow my nose :) Just kidding, but I already have inventory tracking and an accounting system. I just need a selling framework.

    On top of that, this cart offers a gorgeous shopfront out of the box, the same for the admin side; a guest checkout (fab); attractive and easy checkout process (vital), ajax functionality, which means the shopper isn’t bounced out to checkout every time they add to cart, and it’s fast loading too. I also figured out how to customise it a lot faster than the other ones I tried. I haven’t really had a problem with modules either, but maybe I’m not smart/experienced enough to notice issues there.

    I gather you’re not impressed with theme generation, though, Eric. I had a much harder time with Prestashop, but that is also probably because I’m a ‘civilian’. ;)

    The security flaws have either been fixed or will be shortly. There WAS a lot of hot air about that. I hope people won’t be afraid of raising concerns again, without it turning into a flame war, which solves nothing.

    BTW I’m not going to excuse rudeness, not at all. I just think it would be a shame to reject software because of personality problems…..though I guess you are concerned about your clients, which is not an issue for me. Still, if all successful software developers were always nice to everyone, where would (*unnamed billionaire*) or (*unnamed millionaire*) be? ;)

    Interesting post, though, and so is the one on Prestashop. Thank you.

    • Eric Lamb says:
      May 26, 2010 at 4:55 pm

      Hi Lexie,

      I couldn’t agree with you more! OpenCart is a very nice piece of software in every way imaginable with the exceptions being, as I laid out above, the security flaws and the community. In fact, I was so blown away by it that until I started digging into the community I had already begun convincing the team that this was the one to go with.

      None of the issues I saw as far as theme generation, image manager or anything having to do with the actual interface were relevant compared to the gain from the whole. Subjectivity should never be used for this type of decision.

      It’s just, as you said, I have to worry about my clients. But that worry, and the cost associated with anything going wrong, can NOT be underestimated and from what I witnessed the OpenCart developer was ignorant of the most basic security concerns and turned downright confrontational when confronted with it. No matter how good a program is, or how much I like a program, I can’t (hell, won’t) put my client’s financial security at risk like that.

      That being said though, I am really optimistic about OpenCart and if the security holes are fixed ASAP then I see no reason why it couldn’t overtake the competition and become the standard. I do believe Daniel has the talent, skill and knowledge to do just that (no pressure there…) he just, and this is only my opinion here, has to fail more and get used to the Internet trolls (also, not an easy thing to do but a necessary growing pain that he HAS to go through anyway).

      Thanks again Lexie,
      Eric

      • Lexie says:
        May 27, 2010 at 1:17 pm

        Thank you very much for replying, Eric, I really appreciate it.

        I think I understand your point more clearly. You’re not concerned with security flaws per se (which seem common enough), nor even personalities: but there is a question mark in your mind about whether future problems will be properly dealt with? And your risk assessment strategy tells you not to proceed at this time. I think anyone would respect that.

        I may feel confident, and whilst I do think Daniel and the team will come through, I’ve only got myself to answer to if I’m wrong. And as I said, quite seriously, I don’t have enough knowledge to make a good judgment on some of the matters you mentioned.

        Can I say that I’m impressed by your magnanimity and willingness to keep an open mind. Wish I could afford your services to build my shop…but then I’d make you use Opencart! :)
        Keep smiling, L

        • Eric Lamb says:
          May 28, 2010 at 4:08 pm

          Hi Lexie,

          You almost had it; I’m also really concerned about the security holes. I could never recommend or install a program that had known security holes and weren’t fixed. This could be mitigated through confidence that the developer would have the issue fixed shortly but, in this case, it didn’t look like Daniel would even do that much.

          Every program has bugs and every program has security holes. We worry about the ones we don’t know about but when we KNOW about one, it should never be a concern because it’s fixed ASAP. This one has been known about in OpenCart for 4 months and nothing has been done about it except talk about how nothing will be done about it.

          Eric

  4. Daniel says:
    May 26, 2010 at 4:43 pm

    ok many thanks and sorry about the rudeness. I just get pissed at all the stupid stuff a minority of people are saying.

  5. aris says:
    May 27, 2010 at 3:34 pm

    I have narrowed my choice down to Opencart, Zen Cart and PrestaShop.

    Out of all of those, the only one who seems to have a face is Opencart.

    Considering I am also liking the feature set and GPL license … I think I will pick Opencart.

    • Eric Lamb says:
      May 28, 2010 at 3:23 pm

      Wow, it’s funny how the exact same comment came from a different IP address and a different email address and was flagged as spam. I’m leaving this here so people will know that this was SPAM!! SPAM!! SPAM!!! SPAM!! SPAM!! SPAM!!! SPAM!! SPAM!! SPAM!!!

  6. Daniel says:
    May 27, 2010 at 3:55 pm

    I am very concerned about security. If I find something that needs fixing I will fix it. Look at my past releases. If people report a bug it’s normally fixed and a new release is out the next day.

    I have found though that a lot of the people that are leading the current charge against OpenCart are ex-members who have been banned for trying to fork the project or people that have been banned not just by me but other moderators.

    If I had listened to this guy:

    http://forum.opencart.com/viewtopic.php?p=72582#p72582

    I would have put the project back about 2 years. I have enough experience with PHP and OOP to know which are the right ways and wrong ways of coding applications.

    As for the CSRF problem. The risk is very low and it was going to be addressed. The problem is though to create a token would mean changes to every admin page. To be honest the CSRF should not happen, but because the browsers have changed their behaviour and kept cookies cached even after the browser was closed it causes problems. If you click a link from an email then cookies in another tab should not be transferred to the new tab if the cookie had a lifetime of 0. The lifetime set to 0 means the cookie dies after you close the browser and should not be passed to any other window or tab.
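The post's CSRF finding and the comment above (which worries that a token "would mean changes to every admin page") both come down to the same design point: the browser attaches the session cookie to any request for the admin origin, whatever page or tab triggered it, so the server has to demand a second secret that a cross-site page cannot read. The example below is added here and is not OpenCart's code: a per-login token issued once, appended to admin forms and URLs (JSON endpoints included), and verified in one place in a hypothetical front controller before any admin route is dispatched, so individual admin pages do not each need their own check. All function names, the `route`/`token` parameter names and the exempt-route list are assumptions for illustration.

```php
<?php
// Added example, not OpenCart's own code. Per-session CSRF token issued at
// login and verified centrally for every admin request except the login route.
// Assumed (hypothetical) names: csrf_issue_token, csrf_field, csrf_url,
// csrf_verify_request, and a front controller that calls the last one first.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'admin_csrf_token';
const CSRF_PARAM       = 'token';

// Issue a fresh token once per login, right after the session id is
// regenerated. The token lives only server-side (in the session) and in
// pages rendered for this user; a cross-site page cannot read either.
function csrf_issue_token(array &$session): string
{
    $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    return $session[CSRF_SESSION_KEY];
}

// Hidden field to drop into every admin HTML form.
function csrf_field(array $session): string
{
    $token = $session[CSRF_SESSION_KEY] ?? '';
    return '<input type="hidden" name="' . CSRF_PARAM . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Append the token to admin links and AJAX/JSON URLs, since GET-driven
// admin actions are forgeable too and must carry the token as well.
function csrf_url(string $url, array $session): string
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . CSRF_PARAM . '=' . rawurlencode($session[CSRF_SESSION_KEY] ?? '');
}

// Central check run by the front controller before dispatch. Only the
// routes in $exemptRoutes (e.g. the login page itself) skip it. The token
// may arrive in the query string or the POST body; comparison is
// constant-time so the check does not leak the token byte by byte.
function csrf_verify_request(array $query, array $post, array $session, array $exemptRoutes): bool
{
    $route = $query['route'] ?? '';
    if (in_array($route, $exemptRoutes, true)) {
        return true;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? null;
    $supplied = $post[CSRF_PARAM] ?? $query[CSRF_PARAM] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied);
}

// Demo with a constructed in-memory session (no real login involved).
function csrf_demo(): array
{
    $session = [];
    $token   = csrf_issue_token($session);
    $exempt  = ['common/login'];

    return [
        // A forged cross-site form POST: the browser sends the cookie, but the
        // attacker's page cannot know the token, so the request is refused.
        'forged_post_rejected'  => !csrf_verify_request(
            ['route' => 'user/user'], ['name' => 'x'], $session, $exempt),
        // A token from a previous login no longer matches the session copy.
        'stale_token_rejected'  => !csrf_verify_request(
            ['route' => 'user/user', 'token' => str_repeat('0', 64)], [], $session, $exempt),
        // A form rendered by the admin UI carries the current token and passes.
        'legit_post_accepted'   => csrf_verify_request(
            ['route' => 'user/user'], ['name' => 'x', 'token' => $token], $session, $exempt),
        // A tokenised JSON/AJAX URL passes as well.
        'legit_json_accepted'   => csrf_verify_request(
            ['route' => 'catalog/product/autocomplete', 'token' => $token], [], $session, $exempt),
        // The login route is exempt because no session token exists yet.
        'login_route_exempt'    => csrf_verify_request(
            ['route' => 'common/login'], [], [], $exempt),
        'field_markup'          => csrf_field($session),
        'url_with_token'        => csrf_url('index.php?route=user/user', $session),
    ];
}

print_r(csrf_demo());
```

Running the file from the command line prints the five boolean checks as `1` (true) along with the rendered hidden field and tokenised URL. Because the check sits in the front controller, adding a new admin page requires no extra code beyond rendering `csrf_field()` or `csrf_url()`; the cookie lifetime discussed above is irrelevant to the defence, since the browser is behaving as designed when it sends the session cookie, and the token is what breaks the forgery. Marking the session cookie `SameSite=Lax` is a worthwhile extra layer in modern browsers, but it does not replace the token.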

    • Eric Lamb says:
      May 28, 2010 at 4:04 pm

      Hi Daniel,

      I have no doubt that by your standards you’re up on the security fixes. The thing is though that Ben put forth his post in January (4 freaking months ago?!?!?) and you have yet to do anything about the issue but pass the buck and call people names.

      Listening to your peers is an important part of being a professional. Believe me, if you think you’re smarter than everyone else in the world you’re sorely mistaken. In my experience, those who think they’re smarter and better than everyone else are usually so blinded by their individual glory and achievements as to have lost all perspective. A dangerous place for anyone but especially programmers because of the potential damage that can be caused.

      So, if the suggestions in the forum post (and, to me, they appeared to be suggestions) weren’t agreeable to you why not just explain that like an adult? Why go off the deep end and start calling him names and being a jackass about the whole thing? Was it at all worth it? Do you enjoy having your credibility called into question and responding to random people on the Internet?

      Point being though that I don’t think there was any expectation that you accept all his suggestions verbatim and without question. That would be ridiculous. What was expected though was that you would respond like an adult and a professional. Instead, you went the way you did and probably started all of this (that’s the order I started seeing everything anyway).

      As to the risk of a CSRF attack, it may be low for you (and I disagree that the risk is low) but not for those of us who are responsible for the choices we make. Think about it man, there’s a bug in your software that has the potential to destroy someone’s business and livelihood. So what if you think it has a low chance of happening? If a high profile site was using OpenCart and someone targeted them they would be hosed. End of story. This is NOT outside the realm of possibility and considering the stakes it’s just atrocious risk management not to fix ASAP much less 4 months later.

      And, yes, in a perfect world where the browsers all work the way we each want then CSRF wouldn’t be possible. But you know what? They DON’T. Wish all you want but the browsers work the way they do and there’s NOTHING you can do about it (at least anytime soon). To try and pawn the fact that YOUR code has a security hole onto the browsers is just lame. You need to build for reality instead of an idealized fantasy where browsers don’t have security vulnerabilities. Make your peace with that ASAP. Please, for all our sakes :)

      It’s your project and your code and IT’S YOUR FAULT. Stop looking for scapegoats and just fix it already.

      Or don’t. But don’t be surprised when people start talking about OpenCart being insecure and written by a developer who doesn’t care about his project enough to make sure that KNOWN security holes are fixed in a timely fashion.

      You have a choice here man, you can either step up and join the big boys in the big boy world or you can expect OpenCart to join the ghetto along with Oscommerce, ZenCart and Dolphin CMS. It really is that simple.

      If it sounds like I’m being harsh it’s because I’m very familiar with this situation; I know the logic doesn’t escape you either which makes the whole thing sound like a discussion about ego vs logic. I also know that you’re a really talented programmer who could whip out a solution if you just wanted to. Please do.

      Eric

  7. david says:
    June 5, 2010 at 5:14 pm

    Daniel will do fix in the next version, can’t wait for the new release!! after the next release, I think opencart will be the king!

  8. Alex says:
    June 21, 2010 at 10:38 pm

    Daniel man, you need to start treating other people that are trying to help you with some respect. You may disagree 100% with them, but swearing at them, what will that solve? It just makes you look childish.

    If you keep this up, what do you think is going to happen when people Google your name about web development?

    Also, if a store does fall victim to CSRF, what do you think will happen to the reputation of OpenCart?

  9. Joseph De Araujo (Readyman) says:
    June 22, 2010 at 5:35 am

    Opencart is great, & from the way I see it, built in a very similar way to the CodeIgniter MVC framework. It’s a great separation of presentation and logical code.
    You should definitely give it a shot.
    I can see that Daniel is still learning about public relations and internet etiquette, or maybe he’s decided that this is the way he wants to conduct himself, I don’t know; but it shouldn’t have any bearing on your choice of shopping cart and doesn’t reflect on the rest of the Opencart community. Daniel hasn’t added or subtracted anything from my personal experience of Opencart, so I’m sure you will be able to look at the code on it’s own and find it useful.

    • Alex says:
      June 24, 2010 at 5:20 pm

      I’m not saying I wouldn’t give it a go for a future project. I will always consider a project based on the project, not the people who are involved.

      For one, I love the Kohana framework, but I have seen the BDFL be a bit harsh on new users (this has seemed to have stopped however).

      I wouldn’t use OpenCart until the CSRF stuff is fixed, and the attitude towards security from its developers is taken more seriously. I’d seriously love to consider it one day soon.

      BTW, Daniel, you can be commended for creating a popular open source cart. We all know that is no easy task.

      Happy coding!

  10. Daniel Kerr says:
    June 22, 2010 at 6:04 am

    I like how the title of this blog is “Should We Use OpenCart”.

    The author of the blog seems to think he has some big following and that his opinion actually matters to a lot of people.

    Same with Alex, who thinks hes talking for an entire community of opencart users. I already have a very strong community that supports my work and my teams work. There are a lot more blogs, forum messages etc.. that are in favour of using OpenCart.

    So far the people I have had a go at were not part of the community and only registered on my forums to give their unwanted opinions. They were unwanted because the person did not have the experience to understand the coding decisions I had made and decided to criticise the project for them.

    As for Ben and his CSRF blog, it’s funny that when I told him to get lost he starts his own OpenCart fork. I told him where to go once and had to tell him a second time after he started advertising his fork in the forums.

    • Joseph De Araujo (Readyman) says:
      June 22, 2010 at 6:16 am

      This is his blog… he can say anything he wants, everything that’s true, and everything that’s not.

      That’s why you need to stay away from this stuff Daniel, it’s not good for your reputation & it’s not good for the Opencart community as a whole.
      If you see negativity, or criticism that frustrates you, seriously, get out of there – Don’t answer it. It doesn’t require a response from you. PM me or email me and I’ll deal with it or just let someone else step in. You don’t need to turn a simple support request into a personal attack.

    • Eric Lamb says:
      June 22, 2010 at 3:37 pm

      Daniel,

      We’ve already been over this; you and I already had what I thought was a pleasant discussion. I had thought you were moving on man. I’m disappointed you’re still quick to go on the offensive…

      Let it go.

      Eric

  11. Sun yen says:
    June 28, 2010 at 9:47 am

    pleasant conversation?? if you really read through all the comments here, you can see how mr eric here non-stop criticising Daniel even after he apologised and offering a fix..yes he is rude with words but can fully understand why he is mad and can’t put up with all these craps..for God’s sake people please be a bit more grateful and know he doesn’t owe you a single cent..if you don’t like it don’t use it, not posting stuff like this and pretend to be professional…what gives..? no I’m neither Daniel nor related to him but someone from Malaysia since you are going check my ip and what not…(sorry I really can’t stand sht like this)

    • Eric Lamb says:
      June 28, 2010 at 3:13 pm

      Hi Sun yen,

      I’m sorry you feel that we’re all ganging up on Daniel; that’s not obvious to me when I read through the thread but I could be too close. What is obvious, to me at least, is that Daniel keeps responding so offensively to criticism which wouldn’t be so bad, I guess, except that he’s the developer of a software platform with a HUGE security hole in it. Were Daniel just some “dude” then, yeah, in that context everyone’s a dick ganging up on some poor dude.

      Except, he’s not some dude. Thousands of sites are vulnerable to exploitation and instead of fixing issues Daniel decides it’s best to feed the trolls and make ridiculous statements and claims. You may not agree with it but that IS noteworthy and worthy of a discussion.

      As to Daniel offering a fix, as far as I know that hasn’t happened yet even after more than 6 months since the discovery and a separate developer offering a solution. Add to that Daniel’s intentional mangling of the code to prevent the Secured OpenCart patch from working and it’s fairly obvious we’re dealing with something outside the professional and competent programmer paradigm.

      As to being grateful, frankly, that’s just nonsense Sun. If someone offers you something (free or not) and after building a business and livelihood on top of that “thing” you find out your business can be taken away through a KNOWN exploit that the developer is arguing against existing much less fixing you have every right, in my opinion, to be pissed and vocal about it. As I said, people’s livelihoods are at stake here.

      The problem with your advice of “don’t use it” is that people are already using it. Me, personally, no I won’t use it. I see that the code has security holes in it and the developer is difficult to work with. Fine. But for all those sites and businesses that are using OpenCart; should they just shut up and act like everything’s ok and good? Or should they be worried that their site and business will go away one day? That they won’t be able to feed their families or pay their bills? They SHOULD be worried.

      As to the IP thing; WordPress does that for me man. It’s an automatic thing where all comments get tagged with their IP address. It isn’t an active thing I do.

      Eric

  12. Chris OFB says:
    June 28, 2010 at 4:41 pm

    Hey Eric,

    I had a question, as my web designer/developer is an OpenCart fan, me not knowing much about coding/programming, but having been in the IT/Security field for the last 10+ years started doing my research and came across your blog… which I’m very glad I did!!

    What version of OpenCart is affected by this CSRF attack, and has a new release/security patch been issued yet??

    I am in the process of launching my own online clothing store… knowing that this software has a known Security Hole, and from what I’ve read doesn’t seem to be much of a high-priority issue to the designer, well that SURE IS A DEAL BREAKER to me.

    I could care less about the politics involved, my business, my reputation is at stake here, so I need to know if I should go with another Developer/Designer at this point!!!

    Thanks!

    COFB

    • Eric Lamb says:
      June 28, 2010 at 4:51 pm

      Hi Chris,

      I just checked the OpenCart site and it does appear that the bug has been “fixed” by adding a CAPTCHA to the user edit page (so instead of fixing the issue they put another layer on top of the broken piece to prevent execution). This was in the 1.4.8 branch.

      So, to answer your question, yes the issue is technically resolved though I wouldn’t say it was fixed but obfuscated instead. Do with that what you will I guess.

      Eric

      • Daniel Kerr says:
        June 28, 2010 at 5:06 pm

        no eric you are wrong!

        the problem has been fixed by adding a token system.

        Just like having the site owner being aware of not clicking links from emails while being logged in to the opencart administration should be enough to stop the hack.

        Also like being careful when running downloaded programs and then visiting your online banking.

        • Eric Lamb says:
          June 28, 2010 at 6:48 pm

          Hi Daniel,

          As I said, I checked the site only and from what I saw in the changelog for the version I referenced it says that the CSRF issue was fixed by adding a CAPTCHA. My bad if that’s not accurate.

          Eric

      • Joseph De Araujo says:
        June 28, 2010 at 5:16 pm

        Yeah Eric, it now has a token system that doesn’t allow the CSRF attack to take place anymore. The token is created every time the user logs into their admin section. It follows every submission and every url even the json requests have the token.

        I would invite people who know more about this stuff to give a working example of a CSRF attack on a version 1.4.8. – Up till now it’s all taboo and user paranoia, without the user actually knowing what’s going on.
        If security is as important as we all claim, then we really need to prove our case before making accusations, for whatever motive. If we are trying to help, then it is even more important that we show people, so that they understand the risks.
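A per-login token check of the kind Joseph describes, as an added example written for this post in PHP (it is not OpenCart's own code); the function names, the session array and the constructed requests are assumptions.

```php
<?php
// Added illustration, not OpenCart's code: one CSRF token per admin login,
// carried on every form, link and JSON request, and verified server-side.
// Names (csrf_token_issue, csrf_url, csrf_check) are this example's own.

// Issue a fresh random token when the administrator logs in.
function csrf_token_issue(array &$session): string {
    $session['token'] = bin2hex(random_bytes(16));
    return $session['token'];
}

// Every admin URL carries the token, so a link built by a third party
// (who cannot read the victim's session) will not carry the right value.
function csrf_url(string $base, array $params, string $token): string {
    $params['token'] = $token;
    return $base . '?' . http_build_query($params);
}

// Reject any state-changing request whose token is missing or does not
// match the one issued at login; hash_equals gives a constant-time compare.
function csrf_check(array $session, array $request): bool {
    if (empty($session['token']) || empty($request['token'])) {
        return false;
    }
    return hash_equals($session['token'], (string) $request['token']);
}

// Constructed walk-through (route name is made up for the example).
$session = [];
$token = csrf_token_issue($session);

// Edit submitted from a page the admin actually rendered: token present.
$legit = ['route' => 'user/edit', 'user_id' => 1, 'token' => $token];
var_dump(csrf_check($session, $legit));

// Request forged from another site: the browser sends the admin's cookie,
// but the token is absent, so the edit is refused.
$forged = ['route' => 'user/edit', 'user_id' => 1];
var_dump(csrf_check($session, $forged));

// A token from an earlier login stops working once a new one is issued.
csrf_token_issue($session);
var_dump(csrf_check($session, $legit));

echo csrf_url('index.php', ['route' => 'user/edit', 'user_id' => 1], $session['token']), "\n";
```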

        • Eric Lamb says:
          June 28, 2010 at 8:13 pm

          My bad there Joseph; I only did a cursory inspection looking at the changelogs and it says that CAPTCHA is used to prevent CSRF. It wasn’t intentional or anything.

          I do think it’s misleading to claim that the CSRF issue before 1.4.8 was taboo and user paranoia though. That’s just flat out wrong and not at all true; the exploit in OpenCart was very real and possible. The CSRF issue was brought to Daniel’s attention along with a proof of concept and fix by Ben Maynard. According to Ben he DID present all of the stuff needed to not only acknowledge the issue but also to fix it as well. Daniel chose to go on the offensive and show how ignorant he is/was to CSRF attacks.

          That’s the issue and the point of the post. Not that OpenCart sucks (which it does not) but that when the developer was confronted he went jackass instead of either educating those who took the time to inform (like a professional) or fixing the issue (like a professional). Behavior like that is completely relevant criteria when choosing a software platform to build a business on top of and it absolutely should be taken into account.

          Eric

          • Joseph De Araujo says:
            June 28, 2010 at 8:45 pm

            You’re right, I used the word taboo and downplayed it too much. I agree with all of what’s been said about security issues, & about the way these issues were handled. It’s just not the expected response, I know, but that’s another issue entirely.
            However, I only beg that developers who make these types of claims try to give examples of how they themselves could exploit it & not just in opencart – in any situation or software. Ben Maynard did to some extent, but then, I’m guessing due to the response he received, he no longer wanted to help.
            Some exploits are socially engineered, others are so transparent that you won’t even notice.
            I would feel ‘safer’ in the knowledge that if there is a security hole that someone has found, that they would take it as seriously as they claim, & document it, to allow other developers to secure their versions.

          • Eric Lamb says:
            June 28, 2010 at 9:55 pm

            Well said and good advice Joseph :)

  13. Paul says:
    July 3, 2010 at 2:51 pm

    Hi,

    Is the CSRF issue fixed now?

    Thanks

    Paul

    • Joseph De Araujo (Readyman) says:
      July 3, 2010 at 7:02 pm

      Yes, it has been fixed.

  14. Trick says:
    July 5, 2010 at 4:39 am

    I am not a coder, so I can only rely on the coding expertise of others. Logging into the admin of Open Cart is an absolute breath of fresh air in comparison to a lot of other carts. Front end isn’t exactly bad either. I suppose like many other future shop owners, we just want a stable cart that just functions, and has enough support in the community to find solutions for any issues that arise.

    A shopping cart must be a complex thing to pull off, even with a community effort of very bright minds.

  15. David Frasier says:
    July 22, 2010 at 11:37 pm

    Good Lord…

    I’m very new to OpenCart, so I’m hardly here to defend it, the lead developer, or the OC community. I *do* find it odd that there’s so much hub-bub over the CSRF issue, yet you (the author) use WordPress, which is grossly insecure.

    CSRF is nothing new, cPanel had it and didn’t see the issue as urgent, though they did eventually fix it. You’d have to be simultaneously logged into another site (banking, etc) and also be logged into the OC admin panel.

    http://www.cpanel.net/2009/08/cpanel-security-update-csrf-cross-site-request-forgery.html

    I don’t mean to be argumentative here, but I see the author and some of the commenters acting like OC is the first software to have bugs or issues, and that it’s somehow “unworthy” because of that. Truth is *all* software has bugs. If you don’t get that then come back when your voice changes. The true test of any software / open-source community is how the bugs / issues are dealt with.

    Yes, IMO Daniel could have handled a lot of interactions a whole lot better. Honestly, that goes for roughly 80% of developers out there. Guess what? Lack of social skills is par for the course. Wish it were different, but it’s not. Welcome to the world of geeks. They suck at communication.

    I dare anyone to find ANY software: commercial or open source, that’s never had a security issue. Please…take your time. I’ll wait.

    • Joseph De Araujo says:
      July 23, 2010 at 12:05 am

      It won’t prove anything by finding a piece of software that hasn’t had any security issues.
      In my opinion, security wasn’t the real issue here, the issue was the response received.
      The response received led to blogs & bad publicity about a piece of software that is free.
      Both sides had expectations that were not being met – this is about people, not software or security.

      If you can’t communicate, then you should just write the code, and be done. Let developers that can communicate, pick up the code and explain it to people.

      This is old news… let’s just move on

      For the price you pay for opencart, you get a very easy to use shopping cart. You also get access to a forum where you can find more resources to further extend your own store from templates, modules and complete overhauls. Sure it’s not at the oscommerce stage, but I invite people to look at other carts, then look at opencart and you’ll see how easy it is to use in comparison.
      You will do things so much faster in Opencart & you’ll wonder how you got by without it.

      • Eric Lamb says:
        July 23, 2010 at 12:37 am

        Amen man; This is old news… let’s just move on. Daniel fixed the issue so all we’re doing here is feeding a fire that’s already burned out.

        I’m disabling comments here tomorrow (to give Daniel time to do his customary response :) )

    • Eric Lamb says:
      July 23, 2010 at 12:32 am

      Hi David,

      Nowhere do I say that Open Cart shouldn’t be used because of the insecurities; I said it shouldn’t be used because the developer, at the time, didn’t seem to know how to handle criticism and had straight out refused to fix known security issues. That’s the issue here.

      Think of it another way; imagine if Toyota’s response to the Prius acceleration issue was to call people names all the while claiming that there was no issue and doing nothing about it. At the very least you’d be cautious about doing business with them. Exaggerated analogy, to be sure, but the idea is the same. Open Cart had an issue and they were notified and instead of fixing it they went on the offensive.

      But, as Daniel himself was kind enough to point out, the issue has been fixed. So, while I’m not as reticent to use Open Cart as I once was, I’m still a long way off from recommending it (at least until I see some maturity out of the community).

      To be honest, I’m a little annoyed at the straw men you’ve set up though. What does WordPress being insecure have to do with an online e-commerce solution that once had security holes that went unresolved because of personality issues with the lead developer? Who said that there’s software with no security issues and how did you make that connection between the article and the comments to make these conclusions?

      Please… take your time. I’ll wait.

      Eric

Copyright © 2008 - 2010 Eric Lamb - All rights reserved