
Prestashop Overall Security



Hey,

 

I have already sent an email to PS but didn't get any reply (and will not get one). So I think this topic gets totally underestimated. I don't even know how PS handles basic security things; they do not mention it.

So maybe some forum members can elaborate on this, as the official PS developers seem to ignore it :/

 

Parts of the Email:

 

I want to build an online shop and my main concern and decision focus (also for more and more people) is "how secure is the ecommerce shop? What vulnerabilities exist? Was there a recent hacking incident? How do the developers advertise security?" and many more.
So security is really crucial for an ecommerce system and unfortunately all big ecommerce shops seem to miss this by not focusing on it and not mentioning anything about it (abantecart and http://arastta.org/ seem to be the only ones who explain it in more detail).
I think Magento also focuses more and more on security now, as vulnerabilities leaked (e.g. they now have a security feed, contact mail etc.).

 

 

I asked them several points, among others:

 

  • Do you have a security feed, or only the Prestashop blog/build blog itself?
  • Do you use a static code analyser for finding security flaws, or do you check against https://www.owasp.org/index.php/Main_Page flaws?
  • Do you have security experts in your team? How do you handle tokens and hashing? Which cryptographic methods are used?
  • How do you handle modules in your marketplace? Are they getting reviewed, or is their code getting reviewed against potential flaws? (Just as an example, I have seen a Live Search module in Opencart, downloaded several times!, which is still vulnerable to a simple SQL injection because in the backend it simply constructs a SQL query without proper validation.)
  • How do you check the quality of community modules, certified Prestashop partner modules and the modules of Prestashop itself? What is the difference for me as a security-concerned buyer? Should I prefer the modules of Prestashop? Do you have additional checks for them?
  • How do you check your code quality on GitHub? Can anyone commit a feature or change something in the core, like introducing flaws intentionally? Are these core changes getting peer-reviewed by a Prestashop developer? Are any changes getting peer-reviewed?
  • Wouldn't it probably be better to implement some kind of permission/API system for all the modules? (e.g. a module wants some kind of user input (like in a form) but only gets this via an API request from the core, and the core correctly validates it beforehand.)

 

[...] I would be glad to see a security measures overview on your features site, especially with the techniques or countermeasures implemented in Prestashop. [...]

I think it is not fair to get no answer at all.

I agree some points are rather detailed, but it is not the right way to just ignore it. This was also meant to be some kind of feedback.

 

Thank you in advance for taking the time; maybe some of you know more about these points.

 

Best regards,

Daniel


Why exactly do you want to have these answers?

 

I can answer a few for you.

Module review is very strict. From my experience they check every query and it is impossible to do SQL injection. BUT if the module is not sold on the Prestashop MarketPlace you can find anything. Personally I would not trust free modules that you can find in this forum.

 

The difference between community modules and certified partners is marketing; it has nothing to do with how the code is written. You should prefer modules that have the best support, and you can find in the forum who does the job badly. It is a shame that there is no hall of fame for good support.

 

No offence, but I cannot understand who in his sane mind would ask such questions. This is open source; it means that if you have questions about security, you open the code yourself and check. If you have trouble trusting people writing good modules, you do not buy them; you write what you need yourself and then you are sure that it is secure.


Hey Simonas,

 

Why exactly do you want to have these answers?

To be able to compare various ecommerce systems regarding their security focus and take this into account.

As I said, I want to build an ecommerce shop and security is getting more and more important (look up the various CVEs of Magento). Especially in the ecommerce industry this is really crucial.

If data theft occurs, think of the brand damage for a shop system (e.g. Prestashop) and the brand damage for a merchant. If customer data is affected this gets even worse (think of possible legal effects) etc. There are many scenarios.

 

I can answer a few for you.

Module review is very strict. From my experience they check every query and it is impossible to do SQL injection. BUT if the module is not sold on the Prestashop MarketPlace you can find anything. Personally I would not trust free modules that you can find in this forum.

 

The difference between community modules and certified partners is marketing; it has nothing to do with how the code is written. You should prefer modules that have the best support, and you can find in the forum who does the job badly. It is a shame that there is no hall of fame for good support.

This was also my first guess, but unfortunately there is no official security statement from Prestashop itself! Regarding modules written by non-official Prestashop developers (also the certified ones), see my point below.

 

No offence, but I cannot understand who in his sane mind would ask such questions. This is open source; it means that if you have questions about security, you open the code yourself and check. If you have trouble trusting people writing good modules, you do not buy them; you write what you need yourself and then you are sure that it is secure.

In particular, you as a security-related person should understand it and the possible consequences.

 

As an example, I remember reading something about Prestashop using MD5 (which is a broken cryptographic hash algorithm) in conjunction with a constant salt for passwords. (I don't remember the exact Forge tickets or forum entries.) EDIT: The problem was that there was no per-user salting.

 

I think with the financial background Prestashop has (I have read something about an 8 million dollar financial aid), something like this should not happen! There are best practices and recommendations for such things; even an external security audit would be possible.

 

Yes, I am aware this is open source, but PS also addresses non-developers, simple merchants who want to simply build an online shop, not review any code or check module developers. No offence, but I know as much about the certified or non-certified module developers as about the official Prestashop developers, which is not very much. I don't know anything about their security measures or their quality assurance.

 

Prestashop probably spends a lot on other things, like marketing, their 1 million dollar fund and the free Prestashop cloud service, but from my point of view this is all not primarily necessary. In the long term, the main points and strategic goals should include modularity, security and performance.

 

Best regards,

Daniel


Just to clear something up. I am not a security person as a job description. Security is my hobby.

 

You ask such questions as if you would like to build Amazon on Prestashop, but how big would your shop really be?

And if it would be really big, your first concern should not be security but speed. You can have the most secure website in the world, but if it is slow nobody will buy from you.

 

Most likely data theft would occur if you:

1) You have third-party custom-made modules from bad developers. (Not sold on the marketplace.)

2) You host on shared hosting and somebody else is hacked.

3) Your passwords are too weak or get stolen.

 

I did not like that thing about MD5 either, but they are going to change it in the future. I guess in PS 1.7.

Still, passwords are encoded and they use salt, so it is possible to get them only in theory.

 

Simple merchants would never ask such questions as you ask. They ask: is it easy to manage stock? Is it fast? How can I customize it?

And Prestashop does a good job of answering simple merchants' needs.

 

Talking about the long term, you should read their plans for PS 1.7, and I guess you could contribute to improve the security aspect.

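Daniel's MD5 remark above and Simonas's reply that passwords "use salt" turn on one detail: a single site-wide constant salt versus a random salt per user. The following is an added example, not code from this thread or from Prestashop, constructed in Python to show the difference: with one fixed salt, two customers who chose the same password end up with identical stored hashes (and a single precomputed table covers every account), whereas a random per-user salt combined with a slow KDF removes both properties. The constant salt value, user names and passwords are made up; the same principle is what PHP's password_hash() implements.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Assumed, made-up stand-in for a site-wide constant salt (not Prestashop's value).
SITE_CONSTANT_SALT = "example-site-wide-constant-salt"


def hash_constant_salt(password: str) -> str:
    """Legacy-style hash: fast MD5 over one fixed salt shared by every account."""
    return hashlib.md5((SITE_CONSTANT_SALT + password).encode()).hexdigest()


def hash_per_user(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Per-user salted, deliberately slow hash (PBKDF2-HMAC-SHA256), stored as salt$iters$digest."""
    if salt is None:
        salt = secrets.token_bytes(16)          # fresh random salt for this account only
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_per_user(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def duplicate_hash_groups(user_hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each stored hash to the users sharing it (only groups of two or more).

    Under a constant salt, accounts with the same password are visible at a glance
    from the table alone; under per-user salts the same table reveals nothing."""
    groups: Dict[str, List[str]] = {}
    for user, h in user_hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


# Constructed user table: two customers happen to have chosen the same password.
PASSWORDS = {"alice": "Summer2015!", "bob": "Summer2015!", "carol": "x9#Lq2-Ridge"}


def compare_schemes():
    """Return (duplicates under constant salt, duplicates under per-user salt)."""
    legacy = {u: hash_constant_salt(p) for u, p in PASSWORDS.items()}
    modern = {u: hash_per_user(p) for u, p in PASSWORDS.items()}
    return duplicate_hash_groups(legacy), duplicate_hash_groups(modern)
```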

Hey Simonas,

 

Just to clear something up. I am not a security person as a job description. Security is my hobby.

 

You ask such questions as if you would like to build Amazon on Prestashop, but how big would your shop really be?

And if it would be really big, your first concern should not be security but speed. You can have the most secure website in the world, but if it is slow nobody will buy from you.

I think security should not be a question of size! And of course finding the right balance between security and performance is not always easy. Please don't exaggerate; you can take care of both aspects.

 

Simple merchants would never ask such questions as you ask. They ask: is it easy to manage stock? Is it fast? How can I customize it?

And Prestashop does a good job of answering simple merchants' needs.

 

Talking about the long term, you should read their plans for PS 1.7, and I guess you could contribute to improve the security aspect.

 

Yes, I have already read the plans for PS 1.7 in advance (I am following the build blog and some pull requests); it seems good, especially the template change.

Don't get me wrong, I think Prestashop and its community are really great (I already mentioned that in the email so as not to give the impression I am just criticising everything), but security in general is important and, handled correctly, can make Prestashop stand out even further compared to its competitors.

 

Best regards,

Daniel
