<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>
<channel>
	<title>Comments for Magnum Blog</title>
	<atom:link href="http://oshelpers.com/magnum-blog/comments/feed/" rel="self" type="application/rss+xml" />
	<link>http://oshelpers.com/magnum-blog</link>
	<description>by osHelpers</description>
	<pubDate>Sun, 05 Feb 2012 04:23:27 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>Comment on Creloaded.com - SERIOUS Security Issue February 2010 revealed  &#8230;oh no PLEASE, NOT AGAIN! by david</title>
		<link>http://oshelpers.com/magnum-blog/2010/02/18/creloadedcom-serious-security-issue-february-2010-revealed-oh-no-please-not-again/comment-page-4/#comment-5913</link>
		<dc:creator>david</dc:creator>
		<pubDate>Fri, 10 Sep 2010 03:48:09 +0000</pubDate>
		<guid isPermaLink="false">http://oshelpers.com/magnum-blog/?p=124#comment-5913</guid>
		<description>Maybe it is late, but I just came across this article, so here's my experience with the security exploit.

I am a site owner, not a programmer. Many times I came very close to hiring CREhelp but did not, for many reasons...
But all of the CRE Community should give him credit because, unlike Sal, he emailed every potential CREloaded website soliciting business, which in turn alerted website owners like me to take action.
On the other hand, Mr. Sal was ignoring such critical issues and not alerting site owners (I am a registered CREloaded user and never heard of it) or partners. Even when I questioned my ISP, who also sold/installed the CRE Loaded package, he outright called CREhelp a scammer and opportunist... but of course I did not trust him and had a different programmer fix it.
The point is, do not blame CREhelp because he figured it out first, or he used the vacuum to help himself. His action helped to resolve the problem one way or another.
A mass alert should have gone out immediately. So much for upgrading to PCI.. NO WAY!</description>
		<content:encoded><![CDATA[<p>Maybe it is late, but I just came across this article, so here&#8217;s my experience with the security exploit.</p>
<p>I am a site owner, not a programmer. Many times I came very close to hiring CREhelp but did not, for many reasons&#8230;<br />
But all of the CRE Community should give him credit because, unlike Sal, he emailed every potential CREloaded website soliciting business, which in turn alerted website owners like me to take action.<br />
On the other hand, Mr. Sal was ignoring such critical issues and not alerting site owners (I am a registered CREloaded user and never heard of it) or partners. Even when I questioned my ISP, who also sold/installed the CRE Loaded package, he outright called CREhelp a scammer and opportunist&#8230; but of course I did not trust him and had a different programmer fix it.<br />
The point is, do not blame CREhelp because he figured it out first, or he used the vacuum to help himself. His action helped to resolve the problem one way or another.<br />
A mass alert should have gone out immediately. So much for upgrading to PCI.. NO WAY!</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Creloaded.com - SERIOUS Security Issue February 2010 revealed  &#8230;oh no PLEASE, NOT AGAIN! by Denver Prophit Jr.</title>
		<link>http://oshelpers.com/magnum-blog/2010/02/18/creloadedcom-serious-security-issue-february-2010-revealed-oh-no-please-not-again/comment-page-4/#comment-5561</link>
		<dc:creator>Denver Prophit Jr.</dc:creator>
		<pubDate>Sun, 11 Jul 2010 18:44:11 +0000</pubDate>
		<guid isPermaLink="false">http://oshelpers.com/magnum-blog/?p=124#comment-5561</guid>
		<description>Quote: "Security at Creloaded has been breached quite a few times now and in the past. The last significant breach which occurred in 2009 involved another former cre employee, Jason Mayer, aka Creguru who managed to email CREloaded’s full customer list a newsletter about his site www.freecreloaded.com where versions and patches up to Creloaded 6.2 B2B patch 13 can be obtained at no cost under the GNU/GPL license." As I recall, Mr. Mayer's employment was terminated. He was quite lucky civil litigation was not brought down upon him.  A certain amount of privileged access is required to service customer accounts. Mr. Mayer breached that trust.

CRE 6.15 FileManager was a 3rd party contribution in open source. The CRE team included it much like the other some 60 contributions into a Chain Reaction Edition of osCommerce.  They continue to make strides in resolving CORE cart bugs and our company continues to point them out and seek help and collaborate where we can.

We are concerned, however, with their business decision NOT to modify the authorize.net payment module to meet new federal and industry mandate by 2011. In 2011 credit card merchants will be required to decline check card transactions where the funds are not available and offer alternative payment methods while showing the balance available on that card.  The CRE guys have decided to corral folks into their merchant reseller program and duplicate their payment checkout pages onto a cloud server that meets PCI DSS D compliance I believe. But, I have not seen any PCI DSS D  compliance certification. It's rather costly. I would have hoped that CRE worked with community developers to modify the current authorize.net and many other gateway modules to meet any new mandates.  It's a business decision on their part and only the community can take away from it what they may.

I still will hope that the true revenue stream is in education and training.

Sincerely,

Denver Prophit
Sec / CTO
StrikeHawk eCommerce, Inc.</description>
		<content:encoded><![CDATA[<p>Quote: &#8220;Security at Creloaded has been breached quite a few times now and in the past. The last significant breach which occurred in 2009 involved another former cre employee, Jason Mayer, aka Creguru who managed to email CREloaded’s full customer list a newsletter about his site <a href="http://www.freecreloaded.com" rel="nofollow">http://www.freecreloaded.com</a> where versions and patches up to Creloaded 6.2 B2B patch 13 can be obtained at no cost under the GNU/GPL license.&#8221; As I recall, Mr. Mayer&#8217;s employment was terminated. He was quite lucky civil litigation was not brought down upon him.  A certain amount of privileged access is required to service customer accounts. Mr. Mayer breached that trust.</p>
<p>CRE 6.15 FileManager was a 3rd party contribution in open source. The CRE team included it much like the other some 60 contributions into a Chain Reaction Edition of osCommerce.  They continue to make strides in resolving CORE cart bugs and our company continues to point them out and seek help and collaborate where we can.</p>
<p>We are concerned, however, with their business decision NOT to modify the authorize.net payment module to meet new federal and industry mandate by 2011. In 2011 credit card merchants will be required to decline check card transactions where the funds are not available and offer alternative payment methods while showing the balance available on that card.  The CRE guys have decided to corral folks into their merchant reseller program and duplicate their payment checkout pages onto a cloud server that meets PCI DSS D compliance I believe. But, I have not seen any PCI DSS D  compliance certification. It&#8217;s rather costly. I would have hoped that CRE worked with community developers to modify the current authorize.net and many other gateway modules to meet any new mandates.  It&#8217;s a business decision on their part and only the community can take away from it what they may.</p>
<p>I still will hope that the true revenue stream is in education and training.</p>
<p>Sincerely,</p>
<p>Denver Prophit<br />
Sec / CTO<br />
StrikeHawk eCommerce, Inc.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Creloaded.com - SERIOUS Security Issue February 2010 revealed  &#8230;oh no PLEASE, NOT AGAIN! by admin</title>
		<link>http://oshelpers.com/magnum-blog/2010/02/18/creloadedcom-serious-security-issue-february-2010-revealed-oh-no-please-not-again/comment-page-1/#comment-4114</link>
		<dc:creator>admin</dc:creator>
		<pubDate>Fri, 19 Feb 2010 03:39:18 +0000</pubDate>
		<guid isPermaLink="false">http://oshelpers.com/magnum-blog/?p=124#comment-4114</guid>
		<description>not soo fast Sal ... please join me over at http://www.sitepoint.com/forums/showthread.php?t=661312

Here is a question for you, actually 2:

- Don't you think that the amount of patch downloads over the past 4-5 months have been a bit low considering the amount of creloaded sites out there even if you count in the 200 non-unique views of your sticky announcement about this security issue. 

So you have not felt the need at any point to inform customers, directly via email, in form of a newsletter announcement about the severeness of the issue?

Here are 2 screen shots from a little while ago:
http://www.oshelpers.com/Screenshot%20-%202_18_2010%20,%208_38_56%20PM.jpg
http://www.oshelpers.com/Screenshot%20-%202_18_2010%20,%209_06_40%20PM.jpg</description>
		<content:encoded><![CDATA[<p>not soo fast Sal &#8230; please join me over at <a href="http://www.sitepoint.com/forums/showthread.php?t=661312" rel="nofollow">http://www.sitepoint.com/forums/showthread.php?t=661312</a></p>
<p>Here is a question for you, actually 2:</p>
<p>- Don&#8217;t you think that the amount of patch downloads over the past 4-5 months have been a bit low considering the amount of creloaded sites out there even if you count in the 200 non-unique views of your sticky announcement about this security issue. </p>
<p>So you have not felt the need at any point to inform customers, directly via email, in form of a newsletter announcement about the severeness of the issue?</p>
<p>Here are 2 screen shots from a little while ago:<br />
<a href="http://www.oshelpers.com/Screenshot%20-%202_18_2010%20,%208_38_56%20PM.jpg" rel="nofollow">http://www.oshelpers.com/Screenshot%20-%202_18_2010%20,%208_38_56%20PM.jpg</a><br />
<a href="http://www.oshelpers.com/Screenshot%20-%202_18_2010%20,%209_06_40%20PM.jpg" rel="nofollow">http://www.oshelpers.com/Screenshot%20-%202_18_2010%20,%209_06_40%20PM.jpg</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Creloaded.com - SERIOUS Security Issue February 2010 revealed  &#8230;oh no PLEASE, NOT AGAIN! by Sal</title>
		<link>http://oshelpers.com/magnum-blog/2010/02/18/creloadedcom-serious-security-issue-february-2010-revealed-oh-no-please-not-again/comment-page-1/#comment-4110</link>
		<dc:creator>Sal</dc:creator>
		<pubDate>Thu, 18 Feb 2010 23:26:59 +0000</pubDate>
		<guid isPermaLink="false">http://oshelpers.com/magnum-blog/?p=124#comment-4110</guid>
		<description>1. I'm not the CEO. Greg McGraw is.
2. the security exploit was in OSCOMMERCE core and affects all oscommerce variants including ours and zencart and all others.
3. we released a patch for this last year. 
http://www.creloaded.com/fdm_folder_files.php?fPath=0_69 and ran header ads and forum posts alerting our community.

CRE Loaded is not facing any liability issues since we identified and released a patch in a timely manner, such a thing that all application developers do. This code exploit and fix underscores the necessity to take security issues seriously and keep all your applications up to date.

I appreciate your efforts in the community, but please let's not do the community harm with incorrect statements about CRE Loaded.

Sal Iozzia</description>
		<content:encoded><![CDATA[<p>1. I&#8217;m not the CEO. Greg McGraw is.<br />
2. the security exploit was in OSCOMMERCE core and affects all oscommerce variants including ours and zencart and all others.<br />
3. we released a patch for this last year.<br />
<a href="http://www.creloaded.com/fdm_folder_files.php?fPath=0_69" rel="nofollow">http://www.creloaded.com/fdm_folder_files.php?fPath=0_69</a> and ran header ads and forum posts alerting our community.</p>
<p>CRE Loaded is not facing any liability issues since we identified and released a patch in a timely manner, such a thing that all application developers do. This code exploit and fix underscores the necessity to take security issues seriously and keep all your applications up to date. </p>
<p>I appreciate your efforts in the community, but please let&#8217;s not do the community harm with incorrect statements about CRE Loaded.</p>
<p>Sal Iozzia</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on The story about CRE and inessential FDMS Clutter by Wholesale PLR</title>
		<link>http://oshelpers.com/magnum-blog/2009/03/12/the-story-about-cre-and-inessential-fdms-clutter/comment-page-1/#comment-34</link>
		<dc:creator>Wholesale PLR</dc:creator>
		<pubDate>Mon, 30 Mar 2009 22:51:15 +0000</pubDate>
		<guid isPermaLink="false">http://oshelpers.com/magnum-blog/?p=74#comment-34</guid>
		<description>Valuable content, thanks</description>
		<content:encoded><![CDATA[<p>Valuable content, thanks</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on The story about CRE and inessential FDMS Clutter by admin</title>
		<link>http://oshelpers.com/magnum-blog/2009/03/12/the-story-about-cre-and-inessential-fdms-clutter/comment-page-1/#comment-32</link>
		<dc:creator>admin</dc:creator>
		<pubDate>Mon, 30 Mar 2009 00:56:07 +0000</pubDate>
		<guid isPermaLink="false">http://oshelpers.com/magnum-blog/?p=74#comment-32</guid>
		<description>plenty my ass, maybe 1 out of 500</description>
		<content:encoded><![CDATA[<p>plenty my ass, maybe 1 out of 500</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on The story about CRE and inessential FDMS Clutter by jon</title>
		<link>http://oshelpers.com/magnum-blog/2009/03/12/the-story-about-cre-and-inessential-fdms-clutter/comment-page-1/#comment-29</link>
		<dc:creator>jon</dc:creator>
		<pubDate>Sat, 28 Mar 2009 10:11:11 +0000</pubDate>
		<guid isPermaLink="false">http://oshelpers.com/magnum-blog/?p=74#comment-29</guid>
		<description>There are plenty of companies that require the need for downloadable items. What a Stupid observation.</description>
		<content:encoded><![CDATA[<p>There are plenty of companies that require the need for downloadable items. What a Stupid observation.</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on Multi Store Wars - Magento moving into our territory by Dunc</title>
		<link>http://oshelpers.com/magnum-blog/2009/03/10/multi-store-wars-magento-moving-into-our-territory/comment-page-1/#comment-24</link>
		<dc:creator>Dunc</dc:creator>
		<pubDate>Fri, 20 Mar 2009 20:45:05 +0000</pubDate>
		<guid isPermaLink="false">http://oshelpers.com/magnum-blog/?p=56#comment-24</guid>
		<description>Whoa - So let me get this straight - $79.99 PER MONTH !!! or $595 to download - for open source community developed code ? - ouch - tell me this anyone ? Is cre 6.3 actually worth that much more than the 6.2 version ?</description>
		<content:encoded><![CDATA[<p>Whoa - So let me get this straight - $79.99 PER MONTH !!! or $595 to download - for open source community developed code ? - ouch - tell me this anyone ? Is cre 6.3 actually worth that much more than the 6.2 version ?</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on The story about CRE and inessential FDMS Clutter by Dunc</title>
		<link>http://oshelpers.com/magnum-blog/2009/03/12/the-story-about-cre-and-inessential-fdms-clutter/comment-page-1/#comment-23</link>
		<dc:creator>Dunc</dc:creator>
		<pubDate>Fri, 20 Mar 2009 20:42:09 +0000</pubDate>
		<guid isPermaLink="false">http://oshelpers.com/magnum-blog/?p=74#comment-23</guid>
		<description>Yeah Chris man - you tell them. I am still on 6.2 but will be going down your magnum route rather than CRE6.3 - far more value and features for my buck (quid actually).</description>
		<content:encoded><![CDATA[<p>Yeah Chris man - you tell them. I am still on 6.2 but will be going down your magnum route rather than CRE6.3 - far more value and features for my buck (quid actually).</p>
]]></content:encoded>
	</item>
	<item>
		<title>Comment on The story about CRE and inessential FDMS Clutter by goree</title>
		<link>http://oshelpers.com/magnum-blog/2009/03/12/the-story-about-cre-and-inessential-fdms-clutter/comment-page-1/#comment-21</link>
		<dc:creator>goree</dc:creator>
		<pubDate>Thu, 19 Mar 2009 08:16:31 +0000</pubDate>
		<guid isPermaLink="false">http://oshelpers.com/magnum-blog/?p=74#comment-21</guid>
		<description>hehe</description>
		<content:encoded><![CDATA[<p>hehe</p>
]]></content:encoded>
	</item>
</channel>
</rss>

