How to Strongly Enhance the Security of TomatoCart 1.1.8
Written by Jack Yin Tuesday, 6 November 2012
This article is written for TomatoCart users running v1.1.8. If you are using an earlier version, please upgrade your system first.
1) Download the security patch for TomatoCart v1.1.8
Please download the security patch here. Once you have updated your 1.1.8 system with the security patch, you need to add one language definition for the create account section. Go to Admin->Definitions->Languages->Edit Modules, then click the Add Definition button and add the following language definition:
Definition Group: Account
Definition Key: field_create_account_captcha_check_error
Definition Value: ERROR: Please specify the correct verify code.
Figure 1. Add the language definition
Now the security of your system is brought to the next level. The patch helps prevent the following attacks:
- Bots registering as users automatically
- Session Fixation
- File inclusion vulnerability
To ensure the security patch works well, you must also configure the system's settings correctly.
2) Session Service Settings
To protect the session identifier exchanged between client and server, the session identifier should be regenerated when the customer accesses sensitive information. Please make sure the Regenerate Session ID setting is True under Admin->Modules->Services->Session.
You can also set Check User Agent to True so that the system checks the HTTP User-Agent header. In this way, even if an attacker accesses the system with the same session ID, the system will verify the user agent; if it differs from the one recorded for the session, the request is rejected.
If Check IP Address is set to True, the session is bound even more tightly: an HTTP request arriving from a different IP address than the legitimate user's previous one is rejected. But this approach has many problems. Most notably, a single user can potentially use a different IP address for each request (as is the case with large ISPs such as AOL), and multiple users can potentially use the same IP address (as is the case in many computer labs using an HTTP proxy). These situations can cause a single user to appear to be many, or many users to appear to be one. So you need to weigh this trade-off yourself.
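The following is an added illustration of the three session checks described above, written in plain PHP; it is not TomatoCart's own session service code. The three variables at the top stand in for the admin settings, the `_ua_hash` and `_ip` session keys are names chosen for this example, and `onCustomerLogin()` is a hypothetical hook for the point at which the session ID should be regenerated.

```php
<?php
// Added example, not TomatoCart code. The three flags mirror the admin options
// under Admin->Modules->Services->Session; their values here are assumptions.
$regenerateSessionId = true;   // "Regenerate Session ID"
$checkUserAgent      = true;   // "Check User Agent"
$checkIpAddress      = false;  // "Check IP Address" (off because of the caveat above)

session_start();

// Drop the current session and stop the request.
function rejectSession(string $reason): void
{
    session_unset();
    session_destroy();
    http_response_code(403);
    exit('Session rejected: ' . $reason);
}

// Bind the session to the client's User-Agent on first use; on later requests
// a different User-Agent with the same session ID is refused.
if ($checkUserAgent) {
    $uaHash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['_ua_hash'])) {
        $_SESSION['_ua_hash'] = $uaHash;            // assumed session key name
    } elseif (!hash_equals($_SESSION['_ua_hash'], $uaHash)) {
        rejectSession('user agent mismatch');
    }
}

// Optional IP binding. Users behind large ISPs or shared proxies will trip
// this check, which is why it is left off by default in this example.
if ($checkIpAddress) {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!isset($_SESSION['_ip'])) {
        $_SESSION['_ip'] = $ip;                      // assumed session key name
    } elseif ($_SESSION['_ip'] !== $ip) {
        rejectSession('IP address mismatch');
    }
}

// Hypothetical login hook: once the customer is authenticated, issue a fresh
// session ID so an ID fixed in the browser before login is worthless afterwards.
function onCustomerLogin(int $customerId, bool $regenerate): void
{
    if ($regenerate) {
        // true = delete the old session data so the old ID cannot be reused
        session_regenerate_id(true);
    }
    $_SESSION['customer_id'] = $customerId;
}

// Example call after a successful password check (assumed customer ID):
// onCustomerLogin(42, $regenerateSessionId);
```

Regenerating the ID at the moment of login is what defeats session fixation; the User-Agent and IP checks only add friction for an attacker who already holds a valid ID, and the IP check carries the false-positive cost described above.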
Figure 2. Session Service Settings
3) Activate the Captcha
To prevent automated form submissions from bots in the create account, guestbook, contact us and product review sections, go to Admin->Configuration->Configuration->Content Management System and set Active Captcha to True. A captcha input field will then be displayed in each of those forms and the entered code will be checked by the system. It is an effective way to protect your system.
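As an added illustration of what the server-side check behind Active Captcha needs to do, here is a small PHP example; it is not TomatoCart's create-account code. The `captcha_code` session key and the `captcha` form field are names assumed for the example; the error key reused at the end is the language definition added in step 1.

```php
<?php
// Added example, not TomatoCart code. Assumes the captcha image generator
// stored the expected text in $_SESSION['captcha_code'] (assumed key name).
session_start();

function captchaIsValid(?string $submitted): bool
{
    $expected = $_SESSION['captcha_code'] ?? null;
    // Single use: clear the stored code whether the attempt succeeds or fails,
    // so the same code cannot be replayed across many registration attempts.
    unset($_SESSION['captcha_code']);
    if ($expected === null || $submitted === null || $submitted === '') {
        return false;
    }
    // Captcha images are usually read case-insensitively; compare in constant
    // time so the check leaks nothing about how many characters matched.
    return hash_equals(strtolower($expected), strtolower(trim($submitted)));
}

$errors = [];
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!captchaIsValid($_POST['captcha'] ?? null)) {   // assumed field name
        // Report the failure through the definition added in step 1 rather
        // than a hard-coded string, so it is translated like other messages.
        $errors[] = 'field_create_account_captcha_check_error';
    }
    // ... remaining create-account validation continues here ...
}
```

The two properties worth checking in any captcha implementation are visible here: the stored code is consumed on the first attempt, and a missing or empty session value fails closed instead of being treated as a match.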
Figure 3. Active The Captcha Code
4) Disable Display Errors
By default TomatoCart displays PHP errors on pages. While useful for debugging, this gives attackers useful information about your site (file paths, database details, library versions) and looks plain ugly to regular customers. To disable it, open includes/application_top.php and add the following code at the top of the file:
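The snippet the article refers to is not reproduced on this page. As an added example, not the author's original code, the standard PHP settings below stop errors from being printed into pages while still recording them for the administrator. The log file path is an assumption; pick a location outside the web root on your own server.

```php
<?php
// Added example, not the article's original snippet. Place at the top of
// includes/application_top.php (or set the same keys in php.ini).
ini_set('display_errors', '0');          // never print errors into the HTML
ini_set('display_startup_errors', '0');  // same for errors raised during PHP startup
ini_set('log_errors', '1');              // keep them, just out of sight
ini_set('error_log', '/var/log/php/tomatocart_error.log'); // assumed path, outside web root
error_reporting(E_ALL);                  // log everything; logging is not display

// Helper to confirm the setting actually took effect (ini_set can be refused
// when display_errors is locked by php.ini or a host's configuration).
function displayErrorsDisabled(): bool
{
    $value = strtolower((string) ini_get('display_errors'));
    return in_array($value, ['0', '', 'off', 'false'], true);
}
```

If `displayErrorsDisabled()` returns false after the change, the host has locked the directive and it must be set in php.ini or the virtual host configuration instead; the log file should be readable only by the web server user so that the details you just hid from customers are not exposed a different way.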
5) Enable SSL
By default, data sent to and from your system is not encrypted. Enabling SSL/HTTPS ensures that data such as customer order data and the session ID cannot be intercepted in transit. To do this you must have an SSL certificate installed on your server. Many web hosts have a shared certificate available on their server (if you use it, browsers may show warnings), or you can purchase one separately for your organization (highly recommended).
You can learn how to enable SSL in TomatoCart via the article – How to configuration TomatoCart to work with SSL
The TomatoCart team will continue to enhance the security of v1.1.x, and more articles about security will follow.