How to Strongly Enhance the Security of TomatoCart 1.1.8

This article is written for TomatoCart users who are running v1.1.8. If you are using an earlier version, please upgrade your system first.

1) Download the security patch for TomatoCart v1.1.8

Please download the security patch here. Once you have updated your 1.1.8 system with the security patch, you must add one language definition for the create account section. Go to Admin->Definitions->Languages->Edit Modules, then click the Add Definition button and add the following language definition:

Definition Group: Account

Definition Key: field_create_account_captcha_check_error

Definition Value: ERROR: Please specify the correct verify code.

Figure 1. Add the language definition

Now the security of your system is brought to the next level. The patch helps prevent the following attacks:

  1. Bots registering as users automatically
  2. Session Fixation
  3. File inclusion vulnerability
  4. XSS
  5. CSRF

To ensure the security patch works well, you also need to configure the system's settings correctly.

2) Session Service Settings

To protect the session identifier exchanged between client and server, the session identifier should be recreated when the customer accesses sensitive information. Please make sure the Regenerate Session ID setting is set to true under Admin->Modules->Services->Session.

You can also set Check User Agent to true so that the system checks the HTTP User-Agent header. In this way, even if an attacker accesses the system with the same session ID, the system will verify the user agent; if it differs from the one recorded for the session, the request is rejected.

If Check IP Address is set to true, the session is bound even more tightly: an HTTP request that arrives from a different IP address than the legitimate user's previous requests is rejected. But this approach has many problems. Most notably, a single user can potentially use a different IP address for each request (as is the case with large ISPs such as AOL), and multiple users can potentially use the same IP address (as is the case in many computer labs using an HTTP proxy). These situations can cause a single user to appear to be many, or many users to appear to be one. So you need to weigh the trade-off yourself.

Figure 2. Session Service Settings
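The three session settings above, shown as an added example of how such checks are typically enforced in PHP. This is illustrative code written for this article, not TomatoCart's own implementation; the function names and the $options keys are hypothetical stand-ins for the admin settings.

```php
<?php
// Added illustration, not TomatoCart's own code. $options mirrors the three
// admin settings: 'regenerate_id', 'check_user_agent' and 'check_ip'.

function validate_session(array $options)
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Fingerprint of the client this session ID was first issued to.
    $ua = hash('sha256', isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '');
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';

    if (!isset($_SESSION['fingerprint'])) {
        // First request carrying this session ID: record the fingerprint.
        $_SESSION['fingerprint'] = array('ua' => $ua, 'ip' => $ip);
        return;
    }

    $mismatch = ($options['check_user_agent'] && $_SESSION['fingerprint']['ua'] !== $ua)
             || ($options['check_ip'] && $_SESSION['fingerprint']['ip'] !== $ip);

    if ($mismatch) {
        // Same session ID, different client: discard the session instead of
        // serving the request (the "request will be disabled" behaviour above).
        $_SESSION = array();
        session_destroy();
        http_response_code(403);
        exit;
    }
}

function on_sensitive_access(array $options)
{
    // Call after login or on entering checkout / account pages: a fresh
    // session ID makes an ID fixed or captured beforehand useless.
    if ($options['regenerate_id'] && session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // true also deletes the old session data
    }
}

// check_ip is left off here because of the ISP / proxy caveat described above.
$options = array('regenerate_id' => true, 'check_user_agent' => true, 'check_ip' => false);
validate_session($options);
on_sensitive_access($options);
```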

3) Activate the Captcha

To prevent automated requests submitted by machines to the create account, guestbook, contact us and product review sections of your system, go to Admin->Configuration->Configuration->Content Management System and set Active Captcha to true. A captcha input field will then be displayed in each of these forms and the entered code will be checked by the system. It is an effective way to protect your system.

Figure 3. Activate the Captcha Code

4) Disable Display Errors

By default TomatoCart displays errors on pages. While useful for debugging, this gives attackers useful information about your website and looks plain ugly to regular customers. To disable it, open includes/application_top.php and add the following code at the top of the file:

ini_set('display_errors', '0');

5) Enable SSL

By default data sent to and from your system is not encrypted. Enabling SSL/HTTPS will ensure data such as customer order data and session id can’t be intercepted during transmission. To do this you must have an SSL certificate installed on your server. Many web hosts will have a shared certificate available on their server (if implemented this may cause warnings to pop up) or you can purchase one separately for your organization (highly recommended).

You can learn how to enable SSL in TomatoCart in the article How to configure TomatoCart to work with SSL.

The TomatoCart team will continue to enhance the security of v1.1.x, and more articles about security will be written later.



Author Spotlight

Jack Yin

TomatoCart Developer & Co Founder - Arvixe Web Hosting / TomatoCart Community Liaison

2 Comments on How to Strongly Enhance the Security of TomatoCart 1.1.8

  1. I think this is one of the most significant pieces of information for me.
    And I am glad reading your article. But I want to remark on a few
    general things: the site style is ideal, the articles are really great
    :D. Good job, cheers

    • Jack Yin says:

      Thanks for your positive comment. If you need our technical support, don’t hesitate to contact us! Are you an Arvixe user? We provide free technical support service for the Arvixe users.
