Security Silence Dec 21
About a month ago, ror_ecommerce had its first security announcement. The fix was super simple and the vulnerability was limited to MySQL. Given that most users of ror_ecommerce use postgres on heroku, the scope of the problem should be limited.
That said, my concern is that this announcement mostly fell on deaf ears. In fact, I'd bet the only people listening are hackers trying to take advantage of the vulnerability. This has me very concerned. I've found similar issues with OSS projects that actually list the companies that use their software. This is an announcement to every hacker of which sites use the software and are vulnerable.
I personally made phone calls to sites that I knew had ror_ecommerce in production. Luckily they all use postgres, so they were never vulnerable. I'm not going to name names, but if you maintain OSS please DO NOT name the companies that use the software unless they personally ask for the advertisement. It is selfish and irresponsible to list these companies.
ROR_ecommerce's Security Fix
As for the specific fix, the commit can be found here:
For more details on the fix click the link below: (BTW this is an issue with many Rails applications)
If you have code that looks like this:
@user = User.find_by_perishable_token(params[:id])
You might want to change the code to look like this:
@user = User.find_by_perishable_token(params[:id].to_s)
On MySQL, at the very best you have a bug; worst case, you have a security vulnerability. Happy Coding!
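The reason the `.to_s` matters is that `params[:id]` is not guaranteed to be a String: depending on how the query string is written, Rack hands the controller nil, an Array or a Hash instead. The following is an added example (not code from ror_ecommerce or Rails) that simulates those values against an in-memory stand-in for the users table, comparing the `.to_s` fix with a stricter check; the token format, the sample rows and the finder are assumptions made for the demo.

```ruby
# Added example, not ror_ecommerce code. Rack's nested-query parsing turns
# these query strings into these Ruby values (constructed here inline so the
# example runs without Rack):
#   ?id=aaaaaaaaaaaaaaaaaaaa -> "aaaaaaaaaaaaaaaaaaaa"  (String, the expected case)
#   ?id                      -> nil
#   ?id[]=abc                -> ["abc"]                  (Array)
#   ?id[a]=b                 -> {"a"=>"b"}               (Hash)
PARAM_SAMPLES = {
  "?id=#{'a' * 20}" => 'a' * 20,
  '?id'             => nil,
  '?id[]=abc'       => ['abc'],
  '?id[a]=b'        => { 'a' => 'b' },
}.freeze

# Constructed stand-in for the users table: perishable_token -> email.
# The second row models an account whose token was never populated.
USERS = {
  'a' * 20 => 'alice@example.test',
  ''       => 'legacy@example.test',
}.freeze

# The fix from the post: always hand the finder a String.
def token_with_to_s(raw)
  raw.to_s
end

# Stricter variant: only a non-empty String of the expected shape is accepted.
# nil, Array, Hash and the empty string all yield nil, so no lookup runs.
TOKEN_FORMAT = /\A[A-Za-z0-9]{20}\z/ # assumed shape of a perishable token

def token_strict(raw)
  return nil unless raw.is_a?(String) && raw.match?(TOKEN_FORMAT)
  raw
end

# Stand-in for User.find_by_perishable_token: exact string match only.
def find_user_by_token(token)
  return nil if token.nil?
  USERS[token]
end

# Run one sample value through the chosen coercion strategy and the finder.
def lookup(raw, strategy)
  find_user_by_token(send(strategy, raw))
end
```

Note that `nil.to_s` is `""`, so with the `.to_s` fix alone a missing `id` parameter still looks up the empty-string token and matches any row whose token was never set; the strict check refuses it.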