
New Release and Patch Testing


Guest timecrisis

Hi All,

OK first I am not having a go at anyone on these forums and I am not having a go at Brooky personally.

This is business (for me anyway); I am having a go at Devillion Ltd.

I am a paying customer for CubeCart and I view this as a commercial product.

I understand that any script will have bugs and security updates are always required.

That said, I am not happy with the way new releases and patches are released for the following reasons:

1: Apparent lack of basic testing before release.

2: Lack of any documentation explaining changes made and reasons.

I would ask anyone else who feels similarly to me to post below and maybe someone will take notice.

Like I have said before I held my tongue with the release of 3.0.6 but I feel I have to speak up.

I think the above would be for the greater good and will make CC a better product and sell more copies. I recommend CubeCart quite often to people but I cannot continue to recommend the product if the current way of releasing updates continues.

I feel bad having to post this type of post at this time of year too. I know there are many good coders working on the fixes as we speak. Thank you and keep up the good work. Non-coders like me rely on you!

I just don't feel that they should have to do all this work (although PHP freaks like Sir William probably get off on all this code) :)

Anyone?


Well, I'm new to CubeCart as of 3.0.6, but I haven't come across all that many bugs or problems with it. My impression of the 3.0.7 release is that brooky was about to leave town when he got hacked and realized there was a major security hole that needed plugging fast. So 3.0.7 was rushed out, and the security fix was not completely tested.

To me this is understandable and human and doesn't imply a general problem. It takes a long time to properly test code on different systems and environments, and apparently he just didn't have it. I bet he's been sweating over this his whole vacation also.

Perhaps if there were more than one core developer then this situation could have been avoided. And I also would love more explanation in the release files (a change log at minimum). Overall though I think that CC seems on track to me, although suggestions and constructive criticism can't hurt.


Guest timecrisis

I agree that it is a great script.

Yes, there should be more than one person testing code. I would like to hear if this is the case? I have no idea how many paying customers there are, but surely enough to pay for a coder/tester.

How long has this security hole been there, and would some security testing have found this easily?

I appreciate that Brooky needs a holiday as we all do. Maybe a laptop would be a good investment for Brooky?

I and others have been asking for documentation for a while with no response.

The security releases are one thing, but the 3.0.7 upgrade errored (and still does) when you clicked on a product; this cannot have been tested at all before release?


Guest SuesBrownies

I see where you are going. It is the stupid mistakes that piss you off. It doesn't take more than 5 minutes to run through all the files via browser and see if everything displays with no errors. Doing this would have simply eliminated the parser "T word does not exist" error on viewProd.inc.php and product options in admin panel.

I am not aware of any others. I am using all 3 of PayPal's gateways. Is there a problem with any of them?


I see where you are going. It is the stupid mistakes that piss you off. It doesn't take more than 5 minutes to run through all the files via browser and see if everything displays with no errors. Doing this would have simply eliminated the parser "T word does not exist" error on viewProd.inc.php and product options in admin panel.

I would bet that the text that caused this error was not in the files that brooky was testing. It looks to me as if he was chatting in another window (about how stressful the situation was) and he accidentally typed in the wrong window. So he may have tested that code quite a bit and just added that text by accident at the end (and if he had been here to deal with it he probably would've just fixed the download and almost no one would've ever seen that blooper).

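The five-minute check SuesBrownies describes (open every page and look for errors) and the stray-text parse error discussed in the reply above, as an added example that is not from the thread or from CubeCart itself: a shell script that runs php -l over the release tree and then fetches a few storefront pages from a staging copy, failing when a page is not HTTP 200 or its body carries a PHP error banner. The php CLI, curl, the staging URL and the storefront paths in smoke_test are assumptions.

```shell
#!/bin/sh
# Pre-release smoke check for a PHP store such as CubeCart.
# Added example, not the project's own tooling. Assumptions: the php CLI and
# curl are on PATH, $1 is the unpacked release tree, $2 is the base URL of a
# staging copy, and the storefront paths listed in smoke_test are illustrative.
set -u

# A body carrying a PHP error banner means the page is broken even though the
# server answered 200. With html_errors on, PHP prints
# "<b>Parse error</b>:  syntax error, unexpected T_STRING in ..."; with it off,
# "Parse error: syntax error ...". Match both forms.
body_has_php_error() {
  printf '%s\n' "$1" | grep -Eq '(Parse error|Fatal error|Warning|Notice)(</b>)?:'
}

# Pass only when the status is 200 and the body is clean.
page_ok() {
  status=$1
  body=$2
  [ "$status" = "200" ] || return 1
  ! body_has_php_error "$body"
}

# php -l catches the "stray text typed into the wrong window" class of mistake
# before anything is uploaded: every file in the tree must parse.
# (Paths containing whitespace are not handled by the unquoted loop.)
lint_tree() {
  dir=$1
  bad=0
  for f in $(find "$dir" -type f -name '*.php'); do
    if ! php -l "$f" >/dev/null 2>&1; then
      echo "LINT FAIL: $f"
      bad=$((bad + 1))
    fi
  done
  echo "$bad file(s) failed php -l"
  [ "$bad" -eq 0 ]
}

# Fetch a handful of storefront pages from the staging copy and apply page_ok.
# Admin pages are left out because they need a logged-in session.
smoke_test() {
  base=$1
  failed=0
  for path in 'index.php' 'index.php?act=viewProd&productId=1' 'index.php?act=viewCat&catId=1'; do
    # curl writes the body, then a line holding the HTTP status code
    raw=$(curl -s -o - -w '\n%{http_code}' "$base/$path")
    status=$(printf '%s\n' "$raw" | tail -n 1)
    body=$(printf '%s\n' "$raw" | sed '$d')
    if page_ok "$status" "$body"; then
      echo "OK   $path"
    else
      echo "FAIL $path (HTTP $status)"
      failed=1
    fi
  done
  return "$failed"
}

# Usage: sh release_check.sh /path/to/unpacked/release http://staging.example/store
if [ "$#" -eq 2 ]; then
  lint_tree "$1" && smoke_test "$2"
fi
```

Run it against a staging copy, never the live store, and treat any FAIL or LINT FAIL as a blocker for the release. The status-code check alone is not enough: a parse error in an include still comes back as HTTP 200, which is why the body is inspected as well.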

Here's a thought for you: why get a laptop? Surely then he will not be on holiday?

There are plenty of testers in here but as stated this was a rush job to get the hole plugged and has probably ruined brooky's holiday for worrying about it.

And it was tested, but remember these updates, patches etc. are for CubeCart and thus cannot be made responsible if you have modded or changed your store/code etc.

We are here to help you and are trying our best to assist you and the others.

Please bear with us through this.


Guest estelle

I understand that Brooky went overseas somewhere for New Year, but I was still disappointed that I didn't hear from him (Develion Ltd) at all for four days. This product is used internationally and last I heard there were over 210,000 live stores. I think he has a responsibility to all of us (at least those of us who have licensed our stores) to provide us with a working patch (without the 403 errors), but more importantly to just show his face around the forums and address people's concerns, holiday or not.

And on a separate issue, perhaps there should be something added to the forum rules document about what procedure should be followed if someone discovers that their site has been hacked.


Guest woodbtreasures

And on a separate issue, perhaps there should be something added to the forum rules document about what procedure should be followed if someone discovers that their site has been hacked.

estelle, what possible purpose could there be for that?


Let's take this recent instance. Somebody got hacked. They posted info about that in several places around the net. Other hackers saw that and the number of attacks and attack attempts skyrocketed.

If you saw that a car dealer closed up shop and left keys in all their cars over night, would you call the dealer or the radio station? You'd call either the dealership owners/managers (if you could of course) or the police. Telling anybody else until they rectified it would be escalating a security risk of course.

:w00t:


Guest theorbo

The unfortunate thing is that you will never be able to keep people from spouting off about this sort of problem everywhere they can. phpBB has been trying to contain security reports for TEN YEARS (I know this for a fact, I've been using their software that long, and a member of their fora for that long ditto) - it doesn't work, not then and not now.

A person with a problem of this sort is all too eager to vomit the info anywhere heesh has available, as if heesh is the only person in the webverse who matters.


Guest degsey69

I agree with estelle that it was a bad choice of Brooky to release a new version over the holidays and not be available for any problems.

Perhaps in the future he could release it to the moderators and programmers as a beta version for testing; that way, live money-making sites are not being exposed if there is a problem.

Sir William has a point also, you do not go down to the jail house and shout that the lock is broken on your house. Again maybe the moderators in the future should remove the thread which identifies any security threat and pm the member and copy brooky the removed post.

Hindsight is 20/20, I know, but there are some lessons to be learnt here :w00t:


There is a plan underway now to setup a group of us to preview all future releases before it goes live. I've submitted a list of proposed testers to Brooky. Not sure when that will be implemented though.

:w00t:


Guest estelle

Sir William has a point also, you do not go down to the jail house and shout that the lock is broken on your house. Again maybe the moderators in the future should remove the thread which identifies any security threat and pm the member and copy brooky the removed post.

I believe this is exactly what happened. I mean, I'm sure the hacker posted about it elsewhere. But one person who got hacked posted here in the General Support forum with full information showing how the hacker had gained full access to his files and database. It was deleted shortly afterwards, but once it's been posted here it goes out to anyone's mailbox who's subscribed to that forum (myself being one of the people who are subscribed). And sent emails can never be deleted :w00t:

This is exactly why I hope no one writes an offline credit card gateway for CubeCart. Much better if a third party is responsible for your customers credit card details :P


Sir William has a point also, you do not go down to the jail house and shout that the lock is broken on your house. Again maybe the moderators in the future should remove the thread which identifies any security threat and pm the member and copy brooky the removed post.

I believe this is exactly what happened. I mean, I'm sure the hacker posted about it elsewhere. But one person who got hacked posted here in the General Support forum with full information showing how the hacker had gained full access to his files and database. It was deleted shortly afterwards, but once it's been posted here it goes out to anyone's mailbox who's subscribed to that forum (myself being one of the people who are subscribed). And sent emails can never be deleted :D

This is exactly why I hope no one writes an offline credit card gateway for CubeCart. Much better if a third party is responsible for your customers credit card details :D

I believe this is me you are talking about. :ninja:

I'd like to stand up and apologise. As I am a coding newbie, I only thought that if we knew how they were hacking we could patch it, and it wouldn't matter how they got in because they couldn't any more. I'm terribly sorry, I really didn't mean to make the situation worse. :) I just haven't been educated with forums enough to know the procedures, and wish in some form that I could have been told earlier. I'm still learning, and no, I wasn't hacked; I just felt really bad for the people who were hacked and tried to find ways I could help... but did the opposite. Sorry... :D


Guest estelle

Puppy, don't worry about all this :). I wasn't referring to you, and as far as I know you haven't done anything wrong. I was simply referring to a post here in the CubeCart forums that contained the web server log entries of a successful hack. This particular post was deleted quite quickly and I now feel that it probably had no impact anyway. Besides, it's been one big learning experience for every one of us, and it's wonderful that you were trying to help :)

I hope that everyone now takes regular backups of both their files and database, and keeps track of all the mods they have installed to help if a quick upgrade is ever required again. And lastly, everyone ought to test their own store thoroughly before going live with any changes, because there are a million and one different combinations of software and server configurations and Brooky (etc.) will never be able to test them all.

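estelle's two pieces of advice above, regular backups of files and database and a record of which files you have modded so that a quick upgrade is possible, as an added example that is not part of the thread or of CubeCart: a shell helper that lists every file in the live store that was added or changed relative to a pristine unpack of the release, and snapshots the tree, the database and that mod list into one timestamped directory. The directory layout, the database name and the use of ~/.my.cnf for credentials are assumptions.

```shell
#!/bin/sh
# Backup and mod-tracking helper for a PHP store such as CubeCart.
# Added example, not the project's own tooling. Assumptions: tar, gzip and
# mysqldump are on PATH, MySQL credentials live in ~/.my.cnf, and the four
# paths/names passed in are whatever your installation uses.
set -u

# List every file in the live store that was added or changed relative to a
# pristine unpack of the release you installed. This is the "list of mods"
# you need before dropping in an upgrade: it tells you exactly which of your
# changes to re-apply afterwards.
modified_files() {
  pristine=$1
  live=$2
  ( cd "$live" && find . -type f ) | sort | while IFS= read -r rel; do
    if [ ! -f "$pristine/$rel" ]; then
      echo "added    $rel"
    elif ! cmp -s "$pristine/$rel" "$live/$rel"; then
      echo "modified $rel"
    fi
  done
}

# Snapshot files, database and mod list into a timestamped directory and
# print that directory's path.
backup_store() {
  live=$1
  pristine=$2
  dbname=$3
  dest=$4
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest/$stamp"
  tar -czf "$dest/$stamp/files.tar.gz" -C "$live" .
  # --single-transaction gives a consistent InnoDB snapshot without locking the
  # live store; credentials come from ~/.my.cnf, so they never appear in ps
  # output or shell history.
  mysqldump --single-transaction "$dbname" | gzip > "$dest/$stamp/db.sql.gz"
  modified_files "$pristine" "$live" > "$dest/$stamp/mods.txt"
  echo "$dest/$stamp"
}

# Usage: sh store_backup.sh /var/www/store /opt/pristine/cubecart-3.0.7 storedb /backups
if [ "$#" -eq 4 ]; then
  backup_store "$1" "$2" "$3" "$4"
fi
```

Keep the pristine unpack of every release you install next to the store and never edit it; the mods.txt written beside each backup then doubles as the record of what a patched release has to be merged with.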

Puppy, don't worry about all this :). I wasn't referring to you, and as far as I know you haven't done anything wrong. I was simply referring to a post here in the CubeCart forums that contained the web server log entries of a successful hack. This particular post was deleted quite quickly and I now feel that it probably had no impact anyway. Besides, it's been one big learning experience for every one of us, and it's wonderful that you were trying to help :)

I hope that everyone now takes regular backups of both their files and database, and keeps track of all the mods they have installed to help if a quick upgrade is ever required again. And lastly, everyone ought to test their own store thoroughly before going live with any changes, because there are a million and one different combinations of software and server configurations and Brooky (etc.) will never be able to test them all.

Thank you estelle. :):):wub:

I have learned a lot from these forums and gained respect for a lot of people here (thank you for the many mods you've provided my store with). It has been devastating to see some of my favourite CC stores been hacked. Thank you and the active members for the ongoing support. :)


Guest degsey69

Puppy

This was a learning curve for everybody and you have helped the rest by informing the forum asap.

As these perverted idiots continue to disrupt honest hardworking businesses by their schoolboy pranks and dishonest and annoying spam scripts, we have to be vigilant in the protection of our websites.

So I say thank you for raising the alarm here and being honest. ;)
