
Remove uploading picture or file to Help Desk

Printed From: ProductCart E-Commerce Solutions
Category: ProductCart
Forum Name: Suggestions
Forum Description: ProductCart Suggestions
URL: https://forum.productcart.com/forum_posts.asp?TID=4691
Printed Date: 21-November-2024 at 11:39pm
Software Version: Web Wiz Forums 12.04 - http://www.webwizforums.com


Topic: Remove uploading picture or file to Help Desk
Posted By: Russ Nobbs
Subject: Remove uploading picture or file to Help Desk
Date Posted: 26-August-2011 at 6:06pm
With the recent security problems it would be worthwhile to allow stores to turn off or deny customers from uploading pictures or files to the Help Desk.

Customers do use the Help Desk. We'd like to eliminate any potential security hole in the future by removing the ability to upload anything except by administrators.



Replies:
Posted By: ProductCart
Date Posted: 27-August-2011 at 8:07pm
Hi Russ,

Thanks for your feedback. That could add an additional layer of security and it's a good suggestion for a new feature.

For now, it looks like you can manually turn uploading permissions off in the Help Desk by editing the following line:
AllowUpload="1"
... by changing the 1 to 0.

This must be done in 4 files in the storefront:

- pc\useraddfeedback.asp
- pc\usereditComment.asp
- pc\usereditFeedback.asp
- pc\userviewfeedback.asp

We'll definitely look at turning this into a Control Panel setting in the future.


-------------
The ProductCart Team

Home of ProductCart shopping cart software (http://www.productcart.com)


Posted By: Russ Nobbs
Date Posted: 01-September-2011 at 2:32am
Thank you for the instructions for manually removing the ability to upload pictures or files. We've taken that step.

Having the ability to turn all customer upload operations off with a single control panel "switch" would be convenient.

We're looking at the advanced security settings (http://wiki.earlyimpact.com/productcart/settings-security-settings) to see if there are others that make sense to enable without making the store too complicated for the customer to navigate. After recent exploits of our stores we need to find the best ways to avoid any future intrusion or damage.


Posted By: Hamish
Date Posted: 01-September-2011 at 6:39am
Hi Russ,
Early Impact are, of course, doing everything possible to prevent exploits, even if they are due to failings in IIS6 as was the case on this occasion. The reality is that even if ProductCart is perfect there is no absolute guarantee that a server is bullet proof. A couple of us use and like Total Commander. You can use it to carry out a very quick compare of files on the server with a copy previously downloaded, or even better a copy of the files you uploaded. It can also generate MD5 checksums to allow definitive verification that files have not been modified.

-------------
Editing ProductCart Code?

See WIKI Guidelines for Editing ProductCart's ASP Source Code (http://wiki.earlyimpact.com/developers/editcode)
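
The file comparison described in the post above, as an added example that is not part of the original post and not ProductCart's own code: it hashes a known-good copy and a freshly downloaded copy of the store files and reports what was modified, added or removed. It uses SHA-256 in place of the MD5 checksums mentioned in the post (pass `algo="md5"` to match them); the directory names, `sample.asp`, `unexpected.asp` and all file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root, algo="sha256"):
    """Map each file's path (relative to root, POSIX style) to its hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.new(algo)
            with path.open("rb") as fh:
                # Read in chunks so large files do not have to fit in memory.
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(baseline_dir, current_dir, algo="sha256"):
    """Return files modified, added or removed relative to the baseline copy."""
    base = hash_tree(baseline_dir, algo)
    cur = hash_tree(current_dir, algo)
    return {
        "modified": sorted(p for p in base.keys() & cur.keys() if base[p] != cur[p]),
        "added": sorted(cur.keys() - base.keys()),
        "removed": sorted(base.keys() - cur.keys()),
    }


def demo():
    # Constructed sample trees standing in for the uploaded and downloaded copies.
    with tempfile.TemporaryDirectory() as tmp:
        base, cur = Path(tmp, "baseline"), Path(tmp, "downloaded")
        for root in (base, cur):
            (root / "pc").mkdir(parents=True)
            (root / "pc" / "useraddfeedback.asp").write_text('AllowUpload="0"\n')
            (root / "pc" / "sample.asp").write_text("<% ' unchanged %>\n")
        (cur / "pc" / "useraddfeedback.asp").write_text('AllowUpload="1"\n')  # edited
        (cur / "pc" / "unexpected.asp").write_text("<% %>\n")  # not in baseline
        (cur / "pc" / "sample.asp").unlink()  # missing from the downloaded copy
        return compare_trees(base, cur)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Files reported as added deserve the same attention as modified ones, since a plain checksum check of known files would not list them.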



Posted By: Russ Nobbs
Date Posted: 07-September-2011 at 7:40pm
Hi Hamish,
Yes, there is no absolute guarantee that a server is bullet proof or that some insider at an operation won't do something to compromise an installation or the data.
Thanks for the suggestion on Total Commander. Here Todd used both EximDif and Beyond Compare.

To keep up with security issues we subscribe to technical security alerts from http://www.us-cert.gov/ and monitor some webmaster sites watching for exploits that could touch our installation.


