Thread: evertek

  1. #1
    Join Date
    Dec 2011
    Posts
    8
    Plugin Contributions
    0

    evertek

    I wrote a script to retrieve and convert the Evertek CSV to Easy Populate format. Now apparently I have to mod the core to allow curl to log in. Anyone done this? This is the only thing holding everything up. Thanks!

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: evertek

    You said your script converts a CSV to EasyPopulate format. If it's only converting data formats, why does it need to log in to anything?

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Dec 2011
    Posts
    8
    Plugin Contributions
    0

    Re: evertek

    So it can auto update the database with new / updated values without having to manually do it yourself. Auto shop updating :) I have already made a Google page for it. So hopefully more people can make use of it. I don't even run my own e-store; this is for someone else.

  4. #4
    Join Date
    Dec 2011
    Posts
    8
    Plugin Contributions
    0

    Re: evertek

    I'm trying to avoid actually messing with the database. Zen Cart and Easy Populate are already really good at manipulating the data in the DB, so I'd rather just let them do those tasks. The only problem I was having was getting Easy Populate to accept the CSV file. That problem is past, but now, when I try to log in to curl, I get the regular login page with the same token.

    I've managed to scrape the token and post the admin_name, admin_pass, securityToken, and also submit=Login, but it's not working that way.

  5. #5
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: evertek

    Have you considered the implications of PCI DSS with your application? If you're creating something which gains access to the store's backend administration tools, then you need to ensure your code is totally secure. Anyone using your application puts themselves at risk if they allow outsiders (i.e. your application) to log in.

    www.pcisecuritystandards.org

    Just something to keep in mind and ensure you alert people about when you give people your code.

  6. #6
    Join Date
    Sep 2004
    Posts
    1,388
    Plugin Contributions
    4

    Re: evertek

    I think you may be overthinking your problem. Why not move your code into the Zen Cart admin? I don't see why your conversion couldn't occur on a page inside the Admin...
    Frank Koehl
    "Cleverly Disguised as a Responsible Adult"

    frankkoehl.com

  7. #7
    Join Date
    Dec 2011
    Posts
    8
    Plugin Contributions
    0

    Re: evertek

    The whole config file is encrypted with AES 256-bit encryption; the worst security issue would be DNS poisoning w/ a man-in-the-middle attack. I got it to work while keeping the security token feature working. The script doesn't access the admin page directly.

    You can read about it here: http://jackiecraigsparks.wordpress.c...s-in-zen-cart/ I'm going to post the code in the next day on Google Code. I'm working on putting AJAX into it.

    You can even trigger the script from your home/office PC, phone or tablet device to keep your login creds stored in the config private from prying eyes.

    Now the whole security of the config is flawed when run from the same server on a cron job. Thanks for the link on PCI security standards. I will read that for sure.

  8. #8
    Join Date
    Dec 2011
    Posts
    8
    Plugin Contributions
    0

    Re: evertek

    BlindSide: does the admin allow me to run like a cron job?

  9. #9
    Join Date
    Dec 2011
    Posts
    8
    Plugin Contributions
    0

    Re: evertek

    The DNS poisoning w/ man in the middle would only allow a SQL injection if the Easy Populate script didn't sanitize the CSV.

  10. #10
    Join Date
    Sep 2004
    Posts
    1,388
    Plugin Contributions
    4

    Re: evertek

    Originally posted by skraps:
    "BlindSide: does the admin allow me to run like a cron job?"

    The Zen Cart Admin is designed to serve webpages, and has no native recognition for cron jobs. However, PHP code located in the Admin (or anywhere else for that matter) can be executed in a cronjob.

    The concern DrByte and I have is that you're hacking around the login, which violates PCI.

    Does the cronjob itself need to login, or are you logging in for a user so they can configure stuff?

 

 
