HTTP vs HTTPS pages - as designed?

[Brian1234]

Hi,

I'm repairing our zen-cart store a bit after developers (and I use that term loosely) messed some things up on us. I have the secure pages 'lock' displaying properly in the browser again but notice not all logged-in user pages are using https. I think this is normal operation and I'm all set, but would like to confirm this is as-designed.

Pages that show as https:
Customer Log-in
Customer Log-out
Customer Checkout
Customer My Account page

Pages that show as http (even when logged in):
Home
Product Pages (and notices like privacy policy)
Shopping Cart (this one is one I'm really wondering about)


Version: Zen Cart 1.3.8a

From includes/configure.php:
define('HTTP_SERVER', 'http://www.example.com');
define('HTTPS_SERVER', 'https://www.example.com');

// Use secure webserver for checkout procedure?
define('ENABLE_SSL', 'true');


From admin/includes/configure.php:

define('HTTP_SERVER', 'http://www.example.com');
define('HTTPS_SERVER', 'https://www.example.com');
define('HTTP_CATALOG_SERVER', 'http://www.example.com');
define('HTTPS_CATALOG_SERVER', 'https://www.example.com');

// Use secure webserver for catalog module and/or admin areas?
define('ENABLE_SSL_CATALOG', 'true');
define('ENABLE_SSL_ADMIN', 'true');

[DrByte]

That is normal.

[Brian1234]

Thanks!

[schoolboy]

Version: Zen Cart 1.3.8a

This version is increasingly vulnerable.

Today I received messages from 2 past clients reporting "odd" behaviour, as communicated via the web-host:

Hello,

During a recent security scan on the server we perform to protect accounts, we found the following suspicious script on your account:

-----
User: x x x x x
System: x x x x x

Viewscan found the following security issues:

Script: /home/x x x x x x /public_html/count.php
Reason: r57 shell viewer

Script: /home/x x x x x x /public_html/images/profile.php
Reason: r57 shell viewer

Both clients did not take advantage of our offer to upgrade to 1.3.9.

Now they have problems...