  1. #171
    Join Date
    Nov 2005
    Location
    los angeles
    Posts
    2,693
    Plugin Contributions
    9

    Default Re: NIVO slider accessibility issues

    Quote Originally Posted by dbltoe View Post
    Just a little FYI. If a file is renamed using old or bak, it may still be run by the system AND, any *.bak files on a server are a direct PCI violation.
    please point us to where on the PCIDSS website we can see that any .bak files are a violation of PCI. i have never seen that, and i would like to...

    Quote Originally Posted by dbltoe View Post
    ...I can easily find what I did by searching for *.bst.

    Yes, it's a valid file extension but requires a special viewer to open on line.
    this is really not correct. text files can be opened by a text editor, no matter their extension. renaming a file's extension does not automatically make the file a valid version of said extension.

    keeping backup files on a web server is not a good idea. one must ensure that the web serving software (ie apache) is properly configured to not serve up those files. else anyone can see them if they know where to look.
    author of square Webpay.
    mxWorks has premium plugins. donations: venmo or paypal accepted.
    premium consistent excellent support. available for hire.

  2. #172
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,154
    Plugin Contributions
    11

    Default Re: NIVO slider accessibility issues

    It's been years since we had this come up in a PCI scan. I added it to lat9's override cheatsheet in 2013. Can't find the link as I didn't have it bookmarked.

    As you pointed out, a lot of files can be opened in a standard file editor. When you have something like the configure.php temporarily set to 644 for remote editing or FTP, a configure.bak could be left behind with all the database connection information a hacker would need.

    If a mod is downloaded, extracted, edited and then uploaded from your computer, it will often have a .bak in the mix. Even the commercial items like UltraEdit that I use will leave a .bak. I have even seen them in the zip of older mods. If we edit any mod files, we do a file search for *.bak prior to FTP just to make sure none get transferred.

    We used to have a cron for weekly eradication of .bak files but they are so few and far between that we just use cPanel after any significant work is done on a site.

    BTW I used the example of .bst because it does take a text editor with extra features to open. https://fileinfo.com/extension/bst
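
    The pre-upload search for leftover .bak files described in the post above, as an added example that is not part of the original thread: a POSIX shell audit that lists backup-style files under a site directory and flags any that mention credentials. The function names, the suffixes beyond .bak and the keyword pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a site directory for leftover
# backup files before upload, or from cron on the server.
# Assumptions: suffix list beyond .bak, and the credential keyword pattern.

# Print every backup-style file under $1, one path per line, sorted.
find_stray_backups() {
    find "$1" -type f \( -iname '*.bak' -o -iname '*.old' -o -iname '*.orig' \
        -o -name '*~' -o -name '*.swp' \) -print | sort
}

# Classify each stray file: SENSITIVE if it mentions credential-style
# keywords (for example a forgotten copy of configure.php), otherwise STRAY.
# Returns 0 when the tree is clean, 1 when anything was found.
audit_webroot() {
    audit_found=0
    audit_list=$(find_stray_backups "$1")
    if [ -z "$audit_list" ]; then
        return 0
    fi
    # Read paths line by line so names containing spaces survive.
    while IFS= read -r audit_file; do
        audit_found=1
        if grep -qiE 'password|passwd|secret' "$audit_file" 2>/dev/null; then
            echo "SENSITIVE $audit_file"
        else
            echo "STRAY $audit_file"
        fi
    done <<EOF
$audit_list
EOF
    return "$audit_found"
}

# Stand-alone use: sh audit.sh /path/to/site  (non-zero exit means files found)
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

    The non-zero exit status lets the same script gate an upload step or run from a scheduled job; a finding only means a file is present on disk, so whether the web server would actually serve it still has to be checked in the server configuration.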

  3. #173
    Join Date
    Nov 2005
    Location
    los angeles
    Posts
    2,693
    Plugin Contributions
    9

    Default Re: NIVO slider accessibility issues

    i really do not want to get into another pissing match....

    just because the information is on your cheat-sheet does not make it true.

    having a file called confidential.bak on your server, that simply has the text 'everything is good' does not put you in violation of PCI. in fact, depending on what payment modules you have enabled, your website may not even be in scope.

    current trends in PCI compliance refer to reducing scope. the smaller the scope, the less items one needs to worry about being in compliance.

    there is a reason to have websites under version control. just because you are using a commercial piece of software does not necessarily mean it is better. it only means you paid for it.

    i am frequently reminded of the phrase: "it's a bad craftsman who blames his tools."

    having file fragments that are not blocked from being served up by your web site is not a good idea. i would not keep any old files up on a server in a directory that apache serves up.

    finally, if you are running anything less than php 7.4, and your website is in scope, you are in violation of PCI.
    author of square Webpay.
    mxWorks has premium plugins. donations: venmo or paypal accepted.
    premium consistent excellent support. available for hire.

  4. #174
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,154
    Plugin Contributions
    11

    Default Re: NIVO slider accessibility issues

    Quote Originally Posted by carlwhat View Post
    i really do not want to get into another pissing match....
    Then why are you always the "yeah, but" guy?

  5. #175
    Join Date
    Mar 2018
    Location
    Idaho,USA
    Posts
    23
    Plugin Contributions
    0

    Default Re: Template Fluorspar

    Zencart Version 1.5.7d. not an upgrade.
    installed using zc_install.
    PHP version 7.4.23.
    Fluorspar template version 1.8.
    www.legendcycle.net

    I'm getting everything working the way I want but I noticed if I add a product to the cart from the product detail page everything is good. However if I add a product to the cart from the category page it displays "Successfully added Product to the cart ..." at the top of the page but also says "Sorry, the product was not found".

    If I change the settings in admin to "Display cart after adding product", it goes to the cart as expected, but when I click "continue shopping" it then takes me to the page that says "Sorry, the product was not found".

    I switched to the standard template and it doesn't do this.

  6. #176
    Join Date
    Feb 2011
    Location
    Lumberton, TX
    Posts
    528
    Plugin Contributions
    0

    Default Re: Template Fluorspar

    Has anyone installed this on 1.5.8a? I am in emergency mode since my isp dropped the phone version I needed. I know there were issues with going to any php 8+

  7. #177
    Join Date
    Feb 2011
    Location
    Lumberton, TX
    Posts
    528
    Plugin Contributions
    0

    Default Re: Template Fluorspar

    phone = php ...I am wondering if I am just silly this am or I got bit by an overzealous autocorrect lol

 

 