While installing this module, some issues have come to light. I was hoping these could be addressed.
1. The very fact that this module installs/writes files and installer functions/files are not removed post successful installation is not secure.
I would think that anyone installing this module could certainly and more safely run an SQL patch.
2. The creating of filenames which have no associated function, such as .bak, is a vulnerability and PCI fail.
There is no need for this as certainly we do not want to be overwriting existing template files anyhow. Detailed merging instructions should likely be included in the place of the "installer".
Additionally, this thread is not listed in the documentation and should be added, as the instructions for using the installer are quite complicated... More so than just installing the module without it would be.
I find it troubling that once installed even, deletion of these .bak files disables the module.
I am not trying to beat anyone up, but clearly this module is something shop owners need and always have needed... However, it makes no sense to take PCI certified software and in one shot make it vulnerable and PCI fail.
I would be willing to help out as I can, but I lack the GD/ImageMagick skills to port this to 1.5.0.
~Melanie