Taking a closer look at what’s wrong with Internet Explorer 6 …

Security

There are several flaws within Internet Explorer 6, some well known and some less so. Alongside the more serious attacks, there are also small programs called keystroke-logging Trojan horses, which capture IDs, passwords, and credit card information as you type them. This happens without users even knowing there’s anything wrong. At this time, only Windows users are at risk; Mac and Linux users are safe … for now.

As a side note: Mac has long since stopped supporting Internet Explorer and now suggests Safari, Opera and Firefox as the ideal browser software.

Microsoft launched its war against Netscape a few years ago. We were encouraged to ‘optimise for Internet Explorer’ and were lured by the ability to display flashing images and pretty sounds. Internet Explorer now holds a commanding 95% of the browser market and due to its dominance, the engineers have been pretty slack with browser innovations and making the software secure.

In the wake of serious security events, Microsoft announced instructions to secure Internet Explorer. Put simply, you need to increase the security settings within Internet Explorer - turn off JavaScript and ActiveX* and start reading email as plain text (because Outlook uses Internet Explorer to render HTML). In other words, we should turn off everything that web developers were told to optimise for. No more flashing images, great sounds - just bland, old flat web pages.

There’s one flaw that Microsoft fixed six years ago in Internet Explorer 3.0 and 4.0 that resurfaced in versions 5.01, 5.5, and 6.0. Microsoft has since posted a patch for one of the new Internet Explorer flaws, but it waited a week to do so, and this patch still doesn’t resolve all the problems.

If you decide to stick with IE, you can also stop remote-access Trojan horses with a good personal desktop firewall, such as those included in Norton Internet Security and McAfee Internet Security. Finally, several of the banking Trojans can be removed with apps such as Spybot Search and Destroy and Ad-aware, plus antivirus apps. If you aren’t currently checking for spyware, you should be. And if you aren’t running antivirus protection, well, now’s a really good time.

IE6 and Web Design

IE6 was released in 2001 and was the most widely used browser until September 2007, when Firefox became more popular. However, even now IE6 users outnumber the users on IE7.

Many users feel that they don’t need to upgrade their browser - after all, they can view websites and download their email - why bother? From a design point of view, more and more web developers will stop catering for IE6 and websites will look less attractive, forcing users to upgrade.

This isn’t due to developers becoming lazy; we are trying to encourage the use of standards-compliant browsers such as Firefox, Safari, Opera and even IE7. With the beta version of IE8 due out, this will become even more apparent.

We have moved into a new phase of the web. With the advent of new technologies and new developments, IE6 is now just too old to accommodate these changes, which, in turn, holds back the advancement of the web. IE6 is not standards compliant and is therefore not a part of the present or the future.

Whereas a site can look fantastic in other browsers, it is, when viewed through IE6, often a complete mess. Padding appears when not asked for, images are not aligned properly throwing the whole site out of whack and extra line breaks are added. ARRGH!! This is the time when developers cry :(

IE6 does not support PNG images. With high speed internet connections, developers are not as concerned with the size of images and the need to optimise as much as possible. PNGs are high quality images that allow for transparency - rather like a high quality GIF. These are a great way of including more detailed gradients or backgrounds. However, in order to make these work in IE6, we need to create ‘hacks’ and special style sheets just to accommodate it - this in turn adds to the development time and overall cost of the website.

At this time, developers have managed to fix more of the common problems with ‘hacks’ and know what to test for but there is always something new to fix. At present, we end up making a special style sheet for a browser that is now 7 years old.

So the main question is ‘why don’t users upgrade?’ Is it due to the upgrade being a download and they don’t feel they can trust it … or is it down to ‘what they feel comfortable with?’ - There are great browsers out there, so get browsing and enjoy viewing web sites as they were meant to be viewed.

  1. Download Internet Explorer 7
  2. Download Firefox
  3. Download Opera
  4. Download Internet Explorer 8 beta

* ActiveX is a component object model (COM) developed by Microsoft for Windows platforms. By using the COM runtime, developers can create software components that perform a particular function or a set of functions. Software can then compose one or more components in order to provide the functionality it intends to. Many Microsoft Windows applications, including many of those from Microsoft such as Internet Explorer, Microsoft Office, Microsoft Visual Studio and Windows Media Player, use ActiveX controls to build their feature set, and also encapsulate their functionality as ActiveX controls so that it can be embedded in other applications. Internet Explorer also allows ActiveX controls to be embedded inside web pages.

       


Security bulletin 20080806

Several moderate security issues have been identified in X-Cart. The issues make X-Cart-based stores potentially vulnerable to attackers who wish to make the application inoperable or gain access to the application back-end.

Qualiteam has released a security update which includes the following improvements.

All versions:

- the way adding/updating users worked, which was introduced in the previous patch, is changed,

- protection against SQL errors in case of a wrong productID is added (except versions 4.1.4 - 4.1.10),

- protection against SQL injections during inventory updating is added.

4.0.x branch:

- session variables are now protected from modifications using POST and GET queries,

- for versions 4.0.10 - 4.0.19, the previous patch did not work for stores run in Windows environment. It is now corrected.

4.1.x branch:

- session variables are now protected from modifications using POST and GET queries,

- the previous patch did not work for stores run in Windows environment. It is now corrected,

- protection for unauthorized access to files using the GiftCertificate module is added,

- (for 4.1.9, 4.1.10) protection against XSS attacks, introduced by the previous patch, is improved,

- (for 4.1.0 - 4.1.8) an error revealed in the previous patch (use of an undeclared function) is fixed.

SEVERITY: Moderate

IMPACT

A malicious user can make an X-Cart-based store inoperable or gain access to the application back-end and sensitive information stored in the users’ profiles.

AFFECTED VERSIONS

All X-Cart versions from 3.5.X to 4.1.10

SOLUTION

We strongly recommend X-Cart users to install the security fix available in the HelpDesk ‘File Area’. Installation instructions can be found in the README.txt file attached to the .tgz archive.

IMPORTANT!

This security patch MUST be applied only after the previous security patch has been applied.

Should you require any assistance, please do not hesitate to contact Just X-Cart


Security bulletin 20080805

Several hack attempts on LiteCommerce stores were revealed recently. The intruders tried to use LiteCommerce administrator accounts created by our support engineers earlier for troubleshooting. Qualiteam apologizes for possible inconveniences.

All LiteCommerce users should take the following precautions:

1. in LiteCommerce admin, check section ‘Users’ (menu ‘Management’),
2. remove all administrator accounts that are not used by you or anyone from your staff,
3. if you do detect a suspicious or strange administrator account, you should change passwords for all your profiles.


Security Bulletin - 20080703

During internal audit activities, X-Cart has identified several moderate security vulnerabilities.

DESCRIPTION and IMPACT

In all X-Cart versions:

1. A malicious provider may ask the store administrator to use special symbols during creation of a provider account. In this case the provider can get access to the store files from the Files directory (or even outside of it).

2. If the installation script has not been removed from the X-Cart web directory or closed to public access, as is recommended, there is a possibility of gaining the store installation auth code.

In versions 4.0.8-4.0.13:

3. An SQL injection is possible due to a vulnerability in the Sales-n-Stats connector module.

These security issues make X-Cart potentially vulnerable to attackers who wish to make an X-Cart-based store inoperable or gain access to the application back-end.

SOLUTION

To fix the security vulnerabilities, all X-Cart users should immediately install the security fix issued by Qualiteam.
Please check your Helpdesk ‘File Area’ section for the security patch for your X-Cart version. Installation instructions are included in the patch archive, in the file README.txt.

The security fix also adds an extra protection level against XSS attacks which will augment your store security.

As an additional security measure, you should remove the /install.php file, or close it to public access, after you have installed the software.

Please refer to the “3.2.5 Security Checklist” chapter of the X-Cart manual for instructions.
Users are encouraged to contact Qualiteam tech support to receive help or if any problems are revealed during or after the patch application.
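
One way to check the install.php recommendation above on a store's web directory, as an added example that is not Qualiteam's or X-Cart's own code. The function name `check_installer` is hypothetical, and "closed to public access" is assumed here to mean that the file has no read bit for "others"; a web-server deny rule has to be verified separately.

```shell
#!/bin/sh
# Added example: audit a store's web directory for a leftover installer.
# Assumption: only the filesystem permission bits are inspected; this
# does not test whether the web server itself refuses the request.

# check_installer DIR
# Prints one status word and returns:
#   0  absent   - install.php has been removed
#   1  closed   - install.php exists but "others" cannot read it
#   2  exposed  - install.php exists and is world-readable
#   3  error    - DIR is not a directory
check_installer() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "error"
        return 3
    fi
    f="$dir/install.php"
    if [ ! -e "$f" ]; then
        echo "absent"
        return 0
    fi
    # Permission string of the file itself (symlinks followed),
    # e.g. "-rw-r--r--"; character 8 is the read bit for "others".
    perms=$(ls -ldL "$f" | cut -c1-10)
    other_read=$(printf '%s' "$perms" | cut -c8)
    if [ "$other_read" = "r" ]; then
        echo "exposed"
        return 2
    fi
    echo "closed"
    return 1
}

# Run against a directory given on the command line, if any.
if [ $# -gt 0 ]; then
    check_installer "$1"
fi
```

A result of `closed` only says the permission bits are tight; if the web server runs as the file's owner, the script is still reachable and should be removed.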

Should you require any assistance, please do not hesitate to contact Just X-Cart


Just X-Cart Blog gets launched

Title: Just X-Cart Blog gets launched
Location: Australia
Description: Designed to help answer questions and provide a discussion area about X-Cart software
Date: 2008-05-19


SEO Tips on how to get your website seen by search engines

(1) Meta-data:

Ensure all pages of your site have meta data, e.g. relevant titles, descriptions and keywords. There are a number of SEO tools available that can check keyword density, title and description relevance to page content etc. It takes time to get the right balance and have the meta data and actual page content have relevance, but the time you invest will certainly be worth it.

(2) Images:

Put text/alt tags on images throughout your website. Not only does it provide additional descriptions and information to customers, but it also assists Google to understand better what your page is about and assists screen readers to analyse your website more effectively, making it much more user-friendly.

(3) Content & Internal Linking:

Write up a keyword-rich homepage introduction to include the words relevant to your products/industry + links into your cart categories and directly to your products.

(4) Google Stuff:

(5) Forums:

Find forums that you can give your professional opinion on. Don’t just go into the forum and tell everyone to come and visit your site – this is not the objective. Instead, find forums where you can assist others with your knowledge. Take the emphasis off trying to promote your business, and place it on actually answering a question to the best of your ability. Ensure, however, that you put your website URL in your signature so that when you do post an answer to a forum, your web address goes up with it.

(6) DMOZ Submission:

Sign up in the DMOZ directory - http://www.dmoz.org/  (ensure to drill down into the specific category, one only, that you want to be listed under, then click on ‘Suggest URL’ from top of page)

(7) Resources/Links:

Actively seek to place your link on sites with good pagerank, or that are popular and within your industry type. We strongly advise against link-farms and simply exchanging links for the sake of it. You can also place on this page links to other sites that you feel your visitors may find useful. Ensure to have written into your Privacy Statement however that all external links are provided to them as a courtesy and that you are not responsible for the content or activities of the business etc should your customer visit the links.

(8) Be Proactive:

Make regular changes and updates, and add pages to your existing website. Add pages but do not delete existing ones, nor change the actual names of the pages. All pages of your site have ‘history’ attached to them and if you delete pages, or change their names, that ‘history’ is lost.

(9) Constant Contact:

Keep in contact with visitors to your site and customers. Provide the option of subscribing to your newsletter on your website and then use the email addresses provided to notify site visitors of everything happening in your business, from the launch of new products, upcoming events, specials, sales etc. Whether it be a weekly or even monthly newsletter, the aim is to keep your web address clearly in their minds – and what better way than via their inbox!

(10) Monitor your site:

How can you possibly know what is going on with your website if you don’t actively monitor what’s going on with your website! X-Cart comes inbuilt with a variety of statistics and analysis tools; however, if you really want to view your website’s activities, get yourself a program that enables you to see where people are coming from, which pages are the most popular, how many ‘unique’ visitors have visited, how they got to your site (e.g. by search engine search term, AdWords link, or other referral link), and the click-path they took through your site. All of this information is invaluable to see how your website is going.

In conjunction with monitoring software/tracking script, keep your own journal of keywords and how you are ranking in the search engines. Just put together a spreadsheet and list down the keywords you want to rank well in. Then weekly take the time to actually type those keywords into Google and see where you are positioned. The only way to tell if you are improving is to check if you are actually improving! If you are, keep doing what you are doing. If not, then at least you are aware that things need to change in order for your search engine success to change.

(11) Add a Blog:

Just like the forums, a blog can be a fantastic place to provide resources and information to your customers and site visitors. It can also encourage regular interest in your site, resulting in repeat visits from people just to see the latest news, reviews and information you have on your blog.

(12) Reward your customers:

Have incentives to encourage repeat patronage, i.e. you could send all first-time customers a $10.00 gift certificate - they would have to either come back themselves to redeem it, or forward it on to another person - either way you get another sale, even if you lose $10.00 on the sale itself.

(13) Offer regular specials / incentives:

Have ‘special offers’ or bonuses such as free shipping etc., especially on special occasions such as Mother’s Day, Father’s Day, Valentine’s, X-Mas, Easter - basically utilise all the special times of the year as a good excuse to have a special, have a sale, have a bonus offer etc.

 


X-Cart Design Requirements

Before we can issue you with an exact quote, we have a few questions:
1. What is the desired name and URL for your new site / store?
2. We will require an approximate structure of your site - ie, site map showing required pages.
3. Do you have a specific name of the product, brand, service you wish to advertise?
4. A logo or any other materials (if any exist) which you would like to use in your future design. These would need to be supplied in eps format.
5. Desirable multimedia improvements (if necessary).
6. Special requests, for example color scheme or something else (if there are any).
7. Description of your primary and secondary target groups in terms of age, level of income, demography, behavior, feelings and thoughts regarding your product, etc.
8. Advantages and disadvantages of your main competitors’ Internet resources.
9. URLs of the sites whose design you like and those you dislike. This is very important in order to give us an idea of the overall look and feel you are aiming for.
10. Desirable deadlines of the project.
