UPDATE: Please see this follow-up post.
Last summer we were working on an e-commerce site that integrated Cart66 with WordPress. As part of the development effort there, my team at Crowd Favorite discovered a vulnerability in Cart66.
We reported this to the Cart66 team on July 11, 2011 and received the following response on July 12, 2011:
Alex,
We are aware of this issue and are working on a solution. I don't have a date for the fix but we'll keep you posted.
Last week (on April 10, 2012) I received the following email:
Hello Alex,
We haven’t heard from you in 3 or more weeks so we are going to go ahead and solve this ticket. Do not hesitate to reply if you have any further questions.
My guess is that this is an automated email generated by their ticket system, but it reminded me I’d never properly followed up on the issue. We tested the current version of Cart66 (version 1.4.5) and the vulnerability is still present.
At WordCamp San Francisco last summer I posed a question during the Q&A session to get input from others on the best way to handle this situation. The agreed-on course of action was to:
- Responsibly disclose the issue privately to the developer.
- Give the developer time to address the issue.
- Go public with the information if the issue is not addressed (it’s more important to let the users of the software know about the issue than it is to extend any “security by obscurity”).
As such, we plan to release the details of this vulnerability in two weeks (on April 30th).
We sincerely hope that the Cart66 team will address the vulnerability with a release that fixes the issue before this time (and responsibly notify their customers of the issue and the importance of upgrading). However, given the overall lack of response we’ve seen from the Cart66 team on this issue, my recommendation would be to evaluate other e-commerce solutions.
Thanks for posting this, Alex. I’ve been digging around in the Cart66 code for the last couple of months in order to add some missing features, and have come across something that looked suspicious… Now I’m motivated to dig a lot further.
@markjaquith since u’ve used Cart66 a lot. Thoughts on http://t.co/YlBod8ni
@wp_smith @markjaquith I guess that means I have 2 weeks to move my client out of Cart66. *sigh*
@wp_smith I hope they respond… it’s not cool for a security issue to remain unfixed for so long.
Having been required to go down similar routes as you, Alex, I can say that if you have found only one, you haven’t found them all.
Cart66, please fix your vulnerability. By the time people are mass tweeting about it, you’ve waited too long.
Cart66 vulnerability will go public within two weeks (after being reported almost a year ago!). http://t.co/QztBu3ls
Wow, just wow. 1 year and a half not fixing a known security issue? Not cool @cart66
Heads up. There’s a Cart66 vulnerability. http://t.co/euUw52AK
Vulnerability in Cart66 for #WordPress http://t.co/Ws6sPXXJ /via @alexkingorg @Ipstenu
There will be a security release tomorrow resolving the vulnerability mentioned by @alexkingorg
We’ll be releasing a security update that resolves this problem tomorrow.
.@alexkingorg Kudos for getting @cart66 to pull their head out of their ass.
@alexkingorg thanks for pushing @cart66 to get this resolved. Unbelievable that it would take a threat to make it happen.
Not surprised at all that they didn't get back to you. I discovered a vulnerability with another WordPress shopping cart a few years back. I forgot which one. We told them, never got a reply. The developer spoke at WordCamp Portland, we talked to him. He took offence to what we had to say, and didn't seem to think it was a big deal. Sadly it appears most WP shopping carts just aren't taken seriously. If you want to do ecommerce, use a real shopping cart. It will also help with growth down the road with integration into order management software. After all, what good is the shopping cart if you can't manage the orders and scale for growth?
We ended up using WooCommerce successfully for our project last summer. They develop the plugin in the open on GitHub and accept pull requests.
WooCommerce seems to work well, as long as the customer knows how to handle the orders. The last thing a merchant wants is to not be prepped when a high-traffic site picks something up and you get 2k orders in 8 hours. I wish I had known then what I know now, and had been prepared for that.
Just wanted to let everyone know that we released an update this morning that resolves this vulnerability. We do think it is a big deal. We do take it seriously. We are very embarrassed that Alex’s ticket slipped through the cracks. We have posted a message written by Lee Blue, the owner of Reality66, about this issue here: http://cart66.com/20[...]ility-fixed/
[…] released a new version this morning, addressing the vulnerability I posted about yesterday. A one-day turn-around to address a security issue is excellent (even if the stink from 9 months of […]