Thread: security issues with older version of oscmax?

  1. #1
    earth-friendly
    Guest


    security issues with older version of oscmax?

    I've been working on a new website, which is based on osCMax v2.0 (May 2005).
    I've made many changes to it, and it is almost ready to go live. (I've been working on it on and off for almost 3 years--yikes!)
    But I'm concerned about possible security issues that may have been fixed in more recent versions.

    I'd really like to get my new site out there as soon as possible, and avoid unnecessary additional work. But I don't want to release it if it contains any serious vulnerabilities. What would you suggest?

    - Should I attempt to upgrade it to v2.0.2 which was recently announced? I didn't see any straight-forward way of going from my version to this version, and it looks like something that could take hours/days/weeks to accomplish.

    - Is there a list of security fixes that I should make? I don't need the latest/greatest fixes to contributions, since I've spent a lot of time getting things to work ok for my site.
    (Is register_globals an issue? I currently have it turned on in a php.ini file, but I've read that it may go away. A link to a tutorial on how to fix it??)

    Please, any help you can give me would be greatly appreciated! I want to get this new site out there already--it will be so great to finally get it finished!

    Thanks so much for any help with this!
    -Lori-
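
What register_globals actually changes, and what converting a page written for it looks like. This is an added example, not code from this thread or from osCMax. The page, the `admin_area_before` / `admin_area_after` functions and the `$logged_in` / `$section` variables are hypothetical names chosen for illustration; the request values are constructed inline, no real request is made.

```php
<?php
// Added example (not osCMax code). With register_globals=On, PHP turns every
// request parameter into a global variable before the script runs, so
// admin.php?logged_in=1 sets $logged_in. Code written for that setting is both
// insecure (any uninitialised variable is attacker-controlled) and stops
// working once the setting is Off, because the variables are simply never set.

// --- BEFORE: relies on register_globals ----------------------------------
// $logged_in is assigned only by a successful login and never initialised
// first; $section is read straight from the URL (in real stores such a value
// typically ended up in an include()).
function admin_area_before()
{
    global $logged_in, $section;
    if ($logged_in) {
        return "admin: " . $section;
    }
    return "denied";
}

// --- AFTER: explicit sources, initialised variables, allow-list -----------
// Login state comes only from the session array; the section name comes only
// from $_GET and must match a known value. Nothing is trusted by variable name.
function admin_area_after(array $session, array $get)
{
    $logged_in = !empty($session['logged_in']);
    $allowed   = array('orders', 'products', 'customers');
    $section   = isset($get['section']) ? (string) $get['section'] : 'orders';
    if (!in_array($section, $allowed, true)) {
        $section = 'orders';
    }
    if (!$logged_in) {
        return "denied";
    }
    return "admin: " . $section;
}

// Simulate register_globals=Off: nothing is set from the query string.
$logged_in = null;
$section   = null;
echo "Off, old code:  ", admin_area_before(), "\n";

// Simulate register_globals=On with ?logged_in=1&section=../../etc/passwd
$logged_in = '1';
$section   = '../../etc/passwd';
echo "On,  old code:  ", admin_area_before(), "\n";

// The converted page, with the same hostile query string but no session.
echo "new code, anon: ", admin_area_after(array(), array('section' => '../../etc/passwd')), "\n";
// And with a real session, plus a section name that is not on the allow-list.
echo "new code, auth: ", admin_area_after(array('logged_in' => true), array('section' => 'x')), "\n";
```

The mechanical part of the conversion is replacing every bare `$foo` that came from the request with `$_GET['foo']` or `$_POST['foo']` guarded by `isset()`; the security part is the allow-list and the decision to take login state only from the session. register_long_arrays is the separate switch for the old `$HTTP_GET_VARS` / `$HTTP_POST_VARS` aliases: with it Off those arrays are undefined, so any code still reading them has to move to `$_GET` / `$_POST` as well.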

  2. #2
    ridexbuilder
    osCMax Development Team
    Join Date: Jul 2008
    Location: Haggisland
    Posts: 4,164


    Re: security issues with older version of oscmax?

    A casual observation: given the 3yr timescale to get this far, another month is surely worth 'sacrificing' to get an up to date version.

    Developers resource at bitbucket
    *** *** ***
    oscmax.co.uk / ejsolutions.co.uk
    Hosting plans with installation, configuration, contributions, support and maintenance.
    *** FREE osCmax hosting available ***
    oscmaxtemplates.com

  3. #3
    earth-friendly
    Guest


    Re: security issues with older version of oscmax?

    Thank you for your response. However, I was hoping to go live with my site in the next couple of weeks. I've been doing this part-time, and I've been hoping to make it a real successful business, with a professional-looking website, to replace the old-fashioned bare-bones website that I have now.

    I have made so many of my own changes to my site, that I wouldn't know where to start, in trying to upgrade from the 5/2005 version 2.0 to this current version of 2.0.2. When I try doing diffs on certain files, many things have been totally rewritten. Also, would I need to upgrade to each intermediate version? I haven't seen instructions that would upgrade from my version to the current version.

    Is it possible to just get a list of security vulnerabilities that I need to fix, and just fix those? I really don't need to fix bugs in mods that I am not even using. I could look through all the bug fixes that were reported, but I don't know if that's the best approach.
    Also, is there a description of what I need to change to turn off register_globals? I see that in many places the global arrays $_POST and $_GET are used already, so I don't know if there are significant changes to make for this.

    I'd really appreciate some guidance in this. I so much want to make my site live, but I don't want it to go out with major vulnerabilities in it.

    Thanks very much for any advice on this--I'd really appreciate it!

    Regards,
    -Lori-

  4. #4
    jpf
    Guest


    Re: security issues with older version of oscmax?

    In order to upgrade - (seeing that you're NOT live - never been yet) we need to know some information.

    What was changed....
    Any contribution added?
    Any core files physically changed (outside of templates and languages)?
    Products loaded?
    Any payment or shipping methods added or MODDED?


    If all you have is mostly template & language file changes and database updates - it should not be hard to update to the latest 2.0 stable.

  5. #5
    earth-friendly
    Guest


    Re: security issues with older version of oscmax?

    JPF, Thank you so much for getting back to me!
    Here are the main changes I've made to the 5/2005 version of oscmax 2.0:

    - MVS 1.1 (This was a really major contribution to incorporate. It involved lots of changes throughout the code. I see that there is a new version, MVS 1.2, which says: for osC 2.2RC2a, works with Register Globals off. Perhaps this version could be added directly to the latest version of oscmax?)
    - Some additional shipping modules that I wrote, for MVS, which are slightly different than the included ones (Per Item Per State 2, First Item Plus, First Item Plus Per State)
    - My own Multisite contribution: this was a real biggie. It involves passing around a cgi argument in every link or form submission, which says which multisite you are in, and then certain pages are displayed differently based on the multisite. This affects just about every file of the code. I could attempt to redo this on the new version of oscmax, although it would be a major effort. This also includes a new version of index.php and its template file, which displays the products for certain categories, based on the multisite argument
    - Category Tree Quantity Value Break Discount
    - Category Trees Minimum Order Quantity Value
    - Second Address Line and/or Address Enhancer
    - myob
    - authorizenet_aim module
    - AuthorizeNet Seal
    - MVS ship estimator
    - Order Editor for MVS
    - Custom Sort Order
    - Master Password
    - Spiders Updated File
    - Tell a Friend (modified)
    - Various changes to the checkout process, to display things differently. The checkout_success page has changed: I display different cross-sell items, based on the multisite argument.
    - Changes to the boxes, because of my new display changes
    - Many additional minor changes, fixes

    - Over 200 products loaded. I've been using Easy Populate. I modified it with a bunch of additional database fields that I've added to product description table

    At the beginning, I was very good about documenting all my changes, but then I got sloppy about it, not realizing that I might at some point need to upgrade to a new version of oscmax because of security updates.

    So, is there any hope here? What would you suggest?
    Should I somehow get a list of security fixes, and make those changes to my current version? Or would it be best to attempt to make all my changes to the newest version of oscmax? Any suggestions on how best to accomplish that? I'm thinking that might be the best way to go, also so I can incorporate future security updates. But I am really overwhelmed about where to start.

    I would greatly appreciate any suggestions that you might have. This is a wonderful system that has been developed by a bunch of great people! I really want to make this live as soon as I can, but I want it to be as secure as possible.

    I'd be happy to let you see the current work in progress, if that will help.

    Thanks in advance for any help you can give me. I really appreciate it!
    Regards,
    -Lori-

  6. #6
    jpf
    Guest


    Re: security issues with older version of oscmax?

    Will not be easy. This is a really old version of oscmax and there have been several updates since.

    Do you have Beyond Compare or other file compare tools? - Compare your modified file with a clean version from 2005. MARK/COMMENT any and all CODE changes you have done.

    Compare the MARKED version to a clean copy of 2.0 stable (ignore the "install" directory - except for the osCMax.sql file). Pay attention to any code you changed and whether that specific code changed in stable.


    Carefully copy over your changes.

    Upgrade your database with the new tables/entries.
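
The three-way comparison jpf lays out can be triaged file by file before any line-level diffing, so the compare tool is only opened on the files that actually need it. The script below is an added example, not code from this thread or from osCMax. It assumes three directories: a clean 2005 tree (base), the modified tree (mine) and a clean 2.0 stable tree (new); the `tree_hashes`, `classify` and `triage` functions are names chosen here, and the demo trees it writes to a temp directory are constructed stand-ins for real checkouts.

```php
<?php
// Added example (not osCMax code, not from the thread): file-level triage of
// three trees before any line-level merge.
//   base = clean osCMax 2.0 (2005) as originally installed
//   mine = the modified tree
//   new  = clean 2.0 stable
// A file only needs hand-merging when BOTH mine and new changed it.

function tree_hashes($root)
{
    $hashes = array();
    if (!is_dir($root)) {
        return $hashes;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        $rel = str_replace('\\', '/', substr($file->getPathname(), strlen($root) + 1));
        // As jpf says: ignore the install directory except for osCMax.sql.
        if (strpos($rel, 'install/') === 0 && basename($rel) !== 'osCMax.sql') {
            continue;
        }
        $hashes[$rel] = md5_file($file->getPathname());
    }
    return $hashes;
}

// Each side is a path => hash map; a path missing from a side means the file
// does not exist there, which the comparisons below treat as its own state.
function classify(array $base, array $mine, array $new)
{
    $verdicts = array();
    $paths = array_unique(array_merge(array_keys($base), array_keys($mine), array_keys($new)));
    sort($paths);
    foreach ($paths as $p) {
        $b = isset($base[$p]) ? $base[$p] : null;
        $m = isset($mine[$p]) ? $mine[$p] : null;
        $n = isset($new[$p])  ? $new[$p]  : null;
        if ($m === $n) {
            $verdicts[$p] = 'identical';      // nothing to do
        } elseif ($b === $m) {
            $verdicts[$p] = 'take-new';       // never modified locally: use stable's copy
        } elseif ($b === $n) {
            $verdicts[$p] = 'keep-mine';      // stable left it alone: carry the local copy over
        } else {
            $verdicts[$p] = 'merge-by-hand';  // both sides changed (or one deleted) it
        }
    }
    return $verdicts;
}

function triage($baseDir, $mineDir, $newDir)
{
    return classify(tree_hashes($baseDir), tree_hashes($mineDir), tree_hashes($newDir));
}

// Constructed demo trees, written to a temp dir so the script runs stand-alone.
$tmp = sys_get_temp_dir() . '/oscmax-triage-' . getmypid();
$demo = array(
    'base' => array('index.php' => "v1\n", 'checkout.php' => "v1\n", 'shipping.php' => "v1\n",
                    'install/index.php' => "v1\n", 'install/osCMax.sql' => "v1\n"),
    'mine' => array('index.php' => "v1\n", 'checkout.php' => "mine\n", 'shipping.php' => "mine\n",
                    'my_module.php' => "mine\n", 'install/index.php' => "v1\n", 'install/osCMax.sql' => "v1\n"),
    'new'  => array('index.php' => "v2\n", 'checkout.php' => "v1\n", 'shipping.php' => "v2\n",
                    'install/index.php' => "v2\n", 'install/osCMax.sql' => "v2\n"),
);
foreach ($demo as $side => $files) {
    foreach ($files as $rel => $body) {
        $path = "$tmp/$side/$rel";
        if (!is_dir(dirname($path))) {
            mkdir(dirname($path), 0700, true);
        }
        file_put_contents($path, $body);
    }
}
foreach (triage("$tmp/base", "$tmp/mine", "$tmp/new") as $path => $verdict) {
    printf("%-14s %s\n", $verdict, $path);
}
```

The `merge-by-hand` list is what to open in Beyond Compare, WinMerge or Meld; `take-new` is where a fix in stable lands without opposition; `keep-mine` still deserves a glance, because a file added locally (a copied core file with a contribution applied, say) can carry the old, unfixed code forward even though stable never touched that path.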

  7. #7
    earth-friendly
    Guest


    Re: security issues with older version of oscmax?

    Thanks very much for the guidance!
    A few more questions before I start on this monumental task:

    - For security fixes, is it possible that any of the contributions I added, or any of the changes I made, might have inadvertently undone any of the security fixes that were made?

    - I think I saw that register_globals and register_long_arrays are now set to off? I haven't had luck finding a tutorial or document which describe the changes you need to make to your code, to change these settings. Can you point me to something?

    - Any other security issues or major code changes I should be aware of, when I'm doing the upgrade?

    - Should I do the newest MVS addon (1.2) instead of my current changes (MVS 1.1)? 1.2 says it works with register_globals off.

    - Templates: how do I approach changes to templates? I've made massive changes to mine. Should I compare the clean 2005 version templates with the 2.0 stable templates, to see what has changed, and then make those changes to my version? Or is it not necessary--can I just use my templates as-is?

    - sql changes: to clarify, should I start from my db, see what new tables/fields/entries are in the 2.0 stable sql, and add those? Basically, compare all the table definitions of the 2 versions, and look at the table entries in the 2.0 stable?

    - Compare utility: I got winmerge, but am not crazy about it--is Beyond Compare really good? I usually just go onto unix and do a diff, but that's hard to work with if you have massive changes.

    - Version control: do you have a recommendation for some sort of version control that I should do for the future, in order to make this process easier next time?

    Thanks again for all your help!

  8. #8
    ridexbuilder
    osCMax Development Team


    Re: security issues with older version of oscmax?

    For Windows, I've found Notepad++ does a fair job at doing a compare. For Linux, Meld is shaping up nicely.
    Personally, and given your circumstances, I'd go for a fresh install of 2.0.2 on a development site.
    Use MySQLFront (or similar) to compare/transfer data to the new database.
    Code a new template to (closely) match your old one.
    Add in the most up-to-date contributions to match your original install.

    (Good Luck BTW)


  9. #9
    earth-friendly
    Guest


    Re: security issues with older version of oscmax?

    Thanks for the info, and the good luck wishes! I'll need it!
    A few questions left:

    - Templates: I've made such massive changes to my html layout, that I don't think it would be possible to do a comparison of changes between those and the 2005 version. Any hope of doing a comparison of changes between the original 2005 version and the 2.0 stable version, and adding those changes into my current version? Or are there too many changes there too? Any other suggestions?

    - Security fixes: any pointers to docs on changing code to go with register_globals and register_long_arrays off? (That's in the 2.0 stable, right?) Any other security fixes I need to make sure I adhere to, when I add in my changes? I don't suppose I can just plop my current templates in as-is? (wishful thinking?)

    - Version control: any recommendations on version control that I should do for the future, in order to make this process easier next time? I could just create a change log, and document in detail all the changes I make as I go along. That's kind of crude, but it might do the job. Something else you would recommend?

    Thanks JPF and Ridexbuilder for your help and support! I'm almost ready to dive in and attempt this massive undertaking.

    Regards,
    -Lori-

  10. #10
    ridexbuilder
    osCMax Development Team


    Re: security issues with older version of oscmax?

    Not sure if something like PySVN Workbench would be useful (I'm using it for 'Max). Maybe Michael could comment on its suitability (or similar, like Git) for a homebrew version control system.

