Success Case: Securing Runtime Logs in osCommerce
November 29, 2024
A customer discovered that email addresses and passwords from login events were being stored in plain text within runtime logs for both the frontend and backend of OSC4. They flagged this as a significant security risk and sought an immediate solution to address the issue.
The osCommerce team promptly acknowledged the concern, explaining that logging processes might inadvertently capture sensitive information from GET/POST variables during login errors. To address the issue, they provided two solutions:
- Immediate Fix: Replace the existing TlMainFileLogWriter.php file with an updated version attached in the support forum link: https://www.oscommerce.com/forums/applications/core/interface/file/attachment.php?id=22191&key=13c79b4436324634790eaf3b9f01fc94
- Future Resolution: Assure the customer that the issue would be permanently resolved in the next software update.
osCommerce demonstrates a proactive approach to addressing customer concerns, offering both immediate and future-proof solutions to ensure robust security in eCommerce environments.