OpenCart owner turns air blue after researcher discloses serious vuln

Yes, the owner of OpenCart is a bit of a clown that likes to deflect that fact onto everyone else, calling them clowns for his very poor lack of knowledge.

If you look through GitHub you will see many instances where he makes poor decisions or rejects great feedback and does what HE wants instead of what the project needs.

I do however partially agree with his frustration in that these exploits (but not his behaviour) for the most part require a larger exploit of the admin login first. However, no matter if you're in the admin panel or not, the admin panel should be just as secure as a front-end user space.

However, you can obviously also upload any custom modifications into a store from admin, so really this makes his points on that subject even more logical, since an attacker can easily just upload custom code in the form of a plugin XML - but either way I do feel it should be addressed even if not taken as a critical issue all round.

This guy is the guy who has messed up OpenCart 4 by removing most of the functionality of plugins; I wonder if part of that was because of what I've mentioned above. It's a real shame because making plugins now for OpenCart requires other custom plugins to restore the OCMOD/VQMOD systems which we all rely on.
 

DontAsk

> Yes, the owner of OpenCart is a bit of a clown that likes to deflect that fact onto everyone else, calling them clowns for his very poor lack of knowledge.
>
> If you look through GitHub you will see many instances where he makes poor decisions or rejects great feedback and does what HE wants instead of what the project needs.

Straight out of the Elon Musk playbook.
 

antropy

> This guy is the guy who has messed up OpenCart 4 by removing most of the functionality of plugins; I wonder if part of that was because of what I've mentioned above. It's a real shame because making plugins now for OpenCart requires other custom plugins to restore the OCMOD/VQMOD systems which we all rely on.

OCMOD is back in the next release so all good there.

Paul.
     

antropy

I know some on the OC forum can be a tad abrasive or even arrogant, but seriously?
I'm not surprised he's fed up with people pointing out supposed security holes that don't exist, it's a massive waste of his time.

As he says - the demo is there online, and he's given permission to try and hack it ... and yet they can't.

So clearly it's not a real security issue.

Total fake news and I fully understand his frustration, he's too busy for this nonsense.

Paul.
     