TurnKey Linux Virtual Appliance Library
Basil Kurian

Working on Lucid too



Liraz Siri

Took a closer look at Tomato Cart - impressive webapp

I was initially skeptical of Tomato Cart but it seems the main reason so few people have heard of it is that it's so new (about a year old). It's actually an extremely impressive piece of software. It has to be one of the most beautiful and modern ecommerce web applications I have come across. It may not be popular yet, but I think it's going to be and we can help make that happen.

Only a couple of things caught my attention with regards to the TKLPatch:

  • We need to figure out how to make sure the admin interface is accessible only via SSL. This is an e-commerce application where such things matter.
  • The patch embeds an example e-mail for the admin account: admin@tomato-turnkeylinux.org. It's better to use example.com for example e-mails for security reasons. Otherwise it would be possible for an attacker to register the unregistered domain, and use that to compromise any appliance that hadn't yet been fully configured. We should assume attackers are routinely scanning the Internet for vulnerable machines.
  • We'll need to document how to change the admin e-mail or write a di-live hook that does it on installation. Example di-live hooks can be found in the domain-controller, ejabberd, projectpier and torrentserver appliances.
Basil Kurian

Changes applied

Both https and http are working on the admin-login URL

admin's email changed :-D

sed -i "s/admin@tomato-turnkeylinux.org/admin@example.com/" Tomato/overlay/root/config.ini.php
sed -i "s/admin@tomato-turnkeylinux.org/admin@example.com/" Tomato/overlay/root/dbtomato.sql

Basil Kurian

Tested

Tested, working!


Liraz Siri

It would be better if HTTP didn't work for the Admin interface

The problem is that it's easy to access the admin interface from a non-encrypted HTTP connection by mistake. Sometimes you have to try and help protect users from themselves. Ideally we would figure out how to automatically redirect attempts to access the admin interface via http to https.
Basil Kurian

>> It would be better if HTTP didn't work for the Admin interface

You really meant it?? :-o Why?


Liraz Siri

Because I make mistakes and so does everyone else

I can't tell you how many times I've typed http instead of https. Especially when I'm tired. Whoops! Just transmitted my admin password in the clear over the Internet.
Basil Kurian

Sorry

Sorry, yesterday I wrote it during my night shift; I was sleepy and read that wrongly.... :D


Basil Kurian

Admin URL changed

Only HTTPS is allowed for Admin URL
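
What Liraz asked for and Basil arrived at (the admin interface reachable only over HTTPS, with plain-HTTP attempts redirected) can be enforced at the web server rather than inside the application. The script below is an added example, not code from this thread or from the TurnKey or TomatoCart projects. Everything it assumes is an assumption, not a fact from the page: Apache 2 with mod_rewrite and mod_headers enabled, the shop's vhosts in /etc/apache2/sites-available/tomatocart, and the admin interface living under /admin. It prints the two config fragments to add, and carries the check a practitioner wants afterwards: a parser for the response headers of a plain-HTTP request to the admin path that passes only if the answer is a redirect to an https:// URL.

```shell
#!/bin/sh
# Added example, not code from the thread or from the TurnKey/TomatoCart projects.
# Assumptions: Apache 2 with mod_rewrite and mod_headers enabled, the shop's vhosts in
# /etc/apache2/sites-available/tomatocart, and the admin interface under /admin.
set -eu

ADMIN_PATH="${ADMIN_PATH:-/admin}"   # assumed admin URL prefix, override via environment

# Print the two fragments to add to the shop's vhosts. The first belongs inside the
# port-80 VirtualHost: every request under the admin path gets a 301 to the same URL
# over HTTPS, so an http:// typed by mistake never reaches the application. The second
# belongs inside the port-443 VirtualHost: HSTS makes a browser that has seen the HTTPS
# shop once rewrite later http:// requests itself, before anything leaves the machine.
admin_https_conf() {
    cat <<EOF
# --- inside <VirtualHost *:80> in /etc/apache2/sites-available/tomatocart ---
<Location ${ADMIN_PATH}>
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</Location>

# --- inside <VirtualHost *:443> in the same file ---
Header always set Strict-Transport-Security "max-age=31536000"
EOF
}

# Read HTTP response headers from stdin (for example from 'curl -sI http://shop/admin/')
# and succeed only if the status is a redirect whose Location is an https:// URL.
is_https_redirect() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check against a running appliance (needs network; the hostname is a placeholder).
check_live() {
    curl -sI --max-time 10 "http://$1${ADMIN_PATH}/" | is_https_redirect
}
```

One caveat the redirect alone does not cover: if a login form was already loaded over HTTP, the browser POSTs the password in the clear first and only then follows the 301. The form itself therefore has to be served from the HTTPS origin, and the HSTS header closes the remaining window for returning users. After reloading Apache, `check_live shop.example.com` (placeholder hostname) confirms the redirect is really in place.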


TomatoCart V1.1 released

Hi!

Just to let you know that TomatoCart has just released a new version, 1.1.

Tomatocart

I really like the cart system.

Serious Security Flaw in Turnkeylinux TomatoCart 1.1.15

I have a paid TurnkeyCloud instance of TomatoCart running.  

I keep getting warning messages in the TomatoCart Admin interface of my TurnKey TomatoCart appliance that version 1.1.15 has serious security flaws and that it is very important to upgrade to version 1.1.18 or higher, where these security issues have been addressed.

The upgrade is quite complex; would it be possible to package the update somehow?

http://blog.tomatocart.com/tutorials/tomatocart-v1-1-7-to-v1-1-8-upgrade-guide.html

It would also be advisable to recreate the Tomatocart Appliance from the 1.1.18 version.

Security is paramount for a webshop, so this instance will need to be kept up to date and patched in order to make it useful.

Thanks for making Linux Appliances easy to use and safe!

Jeremy

The upgrade looks pretty straight forward...

Unless you have manually altered your template files you can skip step 3 (which is three quarters of the instructions). Even then, although it looks involved, if you use an advanced text editor such as Notepad++ or BlueFish it's a simple (although perhaps time consuming) job of find-and-replace on the code.

Before I go any further, I'd like to suggest that it may be best to start a new thread, as this line of query is not quite relevant to the thread here (other than we are talking about TomatoCart) and the thread is very old.

The first thing I would do is a full backup of your site. Actually, what I would probably do is take a TKLBAM backup and restore it to a clean instance (I'd be inclined to use a fresh local VM to test the upgrade). That way you are not working on your 'real' site, so if something goes wrong you haven't lost anything. This has the bonus of ensuring that your backup works OK OOTB.

If the backup restores flawlessly, all well and good; otherwise you could do a manual backup by copying all the files from /var/www/tomatocart (or something similar) and a DB dump. To ensure that none of your files accidentally get overwritten I would also simply copy this whole folder on your server.

service apache2 stop
cp -a /var/www/tomatocart /var/www/backup   # or whatever the tomatocart folder is called; -a is needed to copy a directory tree, with permissions intact
service apache2 start

Step 1 can be achieved using phpMyAdmin (which can be found on port 12322) or from the MySQL command line (I would suggest an SSH client so you can copy and paste rather than type it all manually). Or you could put it all in a .sql file and upload it to your server (again either via phpMyAdmin or upload and execute via the command line).

Step 2 can be achieved using SFTP to update (and overwrite) the files. Then just copy your includes/configure.php, ext/piwik/config/config.ini.php and the templates/glass_gray, apparently (according to step 2 of the post you linked to).

I don't use TomatoCart so I probably won't be a lot of really practical TC-specific help, but I may be of some assistance if you get stuck. As suggested above, ideally it would be best to start a new forum thread for this work (you can put in a link back here if you want). Ideally it would be good to script the solution, then others could follow your lead. Even better would be a TKLPatch that others could apply. But even just reporting back on how successful it was would be good.

Your suggestion/perspective on the updating of the appliance image etc. is somewhat covered by a recent blog post by the core devs (a response to another community member's forum post). And even though you may be using a "paid TurnkeyCloud instance", keep in mind that most of that money doesn't go to TKL, and the bit that does (only applies if you are using TKL on AWS) pays for the costs associated with running this site and creating the images and custom code etc. used by TKL. There are only 2 core devs running TKL and they certainly aren't making a killing out of TKL... This is a small free (as in freedom, as well as in beer if you run it locally on your own hardware or virtual infrastructure) open source project.

[update] I had a quick look on the TomatoCart forums and found what may perhaps be some useful info. This looks like an updater script, although it is almost 2 years old so I'm not sure whether it still applies? Also there is a thread concerning an upgrade from v1.1.5 to v1.1.8.x that may be relevant to you (I haven't read through these threads, just found them). If you get stuck you may be able to get some help by posting (a new thread) over there.
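
Jeremy's pre-upgrade advice (stop Apache, copy the whole folder, dump the database, then work on a copy) as one script, added here as an example; it is not code from this thread or from the TurnKey or TomatoCart projects. It copies the webroot with cp -a so permissions, ownership and symlinks survive, refuses to report success unless the copy holds as many files as the source, dumps the database as a consistent InnoDB snapshot, and restarts Apache even when a step fails. The webroot /var/www/tomatocart, the database name tomatocart, the backup directory /var/backups/tomatocart and MySQL credentials in ~/.my.cnf are all assumptions, adjustable through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from the TurnKey/TomatoCart projects.
# Pre-upgrade snapshot of a TomatoCart appliance: webroot copy plus database dump,
# taken with Apache stopped so no request changes files or rows mid-copy.
# Assumptions: webroot /var/www/tomatocart, database "tomatocart", backups under
# /var/backups/tomatocart, and credentials in ~/.my.cnf so mysqldump needs no password.
set -eu

WEBROOT="${WEBROOT:-/var/www/tomatocart}"
DB_NAME="${DB_NAME:-tomatocart}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/tomatocart}"

# Copy a directory tree with permissions, ownership and symlinks intact (cp -a), then
# refuse to report success unless the copy holds exactly as many regular files as the
# source. Prints the snapshot path on success.
backup_webroot() {
    src=$1; dest_root=$2; stamp=$3
    dest="$dest_root/webroot-$stamp"
    mkdir -p "$dest_root"
    cp -a "$src" "$dest"
    src_n=$(find "$src" -type f | wc -l | tr -d ' ')
    dst_n=$(find "$dest" -type f | wc -l | tr -d ' ')
    if [ "$src_n" -ne "$dst_n" ]; then
        echo "backup_webroot: only $dst_n of $src_n files copied" >&2
        return 1
    fi
    printf '%s\n' "$dest"
}

# Consistent dump of the shop database (InnoDB snapshot, no table locks), written to a
# plain file first so a failing mysqldump aborts the script instead of leaving a
# truncated archive, then compressed. Prints the archive path.
backup_db() {
    dest_root=$1; stamp=$2; db=$3
    dump="$dest_root/$db-$stamp.sql"
    mkdir -p "$dest_root"
    mysqldump --single-transaction --routines --triggers "$db" > "$dump"
    gzip -f "$dump"
    printf '%s\n' "$dump.gz"
}

# Full procedure: stop the web server, snapshot files and database, and restart the
# web server on exit whether or not the snapshot succeeded.
snapshot_appliance() {
    stamp=$(date +%Y%m%d-%H%M%S)
    service apache2 stop
    trap 'service apache2 start' EXIT
    backup_webroot "$WEBROOT" "$BACKUP_ROOT" "$stamp"
    backup_db "$BACKUP_ROOT" "$stamp" "$DB_NAME"
}

# Run the full procedure only when invoked with "run", so the functions can be sourced.
if [ "${1:-}" = run ]; then
    snapshot_appliance
fi
```

Save it as, say, tomatocart-snapshot.sh (name is a placeholder) and run `sh tomatocart-snapshot.sh run` as root before starting the upgrade. The file count only catches an incomplete copy; restoring the snapshot to a fresh VM, as Jeremy suggests, remains the only real test that the backup is usable.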
