I can never find a comprehensive post of security issues, so I've started a list. I'm definitely no XCart pro, but I'll try to maintain the list and update this top post with input from the more experienced users.
That said, I'm listing the top issues I've found with security, and what to do to prevent their abuse:
1 - After installation, remove your install.php file, and any other install files from add-on modules.
2 - Lock your "log" and "sql" directories.
Best way is to use ".htaccess" files denying permission entirely. To check the effectiveness, browse to a link like:
If you don't get access, that's good. If you can see files, you've got a potential hole.
3 - Don't keep backups in the "log" directory.
Make a backup when you need one, copy it away, and remove the original. I have a script that makes a backup each night into a secure directory.
4 - Always log into your admin area with https:
5 - Force all cart pages to be used by customers in secure (https) mode.
- Check these boxes in General Settings:
Do not redirect customers from HTTPS to HTTP:
Use HTTPS for users' login and registration:
Warning: You need to make sure you have your https configured correctly at the server level before you do this or you will lock yourself out of the store! For non-Windows servers, you need to set up a symlink, which links the http and https directories.
6 - Put an "index.php" file in each subdirectory of the cart to prevent directory browsing.
The only text you need in these files is a re-direct to your homepage. Alternatively, some hosts will disable directory listing for you.
7 - (NOTE: FOR 4.0 versions only) Change your SALT code at installation.
To do this, you NEED to be logged in as "master", then change config.php and re-upload it. Change this section:
$CRYPT_SALT = 85;
$START_CHAR_CODE = 100;
85 and 100 are the defaults. Change them. Then, before logging out, change your "master" password. Then log out and back in.
This changes all encryption of passwords and credit card info. So if you already have that info in there, DON'T change this, or it will be unreadable. See other threads for more details, or download all of your cc info before doing this.
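To check items 1, 2, 3 and 6 from the outside the way the post suggests (browse to the path and see whether the server hands it over), here is a small audit script. It is an added example, not part of the original post or of X-Cart: the store URL is a placeholder, the path list is an assumption you should extend with your own subdirectories and backup names, and it needs curl.

```shell
#!/bin/sh
# Added example: probe an X-Cart install for the exposures listed above.
# STORE_URL is a placeholder; set it to your own store before running.
STORE_URL="${STORE_URL:-https://store.example}"

# Paths that should NOT be served after hardening (items 1, 2, 3, 6).
# Assumed list: add your module install files, backup names and subdirectories.
CHECK_PATHS="install.php log/ sql/"

# verdict <path> <http_status>: classify one probe result.
#   200       -> HOLE: the file or directory listing was served
#   301/302   -> WARN: redirected (an index.php redirect from item 6 looks like this;
#                confirm the target is your homepage, not the listing)
#   401/403/404 -> OK: denied or absent
#   000       -> ERR: no response from the server
verdict() {
    case "$2" in
        200) echo "HOLE $1 (HTTP $2: content served)" ;;
        301|302) echo "WARN $1 (HTTP $2: redirected, confirm the target)" ;;
        401|403|404) echo "OK   $1 (HTTP $2)" ;;
        000) echo "ERR  $1 (no response)" ;;
        *) echo "WARN $1 (HTTP $2: inspect manually)" ;;
    esac
}

# fetch_status <path>: HTTP status of a GET on STORE_URL/<path>, 000 on failure.
fetch_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        "${STORE_URL%/}/$1" 2>/dev/null || echo 000
}

# audit: probe every path in CHECK_PATHS and print one verdict line each.
audit() {
    for p in $CHECK_PATHS; do
        verdict "$p" "$(fetch_status "$p")"
    done
}

# Only hit the network when explicitly asked, so the functions can be sourced.
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    audit
fi
```

Run it with `AUDIT_RUN=1 STORE_URL=https://your.store sh audit.sh`; any HOLE line is a path that item 1, 2, 3 or 6 above tells you to close.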