Announcement

Posting Rules
This forum was created to help 3dcart users share tips on getting the best out of the service, offer knowledge and experiences about e-commerce in general, and to promote a positive environment in which our merchants can request/dispense advice regarding best practices.

The forum was not created for 3dcart users to submit requests for customer support. Any support related thread will be removed and a support ticket will be placed on your behalf. If you have technical difficulties please visit http://support.3dcart.com.

The 3dcart forum is also not intended to be a medium in which to express dissatisfaction about 3dcart's service, policies or its management and staff. Threads of this nature will also be removed from the forum. If a support issue with your 3dcart store was not resolved in a satisfactory manner, or if you feel that a particular 3dcart offering/policy is not to your liking, please let us know by emailing [email protected] so we can address your concerns directly.

Again, our purpose is to cultivate a positive learning environment for our merchants rather than a platform in which to express grievances.

Very Important Rules:
* Never give away your store administration login/password in this forum.

Should you need technical help, please let 3dcart staff help.
Also, please be aware that 3dcart staff will NEVER need to ask for your 3dcart related passwords.

General Rules:
* While debate and discussion are acceptable, we will never tolerate rudeness, insulting posts, personal attacks or inflammatory posts. Our decision is final in these matters.
* Please refrain from posting meaningless threads, one word (or short) nonsensical posts, or similar postings.
* Multiple or repeated posting in order to increase your post count is not allowed.
* Advertising, spamming and trolling are not allowed. This includes using the forum email and private message system to spam other members.
* We also do not allow posts that are sexual in nature.
* Please wait at least 24 hours before bumping posts.
* Discussion of illegal activities such as software and music piracy and other intellectual property violations is not allowed.
* Each member is allowed one login account. Registering with multiple accounts is not allowed.
* We reserve the right to remove offensive posts without notice.
* We also reserve the right to remove postings which are in violation of our specified posting rules.
* Also, while these rules cover most common situations, they cannot anticipate everything. Consequently, we reserve the right to take any actions we deem appropriate to ensure these forums are not disrupted or abused in any way.
* You cannot post any affiliate or referral links, or post anything asking for a referral. Such posts will be subject to removal.
* You cannot post advertisements or notices for contests.
* We also reserve the right to ban anyone who willfully violates the forum rules, as access to our support forums is a privilege and not a right. A banned customer is still entitled to support from the support system, but will not be able to participate in the forum.

Export/Import File Security

  • Export/Import File Security

    The following seems like an issue.

    Any file you import or export (customers, products, categories, etc.) in the admin has a copy saved in either assets/imports or assets/exports. I found that these files can be accessed without being logged into the admin. My stomach turned when I was able to access a customer export file without being in the admin. Shouldn't this require you to be logged into the admin? The names generated for the csv files are too obvious and all have the same basic layout: type_userid_date-time.csv.

    Sample File Name:
    categories_56_2-6-2019-123456.csv
    customers_56_2-6-2019-123456.csv

    url: example.com/assets/exports/customers_1_2-6-2019-123456.csv

    Or maybe I'm just overthinking it and it's highly unlikely someone will ever get one of these files.

  • #2
    imp_file.csv under assets/imports may be a bigger issue, since it's the same on all stores and doesn't require knowing the date, time, or anything else. But restricting everything to only someone logged into admin wouldn't work, since there are 3rd party apps and such that grab certain files from the same spot. For example, Google pulls our product reviews from that folder on a weekly schedule. I guess more granular permissions would be the right solution.

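One way to get the "more granular permissions" raised in reply #2, shown as an added example (not 3dcart's code and not written by either poster): per-file, expiring signed links, so a third-party feed can still be fetched on a schedule while a bare export URL is refused. It assumes the platform can run a check before serving files under assets/exports or assets/imports; `SECRET`, `MAX_TTL`, `sign_url`, `is_authorized` and the file name `reviews_feed.csv` are hypothetical.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key; a real deployment would keep a per-store secret in
# server-side configuration, outside the web root.
SECRET = b"constructed-demo-key-not-for-production"

# Hypothetical policy: a feed pulled weekly by a third party may use a link
# valid for up to 8 days; customer exports only get 5-minute links.
MAX_TTL = {"reviews": 8 * 24 * 3600, "customers": 300}


def _sig(path: str, expires: int) -> str:
    # The signature binds the exact file path to its expiry time.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, ttl: int, now: Optional[int] = None) -> str:
    """Return path?expires=..&sig=.., with ttl capped by the file type's policy."""
    now = int(time.time()) if now is None else now
    kind = path.rsplit("/", 1)[-1].split("_", 1)[0]  # "customers", "reviews", ...
    if kind not in MAX_TTL:
        raise ValueError(f"no link policy for file type {kind!r}")
    expires = now + min(ttl, MAX_TTL[kind])
    return f"{path}?expires={expires}&sig={_sig(path, expires)}"


def is_authorized(url: str, now: Optional[int] = None) -> bool:
    """Check the server would run before serving an export or import file."""
    now = int(time.time()) if now is None else now
    path, _, query = url.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    try:
        expires = int(params["expires"])
    except (KeyError, ValueError):
        return False  # bare file URL with no signature: refuse
    if expires < now:
        return False  # link has expired
    return hmac.compare_digest(params.get("sig", "").encode(),
                               _sig(path, expires).encode())


if __name__ == "__main__":
    export = "/assets/exports/customers_56_2-6-2019-123456.csv"  # name from the thread
    print(is_authorized(export), is_authorized(sign_url(export, ttl=60)))
```

With this in place the file name no longer acts as the only barrier: knowing or guessing `type_userid_date-time.csv` is not enough without a valid, unexpired signature for that exact path.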