Security Issues with qEngine Family

There are some reports about security problems with qEngine & its family (Kemana & Cart Engine). The security problems are as follow:

1. Administrators can upload harmful files, eg: php, cgi, etc.
2. Some modules may be run with dangerous parameters (administrators only).
3. Predictable database back up files.

Problems #1 & #2 are only accessible from administration panels only, so it can't be accessed by guests or regular users (non administrators). Regular users simply can't access the administration panel & can't upload such files. So my advice for these problems is to give administrators access to trusted people only (which you should have been done in the first place, btw). If you are the only administrator in your site, you are very safe.

And for problem #3, my advice is to rename the database backup files in /admin/backup folder. Or better yet, delete the files after you have downloaded them.

These problems will be fixed in the future releases.

If you have any questions about these problems, don't hestitate to contact me.