Daniel Kerr, the lead developer and project owner of OpenCart, has been known to become very angry when confronted with OpenCart security issues. From a project owner you would expect a gentler approach, but Daniel Kerr's approach is very different. In fact, he has been known to call people liars and idiots, the very same people he wants to use his open source e-commerce platform!
You have Daniel posting on blogs such as TechCrunch that "Magento is a poorly coded hog!" and that people should use OpenCart instead. Do you see the Magento project owner posting on blogs that OpenCart is written by a boy in his basement, angry at the world, with a forum run by a bunch of self-loving moderators who can't wait to call their users ignorant?
It's attitudes like this that leave serious problems like security vulnerabilities unpatched.
For example, there is a security vulnerability that allows an attacker to force their way into the admin control panel of OpenCart versions 1.4.8, 1.4.9 and one further release (the third version number is garbled in the source text).
This code: $this->session->data['token'] = md5(rand(0,15));
Should be: $this->session->data['token'] = md5(mt_rand());
Which is pretty poor coding. rand(0,15) yields one of only 16 integers, so the admin session token is one of 16 precomputable MD5 values and can be guessed in at most 16 attempts. A session token has to carry enough unpredictable bits that guessing is infeasible; mt_rand() at least widens the space, though it is not a cryptographic generator, and a proper fix would draw the token from a CSPRNG. However, try telling Daniel this and he will tell you how much of an idiot you are. OpenCart also had an issue where, if exec() was enabled, an attacker could use an e107-style exploit to gain remote code execution.
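As an added illustration (this is not code from the article or from OpenCart itself), the PHP below shows why the quoted line is guessable: it enumerates the 16 tokens md5(rand(0,15)) can ever produce, counts how many tries an attacker needs to hit a given one, and contrasts that with a token drawn from a CSPRNG. The function names are this example's own, and random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example, not OpenCart code. The vulnerable construction quoted in
// the article: rand(0,15) is an integer in 0..15, so md5() only ever sees
// the strings "0" .. "15" and the token space has exactly 16 members.
function weakToken(): string
{
    return md5(rand(0, 15));
}

// Every token the weak code can produce, precomputable offline by anyone.
function weakTokenSpace(): array
{
    $space = [];
    for ($i = 0; $i <= 15; $i++) {
        $space[] = md5((string) $i);
    }
    return $space;
}

// Number of guesses an attacker needs to hit a given weak token. In the
// real attack the attacker would submit each of the 16 candidates as the
// admin `token` parameter; here we just count how many tries it takes.
function guessWeakToken(string $observedToken): ?int
{
    foreach (weakTokenSpace() as $index => $candidate) {
        if (hash_equals($candidate, $observedToken)) {
            return $index + 1;
        }
    }
    return null; // unreachable for tokens produced by weakToken()
}

// Hardened replacement (this example's suggestion, not the project's fix):
// 32 bytes from the OS CSPRNG, hex-encoded, i.e. 256 unpredictable bits.
// On PHP < 7 openssl_random_pseudo_bytes() would be the fallback.
function strongToken(): string
{
    return bin2hex(random_bytes(32));
}

$weak = weakToken();
printf("weak token   %s guessed in %d tries (max 16)\n", $weak, guessWeakToken($weak));

$strong = strongToken();
printf("strong token %s (%d hex chars, 256 bits)\n", $strong, strlen($strong));
```

Run it a few times: the weak token is always found within 16 tries, while the strong token is 64 hex characters that no precomputed list can cover. The comparison uses hash_equals() so the check itself does not leak timing information about the stored token.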
Daniel's response to these issues, after some name calling, is that OpenCart does not have a security vulnerability, and then he posts links to security vulnerabilities at competitors' sites such as PrestaShop, Magento, osCommerce and ZenCart. What kind of a response is this?
In 2010, a security researcher claimed to have found a total of 14 security vulnerabilities in OpenCart and released a statement that, since Daniel Kerr is unwilling to fix them, users should quickly move away from OpenCart.
When a researcher sent Daniel an email about this, Daniel replied to the email with: "I prefer if you mind your own business and not bother me or the opencart community. The exploit that is being discussed will be fixed in the next release. I don't need your services. Stop wasting my time. Stop bothering me!"
He's also said things like:
"don't post bullshit security warnings."
"DO YOU REALLY THINK IT'S FUNNY TO POST SOMETHING THAT DOES NOT HAPPEN? WASTING MY TIME TO CHECK THIS!"
"nobody ever complained about this before. I think this bug is caused by you altering something."
"what are you trying to say? you know more than me regarding onepage checkout. you think I have not done my own research?"
"this is not OpenCart's fault. you must have done something to cause this."
"if you had actually searched the forum you would know it's a permission issue and you need to change the permissions on the cache directory."
Have you ever seen a response like this from a project owner? If we are bugging him so much, why does he keep releasing OpenCart versions and asking us to use them?
The researcher is Eduardo Vela and he says on his blog: "These vulnerabilities are now private, because we think he won't fix them if we make them public (as he hasn't fixed the first ones). And we can't make them public, because thousands of users use OpenCart and they actually manage security sensitive information. (In this case I don't think full disclosure will work). Knowing that Daniel Kerr has a bad history even with fully disclosed vulnerabilities, we are clueless on what to do. The best thing may be to urge everyone to stop using OpenCart as soon as possible."
Daniel really needs anger management, and he needs to address the issues people say OpenCart has. It's serious because his software handles credit card transactions, so this could potentially be a big problem.