voodooKobra

OpenCart forum post

Jul 1st, 2014
Hi, my name is Scott Arciszewski and I am a web programmer and security researcher.

Last week I opened a [url=https://github.com/opencart/opencart/pull/1594]github issue[/url] to raise awareness that the encryption library isn't secure. To wit: it's using ECB mode instead of CBC and ciphertexts are not authenticated; additionally, the wrong MCRYPT constant is used (AES is MCRYPT_RIJNDAEL_128 even if a 256-bit key is provided).

The response I received from Daniel Kerr was less than professional (screenshots for the sake of preserving history):
[img]https://scott.arciszewski.me/public/gmail-ss.png[/img]
[img]https://scott.arciszewski.me/public/github-ss.png[/img]

[b]What does this mean for OpenCart users?[/b]

It means that the owner of OpenCart does not welcome well-meaning security enhancements from volunteers on github, and I would strongly encourage everyone to read the code carefully before they use it in a production system, because if the core developer has an unwelcoming attitude towards security researchers, two things will happen:

1. Security holes that might have otherwise been fixed will remain open.
2. Jaded security researchers might focus their efforts on exploiting holes rather than fixing them, out of spite.
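The three defects the post names (ECB mode, unauthenticated ciphertext, and the block-size/key-size confusion behind the MCRYPT constant) can be made concrete with a small standalone program. The following is an added example written for this page in Go's standard library; it is not OpenCart's code (which is PHP on mcrypt) and not the author's. The key `demoKey` and the message are constructed for the demo. It shows why ECB leaks repeated plaintext blocks, why CBC with a random IV stops that leak but still accepts a tampered ciphertext, and how AES-GCM rejects tampering before returning any plaintext.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed 32-byte demo key. In Go the key length selects the AES variant
// (32 bytes = AES-256) and the block size is always 16 bytes. The "128" in
// mcrypt's MCRYPT_RIJNDAEL_128 is likewise the block size, and only that
// block size is AES; the key length is what makes it AES-128 or AES-256.
var demoKey = []byte("0123456789abcdef0123456789abcdef")

// ecbEncrypt applies the raw block cipher to each 16-byte block independently,
// which is exactly what ECB mode is. Go offers no ECB helper on purpose.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("ecb demo: plaintext must be a multiple of 16 bytes")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out, nil
}

// hasRepeatedBlocks reports whether any two ciphertext blocks are identical:
// the ECB tell, since equal plaintext blocks give equal ciphertext blocks.
func hasRepeatedBlocks(ct []byte) bool {
	seen := make(map[string]bool)
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			return true
		}
		seen[b] = true
	}
	return false
}

// cbcEncrypt chains blocks under a fresh random IV (prepended to the output),
// so repeated plaintext no longer shows. It still has no integrity check: a
// modified ciphertext decrypts to garbage without any error being raised.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(plaintext)%aes.BlockSize != 0 {
		return nil, errors.New("cbc demo: plaintext must be a multiple of 16 bytes")
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], plaintext)
	return out, nil
}

// gcmSeal is the authenticated alternative: AES-GCM, random nonce prepended.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen verifies the authentication tag before returning any plaintext.
func gcmOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

func main() {
	// Constructed input: one 16-byte record repeated four times.
	msg := bytes.Repeat([]byte("ACCOUNT-00000001"), 4)
	ecb, _ := ecbEncrypt(demoKey, msg)
	cbc, _ := cbcEncrypt(demoKey, msg)
	fmt.Println("ECB leaks repeated blocks:", hasRepeatedBlocks(ecb))
	fmt.Println("CBC leaks repeated blocks:", hasRepeatedBlocks(cbc[aes.BlockSize:]))
	sealed, _ := gcmSeal(demoKey, msg)
	sealed[len(sealed)-1] ^= 1 // flip one bit of the GCM tag
	_, err := gcmOpen(demoKey, sealed)
	fmt.Println("GCM rejects tampered ciphertext:", err != nil)
}
```

Run it with `go run .`; the first line prints `true`, the other two `false` and `true`. The point a reviewer of an encryption library wants from this: the mode must hide structure (no ECB), every message needs a fresh IV or nonce, and decryption must fail closed on any modification, which CBC alone never does.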