Contributions
Secure Admin Login - Logout
This contribution comes from the inspiration of Jason D. Agostoni who presented his code in an article on "Security and Sessions in PHP". His article and documentation can be found at:
http://www.devarticles.com/c/a/MySQL/Security-and-Sessions-in-PHP/
I converted his code and made it work for the OSCommerce Admin Panel. This is totally PHP based code that uses sessions. There are not any javascripts or .htaccess files in this code. I was looking for code that is non-intrusive in the OSCommerce code structure and this did the job wonderfully!!
I was concerned if this code would conflict with the Admin session ID: osCAdminID. In all of my testing I have not experienced any problems with it at all.
One major security problem that we needed to solve is that anyone can use the backspace button on their browser to get back into secure areas on many web sites after logoff. We have merchants using their shopping carts in their stores where security is important from customers and other employees.
Javascripts only work when people have javascripts enabled and .htaccess allows browsers to use the back button to gain access after logoff. I was able to add some code in the logoff.php file which writes a "logged off" tag to the session ID. This prevents anyone from gaining access again after logoff.
All credit goes to the original authors. I only modified the SQL file as it was giving a 1136 error when trying to run the SQL. After reviewing the code, the one in the last package left out the 1 and 2 before username in the INSERT INTO areas of the command.
This project still had several critical vulnerabilities.
I made the following security changes:
* (HIGH RISK) Fixed mysql injection vulnerability via session_id cookie
* (HIGH RISK) Fixed several if(mysql_affected_rows()) that would trigger TRUE on a failed query if(-1)
* (LOW RISK) Fixed several cross site scripting vulnerabilities. $refer to htmlentities($refer)
* (LOW RISK) Changed addslashes() to mysql_real_escape_string() - when combined with if(-1) above, addslashes() can cause query fails with certain char sets and binary data
* Not security based, but fixed the referrer on LoginAction.php that has been broken in all versions
* Also made other minor changes to improve readability
This is the Complete Package. I based it off of v1.6 by EricK (20 Jan 2008). It incorporates all the changes since then plus my fixes.
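The two HIGH RISK items above (the session-id cookie reaching the query unescaped, and `if(mysql_affected_rows())` passing on -1) shown side by side, as an added example that is not the contribution's own code. It uses PDO with an in-memory SQLite table so it runs stand-alone; the table layout, the `sGUID` cookie name and the sample row are constructed assumptions.

```php
<?php
// Added example: validating the session-id cookie without string concatenation,
// and treating "no rows" and "query failed" differently.
declare(strict_types=1);

// Constructed sample table: one administrator with a live session GUID.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE administrator (ID INTEGER PRIMARY KEY, sName TEXT, sGUID TEXT)');
$db->exec("INSERT INTO administrator (ID, sName, sGUID) VALUES (1, 'admin', 'abc123')");

// VULNERABLE (the pattern the post fixes): the cookie value is concatenated into
// the SQL text, so quote characters in the cookie change the query's meaning.
function isSessionValidUnsafe(PDO $db, string $cookieGuid): bool
{
    $sql = "SELECT ID FROM administrator WHERE sGUID = '" . $cookieGuid . "'";
    return count($db->query($sql)->fetchAll()) > 0;
}

// HARDENED: the cookie is bound as a parameter and can only ever be data,
// and exactly one matching row is required.
function isSessionValid(PDO $db, string $cookieGuid): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM administrator WHERE sGUID = :guid');
    $stmt->execute([':guid' => $cookieGuid]);
    return (int) $stmt->fetchColumn() === 1;
}

// mysql_affected_rows() returns -1 when the query itself failed, and -1 is truthy,
// so "if ($n)" treats a broken query as success. Only a positive count is success.
function rowsChanged($affected): bool
{
    return is_int($affected) && $affected > 0;
}

var_dump(isSessionValidUnsafe($db, "' OR '1'='1"));   // true: any cookie passes
var_dump(isSessionValid($db, "' OR '1'='1"));         // false: treated as data
var_dump(isSessionValid($db, 'abc123'));              // true
var_dump(rowsChanged(-1), rowsChanged(0), rowsChanged(1)); // false, false, true
```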
I've found this error:
Call to undefined function: tep_db_affected_rows()
So I replaced the function with the old one:
mysql_affected_rows()
Credits: Feartec (me)
This code is correct:
<td class="headerBarContent"> <?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '" class="headerLink">' . HEADER_TITLE_TOP . '</a> | <a href="' . tep_href_link(FILENAME_LOGOFF, '', 'SSL') . '" class="headerLink">' . HEADER_TITLE_LOGOFF . '</a>'; ?></td>
Instead of:
<td class="headerBarContent"> <?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT, '', 'NONSSL') . '" class="headerLink">' . HEADER_TITLE_TOP . '</a> | <a href="' . tep_href_link(FILENAME_LOGOFF, '', 'SSL') . '" class="headerLink">' . HEADER_LOGOFF . '</a>'; ?></td>
There is a flaw in the incSession.php logic which assumes that the header() calls will always do the right thing!
A quick fix just includes putting exit(); directly after the header(); statements, so that if the header() fails then your script will exit anyway and will not fall through to allow access to someone not authorised.
A slightly better solution is to replace your incSession.php code with the one included in this archive. This code allows for headers already sent and will try java and plain html redirects and if all fails will exit anyway, thus preventing someone unauthorised gaining access.
This is not the complete package; it only includes incSession.php.
All credit goes to the original authors for a fantastic patch!
Cheers
Lukec
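The "logged off" tag described in the contribution summary at the top of the page and the exit()-after-header() point in this post, put together as an added example (not the contribution's own incSession.php or logoff.php). The function names, the `$_SESSION` keys and the login URL are assumptions; it expects session_start() to have run and the login step to have set `$_SESSION['admin_id']`.

```php
<?php
// Added example: session guard that cannot fall through on a failed redirect.
declare(strict_types=1);

// logoff.php writes a "logged off" marker instead of only clearing the session,
// so a page re-requested via the back button still fails the check below.
function markLoggedOff(): void
{
    $_SESSION = ['logged_off' => true];
    session_regenerate_id(true);   // the old session id no longer maps to anything live
}

// True only when an admin is logged in and has not logged off.
function isAdminSessionActive(array $session): bool
{
    return empty($session['logged_off']) && !empty($session['admin_id']);
}

// Redirect and stop. header('Location: ...') is silently ignored once output has
// started, so fall back to a meta refresh, and exit() in every case: continuing
// past the redirect is exactly the flaw the post describes.
function denyAndRedirect(string $loginUrl): void
{
    if (!headers_sent()) {
        header('Cache-Control: no-store');   // keep browsers from serving the page from cache
        header('Location: ' . $loginUrl);
    } else {
        $safeUrl = htmlspecialchars($loginUrl, ENT_QUOTES, 'UTF-8');
        echo '<meta http-equiv="refresh" content="0;url=' . $safeUrl . '">';
    }
    exit();
}

// Included at the top of every admin page.
if (!isAdminSessionActive($_SESSION ?? [])) {
    denyAndRedirect('login.php');
}
```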
This is the Complete Package.
I merged the Admin Login Mgt contributions, cleaned-up the code, re-wrote the install instructions and tested on a clean install running on PHP5/MySQL5/PHP5 with register_globals=off.
All credit to the original contributors. Please post questions in the support thread.
http://forums.oscommerce.com/index.php?showtopic=205700
Regards,
EricK
Sorry for the second post, here is a PHP5 updated LoginAction file to grab the vars from $_POST/$_GET
I think the problem with being constantly re-routed to the login page is the result of a change in PHP5 to use $_COOKIE instead of $HTTP_COOKIE_VARS. Changing the value fixed the problem for me at least. Use this incSession.php to fix the problem (hopefully).
***Only admin_security.php is included.*** Now you'll have the ability to add or delete users. This is crude and needs further development, but it definitely works. In my own store, I actually split this file into 3 files (add, delete, and change login info pages) and added them to a box in column_left. Perhaps someone with more time can write the install instructions on this. Enjoy!
Login-protected! (in German)
change admin username password with proper zip file
This contribution allows the users to change the admin username and password when they want.
My original contribution misses out the main file.
This contribution allows the users to change the admin username and password when they want.
* I have republished this after receiving a few PMs from people stating they were not able to open the .zip file I published previously. I was unable to recreate the error but am republishing this per their request.
After a couple hours of frustration I was finally able to get this working. I updated this contribution based on information provided by the Force Secure Admin Pages contribution and information I found in the community thread regarding this contribution. I hope this helps!
This is a status update.
There have been many user reports in the forum that after installation, when trying to use this mod, the browser keeps coming back to the loginAction.php page and does not allow the user to continue to the main admin page.
There has been no fix suggested for this bug by the developers or by anyone else.
So beware that using this contrib' comes at the risk of it not working.
I am just adding to the code of dailce. This would be useful if you have used script register_globals_v1.4a to overcome register global settings in PHP.INI.
The script worked well for me except that it was not allowing me to login and was not showing logout button on index page.
The entire script is the same except for 2 minor modifications mentioned in the readme.
This is working fine now. The addslashes in LoginAction.php are included in this one to prevent mysql injections. I hope you find this to work well, if not please post problem to the forum.
Support thread:
http://forums.oscommerce.com/index.php?showtopic=205700
I was having trouble with 1.2 of this package; the code in LoginAction.php was giving me trouble.
I have tested this code and it appears to be working fine for me. I simply changed the LoginAction.php code from 1.2. This should work fine for you if not post your problem in the forum.
LoginAction.php had an error in the previous contribution update.
I have reuploaded contribution, but only line 19 in LoginAction.php has been replaced by :
$sQuery = "SELECT ID, MD5(UNIX_TIMESTAMP() + ID + RAND(UNIX_TIMESTAMP())), sGUID FROM administrator WHERE (sName = '" . $psName . "') AND (sPassword = password('" . $psPassword . "'))";
I modified the original version (not the czech version) to add addslashes() to queries variables to prevent users from doing SQL injections on your osCommerce installation.
SECURE ADMINISTRATION
login - logoff
czech version