osCommerce
Can someone help me secure admin area


imran7706


Hi, I have installed osCommerce here http://www.bruhaspati.com/catalog/ but I am not being asked to provide any password for entering the admin area here http://www.bruhaspati.com/catalog/admin/

How come anybody could access the admin area and change the settings?

Can someone out there help me out in securing the admin area? :(


This is just the way OSC comes. You have to add something to protect it. This can be done with the AdminLogin contribution, an .htaccess file or via your hosts CPanel. The last two methods require a linux server.


Jack

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons


I modified the script so that when a user logs in with an admin login he is automatically transferred to the Admin page, and anyone trying to access the admin pages without being logged in as an admin is sent back to the main catalog home page.

Added a field to the "Customers" table, called it auth; it takes (at this time) either a 0 (default) or a 1: 0 is for customer, 1 is for admin. More values could be used to create levels of admin, only allowing an admin user to access the product updates, for example.

Create a new user, then go into the database and set the auth field to 1 for that user.

This should be done during database installation.

Also need to add the editing of this field to the customer admin page.

Change the query in "login.php" at line 28 to include the new auth field.

    $check_customer_query = tep_db_query("select customers_id, customers_firstname, customers_password, customers_email_address, customers_default_address_id, auth from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "'");  // modification of original script


Change the "login.php" file after line 40 to check for the admin field, if it's 1 clear the session and then load the session with the auth value and redirect to the admin index page.

// Check that password is good
if (!tep_validate_password($password, $check_customer['customers_password'])) {
  $error = true;
} else {
  if (SESSION_RECREATE == 'True') {
    tep_session_recreate();
  }

  // check for admin - modification of original script
  $auth = $check_customer['auth'];
  if ($auth != 0) {
    $_SESSION = array();            // drop any customer session data before switching to the admin role
    tep_session_register('auth');   // bind the global $auth (set above) to the session
    header('Location: admin/index.php');
    exit();
  } // end modification

Change the session name in /admin/includes/application_top.php on lines 84 and 95 to be able to continue using the session from the login page.

// define('PHP_SESSION_NAME', 'osCAdminID');
define('PHP_SESSION_NAME', 'osCsid'); // modification of original script
...
// tep_session_name('osCAdminID');
tep_session_name('osCsid'); // modification of original script


Add a session check to the /admin/includes/application_top.php file after line 107 and send the user back to the main catalog home page if the auth variable is not set. Login.php only sets this variable if the user is an admin user. This would need extra checking of the value of auth if different levels of admin authorization are implemented.

// let's start our session
tep_session_start();

// Check for login and authorization - modification of original script
// if not logged in with admin auth, return to catalog home page.
if (!isset($_SESSION['auth'])) {
  header('Location: ../index.php');
  exit();
} // end modification

Gotta love Open Source! If you don't like the way something is working, you can fix it yourself. It also helps being able to see how other scripts implement the functions you want. Personally, I was surprised to see that there was no security for the Admin functions on a major ecommerce package.


You can use this script: simply save it as, say, password_maker.php, place the file into the admin directory (make sure you have set the file to enable you to write), and run the PHP from your browser:

www.xxxxx.com/catalog/admin/password_maker.php

Enter your user name and required password (keep a note of what you put) and the script will build the .htaccess + .htpasswd needed to password protect your directory.

Then REMOVE the password_maker.php file, and the next time you try to enter your admin directory you will need the user name & password.

Many thanks to von Lars Brinkmann & Eric Pecoraro for their useful bit of code.

Hope this helps

Best Regards

Gary ([email protected])


<?php
/**************************************************************

MAKE .htaccess + .htpasswd

Originally by: von Lars Brinkmann ( [email protected] )
simply rename the file extension.

Modified by: Eric Pecoraro ( [email protected] ) 2002 Apr 1
for multiple directory .htaccess creation.

Simple stand-alone PHP script for creating .htaccess + .htpasswd
files on *nix in multiple directories. No modifications are
required. Up & running in about 15 seconds.

Place in any directory. When called, it will return the path
where it resides, allowing the creation of a password file in
its directory, or another directory which is specified. Be sure
to put a forward slash, "/" at the end of the path specified.

For security, be sure to create a password where this file
resides (default path).

If realm entry is not specified, it will be named "Please_Login".

New directory passwords will overwrite previous ones.

*** Use at your own risk... ***

***************************************************************/

// Read the form fields explicitly instead of relying on register_globals.
$user      = isset($_POST['user'])      ? (array) $_POST['user']      : array();
$password  = isset($_POST['password'])  ? (array) $_POST['password']  : array();
$directory = isset($_POST['directory']) ? (array) $_POST['directory'] : array();
$realmname = isset($_POST['realmname']) ? (array) $_POST['realmname'] : array();

$thisdirectory = $_SERVER['DOCUMENT_ROOT'] . dirname($_SERVER['PHP_SELF']) . "/";

if ($user && $password && $directory) {
    $htpasswd_text = "";
    $dir = "";
    $realm = "";

    for ($i = 0; $i < count($user); $i++) {
        // crypt() needs a two-character salt for standard DES; CRYPT_STD_DES is only a feature flag
        $salt = substr(str_replace('+', '.', base64_encode(random_bytes(2))), 0, 2);
        $htpasswd_text .= "$user[$i]:" . crypt($password[$i], $salt) . "\n";
        $dir   .= $directory[$i];
        $realm .= isset($realmname[$i]) ? $realmname[$i] : "";
    }

    if (!file_exists($dir)) {
        echo "Directory does not exist!";
        exit;
    }

    if ($realm == "") {
        $realm = "Please_Login";
    }

    $htaccess_text = "AuthType Basic\n" .
                     "AuthName \"$realm\"\n" .
                     "AuthUserFile {$dir}.htpasswd\n" .
                     "require valid-user\n";

    $htaccess = fopen("{$dir}.htaccess", "w");
    $htpasswd = fopen("{$dir}.htpasswd", "w");
    if (!$htaccess || !$htpasswd) {
        echo "Could not open the output files for writing!";
        exit;
    }

    fputs($htaccess, $htaccess_text);
    fputs($htpasswd, $htpasswd_text);
    fclose($htaccess);
    fclose($htpasswd);

    echo nl2br(htmlspecialchars($htaccess_text));
    echo "<p><hr></p>";
    echo nl2br(htmlspecialchars($htpasswd_text));
    echo "<p><hr></p>";
} // end if user and password
?>

<HTML>
<HEAD>
<TITLE> MAKE .htaccess + .htpasswd </TITLE>
</HEAD>
<BODY>
<FORM METHOD="post" ACTION="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
<p>Username: <INPUT TYPE="TEXT" NAME="user[]"></p>
<p>password: <INPUT TYPE="TEXT" NAME="password[]"></p>
<p>realm: <INPUT TYPE="TEXT" NAME="realmname[]"></p>
<p>in directory: <INPUT TYPE="TEXT" size=75 NAME="directory[]" value="<?php echo htmlspecialchars($thisdirectory); ?>"></p>
<p><INPUT TYPE="submit" VALUE="make"></p>
</FORM>
</BODY>
</HTML>
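As an added example that is not part of this thread, the following Python check audits the two files password_maker.php writes: it verifies the .htaccess carries the Basic-auth directives Apache needs, and reports which password scheme each .htpasswd line uses, since the 13-character crypt() entries the script produces are the weakest form Apache accepts. The sample file contents and user names are constructed.

```python
import re

# Constructed samples in the shape password_maker.php writes: a DES crypt(), a bcrypt and a {SHA} entry.
SAMPLE_HTACCESS = """AuthType Basic
AuthName "Please_Login"
AuthUserFile /home/site/catalog/admin/.htpasswd
require valid-user
"""
SAMPLE_HTPASSWD = """admin:abJnggxhB/yWI
gary:$2y$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
eric:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
"""

def audit_htaccess(text):
    """Return the problems found in a Basic-auth .htaccess fragment (empty list = ok)."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            directives[name.lower()] = value.strip()   # directive names are case-insensitive
    problems = ["missing " + d for d in ("AuthType", "AuthName", "AuthUserFile", "Require")
                if d.lower() not in directives]
    if directives.get("authtype", "").lower() != "basic":
        problems.append("AuthType is not Basic")
    userfile = directives.get("authuserfile", "")
    if userfile and not userfile.startswith("/"):
        problems.append("AuthUserFile is not an absolute path")
    return problems

def classify_hash(hashed):
    """Return (scheme, acceptable) for one htpasswd password field."""
    if hashed.startswith(("$2y$", "$2a$", "$2b$")):
        return ("bcrypt", True)
    if hashed.startswith("$apr1$") or hashed.startswith("{SHA}"):
        return ("apr1-md5-or-sha1", False)   # legacy schemes; htpasswd -B (bcrypt) is preferred
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hashed):
        return ("des-crypt", False)          # crypt() with a 2-char salt: 8-char password limit
    return ("unknown", False)

def audit_htpasswd(text):
    """Map each user to (scheme, acceptable); malformed lines are keyed by their own text."""
    report = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        user, sep, hashed = line.partition(":")
        if sep and user and hashed:
            report[user] = classify_hash(hashed)
        else:
            report[line] = ("malformed", False)
    return report
```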


I too was trying to secure my admin site. I tried the code posted above by Gary but I quickly lost my way and got seriously confused as I only started using osCommerce yesterday.

I found the solution at the link provided below.

http://www.oscommerce.com/community/contributions,1828/

I clicked on the post dated 3rd August 2004 and downloaded the relevant zip. The instructions to put a secure admin site in place are explained in simple, easy to understand fashion, to the extent that I completely winged it and still managed to have my admin site secured within 5 mins.

Best of luck :D

Sweeners
