osCommerce

The e-commerce.

Prevent access to files?


Galasius


Posted

Hi all.

 

I've been making some good progress with my store setup, and am currently in the 'security' mindset, trying to make things as safe and secure as possible.

 

Right now, if I point my browser to a file in one of the subdirectories (i.e. includes, images, etc.), it tries to access the file. If I use /shop/images/real-filename, the image will be displayed. If I try /shop/includes/counter.php (for example), it tries to process the file and returns "Fatal error: Call to undefined function: tep_db_query() in /mnt/web_m/d46/s17/b02597a1/www/shop/includes/counter.php on line 13".

 

I have tried the same with some live osCommerce installs, and many will return a 'Forbidden - you do not have access to that file' message.

 

I've tried a bunch of searches here trying to track down some discussion on this subject, but can't seem to find anything.

 

My directory permissions are all set to 755, and all of my files are 644.

 

Any help will be appreciated.

 

Thanks,

David...

Posted

Here you see one of the differences between an install made through an upload of files via FTP and an install made with an SSH command to decompress the files on the server (tar xvfz oscommerce-2.2ms2.tar.gz).

 

Lots of FTP clients can't handle or see files beginning with a dot, so you lose .htaccess files. Mac OS X won't let files beginning with a dot exist in user space; they're reserved.

 

The standard osCommerce distribution has a .htaccess file in /includes with the following as content.

 

# $Id: .htaccess,v 1.4 2001/04/22 20:30:03 dwatkins Exp $
#
# This is used with Apache WebServers
# The following blocks direct HTTP requests in this directory recursively
#
# For this to work, you must include the parameter 'Limit' to the AllowOverride configuration
#
# Example:
#
#<Directory "/usr/local/apache/htdocs">
#  AllowOverride Limit
#
# 'All' will also work. (This configuration is in your apache/conf/httpd.conf file)
#
# This does not affect PHP include/require functions
#
# Example: http://server/catalog/includes/application_top.php will not work

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

 

Sometimes people have other problems if this file exists but you can try it. It does block the requests into /includes that you mention above.

 

As to your image folder, you can just drop an index.html file in there; it will keep people from browsing the folder if they can now. (Some servers are set up not to allow directory listings unless expressly allowed via an .htaccess directive.)

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Posted

Thanks, Alan.

 

That .htaccess file seems to be having the desired effect, although it's returning an "Internal Server Error" instead of a "Forbidden" message. I've got a request into my hosting company on that one.

 

I'm a little surprised I was missing that file. My installation was an automatic load offered by my hosting company - 'one-click' setup - select a directory, and it sets up the generic osCommerce 2.2-MS2 load. Strange it wasn't included.

 

Are there any other .htaccess files that would normally be part of an SSH decompress installation? Would directories other than /includes be protected (i.e. /admin, /download, etc.)?

 

Dave...

Posted

Now there's a second part to this question...

 

Now that I have that .htaccess file in my /includes directory, my button images have disappeared from the site.

 

A search here shows quite a few occurrences of this problem, with one of the solutions being "if you have a .htaccess file in the /includes directory, delete it".

 

So, can you have a .htaccess file for directory security, AND a fully functioning site (i.e. working buttons, etc.) at the same time?

 

I've found some live osCommerce sites that seem to have achieved this goal - now I just need to figure out how they did it.

 

Thanks,

Dave...

Posted

Now there's a second part to this question...

 

Now that I have that .htaccess file in my /includes directory, my button images have disappeared from the site.

 

The button images live at /includes/languages/english/images/buttons (or whichever language is in use).

 

I've not had that problem caused by the .htaccess file, but I know that others have. I'm no expert, I learn by experimentation, but I'd try:

 

<Files *.php>
Order Deny,Allow
Deny from all
Allow from yourdomain.com
</Files>

 

Here's the relevant page from Apache:

 

http://httpd.apache.org/docs/1.3/mod/mod_access.html#deny

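To make the behaviour of the two .htaccess snippets above concrete, here is an added example (not code from the thread or from osCommerce) that models the relevant subset of Apache mod_access semantics: a <Files> section with Order / Deny / Allow, evaluated for a request path and a client hostname. Two points it demonstrates that the posts only state in prose: a <Files *.php> rule matches only requests whose filename ends in .php, so a button GIF under /includes is not touched by that rule, and if the server's AllowOverride does not permit Limit (or All), Apache refuses the whole .htaccess and answers every request in that directory tree with 500 Internal Server Error, images included, which matches the error Dave reports getting instead of Forbidden. The .htaccess text, hostnames and paths are constructed; the 'Allow from yourdomain.com' case is the host-based rule from Alan's second snippet, which in real Apache depends on reverse DNS of the client address.

```python
import fnmatch
import posixpath
import re

# Constructed sample, modelled on the osCommerce /includes/.htaccess quoted above.
HTACCESS_INCLUDES = """\
# comment lines and blank lines are ignored
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
"""

# Constructed sample, modelled on the second snippet (host-based allow).
HTACCESS_WITH_ALLOW = """\
<Files *.php>
Order Deny,Allow
Deny from all
Allow from yourdomain.com
</Files>
"""


def parse_htaccess(text):
    """Parse the small subset of mod_access syntax used in the thread:
    <Files pattern> sections containing Order, Deny from and Allow from.
    Returns a list of section dicts; raises ValueError on anything else."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'<Files\s+"?([^">]+?)"?\s*>$', line, re.I)
        if m:
            current = {'pattern': m.group(1), 'order': 'deny,allow',
                       'deny': [], 'allow': []}
            sections.append(current)
            continue
        if line.lower() == '</files>':
            current = None
            continue
        if current is None:
            raise ValueError('directive outside <Files>: ' + line)
        key, _, rest = line.partition(' ')
        key = key.lower()
        if key == 'order':
            current['order'] = rest.replace(' ', '').lower()
        elif key in ('deny', 'allow'):
            m2 = re.match(r'from\s+(.+)$', rest.strip(), re.I)
            if not m2:
                raise ValueError('bad directive: ' + line)
            current[key].extend(m2.group(1).split())
        else:
            raise ValueError('unsupported directive: ' + line)
    return sections


def _host_matches(client_host, spec):
    """'all' matches everyone; otherwise a partial domain-name match, as
    mod_access does for 'Deny/Allow from example.com' (suffix on labels)."""
    if spec.lower() == 'all':
        return True
    spec = spec.lower().lstrip('.')
    host = client_host.lower()
    return host == spec or host.endswith('.' + spec)


def evaluate(sections, request_path, client_host, allow_override=('Limit',)):
    """Return the status Apache would give for a request into the directory
    holding this .htaccess: 500 when Order/Deny/Allow are present but the
    server's AllowOverride lacks Limit/All, 403 when mod_access denies the
    client, otherwise 200. Only the basename is matched against <Files>,
    and the rule applies recursively to subdirectories, as the file says."""
    if sections and not ({'Limit', 'All'} & set(allow_override)):
        return 500
    name = posixpath.basename(request_path)
    for sec in sections:
        if not fnmatch.fnmatchcase(name, sec['pattern']):
            continue
        denied = any(_host_matches(client_host, s) for s in sec['deny'])
        allowed = any(_host_matches(client_host, s) for s in sec['allow'])
        if sec['order'] == 'deny,allow':      # default allow; deny wins only if not re-allowed
            if denied and not allowed:
                return 403
        elif sec['order'] == 'allow,deny':    # default deny; must be allowed and not denied
            if not allowed or denied:
                return 403
        else:
            raise ValueError('unsupported Order: ' + sec['order'])
    return 200


if __name__ == '__main__':
    rules = parse_htaccess(HTACCESS_INCLUDES)
    for path in ('/shop/includes/counter.php',
                 '/shop/includes/languages/english/images/buttons/button_add.gif'):
        print(path, evaluate(rules, path, '203.0.113.5'))
    print('with AllowOverride None:',
          evaluate(rules, '/shop/includes/counter.php', '203.0.113.5', ('None',)))
```

Run against the first snippet, the PHP request is refused with 403 while the GIF path under /includes is served, so vanishing buttons point to something other than the <Files *.php> rule; switch allow_override to ('None',) and every request under /includes becomes a 500, which is the symptom to check with the hosting company.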
