What permissions to set on /includes/ directory ??


Guest

Posted

Hi there

What should I set my /includes directory to permissions-wise?

At the moment the internet guest user account (IUSR_blah_blah) has read access, but when I take off this anonymous user the whole of osCommerce throws a hissy fit.

Now I realise the internet user account needs access to the includes for the system to work, BUT what is to stop an unruly user entering the full URL to your Configure.php and getting ALL your DB and LOGIN information!! :o

I've set IIS to disallow directory browsing etc., but the NTFS permissions allow the IUSR to read everything in includes.

Should I select configure.php and stop it from inheriting permissions from the includes directory and just stop access to it from the guest IUSR account?

Cheers,

Jon.

Posted

Apart from permissions, you can use .htaccess to get your pages secured.

Also, you can rename the file to something odd so the hacker can't easily make out the name of your config file.

Satish

Ask/Skype for Free osCommerce value addon/SEO suggestion tips for your site.

 

Check My About US For who am I and what My company does.

Posted
BUT what is to stop an unruly user entering the full url to your Configure.php and getting ALL your DB and LOGIN information!!

The fact that your server is configured to send files with a .php extension through the PHP engine before serving them through the webserver.

The PHP engine runs the code and sends output back to the webserver to be sent to your browser. Unless you have code that is explicitly printing out your database user name and password, then anyone typing the full address to your configure.php will get nothing more than a blank page. The reason: there's no output. Try it and see what you get!

Apache servers can specify that /includes is an inaccessible URL (this can be set in an .htaccess file, which you may be familiar with). Read this MS KB article on IIS security and migrating from unix-like servers:

http://support.microsoft.com/default.aspx?...;324216&sd=tech

Contributions

 

Discount Coupon Codes

Donations
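
The "try it and see what you get" check from the reply above, written out as an added example that is not part of the original thread: it classifies what a server returned for a direct request to configure.php, including the failure case where the PHP handler is not applied and the source is served raw. The function names and the sample responses are constructed for illustration; the DB_* names are the constants osCommerce defines in includes/configure.php.

```python
import re

# Constants defined in osCommerce's includes/configure.php; seeing any of them
# in a response body means the file's source, not its output, was served.
SECRET_DEFINES = ("DB_SERVER_USERNAME", "DB_SERVER_PASSWORD", "DB_DATABASE")
PHP_OPEN_TAG = re.compile(r"<\?php\b", re.IGNORECASE)


def classify_response(status, body):
    """Classify the HTTP response to a direct request for configure.php."""
    if status in (401, 403, 404):
        return "blocked"            # URL denied, e.g. by .htaccess or an IIS rule
    text = body.decode("utf-8", errors="replace")
    if PHP_OPEN_TAG.search(text) or any(name in text for name in SECRET_DEFINES):
        return "source-leak"        # raw PHP reached the client
    if status == 200 and not text.strip():
        return "executed"           # PHP ran the file: no output, blank page
    return "unexpected-output"      # something was printed; review by hand


# Constructed sample responses (status, body); no real server is contacted.
SAMPLES = {
    "php handler active": (200, b""),
    "includes denied": (403, b"<html><body>Forbidden</body></html>"),
    "php handler missing": (
        200,
        b"<?php\n  define('DB_SERVER_USERNAME', 'example_user');\n"
        b"  define('DB_SERVER_PASSWORD', 'example_password');\n?>",
    ),
    "script prints a warning": (200, b"Warning: include(): failed to open stream"),
}


def audit(samples=SAMPLES):
    """Return {case name: verdict} for every sample response."""
    return {name: classify_response(*resp) for name, resp in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:26} -> {verdict}")
```

Because the server picks the PHP engine by file extension, a copy of the config file saved under a name that does not end in .php falls into the "source-leak" case unless the /includes URL itself is denied.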

Posted

Cheers peeps

That's put my mind at rest now. :)

Archived

This topic is now archived and is closed to further replies.
