
osCommerce

Securing Oscommerce


dux


Hello.

 

I have installed osCommerce and it is running just fine with this awesome system. I've got one concern though: security.

 

I have installed Admin Access Levels to try to secure the admin area but...

 

1. Setting permissions on folders

What worries me is that I have to set permission to 777 on folders like catalog/images to put files there. Will other people be able to manipulate the files in there ?

 

2. Backup folder

The backup folder has to have permission 777 to be able to back up. Isn't that a big hole as well?

 

3. index.php in every directory

Somebody said that putting an index.php in every dir of osCommerce with application_top.php that checks for login via Admin Access Levels should be sufficient. Well, is it?

 

Is there a smart way to secure osCommerce?

 

 

Thanks in advance

 

DUX


dear dux,

775 is good, means setting file to read only... If you have not changed the /storename/admin to something else like /storename/???? where ???? is another name... this will prevent anyone from getting to your Admin logon panel... Since everyone knows the admin path... remember to replace the new name that you use in the /include/configure.php.

I hope this helps

dittone.com

Roman


You can change the folders to 755 after making a backup or uploading images.

 

I am not sure what you are talking about putting index.php file in each directory.

 

You can change the name of your admin folder to something obscure. You will need to change the references in the config.php files. The idea here is, if they can't find it they can't hack it.

Backup before making changes. Backup before making changes! Backup before making changes!!

 

You did do a backup? eh?


2. Backup folder

The backup folder has to have permission 777 to be able to backup. Isnt that a big hole as well ?

 

Backup only needs to be 777 when you want to back up; in between backups the file can be whatever you want.


I'm not aware that any of the folders need to be 777, as long as your PHP scripts run as "owner" of the folder. 777 should not be necessary anywhere.


Hello.

 

Thanks for the feedback - it helped a lot! I have changed the folder name for the backup folder and the admin folder.

 

Because I also have clients that use my solution, it will be too complicated for them to set permissions all the time. Unless I can somehow modify Protection of Configuration - http://www.oscommerce.com/community/contributions,2137

 

How do I prevent unwanted visitors from browsing through my website folder structure with FTP? Is it by denying anonymous FTP access?


Sure, it should be easy to modify that contrib to add folders to protect, but I still don't see why you need to.

 

Disabling anonymous FTP access is certainly appropriate if it allows access to your web files. More often, anonymous FTP is limited to a particular directory tree that is independent of the web-accessible files.


Typically one uses the FTP client to do a chmod. If you want to do it in a script, then I'd guess you'd just specify the folder path in the argument to the chmod function. I have not tried this myself.

 

Again, I think that if you think you have to dynamically change folder protection, you misunderstand the situation or you have a poorly-written contribution.


How do you change the permissions of folders. I am running osC MS2?

 

Changing folder permissions can easily be done with any FTP program, typically by right clicking on the folder when you are logged in and selecting something like "accessibility" or "permissions".

 

However, if you are referring to removing anonymous FTP ability completely, which typically only goes to one set directory and does not affect the rest of your site, I would get with your hosting company on that.

 

As far as the /admin/ folder goes for security, even though changing up the name of your admin folder to something obscure will help... it is not a save-all. Say you have someone at work who leaves their admin tools open while they go to lunch; some co-worker walks past and BOOM... they now know the path and can get in there anytime.

 

I personally have one of several security systems setup on all of our client oscommerce stores:

 

1. Multiple admin logins contribution: works wonderfully, but a bit of a learning curve for most since it requires you to make modifications on all future admin contributions.

 

2. Or this method using a quick authen.php page:

http://www.oscommerce.com/forums/index.php?sho...=172163&hl=

(see third post down)

 

3. Or just keep it simple: using cPanel or another control panel provided by your host, OR contacting the host to request it... password protect that admin directory.

 

Also regarding your comment about placing an index.php into every directory for security: if the hosting server is setup properly, there should be no need for that as every major directory already contains an .htaccess file which handles exactly what you are concerned about.

Sincerely,

Bruce

 

19 contributions submitted


Thanks Bruce, very clear and precise.

 

Also there is this link for .htaccess file creation: http://www.tools.dynamicdrive.com/password/

 

 

I must clarify that I'm very new to the whole issue around securing a website. Therefore my questions may be kinda n00bish.

 

Just to clarify, I'm using Administration Access Level Accounts 2.0 http://www.oscommerce.com/community/contributions,1359

 

It simply makes sure everybody who accesses anything in catalog/admin/ is presented with a login page. It seems to work well, and my ISP has great options, so anonymous FTP access is turned off.

 

I have CHMOD:

catalog/admin/backups to 777

catalog/admin/images to 777

 

That I have done so I can backup the database and upload product pictures.

 

My real concern is that I have then allowed someone who "figures out" the path to copy what's there, or overwrite or manipulate what is there. Will the above contrib and having anonymous FTP access turned off prevent that?

 

Is it necessary to add an additional layer of security such as .htaccess?


The "Protection of Configuration" contrib is designed to protect just the configure.php files. You can modify it for other purposes. I would recommend 755 for the folder protection of folders that the admin has to write. Start with 711 and see if that works. 777 is dangerous on some hosts.

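A small POSIX shell audit, added here as an example and not code from this thread or from osCommerce: it lists every world-writable (777-style) directory under a store path and, following the advice above that 755 is enough when PHP runs as the folder's owner, tightens the ones the current user owns. The sample catalog tree it builds under mktemp is constructed for the example; point world_writable_dirs at the real catalog/ directory instead.

```shell
#!/bin/sh
# Audit a web root for world-writable directories (the 777 exposure discussed
# in the thread) and tighten the ones we own to 755.
# Assumes POSIX sh plus find, stat, id and mktemp; GNU and BSD stat both handled.

# Constructed sample store standing in for catalog/, so the audit runs offline:
# admin/backups and admin/images are left at 777, the way the original poster set them.
make_sample_store() {
  root=$(mktemp -d)
  mkdir -p "$root/admin/backups" "$root/admin/images" "$root/images" "$root/includes"
  chmod 777 "$root/admin/backups" "$root/admin/images"
  chmod 755 "$root/images" "$root/includes"
  printf '%s\n' "$root"
}

# Print every directory under $1 whose "other" write bit (octal 002) is set,
# one path per line, so the store owner sees exactly what 777 exposed.
world_writable_dirs() {
  find "$1" -type d -perm -002
}

# Number of such directories; 0 means nothing under the web root is world-writable.
count_world_writable() {
  world_writable_dirs "$1" | wc -l | tr -d ' '
}

# Numeric owner uid of a path (GNU stat first, BSD stat as fallback).
owner_uid() {
  stat -c %u "$1" 2>/dev/null || stat -f %u "$1"
}

# Re-mode every world-writable directory the invoking user owns to 755.
# When the PHP scripts run as that same owner, 755 still lets the admin
# write backups and upload images; only "other" loses write access.
tighten_owned_dirs() {
  me=$(id -u)
  world_writable_dirs "$1" | while IFS= read -r d; do
    if [ "$(owner_uid "$d")" = "$me" ]; then
      chmod 755 "$d"
    fi
  done
}
```

Directories owned by another uid (for example a separate web-server user on a host where PHP does not run as you) are reported but left alone, because re-moding them would break the upload and backup features the thread is trying to keep working.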

Archived

This topic is now archived and is closed to further replies.
