osCommerce

Securing configure.php


sjb47

Posted

More of a unix question b/c I'm an utter Unix newbie.

 

Did a clean install of 2.2 onto a shared server environment following the instructions at oscdox. All went well, but when I open the catalog, I get the following warning:

 

Warning: I am able to write to the configuration file: <path>/catalog/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

 

where <path> is obviously the full path to /catalog.

 

Now, the installation told me to use chmod 706 on configure.php and if that didn't work, chmod 777. Have done both and still getting this message. What should I set the permissions to on this file?

 

This is a Redhat 7.2 box using Apache modified for the Ensim control panel.

 

TIA,

Steven

Posted

You need to set the permissions on the configure.php to be read

 

chmod 777 is r-w-x

 

If you use an FTP client, i.e. wsftp, it will let you change the rights on a file by right-clicking on it and selecting chmod.

 

It's the answer I've found for us NT gurus dabbling in the unix/linux realm.

Posted

Wowie. Thanks mucho.

 

Changed it to 755 and the warning went away. Is this a good setting?

 

Steven

Posted

755 means the creator (owner) of the file has all access, and the group and others have read and execute access. So, only the owner has write access. So, sounds perfect to me.

Steve

  • 1 year later...
Posted

Pascal-

 

I don't believe that Dreamweaver has that function, though I don't know why not. I've looked and looked for it, but to no avail, so I still use WS_FTP to chmod files.

 

If anyone knows of how to use Dreamweaver to chmod (if it can) please let us know!

 

Cheers,

Stew

Do, or do not. There is no try.

 

  • 2 months later...
Posted

This is strange because I have oscommerce running on several servers, and on all of the stores they are set to 644. But on one of the servers, it is giving the error message even if it's set to 644. I now have it set to 444 to remove the red warning at the top. But every time I want to edit this file, I have to first set it to 644, make the edit, then reset to 444.

 

The weird thing is this only started happening recently. I haven't touched the code in weeks.

 

Could my servers admins have been playing around with permissions?

 

What is causing this?

  • 8 months later...
Posted

Recently had the same problem as you. I am using shared hosting and they started using phpsuexec. This is the info they gave me; maybe it's the same thing:

We are running php with SuExec to ensure that all php scripts are run under the username of the person's website. For example, if your main login name is "example", then all your php scripts will be run as "example". In "real life" circumstances, this just means that you need to ensure that your php scripts can NOT be overwritten by "group" and "other/world" users (so in your "FTP File Permissions" selection box, ensure that the WRITE boxes for "group" and "other/world" are NOT ticked/selected). If your FTP client shows the permissions as a set of numbers, then the "maximum permission level" is 755. We recommend people use levels of 755 and 644. As an added security measure, the directory the script is in should have a maximum permission of 755.

Posted

All of this makes sense to me and I fully understand it, but my biggest question is, when you pull up your site that you own in your browser, how does the site know that YOU are the owner and not just some other joe schmoe "other/world" user when trying to access /catalog/admin ???

 

I haven't had any luck in securing via htaccess or through PHP_AUTH...

 

Anybody wanna give me a hand?

  • 2 months later...
Posted

hi

my site too has this problem

server is win 2003 and it is not understanding the 755

how can I remove this error alert

Posted

I'm on a win 2003 server too

 

This seems to have worked for me:

 

create a php file with

 

<?php 
chmod("configure.php", 0400); 
?>

 

upload it to the folder where configure.php is

 

Run the script:

Let's say you called the file this.php and configure is in catalog/includes

 

In your webbrowser : www.myshop.com/catalog/includes/this.php

 

After this remove the this.php from your site

Posted

1. Open a text editor (notepad)

2. copy paste the above (change the value 0400 to whatever you want e.g. 0755)

3. Save as this.php (or something else)

4. Upload to the folder with includes

5. Run the script

6. See if it still gives a warning on the site

7. Remove script from site

Posted

didn't work :(

I removed the warning alert but now I have another error alert

WARNING_CONFIG_FILE_WRITEABLE

how can I remove...

Posted

I removed this error from the site completely

// check if the configure.php file is writeable
  if (WARN_CONFIG_WRITEABLE == 'true') {
    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) {
      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
    }
  }

Remove (delete) this code from header.php

and then again remove

from your languages page, for example english.php,

this code

define('WARNING_CONFIG_FILE_WRITEABLE', 'Warning: I am able to write to the configuration file: ' . dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.');

it's ok :)

  • 1 year later...
Posted
I removed this error from the site completely

// check if the configure.php file is writeable
  if (WARN_CONFIG_WRITEABLE == 'true') {
    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) {
      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
    }
  }

Remove (delete) this code from header.php

and then again remove

from your languages page, for example english.php,

this code

define('WARNING_CONFIG_FILE_WRITEABLE', 'Warning: I am able to write to the configuration file: ' . dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.');

it's ok :)

 

I had the same problem after moving osc store from one website to another. Changing chmod from 644 to 444 on the config.php files eliminated the error message. It is my understanding that 444 allows no one to write the file.

 

I am curious, though, about what would seem to be an underlying problem. 644 should allow only the owner to write the file. What allows a viewer of the website to have owner's write privileges on these files?

 

Happy new year!

 

Steve
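
The question above (why 644 still triggers the warning on some servers) and the earlier phpsuexec post come down to which permission class applies to the PHP process. The following is an added example, not part of the original thread or of osCommerce: it approximates the `is_writeable()` check from mode bits for the modes mentioned in this thread. The UIDs/GIDs, the function names, and the assumption that the non-suexec server runs PHP as a separate web-server user are all constructed for illustration.

```python
import stat

# Constructed IDs for illustration: the hosting account that owns the files,
# and the shared web-server user that PHP runs as when suexec is not used.
ACCOUNT_UID, ACCOUNT_GID = 1001, 1001
APACHE_UID, APACHE_GID = 48, 48

WRITE_BIT = {"owner": stat.S_IWUSR, "group": stat.S_IWGRP, "other": stat.S_IWOTH}


def permission_class(file_uid, file_gid, proc_uid, proc_gids):
    """Pick the single class Unix checks: owner first, then group, then other."""
    if proc_uid == file_uid:
        return "owner"
    if file_gid in proc_gids:
        return "group"
    return "other"


def php_can_write(mode, proc_uid, proc_gids,
                  file_uid=ACCOUNT_UID, file_gid=ACCOUNT_GID):
    """Approximate is_writeable() for a non-root PHP process from mode bits."""
    cls = permission_class(file_uid, file_gid, proc_uid, proc_gids)
    return bool(mode & WRITE_BIT[cls])


def warning_table(modes=(0o777, 0o706, 0o755, 0o644, 0o444, 0o400)):
    """Map each mode to (warns when PHP runs as web user, warns under phpsuexec)."""
    table = {}
    for mode in modes:
        as_web_user = php_can_write(mode, APACHE_UID, {APACHE_GID})
        as_owner = php_can_write(mode, ACCOUNT_UID, {ACCOUNT_GID})
        table[mode] = (as_web_user, as_owner)
    return table


def flag(writable):
    return "WARNING" if writable else "ok"


if __name__ == "__main__":
    print(f"{'mode':>5}  {'rwx':<10} {'web user':<9} phpsuexec")
    for mode, (as_web_user, as_owner) in warning_table().items():
        rwx = stat.filemode(mode | stat.S_IFREG)
        print(f"{mode:>5o}  {rwx:<10} {flag(as_web_user):<9} {flag(as_owner)}")
```

Under phpsuexec, 444 or 400 only clears the write bit: PHP still runs as the file's owner and can change the mode back, which is what the `chmod()` script posted earlier in this thread relies on.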

  • 3 months later...
Posted

To answer the Dreamweaver question, I think this might work:

 

View your files using the remote view, find the configure.php file, right click on it and then select the set permissions option.

 

Hope this helps!

  • 4 months later...
Posted
To answer the Dreamweaver question, I think this might work:

 

View your files using the remote view, find the configure.php file, right click on it and then select the set permissions option.

 

Hope this helps!

 

I tried this, and for some reason when I look at my 'includes' folder using local view, everything is there and all is fine. But when I look at it using remote view, everything is fine for my site, except for the includes folder which is completely empty. I can't change permissions on files that aren't there! I had the same problem with wsftp...what should I do?

 

Thanks,

Mark

Posted

Ok, after some more digging I found that I can upload everything to my site except for configure.php which is in the includes folder. Must've been something I did a while back. What should I start with?

 

Mark

Posted
I removed this error from the site completely

// check if the configure.php file is writeable
  if (WARN_CONFIG_WRITEABLE == 'true') {
    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) {
      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
    }
  }

Remove (delete) this code from header.php

and then again remove

from your languages page, for example english.php,

this code

define('WARNING_CONFIG_FILE_WRITEABLE', 'Warning: I am able to write to the configuration file: ' . dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.');

it's ok :)

Hi Steve, I tried this and it still comes up. Any ideas?

Becky

Archived

This topic is now archived and is closed to further replies.
