osCommerce

Admin Security Opinion


Jayson Wonder


Hi,

I have installed this contrib for multiple admins: http://www.oscommerce.com/community/contributions,1174 and it is working fine.

I also have the standard .htaccess method still in place.

Since I have the login method with the multi admin w/levels contrib installed, can I shut off the .htaccess method so people do not have to log in twice? Is there any security risk created by removing this?

Any advice is appreciated. I am quite confused with the .htaccess method at this point as I cannot seem to add or remove user access. I checked all the .htaccess documentation but cannot figure it out. I think it uses .php and/or the osCommerce database to authenticate; can anyone verify this?

Thanks,


No - htaccess accesses a file named htpasswd.

The htpasswd file is kept (usually) at the root or lower in your path.

You need to generate a username and password, and dump it in your htpasswd file.

Download the .htaccess file under the admin directory.

Open the file to see where the .htpasswd file is kept - then go download it.

Generate a new set of credentials using this: http://home.flash.net/cgi-bin/pw.pl

and dump the output into the .htpasswd file,

then re-upload the .htpasswd file.

Or, your control panel with your host should be able to provide a 'Password Protected Directory' link.

david


Thanks, I understand now.

Any thoughts on the risks, if any, in removing the .htaccess on the admin directory of the shop? Since I have the Multi-Admin w/ Levels contrib installed, will this put me at any risk?

Thanks!

Yes, it will put you at risk because the files beneath the admin folder will not be protected, so someone can run scripts directly from the sub-folders of the admin. The login mechanism of these contributions relies on application_top.php, and of course there are plenty of files that do not use it (meaning they do not include it directly).
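
The two replies above make two separate points: david's, that the .htaccess protection is only as good as the .htpasswd file it names, and the last one, that the contrib's own login only covers scripts that include application_top.php. The script below is an added example, not code from the thread or from osCommerce, that audits an admin directory for both: it reads AuthUserFile out of .htaccess, flags a password file that sits inside the web root or holds unhashed entries, and lists every PHP file under admin/ that never references application_top.php (the files that would be exposed if .htaccess were dropped). The directory layout, file contents and the `$apr1$` value it creates are all constructed for the demo; the function names are the example's own.

```python
"""Audit an osCommerce-style admin/ directory (constructed demo, not project code)."""
import os
import re
import tempfile

# AuthUserFile directive in .htaccess, with or without quotes around the path.
AUTHUSERFILE_RE = re.compile(r'^\s*AuthUserFile\s+"?([^"\s]+)"?',
                             re.IGNORECASE | re.MULTILINE)
# Any mention of application_top.php (require/include) counts as "protected by the contrib".
APP_TOP_RE = re.compile(r'application_top\.php')
# Entries Apache's htpasswd tool emits: $apr1$ (MD5), {SHA}, or bcrypt $2y$.
HASHED_RE = re.compile(r'^[^:]+:(\$apr1\$|\{SHA\}|\$2[aby]\$)')


def parse_auth_user_file(htaccess_text):
    """Return the AuthUserFile path named in .htaccess text, or None if absent."""
    m = AUTHUSERFILE_RE.search(htaccess_text)
    return m.group(1) if m else None


def htpasswd_problems(htpasswd_text):
    """Return usernames whose .htpasswd entry is not a recognised Apache hash."""
    bad = []
    for line in htpasswd_text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        if not HASHED_RE.match(line):
            bad.append(line.split(':', 1)[0])
    return bad


def path_inside(path, root):
    """True if `path` resolves to somewhere under `root` (a web-served location)."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return path == root or path.startswith(root + os.sep)


def unprotected_scripts(admin_dir):
    """PHP files under admin_dir (sub-folders included) that never pull in application_top.php."""
    found = []
    for dirpath, _, files in os.walk(admin_dir):
        for name in files:
            if not name.endswith('.php'):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding='utf-8', errors='replace') as fh:
                if not APP_TOP_RE.search(fh.read()):
                    found.append(os.path.relpath(full, admin_dir))
    return sorted(found)


def audit(web_root, admin_dir):
    """Run both checks and return the findings as a dict."""
    findings = {'auth_user_file': None, 'htpasswd_in_web_root': None,
                'unhashed_users': [], 'unprotected_scripts': []}
    htaccess = os.path.join(admin_dir, '.htaccess')
    if os.path.exists(htaccess):
        with open(htaccess, encoding='utf-8') as fh:
            auf = parse_auth_user_file(fh.read())
        findings['auth_user_file'] = auf
        if auf:
            findings['htpasswd_in_web_root'] = path_inside(auf, web_root)
            if os.path.exists(auf):
                with open(auf, encoding='utf-8') as fh:
                    findings['unhashed_users'] = htpasswd_problems(fh.read())
    findings['unprotected_scripts'] = unprotected_scripts(admin_dir)
    return findings


def build_demo():
    """Create a constructed shop tree in a temp dir; return (web_root, admin_dir)."""
    web_root = tempfile.mkdtemp(prefix='shop_')
    admin_dir = os.path.join(web_root, 'admin')
    os.makedirs(os.path.join(admin_dir, 'includes', 'functions'))
    files = {
        # .htpasswd kept inside the web root: the audit flags this placement.
        os.path.join(admin_dir, '.htaccess'):
            'AuthType Basic\nAuthName "Admin"\nAuthUserFile %s\nRequire valid-user\n'
            % os.path.join(admin_dir, '.htpasswd'),
        # One constructed $apr1$ entry and one plaintext entry (the latter is flagged).
        os.path.join(admin_dir, '.htpasswd'):
            'alice:$apr1$abcdefgh$CONSTRUCTEDHASHVALUE0000\nbob:plaintext\n',
        # Normal admin page: includes application_top.php, so the contrib's login applies.
        os.path.join(admin_dir, 'categories.php'):
            "<?php\nrequire('includes/application_top.php');\n",
        # Library file in a sub-folder with no application_top.php include.
        os.path.join(admin_dir, 'includes', 'functions', 'helper.php'):
            "<?php\nfunction demo_helper($x) { return $x; }\n",
    }
    for path, body in files.items():
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(body)
    return web_root, admin_dir


def run_demo():
    """Build the constructed tree and audit it."""
    web_root, admin_dir = build_demo()
    return audit(web_root, admin_dir)


if __name__ == '__main__':
    for key, value in run_demo().items():
        print(f'{key}: {value}')
```

Point `audit()` at a real document root and admin directory to get the same report for a live shop; every script it lists under `unprotected_scripts` is one that only the web-server layer (the .htaccess rule) stands in front of, which is exactly why the reply above says to keep it.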

Yes, I understand. Thanks for that clarification.

Archived

This topic is now archived and is closed to further replies.
