osCommerce

Protecting Temp Directory? Downloads Can Be Stolen!


Guest

Hi,

I'm really sorry if this has been addressed before, but I could not find a thread about this after searching the forum.

It has come to my attention that it's not safe to sell digital downloads using OSC because anyone can access the catalog/temp folder (the folder where you must upload your digital products).

The reason is that the temp folder's permissions (CHMOD) must be set to 755, which allows the public to read and execute that folder. So, if you go to www.YOUR-STORE.com/catalog/temp, you will see a complete list of all your digital download files (AKA the products in your store that people are supposed to be paying for!).

So, I figured, perhaps all one has to do to fix this problem is to upload a blank index.html file to this folder. This makes it impossible to see the contents of the folder when someone goes to www.YOUR-STORE.com/catalog/temp. All you'll see is a blank page. However, there are still 2 problems here...

1. I'm not sure if adding this index.html file to the temp directory will mess up the whole downloading process (in other words, make it impossible for your customers to download the products they purchased within their account area).

2. For simplicity's sake, let's say that all of the files you sell are in ZIP format. If a customer or thief knows the name of the file they want to purchase/steal, then all they have to do is go to www.YOUR-STORE.com/catalog/temp/NAME-OF-FILE.zip and they can just download the file for free. This is a BIG problem, at least for me, because I have a store I am setting up with over 2,000 digital download products. Therefore, to get the store up and running in this century, I have to keep things simple and eliminate as many meaningless tasks as possible. Therefore, the names of the files I am selling are the same as my model #'s. So, if a model # for a product is "qwerty" then the downloadable zip file will be "qwerty.zip". Therefore, all one has to do if they want to steal that file is go to www.MY-STORE.com/catalog/temp/qwerty.zip and they can have it for free.

I'm really saddened and frustrated to have come across this problem; however, I am happy I figured it out before I went live.

Does anyone know of a solution to this problem? I would greatly appreciate it. I have spent 3 months already setting up this store and I have much more work to do before I go live yet. If there is not a fix for this problem I am afraid I'll have to use a different shopping cart (but I don't really want to).

Thanks in advance for any help.

I would add a date-time to the file name for the download step.

Just add code to copy the file from the protected Unix directory to the open one with a unique name for them.

Email them the file name.

Good luck,

Dave

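Dave's copy-to-an-open-directory approach, worked through as an added Python example (my code, not osCommerce's and not from this thread). It names the hand-off directory with a random token rather than a date-time stamp, because a timestamp is only a few guesses wide around the purchase time, and it expires the copy so that pub/ does not accumulate live links. The directory names, the TTL and the `.issued` marker file are assumptions made for the demo; the cart's own download handling is not shown here.

```python
"""Added example (not osCommerce code): hand a purchased file to a customer
through the web-readable pub/ directory without ever exposing the master
copy under a guessable name.  Paths, TTL and the .issued marker are
hypothetical choices for this demo."""
import os
import secrets
import shutil
import tempfile
import time

TTL_SECONDS = 15 * 60  # assumed link lifetime


def is_safe_name(name):
    """Accept only a plain filename: no empty string, no '.', no path parts."""
    return bool(name) and name not in (".", "..") and os.path.basename(name) == name


def issue_download(protected_dir, pub_dir, filename, now=None):
    """Copy protected_dir/filename into pub_dir/<random token>/filename.

    Returns the path (relative to pub_dir) to put in the customer's link.
    The token is 128 random bits, so it cannot be enumerated the way a
    model number or a timestamp can.
    """
    if not is_safe_name(filename):
        raise ValueError("refusing filename with path components")
    src = os.path.join(protected_dir, filename)
    if not os.path.isfile(src):
        raise FileNotFoundError(filename)
    token = secrets.token_urlsafe(16)
    dest_dir = os.path.join(pub_dir, token)
    os.mkdir(dest_dir, 0o755)
    shutil.copyfile(src, os.path.join(dest_dir, filename))
    # Record when the link was issued so expire_downloads() can remove it.
    with open(os.path.join(dest_dir, ".issued"), "w") as fh:
        fh.write(str(now if now is not None else time.time()))
    return f"{token}/{filename}"


def expire_downloads(pub_dir, now=None, ttl=TTL_SECONDS):
    """Remove every token directory issued at least ttl seconds ago."""
    current = now if now is not None else time.time()
    removed = 0
    for entry in os.listdir(pub_dir):
        token_dir = os.path.join(pub_dir, entry)
        marker = os.path.join(token_dir, ".issued")
        if not os.path.isfile(marker):
            continue  # not something we issued (e.g. .htaccess)
        with open(marker) as fh:
            issued = float(fh.read())
        if current - issued >= ttl:
            shutil.rmtree(token_dir)
            removed += 1
    return removed


def demo():
    """Constructed run on temp dirs; returns (url, direct, live, removed, gone)."""
    root = tempfile.mkdtemp()
    protected = os.path.join(root, "download")  # never served by the web server
    pub = os.path.join(root, "pub")             # served, listings disabled
    os.mkdir(protected)
    os.mkdir(pub)
    with open(os.path.join(protected, "qwerty.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04 constructed sample")  # constructed file body
    url = issue_download(protected, pub, "qwerty.zip", now=1000.0)
    direct = os.path.exists(os.path.join(pub, "qwerty.zip"))  # guessable path
    live = os.path.isfile(os.path.join(pub, url))             # tokenised path
    removed = expire_downloads(pub, now=1000.0 + TTL_SECONDS)
    gone = os.path.exists(os.path.join(pub, url))
    shutil.rmtree(root)
    return url, direct, live, removed, not gone


if __name__ == "__main__":
    print(demo())
```

The copy under pub/ is only reachable through the 22-character token path, never as pub/qwerty.zip, and a cron job calling expire_downloads() keeps the window short. The master directory still needs its own protection (outside the web root, or the .htaccess discussed later in this thread), since the copy step is no substitute for that.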

Oh my. I am so sorry.

I was in a hurry today when I typed this. Everywhere in my original post where I was referring to a TEMP folder, I really meant the DOWNLOAD folder. Very, very, very sorry about that.

Anyway, I found the answer to my problem. My catalog/download folder was missing the .htaccess file with the following lines in it...

AuthType Basic
AuthName "No access"
AuthUserFile .htnopasswd
AuthGroupFile /dev/null
Require valid-user

That code disallows access to the download folder directly.

Also, in case anyone is interested, make sure that your catalog/pub folder also has an .htaccess file in it containing the following...

Options +FollowSymLinks -Indexes

Sorry for the mix up. Thanks for helping anyhow!

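An added audit script (my code, not osCommerce's) that checks a catalog for the two .htaccess files above and for master files lying in pub/ under a guessable model-number name. It assumes Apache honours .htaccess in those directories (AllowOverride AuthConfig Options); on a server where that is off, or on nginx, these files do nothing and no filesystem check can tell, so there you would confirm with a direct HTTP request and expect a 401 for anything under the download directory. Paths, model numbers and the sample file are constructed for the demo.

```python
"""Added example, not osCommerce code: an offline audit of catalog/download
and catalog/pub against what the thread says each needs.  It assumes Apache
honours .htaccess in those directories (AllowOverride AuthConfig Options);
where it does not, the files protect nothing and this check cannot tell.
Paths and model numbers are hypothetical."""
import os
import shutil
import stat
import tempfile

# The two .htaccess bodies from the thread, used to build the demo catalog.
DOWNLOAD_HTACCESS = """AuthType Basic
AuthName "No access"
AuthUserFile .htnopasswd
AuthGroupFile /dev/null
Require valid-user
"""
PUB_HTACCESS = "Options +FollowSymLinks -Indexes\n"


def parse_htaccess(text):
    """Map each directive (lower-cased) to the list of its argument strings."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        directives.setdefault(name.lower(), []).append(args.strip())
    return directives


def read_htaccess(directory):
    path = os.path.join(directory, ".htaccess")
    if not os.path.isfile(path):
        return None
    with open(path) as fh:
        return parse_htaccess(fh.read())


def audit_download_dir(directory):
    """catalog/download must refuse every direct request via Basic auth."""
    d = read_htaccess(directory)
    if d is None:
        return ["download: no .htaccess, every file is fetchable by name"]
    findings = []
    for needed in ("authtype", "authname", "authuserfile", "require"):
        if needed not in d:
            findings.append(f"download: missing {needed} directive")
    if "require" in d and "valid-user" not in " ".join(d["require"]):
        findings.append("download: Require is not 'valid-user'")
    return findings


def audit_pub_dir(directory):
    """catalog/pub is web-readable, so directory listings must be off."""
    d = read_htaccess(directory) or {}
    options = " ".join(d.get("options", [])).lower().split()
    if "-indexes" not in options:
        return ["pub: directory listing not disabled (Options -Indexes)"]
    return []


def world_writable(directory):
    """True if 'other' can write: anyone on the host could plant files."""
    return bool(stat.S_IMODE(os.stat(directory).st_mode) & stat.S_IWOTH)


def exposed_by_model(pub_dir, models, ext=".zip"):
    """Files anywhere under pub/ named after a model number are guessable."""
    names = set()
    for _root, _dirs, files in os.walk(pub_dir):
        names.update(files)
    return sorted(f"{m}{ext}" for m in models if f"{m}{ext}" in names)


def demo(protect_download=True):
    """Constructed catalog in a temp dir; returns the audit results."""
    root = tempfile.mkdtemp()
    dl = os.path.join(root, "download")
    pub = os.path.join(root, "pub")
    os.mkdir(dl, 0o755)
    os.mkdir(pub, 0o755)
    if protect_download:
        with open(os.path.join(dl, ".htaccess"), "w") as fh:
            fh.write(DOWNLOAD_HTACCESS)
    with open(os.path.join(pub, ".htaccess"), "w") as fh:
        fh.write(PUB_HTACCESS)
    # A master file copied straight into pub/ under its model number.
    with open(os.path.join(pub, "qwerty.zip"), "wb") as fh:
        fh.write(b"constructed")
    result = (audit_download_dir(dl), audit_pub_dir(pub),
              exposed_by_model(pub, ["qwerty", "asdf"]), world_writable(pub))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against a real catalog by calling the audit functions with the store's own catalog/download and catalog/pub paths and the list of model numbers from the products table. The `-Indexes` check matters even with index.html in place, since a blank index only hides the listing and does nothing about a request for a file by name.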

cxm322, Hi!

Can you help me to set up a digital-product-focused osCommerce? Basically I want the customer to be redirected to unique websites for each product they have bought. I want to know how you have set it up.

Thanks.

Sorry, I have no idea how to set something like that up where the customer would be redirected to a different site for each product. Sounds like a real pain in the butt to me.

Heck, I'm not even sure I will be using OSC for my download project, as setting up all the downloadable products is a real pain in the butt when you have hundreds of them. Currently, I'm looking around for another cart that might be easier to set up for stores with hundreds of digital downloads to set up and upload.

I am not an expert at OSC, just a seasoned user at this point.

This topic is now archived and is closed to further replies.