papillon, posted April 27, 2008

Hi, I'm almost ready to launch my store, but I have some security questions. (I'm using osC v2.2 RC1, and the store is in the root, not /catalog.) Here is what I've done so far:

- chmod includes/configure.php to 644
- chmod images to 777
- chmod admin/images/graphs to 777
- chmod admin/backups to 777
- password-protected admin (with .htaccess and .htpasswd)
- avoided hotlinking of the images
- all my products will be for download only; I installed Super Download Shop, which I think protects the download directory. Does anybody know if I'm wrong? (I have tried to access a product by going to www.misite.com/download/product and it doesn't allow it, so it seems it's secured, or...?)

So, what other things should I do? I have read in some posts about "security updates" and "security patches" or something for some versions of osCommerce. Can somebody guide me a little bit on all this? Thanks
arietis, posted April 27, 2008

> So, what other things should I do? I have read in some posts about "security updates" and "security patches" or something for some versions of osCommerce. Can somebody guide me a little bit on all this? Thanks

Well, if you really want to be secure, you could rename your admin directory. If no one but you knows the name of it, no one can get to it. That's one of the best methods of security. This would, of course, require changing your includes/configure.php and admin/includes/configure.php files to account for the 'new' name.
papillon (author), posted April 28, 2008

> Well, if you really want to be secure, you could rename your admin directory. If no one but you knows the name of it, no one can get to it. That's one of the best methods of security. This would, of course, require changing your includes/configure.php and admin/includes/configure.php files to account for the 'new' name.

Thanks Dave, I will try to change it. By the way, should I also rename the download directory? I mean, it would also be a matter of changing the configure.php files, right?
arietis, posted April 29, 2008

> Thanks Dave, I will try to change it. By the way, should I also rename the download directory? I mean, it would also be a matter of changing the configure.php files, right?

It shouldn't hurt anything, so sure. But you should also have an .htaccess file to limit any access to this directory. The problem with the admin directory is that the files must be publicly downloadable, otherwise the admin doesn't work. But with the download directory, public access is not required.
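The two Apache-side controls discussed so far, the .htaccess/.htpasswd protection on admin/ from the first post and the deny-all .htaccess on the download directory from this reply, as an added shell example. It is not code from the thread, from osCommerce or from Super Download Shop; STORE_ROOT, PRIVATE_DIR, the user name and the function names are assumptions, and it assumes the store is served by Apache with AllowOverride enabled for the store's directory (without that, Apache silently ignores every .htaccess written here).

```shell
#!/bin/sh
# Added example (not from the thread, osCommerce or Super Download Shop):
# put a deny-all .htaccess on the download directory and HTTP Basic auth on
# admin/. STORE_ROOT, PRIVATE_DIR and the user name are assumptions; Apache
# must have AllowOverride enabled for the store directory.

# Write a deny-all .htaccess into DIR. Both syntaxes are emitted so the same
# file works on Apache 2.2 (Order/Deny) and 2.4+ (Require); only the block
# for the loaded module takes effect. PHP still reads the files from disk
# and streams them to the buyer, so no browser ever needs a URL under here.
deny_web_access() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# Protect ADMIN_DIR with Basic auth. PASSWD_FILE should live outside the
# document root so the hashes are never served. The hash comes from htpasswd
# when available, else from openssl's apr1 (Apache MD5-crypt) format; if
# neither tool exists the .htaccess is still written and 2 is returned so
# the caller knows to create the password file by hand.
protect_admin() {
    admin_dir="$1"; passwd_file="$2"; user="$3"; pass="$4"
    mkdir -p "$admin_dir" "$(dirname "$passwd_file")"
    cat > "$admin_dir/.htaccess" <<EOF
AuthType Basic
AuthName "Store administration"
AuthUserFile $passwd_file
Require valid-user
EOF
    if command -v htpasswd >/dev/null 2>&1; then
        # -b puts the password on the command line: acceptable for a one-off
        # setup on your own box, not on a shared host where ps shows it.
        htpasswd -bc "$passwd_file" "$user" "$pass" >/dev/null 2>&1
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")" > "$passwd_file"
    else
        echo "no htpasswd or openssl; create $passwd_file by hand" >&2
        return 2
    fi
    chmod 600 "$passwd_file"
}

# Post-deployment self-checks: exit 0 when the expected directives are there.
has_deny_rule() {
    grep -q 'Require all denied' "$1/.htaccess" 2>/dev/null &&
        grep -q 'Deny from all' "$1/.htaccess"
}
has_basic_auth() {
    grep -q '^AuthType Basic' "$1/.htaccess" 2>/dev/null &&
        grep -q '^Require valid-user' "$1/.htaccess"
}

# Demo on a constructed tree; point STORE_ROOT/PRIVATE_DIR at the real paths.
STORE_ROOT="${STORE_ROOT:-$(mktemp -d)}"
PRIVATE_DIR="${PRIVATE_DIR:-$(mktemp -d)}"
deny_web_access "$STORE_ROOT/download"
protect_admin "$STORE_ROOT/admin" "$PRIVATE_DIR/.htpasswd" storeadmin 'change-me' || true
has_deny_rule "$STORE_ROOT/download" && echo "download/ denied"
has_basic_auth "$STORE_ROOT/admin" && echo "admin/ behind Basic auth"
```

After deploying, the check the first post already did by hand is the one to repeat: request a file under download/ directly and expect 403, then request admin/ and expect the browser's password prompt. Whatever Super Download Shop installs on its own, has_deny_rule tells you whether this rule is actually present in the directory osCommerce serves downloads from.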
Robbogeordie, posted May 4, 2008

We chmod all 777s to 755 and, when we want to use any of these folders, reset the permissions only for the time that we are uploading/downloading things, i.e. backups, new images, etc. We don't have downloadable products, though, and don't know about Super Download Shop. Change the admin name as mentioned. Also check out the Security Pro contribution: http://www.oscommerce.com/community/contributions,5752

I believe register_globals can be switched off with RC1, so make sure this is the case by checking in your admin/tools/server info. If it's on, you can switch it off in your .htaccess, but make sure to check that all your contributions work after this, and check to see if there are any patches that are needed for them. I think there was also a security issue fixed in RC2a, "Protect includes directory from direct HTTP requests": http://www.oscommerce.com/ext/upgrade-22rc2.html
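The permission routine this post describes (755 by default, 777 only for the duration of an upload), plus the two other items it raises, register_globals off via .htaccess and blocking direct requests into includes/, as an added shell example. It is my own code, not the thread's, osCommerce's or Security Pro's, and the includes/.htaccess it writes is my wording rather than the file shipped in RC2a. It assumes PHP runs as the user that owns the files (suexec/suPHP, a PHP-FPM pool, or mod_php on a single-user box), which is what makes 755/644 enough; on a host where Apache runs as a different user, 755 on images/ will break uploads, and the fix is a group or ownership change, not 777. Function names and the demo tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, osCommerce or Security Pro): repeatable
# permission hardening for an osCommerce tree. Assumes PHP runs as the user
# that owns the files, so 755/644 is sufficient. Function names are mine.

# Permission string of PATH as ls prints it, e.g. drwxr-xr-x. Portable
# across GNU and BSD, unlike stat's format flags.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Every world-writable file or directory under ROOT, one per line. On a
# shared host every other customer's account can write to anything listed.
find_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) 2>/dev/null | sort
}

# Tighten ROOT to 755/644 and print how many paths were world-writable
# beforehand, so a cron job can alert whenever the count is not zero.
tighten_perms() {
    root="$1"
    before=$(find_world_writable "$root" | wc -l | tr -d ' ')
    find "$root" -type d -perm -002 -exec chmod 755 {} +
    find "$root" -type f -perm -002 -exec chmod 644 {} +
    echo "$before"
}

# osCommerce warns on every page while configure.php is writable by the web
# server; 444 silences that and stops a compromised script from editing it.
lock_config() {
    for f in "$1/includes/configure.php" "$1/admin/includes/configure.php"; do
        if [ -f "$f" ]; then chmod 444 "$f"; fi
    done
}

# Open DIR (777), run the remaining arguments as a command, close DIR (755)
# again whether or not the command succeeded, and return its status. This is
# the "only while uploading" habit from the post with the close step made
# impossible to forget.
with_writable() {
    dir="$1"; shift
    chmod 777 "$dir"
    "$@" && status=0 || status=$?
    chmod 755 "$dir"
    return "$status"
}

# includes/ holds PHP meant to be include()d, never requested directly, but
# also language image files, so only *.php is blocked. Needs AllowOverride
# Limit (or All) for the store directory in httpd.conf to take effect.
protect_includes() {
    mkdir -p "$1"
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# register_globals must be off for the whole store, so it belongs in the root
# .htaccess. Guarded with IfModule: under CGI/FastCGI PHP "php_flag" is an
# unknown directive and Apache answers 500 for the entire site; there, set
# register_globals = Off in php.ini instead. Idempotent on repeated runs.
disable_register_globals() {
    htaccess="$1/.htaccess"
    grep -q 'register_globals' "$htaccess" 2>/dev/null && return 0
    cat >> "$htaccess" <<'EOF'
<IfModule mod_php5.c>
    php_flag register_globals off
</IfModule>
EOF
}

# Demo on a constructed tree (the chmod 777 lines recreate the situation in
# the first post); for a real store drop the setup and pass its document root.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/images" "$DEMO/includes" "$DEMO/admin/backups"
chmod 777 "$DEMO/images" "$DEMO/admin/backups"
printf '<?php\n' > "$DEMO/includes/configure.php"
echo "world-writable before: $(tighten_perms "$DEMO")"
lock_config "$DEMO"
protect_includes "$DEMO/includes"
disable_register_globals "$DEMO"
with_writable "$DEMO/images" touch "$DEMO/images/new.gif"
echo "images/ is now $(mode_of "$DEMO/images")"
```

After the .htaccess changes, the check from the post still applies: open admin/tools/server info and confirm register_globals reads Off, request includes/application_top.php directly and expect 403, and then click through every installed contribution, since some older ones only ran with register_globals on.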
This topic is now archived and is closed to further replies.