
Security issue with admin directory


Jan Zonjee


Just to add my 2p's to this topic and to hopefully help other newbies like myself...

 

Muggiebear, thank you for responding. I saved your instructions to file and bookmarked the link.

 

Over the past couple of days I have been considering what to do... and I may move my store folder within the public_html folder, which may solve one problem and crop up some others like configuring, etc.

 

I will get this figured out eventually. Thanks

 

Steve

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


I'm a NEWBIE and don't seem to be comprehending all this about the Admin Directory instructions. Can you please tell me: if I can just re-name my Admin Directory and create a new password in osCommerce, does that take care of #1 or A? For #2 or B, can I just not mess with changing the 2 lines to add the .htaccess protection in osCommerce if I have Password Protect Directories in my own webhosting? In other words, can I take care of the .htaccess protection in my webhosting? I am hesitant to mess with my code in osCommerce for fear of getting an ERROR page... please help! Thank you in advance.


For most shops, renaming the admin directory/folder is good enough, as long as you take care not to publish your new admin folder (such as on invoices) to anyone else, even your customers. You should use a hard-to-guess or impossible-to-guess name of random characters, e.g. DhyIUKD8g, as the name of the admin folder. If no one knows the URL (given that it has been renamed as shown above) to your admin area, then there is no chance of hacking.

I'd recommend the above for most shop owners, as the .htaccess thing seems to create a lot of problems, especially on servers that are set up based on what the server admin *thinks* you would or would not need.

 

Ken

commercial support - unProtected channel, not to be confused with the forum with same name - open to everyone who need some professional help: either PM/email me, or go to my website (URL can be found in my profile).

over 20 years of computer programming experience.


for most shops, renaming admin directory/folder is good enough as long as you take care of not publishing your new admin folder
I completely disagree with this. The only purpose of renaming the admin folder is not to have automated bots hitting it. It's not a security feature. Consider this, would you be willing to turn off password protection entirely and just rename the folder? Because that's essentially what you are proposing.

 

Renaming the folder is obscurity. Obscurity is not security. Obscurity can be pierced -- all it takes is an exploit that reveals the directory contents of the catalog folder. On some (badly configured) servers, that might be as simple as requesting the catalog directory. Even on a correctly configured server, there can still be an Apache bug that duplicates the badly configured behavior. Or on shared hosting, someone might figure out how to get out of their sandbox and look into yours. Note that they would not need write access, just read -- to a publicly available folder (catalog).

 

The only secure method is to password protect the folder.

 

Now, all that said, if someone has password protection in their hosting (the original question), then they don't need to mess with changing .htaccess. The hosting will do that. A host's password protection is secure for sites with admin in SSL (and no password scheme is secure without SSL). All that a host's password protection for a directory does is modify either the .htaccess or the httpd.conf file with the htpasswd changes. Essentially, it is making the .htaccess changes for you.

 

The osCommerce code changes just keep you from logging in twice. If you don't mind logging in twice, you can leave them off. The directory password protection is just as secure without them.

Always back up before making changes.


...Consider this, would you be willing to turn off password protection entirely and just rename the folder? Because that's essentially what you are proposing...The only secure method is to password protect the folder...

 

I suppose you don't know what you are talking about. The issue applies to, and ONLY applies to, osC 2.2 RC1 or 2, which already has a login function, albeit somewhat exploitable, hence the suggestion of renaming the admin folder. The point I am making is that if you don't know the name of the admin folder, i.e. the URL to it, you have no way to exploit it. And most shops are not that interesting to hackers, since there is not much useful data to steal or damage to do. Who's going to rob a beggar on the street dressed in dirty clothing? On the other hand, if you have a shop that actually makes a full, comfortable living for you, and you could well have tens of thousands of customers' data, then you probably have no time to take the trouble, as evidenced here; you would have hired someone to secure it for you using methods that are beyond what has been discussed here.

 

After all, would a homeless person spend his only pennies to protect his property while sleeping on the street, when in fact he has no property at all to worry about?

 

The only secure method is to password protect the folder.

Really? What about FTP??

and no password scheme is secure without SSL

RUBBISH.

 

Ken


My point is that there are ways to determine what folders are present on a website. I listed three (bad Apache configuration, Apache bug, shared hosting bug). If an attacker uses any of those, your secret URL is no longer a secret. The first two of those are vulnerable to bots in the same way that this exploit is.

 

If there is an exploit for the password protection, then the password protection does not exist. Anyone smart enough to write a bot that tries all osCommerce sites would also be smart enough to read this thread and figure out how to bypass the password protection.

 

Not sure what FTP has to do with it? Unless you are claiming that FTP is secure without SSL? It's not. That's why SFTP exists.

 

Most shops might be able to get by without using SSL and never be exploited. The concerns there are very different (mostly relating to eavesdropping on connections). Perhaps I shouldn't have brought it up, as it's outside the current discussion. However, for a secure admin, SSL is required. The beggar comparison is apt here, as SSL costs money (albeit not a lot), and it might possibly be more practical to accept the risk of compromise than to pay the $50 for a cheapo SSL certificate. That does not apply to password protecting the folder, which is free.

 

It is especially bad advice to give to someone who has password protection in their hosting. It is in fact horrible advice. That person can spend a couple minutes using the tool that their host provided and improve their protection greatly at no cost to him or herself except a small amount of time.


Thank you all for this debatable topic. All in all, it's a great learning experience for a new member like myself. It does seem like it's all that hard, but I guess if you know what you are doing or understand the concept, it's as easy as 123. For my part, it turned out simple, since I didn't have to deal with changing anything in osCommerce except my Admin Directory. I did my .htaccess protection with my webhosting and it was very simple. It even helps generate a strong password to use. Protecting your website, however big or small, is peace of mind in this day and age, bombarded with hackers. :rolleyes:

 

 

 

 


...there are ways to determine what folders are present on a website...

 

And so there are always ways not to give out the site directory structure, a properly set up 404 page being one of them.

 

...bad Apache configuration, Apache bug, shared hosting bug...

In that case one could only pray to God morning & night, or every 15 minutes, for protection. And is there a bug to accept ANY password you may type in when prompted for one? If not, why not?

 

 

...Anyone smart enough to write a bot that tries all osCommerce sites...

The word *smart* should properly be replaced by *stupid*. Smart guys don't try those poor (poorer than a mouse) osC shops; instead they'd spend their time on high-profile sites, which would need a proper guy to properly protect, and that's the real battlefield.

 

...what FTP has to do with it...

FTP only has something to do with it when someone claims the only way is to PW protect it. OK, you have a PW, plus SSL. If I were a hacker, I'd listen to your FTP traffic, as MOST hosts do not offer SFTP, to intercept your FTP details. Now, even a dummy would know how to use FTP to rename a file to render it useless. So all of a sudden your .htaccess becomes nothing.

 

...Most shops might be able to get by without using SSL and never be exploited...

Should add PW .htaccess to it. And don't forget some SSL itself is also exploitable, as reported not so long ago. So if you are so worried, then you may develop a mental problem, as the list of loopholes would go longer and longer.

 

...does not apply to password protecting the folder, which is free.

...a small amount of time...

 

Try to tell Steve above, or someone like him; they have been having almost life-threatening troubles trying to do it, which is what prompts me to make my suggestion, to save their life!

 

Knowing something does NOT necessarily mean you have to use it anywhere, anytime, in any situation.

 

Ken


Hey, no need for the shouting.

 

I agree to differ with the last message. My, and obviously one other's, experience is different, so please don't shoot the messenger when there is something wrong. The "OSC is perfect and it's just the idiots messing about with it" attitude isn't right either. The advice of going through every file to find a hard-coded file location was a no-brainer and most unhelpful, and to term it as "bad luck" was not helpful either. Something must have been wrong in the installation somewhere, but no sensible suggestion came out as to where.

 

All I am saying is warn folk to have a roll-back plan when advising doing something like this, because sod's law always crops up somewhere.

 

Everyone on this site has different levels of experience with oscommerce and all of us want simple, helpful and clear instructions on what to do about issues that trouble us.

 

Nuff said on this and I won't reply any more regardless.

 

 

Mystery Solved.

 

The problem was with password protecting the admin folder first using the cPanel utility. Before renaming the admin folder, remove any password protection on the folder. After performing the rename and the configure.php file check you can log in. Then re-apply the password protection using cPanel.

 

If you have another method of applying password protection, perhaps you should consider removing it anyway:

 

So for clarity:

 

Backup the admin/includes/configure.php file

 

1. Remove password protection on admin folder

 

2. Rename the admin folder to a name of your choice.

 

3. Edit the /includes/configure.php file in the newly renamed folder to replace the word admin with the new folder name. These lines look like:

 

define('DIR_WS_ADMIN', '/admin/');

define('DIR_FS_ADMIN', '/home/setstre1/public_html/admin/');

 

4. Check this works.

 

5. Re-apply password protection on the newly renamed admin folder.

 

6. Check this works with password protection on.
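As an added example (not code from this thread or from osCommerce itself), a small Python helper that performs step 3 of the list above on admin/includes/configure.php and then checks the result: it rewrites only the last path component of DIR_WS_ADMIN and DIR_FS_ADMIN, backs the file up first as the list asks, and reports any admin define still pointing at the old folder name. The sample configure.php contents and the host paths in it are constructed placeholders; the helper names are my own.

```python
import re
import secrets
import shutil
import string
from pathlib import Path

# Constructed sample of admin/includes/configure.php; the host paths are
# placeholders, not taken from any real shop.
SAMPLE_CONFIGURE = """<?php
define('HTTP_SERVER', 'https://www.example.com');
define('HTTP_CATALOG_SERVER', 'https://www.example.com');
define('DIR_WS_ADMIN', '/admin/');
define('DIR_WS_CATALOG', '/');
define('DIR_FS_ADMIN', '/home/example/public_html/admin/');
define('DIR_FS_CATALOG', '/home/example/public_html/');
"""

# The two defines that carry the admin folder name (web path and filesystem path).
ADMIN_KEYS = ('DIR_WS_ADMIN', 'DIR_FS_ADMIN')
DEFINE_RE = re.compile(r"define\('([A-Z_]+)',\s*'([^']*)'\);")


def read_defines(text):
    """Map every define('KEY', 'value'); in the file text to a dict."""
    return dict(DEFINE_RE.findall(text))


def rename_admin_defines(text, old_name, new_name):
    """Rewrite the admin folder name in DIR_WS_ADMIN and DIR_FS_ADMIN only.

    Only the last path component is replaced, so a parent directory that
    happens to contain the word 'admin' is left alone. Returns the new file
    text and the list of keys that were actually changed (in file order).
    """
    changed = []

    def repl(match):
        key, value = match.group(1), match.group(2)
        trimmed = value.rstrip('/')
        if key not in ADMIN_KEYS or not trimmed.endswith('/' + old_name):
            return match.group(0)          # not an admin define, or already renamed
        new_value = trimmed[:-len(old_name)] + new_name + '/'
        changed.append(key)
        return "define('%s', '%s');" % (key, new_value)

    return DEFINE_RE.sub(repl, text), changed


def check_admin_defines(text, expected_name):
    """Return a list of problems; an empty list means the defines match the new folder.

    Each admin define must end in /expected_name/, and the filesystem admin
    path must sit underneath DIR_FS_CATALOG, which is where the admin folder
    lives in a standard install.
    """
    defines = read_defines(text)
    problems = []
    for key in ADMIN_KEYS:
        value = defines.get(key)
        if value is None:
            problems.append('%s missing' % key)
        elif not value.endswith('/%s/' % expected_name):
            problems.append('%s still points at %r' % (key, value))
    fs_admin = defines.get('DIR_FS_ADMIN')
    fs_catalog = defines.get('DIR_FS_CATALOG')
    if fs_admin and fs_catalog and not fs_admin.startswith(fs_catalog):
        problems.append('DIR_FS_ADMIN is not under DIR_FS_CATALOG')
    return problems


def random_admin_name(length=12):
    """Hard-to-guess folder name using letters and digits only, so it is safe in URLs and paths."""
    alphabet = string.ascii_letters + string.digits
    return ''.join(secrets.choice(alphabet) for _ in range(length))


def rewrite_configure_file(path, old_name, new_name):
    """Back configure.php up as configure.php.bak, then apply the rename in place."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + '.bak'))
    new_text, changed = rename_admin_defines(path.read_text(), old_name, new_name)
    path.write_text(new_text)
    return changed


if __name__ == '__main__':
    new_name = random_admin_name()
    text, changed = rename_admin_defines(SAMPLE_CONFIGURE, 'admin', new_name)
    print('renamed admin ->', new_name, 'in', changed)
    print('problems:', check_admin_defines(text, new_name) or 'none')
```

Run `check_admin_defines` against the live file before step 4; an empty list means both admin defines already name the renamed folder, so a remaining 404 on login comes from somewhere else (a local/configure.php override, for example).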


All the discussion and suggestions are very beneficial, so after pondering this a while I think I will bite the bullet and go along with my host suggestion to move the folder where my osCommerce store resides from "beside" to under the public_html folder. That way, I will be able to use their tool to set password protection for my admin folder. (The host only allows the tool for use for folder protection to the public_html folder and any folders contained in the public_html folder.)

 

Before I dive into this, I'd like someone with more experience to look over what I plan to do and let me know if I am missing something.

 

In my /catalog/admin/includes/configure.php file there are some defines that probably apply.

 

I think

 

define('HTTP_SERVER', 'my store url');

define('HTTP_CATALOG_SERVER', 'my store url');

 

are ok because I will point my subdomain to the appropriate folder that I am moving.

 

So for the sake of my example, my pointer now goes to catalog, following my domain, and will now have to go to public_html/catalog.

 

However for

 

define('DIR_FS_DOCUMENT_ROOT', '/*********************/catalog//');

and

define('DIR_FS_CATALOG', '/****************************/catalog//');

 

Should I put /public_html in before the /catalog// part?

 

Do any other defines need to be changed so that /public_html is properly recognized anywhere?

 

Then over in /catalog/includes/configure.php I don't see any define in there that needs to be changed.

 

Input please and thank you.


Input please and thank you.

 

I went ahead and made the config changes so my site resides in the public_html folder, then protected my folder as per the recommendation in this post. After the redo I made a sale about a half hour later.... so all is working.

 

When running administrative tasks I have to enter a user id and password twice, but no big deal really, given the protection benefit.

 

Onward and upward.....

 

Thanks


I think the fix should be:

 

admin/includes/application_top.php

 

Line 36

 

// set php_self in the local scope
$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

Change to

 

// set php_self in the local scope
$PHP_SELF = $_SERVER['PHP_SELF'];

 

Line 124

 

// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {
  $redirect = false;

  $current_page = basename($PHP_SELF);

 

Change to

 

// redirect to login page if administrator is not yet logged in
if (!tep_session_is_registered('admin')) {
  $redirect = false;

  $current_page = basename($_SERVER['SCRIPT_NAME']);

 

Line 149

 

// include the language translations
require(DIR_WS_LANGUAGES . $language . '.php');
$current_page = basename($PHP_SELF);

 

Change to

 

// include the language translations
require(DIR_WS_LANGUAGES . $language . '.php');
$current_page = basename($_SERVER['SCRIPT_NAME']);

Check to see if you have a configure.php file under "admin"/includes/local

 

What does this mean? How do I check for this? I am having the same problem, when I change the admin folder name I can't log into the new folder and I get the same 404 error. Obviously there are at least three of us doing something wrong. The instructions are simple enough but there is something missing in the instructions that Ken and others seem to understand intuitively that we newbies don't. Like, what does it mean to have a config.php file under "admin"/includes/local.

 

What is 'local' ? How do you check this in simple steps? Maybe this is the problem, or maybe it is something else we are missing.


I tried this and it totally crashed my site and I had to re-install it again losing some products I had started. Thankfully it was only five items, no big deal. But I think the above code is a bit drastic for newbies and if anyone understands what Java Roasters is suggesting and can confirm this is the correct code, please post since if this is the solution, newbies will need a bunch of help understanding this one.


Hi Bradybarrows

 

Install osCommerce by the book, i.e. don't use the Fantastico installer, as it messes with the system and you cannot successfully rename the admin folder if you use it. I know this from bitter experience. It is OK to use cPanel to create the MySQL database, but you need to FTP the osCommerce files over to your website and then run the install routine. You can find the procedure here http://www.oscommerce.com/forums/index.php?sho...&hl=install

 

I wasn't going to reply again due to the know-all and sarcastic attitude of some in this forum, but you might benefit from this. He knows who he is.

 

Oh, and definitely use cPanel to password protect a folder, and also make sure you have an SSL certificate. You can ensure redirection to https:// using .htaccess by adding the following:

 

RewriteEngine On

RewriteCond %{SERVER_PORT} !=443

RewriteRule ^ https://www.yoursite.com%{REQUEST_URI} [NS,R,L]

 

IndexIgnore *

 

The IndexIgnore statement prevents directory listing on your website; otherwise a listing could assist someone in guessing your new admin folder's name.

 

I hope this helps.

 

 

Regards


Aloha Robert,

Thanks for the tip. However, I did indeed use FTP to upload the cart. I am simply experimenting with a new cart to understand how to rename the admin folder before I even attempt to try this on my working shopping cart with SSL certification. I simply want to beef up my site with security, since on another shopping cart that doesn't even have the payment modules integrated (I am simply using the osCommerce v2 cart as a database web site because it is so cool) I didn't know I needed any security add-ons at all, since there aren't any warnings about security add-ons needed in the instructions (at least I didn't notice them if there were any), and a hacker went into my site and really messed it up. So before I get hacked on my real live shopping cart that is integrated with two payment modules, I am simply experimenting with another cart. I am still trying to figure out how to change the admin folder name. If I figure it out, I will post the results.

 

As to the sarcastic advice here in osCommerce forums, it is just the nature of some to be that way just like in real life with real people we meet outside this forum. You have to understand the nature of volunteering which is what is happening here. All the posters are volunteering their time to answer questions, and some of the questions are really dumb because to a developer of the osCommerce code, which some of these volunteers are, they can't quite fathom that a novice or newbie would even dare to ask such a question and they don't want to waste time teaching basic knowledge that anyone who would want a shopping cart should already know.

 

One way I have thought about that might reduce this problem of sarcasm and nasty remarks to beginners is to add a forum under the v2.2 heading called NEWBIES or BEGINNERS, and then if the developers venture into this forum they should know that there will be a lot of dumb questions that someone who took the time to read the manual or spend a few hours reading the posts already there wouldn't ask again. But the nature of some newbies is that they ask a dumb question without reading anything, and you can only imagine how a developer of the osCommerce code would react to that. Not all developers are that way; some are very helpful, and what is going on here is totally amazing. Thousands of people are here asking questions, and probably a core of less than a hundred know what is going on with osCommerce, and those who are really good with osCommerce shopping carts are making lots of money setting them up and not spending any time here helping newbies.

 

The other suggestion I have for Harold Ponce De Leon who came up with this whole deal is to clearly explain what an alpha shopping cart is since hundreds of newbies think v3 should be the one to download and they haven't a clue what they are doing. And with v2 it should clearly say with big warning letters that security is an issue and there are several addons that need to be integrated into the shop before going live with a cart.


Check to see if you have a configure.php file under "admin"/includes/local
What does this mean? How do I check for this?

 

If you don't know what it is, then you are unlikely to have one there. This is akin to asking "What is a safe? How do I know, or how do I check if I've got one in my room?" Well, if you don't know, then you are highly unlikely to have a safe in your room, because you'd have to buy it and then put it in your room. Same as the configure.php file in the local folder. osC does not automatically put such a file there. It has to be the person who's installing the osC store who puts it there. So, given the fact that you don't know what it is, you have no worry about it and there won't be one there. Sorry, I seem to have become a bit chatty... "normally" I am kind of straight-talking.

 

The instruction is in the #1 post. What is not clear in it?

 

And if you are just starting to build your first online store, then the focus should not be on this issue. I know it sounds serious, but in real life it's not a big deal for many. I know someone will probably jump in and point out I am giving bad advice etc. etc., and remember software application security is a matter of life that I (I say I so that I don't accidentally include others who may see it differently) will have to live with. Just think, like it or not, MS has an army of very good programmers but every week we have security updates. I say MS, but unfortunately other big (software) players can't exclude themselves from this sad fact, like it or not.

Ken


It is a simple change (takes about 2 minutes) for a default osC shop if you understand and follow the first post by Jan, in particular this bit: "After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php". Note the location of the configure.php, which is different from the other one under [catalog]/includes/.

There should not be any hard-coded admin folder name in any files. If yours does have the admin folder hard coded in files, then bad luck (you have a wrongly modified shop); you will need to find each occurrence and fix them.

 

The .htaccess protection is beyond osC; you will need to contact your host for advice, as different hosts may have different ways of doing it.

 

Ken

 

I have spent about five hours on this, so please bear with my lack of knowledge. I can get the new admin folder to show up and get the log in page. However, when I log in with the user name and password I used before, it won't log in. How can I reset the user name and password? Or is there another work around?


 

Aloha Ken,

 

thanks for replying to my question. What throws me off is the statement:

 

configure.php file under "admin"/includes/local

 

I know the configure.php file is in the following folder:

 

/catalog/admin/includes/

 

Why would the original poster write 'local' at the end? What does that mean? I know what a safe is. I would look in the room till I find it. I am not asking how to open the safe, I am asking, can you give me some direction on where the safe is located in the room.

 

I have at least been able to get the log in page to come up in my browser with the new admin folder. However, when I log in using the user name and password I set up with the admin folder I am redirected to a 404 page error. Here is the url I am redirected to:

 

http://www.mydomain.com/new_admin_directory/login.php?

 

As you can see, it is not pointing to catalog/new_admin_directory/login.php?

 

Maybe that is a clue to what is going on. I am making progress. I can at least see the new admin directory. I am confident this problem will work out, it is just something I am doing wrong, or neglecting to do.


 

Local would be a subfolder in the admin/includes folder

If there is no folder then you do not have a local version

If it is there, the configure.php file in it will override the one in admin/includes

 

Martin

Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.



Duh. Thanks very much for being so patient with me Martin. I see why people get upset with posters like me asking dumb questions. Ok. I put a copy of the configure.php file in there and I still get the same response when I log in. I get this:

 

http://www.mydomain.com/new_admin_folder/login.php

 

It isn't going to:

 

http://www.mydomain.com/catalog/new_admin_folder/index.php

 

I know this is easy fix since I am close. Please help.


Ditto!

 

I changed the name of the admin folder & the suggested file, but still can't access the admin as per the above. There are more references to the folder "admin" in OSC & these don't seem to be changed. I want to protect the store I've built, but following this thread actually makes the admin unusable.....can the advice be more thorough for an important issue like this please, even if it's just a link to another thread?

 

I would also like to write a correct .htaccess file, but despite thinking I'm fairly intelligent, most of the stuff I read is just way above my head <_<

 

Can the information be spelt out for us newbies, in a way that we can follow to the correct result, but doesn't fry the brain? :blink:

 

Thanks

 

I found this helpful for the .htaccess file:

 

http://addons.oscommerce.com/info/6066

 

I downloaded FIMBLE 15 Jul 2008 and used the script provided. If you don't know about the .htaccess file it is sometimes hidden and if you have a windows server you can't use it. If it is a Linux server or Apache server it works. This explains how .htaccess works:

 

http://en.wikipedia.org/wiki/.htaccess


Aloha Robert,

Thanks for the tip. However, I did indeed use FTP to upload the cart. I am simply experimenting with a new cart to understand how to re-write the admin folder before I even attempt to try this on my working shopping cart with SSL certification. I simply want to beef up my site with security, since on another shopping cart that doesn't even have the payment modules integrated (I am simply using the osCommerce v2 cart as a database web site because it is so cool) I didn't know I needed any security addons at all, since there aren't any warnings about security addons being needed in the instructions (at least I didn't notice them if there were any), and a hacker went into my site and really messed it up. So before I get hacked with my real live shopping cart that is integrated with two payment modules I am simply experimenting with another cart. I am still trying to figure out how to change the admin folder name. If I figure it out, I will post the results.

 

As to the sarcastic advice here in osCommerce forums, it is just the nature of some to be that way just like in real life with real people we meet outside this forum. You have to understand the nature of volunteering which is what is happening here. All the posters are volunteering their time to answer questions, and some of the questions are really dumb because to a developer of the osCommerce code, which some of these volunteers are, they can't quite fathom that a novice or newbie would even dare to ask such a question and they don't want to waste time teaching basic knowledge that anyone who would want a shopping cart should already know.

 

One way I have thought of that might reduce this problem of sarcasm and nasty remarks to beginners is to add a forum under the v2.2 heading called NEWBIES or BEGINNERS, and then if the developers venture into this forum they should know that there will be a lot of dumb questions that someone who took the time to read the manual or spend a few hours reading the posts already there wouldn't ask again. But the nature of some newbies is that they ask a dumb question without reading anything and you can only imagine how a developer of the osCommerce code would react to that. Not all developers are that way, some are very helpful and what is going on here is totally amazing. Thousands of people are here asking questions and probably a core of less than a hundred know what is going on with osCommerce, and those who are really good with osCommerce shopping carts are making lots of money setting them up and not spending any time here helping newbies.

 

The other suggestion I have for Harold Ponce De Leon who came up with this whole deal is to clearly explain what an alpha shopping cart is since hundreds of newbies think v3 should be the one to download and they haven't a clue what they are doing. And with v2 it should clearly say with big warning letters that security is an issue and there are several addons that need to be integrated into the shop before going live with a cart.

 

 

Aloha Bradybarrows

 

Thanks for the pep talk. I will bear that in mind. No, you don't need SSL if you are not running an online store, but I have seen advice here stating that it is not very important. Also, no one has mentioned preventing listing of the directories in your website so I thought it would be helpful as a security measure as well. Paranoia is not a bad thing on the web and if you do get hacked at least you can, in good conscience, inform your customers that you did all you could (and perhaps avoid legal action).

 

I have rebuilt my website about a dozen times due to this admin folder issue and I should have switched to the wonderful Joomla at this point, but I am stubborn and wouldn't let it beat me. I can only put my issues down to the Fantastico installer as all went well when I installed manually. However, there are some other steps that might help, so here is step by step how I got it working:

 

I created a new mySQL Database with a very complex username and password

 

Copy the files in the catalog folder using ftp to your website location. In my case it is the root folder and is called public_html when viewing in ftp. It is not made clear for newbies to only transfer the files and folders in the catalog folder and not the catalog folder itself. I used osCommerce 2.2a.

 

I ran the install routine with the files and folders as per out of the box and then sorted any warning messages (about file permissions).

 

I then used the cPanel file manager to rename the admin folder.

 

After that I modified the renamed_admin_directory/includes/configure.php file as per the first post using WordPad and not Notepad, as the line breaks seemed to go missing using Notepad. I now use WordPad instead of Notepad for editing as the line breaks are never removed.

 

I then used the cPanel password protect a directory facility. I had tried this manually and it never worked. After browsing about I noticed the password is encrypted in the file with the username and password, no doubt to improve security, so it is not possible to do this manually.

 

I hope this is helpful to you and others.


The complete opposite is true. It is NOT lucky or otherwise; it's simply a very straightforward thing, as easy as ABC. *Obviously* there is *NOTHING* else (for a default osC setup). If you can't get this very simple thing done, then I suppose you should not issue any warning here, as it is completely false: it can be done any time, anywhere, in any shop including those that take in thousands of orders daily, and it won't stop your shop running for even a second. That's the truth, and I am stating a fact, not insisting...or guessing.

 

Ken

 

Ken,

 

I can appreciate that for you it is a snap. But there are at least three of us in this thread who are not getting the same results. I too can get the log in page with the new_admin_directory but when I log in it goes back to:

 

www.domain.com/new_admin_directory/login.php

 

It is supposed to go to:

 

www.domain.com/catalog/new_admin_directory/index.php

 

But it is not. This obviously is a simple fix. It might be the way the code is configured. The initial code shows:

 

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

 

I copied the /your/path/to/directory/renamed_admin_directory/ from the backup database path. My back up directory is this path:

 

/home/43/dnumber/htdocs/domainfolder/catalog/renamed_admin_director/

 

I placed a copy of the configure.php file in the local folder as well. What would be the motive of three of us having the same problem other than we are simply not getting the same snappy result you do. We all wish we could get this done and simply are asking what are we doing wrong and please help us. We want to beef up the security of the admin folder. Maybe you could think of something you would check?

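The redirect described in this post is consistent with DIR_WS_ADMIN lacking the catalog's web path: osCommerce builds admin URLs by concatenating HTTP_SERVER and DIR_WS_ADMIN, so a value of '/renamed_admin_directory/' sends the browser to the site root instead of /catalog/. As an added example (not from the thread or from osCommerce itself), this Python check parses a constructed configure.php carrying the values quoted above, reproduces the URL the login would redirect to, and reports the mismatch; the host, paths and the helper names (parse_defines, check_admin_paths, suggest_fix) are placeholders of my own.

```python
import posixpath
import re

# Constructed sample of admin/includes/configure.php in the state the thread
# describes: shop under /catalog/, admin folder renamed, but DIR_WS_ADMIN
# written without the /catalog/ prefix. Host and paths are placeholders.
SAMPLE_CONFIGURE_PHP = """<?php
define('HTTP_SERVER', 'http://www.mydomain.com');
define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/home/43/dnumber/htdocs/domainfolder/catalog/renamed_admin_directory/');
define('DIR_WS_CATALOG', '/catalog/');
define('DIR_FS_CATALOG', '/home/43/dnumber/htdocs/domainfolder/catalog/');
"""

# Matches the single-quoted define() lines osCommerce 2.2 uses for its paths.
DEFINE_RE = re.compile(r"define\('([A-Z_]+)',\s*'([^']*)'\);")

def parse_defines(php_source):
    """Return {NAME: value} for every single-quoted define() in the file."""
    return dict(DEFINE_RE.findall(php_source))

def expected_ws_admin(cfg):
    """Web path the admin folder must have: the catalog's web path plus the
    renamed folder's name on disk (last segment of DIR_FS_ADMIN)."""
    folder = posixpath.basename(cfg['DIR_FS_ADMIN'].rstrip('/'))
    return cfg['DIR_WS_CATALOG'] + folder + '/'

def check_admin_paths(cfg):
    """Return a list of problems; an empty list means the four paths agree."""
    problems = []
    if not cfg['DIR_FS_ADMIN'].startswith(cfg['DIR_FS_CATALOG']):
        problems.append('DIR_FS_ADMIN is not inside DIR_FS_CATALOG')
    want = expected_ws_admin(cfg)
    if cfg['DIR_WS_ADMIN'] != want:
        problems.append(f"DIR_WS_ADMIN is {cfg['DIR_WS_ADMIN']!r}, expected {want!r}")
    return problems

def admin_link(cfg, page='index.php'):
    """Build an admin URL as osCommerce does: HTTP_SERVER + DIR_WS_ADMIN + page.
    With the sample above this is the out-of-catalog URL the thread reports."""
    return cfg['HTTP_SERVER'] + cfg['DIR_WS_ADMIN'] + page

def suggest_fix(cfg):
    """Copy of cfg with DIR_WS_ADMIN corrected to match the on-disk location."""
    return dict(cfg, DIR_WS_ADMIN=expected_ws_admin(cfg))
```

Run check_admin_paths() on your own parsed configure.php; once it returns an empty list, admin_link() should produce a URL inside /catalog/.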


Mahalo Robert. I am much closer since I can now at least see the new_admin_folder/login.php page. But when logging in it goes outside the catalog page. Weird, huh? Obviously it is some minor glitch that needs tweaking a bit. There are so many variations of servers, scripting, code, php, that it is a wonder we can make any of this work, but I feel as you do, I am not giving up and will keep the osCommerce shopping cart since I have spent so many hours working with it. It is sort of like if your Dad drove a Ford truck, and you spent all those years driving in it, you end up buying a Ford instead of something else. However, I did spend about forty hours on the Interspire shopping cart and it is superior to the osCommerce one and has features built in that are in v3 like making web pages. Very cool cart, but costs $1000 and we know why we are all here working with osCommerce. I have probably spent way over 150 hours working with osCommerce. Yep, I have one client that I told I would build him an osCommerce shopping cart for a paltry sum with the condition that I would do the best I can but no warranty. If it doesn't work, too bad. But he didn't care. So far, all he has is the generic cart and I have put all the security features in it suggested at this url by Sam:

 

http://www.oscommerce.com/forums/index.php?showtopic=313323

 

Then I read about this admin security thread and have spent at least six hours on it and still haven't figured it out. I hate to go through all the steps again with a new uploaded cart, new database. I just did that. Everything is brand spanking new. Surely someone will suggest why the admin log in is going to outside the catalog and offer a suggestion to check this or that.

 

But I am happy that you figured it out and works for you. thanks for the chat.


Archived

This topic is now archived and is closed to further replies.
