osCommerce

Security issue with admin directory


Jan Zonjee


The file you sent has all that HTML trash in front of the opening PHP tag.

 

Like I have said: use a simple text editor not an HTML editor.


Added in edit:

 

And it has HTML trash at the end of the file:

 

</head>
<body>

<br>

</body>
</html>

Both of which will cause you grief when dealing with PHP at times.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

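The problem described above (HTML, a byte-order mark or blank lines outside the PHP tags, which PHP sends to the browser before it can emit headers) can be found by a script instead of by opening every file. The script below is an added example, not code from this thread or from osCommerce; the function names check_php_file and scan_php_dir are mine, and it assumes a Unix shell with GNU or BSD grep (-b/-o), head -c and od, which common hosts provide.

```shell
#!/bin/sh
# Added example (not from the thread): report PHP files that will emit output
# before PHP can send headers, i.e. bytes before the opening "<?php" tag or
# anything beyond a single newline after the last closing "?>" tag.

# Exit 0 when the file is clean, 1 when it has leading or trailing junk.
check_php_file() {
    file="$1"
    status=0

    # Leading junk: the very first five bytes must be "<?php". A UTF-8 BOM,
    # a blank line or HTML pasted in by a WYSIWYG editor all fail this test.
    if [ "$(head -c 5 "$file")" != "<?php" ]; then
        echo "$file: content before the opening <?php tag"
        status=1
    fi

    # Trailing junk: find the byte offset of the last "?>" and hex-dump every
    # byte after it. PHP swallows exactly one newline (LF or CRLF) after a
    # closing tag, so "", "0a" and "0d0a" are the only acceptable remainders.
    off=$(grep -Fbo '?>' "$file" | tail -n 1 | cut -d: -f1)
    if [ -n "$off" ]; then
        rest=$(tail -c +$((off + 3)) "$file" | od -An -tx1 | tr -d ' \n')
        case "$rest" in
            ''|0a|0d0a) ;;
            *) echo "$file: content after the last closing ?> tag"
               status=1 ;;
        esac
    fi
    return $status
}

# Walk a directory tree (for example the admin directory) and report every
# offending file. Paths containing spaces are not handled by this simple loop.
scan_php_dir() {
    bad=0
    for file in $(find "$1" -type f -name '*.php'); do
        check_php_file "$file" || bad=1
    done
    return $bad
}
```

Run scan_php_dir against a local copy of the admin directory before uploading. A file that is pure PHP with no closing tag passes, as does one that ends in `?>` followed by a single newline; a file that ends in `?>` followed by blank lines or the `</body></html>` fragment shown above is reported.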


update

 

I just took an hour or so to delete all the whitespace at the end of every single PHP file in the admin section of the website and all the HTML code I could find.

Result? I can log in.

But some messages still appear and the admin control panel is a bit deformed, but at least I can log in and this is a good sign.

I have something else to do at the moment, but when I finish I will do a cache clearing again, a restart of the PC, and I will try to log in again and see if and how everything works.

Those messages were indeed caused by some HTML code in front of the starting PHP tag, mainly in the login.php files (both from the admin and the includes sections), but there is another thing that looks pretty weird to me.

It's the coding in the footer.php (it does no harm at the moment, at least I didn't notice it causing any troubles of any kind), but after going through all of these issues today and after looking over the coding in the footer.php file, I can tell that something is not quite right.

Anyway, thank you for helping me fix this issue.

 

regards,

john


  • 1 month later...

This is still very confusing, and the multiple replies don't help much. Why is it that this software is released with so many issues? Can't the programmers make these changes and just release the software again?


  • 3 weeks later...

I'm another one with a problem changing the admin name. I have tried some of the suggestions given in the posts here and followed Jan's original instructions.

 

The error I am getting is

 

Warning: mysql_connect() [function.mysql-connect]: Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2) in /homepages/**/********/htdocs/catalog/(my new admin name)/includes/functions/database.php on line 19

Unable to connect to database server!

 

I've had a look at the database.php around line 19 but can see nothing to change.

 

Any help would be so appreciated.

 

(I don't have cPanel.)

 

I tried to change it back to the original 'admin' name - renaming the file and loading up a copy of the original osCommerce configure.php file, but now I can't log in - I just get an Error 403 Forbidden message!

Help >_<


Hello all!

 

I am also getting error 403; I know it has something to do with the permissions. Ever since I installed discount coupons I am having this problem. The site will be up, but by morning it will go down and I will have to go through my FTP and change the permissions on my "public" folder to 755, and then again the next morning the site will be down again and showing me error 403 and the "public" folder's permissions will be 750 again, and I change it again through FTP to 755 and the site is back up. But every morning I wake up to see it down again and the permissions automatically go back to 750 on the public folder... does anyone know how I can fix this permanently?

 

Thanks so much in advance

 

Imran


I am also getting error 403; I know it has something to do with the permissions. Ever since I installed discount coupons I am having this problem. The site will be up, but by morning it will go down and I will have to go through my FTP and change the permissions on my "public" folder to 755, and then again the next morning the site will be down again and showing me error 403 and the "public" folder's permissions will be 750 again, and I change it again through FTP to 755 and the site is back up. But every morning I wake up to see it down again and the permissions automatically go back to 750 on the public folder... does anyone know how I can fix this permanently?

Did you contact your hosting provider about this? Perhaps they have some script running at certain times to do this? I've never heard of an osCommerce script or addon doing this.


Hello Jan,

 

Thanks so much for the reply. I contacted the host and all he tells me is that you should never change the permission on the public folder. But if I don't do this my website will keep showing the error; it only comes back up when I change the permission from 750 back to 755 on the main folder. The host has a few people on his server and he says some have the discount coupon code add-on (which I installed before I started getting this problem) but don't have this problem. I am not sure if they have the same add-on I have, but yeah, I just can't figure out what the problem is and the host isn't really helping me :(

 

Did you contact your hosting provider about this? Perhaps they have some script running at certain times to do this? I've never heard of an osCommerce script or addon doing this.


I contacted the host and all he tells me is that you should never change the permission on the public folder.

In principle that should work I understand from Googling "750 chmod". But if ownership of the public_html is not correctly set it can be a problem (Apache user not allowed to read files...). See for example this thread.


  • 2 weeks later...

As soon as you change the admin name it will change the privacy policies to the recent admin user. Then you have to use the new or the changed admin name instead of the previous one. If you are facing the login problem with the new username, then clear the cache in your browser and then restart your PC.


For most shops, renaming the admin directory/folder is good enough as long as you take care not to publish your new admin folder (such as on invoices) to anyone else, even your customers.

 

I have been looking around and I can't find out where I would go to remove the path that is printed at the top of the invoices and packing slips.

 

My admin folder has been renamed and password protected via the cpanel.

 

From what I read, even though the path may be public (by being printed on invoices and packing slips and sent out to customers) since the renamed admin directory is password protected I'm fine.

 

But I would prefer to still remove the code/path, for peace of mind and to clean things up a little, no need for the clutter to be up there on a customers invoice/packing slip.

 

I skimmed through the invoice.php and packingslip.php files, but didn't see the code for the path in there.

 

Can someone lead me in the right direction


  • 2 weeks later...

In the German forum there is an announcement by the German team members about a security problem in the admin for shops using osC 2.2 version RC1 and RC2. The details of how to compromise the admin have not been disclosed (for obvious reasons).

 

For the moment two things can and should be done:

A. rename the admin directory

B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

 

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

 

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

For password protecting your admin directory you can (hopefully) use the Password Protect feature in your web hosting control panel.

 

To avoid having to login twice (once in the "popup" screen and then again in the osC admin login) you might want to look at the code Harald Ponce de Leon wrote some time ago:

 

http://github.com/osCommerce/oscommerce2/commit/569917f654edab2b07bf61ab8caf2764ba1457c4

Try to perform an automatic login if a Basic HTTP Authentication mechanism is already in place. For this to work, the administrator username and password must be the same as the HTTP Authentication login credentials.

 

Changes in the following files:

catalog/admin/includes/application_top.php
catalog/admin/login.php

 

Some additional information and advice on security

 

Delete admin/filemanager.php and associated links.

Delete admin/define_language.php and associated link in the "Tools" box.

Note: keep a local copy of your site on your computer and after editing files and ensuring the things you have added to your shop are working upload edited files by FTP to your site.

 

Ensure that your folder permissions are never set higher than 755

 

Install some security addons

 

Also some ideas from this post can help you

 

Adding this bit of code in admin/includes/application_top.php by FWR Media, to make sure $PHP_SELF is what it is supposed to be, is very much recommended too.

 

The code below will most likely be in the next release candidate for osC 2.2 to fix the hole:

GitHub Harald Ponce de Leon

 

admin/includes/application_top.php Line 146-151

 

Change:

     $redirect = true;
   }

   if ($redirect == true) {
     tep_redirect(tep_href_link(FILENAME_LOGIN));
   }

To:

     $redirect = true;
   }

   if (!isset($login_request) || isset($HTTP_GET_VARS['login_request']) || isset($HTTP_POST_VARS['login_request']) || isset($HTTP_COOKIE_VARS['login_request']) || isset($HTTP_SESSION_VARS['login_request']) || isset($HTTP_POST_FILES['login_request']) || isset($HTTP_SERVER_VARS['login_request'])) {
     $redirect = true;
   }

   if ($redirect == true) {
     tep_redirect(tep_href_link(FILENAME_LOGIN));
   }

 

admin/login.php Line 10-11

 

After:

  Released under the GNU General Public License
*/

Add:

 $login_request = true;

 

Hi, I'm just wanting to double check what you mean by 'admin' folder? do you mean my root folder where all the page files for my site are located? because this is not called 'admin', it's called 'public_html'. Is that the one i need to rename?

Or, are you referring to the actual 'admin' folder which is INSIDE the 'public_html' folder?

Please clarify!

Thank you so much. :)

x


  • 1 month later...

<SNIP>

 

B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC

 

<SNIP>

 

Unless I missed something, I didn't see anywhere in this thread how to do the above. I don't mind working with my web host on this, plus I already have my own .htaccess file for web site protection, but I don't know what to put in an .htaccess file to specifically address this osC vulnerability. Can anyone point me to the code or type of protection to put in the .htaccess file to protect the renamed admin directory? Thanks!


<SNIP>

 

B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC

 

<SNIP>

 

Unless I missed something, I didn't see anywhere in this thread how to do the above. I don't mind working with my web host on this, plus I already have my own .htaccess file for web site protection, but I don't know what to put in an .htaccess file to specifically address this osC vulnerability. Can anyone point me to the code or type of protection to put in the .htaccess file to protect the renamed admin directory? Thanks!

cPanel users have a function in cpanel and others usually called 'Directory Protection' or 'Password Protect Directories' that creates the .htaccess file. The .htaccess password protects the directory so that it requires a password to access. Follow the directions in your cPanel to password protect your newly renamed admin directory. Once completed access to your admin directory will require a username and password the FIRST time a browser session encounters the directory.

 

Once the directory has this security in place you will find that an .htaccess file is now in your admin directory with these lines in it...

 

AuthType Basic
AuthName "Authorized Use Only"
AuthUserFile "/home/dir/.htpasswds/dir/dir/passwd"
require valid-user

 

Of course, 'dir' stands for the directory names of your shop, passwd could be anything... and "Authorized Use Only" is whatever you put in when you created the password.

Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?
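Steps A and B from the earlier post (rename the admin directory, change DIR_WS_ADMIN and DIR_FS_ADMIN in its configure.php, then put Basic authentication on it with the .htaccess shown above) can also be done without cPanel. The script below is an added example, not code from this thread, from cPanel or from osCommerce; the function names, the secret_admin_x7 directory name and the sample configure.php are constructed here, and it assumes an Apache host (as the earlier post notes, .htaccess does not apply to a Windows server), GNU or BSD sed, and OpenSSL's `passwd -apr1` for Apache-compatible MD5 hashes. It goes slightly beyond the two steps by also setting directories to 755 and files to 644 and checking that nothing is group- or world-writable, which is the permission advice given elsewhere in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): rename the osCommerce admin directory,
# repoint its configure.php, protect it with HTTP Basic authentication and
# normalise permissions. Assumes the admin/includes/configure.php layout.

# Step A: replace only the last path component of each define, so a prefix
# such as /catalog/ or the absolute filesystem path stays intact. The new
# name must not contain '|', '&' or '/'.
update_configure() {
    conf="$1"; new="$2"
    sed -i.bak \
        -e "s|\(define('DIR_WS_ADMIN', '.*/\)[^/]*/');|\1$new/');|" \
        -e "s|\(define('DIR_FS_ADMIN', '.*/\)[^/]*/');|\1$new/');|" \
        "$conf"
}

rename_admin_dir() {
    root="$1"; new="$2"
    mv "$root/admin" "$root/$new"
    update_configure "$root/$new/includes/configure.php" "$new"
}

# Step B: the .htaccess from the post above. AuthUserFile must be an absolute
# path and should live outside the web root so the hashes are never served.
write_htaccess() {
    dir="$1"; authfile="$2"
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "Authorized Use Only"
AuthUserFile "$authfile"
require valid-user
EOF
}

# Append one user to the password file. The password is read from stdin so it
# never appears in the process list; where Apache's htpasswd tool is
# installed, "htpasswd -c FILE USER" is the simpler choice.
add_htpasswd_user() {
    authfile="$1"; user="$2"
    hash=$(openssl passwd -apr1 -stdin)
    printf '%s:%s\n' "$user" "$hash" >> "$authfile"
    chmod 640 "$authfile"
}

# Directories 755 and files 644; the check exits 1 if anything under the tree
# is still group- or world-writable (octal masks keep this portable).
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}
check_permissions() {
    [ -z "$(find "$1" \( -perm -020 -o -perm -002 \) -print)" ]
}

# Everything except adding users: harden_admin_dir SHOP_ROOT NEW_NAME AUTHFILE
harden_admin_dir() {
    root="$1"; new="$2"; authfile="$3"
    rename_admin_dir "$root" "$new"
    write_htaccess "$root/$new" "$authfile"
    fix_permissions "$root/$new"
}
```

After running it, add at least one user with `printf '%s\n' "$PASSWORD" | add_htpasswd_user /home/shop/.htpasswd shopadmin`, and keep the password file outside public_html. Basic authentication sends the credentials with every request, so the renamed directory should only be visited over SSL; the double login the earlier post mentions is avoided with Harald's application_top.php change if the HTTP user and password match the osC admin account.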


cPanel users have a function in cpanel and others usually called 'Directory Protection' or 'Password Protect Directories' that creates the .htaccess file. The .htaccess password protects the directory so that it requires a password to access. Follow the directions in your cPanel to password protect your newly renamed admin directory. Once completed access to your admin directory will require a username and password the FIRST time a browser session encounters the directory.

 

Once the directory has this security in place you will find that an .htaccess file is now in your admin directory with these lines in it...

 

AuthType Basic
AuthName "Authorized Use Only"
AuthUserFile "/home/dir/.htpasswds/dir/dir/passwd"
require valid-user

 

Of course, 'dir' stands for the directory names of your shop, passwd could be anything... and "Authorized Use Only" is whatever you put in when you created the password.

 

Thank you for the quick reply. As you said, using my web host's cPanel to password protect the newly renamed osC admin dir created an .htaccess file with the code you mention above, and now authentication is required for the new admin dir. Thank you for explaining this! As an aside, I have just read through all the posts in the top pinned security thread for this forum (sigh). So I am now at the point of installing the contribution add-ons, but I have to say that I'm a bit reluctant given all the thread posts of people having problems during or after the installs. Also, the original contrib add-ons were posted in 2008. It's almost 2011. Does osC not create update packages for these vulnerabilities on a regular basis, or are all these add-ons and tweaks posted herein "the updates"? Sorry... I've been mostly living in a M$ world the last 10 years and am only now re-entering the *nix (or non-Windows) world once again. Thanks again for the quick and detailed reply!


Releasing "update packages" wouldn't cover everyone.

 

Many templates have osC as their base code but the rest of the code is different. An "update package" applied to a template would most likely "break the store".

 

Another obstacle is the fact the software is free and downloadable at many sources (without registration), so there is no way to contact everyone.

 

When problems are discovered people post about them here and fixes are contrived.

 

Shop owners just have to frequent the forum for now.

 

Maybe in the future there will be a more concerted effort for advising and applying security fixes.

 

For now the forums are the only avenue.

 

Good, bad, or indifferent - that's just the way it currently is.

:)


Releasing "update packages" wouldn't cover everyone.

 

Many templates have osC as their base code but the rest of the code is different. An "update package" applied to a template would most likely "break the store".

 

Another obstacle is the fact the software is free and downloadable at many sources (without registration), so there is no way to contact everyone.

 

When problems are discovered people post about them here and fixes are contrived.

 

Shop owners just have to frequent the forum for now.

 

Maybe in the future there will be a more concerted effort for advising and applying security fixes.

 

For now the forums are the only avenue.

 

Good, bad, or indifferent - that's just the way it currently is.

:)

 

Thanks for the reply! Just wanted to make sure I wasn't missing an area where osC update packages were regularly archived for d/l'ing/installing. Hope to start applying the remaining security add-ons this week. Thanks!


Archived

This topic is now archived and is closed to further replies.
