Security warning - I am able to write to the configure file


Guest


Posted

All of a sudden, when I opened my website today, there is a warning message at the top of the home page which reads: "Warning: I am able to write to the configuration file: /home/content/*/*/*/***dadmin/html/includes/configure.php. This is a potential security risk - please set the right user permissions on this file."

 

I don't know why this message is appearing and how to correct the security issue. I have not made any configuration changes.

Posted

Our host is GoDaddy - they sent me to osCommerce for help...

Posted

You need to set the permissions on includes/configure.php. They should be 644. If you still get that message then set it to 444.

 

You can set this through your host's control panel or your FTP program.

Posted

You need to set the permissions on includes/configure.php. They should be 644. If you still get that message then set it to 444.

 

You can set this through your host's control panel or your FTP program.

 

Thanks to all!

Got the message removed, simple when you know what you are doing.

 

GBeck

  • 3 weeks later...
Posted

You need to set the permissions on includes/configure.php. They should be 644. If you still get that message then set it to 444.

 

You can set this through your host's control panel or your FTP program.

 

 

 

I have tried setting permission to 444 to no avail. I can change the permissions to various other permissions but I can NOT remove "WRITE" from owner. Hence I still receive the warning message at the top of the page. The best I can do is 644, but this permission still allows WRITE for Owner, so is there a security risk with this setting? If not, can I remove the warning message somehow? Using WS_FTP Pro for changing permissions. Any help much appreciated.

Posted

It depends on whether PHP and Apache are running as "owner" or in your "group" or even as "world". If they are not running as owner, 644 is fine. The idea is to lock certain files so that some hacker can't bend osC and use it to modify these files by overwriting them. If the files in question are 644 and you get the message, it means that you need to change them to 444 (read only), as PHP and Apache are running as "owner".

 

Are you on a Linux server (Apache web server) or Windows with either Apache or IIS? Linux uses "644" style permissions, while Windows... well I'm not sure how to make it "Read Only" access (attrib command?).

 

Note 1. FTP clients usually assume a Linux server, and will merely confuse a Windows server by sending a "chmod" command.

 

Note 2. Many Linux servers are now configured, for security reasons, to ignore "chmod" requests from an FTP client. You now have to go into your hosting service's file manager to change permissions. If you are able to change other permissions, this may not be the case for you.

 

In either case, you may have to talk with your hosting service to find the magical incantation to make a file Read-Only.
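The owner/group/world reasoning in the reply above, as an added example that is not part of the original thread and not osCommerce code: given the uid and gids the web server runs as, it reports which permission class applies to a file and whether 644 is enough or 444 is needed. The function names and the `www-data` account in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not osCommerce code). Works from the mode bits shown by
# `ls -ldn`, so the answer does not depend on who runs the script.
# Note: uid 0 (root) ignores these bits entirely.

# which_class FILE UID "GID GID ..." -> owner | group | other
# The kernel checks exactly one class: owner first, then group, then other.
which_class() {
    wc_uid=$2; wc_gids=$3
    set -- $(ls -ldn "$1")          # $1 mode string, $3 owner uid, $4 group gid
    if [ "$wc_uid" = "$3" ]; then echo owner; return; fi
    for g in $wc_gids; do
        if [ "$g" = "$4" ]; then echo group; return; fi
    done
    echo other
}

# can_write FILE CLASS -> exit status 0 if that class has the write bit set
can_write() {
    cw_class=$2
    set -- $(ls -ldn "$1")          # $1 looks like -rw-r--r--
    case $cw_class in
        owner) pos=3 ;;
        group) pos=6 ;;
        *)     pos=9 ;;
    esac
    [ "$(printf '%s' "$1" | cut -c"$pos")" = "w" ]
}

# advise FILE UID "GIDS" -> "ok", "chmod 444" or "chmod 644"
advise() {
    class=$(which_class "$1" "$2" "$3")
    if ! can_write "$1" "$class"; then echo ok; return; fi
    # Web server is the owner: only a read-only file (444) stops it.
    # Otherwise removing group/world write (644) is enough.
    if [ "$class" = owner ]; then echo "chmod 444"; else echo "chmod 644"; fi
}

# Usage on a real host (www-data is an assumed account name):
#   advise includes/configure.php "$(id -u www-data)" "$(id -G www-data)"
```

On shared hosting where PHP runs as the account owner, this prints `chmod 444` for a 644 file, which matches the case where the warning persists at 644.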

Posted

It depends on whether PHP and Apache are running as "owner" or in your "group" or even as "world". If they are not running as owner, 644 is fine. The idea is to lock certain files so that some hacker can't bend osC and use it to modify these files by overwriting them. If the files in question are 644 and you get the message, it means that you need to change them to 444 (read only), as PHP and Apache are running as "owner".

 

Are you on a Linux server (Apache web server) or Windows with either Apache or IIS? Linux uses "644" style permissions, while Windows... well I'm not sure how to make it "Read Only" access (attrib command?).

 

Note 1. FTP clients usually assume a Linux server, and will merely confuse a Windows server by sending a "chmod" command.

 

Note 2. Many Linux servers are now configured, for security reasons, to ignore "chmod" requests from an FTP client. You now have to go into your hosting service's file manager to change permissions. If you are able to change other permissions, this may not be the case for you.

 

In either case, you may have to talk with your hosting service to find the magical incantation to make a file Read-Only.

 

 

Thanks for your reply.

Here is some info on server etc which I got from osCommerce Admin/Tools/Server info

Database: MySQL 4.1.22-standard-log

HTTP Server: .V03 Apache/1.3.26 (Unix) mod_fs 6.005

PHP Version: 4.1.2 (Zend: 1.1.1)

Server OS: It tells me nothing.

 

I haven't got my head around who's who when talking about "owner, group, other" so not too sure what you are trying to tell me there. Something more to learn!! I can make any change to permission I like, except that there will always be "OWNER - read, write". No matter what I do these two will always be there. This happens on any file that I choose. In summing up, from your above comments, because I get the warning message I NEED TO CHANGE PERMISSION. Looks like my only course of action is to contact my hosting company. Unfortunately the web host's file manager app. does not give me any options to change permission in there. Cheers

Posted

Unfortunately the web host's file manager app. does not give me any options to change permission in there.

 

Very strange, it might be hidden in your host's file manager.

 

G


Posted

Thanks for your reply.

Here is some info on server etc which I got from osCommerce Admin/Tools/Server info

Database: MySQL 4.1.22-standard-log

HTTP Server: .V03 Apache/1.3.26 (Unix) mod_fs 6.005

PHP Version: 4.1.2 (Zend: 1.1.1)

Server OS: It tells me nothing.

Your host is WAY behind on software levels. You should be at PHP 4.4.9 at the very minimum, with at least the option to go to PHP 5.x. PHP 4 is no longer supported, and PHP 4.1 is so ancient it's not even funny. Note that osC 2.2 at least RC1 (preferably RC2a) is going to be needed to handle some of the changes in PHP once your host emerges from the Stone Age. The server is OK, although Apache 2.0 is preferred now (1.3 is End of Life). MySQL is acceptable, although version 5 is current (changes are needed to osC 2.2 to handle MySQL 5). I presume that the server is running some flavor of Linux or Unix, rather than Windows.

 

I haven't got my head around who's who when talking about "owner, group, other" so not too sure what you are trying to tell me there. Something more to learn!!

 

Read http://www.catskilltech.com/freeSW/SMF/faqs > Proper Permissions for the lowdown on permission numbers.

 

I can make any change to permission I like, except that there will always be "OWNER - read, write". No matter what I do these two will always be there. This happens on any file that I choose. In summing up, from your above comments, because I get the warning message I NEED TO CHANGE PERMISSION. Looks like my only course of action is to contact my hosting company. Unfortunately the web host's file manager app. does not give me any options to change permission in there.

Either your hosting company has an incredibly primitive "file manager", or you're using it wrong. I've never seen a file manager that didn't let you change permissions to whatever you need to. Do you know what the name of this file manager is?

 

If you are on cPanel, be aware that there's a quirk in the "Change file permissions" function. You will be presented with a grid of owner/group/world vs read/write/execute checkboxes. You will also see the three digit permissions listed below. Do not overtype the numbers. You must tick/untick the checkboxes.

Archived

This topic is now archived and is closed to further replies.
