oscbeginner99 Posted April 9, 2011

I have used my Hostgator cpanel to password protect the admin directory. This evidently does not work. I cannot log in. After lengthy effort from the host, they finally removed password protection from the admin directory so that I can log in. What options are available to secure the 2.3.1 version? Are procedures different from the older versions? Thank you in advance

♥toyicebear Posted April 9, 2011

2.31 has a "built-in" htaccess password system for admin...

Go to "Administrators" in your shop's admin... and follow the instructions given there

Basics for osC 2.2 Design - Basics for Design V2.3+ - Seo & Sef Url's - Meta Tags for Your osC Shop - Steps to prevent Fraud... - MS3 and Team News... - SEO, Meta Tags, SEF Urls and osCommerce - Commercial Support Inquiries - OSC 2.3+ How To

To see what more I can do for you check out my profile [click here]

oscbeginner99 (Author) Posted April 9, 2011

> 2.31 has a "built-in" htaccess password system for admin...
> Go to "Administrators" in your shop's admin... and follow the instructions given there

Thank you for your response. I have now looked at the Administrators area and see:

"The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:

/home/zappersu/public_html/catalog/admin/.htaccess
/home/zappersu/public_html/catalog/admin/.htpasswd_oscommerce

Reload this page to confirm if the correct file permissions have been set."

I must be missing something simple, but I do not see the files in the admin directories. Do I have to create them somehow?

♥toyicebear Posted April 9, 2011

Not in the shop's admin; go to the file manager in your hosting control panel. There you should be able to see them and set the correct permissions.

oscbeginner99 (Author) Posted April 9, 2011

> Not in the shop's admin; go to the file manager in your hosting control panel. There you should be able to see them and set the correct permissions.

Yes, I am looking through the cpanel and do not see those 2 files in the admin folder.......

Xpajun Posted April 9, 2011

Brad, you should be able to use your cPanel to password protect the admin BUT user name and Password MUST be the same as your admin login

My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get any other add-ons are not really necessary

oscbeginner99 (Author) Posted April 9, 2011

> Brad, you should be able to use your cPanel to password protect the admin BUT user name and Password MUST be the same as your admin login

That is very interesting.....I would have thought that you should use a different pass and user.

But what about changing the permissions on the files that I can not see?

1. public_html/catalog/admin/.htaccess
2. public_html/catalog/admin/.htpasswd_oscommerce

Xpajun Posted April 10, 2011

> That is very interesting.....I would have thought that you should use a different pass and user.

Yes it is - many others have voiced the same opinion - tell the core coders :rolleyes: :rolleyes:

If you manage to get the osC .htaccess protection working that is exactly what it will do - produce .htaccess protection with the same username and password

> But what about changing the permissions on the files that I can not see?
> 1. public_html/catalog/admin/.htaccess
> 2. public_html/catalog/admin/.htpasswd_oscommerce

In your cPanel file manager do you have a check box to show hidden files?

oscbeginner99 (Author) Posted April 10, 2011

> Yes it is - many others have voiced the same opinion - tell the core coders :rolleyes: :rolleyes:
> If you manage to get the osC .htaccess protection working that is exactly what it will do - produce .htaccess protection with the same username and password
> In your cPanel file manager do you have a check box to show hidden files?

Thank you Xpajun, I was not aware that these would be hidden files. Thank you very much...now I changed these to 777 and I hope that this is correct.

peteravu Posted October 4, 2011

> Thank you Xpajun, I was not aware that these would be hidden files. Thank you very much...now I changed these to 777 and I hope that this is correct.

Why must they be writable after being changed? When I change back to 655 it again says "the following files need to be writable by the web server to enable the htaccess/htpasswd security layer:" but 655 must be better than 777?

So now I have 655 and have to login 2 times, that must be more secure than 777 right or not?

Thanks to all that contributed to separate_price_per_customers_4.2.2_for_2.3.1, Add Multiple Products with plus/minus buttons, One Page Checkout for 2.3.1, Multi Attribute V2, Login Box Club osCommerce Shipping Date Chooser for 2.3.1, Quickly Update Product Stock 3.8.5 Español and order number in email subject

Forum, Thanks Designing New Themes the Easy Way, how-to-set-backgrounds.

my contributions Add Multiple Product In Product Listing 2.3.1 v.1.0 and Multiple Attribute entry boxes in product info page v1.0 for 2.3.1

ShallonCimelus Posted October 4, 2011

Can someone tell me the proper permissions for the two .htaccess files? I must be missing something...

I keep getting:

    Error
    Additional Protection With htaccess/htpasswd
    This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.
    The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:
    /home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htaccess
    /home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htpasswd_oscommerce
    Reload this page to confirm if the correct file permissions have been set.

I've removed the .htpasswd_oscommerce file

Within my control panel I've added a username and password (same as admin) for my admin folder.

I've also tried a ton of different permission combinations and no luck...

peteravu Posted October 5, 2011

> Can someone tell me the proper permissions for the two .htaccess files? I must be missing something...
> I keep getting:
> Error
> Additional Protection With htaccess/htpasswd
> This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.
> The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:
> /home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htaccess
> /home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htpasswd_oscommerce
> Reload this page to confirm if the correct file permissions have been set.
> I've removed the .htpasswd_oscommerce file
> Within my control panel I've added a username and password (same as admin) for my admin folder.
> I've also tried a ton of different permission combinations and no luck...

It works if you change to 777

ShallonCimelus Posted October 5, 2011

> It works if you change to 777

Yeah I've tried that before and nothing. I'll leave it for a few hours and see. I've also cleared my browser of all files, different browser and different computer and still the same issue.

Anyone have another idea? TIA

ShallonCimelus Posted October 6, 2011

A day later and still no change. Anyone have any other ideas?

♥kymation Posted October 6, 2011

You cannot use your host's control panel to set the .htaccess protection unless you remove all of the access protection code from the osCommerce admin. Remove the protection in your host's control panel, restore the file you deleted, set the permissions as instructed in your Admin, and follow the rest of those instructions.

Regards
Jim

See my profile for a list of my addons and ways to get support.

peteravu Posted October 7, 2011

Why must they be writable after being changed? When I change back to 655 it again says "the following files need to be writable by the web server to enable the htaccess/htpasswd security layer:" but 655 must be better than 777?

So now I have 655 and have to login 2 times, that must be more secure than 777 right or not?

Taipo Posted October 7, 2011

I guess it will allow you to change your password in the future? 666 is generally the writable setting for files.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

ShallonCimelus Posted October 7, 2011

SOLUTION!

So after messing with the permissions more, I got a 500 Error and was no longer able to access the admin side of osCom.

I deleted everything and started completely fresh. Installation completed, no issues. Go into the admin and get the following error:

    Error
    Additional Protection With htaccess/htpasswd
    This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.
    Enabling the htaccess/htpasswd security layer will automatically store administrator username and passwords in a htpasswd file when updating administrator password records.
    Please note, if this additional security layer is enabled and you can no longer access the Administration Tool, please make the following changes and consult your hosting provider to enable htaccess/htpasswd protection:
    1. Edit this file:
    /home/zzzz/public_html/catalog/zzzz/.htaccess
    Remove the following lines if they exist:
    ##### OSCOMMERCE ADMIN PROTECTION - BEGIN #####
    AuthType Basic
    AuthName "osCommerce Online Merchant Administration Tool"
    AuthUserFile /home/zzzz/public_html/catalog/zzzz/.htpasswd_oscommerce
    Require valid-user
    ##### OSCOMMERCE ADMIN PROTECTION - END #####
    2. Delete this file:
    /home/zzzz/public_html/catalog/zzzz/.htpasswd_oscommerce

This time, I clicked on my admin user > edit > put in same password and checked the protect with .htaccess > save. Refresh pop-up comes up, input login info and error is gone!

The first time I just checked "protect with .htaccess..." and did NOT put a password in, because it says "New Password". I believe that was the root of all my issues. I read the directions several times and they are a little lax with this one step. I would recommend adding a little more to say "insert same password in the 'New Password' field and check the protection" for those like me that thought the original password would stay if left blank.

.htaccess and .htpasswd_oscommerce are in my admin dir with permissions 644.

Thank you all for your help.

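The end state described in the post above (the protection block in `.htaccess`, a password file beside it, both at 644 rather than 777) can be checked from a shell. This is an added example, not part of the thread or of osCommerce: the function names and the temporary sample directory are hypothetical, and only the marker and directive text come from the block quoted in the post.

```shell
# Added example (not from the thread): audit an osCommerce admin directory's
# htaccess/htpasswd layer. Function names and sample data are hypothetical.
BEGIN_MARK='##### OSCOMMERCE ADMIN PROTECTION - BEGIN #####'

# Print one finding per line for admin directory $1; print nothing if clean.
audit_admin_dir() {
    ht="$1/.htaccess"
    if [ ! -f "$ht" ]; then echo "MISSING $ht"; return 0; fi
    grep -qF -e "$BEGIN_MARK" "$ht" || echo "NO_PROTECTION_BLOCK $ht"
    grep -q '^[[:space:]]*Require[[:space:]]*valid-user' "$ht" || echo "NO_REQUIRE_VALID_USER $ht"
    # The file named by AuthUserFile must exist and list at least one user,
    # otherwise nobody can pass the Basic auth prompt.
    pw=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$ht" | head -n 1)
    if [ -z "$pw" ]; then
        echo "NO_AUTHUSERFILE $ht"
    elif [ ! -s "$pw" ]; then
        echo "EMPTY_OR_MISSING_PASSWORD_FILE $pw"
    fi
    # Mode 777 or 666 sets the world-write bit: any local account on a shared
    # host could then replace the rules or the password hashes.
    for f in "$ht" "$pw"; do
        if [ -f "$f" ] && [ -n "$(find "$f" -perm -0002)" ]; then
            echo "WORLD_WRITABLE $f"
        fi
    done
}

# Build a constructed admin directory holding the block quoted in the thread.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/.htaccess" <<EOF
##### OSCOMMERCE ADMIN PROTECTION - BEGIN #####
AuthType Basic
AuthName "osCommerce Online Merchant Administration Tool"
AuthUserFile $d/.htpasswd_oscommerce
Require valid-user
##### OSCOMMERCE ADMIN PROTECTION - END #####
EOF
    echo 'admin:CONSTRUCTED-PLACEHOLDER-HASH' > "$d/.htpasswd_oscommerce"
    chmod 644 "$d/.htaccess" "$d/.htpasswd_oscommerce"
    echo "$d"
}

# Demo: the 777 setting tried in the thread is reported for both files.
demo=$(make_sample_dir)
chmod 777 "$demo/.htaccess" "$demo/.htpasswd_oscommerce"
audit_admin_dir "$demo"
rm -rf "$demo"
```
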
JoeBaker Posted October 13, 2011

Hello.

I am having the problem described here, so I have been stepping through the advice given. I found the checkbox for hidden files, changed the permissions for the two .htaccess files, selected password protect from within filemanager and then got the same error message as ShallonCimelus. Only when I put in the same password I was no longer able to access the Administration Tool. I followed the instructions to delete the one and modify the other .htaccess file, which resulted in the original message. I'm going around in circles and getting frustrated.

Before I found the checkbox for hidden files, I found a password protect thingy on the control panel and used it to password protect the admin directory. Although it doesn't seem to be working, there doesn't appear to be a way to unpassword protect the admin directory. Could it be preventing me from doing it the .htaccess way?

Should I delete the admin directory and reupload it from my local drive to try again, or is there something very simple and obvious that I am overlooking?

Joe

JoeBaker Posted October 14, 2011

Hello.

I was able to solve my problem. The information I needed was in Jim Keebaugh's post. First I figured out how to unpassword protect the admin from cpanel. Then I changed the permissions on both the .htaccess files and the admin directory. Then I used the security feature in Admin. This time there was a checkbox along with the request for a "new" password. I supplied the same username and password and checked the checkbox. It worked.

There are so many seemingly insignificant ways one can get things wrong while trying to get them right. The process for undoing password protection is an example. I watched the instructional video supplied by cpanel that showed the process for creating password protection. It didn't show how to undo it, so first I tried undoing it in the same sequence as doing it. That didn't work. But when I tried undoing it in reverse sequence, it did work!

There seem to be two competing methods for password protecting the admin. One calls for using cpanel, one for using admin. It can be tricky figuring out which method is right, and even more tricky to back out of the method that is wrong. Knowing that I needed to use the same password, not a new one, and that I had to change the permissions for the admin directory as well as for the .htaccess files was key, at least for me.

Joe

JoeBaker Posted October 14, 2011

Information that I needed was also in ShallonCimelus's post and elsewhere throughout the thread. The forum is very helpful. Thank you to the people who post and the people who reply.

Archived
This topic is now archived and is closed to further replies.