
osCommerce

The e-commerce.

potential security risk: able to write to the configuration file


dhirt


Posted

This is one of two issues after a "Security Check":

config_file_catalog config_file_catalog I am able to write to the configuration file: /home/wigohere/public_html/test/osc/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

 

I've changed the permissions on the file configure.php to 666 & 755, re-checked after each change, & received the same 'error'.

 

Here is an idea; tell us what the "right user permissions" are . . .

 

Where/how do I find the "right user permissions"?

 

Thanks In Advance . . . . dhirt

 

 

edit: I've searched the forums with obvious search terms & got NO GOOD return . . . but found something by 'browsing' here:

http://www.oscommerce.com/forums/index.php?app=core&module=search&do=search&fromMainBar=1

Posted

osC is telling you that the configure.php files need to be unwritable by PHP. It doesn't care whether you (the file owner) can write to the files. Depending on how your system is configured (what PHP runs as), the necessary permissions could be as strict as 444. Certainly 666 isn't going to do it, as it grants write permission to all parties. Try 644 and if you still get the message, 444 should do it. A few servers need different permissions, such as 404. Take your normal default file permissions and remove "write" (value 2) from each category. 604 -> 404, 644 -> 444, etc.

 

Note that your host may restrict you to changing file permissions from your hosting control panel. It is common to ignore FTP client (browser) requests to change permissions, and sometimes they won't allow programs to do it either, for security reasons. Check the permissions after whatever method you use to change them, and confirm that they changed.
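The rule in the reply above (remove "write", value 2, from each category, then confirm the change took effect), as an added example that is not part of the original post or of osCommerce. The function names are hypothetical, and it assumes shell access with either GNU or BSD `stat`.

```shell
#!/bin/sh
# Added example (not osCommerce code): clear every write bit on a
# configure.php and confirm that the host actually applied the change.

# Print MODE (octal, e.g. 644) with write (value 2) removed from
# owner, group and other: 666 -> 444, 604 -> 404.
strip_write() {
    printf '%03o\n' $(( 0$1 & 0555 ))
}

# Print the current permission bits of FILE as three octal digits.
# Tries GNU stat first, then the BSD form.
file_mode() {
    raw=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    printf '%03o\n' $(( 0$raw ))
}

# Clear the write bits on FILE, then re-read the mode. Some hosts
# silently ignore chmod requests, so success is judged by the mode
# read back afterwards, not by chmod's exit status.
# Returns 0 if the file now has the intended mode, 1 if not,
# 2 if FILE is not a regular file.
harden_config() {
    file=$1
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 2; }
    before=$(file_mode "$file")
    want=$(strip_write "$before")
    chmod "$want" "$file" 2>/dev/null
    after=$(file_mode "$file")
    echo "$file: $before -> $after (wanted $want)"
    [ "$after" = "$want" ]
}

# Usage: sh harden.sh includes/configure.php
[ "$#" -eq 0 ] || harden_config "$1"
```

The mode bits only show what was requested; whether PHP can still write depends on which user PHP runs as, so re-run the osCommerce Security Check afterwards.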

Posted

Thank you :thumbsup: MrPhil. I also want to give a shout-out to Lambros (w00t) for the relevant response; it was helpful!

This is the second of two issues after a "Security Check":

Admin HTTP Authentication admin_http_authentication HTTP Authentication has not been set up for the osCommerce Administration Tool - please set this up in your web server configuration to further protect the Administration Tool from unauthorized access.

 

Asking for ideas . . . I'm currently researching the issue . . . But if you have a clue, L.M.K. Thank you!!!

Archived

This topic is now archived and is closed to further replies.
