
New install ERROR


videosilva


Posted

 I did a new full package install of v 2.3.4 and am getting the following errors

 

  Admin HTTP Authentication admin_http_authentication HTTP Authentication has not been set up for the osCommerce Administration Tool - please set this up in your web server configuration to further protect the Administration Tool from unauthorized access.

 

 

  config_file_catalog config_file_catalog I am able to write to the configuration file: /home/videosil/public_html/dvd/catalog/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

 

 

I have read / googled and am unable to figure out why I am getting these errors. Most importantly, how do I fix them?

Posted

Additional Protection With htaccess/htpasswd

This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.

Enabling the htaccess/htpasswd security layer will automatically store administrator username and passwords in a htpasswd file when updating administrator password records.

Please note, if this additional security layer is enabled and you can no longer access the Administration Tool, please make the following changes and consult your hosting provider to enable htaccess/htpasswd protection:

1. Edit this file:

/home/videosil/public_html/dvd/catalog/admin/.htaccess

Remove the following lines if they exist:

##### OSCOMMERCE ADMIN PROTECTION - BEGIN #####
AuthType Basic
AuthName "osCommerce Online Merchant Administration Tool"
AuthUserFile /home/videosil/public_html/dvd/catalog/admin/.htpasswd_oscommerce
Require valid-user
##### OSCOMMERCE ADMIN PROTECTION - END #####

2. Delete this file:

/home/videosil/public_html/dvd/catalog/admin/.htpasswd_oscommerce

Posted

Before you go much further you should check your oscommerce version. If you are planning to start from new and have installed version 2.3.4 you should really be looking at the 2.3.4BS version. Details can be found here.

 

http://www.oscommerce.com/forums/topic/396152-bootstrap-3-in-234-responsive-from-the-get-go/

 

Using bootstrap version will make your site responsive, which means it will work on many size displays. Google will also not penalise you for being non responsive in its search results.

 

Set up is exactly the same between the two versions, but it is easier to add many extras as they are being developed as modules.

REMEMBER BACKUP, BACKUP AND BACKUP

Posted

@videosilva,

 

 

Like 14steve14 says, take a look at the 234BS version.

 

It's AWESOME & no need of iOSC for mobile version

Posted

Additional Protection With htaccess/htpasswd

 

Are you asking how to do this, or are you reporting that you found the answer to your question? Your second post is very vague.

 

Per your original post, there are two issues here.

  1. You need to have the "admin" (it should be renamed so hackers have a harder time attacking it) directory protected by system-implemented ID and password. That is, you need to log in to the admin side, beyond any normal osC user ID. This might be done with the supplied .htaccess and password control files, or your host probably offers some sort of "password protect a directory". Use one or the other, but make sure you do this!
  2. The two configure.php files need to be made Read-Only for PHP access. This prevents hackers from somehow manipulating osC into overwriting these files and destroying your store. It doesn't necessarily have to be Read-Only for you, but that can be helpful to prevent accidentally erasing the files. Note that the source of the configure.php files cannot normally be read by the public (thus preventing the passwords within them from being exposed). Also note that making the files Read-Only to you means that to edit them or upload new copies, you first need to temporarily make them Read-Write. Finally, do not make them Read-Only until you have completed the setup of the store (it needs to write to these files).
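
The two checks described in the post above, as an added shell example that is not part of the original post and is not osCommerce code. It assumes the second configure.php sits under the admin directory's own `includes/` folder and that the admin directory is named `admin` unless another name is passed; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not osCommerce code. Usage: sh audit.sh CATALOG_ROOT [ADMIN_DIR]
# ADMIN_DIR defaults to "admin" (an assumption; pass the new name if renamed).

# "writable" if any write bit (owner, group or other) is set, else "readonly".
# Parses the mode string instead of using [ -w ], which is always true for root.
config_state() {
    [ -f "$1" ] || { echo "missing"; return; }
    case "$(ls -ld "$1" | cut -c1-10)" in
        ??w*|?????w*|????????w*) echo "writable" ;;
        *) echo "readonly" ;;
    esac
}

# Make a configure.php read-only for everyone, once store setup is finished.
lock_config() { chmod 444 "$1"; }

# Report whether ADMIN_DIR/.htaccess carries the Basic-auth block and whether
# the password file it names exists and is non-empty.
admin_auth_state() {
    ht="$1/.htaccess"
    [ -f "$ht" ] || { echo "no-htaccess"; return; }
    grep -Eiq '^[[:space:]]*AuthType[[:space:]]+Basic' "$ht" || { echo "no-authtype"; return; }
    grep -Eiq '^[[:space:]]*Require[[:space:]]+valid-user' "$ht" || { echo "no-require"; return; }
    pw=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]\{1,\}//p' "$ht" | head -n 1)
    if [ -n "$pw" ] && [ -s "$pw" ]; then echo "protected"; else echo "no-password-file"; fi
}

# Print one status line per configure.php and one for the admin directory.
audit_store() {
    root="$1"; admin="${2:-admin}"
    for f in "$root/includes/configure.php" "$root/$admin/includes/configure.php"; do
        echo "$f: $(config_state "$f")"
    done
    echo "$root/$admin: $(admin_auth_state "$root/$admin")"
}

if [ "$#" -gt 0 ]; then audit_store "$@"; fi
```

A result of `protected` only means the directives and password file are in place; whether the web server honours them shows up as a login prompt when the admin directory is opened in a browser.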
  • 3 weeks later...
Posted

 

Are you asking how to do this, or are you reporting that you found the answer to your question? Your second post is very vague.

 

Per your original post, there are two issues here.

  1. You need to have the "admin" (it should be renamed so hackers have a harder time attacking it) directory protected by system-implemented ID and password. That is, you need to log in to the admin side, beyond any normal osC user ID. This might be done with the supplied .htaccess and password control files, or your host probably offers some sort of "password protect a directory". Use one or the other, but make sure you do this!
  2. The two configure.php files need to be made Read-Only for PHP access. This prevents hackers from somehow manipulating osC into overwriting these files and destroying your store. It doesn't necessarily have to be Read-Only for you, but that can be helpful to prevent accidentally erasing the files. Note that the source of the configure.php files cannot normally be read by the public (thus preventing the passwords within them from being exposed). Also note that making the files Read-Only to you means that to edit them or upload new copies, you first need to temporarily make them Read-Write. Finally, do not make them Read-Only until you have completed the setup of the store (it needs to write to these files).

 

Hello

 

I have followed these instructions, I am using the 2.3.4BS version and despite making the changes I am still getting the amber alert on the Security Check

 

Admin HTTP Authentication admin_http_authentication HTTP Authentication has not been set up for the osCommerce Administration Tool - please set this up in your web server configuration to further protect the Administration Tool from unauthorized access.

 

Please can you help

Posted

I don't think the osC detection tools may work properly on all servers. When you try to go into the Admin Tool, are you being asked for an ID and password by your server? If so, just ignore the alert. If you aren't, try using your hosting control panel "password protect a directory" function instead (after removing the security files you manually installed).

Archived

This topic is now archived and is closed to further replies.
