
Warning!


Elena1


Hi everybody,

I visited my site, which has osc, and I see on the top this phrase:

Warning! :I am able to write to the configuration file: /home/fashiona/public_html/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

 

How could it happen!? What to do now to protect my site from hackers?

I understand that my site got hit by hackerchallenge this weekend...

:(

Does anybody have the same problem?

Thank you in advance for helping...

Elena.

Sometimes, ignorance is not bliss.


:) Relax... it's just saying that you need to change the permissions of the 2 config files (catalog/includes/config.php and catalog/admin/includes/config.php) just in case another computer can access and change them... So why is the config file so important? :? Because it contains all your website's information, such as the user name and password to your database in this case.

 

You need to change the permissions of the two config files to 644. Do you know how to do that? Let me know if you need more help on that. I will post more information on the security of those config files after this post. :D

 

Steve


Here is a post by TB (Tony), it should give you some idea of how to protect the 2 config files:

 

There are a few things you can do to secure the admin folder.

 

First level of protection would be the web protection.

Next thing you could do is to move the configure.php file to behind the directories which can be accessed by the internet.

(This step can be done for both catalog and admin interfaces)

 

Example:

Site setups vary though this is a common setup:

        Internet                              File System

www.yourdomain.com = /usr/home/yourdomain/public_html/

 

/usr/home/yourdomain/ can't be accessed by any computer through your domain www.yourdomain.com

 

Move catalog/includes/configure.php from /usr/home/yourdomain/public_html/catalog/includes/configure.php

to /usr/home/yourdomain/includes/configure_catalog.php

 

Once you've done this, you will need to create a new catalog/includes/configure.php

 

This is the code that should be inside that file.

 

Configure.php

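<?php
// includes/local/ exists only on a local test server and is never uploaded.
// When it is absent (the live site), load the real settings from the file
// that was moved outside the web-accessible directory.
if (!file_exists('includes/local/configure.php')) {
  require('/usr/home/yourdomain/includes/configure_catalog.php');
}
?>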

The way this code is set up, it looks to see if you're using a local test server (the includes/local/ directory shouldn't be uploaded to your web server). If you're not on a local test server, then it will load all your configuration details from the configure_catalog.php file.

 

The reason you'd want to put this file behind anywhere the internet could get it is because it holds your database password information.

 

Let me know if you need a hand setting up either of these things.

 

HTH,

Tony

 

Hope this helps :D

 

Steve


I have checked her 2 configure.php files and both are chmod at 644, and I know the warning was not there on Friday.

 

Regards

The_Bear
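
Added example (not from the thread or from osCommerce): a shell check of which permission classes hold the write bit on a configure.php and whether the file sits inside the web root, as discussed in the posts above. Mode 644 still leaves the owner's write bit set, which matters when PHP runs as the file's owner, while 444 clears every write bit; the function names and the paths you pass in are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the write bits on an osCommerce configure.php.
# Usage (paths are placeholders for your own layout):
#   audit_config /usr/home/yourdomain/public_html/catalog/includes/configure.php \
#                /usr/home/yourdomain/public_html

# writers FILE -> prints the permission classes that hold the write bit:
# "owner" for 644, "owner group other" for 666, empty for 444.
writers() {
    out=""
    [ -n "$(find "$1" -prune -perm -0200)" ] && out="owner"
    [ -n "$(find "$1" -prune -perm -0020)" ] && out="$out group"
    [ -n "$(find "$1" -prune -perm -0002)" ] && out="$out other"
    echo "$out" | sed 's/^ *//'
}

# audit_config FILE WEBROOT
# Returns 0 = no write bit set, 1 = some class can write, 2 = file missing.
audit_config() {
    file=$1
    webroot=$2
    [ -f "$file" ] || { echo "MISSING  $file"; return 2; }
    # A config file under the web root is reachable through the site's URL space;
    # the wrapper approach in the thread keeps the real settings outside it.
    case "$file" in
        "$webroot"/*) echo "NOTE     $file is inside the web root" ;;
    esac
    w=$(writers "$file")
    if [ -n "$w" ]; then
        echo "WRITABLE $file (write bit: $w)"
        return 1
    fi
    echo "OK       $file"
    return 0
}
```

To clear every write bit on a file the audit flags, run `chmod 444` on it and audit again.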


Archived

This topic is now archived and is closed to further replies.
