Kaiser Soze, posted September 8, 2003

Pick a file & look for where 'SSL' is part of link constructor. Look for example in the form for modules, or look in backup.php. I kinda think this should be fixed.

Ajeh, posted September 9, 2003

You could edit your configure.php and make both HTTP servers secure as well as add your own password on the admin directory ... which you should do anyway ... then you are even doubly safe ... And you could also add Admin with Levels ... to be even more secure ... :D

Kaiser Soze (Author), posted September 9, 2003

> You could edit your configure.php and make both HTTP servers secure as well as add your own password on the admin directory ... which you should do anyway ... then you are even doubly safe ...

Have you tried it? I have. It doesn't work. (I did modify a bunch of code to make it secure though.)

Ajeh, posted September 9, 2003

> > You could edit your configure.php and make both HTTP servers secure as well as add your own password on the admin directory ... which you should do anyway ... then you are even doubly safe ...
>
> Have you tried it? I have. It doesn't work. (I did modify a bunch of code to make it secure though.)

I don't have a true secure certificate to test this on ... what did you end up having to change to get it to work? I usually just add an Admin Interface and login/password as the secure server slows things down an awful lot in the Admin.

Kaiser Soze (Author), posted September 9, 2003

> > > You could edit your configure.php and make both HTTP servers secure as well as add your own password on the admin directory ... which you should do anyway ... then you are even doubly safe ...
> >
> > Have you tried it? I have. It doesn't work. (I did modify a bunch of code to make it secure though.)
>
> I don't have a true secure certificate to test this on ... what did you end up having to change to get it to work? I usually just add an Admin Interface and login/password as the secure server slows things down an awful lot in the Admin.

How's about I zip up my source & email it to you? (Or is there an ftp site I could put it on?) BTW, I don't notice any slow-down when I run in secure mode.

Ajeh, posted September 9, 2003

What would I be testing? I do not own my own secure certificate to test anything just a shared one. There was another thread that talked about enabling the SSL in the Admin in MS1 that might help you on this one.

Kaiser Soze (Author), posted September 9, 2003

> What would I be testing? I do not own my own secure certificate to test anything just a shared one. There was another thread that talked about enabling the SSL in the Admin in MS1 that might help you on this one.

You asked what I had changed. You can do a diff to find out what is different from your source. Can you give me a link to the MS1 ref? Thanks!

Ajeh, posted September 9, 2003

Sorry I wasn't understanding what you meant. I PM my email to you.

Demented, posted September 11, 2003

With any server you should be able to go in and set up .htaccess so that you have to provide a login and password for the admin directory. Also you can add the mod that requires a login and password on top of that if you want more security. This should be good enough to lock down your data. My admin has never run in ssl even with my shared certificate set up properly. The .htaccess makes your admin directory and you can set the same thing up for other directories in admin as well.

Shane A. Miller
OWNER
www.Special-Things.Net

Kaiser Soze (Author), posted September 11, 2003

> With any server you should be able to go in and set up .htaccess so that you have to provide a login and password for the admin directory. Also you can add the mod that requires a login and password on top of that if you want more security. This should be good enough to lock down your data. My admin has never run in ssl even with my shared certificate set up properly. The .htaccess makes your admin directory and you can set the same thing up for other directories in admin as well.

Of course this works -- but it's not what I'm worried about. If you run in a shared environment, there may be hackers running "smart" packet sniffers. All they have to do is look at the plain text in the packets and search for "password" in the packet & they can get the passwords to your transaction gateway. HTTPS prevents this. Besides, once a packet leaves your client or server, you have no way of knowing if the packet is getting sniffed or not. The WWW is a shared/open environment.

The greatest vulnerability is in the database backup & restore. Without a working https connection hackers can potentially grab customer credit info.

You may not have realized that the .htaccess method of protecting your data doesn't encrypt data as it passes between the client & server. HTTPS does.

Demented, posted September 12, 2003

Well, since the admin page does not transmit credit card information I did not worry about ssl not working on the admin page. I use authorize.net so the credit card info is not saved anywhere and it is immediately transferred via an ssl connection. Are there security problems with the admin page I am not aware of?? I would like to know how to get ssl working on the admin page though.

Shane A. Miller
OWNER
www.Special-Things.Net

mergedplot, posted September 12, 2003

Has anyone figured out an answer to this??

Thanks,
Matt

Kaiser Soze (Author), posted September 12, 2003

> Has anyone figured out an answer to this?? Thanks, Matt

There is a kludge that gives you ssl. In your configure.php file, change the HTTP_SERVER define from http to https. e.g.,

    define('HTTP_SERVER', 'https://www.myserver.com/');

But be careful, if you download (or upload) your configure.php file without SSH or SFTP you don't know who you'll be sharing the password to your DB with.
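
Added example, not part of the original thread and not osCommerce's own code: a Python check that reads the text of a configure.php and lists the server defines that still point at http://, which is the condition the configure.php change in the last post above removes. HTTP_SERVER comes from the thread; HTTP_CATALOG_SERVER, the sample file contents and the function names are assumptions constructed for illustration.

```python
import re

# Matches define('NAME', 'value') with single or double quotes.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>\w+)\1\s*,\s*(['"])(?P<value>.*?)\3\s*\)""")


def parse_defines(php_source):
    """Return {name: value} for string define() calls, skipping comments."""
    # Drop /* ... */ blocks first, then ignore whole-line // and # comments.
    source = re.sub(r"/\*.*?\*/", "", php_source, flags=re.S)
    defines = {}
    for line in source.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#")):
            continue
        for m in DEFINE_RE.finditer(stripped):
            defines[m.group("name")] = m.group("value")
    return defines


def cleartext_servers(php_source):
    """Names of *_SERVER defines whose URL uses http:// instead of https://."""
    return sorted(
        name for name, value in parse_defines(php_source).items()
        if name.endswith("_SERVER") and value.lower().startswith("http://"))


# Constructed sample, not a real site's file. HTTP_CATALOG_SERVER is an
# assumed second server define; DB_SERVER is a host name, not a URL.
SAMPLE_BEFORE = """<?php
// define('HTTP_SERVER', 'https://old.example/');
define('HTTP_SERVER', 'http://www.myserver.com/');
define('HTTP_CATALOG_SERVER', 'http://www.myserver.com/');
define('DB_SERVER', 'localhost');
"""
# The same file after switching the server URLs to https.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("'http://", "'https://")

if __name__ == "__main__":
    print("before:", cleartext_servers(SAMPLE_BEFORE))
    print("after: ", cleartext_servers(SAMPLE_AFTER))
```

Run it against a copy of the file fetched over SFTP or SSH, since configure.php also holds the database password.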