Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Admin security via HTTPS is very buggy (i.e., not secure)


Kaiser Soze

Recommended Posts

You could edit your configure.php and make both HTTP servers secure as well as add your own password on the admin directory ... which you should do anyway ... then you are even doublely safe ...

 

And you could also add Admin with Levels ... to be even more secure ... :D

Link to comment
Share on other sites

You could edit your configure.php and make both HTTP servers secure as well as add your own password on the admin directory ... which you should do anyway ... then you are even doublely safe ...

 

Have you tried it? I have. It doesn't work. (I did modify a bunch of code to make it secure though.)

Link to comment
Share on other sites

You could edit your configure.php and make both HTTP servers secure as well as add your own password on the admin directory ... which you should do anyway ... then you are even doublely safe ...

 

Have you tried it? I have. It doesn't work. (I did modify a bunch of code to make it secure though.)

 

I don't have a true secure certificate to test this on ... what did you end up having to change to get it to work?

 

I usually just add an Admin Interface and login/password as the secure server slows things down an awful lot in the Admin.

Link to comment
Share on other sites

You could edit your configure.php and make both HTTP servers secure as well as add your own password on the admin directory ... which you should do anyway ... then you are even doublely safe ...

 

Have you tried it? I have. It doesn't work. (I did modify a bunch of code to make it secure though.)

 

I don't have a true secure certificate to test this on ... what did you end up having to change to get it to work?

 

I usually just add an Admin Interface and login/password as the secure server slows things down an awful lot in the Admin.

 

How's about I zip up my source & email it to you? (Or is there an ftp site I could put it on?)

 

BTW, I don't notice any slow-down when I run in secure mode.

Link to comment
Share on other sites

What would I be testing? I do not own my own secure certificate to test anything just a shared one.

 

There was another thread that talked about enabling the SSL in the Admin in MS1 that might help you on this one.

Link to comment
Share on other sites

What would I be testing? I do not own my own secure certificate to test anything just a shared one.

 

There was another thread that talked about enabling the SSL in the Admin in MS1 that might help you on this one.

 

You asked what I had changed. You can do a diff to find out what is different from your source.

 

Can you give me a link to the MS1 ref?

 

Thanks!

Link to comment
Share on other sites

With any server you should be able to go in and setup .htaccess so that you have to provide a login and passowrd for the admin directory. Also you can add the mod that requires a login and password on top of that if you want more security. This should be good enough to lock down your data. My admin has never run in ssl even with my shared certificut setup properly. The .htaccess makes your admin directory and you can set the same thing up for other directories in admin as well.

Shane A. Miller

OWNER

www.Special-Things.Net

Link to comment
Share on other sites

With any server you should be able to go in and setup .htaccess so that you have to provide a login and passowrd for the admin directory. Also you can add the mod that requires a login and password on top of that if you want more security. This should be good enough to lock down your data. My admin has never run in ssl even with my shared certificut setup properly. The .htaccess makes your admin directory and you can set the same thing up for other directories in admin as well.

 

Of course this works -- but it's not what I'm worried about. If you run in a shared environment, there may be hackers running "smart" packet sniffers. All they have to do is look at the plain text in the packets and search for "password" in the packet & they can get the passwords to your transaction gateway. HTTPS prevents this. Besides, once a packet leaves your client or server, you have no way of knowing if the packet is getting sniffed or not. The WWW is a shared/open environment.

 

The greatest vulnerability is in the database backup & restore. Without a working https connection hackers can potentialy grab customer credit info.

 

You may not have realized that the .htaccess method of protecting your data doesn't encrypt data as it passes between the client & server. HTTPS does.

Link to comment
Share on other sites

Well since the admin page does not transmit credit card information I did not worry about ssl not working on the admin page. I use authorize.net so the credit card info is not saved anywhere and it imidiatly transfered via an ssl connection. Are there security problems with the admin page I am not aware of??

 

I would like to know how to get ssl working on the admin page though.

Shane A. Miller

OWNER

www.Special-Things.Net

Link to comment
Share on other sites

Has anyone figured out an answer to this??

 

Thanks,

Matt

 

There is a kludge that gives you ssl. In your configure.php file, change the HTTP_SERVER define from http to https.

 

e.g., define('HTTP_SERVER', 'https://www.myserver.com/');

 

But be careful, if you download (or upload) your configure.php file without SSH or SFTP you don't know who you'll be sharing the password to your DB with.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...