
osCommerce

The e-commerce.

SSL / WYSIWYG


Guest


Posted

Hi!

 

I want to secure the Admin Panel (SSL). SSL works, except with the WYSIWYG Editor (WYSIWYG HTMLAreaMS2v1_7). Everything works fine except creating products.

 

When I click to create products in the admin panel, I get this message: "This site contains secure and nonsecure items".

 

Then, when I create a product the path of the thumb is like this: "https://secure.chat-noir.ch/catalog/images/http://secure.chat-noir.ch/catalog/images/microsoft/chat-noir_panel.jpg"

 

My admin/include/configure.php

 

Code:

define('HTTP_SERVER', 'https://secure.chat-noir.ch');

define('HTTP_CATALOG_SERVER', 'http://www.chat-noir.ch');

define('HTTPS_CATALOG_SERVER', 'https://secure.chat-noir.ch');

define('ENABLE_SSL_CATALOG', 'false');

 

Maybe I could disable ssl ONLY for categories/products? Ain't important to secure the catalog. Is that possible and how?

 

Any Ideas?

  • 4 weeks later...
Posted

I recently put my admin behind an SSL. I'm now getting the "This site contains secure and nonsecure items", just as you did, when I try to enter or edit a product. Also, I am no longer able to select or upload images with it (the windows in the dialog eventually show browser style 'can not find this page' type of errors). I'm assuming it's a paths issue. Just haven't been able to put it all together yet. (I'm not good enough with JAVA to know how to have it tell me what path that dialog is getting).

 

Were you ever able to fix your problem?

 

What was the answer?

 

Thanks.

Posted
Anyone get this fixed? I have found several threads asking but no fixes???

Number 1, it's unwise to use the Admin file editor, it's buggy and generates code errors.

 

Number 2, it's pretty much pointless to secure the admin via ssl.

 

That's why no one bothers to respond.

Local: Mac OS X 10.5.8 - Apache 2.2/php 5.3.0/MySQL 5.4.10 • Web Servers: Linux

Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)

Posted
Why is it pointless to use SSL in admin? Would that be the best way to protect the clients information?

ssl only protects data in transit. So unless someone is constantly monitoring your activity it's highly unlikely that they'll catch anything of interest. 99% of your admin activity is of no interest to anyone but you.

 

You should not be storing complete credit card numbers in the database in any case. A hacker will not bother to try to catch data in transit, they'll just access the db and ssl will do nothing to prevent that.


Posted

I personally feel it is IMPORTANT to always protect your admin area with SSL. Even in osC, when someone registers, their personal information is protected via SSL, why should you pull it up in admin without the same protection that they gave it to you?

 

I can't respond to the original problem, but I also won't buy from a store that I know doesn't protect my personal data, whether it's my credit card, home phone number, buying history, or even my email address. There is a LOT of personal information beyond the credit card number.

 

Dan

Dan Stevens

Posted
but I also won't buy from a store that I know doesn't protect my personal data, whether it's my credit card, home phone number, buying history, or even my email address. There is a LOT of personal information beyond the credit card number.

 

Dan

:lol:

 

I bet AOL users feel all better that ssl was in use over there.

 

AOL worker held over e-mail scam

 

Spam accounts for 83% of e-mail, according to some estimates

 

An America Online employee has been arrested after he allegedly sold 90m customer e-mail addresses to providers of unsolicited adverts.

 

Jason Smathers, 24, faces charges of conspiracy after allegedly stealing the AOL customer list.

 

Prosecutors say the list was later used to send massive amounts of spam.

 

Mr Smathers and an alleged accomplice face a fine of at least $250,000 (£138,000) and a maximum jail sentence of five years.

 

The alleged accomplice, Sean Dunaway, has also been detained and charged with conspiracy.

 

Mr Smathers, who worked at AOL's offices in Dulles, Virginia, passed on the addresses to Mr Dunaway, 21, of Las Vegas, Nevada, according to prosecutors.

 

Mr Dunaway is alleged to have used the list to advertise an internet gambling operation and then sold it to other companies delivering spam.

 

Mr Smathers did not have permission to access the screen name list and used another staff member's access code last year to steal it, prosecutors said.

 

http://news.bbc.co.uk/2/hi/americas/3834919.stm

 

ssl is only a tiny part of protecting the data that you mention. How do you know that the guys at your hosting company are not studying your data?


Posted

Well, the problem is, that you can Secure the Clients information via SSL....but remember....you're gonna send an email confirmation to your clients....and...email is the most unsecure thing of the internet....

 

And most of the Shops use a service like Paypal or 2checkout.com....so.....you really could waive SSL.

Posted

All comments between my last post and this one being noted:

 

A big part of the problem seems to be in htmlarea>popups>config.inc.php

 

It _assumes_ the URL begins with http:// rather than checking for the possibility of being behind a SSL.

 

I patched the problem like this; Find the function scriptURL (almost the last function in the file).

 

replace

 

      return ("http://" . $HTTP_SERVER_VARS["HTTP_HOST"] . $url);

with

 

   // Use https:// when the SSL flag from configure.php is 'true' (case-insensitive)
   if (strtolower(ENABLE_SSL_CATALOG) == 'true')
     return ("https://" . $HTTP_SERVER_VARS["HTTP_HOST"] . $url);
   else
     return ("http://" . $HTTP_SERVER_VARS["HTTP_HOST"] . $url);

 

 

So, make sure ENABLE_SSL_CATALOG is set to true in admin>includes>configure.php

 

But then you may want to create your own flag called ENABLE_SSL_ADMIN seeing as how ENABLE_SSL_CATALOG is probably referring to the catalog. Regardless, the above is a starting point to begin attacking the problem from.

 

You will probably still get a browser warning about the presence of both secure and unsecured data. I'm looking into that next.
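
A request-based variant of the scheme check in the patch above, together with a scan for the plain http:// references that keep the "secure and nonsecure items" warning alive. This is an added example, not part of the original post or of the HTMLArea contribution; the function names, host name and sample HTML are constructed, and the `$server` array stands in for `$HTTP_SERVER_VARS`.

```php
<?php
// Added example, not from the thread. Function names are hypothetical.

// True when the current request arrived over TLS. $server is $_SERVER
// (or $HTTP_SERVER_VARS on the old PHP versions this contribution targeted).
function request_is_https(array $server)
{
    // Apache sets HTTPS to a non-empty value; IIS sets it to 'off' for plain HTTP.
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    return isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
}

// Same job as the scriptURL() return line, but the scheme follows the
// request itself instead of a catalog-wide configuration flag.
function script_url($url, array $server)
{
    $scheme = request_is_https($server) ? 'https://' : 'http://';
    return $scheme . $server['HTTP_HOST'] . $url;
}

// List subresource URLs (src=, background=, <link href=>) that are still
// plain http:// and would trigger the mixed-content warning on an HTTPS page.
// Ordinary <a href> links are navigation, not subresources, so they are skipped.
function find_insecure_refs($html)
{
    $pattern = '~(?:\b(?:src|background)|<link\b[^>]*?\bhref)\s*=\s*["\']?(http://[^"\'\s>]+)~i';
    preg_match_all($pattern, $html, $m);
    return array_values(array_unique($m[1]));
}

// Constructed request and page fragment for illustration.
$server = array('HTTPS' => 'on', 'SERVER_PORT' => '443', 'HTTP_HOST' => 'secure.example.test');
$html = '<img src="http://secure.example.test/catalog/images/a.jpg">'
      . '<script src="https://secure.example.test/htmlarea/htmlarea.js"></script>'
      . '<link rel="stylesheet" href="http://secure.example.test/admin/style.css">'
      . '<a href="http://www.example.test/">shop</a>';

echo script_url('/admin/htmlarea/popups/', $server), "\n";
print_r(find_insecure_refs($html));
```

Running the scan over the rendered product-edit page shows which editor assets or image paths still need their scheme corrected after the `scriptURL` change.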

Archived

This topic is now archived and is closed to further replies.
