218 replies to this topic

[Jan Zonjee]

In the German forum there is an announcement by the German team members about a security problem in the admin for shops using osC 2.2 version RC1 and RC2. The details of how to compromise the admin have not been disclosed (for obvious reasons).

For the moment two things can and should be done:
A. rename the admin directory
B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

For password protecting of your admin directory you can (hopefully) use the Password Protect feature in your web hosting control panel (see for example post 141 in this thread).

To avoid having to login twice (once in the "popup" screen and then again in the osC admin login) you might want to look at the code Harald Ponce de Leon wrote some time ago:

http://github.com/osCommerce/oscommerce2/commit/569917f654edab2b07bf61ab8caf2764ba1457c4

Try to perform an automatic login if a Basic HTTP Authentication mechanism is already in place. For this to work, the administrator username and password must be the same as the HTTP Authentication login credentials.

Changes in the following files:

catalog/admin/includes/application_top.php
catalog/admin/login.php

Some additional information and advice on security

Delete admin/filemanager.php and associated links.
Delete admin/define_language.php and associated link in the "Tools" box.
Note: keep a local copy of your site on your computer and after editing files and ensuring the things you have added to your shop are working upload edited files by FTP to your site.

Ensure that your folder permissions are never set higher than 755

Install some security addons

Also some ideas from this post can help you

Adding this bit of code in admin/includes/application_top.php by FWR Media, to make sure $PHP_SELF is what is supposed to be is very much recommended too.

The code below will most likely be in the next release candidate for osC 2.2 to fix the hole:
GitHub Harald Ponce de Leon

admin/includes/application_top.php Line 146-151

Change:

	  $redirect = true;
	}

	if ($redirect == true) {
	  tep_redirect(tep_href_link(FILENAME_LOGIN));
	}

To:

	  $redirect = true;
	}

	if (!isset($login_request) || isset($HTTP_GET_VARS['login_request']) || isset($HTTP_POST_VARS['login_request']) || isset($HTTP_COOKIE_VARS['login_request']) || isset($HTTP_SESSION_VARS['login_request']) || isset($HTTP_POST_FILES['login_request']) || isset($HTTP_SERVER_VARS['login_request'])) {
	$redirect = true;
	}
   
	if ($redirect == true) {
	  tep_redirect(tep_href_link(FILENAME_LOGIN));
	}

admin/login.php Line 10-11

After:

  Released under the GNU General Public License
*/

Add:

  $login_request = true;

Edited by Jan Zonjee, 05 September 2010 - 10:12 AM.

[GemRock]

i guess the renaming of admin folder is only as good as, if you also advise site owners, which i have been doing, NOT to print url on the invoices that are printed from the admin -> orders, by setting the header/footer to anything other than url (browser - File - page setup). by default the url is shown/printed either at the header or footer of the printout.

Ken

[garnet]

Hi
I added pass protect to admin folder. Might this be enough to fix the issue?
I tried to rename the folder and changed the paths in the configure file but after that when I log in in the admin it doest show the first page correctly - the page where you see the summary of the customers and orders.
http://www.name.com/admin/index.php
I dont see nothing after changing the admin name and before there were 2 tables there one in left for customers and one in right for orders.
If someone suggest how to fix this I am happy to rename the admin folder

[garnet]

hi all
fixed it. now it is new admin name and pass protected.
just one idea here: if you change the nama, change it to somethig long (more that 20 symbols and numbers), but still use something you will remember. Not that all will need this but you might end up on another (not yours) machine and you might want to access your admin end.So you need to know what to type for URL even thought long. I suggest you use some saying you like and put numbers in between words/letters.
All the best and hopefully hack-less work.

[henri]

Just to note:
The Bug may also apply to versions, who have an Admin Access Contribution installed and other php applications.
At least a lot of shops i checked were vulnerable.

So to be on the safe side: add an .htaccess protection to your shop.

[rgmonster]

this is not so simple.  I have renamed admin and changed configure.php and when I go to the new folder it bombs with the following error:

Not Found
The requested URL /admin/login.php was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


--------------------------------------------------------------------------------

Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8 Server at www.myshop.co.uk Port 443

Please, for novices like me who are trying to learn oscommerce, don't assume it's just this or that and it's done.  I am finding lack of concise answers to anything regarding oscommerce and putting notices like this without a troubleshooting guide is not helpfull at all.

[mrpointy]

rgmonster, on Jul 21 2009, 04:29 PM, said:

this is not so simple.  I have renamed admin and changed configure.php and when I go to the new folder it bombs with the following error:

Not Found
The requested URL /admin/login.php was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


--------------------------------------------------------------------------------

Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8 Server at www.myshop.co.uk Port 443

Please, for novices like me who are trying to learn oscommerce, don't assume it's just this or that and it's done.  I am finding lack of concise answers to anything regarding oscommerce and putting notices like this without a troubleshooting guide is not helpfull at all.

Ditto!

I changed the name of the admin folder & the suggested file, but still can't access the admin as per the above. There are more references to the folder "admin" in OSC & these don't seem to be changed. I want to protect the store I've built, but following this thread actually makes the admin unusable.....can the advice be more thorough for an important issue like this please, even if it's just a link to another thread?

I would also like to write a correct .htaccess file, but despite thinking I'm fairly intelligent, most of the stuff I read is just way above my head  

Can the information be spelt out for us newbies, in a way that we can follow to the correct result, but doesn't fry the brain?  

Thanks

[GemRock]

it is a simple change (takes about 2 minutes) for a default osc shop if you understand and follow the first post by Jan in particular this bit "After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php". Note the location of the configure.php, which is different from the other one under [catalog]/includes/.
there should not be any hard coded admin folder name in any files, if yours does have hard coded admin folder in files then bad luck (you have a wrongly modified shop) , you will need to find each occurance and fix them.

the .htaccess protection is beyond osc, you will need to contact your host for advice as different host may have different way of doing it.

Ken

Edited by GemRock, 21 July 2009 - 04:00 PM.

[rgmonster]

mrpointy, on Jul 21 2009, 04:44 PM, said:

Ditto!

I changed the name of the admin folder & the suggested file, but still can't access the admin as per the above. There are more references to the folder "admin" in OSC & these don't seem to be changed. I want to protect the store I've built, but following this thread actually makes the admin unusable.....can the advice be more thorough for an important issue like this please, even if it's just a link to another thread?

I would also like to write a correct .htaccess file, but despite thinking I'm fairly intelligent, most of the stuff I read is just way above my head  

Can the information be spelt out for us newbies, in a way that we can follow to the correct result, but doesn't fry the brain?  

Thanks

Hi Mr Pointy

If you have a cPanel logon provided by your web hosting provider then there is a Sercurity section with "Password Protect Directories".  This is fairly easy to use:

If you do not (and I did tried before without the cPanel) then the entries to the .htaccess files are:

AuthName "admin"
AuthUserFile "/home/myaccount/.htpasswds/public_html/admin/passwd"
require valid-user

The AuthUserFile is where the matching password and username must be located.  The location is specific to my host but importantly it must not on the publicly accessable part of the server.

The file with the password on my system is encrypted (not by me) so I really don't know how you can get this done without cPanel or asking your host company for assistance.  That is perhaps why my non cPanel attempts failed.

Maybe someone else knows how?

Sorry it's only a half answer.

[rgmonster]

GemRock, on Jul 21 2009, 04:58 PM, said:

it is a simple change (takes about 2 minutes) for a default osc shop if you understand and follow the first post by Jan in particular this bit "After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php". Note the location of the configure.php, which is different from the other one under [catalog]/includes/.
there should not be any hard coded admin folder name in any files, if yours does have hard coded admin folder in files then bad luck (you have a wrongly modified shop) , you will need to find each occurance and fix them.

the .htaccess protection is beyond osc, you will need to contact your host for advice as different host may have different way of doing it.

Ken

I have a failrly bog standard hosting provider with cPanel and automated install of oscommerce.  The issue I pointed out with renaming the admin folder is a real one.  I was editing the proper configure.php file and not the one in the catalog.  My site is not a production site and is for learning on.  It is pretty much straight out of the box with no hard coding of directories except what is done from the installation itself.  I am sure I am not unique in this circumstance of my store configuration, including lots of "live" stores.

My point being:  if there is even a possibility of other parts of the OSC system needing changed folk need to know about it before breaking their websites with the advice given.

[NExWH]

Quote

Not Found
The requested URL /admin/login.php was not found on this server.

You can't find admin/login.php because you changed the name of the directory called "admin".  Look for it using your new admin name.

[rgmonster]

NExWH, on Jul 21 2009, 09:17 PM, said:

You can't find admin/login.php because you changed the name of the directory called "admin".  Look for it using your new admin name.

Did that.  Tried to log on using the new admin folder name but the error message came up with /admin/login.php.

Thanks

[mhvideos]

rgmonster, on Jul 21 2009, 10:05 PM, said:

Did that.  Tried to log on using the new admin folder name but the error message came up with /admin/login.php.

Thanks

Try clearing the cache in your browser and then restarting your PC

[GemRock]

if there is even a possibility of other parts of the OSC system needing changed

NO, there isn't (for a default setup). been doing this (changing admin folder name) many many times. a one minute job.

Ken

Edited by GemRock, 21 July 2009 - 09:23 PM.

[rgmonster]

GemRock, on Jul 21 2009, 10:22 PM, said:

if there is even a possibility of other parts of the OSC system needing changed

NO, there isn't (for a default setup). been doing this (changing admin folder name) many many times. a one minute job.

Ken

Thanks to the respondants.

I tried all of the thinks you have suggested and even changed PC.  It is not a browser cache issue and there is obviously something else that needs done apart from the configure.php file.  Lucky for you guys who insist it is a one minute job.  It is obviously not always the case.

I want folk to be aware that this might bring their site down and to have a recovery plan, especially if you have a working online store.

Thanks

Edited by rgmonster, 22 July 2009 - 02:26 PM.

[Coopco]

rgmonster, on Jul 23 2009, 12:25 AM, said:

Thanks to the respondants.

I tried all of the thinks you have suggested and even changed PC.  It is not a browser cache issue and there is obviously something else that needs done apart from the configure.php file.  Lucky for you guys who insist it is a one minute job.  It is obviously not always the case.

I want folk to be aware that this might bring their site down and to have a recovery plan, especially if you have a working online store.

Thanks

Check to see if you have a configure.php file under "admin"/includes/local

[GemRock]

rgmonster, on Jul 22 2009, 03:25 PM, said:

...Lucky for you guys who insist it is a one minute job. It is obviously not always the case.
want folk to be aware that this might bring their site down and to have a recovery plan, especially if you have a working online store...

the complete opposite is true. it is NOT lucky or otherwise, its simple a very straightforward thing, as easy as ABC. *Obviously* there is *NOTHING* esle (for a defualt osc setup). if you can't get this very simple thing done, then i suppose you should not issue any warning here as it is completely false: it can be done any time, anywhere, any shop including those that take in thousands of orders daily, and it wont stop your shop running for even a second. Thats the truth. and I am stating a fact, not insisting...or guessing.

Ken

[GemRock]

what Coopco pointed out above could be the problem but for a default setup there should not be a configure.php in the local folder. if you put one there then you should know it.

Ken

[rgmonster]

GemRock, on Jul 22 2009, 05:36 PM, said:

the complete opposite is true. it is NOT lucky or otherwise, its simple a very straightforward thing, as easy as ABC. *Obviously* there is *NOTHING* esle (for a defualt osc setup). if you can't get this very simple thing done, then i suppose you should not issue any warning here as it is completely false: it can be done any time, anywhere, any shop including those that take in thousands of orders daily, and it wont stop your shop running for even a second. Thats the truth. and I am stating a fact, not insisting...or guessing.

Ken

Hey, no need for the shouting.

I agree to differ with the last message.  My and obviously one other's experience is different so please don't shoot the messenger when there is something wrong.  OSC is perfect and it's just the idiots messing about with it attitude isn't right either.  The advice of going through every file to find a hard encoded file location was a no brainer and most unhelpful and to term it as "bad luck" not helpful either.  Something must have been wrong in the installation somewhere but no sensible suggestion came out as to where.  

All I am saying is warn folk to have a roll back plan when advising doing something like this because sod's law always crops up somewhere.

Everyone on this site has different levels of experience with oscommerce and all of us want simple, helpful and clear instructions on what to do about issues that trouble us.

Nuff said on this and I won't reply any more regardless.

[altoid]

Jan Zonjee, on Jul 18 2009, 03:23 AM, said:

For the moment two things can and should be done:
A. rename the admin directory
B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

I attempted point B regarding the .htaccess protection through my host.  Unfortunately their .htaccess editor is set up by default to go to the public_html folder but my store is located in another folder at the same level of the directory. I asked them to modify that to allow me access not  only to my store folder but other folders in the same heirarchical level.  They said that could not be done and and suggested I move my store fold into the public_html folder.  My store is currently running on a subdomain, with the sub pointing to the store folder.  http://ba.barkavenuedogboutique.com/ with the ba being the subdomain pointing to a similarly named folder.

My question is, if I would move that what are the implications on the store site url and the subdomain pointer?   I think the configur.php files would also have to be reworked to locate the new file structure   ****public_html/ba, is that correct?

Thanks