
Security issue with admin directory


Jan Zonjee


Server logs show excessive access to /tell_a_friend.php

 

I don't use the tell a friend feature.

 

It appears when /tell_a_friend.php is called directly the user is redirected to: /product_info.php?products_id=0 where an access denied message is displayed.

 

Providing a valid product id: /tell_a_friend.php?action=process&products_id=[Product_id#] as a guest user can bypass the restriction and send unsolicited mails from the system.

 

Is it safe to remove /tell_a_friend.php without breaking anything?

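A defender's log check for the "excessive access to /tell_a_friend.php" pattern described in the opening post: it counts send attempts (action=process) per client within a sliding window and flags clients that exceed a threshold. This is an added example, not code from the thread or from osCommerce; it assumes Apache combined-format access logs, and the log lines, addresses and threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-log sample (placeholder addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2012:10:00:01 +0000] "GET /tell_a_friend.php?action=process&products_id=28 HTTP/1.1" 302 - "-" "curl/7.21"
203.0.113.5 - - [12/Jan/2012:10:00:02 +0000] "GET /tell_a_friend.php?action=process&products_id=28 HTTP/1.1" 302 - "-" "curl/7.21"
203.0.113.5 - - [12/Jan/2012:10:00:03 +0000] "GET /tell_a_friend.php?action=process&products_id=28 HTTP/1.1" 302 - "-" "curl/7.21"
198.51.100.9 - - [12/Jan/2012:10:05:00 +0000] "GET /tell_a_friend.php?products_id=28 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2012:10:06:00 +0000] "POST /tell_a_friend.php?action=process&products_id=28 HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2012:11:30:00 +0000] "GET /product_info.php?products_id=0 HTTP/1.1" 200 3000 "-" "curl/7.21"
"""

# Groups: client address, timestamp, method, request target, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_hits(log_text):
    """Timestamps of requests that reach the send step, grouped by client address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, _status = m.groups()
        url = urlparse(target)
        if url.path != "/tell_a_friend.php":
            continue
        # Only action=process triggers a mail; a plain page view is ordinary browsing.
        if parse_qs(url.query).get("action") != ["process"]:
            continue
        hits[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    return hits

def find_bulk_senders(log_text, window=timedelta(minutes=10), threshold=3):
    """Map client address -> largest number of send attempts seen inside one window."""
    flagged = {}
    for ip, times in parse_hits(log_text).items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

Flagged addresses are candidates for rate limiting or blocking at the web server while the feature is disabled in the admin.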

If there is an option to "turn off" tell a friend in your shop admin I'd do that first.

 

HTH

 

G

Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


  • 4 weeks later...

Most people here had issue with renaming directory, I had the same issue but I was able to fix it.

 

The issue is that when you make a copy of the admin directory or rename your admin directory, the directory permissions change, depending on your domain provider.

 

What you have to do is temporarily set the permissions to 777 or similar on the admin/includes/configure.php file. Once the admin name in configure.php is changed to the new directory name, you are good to go.

 

Hopefully this is helpful.

 

Oh, don't forget to change the permissions on configure.php back.

 

Thanks

Hamsaya


  • 4 weeks later...

Sorry folks, but the instructions to change the admin folder name did not work for me. I've attempted 4 different times being sure to follow the instructions (from Jan's post) to the letter, but I always end up with "500 The server encountered an internal error or misconfiguration and was unable to complete your request."

 

As a recap, here is just one of the attempted scenarios:

 

1.) I had the "admin" folder working fine. I could login and browse the back office; no problems...

2.) I changed the folder name on the server side from "admin" to "mynewname"

3.) I changed the folder name on my local side from "admin" to "mynewname"

4.) I modified the configure.php found in "mynewname/includes/" directory on my local side to be:

define('DIR_WS_ADMIN', '/mynewname/'); // as according to Jan's instructions. This step seemed a bit weird, as the original syntax for the first define line reads: "define('DIR_WS_ADMIN', 'catalog/mynewname/');"

define('DIR_FS_ADMIN', '/your/path/to/directory/mynewname/');

5.) I uploaded the changes to the server

6.) Cleared my cache

7.) Attempted to login to back office at url: https://shopname.domain.com/catalog/mynewname/

 

I can get to the first login window but 500 Internal Server Error on second login window...

 

Any help??

 

 

Thanks,

Shawn

 

"Surface the ship! Prepare to muster all personnel to escape hatches.

Break out the rafts. Lash them to the deck.

We'll use them as shelters until the fleet arrives."


  • 1 month later...

4.) I modified the configure.php found in "mynewname/includes/" directory on my local side to be:

define('DIR_WS_ADMIN', '/mynewname/'); // as according to Jan's instructions. This step seemed a bit weird, as the original syntax for the first define line reads: "define('DIR_WS_ADMIN', 'catalog/mynewname/');"

define('DIR_FS_ADMIN', '/your/path/to/directory/mynewname/');

Sohgave, did you ever come right?

I think the problem is that you left out 'catalog'.

Normally, installations of oscommerce go into a 'catalog' folder, which is annoying because there's no good reason for it, and if you don't know how to point your domain properly, your site's URL will be www.mysite.com/catalog/ -- so most of us get rid of the 'catalog' part during the installation by putting everything that *was* inside catalog up 1 folder.

 

Therefore, yours probably needs the 'catalog' part, and you will need to use this logic when following the instructions.

Unfortunately this is just one of those things that weren't told to you and you had to learn from experience :P


I have searched and searched on these forums, but can't find a solution to my problem.

I uploaded my new store to my website, changed the admin directory, and did the password protect with cpanel.

I can log into my renamed_admin directory without the .htaccess file, but when it is there, and the htpasswd file is where it is supposed to be (whether I used the cpanel, or wrote my own), it comes up with 404 file not found. It never asks for the user/pw. I am using osC2.3.1.

If I don't have the .htaccess file in the renamed_admin directory, it comes up with the warning that the renamed_admin directory is not password protected.

What am I doing wrong???? I have been fighting this for days, and am running out of patience. I no longer know what to change.

 

Marianne


  • 3 weeks later...

Hi there,

 

I am in the process of securing my site. I renamed the admin folder and made the necessary changes to the configure.php. I now get the popup asking for username and password, however the username and password I believe should work - do not.

 

Is there anything I can do to fix this ?

 

cheers,

 

Adam


Hi there,

 

I am in the process of securing my site. I renamed the admin folder and made the necessary changes to the configure.php. I now get the popup asking for username and password, however the username and password I believe should work - do not.

 

Is there anything I can do to fix this ?

 

cheers,

 

Adam

 

Perhaps the username and password are still associated with the old admin name and not the new admin name?

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.


Hi there,

 

I am in the process of securing my site. I renamed the admin folder and made the necessary changes to the configure.php. I now get the popup asking for username and password, however the username and password I believe should work - do not.

 

Is there anything I can do to fix this ?

 

cheers,

 

Adam

You mention a "popup asking for username and password" so I assume the admin is being secured by a .htaccess file.

 

The .htaccess file contains a line that locates the password file containing the usernames/passwords that work for it, usually located deeper in the folder.

 

If you change the admin name or path and the password file is deeper in the same folder you have to modify the line in the .htaccess file to relocate it as well.

 

An example.

 

Your original admin folder name was "admin" and the password file is in admin/safedir/.htpasswd

 

The line in the .htaccess file that locates it might look like this:

 

AuthUserFile /usr/local/www/admin/safedir/.htpasswd

Say you rename the admin folder to admin90210.

 

So now the code that locates the password file becomes:

 

AuthUserFile /usr/local/www/admin90210/safedir/.htpasswd

HTH

:)

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

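A consistency check for the admin-rename steps discussed in Shawn's, Adam's and Chris's posts above: it reads the DIR_WS_ADMIN / DIR_FS_ADMIN defines from configure.php and the AuthUserFile line from .htaccess and reports anything still pointing at the old name or missing the 'catalog' prefix. This is an added example, not code from osCommerce or from any poster; it assumes a stock layout where admin/ sits inside the catalog directory, and the file contents and paths below are constructed placeholders.

```python
import re

# Constructed admin/includes/configure.php and admin/.htaccess fragments
# (placeholder paths, not from any poster's real site).
CONFIGURE_PHP = """<?php
  define('HTTP_SERVER', 'https://shopname.domain.com');
  define('DIR_WS_ADMIN', '/catalog/mynewname/');
  define('DIR_WS_CATALOG', '/catalog/');
  define('DIR_FS_ADMIN', '/your/path/to/directory/catalog/mynewname/');
  define('DIR_FS_CATALOG', '/your/path/to/directory/catalog/');
"""
HTACCESS = """AuthType Basic
AuthName "Admin"
AuthUserFile /your/path/to/directory/catalog/admin/safedir/.htpasswd
Require valid-user
"""

DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
AUTHFILE_RE = re.compile(r"^\s*AuthUserFile\s+(\S+)", re.M)

def parse_defines(php_text):
    """Collect define('NAME', 'value') pairs from a configure.php."""
    return dict(DEFINE_RE.findall(php_text))

def check_admin_rename(php_text, htaccess_text, new_name):
    """Return the list of mismatches after renaming admin/ to new_name/ (empty = consistent)."""
    d = parse_defines(php_text)
    problems = []
    for key in ("DIR_WS_ADMIN", "DIR_FS_ADMIN"):
        if key not in d:
            problems.append(f"{key} is not defined")
        elif not d[key].endswith(f"/{new_name}/"):
            problems.append(f"{key} = {d[key]!r} does not end with '/{new_name}/'")
    # In a stock install admin/ lives inside the catalog directory, so each admin
    # path must start with the matching catalog path (the dropped 'catalog' prefix).
    for adm, cat in (("DIR_WS_ADMIN", "DIR_WS_CATALOG"), ("DIR_FS_ADMIN", "DIR_FS_CATALOG")):
        if adm in d and cat in d and not d[adm].startswith(d[cat]):
            problems.append(f"{adm} = {d[adm]!r} is not under {cat} = {d[cat]!r}")
    m = AUTHFILE_RE.search(htaccess_text)
    if m is None:
        problems.append("no AuthUserFile line in .htaccess")
    elif f"/{new_name}/" not in m.group(1):
        problems.append(f"AuthUserFile {m.group(1)!r} still points outside /{new_name}/")
    return problems
```

Run it with the real file contents and the new directory name; an empty list means the three places agree, and each reported line names the define or directive to fix.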

  • 2 weeks later...

Hi, if this message "xxx.com contains content from eurox5.biz, a site known to distribute malware. Your computer might catch a virus if you visit this site." is shown , what should I do to fix it ?

 

 

You will need to clean all malicious code from each file on your server and then remove any anomalous files. Once that is done, secure your website using the contributions mentioned at the beginning of this thread.

 

 

 

 

Chris


You will need to clean all malicious code from each file on your server and then remove any anomalous files. Once that is done, secure your website using the contributions mentioned at the beginning of this thread.

 

 

 

 

Chris

 

Thanks first. But how do I detect the malicious code in the files? I'm a newbie, actually...


  • 2 months later...

I am getting this. UGH! Parse error: syntax error, unexpected T_STRING, expecting T_CONSTANT_ENCAPSED_STRING or '(' in /home/content/12/8659812/html/oscommerce/index.php on line 9

 

HELP

 

 

Maceo,

 

The change you just made to the index.php was incorrect. You will need to check the code edits and correct the syntax.

 

 

 

Chris


  • 1 month later...

Hello,

 

I am running into problems when I change my admin folder name. I changed it to whatever I wanted, changed the code in configure.php, uploaded it, and when I navigate to www.mystore.com/admin_name it gives me an internal server error.

 

Is there something I am doing wrong?

 

Thank you in advance

 

Adamanto75


Check the .htaccess file in your newly named admin directory and see if it refers to your old admin directory.

 

HTH

 

H


Check the .htaccess file in your newly named admin directory and see if it refers to your old admin directory.

 

HTH

 

H

 

I checked my admin/.htaccess file and it says this:

# $Id$
#
# This is used with Apache WebServers
# The following blocks direct HTTP requests in this directory recursively
#
# For this to work, you must include the parameter 'Limit' to the AllowOverride configuration
#
# Example:
#
#<Directory "/usr/local/apache/htdocs">
# AllowOverride Limit
#
# 'All' will also work. (This configuration is in your apache/conf/httpd.conf file)
#
# This does not affect PHP include/require functions
#
# Example: http://server/catalog/admin/includes/application_top.php will not work

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

I don't see it calling for my old admin? Unless I'm missing something.

 

Is there anything else I can do?

 

Thanks

 

Adamanto75


Thanks first. But how do I detect the malicious code in the files? I'm a newbie, actually...

 

Really, this is a case of experience.

 

You need to check all files to see if certain known words occur in any file and then look and see if they are malicious.

 

VTS and site monitor will help you do this.

 

There are also some tips on cleansing a site in my profile.

 

HTH

 

G


<Files *.php>
Order Deny,Allow
Deny from all
</Files>

 

Is there a reason you have deny from all?

 

Cheers

 

G

