
Security issue with admin directory


228 replies to this topic

#221   Demitry

Demitry
  • Members
  • 20 posts
  • Real Name:Demitry
  • Gender:Male
  • Location:Seminole, FL

Posted 11 September 2013 - 23:12

Taking this a step further and using the IP Trap contribution, I added "admin/" to the URL in the aforementioned code so that anyone who tries to access the already renamed admin directory will get their IP banned.

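# Match every client whose address is not the admin's own (XX.XXX.XX.XXX is a placeholder).
RewriteCond %{REMOTE_ADDR} !^XX\.XXX\.XX\.XXX$
# Redirect those requests for the renamed admin directory to /admin/, where the IP Trap runs.
RewriteRule ^admin_directory(.*)$ http://www.mysite.com/admin/ [R,L]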

The trouble is remembering to change my IP address in the .htaccess file in case I have to work remotely, so as not to have to unblock my remote IP. ;O) Still looking to find out if there are any negative implications of adding this code to the .htaccess file. Does anyone know?

Edited by Demitry, 11 September 2013 - 23:13.


#222   wealthcreation

wealthcreation
  • Members
  • 2 posts
  • Real Name:Omosebi Innocent

Posted 03 October 2013 - 11:11

Dear Authors

I am having a problem securing my website with .htaccess and .htpasswd_oscommerce. Someone please educate me.

#223   altoid

altoid
  • Community Sponsor
  • 1,031 posts
  • Real Name:Steve
  • Gender:Male
  • Location:Hollidaysburg, Pennsylvania

Posted 03 October 2013 - 13:45

Dear Authors

I am having a problem securing my website with .htaccess and .htpasswd_oscommerce. Someone please educate me.


If you mean securing the admin side of your site, and if your version is the 2.3 series, go to admin>configuration>administrators.
I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.
I remember what it was like when I first started with osC. It can be overwhelming.
However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.
There are several good pros here on osCommerce. Look around, you'll figure out who they are.

#224   grandpaj

grandpaj
  • Members
  • 417 posts
  • Real Name:John
  • Gender:Male
  • Location:New Zealand

Posted 04 March 2014 - 00:23

Hi

I am trying to rename the admin area in osCommerce 2.3.3.4. It's so simple, yet I can't get it to work. 3
Change admin name
Change configure.php in 2 places. Done, but it doesn't work.

My question is: does the admin folder in 2.3.3.4 need to be renamed, and if so, exactly how? It's always been so simple. I've tried changing the name of the admin file, then changing it in the 2 places in admin>configure.php.

Please don't shoot me.

Kind regards
grandpa

#225   joli1811

joli1811

    Anybody seen this leprechaun say yeah !!

  • Community Sponsor
  • 2,127 posts
  • Real Name:john dunlop
  • Gender:Male
  • Location:Ireland

Posted 04 March 2014 - 00:38

Hi

It is the yellow admin folder where you want to change the name, then in admin/includes/configure.php in 2 places to reflect the new admin name.

It is possible that the permissions on your configure.php are set to non-writable, 444 or something similar (this is how they should be), so you may have to change the permissions first to 666 to be able to overwrite in your control panel file manager. Remember to change back when you are finished (444).

John

PS: one of the best things you can do to protect your admin

Edited by joli1811, 04 March 2014 - 00:39.

To improve is to change; to be perfect is to change often.

#226   grandpaj


Posted 04 March 2014 - 00:50

Hi John

I have set the permissions at 666. Everything looks just fine in the config file and the renamed admin. But when I go to the browser and type in the new URL, all I get is the correct URL showing (through secure server) and a blank page. Something's not quite right.
Folder permissions are at 777 and the config at 666.

Any ideas?
I'm tearing my hair out. And I don't have much left.

Cheers
John

#227   grandpaj


Posted 04 March 2014 - 01:06

Hi John

Solved it. Had to change htaccess

Cheers
John

#228   joli1811


Posted 04 March 2014 - 01:10

Great, remember to change the permissions back: folders normally 755 and files 644, configure 444.
To improve is to change; to be perfect is to change often.
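
A check for the permission advice given in this thread (folders 755, files 644, configure.php 444), as an added example that is not part of any post or of osCommerce itself. The function names, the finding labels and the install path passed in are assumptions.

```shell
#!/bin/sh
# Added example: audit an install tree after troubleshooting with loosened
# modes (such as 777 on a folder or 666 on configure.php) to confirm that
# everything was put back. Function names and labels are hypothetical.

# scan_perms ROOT: print one line per file or directory looser than advised.
scan_perms() {
    # configure.php must be exactly 444 (read-only for everyone).
    find "$1" -type f -name configure.php ! -perm 444 \
        -exec printf 'CONFIG_NOT_444 %s\n' {} \;
    # Other files must not be writable by group or others (644 or tighter).
    find "$1" -type f ! -name configure.php \( -perm -020 -o -perm -002 \) \
        -exec printf 'FILE_GROUP_OR_WORLD_WRITABLE %s\n' {} \;
    # Directories must not be writable by group or others (755 or tighter).
    find "$1" -type d \( -perm -020 -o -perm -002 \) \
        -exec printf 'DIR_GROUP_OR_WORLD_WRITABLE %s\n' {} \;
}

# audit_perms ROOT: print the findings; return 0 when clean, 1 otherwise.
audit_perms() {
    findings=$(scan_perms "$1")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `audit_perms /path/to/shop` after editing configure.php; a non-zero exit status means something was left writable.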

#229   ce7

ce7
  • Members
  • 244 posts
  • Real Name:lyn

Posted 19 June 2014 - 01:32

Hi,

For security reasons, I had changed the admin folder name as suggested, thanks.

I have a question: I would like to have a 2nd admin folder that can allow an alliance to access only one page in the backend. For security reasons, I don't want to show the link that redirects to the original first administrator folder. That is why I need to have this 2nd admin folder.

Right now I just copied the first admin folder and renamed it to something else. It does ask me to enter ID and password, but it doesn't allow me to log in though. How can I change it and make it work? Please kindly give me some steps to follow, many thanks in advance.

Lyn