
Security issue with admin directory


208 replies to this topic

#141 mdtaylorlrim

  • Community Member
  • 2,497 posts
  • Real Name:Mark
  • Gender:Male

Posted 05 September 2010, 10:00

obcbeatle, on 05 September 2010, 01:29, said:

<SNIP>

B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC

<SNIP>

Unless I missed something, I didn't see anywhere in this thread how to do the above. I don't mind working with my web host on this, plus I already have my own .htaccess file for web site protection, but I don't know what to put in an .htaccess file to specifically address this OSC vulnerability. Can anyone point me to the code or type of protection to put in the .htaccess file to protect the renamed admin directory? Thanks!
cPanel users have a function in cpanel and others usually called 'Directory Protection' or 'Password Protect Directories' that creates the .htaccess file. The .htaccess password protects the directory so that it requires a password to access. Follow the directions in your cPanel to password protect your newly renamed admin directory. Once completed access to your admin directory will require a username and password the FIRST time a browser session encounters the directory.

Once the directory has this security in place you will find that an .htaccess file is now in your admin directory with these lines in it...

AuthType Basic
AuthName "Authorized Use Only"
AuthUserFile "/home/dir/.htpasswds/dir/dir/passwd"
require valid-user

Of course, 'dir' is the directory names for your shop, and passwd could be anything... and "Authorized Use Only" is whatever you put in when you create the password.
Avoid the most asked question. See How to Secure My Site and How do I...?

#142 obcbeatle

  • Community Member
  • 52 posts
  • Real Name:Jerry Coker

Posted 05 September 2010, 13:43

mdtaylorlrim, on 05 September 2010, 10:00, said:

cPanel users have a function in cpanel and others usually called 'Directory Protection' or 'Password Protect Directories' that creates the .htaccess file. The .htaccess password protects the directory so that it requires a password to access. Follow the directions in your cPanel to password protect your newly renamed admin directory. Once completed access to your admin directory will require a username and password the FIRST time a browser session encounters the directory.

Once the directory has this security in place you will find that an .htaccess file is now in your admin directory with these lines in it...

AuthType Basic
AuthName "Authorized Use Only"
AuthUserFile "/home/dir/.htpasswds/dir/dir/passwd"
require valid-user

Of course, 'dir' is the directory names for your shop, and passwd could be anything... and "Authorized Use Only" is whatever you put in when you create the password.

Thank you for the quick reply. As you said, using my web host's cPanel to pw protect the newly renamed osC admin dir created an .htaccess file with the code you mention above, and now authentication is required to the new admin dir. Thank you for explaining this! As an aside, I have just read thru all the posts in the top pinned security thread for this forum (sigh). So I am now at the point of installing the contribution add-ons, but I have to say that I'm a bit reluctant given all the thread posts of people having problems during or after the installs. Also, the original contrib add-ons were posted in 2008. It's almost 2011. Does osC not create update packages for these vulnerabilities on a regular basis, or are all these add-ons and tweaks posted herein "the updates"? Sorry...I've been mostly living in a M$ world the last 10 years and am only now re-entering the *nix (or non-Windows) world once again. Thanks again for the quick and detailed reply!

#143 germ

  • Community Member
  • 13,582 posts
  • Real Name:Jim
  • Gender:Male
  • Location:USA (GMT-6)

Posted 05 September 2010, 13:57

Releasing "update packages" wouldn't cover everyone.

Many templates have osC as their base code but the rest of the code is different. An "update package" applied to a template would most likely "break the store".

Another obstacle is the fact the software is free and downloadable at many sources (without registration), so there is no way to contact everyone.

When problems are discovered people post about them here and fixes are contrived.

Shop owners just have to frequent the forum for now.

Maybe in the future there will be a more concerted effort for advising and applying security fixes.

For now the forums are the only avenue.

Good, bad, or indifferent - that's just the way it currently is.
:)
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help


#144 obcbeatle

  • Community Member
  • 52 posts
  • Real Name:Jerry Coker

Posted 06 September 2010, 11:47

germ, on 05 September 2010, 13:57, said:

Releasing "update packages" wouldn't cover everyone.

Many templates have osC as their base code but the rest of the code is different. An "update package" applied to a template would most likely "break the store".

Another obstacle is the fact the software is free and downloadable at many sources (without registration), so there is no way to contact everyone.

When problems are discovered people post about them here and fixes are contrived.

Shop owners just have to frequent the forum for now.

Maybe in the future there will be a more concerted effort for advising and applying security fixes.

For now the forums are the only avenue.

Good, bad, or indifferent - that's just the way it currently is.
:)

Thanks for the reply! Just wanted to make sure I wasn't missing an area where osC update packages were regularly archived for d/l'ing/installing. Hope to start applying the remaining security add-ons this week. Thanks!

#145 FIMBLE

  • Community Member
  • 6,567 posts
  • Real Name:Nic
  • Gender:Male

Posted 12 September 2010, 15:40

For htaccess in your admin you can always use this solution http://addons.oscommerce.com/info/7170 which is also being included with version 2.3, soon to be released.
This one is obviously for V2.2RC2A.
Nic
Sometimes you're the dog and sometimes the lamp post

My Contributions

#146 khoking

  • Community Member
  • 203 posts
  • Real Name:KOH KHO KING
  • Gender:Male
  • Location:Malaysia

Posted 13 September 2010, 12:28

What is the config.php permission that we should set?
Best regards,
Koh Kho King

#147 FIMBLE

  • Community Member
  • 6,567 posts
  • Real Name:Nic
  • Gender:Male

Posted 13 September 2010, 17:53

khoking, on 13 September 2010, 12:28, said:

What is the config.php permission that we should set?


Config for what?

#148 khoking

  • Community Member
  • 203 posts
  • Real Name:KOH KHO KING
  • Gender:Male
  • Location:Malaysia

Posted 13 September 2010, 19:14

Sorry, I meant this file: configure.php
Best regards,
Koh Kho King

#149 DunWeb

  • Community Sponsor
  • 10,447 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 13 September 2010, 19:19

configure.php file permissions should be set to 444 if your hosting provider will allow it. If not, 604 will also give you some security.



Chris

#150 khoking

  • Community Member
  • 203 posts
  • Real Name:KOH KHO KING
  • Gender:Male
  • Location:Malaysia

Posted 13 September 2010, 19:43

Thanks DunWeb!
Best regards,
Koh Kho King

#151 zpupster

  • Community Member
  • 162 posts
  • Real Name:craig

Posted 18 September 2010, 00:00

hello,

I am a little confused. I am having to log in three times into admin: twice with the htaccess that I password protected the directory admin is in, and once when I get into oscommerce. I contacted my host; they said I am being redirected to the same url, but my redirect is empty in cpanel. Also, I have been reading here that you can marry the two so you only have to login with oscommerce and get the same protection as htaccess. One last thing, this may be a stupid question, but if I have htaccess then I should not have to have an ssl certificate to get https, because it is protected by the htaccess. Am I right or wrong about this?

Where should I go to undo and redo this the right way, since I obviously went down the wrong track somewhere.

thanks,
craig

#152 cherishedmoments

  • Community Member
  • 51 posts
  • Real Name:Jenny
  • Gender:Female
  • Location:West Virginia, United States

Posted 06 October 2010, 17:12

Jan Zonjee, on 18 July 2009, 07:23, said:


For the moment two things can and should be done:
A. rename the admin directory
B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');
For password protecting of your admin directory you can (hopefully) use the Password Protect feature in your web hosting control panel (see for example post 141 in this thread).


Okay, now I'm locked out of my own admin and every page on my site gives me a 403 error. I renamed my admin, then I changed the renamed_admin_directory/includes/configure.php. I tried to password protect but Bluehost said that I couldn't password protect because I have FrontPage Extensions installed. So I uninstalled them. For whatever reason, even though it said that they were uninstalled, my cPanel still says they are installed and won't let me password protect my admin. And now I have an even bigger problem....when I uninstalled FrontPage Extensions, it erased all of my .htaccess files and now I can't get onto any page on my site, including my admin. It says....


Forbidden

You don't have permission to access /new_admin_name on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

So I just made my problem 10 times bigger and, not only can I not figure out how to gain access to my site again....but even if I figured it out....I'm back to having an admin that I cannot password protect.....which is what I was trying to do in the first place!

Will someone please help me! I don't think I can take anymore!

#153 jgoluch

  • Community Member
  • 25 posts
  • Real Name:John Goluch

Posted 05 November 2010, 22:34

cherishedmoments, on 06 October 2010, 17:12, said:

Okay, now I'm locked out of my own admin and every page on my site gives me a 403 error. I renamed my admin, then I changed the renamed_admin_directory/includes/configure.php. I tried to password protect but Bluehost said that I couldn't password protect because I have FrontPage Extensions installed. So I uninstalled them. For whatever reason, even though it said that they were uninstalled, my cPanel still says they are installed and won't let me password protect my admin. And now I have an even bigger problem....when I uninstalled FrontPage Extensions, it erased all of my .htaccess files and now I can't get onto any page on my site, including my admin. It says....


Forbidden

You don't have permission to access /new_admin_name on this server.

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

So I just made my problem 10 times bigger and, not only can I not figure out how to gain access to my site again....but even if I figured it out....I'm back to having an admin that I cannot password protect.....which is what I was trying to do in the first place!

Will someone please help me! I don't think I can take anymore!

Been following these posts and similar ones elsewhere as a client site has the same type of hacking...what are they trying to achieve/gain via the hack?

#154 Peepo

  • Community Member
  • 25 posts
  • Real Name:Peepo

Posted 09 December 2010, 13:41

I've changed the name of the admin directory.

But when I look at the code in admin/includes/configure.php I wonder should I really be changing this

define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

for this?

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

The reason I ask is because the replacement has a direct link to the directory and the original code has some sort of reference.

I'm using 2.3.1. Can anyone confirm I still need to change this code, as the original post was written in 2009?
Thanks

#155 Xpajun

  • Community Member
  • 1,272 posts
  • Real Name:Julian
  • Gender:Male
  • Location:UK

Posted 09 December 2010, 14:20

Peepo, on 09 December 2010, 13:41, said:

I've changed the name of the admin directory.

But when I look at the code in admin/includes/configure.php I wonder should I really be changing this

define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

for this?

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

The reason I ask is because the replacement has a direct link to the directory and the original code has some sort of reference.

I'm using 2.3.1. Can anyone confirm I still need to change this code, as the original post was written in 2009?
Thanks


You would have to rename the first:

define('DIR_WS_ADMIN', '/admin/');

but not necessarily the second, unless it doesn't work, and then you would.

The second is saying "go to the document root (catalog) and use the directory defined for DIR_WS_ADMIN".

#156 Peepo

  • Community Member
  • 25 posts
  • Real Name:Peepo

Posted 09 December 2010, 16:32

Ah understood :) Ok I'll have a play about with it.

#157 tstarr

  • Community Member
  • 3 posts
  • Real Name:Troy

Posted 17 December 2010, 10:45

I added the following lines to my .htpasswds in the Admin folder

AuthType Basic
AuthName "Authorized Use Only"
AuthUserFile "/home/admin/.htpasswds/home/admin/passwd"
require valid-user

I am now getting the user name and password popup.
I have a stupid question, what is my user name & password?

I am assuming that my password is "passwd" but what is my username & how do I change the username?

#158 solaris955

  • Community Member
  • 11 posts
  • Real Name:Irina Gray
  • Gender:Female

Posted 18 December 2010, 20:19

Hi guys,

I have gone through this thread several times, there's just so much detail to hold in mind ...

I am trying to secure my admin area in the newest version - 2.3.1.

Could someone please be so kind as to spell out what specifically I should do to secure it?

Because the discussions above refer to older versions, it would be great if someone could summarize what steps should be taken for the newest version please (2.3.1).

I (and many others, I am sure) would really, really appreciate a brief summary of steps to be taken to secure the admin area of this newest version (2.3.1).

Thanks hugely in advance for all your help.

Irina

#159 tstarr

  • Community Member
  • 3 posts
  • Real Name:Troy

Posted 20 December 2010, 17:29

tstarr, on 17 December 2010, 10:45, said:

I added the following lines to my .htpasswds in the Admin folder

AuthType Basic
AuthName "Authorized Use Only"
AuthUserFile "/home/admin/.htpasswds/home/admin/passwd"
require valid-user

I am now getting the user name and password popup.
I have a stupid question, what is my user name & password?

I am assuming that my password is "passwd" but what is my username & how do I change the username?

OK, with a lot of snooping around I figured it out.

Here are all of the steps to get the .htaccess password protection working on the Admin folder.

1) Paste the following lines into the .htaccess file in the Admin folder:

    AuthType Basic
    AuthName "Authorized Use Only"
    AuthUserFile "/var/chroot/home/content/22/6527522/html/bbhshop/bbhnewshop/admin/.htpasswd"
    AuthGroupFile /dev/null
    require valid-user

2) Replace my path "/var/chroot/home/content/22/6527522/html/bbhshop/bbhnewshop/" with your specific path.
You can find your path in your cPanel File Manager, your Web Hosting File view, or your FTP File view.

3) Go to the following .htaccess password encryption tool
    http://www.tools.dynamicdrive.com/password/

4) Create a .htpasswd file with the following line from the above tool. (Yours will be different depending on your username & password.)
    myUsername:mS3fKc1G21eRM

5) Upload the .htpasswd file to the Admin directory. You should be done.

Here is a good how-to guide if my post did not make sense.
    http://www.javascriptkit.com/howto/htaccess3.shtml
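Added here as an illustration, not code from this thread or from osCommerce: a small Python audit for the .htaccess/.htpasswd pair described in posts #141 and #159. It flags an AuthUserFile placed under the document root (the steps above put it inside the admin folder itself) and password entries in the 13-character crypt() format that the online generator produced, which truncates passwords at 8 characters. The directive names are Apache's; the file contents, user names and paths are constructed.

```python
import re

# Constructed sample .htaccess, modelled on the snippets posted in this thread.
SAMPLE_HTACCESS = """AuthType Basic
AuthName "Authorized Use Only"
AuthUserFile "/home/shop/public_html/newadmin/.htpasswd"
AuthGroupFile /dev/null
require valid-user
"""

# Constructed .htpasswd: one traditional crypt(3) entry in the same format as the
# thread's "myUsername:mS3fKc1G21eRM", one apr1 entry as `htpasswd -m` writes it.
SAMPLE_HTPASSWD = """shopadmin:mS3fKc1G21eRM
shopadmin2:$apr1$abcdefgh$0123456789abcdefghijkl
"""


def hash_scheme(entry):
    """Classify the hash in one 'user:hash' line of an .htpasswd file."""
    _, _, h = entry.strip().partition(":")
    if h.startswith("$2y$") or h.startswith("$2a$"):
        return "bcrypt"
    if h.startswith("$apr1$"):
        return "apr1-md5"
    if h.startswith("{SHA}"):
        return "sha1"          # unsalted SHA-1
    if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
        return "crypt"         # DES crypt(3): 8-char password limit, weak
    return "unknown"


def audit(htaccess_text, htpasswd_text, docroot):
    """Return findings for an admin-directory Basic Auth setup (empty = clean)."""
    findings = []
    directives = {}
    for line in htaccess_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key.lower()] = value.strip().strip('"')
    if directives.get("authtype", "").lower() != "basic":
        findings.append("AuthType Basic missing")
    if "authuserfile" not in directives:
        findings.append("AuthUserFile missing: logins will fail with a server error")
    elif directives["authuserfile"].startswith(docroot.rstrip("/") + "/"):
        findings.append("AuthUserFile lives under the document root; move it outside")
    if not directives.get("require", "").lower().startswith("valid-user"):
        findings.append("require valid-user missing: nothing is enforced")
    for entry in htpasswd_text.splitlines():
        if entry.strip() and hash_scheme(entry) in ("crypt", "sha1", "unknown"):
            user = entry.split(":", 1)[0]
            findings.append("%s uses weak hash scheme %s" % (user, hash_scheme(entry)))
    return findings
```

Run `audit(SAMPLE_HTACCESS, SAMPLE_HTPASSWD, "/home/shop/public_html")` to see both findings; regenerating the entry with `htpasswd -B` on the host clears the hash finding.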

#160 DunWeb

  • Community Sponsor
  • 10,447 posts
  • Real Name:Chris Dunn
  • Gender:Male
  • Location:Tecumseh, Ontario, Canada N8N 1X8

Posted 20 December 2010, 17:55

Irina,

V2.3.1 has the ability to change the admin directory name and .htaccess protect during setup OR from the admin area afterwards.

You will not need to secure it any further if you use the security features built into the admin area.


Of course, there are still the 5 'must have' security contributions for your catalog.


Chris

Edited by DunWeb, 20 December 2010, 17:55.
