
Security issue with admin directory


208 replies to this topic

#161 uniks

  • Community Member
  • 8 posts
  • Real Name:Juan Tamad

Posted 27 December 2010, 15:57

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');
========================


I did the above procedure and it works, but I got this error message when I go to the Admin page, then Tools > Database Backup:

"Error: Backup directory does not exist. Please set this in configure.php."


Does someone know how to fix this? Thanks.

#162 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 27 December 2010, 16:05

Please do not double post

http://forums.oscommerce.com/topic/368985-error-error-backup-directory-does-not-exist-please-set-this-in-configurephp/page__pid__1554542#entry1554542
Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

Virus Threat Scanner
My Contributions
Basic install answers.
Click here for Contributions / Add Ons.
UK your site.
Site Move.
Basic design info.

For links mentioned in old answers that are no longer here follow this link Useful Threads.

If this post was useful, click the Like This button over there ======>>>>>.

#163 bavariuaninc

  • Community Member
  • 1 posts
  • Real Name:Brad Berglund

Posted 27 December 2010, 23:53

My admin got hacked as well, and now the index and login files are gone. When I try to copy from backup, it will not save. What happened? Thanks

#164 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 28 December 2010, 00:05

That really will take some time and a lot of detective work to find out.

A link on how to sort out a hacked site is on my about me page in my profile.

Not really difficult just time consuming and detailed.

HTH

G

Edited by geoffreywalton, 28 December 2010, 00:06.


#165 qkzoo

  • Community Member
  • 37 posts
  • Real Name:Andrew Diamond
  • Gender:Male
  • Location:Michigan

Posted 09 January 2011, 22:17

I need help with step B. "Add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)"

How do you do this? I have no idea. I have followed most of the steps in "securing" my website, and I have seen this one posted in each one, but I have no idea how to go about this, can somebody help? I'm using HostGator, if that matters or helps...

Thanks,

Andrew

#166 BryceJr

  • Community Member
  • 1,448 posts
  • Real Name:Bryce

Posted 09 January 2011, 23:33

qkzoo, on 09 January 2011, 22:17, said:

I need help with step B. "Add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)"

How do you do this? I have no idea. I have followed most of the steps in "securing" my website, and I have seen this one posted in each one, but I have no idea how to go about this, can somebody help? I'm using HostGator, if that matters or helps...

Thanks,

Andrew
Proceed to your web host control panel and follow >>this.

#167 qkzoo

  • Community Member
  • 37 posts
  • Real Name:Andrew Diamond
  • Gender:Male
  • Location:Michigan

Posted 10 January 2011, 12:45

BryceJr, on 09 January 2011, 23:33, said:

Proceed to your web host control panel and follow >>this.

...that's instructions to password protect a directory, which I've done. It doesn't tell me, however, anything about what .htaccess is or how to protect it.

#168 BryceJr

  • Community Member
  • 1,448 posts
  • Real Name:Bryce

Posted 10 January 2011, 20:36

qkzoo, on 10 January 2011, 12:45, said:

...that's instructions to password protect a directory, which I've done. It doesn't tell me, however, anything about what .htaccess is or how to protect it.
The purpose of creating a .htaccess file is to password protect your newly renamed admin directory. The easy way to accomplish that is through your host control panel, which you've done.

More info on >>htaccess

#169 qkzoo

  • Community Member
  • 37 posts
  • Real Name:Andrew Diamond
  • Gender:Male
  • Location:Michigan

Posted 11 January 2011, 00:52

Ok, so if I understand you correctly, then I can ignore all the suggestions here? I'm just a little flustered is all, I noticed several .htaccess files throughout my installation as I went through and checked all file permissions. Yes, my admin directory is now renamed and password protected using my hosts cPanel, which was quite simple.

Andy

#170 BryceJr

  • Community Member
  • 1,448 posts
  • Real Name:Bryce

Posted 11 January 2011, 06:49

Quote

Ok, so if I understand you correctly, then I can ignore all the suggestions here? ...
Password protecting your admin directory will not compensate for the other security issues you need to address in your store.

Ignoring the suggestions on "How to secure your osCommerce" thread will not protect your site from injection attacks, xss, file_manager point of entry, etc.

#171 qkzoo

  • Community Member
  • 37 posts
  • Real Name:Andrew Diamond
  • Gender:Male
  • Location:Michigan

Posted 11 January 2011, 13:23

BryceJr, on 11 January 2011, 06:49, said:

Password protecting your admin directory will not compensate for the other security issues you need to address in your store.

Ignoring the suggestions on "How to secure your osCommerce" thread will not protect your site from injection attacks, xss, file_manager point of entry, etc.

I'm sorry, I dropped the wrong link somehow. The link I meant to show was a bunch of .htaccess codes for protecting a site, and I can't find the link now. I have followed those instructions to the best of my ability: I have added Security Pro, I have gone through and made sure that all of my files are 644 or lower (permissions) and folders 755 or lower, and my configuration.php file(s) have a permission setting of 400, I believe. I renamed the admin directory, and I have protected the "Admin" directory with .htaccess by means of my host's cPanel directory password protect function. According to the post, I should delete the admin/file_manager.php file (which didn't exist in my installation) and the file admin/define_language.php, which I did. The only thing I think I have left to do is the link titled "You can stop cross site scripting attacks with Anti XSS."

There was also a link to install software to block specific ip's, but my site isn't even active yet, so I can wait on that...right?

I want to make sure this thing is tight as I can possibly make it, so can you think of anything I left out?

Thank you,


Andy

#172 puerdemon

  • Community Member
  • 6 posts
  • Real Name:jessica

Posted 16 January 2011, 01:29

Okay, so I did both the rename and the .htaccess modification.

Now I am entirely locked out. I get the lovely "500 Internal Server Error" message. I had been modding my code via the file manager because my .htaccess file does not show up in FileZilla for me. I have tried FTPing the .htaccess and .htpasswd files back up into my site, but to no avail. And my entire site is now offline. Advice, anyone? Thank you in advance :)

This is my .htaccess code:
# $Id: .htaccess 1739 2007-12-20 00:52:16Z hpdl $
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' will also work. (This configuration is in the
# apache/conf/httpd.conf file)
# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers
#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>
# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter
# AcceptPathInfo On
# Fix certain PHP values
# (commented out by default to prevent errors occurring on certain
# servers)
# php_value session.use_trans_sid 0
# php_value register_globals 1

# Never serve the .htaccess / .htpasswd files themselves
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

# This 'Options' line is what needs AllowOverride Options (or All);
# without it Apache answers every request in the directory with a 500
Options +FollowSymLinks
RewriteEngine On
# Reject query strings carrying obvious injection payloads with a 403.
# With [F] the rewrite target is ignored, so "-" is used instead of a file name.
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ - [F,L]
# Refuse TRACE/TRACK requests
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

# Basic auth for the whole directory this file lives in.
# AuthUserFile must be the absolute filesystem path of the password file
# (not a URL or a web path). The "require" must not be wrapped in
# <Files ...>, which would only protect the single file it names.
AuthName "Restricted Area"
AuthType Basic
AuthUserFile /hyperactive3d.com/lookywhatifound/.htpasswd.txt/.htpasswd
AuthGroupFile /dev/null
require valid-user

EDIT: Sorry, didn't copy all the code.

Edited by puerdemon, 16 January 2011, 01:32.


#173 puerdemon

  • Community Member
  • 6 posts
  • Real Name:jessica

Posted 16 January 2011, 01:58

Ah, sorry, I got it to work; I was able to get my hidden files to show up in FileZilla. Sorry for the double post :blush:
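One way to carry out what the two posts above set out to do, given here as an added example and not as puerdemon's or osCommerce's code: a POSIX shell script that creates the .htpasswd file with openssl (htpasswd(1) is frequently absent on shared hosting), writes a .htaccess for the renamed admin directory with the auth applied to the whole directory rather than to one file, and checks a password against the stored hash the way Apache does, by re-hashing with the stored salt. Assumed: Apache 2.2 directive syntax as in the thread, AllowOverride AuthConfig (or All) for that directory, openssl on the PATH; directory names, user name and password are placeholders. The Basic-auth prompt is independent of the osCommerce admin login, so there are two prompts with two unrelated passwords.

```shell
#!/bin/sh
# Added example (not osCommerce's or any poster's code): Basic auth for the
# renamed admin directory. Apache 2.2 syntax; needs AllowOverride AuthConfig.
set -eu

# htpasswd_line USER PASSWORD -> "USER:$apr1$..." (Apache MD5 scheme, accepted
# by every Apache version). openssl is used because htpasswd(1) is often
# missing on shared hosting; -stdin keeps the password out of the process list.
htpasswd_line() {
  printf '%s:%s\n' "$1" "$(printf '%s\n' "$2" | openssl passwd -apr1 -stdin)"
}

# verify_password PASSWD_FILE USER PASSWORD -> 0 if PASSWORD matches the stored
# hash for USER, 1 otherwise. Apache does the same: take the salt out of the
# stored "$apr1$<salt>$<hash>" string, re-hash the candidate, compare.
verify_password() {
  line=$(grep "^$2:" "$1" || true)
  [ -n "$line" ] || return 1
  stored=${line#*:}
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  [ "$(printf '%s\n' "$3" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]
}

# write_protection ADMIN_FS PASSWD_FS USER PASSWORD
#   ADMIN_FS  absolute path of the renamed admin directory
#   PASSWD_FS absolute path of the password file; keep it outside the web root
write_protection() {
  admin_fs=$1 passwd_fs=$2
  case $passwd_fs in
    /*) ;;
    *) echo "AuthUserFile must be an absolute filesystem path: $passwd_fs" >&2; return 1 ;;
  esac
  [ -d "$admin_fs" ] || { echo "no such directory: $admin_fs" >&2; return 1; }
  htpasswd_line "$3" "$4" > "$passwd_fs"
  chmod 640 "$passwd_fs"
  cat > "$admin_fs/.htaccess" <<EOF
# block direct download of .htaccess / .htpasswd should one ever sit in the web root
<Files ~ "^\.ht">
  Order allow,deny
  Deny from all
  Satisfy All
</Files>

# Basic auth for everything in this directory (a <Files> wrapper around
# "Require valid-user" would protect only the one file it names)
AuthType Basic
AuthName "Restricted Area"
AuthUserFile $passwd_fs
AuthGroupFile /dev/null
Require valid-user
EOF
  chmod 644 "$admin_fs/.htaccess"
}

# --- demo on a throwaway tree (constructed, not a real store) ---
tmp=$(mktemp -d)
mkdir "$tmp/mynewadmin"
write_protection "$tmp/mynewadmin" "$tmp/.htpasswd" shopadmin 'correct horse battery'
cat "$tmp/mynewadmin/.htaccess"
verify_password "$tmp/.htpasswd" shopadmin 'correct horse battery' && echo "password check: ok"
rm -rf "$tmp"
```

The password file is written with mode 640 and the check refuses a relative AuthUserFile, which is the two mistakes that most often turn a working site into a 500 or an open admin.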

#174 hhitch

  • Community Member
  • 14 posts
  • Real Name:Hugh J. Hitchcock

Posted 07 February 2011, 00:43

First, change the name of your "admin" folder.

Then, you MUST change the references to that folder name in the following file:

/admin (has new name now)/configure.php

If you make the changes to that file, then the system can find the login page. If you don't make the changes to that file, the system cannot find the login page nor the error page.

rgmonster, on 21 July 2009, 15:29, said:

This is not so simple. I have renamed admin and changed configure.php, and when I go to the new folder it bombs with the following error:

Not Found
The requested URL /admin/login.php was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


--------------------------------------------------------------------------------

Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8 Server at www.myshop.co.uk Port 443

Please, for novices like me who are trying to learn osCommerce, don't assume it's just this or that and it's done. I am finding a lack of concise answers to anything regarding osCommerce, and putting notices like this without a troubleshooting guide is not helpful at all.


#175 Biancoblu

  • Community Sponsor
  • 567 posts
  • Real Name:Isabella
  • Gender:Female
  • Location:Switzerland

Posted 14 February 2011, 20:01

If I set up password protection through .htaccess (Cpanel), I have to keep it the same as the password I set up during installation.
If I set up different passwords, the one in .htaccess seems to override the other and locks me out of admin.

I thought I would be able to set up one password in htaccess which would be different than the one set up during installation.
Am I missing something?
~ Don't mistake my kindness for weakness ~

Be safe, not sorry: Updated Security Thread

#176 ppworks

  • Community Member
  • 7 posts
  • Real Name:M1K3

Posted 17 February 2011, 13:32

Server logs show excessive access to /tell_a_friend.php

I don't use the tell a friend feature.

It appears when /tell_a_friend.php is called directly the user is redirected to: /product_info.php?products_id=0 where an access denied message is displayed.

Providing a valid product id: /tell_a_friend.php?action=process&products_id=[Product_id#] as a guest user can bypass the restriction and send unsolicited mails from the system.

Is it safe to remove /tell_a_friend.php without breaking anything?
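A way to put numbers on what ppworks sees in the server logs, as an added example rather than anything a poster wrote: an awk filter over Apache combined-format access log lines that counts, per client address, only the requests to tell_a_friend.php whose query string carries action=process, i.e. the request that actually sends mail (a bare GET of the page is just the redirect described above), and turns the noisiest clients into Apache 2.2 Deny lines as a stop-gap until the feature is switched off or the file removed. The log lines are constructed for the demo and the threshold is a placeholder.

```shell
#!/bin/sh
# Added example (not from any poster): spot clients hammering tell_a_friend.php
# in an Apache common/combined access log.
set -eu

# tell_a_friend_abusers LOGFILE LIMIT -> "<client ip> <hits>" for every client
# with more than LIMIT mail-sending requests, busiest first
tell_a_friend_abusers() {
  awk -v limit="$2" '
    # $1 is the client address, $7 the request target of "METHOD target HTTP/x".
    # Count only the requests that carry action=process in the query string.
    index($7, "/tell_a_friend.php?") == 1 &&
      ($7 ~ /[?&]action=process&/ || $7 ~ /[?&]action=process$/) { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] > limit) printf "%s %d\n", ip, hits[ip] }
  ' "$1" | sort -k2,2nr -k1,1
}

# deny_lines LOGFILE LIMIT -> one "Deny from <ip>" line per abuser, ready to
# paste into an Apache 2.2 .htaccess (a stop-gap; disabling or removing
# tell_a_friend.php is the real fix)
deny_lines() {
  tell_a_friend_abusers "$1" "$2" | awk '{ print "Deny from " $1 }'
}

# write_sample_log PATH: constructed combined-format lines for the demo.
# 203.0.113.7 fires the sending request four times, 198.51.100.9 once,
# 192.0.2.44 only views the page and a product.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [17/Feb/2011:10:01:02 +0000] "GET /tell_a_friend.php?action=process&products_id=31 HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [17/Feb/2011:10:01:03 +0000] "GET /tell_a_friend.php?action=process&products_id=31 HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [17/Feb/2011:10:01:04 +0000] "GET /tell_a_friend.php?action=process&products_id=32 HTTP/1.1" 302 - "-" "Mozilla/5.0"
203.0.113.7 - - [17/Feb/2011:10:01:05 +0000] "GET /tell_a_friend.php?action=process&products_id=33 HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.9 - - [17/Feb/2011:10:02:00 +0000] "GET /tell_a_friend.php?products_id=31 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Feb/2011:10:02:30 +0000] "GET /tell_a_friend.php?action=process&products_id=31 HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.44 - - [17/Feb/2011:10:03:00 +0000] "GET /product_info.php?products_id=31 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.44 - - [17/Feb/2011:10:03:10 +0000] "GET /tell_a_friend.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
EOF
}

# --- demo ---
log=$(mktemp)
write_sample_log "$log"
echo "clients with more than 2 mail-sending requests:"
tell_a_friend_abusers "$log" 2
deny_lines "$log" 2
rm -f "$log"
```

Run it against the real access log with a threshold that suits the store's traffic; the page views that only trigger the redirect are deliberately left out of the count so that ordinary browsing does not show up.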

#177 geoffreywalton

  • Community Sponsor
  • 7,731 posts
  • Real Name:Geoffrey Walton
  • Gender:Male
  • Location:Norfolk, UK (close to the centre of the universe)

Posted 20 February 2011, 15:20

If there is an option to "turn off" tell a friend in your shop admin I'd do that first.

HTH

G

#178 hamsaya

  • Community Member
  • 13 posts
  • Real Name:Hamsaya Jaan

Posted 17 March 2011, 03:39

Most people here had issues with renaming the directory. I had the same issue, but I was able to fix it.

The issue is that when you make a copy of the admin directory or rename your admin directory, the directory permissions change, depending on your domain provider.

What you have to do is temporarily set the permissions to 777 or something for the admin/include/configure.php file. Once the configure admin name is changed to the new directory name, you are good to go.

Hopefully this is helpful.

Oh, don't forget to change the permission on configure back.

Thanks
Hamsaya

#179 Sohgave

  • Community Member
  • 30 posts
  • Real Name:Shawn Kelshaw
  • Gender:Male

Posted 13 April 2011, 22:06

Sorry folks, but the instructions to change the admin folder name did not work for me. I've attempted 4 different times being sure to follow the instructions (from Jan's post) to the letter, but I always end up with "500 The server encountered an internal error or misconfiguration and was unable to complete your request."

As a recap, here is just one of the attempted scenarios:

1.) I had the "admin" folder working fine. I could login and browse the back office; no problems...
2.) I changed the folder name on the server side from "admin" to "mynewname"
3.) I changed the folder name on my local side from "admin" to "mynewname"
4.) I modified the configure.php found in "mynewname/includes/" directory on my local side to be:
define('DIR_WS_ADMIN', '/mynewname/'); //and as according to Jan's instructions. This step seemed a bit weird as the original syntax for the first define line reads : "define('DIR_WS_ADMIN', 'catalog/mynewname/');"
define('DIR_FS_ADMIN', '/your/path/to/directory/mynewname/');
5.) I uploaded the changes to the server
6.) Cleared my cache
7.) Attempted to login to back office at url: https://shopname.domain.com/catalog/mynewname/

I can get to the first login window but 500 Internal Server Error on second login window...

Any help??


Thanks

Edited by Sohgave, 13 April 2011, 22:10.

Thanks,
Shawn

"Surface the ship! Prepare to muster all personnel to escape hatches.
Break out the rafts. Lash them to the deck.
We'll use them as shelters until the fleet arrives."
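The rename procedure that uniks, hhitch, hamsaya and Sohgave walk through above, as an added example (not Jan's, any poster's or osCommerce's code) in a form that can be re-run and checked: a POSIX shell script that moves the admin directory, rewrites DIR_WS_ADMIN and DIR_FS_ADMIN in <newname>/includes/configure.php (making the file writable just for the edit and setting it back to read-only, as hamsaya describes), then reads the defines back and verifies that the filesystem path exists and has its backups/ directory. It assumes the stock 2.2 admin configure.php, where DIR_FS_BACKUP is built from DIR_FS_ADMIN, which is why a wrong or truncated DIR_FS_ADMIN shows up as "Backup directory does not exist"; the document root, store path and directory names are placeholders. The WS value is the path from the web server's document root, so a store that lives in catalog/ keeps the /catalog/ prefix in it; the FS value is the absolute path on disk.

```shell
#!/bin/sh
# Added example (not osCommerce's own code): rename the admin directory, fix
# the two defines in <newname>/includes/configure.php, and check the result.
# Assumes the stock 2.2 layout, where the admin configure.php holds
# DIR_WS_ADMIN / DIR_FS_ADMIN and derives DIR_FS_BACKUP from DIR_FS_ADMIN.
set -eu

# rename_admin DOCROOT STORE_WS OLD NEW
#   DOCROOT  absolute filesystem path of the web root, e.g. /home/user/public_html
#   STORE_WS web path of the store below DOCROOT: / for a root install,
#            /catalog/ when the store lives in a catalog/ subdirectory
#   OLD NEW  current and new admin directory names
rename_admin() {
  docroot=$1 store_ws=$2 old=$3 new=$4
  case $store_ws in /*) ;; *) store_ws="/$store_ws" ;; esac
  case $store_ws in */) ;; *) store_ws="$store_ws/" ;; esac
  old_fs="$docroot$store_ws$old"
  new_fs="$docroot$store_ws$new"
  [ -d "$old_fs" ] || { echo "no such directory: $old_fs" >&2; return 1; }
  [ ! -e "$new_fs" ] || { echo "target already exists: $new_fs" >&2; return 1; }
  mv "$old_fs" "$new_fs"

  cfg="$new_fs/includes/configure.php"
  ws="$store_ws$new/"   # web path from the document root, e.g. /catalog/mynewname/
  fs="$new_fs/"         # absolute filesystem path, trailing slash included
  # configure.php is read-only after install; open it just for this edit
  chmod u+w "$cfg"
  sed -i.bak \
    -e "s|define('DIR_WS_ADMIN', *'[^']*');|define('DIR_WS_ADMIN', '$ws');|" \
    -e "s|define('DIR_FS_ADMIN', *'[^']*');|define('DIR_FS_ADMIN', '$fs');|" \
    "$cfg"
  rm -f "$cfg.bak"
  chmod 444 "$cfg"      # back to read-only (400 if PHP runs as the file owner)
}

# check_admin CFG: print "DIR_WS_ADMIN DIR_FS_ADMIN" read back from CFG and make
# sure the filesystem path exists and has a backups/ directory; a wrong or
# truncated DIR_FS_ADMIN is what produces "Backup directory does not exist"
check_admin() {
  cfg=$1
  ws=$(sed -n "s/.*define('DIR_WS_ADMIN', *'\([^']*\)').*/\1/p" "$cfg")
  fs=$(sed -n "s/.*define('DIR_FS_ADMIN', *'\([^']*\)').*/\1/p" "$cfg")
  [ -n "$ws" ] && [ -n "$fs" ] || { echo "defines not found in $cfg" >&2; return 1; }
  case $fs in */) ;; *) echo "DIR_FS_ADMIN needs a trailing slash: $fs" >&2; return 1 ;; esac
  [ -d "$fs" ] || { echo "DIR_FS_ADMIN does not exist: $fs" >&2; return 1; }
  [ -d "${fs}backups" ] || mkdir "${fs}backups"   # DIR_FS_BACKUP = DIR_FS_ADMIN . 'backups/'
  echo "$ws $fs"
}

# --- demo on a throwaway tree (constructed, not a real store) ---
tmp=$(mktemp -d)
mkdir -p "$tmp/catalog/admin/includes"
cat > "$tmp/catalog/admin/includes/configure.php" <<'EOF'
<?php
  define('DIR_WS_ADMIN', '/catalog/admin/');
  define('DIR_FS_ADMIN', '/home/user/public_html/catalog/admin/');
EOF
chmod 444 "$tmp/catalog/admin/includes/configure.php"
rename_admin "$tmp" /catalog/ admin mynewname
check_admin "$tmp/catalog/mynewname/includes/configure.php"
rm -rf "$tmp"
```

On a real store run it as the account that owns the files, with the real document root and store path, and take a copy of configure.php first; the chmod at the end is the same 444-versus-400 choice the permission advice in this thread is about.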

#180 Emilytw88

  • Community Member
  • 39 posts
  • Real Name:Emily

Posted 21 April 2011, 15:49

Hi Chris,

Can you show us step by step how to change the config.php file from 444 to 604? Thanks.

-Emily