218 replies to this topic

[GemRock]

Quote

... and I won't reply any more

no one expects or waiting for a reply, at least not me as that makes no sense. now all said, its up to everyone to decide whether you would want to kidding yourself by buying two lunches each day with one as a backup in case you dont end up with hungry and can't be functioning the whole afternoon.

@steve: you didnt say how you did it but normal procedure is: take cPanel as example, you look for a function called password protect directory in cPanel, you then follow the onscreen instruction (starting by selecting the admin folder name you want to protect). when finished, the .htacceee will be created by cPanel and placed in the admin folder without you even realising it. There is NO editor involved/used.

Ken

[altoid]

GemRock, on Jul 25 2009, 05:04 PM, said:

@steve: you didnt say how you did it but normal procedure is: take cPanel as example, you look for a function called password protect directory in cPanel, you then follow the onscreen instruction (starting by selecting the admin folder name you want to protect). when finished, the .htacceee will be created by cPanel and placed in the admin folder without you even realising it. There is NO editor involved/used.

Ken

Ken,  I searched my host site for folder password protection and came up with these instructions...

"Log into the .htaccess Editor, and then click Password Protection.
In the Select Directory section, click Change to select the directory you want to protect. The current protection setting for the selected directory displays in the Password Protection Status section.
To change the setting, click one of the following buttons:

Enable to add protection.
Disable to remove existing protection. "

That's why I was using the .htaccess editor they offer.  When I ran into the directory issue I asked for an alternative way to password protect my folder and that's when the said to move my folder under the public_html folder then I could do that.

I just searched again and all hits point me to using their built in .htaccess editor.

Thanks for the response and I am open to suggestions for sure.  

Steve

[GemRock]

Steve

one should try to help others to help him/her-self by giving out as much details (of the problem) as possible. in your case, iwould like to know what site control panel the server uses, and what exactly the editor does. what your host told you must move site to the web root (for pw protect directory) is a load of rubbish, they were trying to cover up the non professional way of setting up their server (and therefore not fit for purpose IMO). password protecting directories has nothing to do with what location the directory would be in the directory hierarchy. it can be anywhere within your web space.
if you host proves they dont know what they are doing or talking about, ie, everything fails, then try this online tool, which as far as I can see is not a commercial site so its not against forum rules to put it here.

Ken

[altoid]

GemRock, on Jul 26 2009, 04:56 AM, said:

Steve

in your case, iwould like to know what site control panel the server uses, and what exactly the editor does.

Ken

Hi Ken,  

Here is what I can glean from my host site relative to your questions.

At the control panel I see "powered by vDeck."

[img]http://ba.barkavenuedogboutique.com/images/albums/temp/Cpanel.jpg[/img]

When I click the .htaccess button you get....

[img]http://ba.barkavenuedogboutique.com/images/albums/temp/htaccesseditor.jpg[/img]

Then when I click the password protection, I am taken through a route that puts me into that specific public_html folder with no ability to navigate laterally or upwards to another folder.

I have had a couple other tech support glitches with the host so I am not surprised if their response to this issue is off the mark.

Thanks much.

Steve

[muggibear]

Just to add my 2p's to this topic and to hopefully help other newbies like myself...

I did what the OP said regarding renaming the 'admin' folder, so:
[Step 1] 'http://www.mysite.com/mycatalog/admin' --became-> 'http://www.mysite.com/mycatalog/newadminfolder'
(Needless to say the above site isn't real.)

Then:
[Step 2] changed 'newadminfolder/includes/configure.php' as per the OP's instructions

After Step 2, all attempts to access 'http://www.mysite.com/mycatalog/admin' should result in a 404 error, but I'll reach my osCommerce Administration login page at 'http://www.mysite.com/mycatalog/newadminfolder'

It's in the next step where I started scratching my head...good thing I found this handy tutorial, which also contains a neat tool (at the end of the tutorial) for generating your login and password for your would-be protected 'newadminfolder'

Here's the link: http://www.addedbytes.com/apache/password-...-with-htaccess/   (Please read tutorial before continuing below)

[Step 3] Follow the tutorial for generating your .htaccess file and your login/password list for your 'newadminfolder'
[Step 3a] For the absolute path needed for the 'AuthUserFile' entry, I used the 'Backup Directory' entry found in 'Database Backup' tool inside osCommerce Administration
Example:
I created a new folder called 'mynewfolder' just outside of my catalog, so if my Backup Directory says '/this/is/where/you/are/mysite.com/mycatalog/newadminfolder/backups/' then I entered the following lines in my .htaccess file:

AuthName "My New Admin Page"
AuthType Basic
AuthUserFile /this/is/where/you/are/mysite.com/mynewfolder/.htpasswd
require valid-user

[Step 4] Upload the .htpasswd file under the 'mynewfolder' folder and

[Step 5] Upload the .htaccess file under the 'newadminfolder' folder

And that's it. The first time I go to 'http://www.mysite.com/mycatalog/newadminfolder' I get a pop-up window to enter a login ID/pswd, which should be found within my 'mynewfolder/.htpasswd' file, and if I get both ID/pswd correct then my osCommerce Administration login page gets displayed. I don't mind entering two login ID/pswd's.

Hope these help!

[altoid]

muggibear, on Jul 26 2009, 09:34 PM, said:

Just to add my 2p's to this topic and to hopefully help other newbies like myself...

Muggiebear, thank you for responding.  I saved your instructions to file and bookmarked the link.

Over the past couple days I have been considering what to do...and my move my store folder within the public_html folder, which may solve one problem, and crop up some others like configuring, etc.

I will get this figured out eventually.  Thanks

Steve

[ecogreenbee]

I'm a NEWBIE and don't seem to be comprehending all these about the Admin Directory instructions. Can you please tell me that if I can just re-name my Admin Directory and create a new password in osCommerce...that takes care of #1 or A. For #2 or B, can I just not mess with changing the 2 lines to add the .htaccess protection in osCommerce if I have a Password Protect Directories in my own webhosting. In other words, can I take care on the .htaccess protection in my webhosting. I am hesitant to mess with my codes in osCommerce for fear of getting an ERROR page...please help! Thank you in advance.

[GemRock]

for most shops, renaming admin directory/folder is good enough as long as you take care of not publishing your new admin folder (such as on invoices) to any one else even your customers. you should use hard-to-guess or impossible-to-guess, random charactors eg, DhyIUKD8g, as the name of the admin folder. if no one knows the url (given that it has been renamed as shown above) to your admin area, then there is no chance of hacking.
i'd recommend the above for most shop owners, as the .htaccess thing seems to create a lot of problems especially on servers that are set up based on what the server admin *thinks* you would or would not need.

Ken

Edited by GemRock, 28 July 2009 - 05:57 PM.

[ecartz]

GemRock, on Jul 28 2009, 01:56 PM, said:

for most shops, renaming admin directory/folder is good enough as long as you take care of not publishing your new admin folder

I completely disagree with this.  The only purpose of renaming the admin folder is not to have automated bots hitting it.  It's not a security feature.  Consider this, would you be willing to turn off password protection entirely and just rename the folder?  Because that's essentially what you are proposing.  

Renaming the folder is obscurity.  Obscurity is not security.  Obscurity can be pierced -- all it takes is an exploit that reveals the directory contents of the catalog folder.  On some (badly configured) servers, that might be as simple as requesting the catalog directory.  Even on a correctly configured server, there can still be an Apache bug that duplicates the badly configured behavior.  Or on shared hosting, someone might figure out how to get out of their sandbox and look into yours.  Note that they would not need write access, just read -- to a publicly available folder (catalog).  

The only secure method is to password protect the folder.  

Now, all that said, if someone has password protection in their hosting (the original question), then they don't need to mess with changing .htaccess.  The hosting will do that.  Hosting's password protection is secure for site's with admin in SSL (and no password scheme is secure without SSL).  All that a host's password protection for a directory does is modify either the .htaccess or the httpd.conf file with the htpasswd changes.  Essentially, it is making the .htaccess changes for you.  

The osCommerce code changes just keep you from logging in twice.  If you don't mind logging in twice, you can leave them off.  The directory password protection is just as secure without them.

[GemRock]

ecartz, on Jul 28 2009, 10:24 PM, said:

...Consider this, would you be willing to turn off password protection entirely and just rename the folder? Because that's essentially what you are proposing...The only secure method is to password protect the folder...

i suppose you dont know what you are talking about. the issue applies to and ONLY applies to osc 2.2 rc1 or 2, which alteady has a login function albeit somewhat exploitable hence the suggestion of renaming the admin folder. the point i am making is if you dont know the name of the admin folder, ie, the url to it, you have no way to exploit it. and most shops are not that interested to hackers since there are not much useful data to steal from or damage to make. whos going to rob a begger on the street dressing in dirty clothing? on the other hand if you have a shop that actually makes a full, comfortable living for you and you could well have tens of thousands of customers data then you probably have no time to take the trouble as evindenced here you would have hired someone to secure it for you using methods thats beyond what has been discussed here.

aftre all, would a homeless spends his only pennies to protect his property while sleep on the street when in fact he has no property at all to worry about?

Quote

The only secure method is to password protect the folder.

Really? what about FTP??

Quote

and no password scheme is secure without SSL

RUBBISH.

Ken

Edited by GemRock, 28 July 2009 - 09:55 PM.

[ecartz]

My point is that there are ways to determine what folders are present on a website.  I listed three (bad Apache configuration, Apache bug, shared hosting bug).  If an attacker uses any of those, your secret URL is no longer a secret.  The first two of those are vulnerable to bots in the same way that this exploit is.  

If there is an exploit for the password protection, then the password protection does not exist.  Anyone smart enough to write a bot that tries all osCommerce sites would also be smart enough to read this thread and figure out how to bypass the password protection.  

Not sure what FTP has to do with it?  Unless you are claiming that FTP is secure without SSL?  It's not.  That's why SFTP exists.  

Most shops might be able to get by without using SSL and never be exploited.  The concerns there are very different (mostly relating to eavesdropping of connections).  Perhaps I shouldn't have brought it up, as it's outside the current discussion.  However, for a secure admin, SSL is required.  The beggar comparison is apt here, as SSL costs money (albeit not a lot, ) and it might possibly be more practical to accept the risk of compromise than to pay the $50 for a cheapo SSL certificate.  That does not apply to password protecting the folder, which is free.  

It is especially bad advice to give to someone who has password protection in their hosting.  It is in fact horrible advice.  That person can spend a couple minutes using the tool that their host provided and improve their protection greatly at no cost to him or herself except a small amount of time.

[ecogreenbee]

Thank you all for this debatable topic. All in all, it's a great learning experience for new member, like myself. I does seem like it's all that hard, but I guess if you know what you are doing or understand the concept, it's as easy as 123. For my part, it turned out simple since I didn't have to deal with changing anything in osCommerce, except my Admin Directory. I did my .htaccess protection with my webhosting and it was very simple. It even helps generate a strong password to use. Protecting your website, however big or small, is a peace of mind, in the day and age bombarded with hackers.  

ecartz, on Jul 28 2009, 11:33 PM, said:

My point is that there are ways to determine what folders are present on a website.  I listed three (bad Apache configuration, Apache bug, shared hosting bug).  If an attacker uses any of those, your secret URL is no longer a secret.  The first two of those are vulnerable to bots in the same way that this exploit is.  

If there is an exploit for the password protection, then the password protection does not exist.  Anyone smart enough to write a bot that tries all osCommerce sites would also be smart enough to read this thread and figure out how to bypass the password protection.  

Not sure what FTP has to do with it?  Unless you are claiming that FTP is secure without SSL?  It's not.  That's why SFTP exists.  

Most shops might be able to get by without using SSL and never be exploited.  The concerns there are very different (mostly relating to eavesdropping of connections).  Perhaps I shouldn't have brought it up, as it's outside the current discussion.  However, for a secure admin, SSL is required.  The beggar comparison is apt here, as SSL costs money (albeit not a lot, ) and it might possibly be more practical to accept the risk of compromise than to pay the $50 for a cheapo SSL certificate.  That does not apply to password protecting the folder, which is free.  

It is especially bad advice to give to someone who has password protection in their hosting.  It is in fact horrible advice.  That person can spend a couple minutes using the tool that their host provided and improve their protection greatly at no cost to him or herself except a small amount of time.

[GemRock]

Quote

...there are ways to determine what folders are present on a website...

and so theres always ways not to give out site directory structure, a proper setup 404 page being one of them.

Quote

...bad Apache configuration, Apache bug, shared hosting bug...

in that case one could only pray god morning & night or every 15 minutes for protection. and is there a bug to accept ANY password you may type in when prompted for one, if not why not?

Quote

...Anyone smart enough to write a bot that tries all osCommerce sites...

the word *smart* should be properly replaced by *stupid*. smart guy dont try those poor (poorer than a mouse) osc shops instead theyd spend their time on high profile sites which would need a proper guy to properly protect, and thats the real battle field.

Quote

...what FTP has to do with it...

ftp only has something to do with it is when someone claim the only way is pw protect it. ok, you have pw, plus SSL, if iwere hacker, id listen to your ftp traffic as MOST hosts do not offer SFTP to intercept your ftp details. now, even an dummy would now how to use ftp to rename a file to render it into useless. so all a sudden your .htaccess becomes nothing.

Quote

...Most shops might be able to get by without using SSL and never be exploited...

should add pw .htaccess to it. and dont forget some SSL itself is also exploitable as reported not so long ago. so if youare so worried, then you may develop a mental problem as the list of loophole would go longer and longer.

Quote

...does not apply to password protecting the folder, which is free.
...a small amount of time...

try to tell steve above or someone like him, they have been having almost life threatening troubles to try to do it, which is what prompts me to make my suggestion, to save their life!

knowing something does NOT neccesarily mean you have to use it anywhere anytime any situation.

Ken

[rgmonster]

rgmonster, on Jul 22 2009, 06:12 PM, said:

Hey, no need for the shouting.

I agree to differ with the last message.  My and obviously one other's experience is different so please don't shoot the messenger when there is something wrong.  OSC is perfect and it's just the idiots messing about with it attitude isn't right either.  The advice of going through every file to find a hard encoded file location was a no brainer and most unhelpful and to term it as "bad luck" not helpful either.  Something must have been wrong in the installation somewhere but no sensible suggestion came out as to where.  

All I am saying is warn folk to have a roll back plan when advising doing something like this because sod's law always crops up somewhere.

Everyone on this site has different levels of experience with oscommerce and all of us want simple, helpful and clear instructions on what to do about issues that trouble us.

Nuff said on this and I won't reply any more regardless.

Mystery Solved.

The problem was with password protecting the admin folder first using cPanel utility.  Before renaming the admin folder remove any password protection on the folder.  After performing the rename and the configure.php file check you can log in.  Then re-apply the password protection using cPanel.

If you have another meathod of applying password protection perhaps you should consider removing it anyway:

So for clarity:

Backup the admin/includes/configure.php file

1. Remove password protection on admin folder

2. Renaming the admin folder to a name of your choice.

3. Edit the /includes/configure.php file in the newly renamed folder to replace the word admin with the new folder name.  These lines look like:

  define('DIR_WS_ADMIN', '/admin/');
  define('DIR_FS_ADMIN', '/home/setstre1/public_html/admin/');

4. Check this works.

5. Re-apply password protection on newly renamed admin folder

6.  Check this works with password protection on.

[altoid]

All the discussion and suggestions are very beneficial, so after pondering this a while I think I will bite the bullet and go along with my host suggestion to move the folder where my osCommerce store resides from "beside" to under the public_html folder.  That way, I will be able to use their tool to set password protection for my admin folder.   (The host only allows the tool for use for folder protection to the public_html folder and any folders contained in the public_html folder.)

Before I dive into this, I'd like someone with more experience to look over what I plan to do and let me know if I am missing something.

in my /catalog/admin/includes/configure.php file there are some defines that probably apply.

I think

define('HTTP_SERVER', 'my store url');
define('HTTP_CATALOG_SERVER', 'my store url');

are ok because I will point my subdomain to the appropriate folder that I am moving.

So for the sake of my example my pointer now goes to catalog, following my domain, and will now have to go to public_html/catalog.  

However for

define('DIR_FS_DOCUMENT_ROOT', '/*********************/catalog//');
and
define('DIR_FS_CATALOG', '/****************************/catalog//');

Should I put /public_html in before the /catalog// part?

Do any other defines need changed so the /public_html is properly recognized anywhere?

Then over in /catlogue/includes/configure.php I don't see any definde in there that need changed.

Input please and thank you.

[altoid]

altoid, on Jul 30 2009, 07:19 PM, said:

Input please and thank you.

I went ahead and made the config changes so my site resides in the public_html folder, then protected my folder as per the recommendation in this post.  After the redo I made a sale about a half our later....so all is working.

When managing running administrative tasks I have to enter a user id and password twice, but no big deal really given the protection benefit.

Onward and upward.....

Thanks

[Java Roasters]

I think the fix should be;

admin/includes/application_top.php

Line 36

// set php_self in the local scope
 $PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

Change to

// set php_self in the local scope
 $PHP_SELF = $_SERVER['PHP_SELF'];

Line 124

// redirect to login page if administrator is not yet logged in
 if (!tep_session_is_registered('admin')) {
   $redirect = false;

   $current_page = basename($PHP_SELF);

Change to

// redirect to login page if administrator is not yet logged in
 if (!tep_session_is_registered('admin')) {
   $redirect = false;

   $current_page = basename($_SERVER['SCRIPT_NAME']);

Line 149

// include the language translations
 require(DIR_WS_LANGUAGES . $language . '.php');
 $current_page = basename($PHP_SELF);

Change to

// include the language translations
 require(DIR_WS_LANGUAGES . $language . '.php');
 $current_page = basename($_SERVER['SCRIPT_NAME']);

[bradybarrows]

Coopco, on Jul 22 2009, 04:56 AM, said:

Check to see if you have a configure.php file under "admin"/includes/local

What does this mean?  How do I check for this?  I am having the same problem, when I change the admin folder name I can't log into the new folder and I get the same 404 error. Obviously there are at least three of us doing something wrong. The instructions are simple enough but there is something missing in the instructions that Ken and others seem to understand intuitively that we newbies don't. Like, what does it mean to have a config.php file under "admin"/includes/local.  

What is 'local' ?  How do you check this in simple steps?  Maybe this is the problem, or maybe it is something else we are missing.

[bradybarrows]

Java Roasters, on Aug 20 2009, 09:26 AM, said:

I think the fix should be;

admin/includes/application_top.php

Line 36

// set php_self in the local scope
 $PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

Change to

// set php_self in the local scope
 $PHP_SELF = $_SERVER['PHP_SELF'];

Line 124

// redirect to login page if administrator is not yet logged in
 if (!tep_session_is_registered('admin')) {
   $redirect = false;

   $current_page = basename($PHP_SELF);

Change to

// redirect to login page if administrator is not yet logged in
 if (!tep_session_is_registered('admin')) {
   $redirect = false;

   $current_page = basename($_SERVER['SCRIPT_NAME']);

Line 149

// include the language translations
 require(DIR_WS_LANGUAGES . $language . '.php');
 $current_page = basename($PHP_SELF);

Change to

// include the language translations
 require(DIR_WS_LANGUAGES . $language . '.php');
 $current_page = basename($_SERVER['SCRIPT_NAME']);

I tried this and it totally crashed my site and I had to re-install it again losing some products I had started.  Thankfully it was only five items, no big deal. But I think the above code is a bit drastic for newbies and if anyone understands what Java Roasters is suggesting and can confirm this is the correct code, please post since if this is the solution, newbies will need a bunch of help understanding this one.

[rgmonster]

bradybarrows, on Sep 10 2009, 09:51 PM, said:

I tried this and it totally crashed my site and I had to re-install it again losing some products I had started.  Thankfully it was only five items, no big deal. But I think the above code is a bit drastic for newbies and if anyone understands what Java Roasters is suggesting and can confirm this is the correct code, please post since if this is the solution, newbies will need a bunch of help understanding this one.

Hi Bradybarrows

Install oscommerce by the book ie:  Don't use the Fantastico installer as it messes with the system and you cannot successfully rename the admin folder if you use it.  I know this from bitter experience.   It is ok to use the cPanel to create the mySQL database but you need to ftp the oscommerce files over to your website and then run the install routing.  You can find the procedure here http://forums.oscommerce.com/index.php?sho...&hl=install

I wasn't going to reply again due to the know all and sarcastic attitude of some in this forum but you might benefit from this.  He knows who he is.

Oh, and definately use the cPanel to password protect a folder and also make sure you have an SSL certificate.  You can ensure direction to https://  using .htaccess by adding as follows:

  RewriteEngine On
  RewriteCond %{SERVER_PORT} !=443
  RewriteRule ^ https://www.yoursite.com%{REQUEST_URI} [NS,R,L]

  IndexIgnore *

The IndexIgnore statement prevents directory listing in your website, otherwise a listing could assist someone guessing your new admin folders name.

I hope this helps.


Regards