203 replies to this topic

[bradybarrows]

rgmonster, on Sep 10 2009, 11:19 AM, said:

Hi Bradybarrows

Install oscommerce by the book ie: Don't use the Fantastico installer as it messes with the system and you cannot successfully rename the admin folder if you use it. I know this from bitter experience. It is ok to use the cPanel to create the mySQL database but you need to ftp the oscommerce files over to your website and then run the install routing. You can find the procedure here http://forums.oscommerce.com/index.php?sho...&hl=install

I wasn't going to reply again due to the know all and sarcastic attitude of some in this forum but you might benefit from this. He knows who he is.

Oh, and definately use the cPanel to password protect a folder and also make sure you have an SSL certificate. You can ensure direction to https:// using .htaccess by adding as follows:

RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteRule ^ https://www.yoursite.com%{REQUEST_URI} [NS,R,L]

IndexIgnore *

The IndexIgnore statement prevents directory listing in your website, otherwise a listing could assist someone guessing your new admin folders name.

I hope this helps.


Regards

Aloha Robert,
thanks for the tip. however, I did indeed use ftp to upload the cart. I am simply experimenting with a new cart to understand how to re-write the admin folder before I even attempt to try this on my working shopping cart with SSL certification. I simply want to beef up my site with security since on another shopping cart that doesn't even have the payment modules integrated (I am simply using the osCommerce v2 cart as a database web site cause it is so cool) and didn't know I needed any security addons at all since there aren't any warnings about security addons needed with the instructions (at least I didn't notice them if there were any) and a hacker went into my site and really messed it up. So before I get hacked with my real live shopping cart that is integrated with two payment modules I am simply experimenting with another cart. I am still trying to figure out how to change the admin folder name. If I figure it out, I will post the results.

As to the sarcastic advice here in osCommerce forums, it is just the nature of some to be that way just like in real life with real people we meet outside this forum. You have to understand the nature of volunteering which is what is happening here. All the posters are volunteering their time to answer questions, and some of the questions are really dumb because to a developer of the osCommerce code, which some of these volunteers are, they can't quite fathom that a novice or newbie would even dare to ask such a question and they don't want to waste time teaching basic knowledge that anyone who would want a shopping cart should already know.

One way I have thought about that would might reduce this problem of sarcasm and nasty remarks to beginners is to add a forum under the v2.2 heading called NEWBIES or BEGINNERS and then if the developers venture into this forum they should know that there will be a lot of dumb questions that if someone would take the time to read the manual or spend a few hours reading the posts already there wouldn't ask again. But the nature of some newbies is that they ask a dumb question without reading anything and you can only imagine how a developer of the osCommerce code would react to that. Not all developers are that way, some are very helpful and what is going on here is totally amazing. Thousands of people are here asking questions and probably a core of less than hundred know what is going on with osCommerce and if one is really good with osCommerce shopping carts are making lots of money setting them up and not spending any time here helping newbies.

The other suggestion I have for Harold Ponce De Leon who came up with this whole deal is to clearly explain what an alpha shopping cart is since hundreds of newbies think v3 should be the one to download and they haven't a clue what they are doing. And with v2 it should clearly say with big warning letters that security is an issue and there are several addons that need to be integrated into the shop before going live with a cart.

[GemRock]

Quote

Check to see if you have a configure.php file under "admin"/includes/local

bradybarrows, on Sep 10 2009, 09:48 PM, said:

What does this mean? How do I check for this?

if you dont know what it is, then you are unlikely having one there. this is akin to asking "what is a safe? how do i know ro how i check it i got one in my room? well, if you dont know, then you are highly unlikely having a safe in your room becasue you'd have to buy it then put it in your room. same as the configure.php file in the local folder. osc does not automatocally put such a file there. it has to be the person whos installing the osc store puts it there. so the fact that you dont know what it is, then you have no worry about it and there wont be one there. sorry i seem to become a bit chatty..."normally" i am kind of straight talking.

the instruction is in the #1 post. what is not clear in it?

and if you are just starting building your first online store then focus should not be on this issue. i know it sounds serious but in real life its not a big deal for many. i know someone probably jump in and point out i am giving bad advice etc etc, and remember software apllications security is a matter of life that i (i say I so that I dont include accidetally others who may see differently) will have to live with, just think, like it or not, MS has an army of very good programmers but every week we have security updates. i say MS but unfortunately other big (software) players cant exclude them from this sad fact, like it or not.
Ken

Edited by GemRock, 10 September 2009, 23:35.

[bradybarrows]

GemRock, on Jul 21 2009, 05:58 AM, said:

it is a simple change (takes about 2 minutes) for a default osc shop if you understand and follow the first post by Jan in particular this bit "After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php". Note the location of the configure.php, which is different from the other one under [catalog]/includes/.
there should not be any hard coded admin folder name in any files, if yours does have hard coded admin folder in files then bad luck (you have a wrongly modified shop) , you will need to find each occurance and fix them.

the .htaccess protection is beyond osc, you will need to contact your host for advice as different host may have different way of doing it.

Ken

I have spent about five hours on this, so please bare with my lack of knowledge. I can get the new admin folder to show up and get the log in page. However, when I log in with the user name and password I used before, it won't log in. How can I reset the user name and password? Or is there another work around?

[bradybarrows]

GemRock, on Sep 10 2009, 01:32 PM, said:

if you dont know what it is, then you are unlikely having one there. this is akin to asking "what is a safe? how do i know ro how i check it i got one in my room? well, if you dont know, then you are highly unlikely having a safe in your room becasue you'd have to buy it then put it in your room. same as the configure.php file in the local folder. osc does not automatocally put such a file there. it has to be the person whos installing the osc store puts it there. so the fact that you dont know what it is, then you have no worry about it and there wont be one there. sorry i seem to become a bit chatty..."normally" i am kind of straight talking.

the instruction is in the #1 post. what is not clear in it?

and if you are just starting building your first online store then focus should not be on this issue. i know it sounds serious but in real life its not a big deal for many. i know someone probably jump in and point out i am giving bad advice etc etc, and remember software apllications security is a matter of life that i (i say I so that I dont include accidetally others who may see differently) will have to live with, just think, like it or not, MS has an army of very good programmers but every week we have security updates. i say MS but unfortunately other big (software) players cant exclude them from this sad fact, like it or not.
Ken

Aloha Ken,

thanks for replying to my question. What throws me off is the statement:

configure.php file under "admin"/includes/local

I know the configure.php file is in the following folder:

/catalog/admin/includes/

Why would the original poster write 'local' at the end? What does that mean? I know what a safe is. I would look in the room till I find it. I am not asking how to open the safe, I am asking, can you give me some direction on where the safe is located in the room.

I have at least been able to get the log in page to come up in my browser with the new admin folder. However, when I log in using the user name and password I set up with the admin folder I am redirected to a 404 page error. Here is the url I am redirected to:

http://www.mydomain.com/new_admin_directory/login.php?

As you can see, it is not pointing to catalog/new_admin_directory/login.php?

Maybe that is a clue to what is going on. I am making progress. I can at least see the new admin directory. I am confident this problem will work out, it is just something I am doing wrong, or neglecting to do.

[mhvideos]

bradybarrows, on Sep 11 2009, 12:50 AM, said:

Aloha Ken,

thanks for replying to my question. What throws me off is the statement:

configure.php file under "admin"/includes/local

I know the configure.php file is in the following folder:

/catalog/admin/includes/

Why would the original poster write 'local' at the end? What does that mean?

Local would be a subfolder in the admin/includes folder
If there is no folder then you do not have a local version
If it is there the configure.php file in it will overide the one in admin/includes

Martin

[bradybarrows]

mhvideos, on Sep 10 2009, 07:49 PM, said:

Local would be a subfolder in the admin/includes folder
If there is no folder then you do not have a local version
If it is there the configure.php file in it will overide the one in admin/includes

Martin

Duh. Thanks very much for being so patient with me Martin. I see what people get upset with posters like me asking dumb questions. Ok. I put a copy of the configure.php file in there and I still get the same response when I log in I get this:

http://www.mydomain.com/new_admin_folder/login.php

It isn't going to:

http://www.mydomain.com/catalog/new_admin_folder/index.php

I know this is easy fix since I am close. Please help.

[bradybarrows]

mrpointy, on Jul 21 2009, 05:44 AM, said:

Ditto!

I changed the name of the admin folder & the suggested file, but still can't access the admin as per the above. There are more references to the folder "admin" in OSC & these don't seem to be changed. I want to protect the store I've built, but following this thread actually makes the admin unusable.....can the advice be more thorough for an important issue like this please, even if it's just a link to another thread?

I would also like to write a correct .htaccess file, but despite thinking I'm fairly intelligent, most of the stuff I read is just way above my head

Can the information be spelt out for us newbies, in a way that we can follow to the correct result, but doesn't fry the brain?

Thanks

I found this helpful for the .htaccess file:

http://addons.oscommerce.com/info/6066

I downloaded FIMBLE 15 Jul 2008 and used the script provided. If you don't know about the .htaccess file it is sometimes hidden and if you have a windows server you can't use it. If it is a Linux server or Apache server it works. This explains how .htaccess works:

http://en.wikipedia.org/wiki/.htaccess

[rgmonster]

bradybarrows, on Sep 10 2009, 11:11 PM, said:

Aloha Robert,
thanks for the tip. however, I did indeed use ftp to upload the cart. I am simply experimenting with a new cart to understand how to re-write the admin folder before I even attempt to try this on my working shopping cart with SSL certification. I simply want to beef up my site with security since on another shopping cart that doesn't even have the payment modules integrated (I am simply using the osCommerce v2 cart as a database web site cause it is so cool) and didn't know I needed any security addons at all since there aren't any warnings about security addons needed with the instructions (at least I didn't notice them if there were any) and a hacker went into my site and really messed it up. So before I get hacked with my real live shopping cart that is integrated with two payment modules I am simply experimenting with another cart. I am still trying to figure out how to change the admin folder name. If I figure it out, I will post the results.

As to the sarcastic advice here in osCommerce forums, it is just the nature of some to be that way just like in real life with real people we meet outside this forum. You have to understand the nature of volunteering which is what is happening here. All the posters are volunteering their time to answer questions, and some of the questions are really dumb because to a developer of the osCommerce code, which some of these volunteers are, they can't quite fathom that a novice or newbie would even dare to ask such a question and they don't want to waste time teaching basic knowledge that anyone who would want a shopping cart should already know.

One way I have thought about that would might reduce this problem of sarcasm and nasty remarks to beginners is to add a forum under the v2.2 heading called NEWBIES or BEGINNERS and then if the developers venture into this forum they should know that there will be a lot of dumb questions that if someone would take the time to read the manual or spend a few hours reading the posts already there wouldn't ask again. But the nature of some newbies is that they ask a dumb question without reading anything and you can only imagine how a developer of the osCommerce code would react to that. Not all developers are that way, some are very helpful and what is going on here is totally amazing. Thousands of people are here asking questions and probably a core of less than hundred know what is going on with osCommerce and if one is really good with osCommerce shopping carts are making lots of money setting them up and not spending any time here helping newbies.

The other suggestion I have for Harold Ponce De Leon who came up with this whole deal is to clearly explain what an alpha shopping cart is since hundreds of newbies think v3 should be the one to download and they haven't a clue what they are doing. And with v2 it should clearly say with big warning letters that security is an issue and there are several addons that need to be integrated into the shop before going live with a cart.

Aloha Bradybarrows

Thanks for the pep talk. I will bear that in mind. No you don't need SSL if you are not running and online store but I have seen advice here stating that it is not very important. Also, no one has mentioned preventing listing the directories in your website so I thought it would be helpful as a security measure as well. Paranoia is not a bad thing on the web and if you do get hacked at least you can, in good conscience inform your customers that you did all you could (and perhaps avoid legal action).

I have rebuild my website about a dozen times due to this admin folder issue and I should have switched to the wonderful Joomla at this point but I am stubborn and wouldn't let it beat me. I can only put my issues down to the Fantastico installer as all went well when I installed manually. However, there are some other steps that might help so here is step by step how I got it working:

I created a new mySQL Database with a very complex username and password

Copy the files in the catalog folder using ftp to your website location. In my case it is the root folder and is called public_html when viewing in ftp. It is not made clear for newbies to only transfer the files and folders in the catalog folder and not the catalog folder itself. I used osCommerce 2.2a.

I ran the install routine with the files and folders as per out the box and then sorted any warning messages (about file permissions).

I then used the cPanel file manager to rename the admin folder.

After that I modified the renamed_admin_directory/includes/configure.php file as per the first post using wordpad and not notepad as the line breakes seemed to go missing using notepad. I now use wordpad instead of notepad for editing as the linebreaks are never removed.

I then used the cPanel password protect a directory facility. I had tried this manually and it never worked. After browsing about I noticed the password is encrypted in the file with the username and password, no doubt to improving security so it is not possible to do this manually.

I hope this is helpful to you and others.

[bradybarrows]

GemRock, on Jul 22 2009, 06:36 AM, said:

the complete opposite is true. it is NOT lucky or otherwise, its simple a very straightforward thing, as easy as ABC. *Obviously* there is *NOTHING* esle (for a defualt osc setup). if you can't get this very simple thing done, then i suppose you should not issue any warning here as it is completely false: it can be done any time, anywhere, any shop including those that take in thousands of orders daily, and it wont stop your shop running for even a second. Thats the truth. and I am stating a fact, not insisting...or guessing.

Ken

Ken,

I can appreciate that for you it is a snap. But there are at least three of us in this thread who are not getting the same results. I too can get the log in page with the new_admin_directory but when I log in it goes back to:

www.domain.com/new_admin_directory/login.php

It is supposed to go to:

www.domain.com/catalog/new_admin_directory/index.php

But is is not. This obviously is a simple fix. It might be the way the code is configured. The initial code shows:

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

I copied the /your/path/to/directory/renamed_admin_directory/ from the backup database path. My back up directory is this path:

/home/43/dnumber/htdocs/domainfolder/catalog/renamed_admin_director/

I placed a copy of the configure.php file in the local folder as well. What would be the motive of three of us having the same problem other than we are simply not getting the same snappy result you do. We all wish we could get this done and simply are asking what are we doing wrong and please help us. We want to beef up the security of the admin folder. Maybe you could think of something you would check?

[bradybarrows]

rgmonster, on Sep 10 2009, 10:09 PM, said:

Aloha Bradybarrows

Thanks for the pep talk. I will bear that in mind. No you don't need SSL if you are not running and online store but I have seen advice here stating that it is not very important. Also, no one has mentioned preventing listing the directories in your website so I thought it would be helpful as a security measure as well. Paranoia is not a bad thing on the web and if you do get hacked at least you can, in good conscience inform your customers that you did all you could (and perhaps avoid legal action).

I have rebuild my website about a dozen times due to this admin folder issue and I should have switched to the wonderful Joomla at this point but I am stubborn and wouldn't let it beat me. I can only put my issues down to the Fantastico installer as all went well when I installed manually. However, there are some other steps that might help so here is step by step how I got it working:

I created a new mySQL Database with a very complex username and password

Copy the files in the catalog folder using ftp to your website location. In my case it is the root folder and is called public_html when viewing in ftp. It is not made clear for newbies to only transfer the files and folders in the catalog folder and not the catalog folder itself. I used osCommerce 2.2a.

I ran the install routine with the files and folders as per out the box and then sorted any warning messages (about file permissions).

I then used the cPanel file manager to rename the admin folder.

After that I modified the renamed_admin_directory/includes/configure.php file as per the first post using wordpad and not notepad as the line breakes seemed to go missing using notepad. I now use wordpad instead of notepad for editing as the linebreaks are never removed.

I then used the cPanel password protect a directory facility. I had tried this manually and it never worked. After browsing about I noticed the password is encrypted in the file with the username and password, no doubt to improving security so it is not possible to do this manually.

I hope this is helpful to you and others.

Mahalo Robert. I am much closer since I can now at least see the new_admin_folder/login.php page. But when logging in it goes to outside the catalog page. Weird, huh? Obviously it is some minor glitch that needs tweaking a bit. There are so many variations of servers, scripting, code, php, that it is a wonder we can make any of this work, but I feel as you do, I am not giving up and will keep the osCommerce shopping cart since I have spent so many hours working with it. It is sort of like if your Dad drove a Ford truck, and you spent all those years driving in it, you end of buying a Ford instead of something else. However, I did spend about forty hours on the Interspire shopping cart and it is superior to the osCommerce one and has features built in that are in v3 like making web pages. Very cool cart, but costs $1000 and we know why we are all here working with osCommerce. I have probably spent way over 150 hours working with osCommerce. Yep, I have one client that I told I would build him an osCommerce shopping cart for a paltry sum with the condition that I would do the best I can but no warranty. It is it doesn't work, too bad. But he didn't care. So far, all he has the generic cart and I have put all the security features in it suggested at this url by Sam:

http://forums.oscommerce.com/index.php?showtopic=313323

Then I read about this admin security thread and have spent at least six hours on it and still haven't figured it out. I hate to go through all the steps again with a new uploaded cart, new database. I just did that. Everything is brand spanking new. Surely someone will suggest why the admin log in is going to outside the catalog and offer a suggestion to check this or that.

But I am happy that you figured it out and works for you. thanks for the chat.

[bradybarrows]

I get this error message on the log in page:

Error: Invalid administrator login attempt.

That is why it is throwing me out of the catalog folder to the top level of the domain. So how do I fix this? How do I change the admin user name and password? I have an idea. I will go back and install the cart again and change the user name and password. I will let you know.

[spooks]

bradybarrows, on Sep 11 2009, 09:43 AM, said:

Error: Invalid administrator login attempt.

Reset Admin Password http://www.oscommerce.com/community/contributions,5857

[bradybarrows]

spooks, on Sep 11 2009, 03:16 AM, said:

Reset Admin Password http://www.oscommerce.com/community/contributions,5857

Thanks Sam. Now that is a cool addon. It works great. However, resetting the password still does the same thing. I have put everything back the way it used to be, the admin folder and the configure.php file the way it was originally. And when I reset the admin password the next page is OUTSIDE the catalog. Very weird. I have checked the configure.php file in both the includes/ and in the admin/includes and I don't see anything out of place.

Do you have any idea why this could be happening. I am logging in and then taken out of the catalog and to the top level of my domain:

http://domain.com/login.php

There has to be a reason this is happening.

[bradybarrows]

After many hours of tweaking around I finally figured out how to change the admin directory to a new name without being logged in to outside the catalog directory. It is not as straightforward as some have said. Obviously each host has different ways of doing this. Here is what I came up with that works for me:

define('DIR_WS_ADMIN', '/catalog/name_of_new_admin_directory/');
  define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

If you will note, you leave the second line the same as the original. When I log into the new admin directory I then am directed into the catalog/name_of_new_directory/index.php like I am supposed to. If you are being logged in to outside the catalog directory to the top level of the domain, try this code out to see if it works for you.

[bradybarrows]

Feeling very confident that I was able to change the admin directory name on a test shopping cart to see if I can do it I then proceeded to change the name of the admin directory in my actual working shopping cart. Everything went fine, except that the Checkout by Amazon payment module refers to the admin folder and so I tried to figure out how to remedy this one and it got a bit complicated, so I simply put the admin folder back into its original name. I have added the admin directory as a password protected directory with cPanel through my host. I will contact the Checkout by Amazon team who is very helpful with such things and ask them the steps necessary to change the admin directory with their payment module.

Edited by bradybarrows, 13 September 2009, 03:02.

[Patty]

Hello everyone.

Couple of questions:

1) Will there be a fix released in the near future for this problem or this is it?
2) How to change the admin directory BEFORE installing? Just rename the folder and install as usual or is there anything to change on the install folder as well?

TIA

[Jan Zonjee]

Patty, on Sep 30 2009, 02:52 AM, said:

1) Will there be a fix released in the near future for this problem or this is it?

I don't know.

Quote

2) How to change the admin directory BEFORE installing?

Peter Bernard and others already did some work on that.

[Patty]

Jan Zonjee, on Sep 30 2009, 06:29 PM, said:

I don't know.

Peter Bernard and others already did some work on that.

Great! Will try that.

Tks a lot!

[Richard Cranium]

I read this whole thread with a combination of curiosity and amusement. I just want to add some generic advice that I hope is helpful for anyone who wants to move their Admin dir or is having trouble protecting a directory in their store:

1. Contact your hosting company. Please don't listen to anyone on these forums about your particular situation for cPanel, Plesk, etc. Look, the fact is there are umpteen shells out there. You know that these are just graphic shells for the real meat of the server, right? Seriously, please contact your host. Take 5 minutes and ask a professional - who you are paying btw - to help you learn how to use the tools they are providing you to protect your directories. Nuff said.

2. Find yourself some good tools (there are plenty of freebies available) that will allow you to compare file contents and to search files for character strings. Some of my personal favorites and which I highly recommend are (and these are just examples btw, and by no means the only such products available for the job):

Beyond Compare (compare contents of one file or directory to another)
Examine32 (text string search of any file type)

You can find these programs - for free - at www.scootersoftware.com and www.examine32.com respectively. You'll also find them on CNET's download section. Be careful of the program you select for these chores. I have tried many text string searchers in particular and most of them suck and fail to find all combinations. Examine32 is a keeper IMHO.

3. Be thorough. Don't forget to search your database for references to things you want to change.

4. Try different search string patterns to be sure you get all the nuances, e.g. <mydomain.com> and <mydomain> or <http://www.mydomain.com>.

I hope this is helpful to someone. We've all spent many hours trying to troubleshoot what appear to be simple problems (and often are). My goal is to help make your job finding your needle-in-the-haystack easier and faster!

Regards,
David

Edited by Richard Cranium, 04 October 2009, 02:11.

[xBelle]

garnet, on 20 July 2009, 11:25, said:

Hi
I added pass protect to admin folder. Might this be enough to fix the issue?
I tried to rename the folder and changed the paths in the configure file but after that when I log in in the admin it doest show the first page correctly - the page where you see the summary of the customers and orders.
http://www.name.com/admin/index.php
I dont see nothing after changing the admin name and before there were 2 tables there one in left for customers and one in right for orders.
If someone suggest how to fix this I am happy to rename the admin folder

Thank you to everyone for this very valuable information. i am a novice at this, but I had this exact issue (above) happen to me when I performed the admin directory name change. Garnet, I noticed you rectified this issue, perhaps you may be able to enlighten me