
Updated Security Thread

83 replies to this topic

#81   Mort-lemur

  • Members
  • 2,387 posts
  • Real Name:Heather
  • Gender:Female
  • Location:UK

Posted 15 March 2012 - 13:54

@Ninety-one Maro

In a 2.3.1 installation you will have renamed the admin folder to something else. Basically it is the folder where all the admin files live.

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

#82   vampirehunter

  • Members
  • 700 posts
  • Real Name:vampire

Posted 11 April 2012 - 20:54

Can someone point me to the definitive list of things I should do to secure a brand new 2.3.1 installation?

Which addons, which things should I change?

I tried osCommerce about 4 years back but that table layout almost made me kill myself. I see that the new version is CSS ready, so hopefully I can try again, but the contributions thing is also a problem.

I found it really annoying going through all those coded files replacing so many bits; I hope I don't have to do so many again.
Please advise on the 2.3.1 security procedures to make it strong and safe from hackers.


#83   ShopAdminNL

  • Members
  • 15 posts
  • Real Name:LeoS

Posted 19 April 2012 - 14:23

I'm a little bit of a newbie with osc 2.3.1, so I have a few security questions.

About '5. Rename /admin/ and htpasswd it' :

Have you changed the admin name in catalog/your_new_admin_folder/includes/configure.php

define('HTTP_SERVER', ''); // eg, http://localhost or - https://localhost should not be NULL for productive servers
define('HTTP_CATALOG_SERVER', '');
define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
define('DIR_WS_ADMIN', '/admin/');
define('DIR_WS_CATALOG', '/catalog/');

change this to the new name of your admin folder

So is it enough to just rename the /admin/ directory, and put this new name into the configure.php file within this new admin directory's /includes/? Or are there more places to set the new admin directory name?

Also, my configure.php files (both in catalog and in admin) are set to 644 instead of 444; should I change this immediately?

About '6. Remove references to (newly renamed) admin area in outgoing emails' :

I have tried to find out where in the emails this directory is mentioned, but no matter what I try, I can't see a reference to the admin directory. I've looked at the email's source with an OSX mail client. Is this issue still active in 2.3.1?
But what I do see is something like (envelope-from <deb3900000@xxxxx.nl>), which contains my FTP login name. Can this be a vulnerability?

Some things I do have already are:
- .htaccess files in most directories
- .htpasswd_osc file in the admin dir (but rights set to 664 because the rest is giving errors)
- adding "if (strpos($_SERVER['REQUEST_URI'], ".php/login.php") !== false) something something" to application_top.php in the admin dir
- set all directories to 755 instead of 777
- made sure the $PHP_SELF fix from this topic is added

Besides some IP / anti brute force filtering, what more can I secure?

#84   ShopAdminNL

  • Members
  • 15 posts
  • Real Name:LeoS

Posted 20 April 2012 - 10:39

Last night I changed the admin's folder name, also made the change in configure.php and .htaccess, all runs well right now!
Also set permissions of the two configure.php to 444.

Step-by-step getting closer to a well-secured osc install ;)

Now I have an additional question: my shop is not installed in the root, but in a subdir called something like root/webshop/.
Do I need to secure the root directory extra somehow? There are just a few files there, like 404.shtml (also 400, 401, 500 and so on), an index.html (for my start page before entering the shop), some images for index.html, a google-site-verification html and a robot.txt, no .htaccess though.

Edited by ShopAdminNL, 20 April 2012 - 10:40.
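The steps posts #83 and #84 describe (move /admin/ to a new name, update DIR_WS_ADMIN in the moved configure.php, put Basic auth in front of the folder, set both configure.php files to 444), rehearsed end to end as an added example. This is not code from the thread or from osCommerce: it builds a throwaway catalog/ tree under mktemp so it can run offline, and the admin name backoffice_x9, the stand-in configure.php contents and the AuthUserFile path are assumed placeholders. The last function is a check you can point at a real catalog root after making the change.

```shell
#!/bin/sh
# Added example, not code from the thread or from osCommerce itself: it rehearses
# the "rename /admin/ and htpasswd it" and "configure.php to 444" steps from the
# posts above on a throwaway directory tree, then verifies the result.
# Layout mirrors a 2.3.1 install (catalog/admin/includes/configure.php) but the
# file contents are constructed fixtures; "backoffice_x9" and the .htpasswd path
# are placeholders chosen for the demo.
set -eu

# Build a throwaway catalog/ tree under mktemp so nothing touches a real shop.
# Prints the root path.
make_fixture() {
  fx_root=$(mktemp -d)
  mkdir -p "$fx_root/catalog/admin/includes" "$fx_root/catalog/includes"
  # Constructed stand-in for admin/includes/configure.php (only the lines that matter here).
  cat > "$fx_root/catalog/admin/includes/configure.php" <<'EOF'
<?php
define('HTTP_SERVER', 'http://shop.example');
define('DIR_WS_ADMIN', '/admin/');
define('DIR_WS_CATALOG', '/catalog/');
EOF
  printf '<?php\n' > "$fx_root/catalog/includes/configure.php"
  chmod 644 "$fx_root/catalog/admin/includes/configure.php" \
            "$fx_root/catalog/includes/configure.php"
  printf '%s\n' "$fx_root"
}

# Step 1: move /admin/ to a non-guessable name and point DIR_WS_ADMIN in the
# moved configure.php (the file post #83 quotes) at that name.
rename_admin() {  # rename_admin ROOT NEWNAME
  mv "$1/catalog/admin" "$1/catalog/$2"
  cfg="$1/catalog/$2/includes/configure.php"
  tmp=$(mktemp)
  sed "s|define('DIR_WS_ADMIN', '/admin/');|define('DIR_WS_ADMIN', '/$2/');|" "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"
  rm -f "$tmp"
}

# Step 2: put HTTP Basic auth in front of the renamed folder. The password file
# itself is created separately with the htpasswd tool; keeping it outside the
# web root avoids the permission trouble post #83 ran into with a 664 file.
protect_admin() {  # protect_admin ROOT NEWNAME HTPASSWD_PATH
  cat > "$1/catalog/$2/.htaccess" <<EOF
AuthType Basic
AuthName "Shop administration"
AuthUserFile $3
Require valid-user
EOF
}

# Step 3: make both configure.php files read-only (444), as post #84 does.
lock_configure_files() {  # lock_configure_files ROOT NEWNAME
  chmod 444 "$1/catalog/includes/configure.php" "$1/catalog/$2/includes/configure.php"
}

# Portable mode read-out, e.g. "-r--r--r--". Used instead of [ -w ], which
# reports every file writable when run as root regardless of its mode.
mode_of() { ls -ld "$1" | cut -c1-10; }

# Verify the three steps; prints one line per failed check, exits 0 only if all pass.
check_hardening() {  # check_hardening ROOT NEWNAME
  fails=0
  [ ! -d "$1/catalog/admin" ] \
    || { echo "FAIL: /admin/ still exists"; fails=$((fails + 1)); }
  cfg="$1/catalog/$2/includes/configure.php"
  grep -q "define('DIR_WS_ADMIN', '/$2/');" "$cfg" 2>/dev/null \
    || { echo "FAIL: DIR_WS_ADMIN does not name $2"; fails=$((fails + 1)); }
  for f in "$cfg" "$1/catalog/includes/configure.php"; do
    [ "$(mode_of "$f" 2>/dev/null)" = "-r--r--r--" ] \
      || { echo "FAIL: $f is not mode 444"; fails=$((fails + 1)); }
  done
  grep -q '^AuthType Basic' "$1/catalog/$2/.htaccess" 2>/dev/null \
    || { echo "FAIL: no Basic auth .htaccess in $2"; fails=$((fails + 1)); }
  [ "$fails" -eq 0 ]
}

# Demo run on the constructed tree; everything lives under mktemp -d.
demo_root=$(make_fixture)
rename_admin "$demo_root" backoffice_x9
protect_admin "$demo_root" backoffice_x9 /etc/apache2/.htpasswd_osc
lock_configure_files "$demo_root" backoffice_x9
check_hardening "$demo_root" backoffice_x9 && echo "hardening checks passed"
rm -rf "$demo_root"
```

Only check_hardening needs to survive the demo: run it against the real catalog root with the name you chose, and it reports which of the three steps is still missing. The sed only rewrites the exact DIR_WS_ADMIN line, so any other references to the old folder name (post #83 asks whether there are more places) are not touched and would show up as a broken admin rather than a silent miss.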