
Archived

This topic is now archived and is closed to further replies.

Jan Zonjee

Security issue with admin directory

229 posts in this topic

In the German forum there is an announcement by the German team members about a security problem in the admin for shops using osC 2.2 version RC1 and RC2. The details of how to compromise the admin have not been disclosed (for obvious reasons).

 

For the moment two things can and should be done:

A. rename the admin directory

B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

 

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

 

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

For password protecting your admin directory you can (hopefully) use the Password Protect feature in your web hosting control panel (see for example post 141 in this thread).

 

To avoid having to login twice (once in the "popup" screen and then again in the osC admin login) you might want to look at the code Harald Ponce de Leon wrote some time ago:

 

http://github.com/osCommerce/oscommerce2/commit/569917f654edab2b07bf61ab8caf2764ba1457c4

Try to perform an automatic login if a Basic HTTP Authentication mechanism is already in place. For this to work, the administrator username and password must be the same as the HTTP Authentication login credentials.

 

Changes in the following files:

catalog/admin/includes/application_top.php
catalog/admin/login.php

 

Some additional information and advice on security

 

Delete admin/filemanager.php and associated links.

Delete admin/define_language.php and associated link in the "Tools" box.

Note: keep a local copy of your site on your computer; after editing files and making sure the things you have added to your shop are working, upload the edited files to your site by FTP.

 

Ensure that your folder permissions are never set higher than 755

 

Install some security addons

 

Also some ideas from this post can help you

 

Adding this bit of code in admin/includes/application_top.php by FWR Media, to make sure $PHP_SELF is what it is supposed to be, is very much recommended too.

 

The code below will most likely be in the next release candidate for osC 2.2 to fix the hole:

GitHub Harald Ponce de Leon

 

admin/includes/application_top.php Line 146-151

 

Change:

      $redirect = true;
    }

    if ($redirect == true) {
      tep_redirect(tep_href_link(FILENAME_LOGIN));
    }

To:

      $redirect = true;
    }

    if (!isset($login_request) ||
        isset($HTTP_GET_VARS['login_request']) ||
        isset($HTTP_POST_VARS['login_request']) ||
        isset($HTTP_COOKIE_VARS['login_request']) ||
        isset($HTTP_SESSION_VARS['login_request']) ||
        isset($HTTP_POST_FILES['login_request']) ||
        isset($HTTP_SERVER_VARS['login_request'])) {
      $redirect = true;
    }

    if ($redirect == true) {
      tep_redirect(tep_href_link(FILENAME_LOGIN));
    }

 

admin/login.php Line 10-11

 

After:

  Released under the GNU General Public License
*/

Add:

 $login_request = true;
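
As an added illustration (not code from the commit above or from osCommerce), the stand-alone PHP script below models the new condition and shows which requests it turns away. The function names, the request arrays and the sample requests are assumptions of this example, not part of the fix itself.

```php
<?php
// Added example, not code from the osCommerce commit: a stand-alone model of
// the admin gate after the fix. $adminSession stands for
// tep_session_is_registered('admin'); $login_request is the script-local flag
// that only admin/login.php sets ("$login_request = true;" at its top); the
// six arrays stand for $HTTP_GET_VARS, $HTTP_POST_VARS, $HTTP_COOKIE_VARS,
// $HTTP_SESSION_VARS, $HTTP_POST_FILES and $HTTP_SERVER_VARS.

function admin_needs_login_redirect(bool $adminSession, ?bool $login_request, array $sources): bool
{
    if ($adminSession) {
        return false;                       // a registered admin session passes
    }
    // The fixed condition: redirect unless the script itself set $login_request,
    // and redirect anyway if that variable name arrives through any request
    // source. The flag must only ever come from login.php, never from the request.
    if (!isset($login_request)) {
        return true;
    }
    foreach ($sources as $vars) {
        if (isset($vars['login_request'])) {
            return true;
        }
    }
    return false;
}

function check(string $label, bool $got, bool $want): void
{
    echo ($got === $want ? 'PASS ' : 'FAIL ') . $label . "\n";
    if ($got !== $want) {
        exit(1);
    }
}

// Constructed requests: nothing in any channel.
$clean = ['GET' => [], 'POST' => [], 'COOKIE' => [], 'SESSION' => [], 'FILES' => [], 'SERVER' => []];

check('categories.php, no session: must redirect', admin_needs_login_redirect(false, null, $clean), true);
check('login.php sets the flag itself: no redirect', admin_needs_login_redirect(false, true, $clean), false);
check('registered admin session: no redirect', admin_needs_login_redirect(true, null, $clean), false);

// The same name arriving through any request channel is rejected, even on login.php.
foreach (array_keys($clean) as $channel) {
    $tainted = $clean;
    $tainted[$channel] = ['login_request' => '1'];
    check("login_request supplied via $channel: must redirect", admin_needs_login_redirect(false, true, $tainted), true);
}
```

Run it with the PHP command-line binary; every line should print PASS, and a FAIL exits with status 1.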


I guess the renaming of the admin folder is only as good as, if you also advise site owners, which I have been doing, NOT to print the URL on the invoices that are printed from admin -> orders, by setting the header/footer to anything other than the URL (browser - File - Page Setup). By default the URL is shown/printed either at the header or footer of the printout.

 

Ken


Hi

I added pass protect to admin folder. Might this be enough to fix the issue?

I tried to rename the folder and changed the paths in the configure file, but after that when I log in to the admin it doesn't show the first page correctly - the page where you see the summary of the customers and orders.

http://www.name.com/admin/index.php

I don't see anything after changing the admin name, and before there were 2 tables there, one on the left for customers and one on the right for orders.

If someone suggests how to fix this I am happy to rename the admin folder.


hi all

fixed it. now it is new admin name and pass protected.

Just one idea here: if you change the name, change it to something long (more than 20 symbols and numbers), but still use something you will remember. Not that all will need this, but you might end up on another (not yours) machine and you might want to access your admin end. So you need to know what to type for the URL even though it is long. I suggest you use some saying you like and put numbers in between words/letters.

All the best and hopefully hack-less work.


Just to note:

The bug may also apply to versions that have an Admin Access contribution installed, and to other PHP applications.

At least a lot of shops I checked were vulnerable.

 

So to be on the safe side: add an .htaccess protection to your shop.


this is not so simple. I have renamed admin and changed configure.php and when I go to the new folder it bombs with the following error:

 

Not Found

The requested URL /admin/login.php was not found on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

 

--------------------------------------------------------------------------------

 

Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8 Server at www.myshop.co.uk Port 443

 

Please, for novices like me who are trying to learn osCommerce, don't assume it's just this or that and it's done. I am finding a lack of concise answers to anything regarding osCommerce, and putting up notices like this without a troubleshooting guide is not helpful at all.


 

Ditto!

 

I changed the name of the admin folder & the suggested file, but still can't access the admin as per the above. There are more references to the folder "admin" in OSC & these don't seem to be changed. I want to protect the store I've built, but following this thread actually makes the admin unusable.....can the advice be more thorough for an important issue like this please, even if it's just a link to another thread?

 

I would also like to write a correct .htaccess file, but despite thinking I'm fairly intelligent, most of the stuff I read is just way above my head <_<

 

Can the information be spelt out for us newbies, in a way that we can follow to the correct result, but doesn't fry the brain? :blink:

 

Thanks


It is a simple change (takes about 2 minutes) for a default osC shop if you understand and follow the first post by Jan, in particular this bit: "After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php". Note the location of the configure.php, which is different from the other one under [catalog]/includes/.

There should not be any hard-coded admin folder name in any files; if yours does have the admin folder hard-coded in files then bad luck (you have a wrongly modified shop), you will need to find each occurrence and fix them.

 

The .htaccess protection is beyond osC; you will need to contact your host for advice, as different hosts may have different ways of doing it.

 

Ken


 

Hi Mr Pointy

 

If you have a cPanel logon provided by your web hosting provider then there is a Security section with "Password Protect Directories". This is fairly easy to use.

 

If you do not (and I did try before without cPanel) then the entries for the .htaccess file are:

 

AuthName "admin"

AuthType Basic

AuthUserFile "/home/myaccount/.htpasswds/public_html/admin/passwd"

require valid-user

 

The AuthUserFile is where the matching password and username must be located. The location is specific to my host, but importantly it must not be on the publicly accessible part of the server.

 

The file with the password on my system is encrypted (not by me) so I really don't know how you can get this done without cPanel or asking your host company for assistance. That is perhaps why my non cPanel attempts failed.

 

Maybe someone else knows how?

 

Sorry it's only a half answer.


 

I have a fairly bog-standard hosting provider with cPanel and an automated install of osCommerce. The issue I pointed out with renaming the admin folder is a real one. I was editing the proper configure.php file and not the one in the catalog. My site is not a production site and is for learning on. It is pretty much straight out of the box with no hard-coding of directories except what is done by the installation itself. I am sure I am not unique in this circumstance of my store configuration, including lots of "live" stores.

 

My point being: if there is even a possibility of other parts of the OSC system needing to be changed, folk need to know about it before breaking their websites with the advice given.

Not Found

The requested URL /admin/login.php was not found on this server.

 

You can't find admin/login.php because you changed the name of the directory called "admin". Look for it using your new admin name.

You can't find admin/login.php because you changed the name of the directory called "admin". Look for it using your new admin name.

 

Did that. Tried to log on using the new admin folder name but the error message came up with /admin/login.php.

 

Thanks


 

Try clearing the cache in your browser and then restarting your PC


if there is even a possibility of other parts of the OSC system needing changed

 

NO, there isn't (for a default setup). I've been doing this (changing the admin folder name) many, many times. A one-minute job.

 

Ken


 

Thanks to the respondents.

 

I tried all of the things you have suggested and even changed PC. It is not a browser cache issue and there is obviously something else that needs to be done apart from the configure.php file. Lucky for you guys who insist it is a one-minute job. It is obviously not always the case.

 

I want folk to be aware that this might bring their site down and to have a recovery plan, especially if you have a working online store.

 

Thanks

Thanks to the respondants.

 

I tried all of the thinks you have suggested and even changed PC. It is not a browser cache issue and there is obviously something else that needs done apart from the configure.php file. Lucky for you guys who insist it is a one minute job. It is obviously not always the case.

 

I want folk to be aware that this might bring their site down and to have a recovery plan, especially if you have a working online store.

 

Thanks

Check to see if you have a configure.php file under "admin"/includes/local

...Lucky for you guys who insist it is a one minute job. It is obviously not always the case.

want folk to be aware that this might bring their site down and to have a recovery plan, especially if you have a working online store...

 

The complete opposite is true. It is NOT lucky or otherwise; it's simply a very straightforward thing, as easy as ABC. *Obviously* there is *NOTHING* else (for a default osC setup). If you can't get this very simple thing done, then I suppose you should not issue any warning here, as it is completely false: it can be done any time, anywhere, on any shop including those that take in thousands of orders daily, and it won't stop your shop running for even a second. That's the truth, and I am stating a fact, not insisting... or guessing.

 

Ken


what Coopco pointed out above could be the problem but for a default setup there should not be a configure.php in the local folder. if you put one there then you should know it.

Ken


 

Hey, no need for the shouting.

 

I agree to differ with the last message. My and obviously one other's experience is different, so please don't shoot the messenger when there is something wrong. The "OSC is perfect and it's just the idiots messing about with it" attitude isn't right either. The advice of going through every file to find a hard-coded file location was a no-brainer and most unhelpful, and to term it as "bad luck" was not helpful either. Something must have been wrong in the installation somewhere, but no sensible suggestion came out as to where.

 

All I am saying is warn folk to have a roll back plan when advising doing something like this because sod's law always crops up somewhere.

 

Everyone on this site has different levels of experience with oscommerce and all of us want simple, helpful and clear instructions on what to do about issues that trouble us.

 

Nuff said on this and I won't reply any more regardless.

For the moment two things can and should be done:

A. rename the admin directory

B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

 

I attempted point B regarding the .htaccess protection through my host. Unfortunately their .htaccess editor is set up by default to go to the public_html folder, but my store is located in another folder at the same level of the directory. I asked them to modify that to allow me access not only to my store folder but to other folders at the same hierarchical level. They said that could not be done and suggested I move my store folder into the public_html folder. My store is currently running on a subdomain, with the sub pointing to the store folder: http://ba.barkavenuedogboutique.com/ with the ba being the subdomain pointing to a similarly named folder.

 

My question is, if I move that, what are the implications for the store site URL and the subdomain pointer? I think the configure.php files would also have to be reworked to locate the new file structure ****public_html/ba, is that correct?

 

Thanks

... and I won't reply any more

No one expects or is waiting for a reply, at least not me, as that makes no sense. Now all is said, it's up to everyone to decide whether you want to kid yourself by buying two lunches each day, with one as a backup in case you end up hungry and can't function the whole afternoon. :)

 

@steve: you didn't say how you did it, but the normal procedure is: take cPanel as an example, you look for a function called "password protect directory" in cPanel, you then follow the on-screen instructions (starting by selecting the admin folder name you want to protect). When finished, the .htaccess will be created by cPanel and placed in the admin folder without you even realising it. There is NO editor involved/used.

 

Ken


 

Ken, I searched my host site for folder password protection and came up with these instructions...

 

"Log into the .htaccess Editor, and then click Password Protection.

In the Select Directory section, click Change to select the directory you want to protect. The current protection setting for the selected directory displays in the Password Protection Status section.

To change the setting, click one of the following buttons:

 

Enable to add protection.

Disable to remove existing protection. "

 

That's why I was using the .htaccess editor they offer. When I ran into the directory issue I asked for an alternative way to password protect my folder and that's when the said to move my folder under the public_html folder then I could do that.

 

I just searched again and all hits point me to using their built in .htaccess editor.

 

Thanks for the response and I am open to suggestions for sure.

 

Steve


Steve

 

One should try to help others to help him/herself by giving out as many details (of the problem) as possible. In your case, I would like to know what site control panel the server uses, and what exactly the editor does. What your host told you, that you must move the site to the web root (for password protecting a directory), is a load of rubbish; they were trying to cover up the non-professional way of setting up their server (and therefore not fit for purpose IMO). Password protecting directories has nothing to do with what location the directory is in within the directory hierarchy. It can be anywhere within your web space.

If your host proves they don't know what they are doing or talking about, i.e., everything fails, then try this online tool, which as far as I can see is not a commercial site, so it's not against forum rules to put it here.

 

Ken

Steve

 

In your case, I would like to know what site control panel the server uses, and what exactly the editor does.

 

Ken

 

Hi Ken,

 

Here is what I can glean from my host site relative to your questions.

 

At the control panel I see "powered by vDeck." (screenshot: Cpanel.jpg)

 

When I click the .htaccess button you get... (screenshot: htaccesseditor.jpg)

 

Then when I click the password protection, I am taken through a route that puts me into that specific public_html folder with no ability to navigate laterally or upwards to another folder.

 

I have had a couple other tech support glitches with the host so I am not surprised if their response to this issue is off the mark.

 

Thanks much.

 

Steve


Just to add my 2p's to this topic and to hopefully help other newbies like myself...

 

I did what the OP said regarding renaming the 'admin' folder, so:

[step 1] 'http://www.mysite.com/mycatalog/admin' --became-> 'http://www.mysite.com/mycatalog/newadminfolder'

(Needless to say the above site isn't real.)

 

Then:

[step 2] changed 'newadminfolder/includes/configure.php' as per the OP's instructions

 

After Step 2, all attempts to access 'http://www.mysite.com/mycatalog/admin' should result in a 404 error, but I'll reach my osCommerce Administration login page at 'http://www.mysite.com/mycatalog/newadminfolder' :)

 

It's in the next step where I started scratching my head...good thing I found this handy tutorial, which also contains a neat tool (at the end of the tutorial) for generating your login and password for your would-be protected 'newadminfolder'

 

Here's the link: http://www.addedbytes.com/apache/password-...-with-htaccess/ (Please read tutorial before continuing below)

 

[step 3] Follow the tutorial for generating your .htaccess file and your login/password list for your 'newadminfolder'

[step 3a] For the absolute path needed for the 'AuthUserFile' entry, I used the 'Backup Directory' entry found in 'Database Backup' tool inside osCommerce Administration

Example:

I created a new folder called 'mynewfolder' just outside of my catalog, so if my Backup Directory says '/this/is/where/you/are/mysite.com/mycatalog/newadminfolder/backups/' then I entered the following lines in my .htaccess file:

 

AuthName "My New Admin Page"
AuthType Basic
AuthUserFile /this/is/where/you/are/mysite.com/mynewfolder/.htpasswd
require valid-user

 

[step 4] Upload the .htpasswd file under the 'mynewfolder' folder and

 

[step 5] Upload the .htaccess file under the 'newadminfolder' folder

 

And that's it. The first time I go to 'http://www.mysite.com/mycatalog/newadminfolder' I get a pop-up window to enter a login ID/pswd, which should be found within my 'mynewfolder/.htpasswd' file, and if I get both ID/pswd correct then my osCommerce Administration login page gets displayed. I don't mind entering two login ID/pswd's.

 

Hope these help! :)
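
An added check (not from this thread, from the linked tutorial, or from osCommerce) that covers both Mr Pointy's AuthUserFile point earlier in the thread and the steps above: a small PHP lint for the .htaccess file that confirms the Basic-auth directives are all present and that the password file is not inside the web root. The document root and the two file contents are constructed placeholders; whether 'mynewfolder' is really outside the web root depends on where the document root is, which the post does not say, and that is exactly what the last check makes explicit.

```php
<?php
// Added example, not from this thread or from osCommerce: a lint for the
// .htaccess layout described in the two .htaccess posts above. It checks the
// directives Basic auth needs and that AuthUserFile sits outside the web root.
// $docRoot and the file contents below are constructed placeholders.

function lint_htaccess(string $htaccess, string $docRoot): array
{
    $d = [];
    foreach (preg_split('/\R/', $htaccess) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        // "Directive value", with the value optionally in double quotes
        if (preg_match('/^(\S+)\s+"?([^"]*)"?$/', $line, $m)) {
            $d[strtolower($m[1])] = $m[2];
        }
    }
    $problems = [];
    if (($d['authtype'] ?? '') !== 'Basic') {
        $problems[] = 'AuthType Basic is missing';
    }
    if (!isset($d['authname'])) {
        $problems[] = 'AuthName is missing';
    }
    if (($d['require'] ?? '') !== 'valid-user') {
        $problems[] = 'require valid-user is missing';
    }
    $userFile = $d['authuserfile'] ?? '';
    $root = rtrim($docRoot, '/') . '/';
    if ($userFile === '') {
        $problems[] = 'AuthUserFile is missing';
    } elseif ($userFile[0] !== '/') {
        $problems[] = 'AuthUserFile must be an absolute server path, not a URL or relative path';
    } elseif (strncmp($userFile, $root, strlen($root)) === 0) {
        $problems[] = 'AuthUserFile lies inside the web root (' . $docRoot . '); move it outside';
    }
    return $problems;
}

$docRoot = '/home/myaccount/public_html';   // constructed document root

// Layout from the thread: password file kept under ~/.htpasswds, outside public_html.
$good = "AuthName \"admin\"\nAuthType Basic\n"
      . "AuthUserFile \"/home/myaccount/.htpasswds/public_html/admin/passwd\"\nrequire valid-user\n";

// Two common mistakes: no AuthType, and the password file dropped inside the admin folder.
$bad  = "AuthName \"admin\"\nAuthUserFile /home/myaccount/public_html/admin/.htpasswd\nrequire valid-user\n";

foreach (['good' => $good, 'bad' => $bad] as $label => $content) {
    $problems = lint_htaccess($content, $docRoot);
    echo $label . ': ' . ($problems ? implode('; ', $problems) : 'ok') . "\n";
}
```

Apache's stock configuration refuses to serve files whose names begin with .ht, but that is a server-level setting the shop owner does not control on shared hosting, so keeping the password file outside the web root, as both posts do, remains the safer layout.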
