
Security issue with admin directory


Jan Zonjee


Hello again. Please could you tell me where any other link to filemanager.php might be? Apart from in the "Tools" box? Thanks.

I think there is one in define_language.php. The only other one I know of is in the Tools box.


I am new to the setup. I am on Servage and did the install, but I get this message. I know in PHP you have to delete a file after install. What step am I missing? This is the message I am seeing:

Warning: I am able to write to the configuration file: /home119a/sub006/sc67285-PFSB/fontsboutique.com/shoppe/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

I have not gone any further since it says security risk. Can you please let me know what I should do?

Thanks,

Christy


Ok, I think I am slow.. lol. I found the folder (file). Is there an example of this step somewhere? I am looking, and I am so used to PHP where you just delete and rename a file. This seems a bit different. Help, I am not slow, maybe just a bit confused.


Ken,

I can appreciate that for you it is a snap. But there are at least three of us in this thread who are not getting the same results. I too can get the login page with the new_admin_directory, but when I log in it goes back to:

www.domain.com/new_admin_directory/login.php

It is supposed to go to:

www.domain.com/catalog/new_admin_directory/index.php

But it is not. This obviously is a simple fix. It might be the way the code is configured. The initial code shows:

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

I copied the /your/path/to/directory/renamed_admin_directory/ from the backup database path. My backup directory is this path:

/home/43/dnumber/htdocs/domainfolder/catalog/renamed_admin_director/

I placed a copy of the configure.php file in the local folder as well. What would be the motive of three of us having the same problem, other than we are simply not getting the same snappy result you do? We all wish we could get this done and are simply asking what we are doing wrong; please help us. We want to beef up the security of the admin folder. Maybe you could think of something you would check?

Remember the config file permissions: change to 777 to make the changes, and when you finish set it back to 444.


To avoid having to log in twice (once in the "popup" screen and then again in the osC admin login) you might want to look at the code Harald Ponce de Leon wrote some time ago:

http://github.com/osCommerce/oscommerce2/commit/569917f654edab2b07bf61ab8caf2764ba1457c4

Try to perform an automatic login if a Basic HTTP Authentication mechanism is already in place. For this to work, the administrator username and password must be the same as the HTTP Authentication login credentials.

Changes in the following files:

catalog/admin/includes/application_top.php
catalog/admin/login.php

Has anyone been able to get this to work? I've copied Harold's code exactly but no joy. Any help appreciated.


Has anyone been able to get this to work? I've copied Harold's code exactly but no joy. Any help appreciated.

I always use that code now; it's also included in the RC3 release.

As with any add-on, if it doesn't work, 99% of the time it's due to your own failure; just go over the install instructions again and read all related docs thoroughly.

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:

Auto Backup your Database, Easy way
Multi Images with Fancy Pop-ups, Easy way
Products in columns with multi buy etc etc
Disable any Category or Product, Easy way
Secure & Improve your account pages et al.


Hello, I have an osCommerce store. I deleted the file out-managed.php (something like that is what it is called) because of doubts about possible hackers, and I changed the name of the admin folder, and before the login (entering user and pass to enter the administration panel) I put a password on that folder at server level. Do you think this is enough to avoid a web or database attack? Do you think I must do something else?


hey everyone

this is my first time ever installing and using OSC and I love it.

There is one small problem however. I followed Jan's steps (i.e. renaming the admin, then changing the configure.php code as instructed, password protecting my newly renamed admin folder using .htaccess). I even set the permissions to 777 while modifying the code, then changed them back to 644; I even restarted my PC and cleared the cache; I even tried logging in from Firefox, IE and Google Chrome, yet I am unable to log into my admin account anymore.

I read quite a few posts and threads on this forum but I couldn't find an answer to my problem, and so I finally decided to make this post.

So, to make a long story short, here are the errors I'm getting when I try to log into my newly renamed admin account:

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /hermes/bosweb/web230/b2301/ipw.rayden1980/public_html/needaguide/stapanul1980siteului5/includes/application_top.php:5) in /hermes/bosweb/web230/b2301/ipw.rayden1980/public_html/needaguide/stapanul1980siteului5/includes/functions/sessions.php on line 102

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /hermes/bosweb/web230/b2301/ipw.rayden1980/public_html/needaguide/stapanul1980siteului5/includes/application_top.php:5) in /hermes/bosweb/web230/b2301/ipw.rayden1980/public_html/needaguide/stapanul1980siteului5/includes/functions/sessions.php on line 102

Warning: Cannot modify header information - headers already sent by (output started at /hermes/bosweb/web230/b2301/ipw.rayden1980/public_html/needaguide/stapanul1980siteului5/includes/application_top.php:5) in /hermes/bosweb/web230/b2301/ipw.rayden1980/public_html/needaguide/stapanul1980siteului5/includes/functions/general.php on line 22

hope that any geek here (:P) will show me how to fix this issue

regards

ah! sorry for the obtrusive fonts. I just wanted to make it visible but didn't know it would end up so insanely evident. Apologies.


Post the first 10 or 15 lines of /includes/application_top.php

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help


here are the first 50 lines :)

note: the code will start with <!DOCTYPE HTML ...... etc. because I use NVU (an HTML editor) to open my PHP pages

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<?php /*
  $Id: application_top.php 1833 2008-01-30 22:03:30Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2008 osCommerce

  Released under the GNU General Public License
*/

// start the timer for the page parse time log
  define('PAGE_PARSE_START_TIME', microtime());

// set the level of error reporting
  error_reporting(E_ALL & ~E_NOTICE);

// check support for register_globals
  if (function_exists('ini_get') && (ini_get('register_globals') == false) && (PHP_VERSION < 4.3) ) {
    exit('Server Requirement Error: register_globals is disabled in your PHP configuration. This can be enabled in your php.ini configuration file or in the .htaccess file in your catalog directory. Please use PHP 4.3+ if register_globals cannot be enabled on the server.');
  }

// Set the local configuration parameters - mainly for developers
  if (file_exists('includes/local/configure.php')) include('includes/local/configure.php');

// include server parameters
  require('includes/configure.php');

  if (strlen(DB_SERVER) < 1) {
    if (is_dir('install')) {
      header('Location: install/index.php');
    }
  }

// define the project version
  define('PROJECT_VERSION', 'osCommerce Online Merchant v2.2 RC2a');

// some code to solve compatibility issues
  require(DIR_WS_FUNCTIONS . 'compatibility.php');

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];


Get rid of all the trash in front of:

<?php

The opening PHP tag must be at the top of the file, nothing preceding it.

Start using a simple text editor instead.

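A small check for the problem Ken describes (anything emitted before the opening tag, including an invisible UTF-8 byte-order mark, or blank lines after a trailing closing tag), as an added example that is not code from this thread or from osCommerce; the sample files below are constructed here, modelled on the pastes in the thread:

```python
import sys

UTF8_BOM = b"\xef\xbb\xbf"


def find_stray_output(source: bytes) -> list:
    """Return a list of findings for one PHP file given as raw bytes.

    Anything PHP sends to the client before the script calls session_start()
    or header() triggers "headers already sent". The usual culprits are HTML
    pasted in front of <?php (as an HTML editor did in this thread), an
    invisible UTF-8 byte-order mark, or blank lines after a trailing ?>.
    """
    findings = []
    body = source
    if body.startswith(UTF8_BOM):
        findings.append("UTF-8 BOM before <?php")
        body = body[len(UTF8_BOM):]
    idx = body.find(b"<?php")
    if idx < 0:
        return findings + ["no <?php tag found"]
    if idx > 0:
        leading = body[:idx].strip()
        if leading:
            findings.append("content before <?php: %r" % leading[:40])
        else:
            findings.append("%d bytes of whitespace before <?php" % idx)
    # PHP swallows exactly one newline after a closing tag; anything more is output.
    close = body.rfind(b"?>")
    if close >= 0:
        tail = body[close + 2:]
        if tail.strip() == b"" and tail not in (b"", b"\n", b"\r\n"):
            findings.append("%d bytes of whitespace after closing ?>" % len(tail))
    return findings


# Constructed samples modelled on the pastes in this thread (not real files).
CLEAN = (b"<?php\n/*\n  application_top.php\n*/\n"
         b"define('PAGE_PARSE_START_TIME', microtime());\n")
MANGLED_BY_EDITOR = (b'<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">\n'
                     b"<html>\n<head>\n" + CLEAN)
WITH_BOM = UTF8_BOM + CLEAN
TRAILING_BLANK_LINES = CLEAN + b"?>\n\n\n"

if __name__ == "__main__":
    # Usage: pass the PHP files to inspect as command-line arguments.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for finding in find_stray_output(fh.read()) or ["ok"]:
                print("%s: %s" % (path, finding))
```

Running it over both the catalog and the renamed admin copy of application_top.php shows which file the warning's "output started at ... :5" is pointing to.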

hi,

here are the first lines, but this time opened with Notepad

hope it helps

<?php
/*
  $Id: application_top.php 1833 2008-01-30 22:03:30Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2008 osCommerce

  Released under the GNU General Public License
*/

// start the timer for the page parse time log
  define('PAGE_PARSE_START_TIME', microtime());

// set the level of error reporting
  error_reporting(E_ALL & ~E_NOTICE);

// check support for register_globals
  if (function_exists('ini_get') && (ini_get('register_globals') == false) && (PHP_VERSION < 4.3) ) {
    exit('Server Requirement Error: register_globals is disabled in your PHP configuration. This can be enabled in your php.ini configuration file or in the .htaccess file in your catalog directory. Please use PHP 4.3+ if register_globals cannot be enabled on the server.');
  }

// Set the local configuration parameters - mainly for developers
  if (file_exists('includes/local/configure.php')) include('includes/local/configure.php');

// include server parameters
  require('includes/configure.php');

  if (strlen(DB_SERVER) < 1) {
    if (is_dir('install')) {
      header('Location: install/index.php');
    }
  }

// define the project version
  define('PROJECT_VERSION', 'osCommerce Online Merchant v2.2 RC2a');

// some code to solve compatibility issues
  require(DIR_WS_FUNCTIONS . 'compatibility.php');

// set the type of request (secure or not)
  $request_type = (getenv('HTTPS') == 'on') ? 'SSL' : 'NONSSL';

// set php_self in the local scope
  if (!isset($PHP_SELF)) $PHP_SELF = $HTTP_SERVER_VARS['PHP_SELF'];

  if ($request_type == 'NONSSL') {
    define('DIR_WS_CATALOG', DIR_WS_HTTP_CATALOG);
  } else {
    define('DIR_WS_CATALOG', DIR_WS_HTTPS_CATALOG);
  }


What I said about the opening PHP tag in my last post still stands.


Headers Already Sent

Click the link above for an explanation.

I could PM you an email addy to send the file to (as an attachment) if you want.

Are you posting code from your local file or the one that's on the server? They may not be identical.


uhm,

I posted code from the server (I don't have any file saved on my computer yet).

Now, regarding the whitespace mentioned in the link you gave me above, there was indeed a whitespace after the closing PHP tag in my application_top.php file and I just removed it, but it still won't stop displaying those messages.

I think it would save me time and even more trouble if I sent you the file so that you could figure it out for me, but obviously this depends on you :P

cheers


And are you posting the code from the file in the admin side of the site?


hmmm!

no, I posted from the root/includes side of the site.

sorry :(

here are the lines from the root/admin/includes/application_top.php file (note: instead of admin, it says stapanul1980siteului5 now, as per the admin renaming suggestion. So the code below is actually from the root/stapanul1980siteului5/includes/application_top.php file)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>

<?php /*
  $Id: application_top.php 1833 2008-01-30 22:03:30Z hpdl $
  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com
  Copyright © 2008 osCommerce
  Released under the GNU General Public License
*/

// Start the clock for the page parse time log
  define('PAGE_PARSE_START_TIME', microtime());

// Set the level of error reporting
  error_reporting(E_ALL & ~E_NOTICE);

// check support for register_globals
  if (function_exists('ini_get') && (ini_get('register_globals') == false) && (PHP_VERSION < 4.3) ) {
    exit('Server Requirement Error: register_globals is disabled in your PHP configuration. This can be enabled in your php.ini configuration file or in the .htaccess file in your catalog directory. Please use PHP 4.3+ if register_globals cannot be enabled on the server.');
  }

// Set the local configuration parameters - mainly for developers
  if (file_exists('includes/local/configure.php')) include('includes/local/configure.php');

// Include application configuration parameters
  require('includes/configure.php');

// Define the project version
  define('PROJECT_VERSION', 'osCommerce Online Merchant v2.2 RC2a');

// some code to solve compatibility issues
  require(DIR_WS_FUNCTIONS . 'compatibility.php');

// set php_self in the local scope
  $PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

// Used in the "Backup Manager" to compress backups
  define('LOCAL_EXE_GZIP', '/usr/bin/gzip');
  define('LOCAL_EXE_GUNZIP', '/usr/bin/gunzip');
  define('LOCAL_EXE_ZIP', '/usr/local/bin/zip');
  define('LOCAL_EXE_UNZIP', '/usr/local/bin/unzip');

// include the list of project filenames
  require(DIR_WS_INCLUDES . 'filenames.php');

// include the list of project database tables
  require(DIR_WS_INCLUDES . 'database_tables.php');

// customization for the design layout
  define('BOX_WIDTH', 125); // how wide the boxes should be in pixels (default: 125)

// Define how do we update currency exchange rates
// Possible values are 'oanda' 'xe' or ''
  define('CURRENCY_SERVER_PRIMARY', 'oanda');
  define('CURRENCY_SERVER_BACKUP', 'xe');

I know I will have to remove what's in front of the starting PHP tag, but I wanted to post the file here exactly as is :)


I sent a PM with an email addy.
