Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Security issue with admin directory


Jan Zonjee

Recommended Posts

  • Replies 228
  • Created
  • Last Reply

Hi All, my installation of Oscommerce RC2.2 was hacked even though I renamed admin folder and applied htaccess. Does anybody know if any other possible vulnerability that could of allowed the hackers in?

 

Hello there, for the 2.2 Osc there's a bunch of securty recommendations. See the very first post in this topic by Jan; he provides info there on more security measures.

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Link to comment
Share on other sites

There is a known security issue with the 2.2 range of osCommerce versions that offer an admin login. It is possible that attackers were able to add rogue shell files into your sites directories, often in the images directory, which are used to exploit your website. So along with following the security recommendations here, make sure you go through all your website directories and remove any php files that should not be there.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

  • 2 months later...

Hi

can someone point me to the definitive list of things I should do to secure a brand new 2.3.1 installation?

 

which addons, things i should change?

 

i Tried oscommerce about 4 years back but that table layout almost made me kill myself. I see that the new version is CSS ready, so hopefully I can try again, but the contributions thing is also a problem.

 

I found it really annoying going through all them coded files replacing so many bits, i hope i don't have to do so many again

Please advise of the 2.3.1 security procedures to make it strong and safe from hackers.

 

thanks

Link to comment
Share on other sites

@@vampirehunter

 

There are no known security issues with v2.3.1, however there are some additional measures that you can take to monitor your installation. Read this thread: http://www.oscommerce.com/forums/topic/375288-updated-security-thread/page__hl__security%20231

 

Also, the installation of contributions has not changed, there are still manual code edits when applying changes.

 

 

Chris

Link to comment
Share on other sites

@@vampirehunter

 

There are no known security issues with v2.3.1, however there are some additional measures that you can take to monitor your installation. Read this thread: http://www.oscommerce.com/forums/topic/375288-updated-security-thread/page__hl__security%20231

 

Also, the installation of contributions has not changed, there are still manual code edits when applying changes.

 

 

Chris

 

ok thanks

 

i read the page, it says for the ones in 2.31 i should install these particular ones? is this right?

 

1. Security Pro from FWR Media {

2.3.1 and lower.

a. Addon

b. Support

}

 

 

3. Filesafe from FWR Media {

2.3.1 and lower

a. Addon

b. Support

Filesafe replaces "Site Monitor". Site Monitor is old and tired.

}

 

 

 

5. Rename /admin/ and htpasswd it {

2.3.1 and lower

a. if your admin area is located at /admin/ change it now by renaming it to something randomly hard to guess, eg: /d9fne3ufvurjes%kep/

b. amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!)

}

 

6. Remove references to (newly renamed) admin area in outgoing emails {

2.3.1 and lower

a. renaming your admin area is great, but it is still possible to find out where it is, by placing an order, as outgoing emails contain the admin address. More.

}

 

7. Add extra login parameter (JanZ) {

2.3.1 and lower

a. link - scroll down to "admin/includes/application_top.php Line 146-151" and start reading.

}

Link to comment
Share on other sites

Its all optional for version 2.3.1

 

So far there has been no known security holes found in that version. The 2.2 range of osCommerce sites though need addition code patches.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX

Link to comment
Share on other sites

6. Remove references to (newly renamed) admin area in outgoing emails {

 

The fix you linked to often no longer works, see my post in the linked thread

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Link to comment
Share on other sites

  • 2 months later...

I have looked at sorting this out and can't even find the file i need! I do not have cpanel, when i go to file manager I have various directories at the same level, including one called FTP and another VAR. The var has a directory path var/www/vhosts/apattern.co.uk but i have no files in it! I thought my files were supposed to go there, but the host said it needed to go in httpdocs, which is on the same level below FTP. When i auto installed Wordpress all the files are in FTP/httpdocs and my store is at FTP/httpdocs/catalog. I link from wordpress to my store, and therefore this can be problematic so i have been advised to carry out the following, but i cannot find a file called .htaccess!!!:- How do I get password-protected directories (with .htaccess) to co-exist with textpattern? QUESTION: Using .htaccess authentication makes the directory inaccessible. HTTP Basic Authentication with the webserver redirects everything to textpattern’s index page. Using HTTP Auth with Apache results in 404 error pages. ANSWER: Please add the following lines to your .htaccess file: ErrorDocument 401 /[path_to_file]/myerror.html ErrorDocument 403 /[path_to_file]/myerror.html Make sure you point to existing, static html files.

Running a botched up version of  osCommerce Online Merchant v2.3.4 bootstrap with the dresscode theme installed, numerous add-ons, terrible coding, terrible website, but will have to make do until I have made up for my losses and can risk shutting down for a couple of weeks while I start all over again. - I did not install my program but am endeavouring to fix it with your help.

Link to comment
Share on other sites

Its all optional for version 2.3.1 So far there has been no known security holes found in that version. The 2.2 range of osCommerce sites though need addition code patches.

 

The version i have just downloaded is 2.3.1, so do i not have to do the re-naming thing?? and will i still have the other problem?

 

How do I get password-protected directories (with .htaccess) to co-exist with textpattern?

Running a botched up version of  osCommerce Online Merchant v2.3.4 bootstrap with the dresscode theme installed, numerous add-ons, terrible coding, terrible website, but will have to make do until I have made up for my losses and can risk shutting down for a couple of weeks while I start all over again. - I did not install my program but am endeavouring to fix it with your help.

Link to comment
Share on other sites

The version i have just downloaded is 2.3.1, so do i not have to do the re-naming thing?? and will i still have the other problem?

 

How do I get password-protected directories (with .htaccess) to co-exist with textpattern?

I don't know what you mean by "re-naming thing" but if you are asking if you should rename the admin directory, the answer is yes. I don't know what "textpattern" is so I can't comment on that but Plesk, which is the name of your control panel, has an option that will let you password protect directories. If you don't know how to find it, your host should be able to provide help with it.

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

Get the latest versions of my addons

Recommended SEO Addons

Link to comment
Share on other sites

  • 1 month later...

Hi, im really new to this, but i want to share what i have done.

 

i was installing oscommerce in godaddy server.And i dont like /catalog to be in my domain. Because of seo matters.

 

And i was moving all file to root path/directorry and come 500 internal server...

 

What i ve done is:

 

go to admin/includes and find .htaccess and open/edit it

scroll down until you see

 

 

AuthType Basic

AuthName "osCommerce Admin Access"

AuthUserFile /home/content/41/9670941/html/catalog/admin/.htpasswd

Require valid-user

 

 

and delete /catalog or rename it with /youradminfolder whatever you name it

Link to comment
Share on other sites

Hi, im really new to this, but i want to share what i have done.

 

i was installing oscommerce in godaddy server.And i dont like /catalog to be in my domain. Because of seo matters.

 

And i was moving all file to root path/directorry and come 500 internal server...

 

What i ve done is:

 

go to admin/includes and find .htaccess and open/edit it

scroll down until you see

 

 

AuthType Basic

AuthName "osCommerce Admin Access"

AuthUserFile /home/content/41/9670941/html/catalog/admin/.htpasswd

Require valid-user

 

 

and delete /catalog or rename it with /youradminfolder whatever you name it

 

 

sorry it was in /admin directory

Link to comment
Share on other sites

Previously mentioned here

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Link to comment
Share on other sites

  • 1 month later...
  • 7 months later...

I just did an install of 2.3.3. I am bringing over my store from 2.2

 

I am now suddenly unable to log-in to my administration panel.

 

The username and password that I am putting in are the same that I had set them up to be.

 

Is this to do with the additional security that I was asked to set up in the post-installation interactions?

 

I simply can't log-in and am told 'maximum number of log-in's attempted, please try again in 5 minutes'.

 

However that's not working either.

 

I would like to just by pass this now, so as to get my store up and running again.

 

www.gouletdesigns.com/catalog/admin.

 

Thank you!

Link to comment
Share on other sites

@@suzgems1

 

You may need to reset your admin password by truncating the administrators table in your database. Then, create a new username and password when prompted when you access your admin area.

 

Also, If you had previously set up .htaccess protection on the /admin directory, you will also need to reset those files as well by replacing them with new files from the original osCommerce download

 

 

Chris

Link to comment
Share on other sites

Thanks Chris.

 

How do I

"truncating the administrators table in your database". Don't know how to do that.

 

I can replace the admin files as you're asking. Do both actions need to take place in order for me to get in?

Thank you!

Suzanne

Link to comment
Share on other sites

  • 4 months later...

Hi,

 

I have version 2.2-MS2 with several security measures installed. I was thinking of adding the following code to the main .htaccess file in order to deny access to all IP's except for mine to the (already renamed) admin folder.

 

RewriteCond %{REMOTE_ADDR} !^XX\.XXX\.XX\.XXX$

RewriteRule ^admin_directory(.*)$ http:// w w w.m y s i t e.com/ [R,L]

 

Does anyone know of any negative implications of doing this? ..such as system generated emails, or user tracking, or some other aspect of the admin directory? Thanks in advance for any help on this.

osCommerce: made for programmers, ...because store owners do not want to be programmers.

https://trends.google.com/trends/explore?date=all&geo=US&q=oscommerce

Link to comment
Share on other sites

Taking this a step further and using the IP Trap contribution, I added "admin/" to the url in the aforementioned code so that anyone who tries to access the already renamed admin directory, will get their IP banned.

 

RewriteCond %{REMOTE_ADDR} !^XX\.XXX\.XX\.XXX$

RewriteRule ^admin_directory(.*)$ http://www . mysite . com/admin/ [R,L]

 

Trouble is to remember to change my IP address in the .htaccess file in the case that I have work remotely so as not to have to unblock my remote IP. ;O) Still looking to find out if there are any negative implications of adding this code to the .htaccess file. Does anyone know?

osCommerce: made for programmers, ...because store owners do not want to be programmers.

https://trends.google.com/trends/explore?date=all&geo=US&q=oscommerce

Link to comment
Share on other sites

  • 3 weeks later...

Dear Authors

 

i am having problem secureing my website with .htaccess and .htpasswd_oscommerce. please someone to educate me.

 

if you mean securing the admin side of your site and if you're version is the 2.3 series go to admin>configuration>administrators.

I am not a professional webmaster or PHP coder by background or training but I will try to help as best I can.

I remember what it was like when I first started with osC. It can be overwhelming.

However, I strongly recommend considering hiring a professional for extensive site modifications, site cleaning, etc.

There are several good pros here on osCommerce. Look around, you'll figure out who they are.

Link to comment
Share on other sites

  • 5 months later...

Hi

 

I am trying to rename the admin area in oscommerce 2.3.3.4 its so simple, yet I can't get it to work. 3

Change admin name

Change configure.php in 2 places. Done, But doesn't work.

 

My question is. Does the admin folder in 2.3.3.4 need to be renamed and if so exactly how. Its always been so simple Ive tried changing the name of the admin file then changing in the 2 places in admin>configure.php.

 

Please don't shoot me.

 

Kind regards

grandpa

Link to comment
Share on other sites

Hi

 

It is the yellow admin folder where you want to change the name then in admin/includes/configure.php in x 2 places to reflect the new admin name

 

It is possible that the permissions on your configure.php are set to non writable 444 or something similar (this is how they should be) so you may have to change the permissions first to 666 to be able to overwrite in your control panel file manager remember to change back when you are finished (444)

 

John

 

PS: one of the best things you can do to protect your admin

To improve is to change; to be perfect is to change often.

 

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...