
Jan Zonjee

Security issue with admin directory

229 posts in this topic

I get this error message on the login page:

 

Error: Invalid administrator login attempt.

 

That is why it is throwing me out of the catalog folder to the top level of the domain. So how do I fix this? How do I change the admin user name and password? I have an idea. I will go back and install the cart again and change the user name and password. I will let you know.


 

Thanks Sam. Now that is a cool addon. It works great. However, resetting the password still does the same thing. I have put everything back the way it used to be, the admin folder and the configure.php file the way it was originally. And when I reset the admin password the next page is OUTSIDE the catalog. Very weird. I have checked the configure.php file in both the includes/ and in the admin/includes and I don't see anything out of place.

 

Do you have any idea why this could be happening? I am logging in and then taken out of the catalog and to the top level of my domain:

 

http://domain.com/login.php

 

There has to be a reason this is happening.


After many hours of tweaking around I finally figured out how to change the admin directory to a new name without being logged in to outside the catalog directory. It is not as straightforward as some have said. Obviously each host has different ways of doing this. Here is what I came up with that works for me:

define('DIR_WS_ADMIN', '/catalog/name_of_new_admin_directory/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

 

If you will note, you leave the second line the same as the original. When I log into the new admin directory I then am directed into the catalog/name_of_new_directory/index.php like I am supposed to. If you are being logged in to outside the catalog directory to the top level of the domain, try this code out to see if it works for you.


Feeling very confident that I was able to change the admin directory name on a test shopping cart to see if I can do it I then proceeded to change the name of the admin directory in my actual working shopping cart. Everything went fine, except that the Checkout by Amazon payment module refers to the admin folder and so I tried to figure out how to remedy this one and it got a bit complicated, so I simply put the admin folder back into its original name. I have added the admin directory as a password protected directory with cPanel through my host. I will contact the Checkout by Amazon team who is very helpful with such things and ask them the steps necessary to change the admin directory with their payment module.


Hello everyone. :)

 

Couple of questions:

 

1) Will there be a fix released in the near future for this problem or this is it?

2) How to change the admin directory BEFORE installing? Just rename the folder and install as usual or is there anything to change on the install folder as well?

 

TIA

1) Will there be a fix released in the near future for this problem or this is it?

I don't know.

2) How to change the admin directory BEFORE installing?

Peter Bernard and others already did some work on that.


I read this whole thread with a combination of curiosity and amusement. I just want to add some generic advice that I hope is helpful for anyone who wants to move their Admin dir or is having trouble protecting a directory in their store:

 

1. Contact your hosting company. Please don't listen to anyone on these forums about your particular situation for cPanel, Plesk, etc. Look, the fact is there are umpteen shells out there. You know that these are just graphic shells for the real meat of the server, right? Seriously, please contact your host. Take 5 minutes and ask a professional - who you are paying btw - to help you learn how to use the tools they are providing you to protect your directories. Nuff said.

 

2. Find yourself some good tools (there are plenty of freebies available) that will allow you to compare file contents and to search files for character strings. Some of my personal favorites and which I highly recommend are (and these are just examples btw, and by no means the only such products available for the job):

 

Beyond Compare (compare contents of one file or directory to another)

Examine32 (text string search of any file type)

 

You can find these programs - for free - at www.scootersoftware.com and www.examine32.com respectively. You'll also find them on CNET's download section. Be careful of the program you select for these chores. I have tried many text string searchers in particular and most of them suck and fail to find all combinations. Examine32 is a keeper IMHO.

 

3. Be thorough. Don't forget to search your database for references to things you want to change.

 

4. Try different search string patterns to be sure you get all the nuances, e.g. <mydomain.com> and <mydomain> or <http://www.mydomain.com>.

 

I hope this is helpful to someone. We've all spent many hours trying to troubleshoot what appear to be simple problems (and often are). My goal is to help make your job finding your needle-in-the-haystack easier and faster!

 

Regards,

David


Hi

I added password protection to the admin folder. Might this be enough to fix the issue?

I tried to rename the folder and changed the paths in the configure file, but after that, when I log in to the admin, it doesn't show the first page correctly - the page where you see the summary of the customers and orders.

http://www.name.com/admin/index.php

I don't see anything after changing the admin name, and before there were 2 tables there, one on the left for customers and one on the right for orders.

If someone suggests how to fix this, I am happy to rename the admin folder.

 

Thank you to everyone for this very valuable information. I am a novice at this, but I had this exact issue (above) happen to me when I performed the admin directory name change. Garnet, I noticed you rectified this issue, perhaps you may be able to enlighten me :blush:


...'amusement. I just want to add some generic advice that I hope is helpful for anyone who wants to move their Admin dir or is having trouble protecting a directory in their store... Be thorough. Don't forget to search your database for references to things you want to change.

 

what you said in your post is completely utterly irrelevant (and potentially misleading) to the issue discussed under this thread. what on earth does changing (NOT moving, as you referred to it) the admin name and applying a password to it have to do with the database? I reckon anyone who has the skills and dares to search the database directly would not have a problem changing the admin name and applying a password to it.

 

The advice that is being given out in post#1 by Jan and many subsequent posts applies to general situations and not necessarily cover every single site/server if the host chooses to do things in an odd way.

 

People who know osCommerce inside out would surely be amused by your post.

Ken


If you have MS2.2 and Admin Access Levels plus the HTML editor (folder htmlarea) then you are open to attack. You can access the file upload program in the editor without a password and upload files, and then it's your worst nightmare.

 

So if you are using the old editor upgrade to FCKEditor immediately. Also remove your downloads folder if you don't use them because it is a target folder for use in this type of hack.

 

Plus of course renaming Admin is a good idea.


For the moment two things can and should be done:

A. rename the admin directory

B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

 

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

 

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

For password protecting of your admin directory you can (hopefully) use the Password Protect feature in your web hosting control panel.

 

Hi folks, it doesn't get any easier a change than this, and yes, I rechecked several times to make sure I didn't make a typing mistake, but somehow I cannot log in...

 

I see the login screen, but I get the message Error: Invalid administrator login attempt.

 

Anyone knows what the problem could be.

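The rename-and-protect procedure described earlier in the thread (rename the admin directory, fix the two defines in renamed_admin_directory/includes/configure.php, then password-protect the directory), carried out by a small POSIX shell script. This is an added example, not code from the thread or from osCommerce; the catalog path, the new directory name and the .htpasswd location are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rename the osCommerce admin directory,
# update the DIR_WS_ADMIN / DIR_FS_ADMIN defines in its includes/configure.php,
# and drop in an .htaccess that requires Basic auth. The .htpasswd path is an
# assumption; create that file with: htpasswd -c /path/to/.htpasswd adminuser
set -e

# rename_admin CATALOG_ROOT OLD_NAME NEW_NAME HTPASSWD_FILE
rename_admin() {
  catalog=$1; old=$2; new=$3; htpasswd=$4
  olddir="$catalog/$old"; newdir="$catalog/$new"
  [ -d "$olddir" ] || { echo "no such directory: $olddir" >&2; return 1; }
  [ ! -e "$newdir" ] || { echo "target already exists: $newdir" >&2; return 1; }
  mv "$olddir" "$newdir"

  cfg="$newdir/includes/configure.php"
  # Only the two admin defines are touched. A literal '/old/' inside them is
  # swapped for '/new/'; the form DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN has no
  # literal name and is left exactly as it was, as the thread recommends.
  # (Directory names are plain words here, so no sed escaping is needed.)
  sed -e "/DIR_WS_ADMIN/ s#/$old/#/$new/#g" \
      -e "/DIR_FS_ADMIN/ s#/$old/#/$new/#g" "$cfg" > "$cfg.tmp"
  mv "$cfg.tmp" "$cfg"

  # Basic-auth gate in front of the renamed directory (Apache; .htaccess is
  # not usable on a Windows/IIS host, as noted in the thread).
  cat > "$newdir/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $htpasswd
Require valid-user
EOF
}

# verify_admin_move CATALOG_ROOT OLD_NAME NEW_NAME
# Returns 0 only if the old path is gone, no admin define still names it,
# and the .htaccess gate is in place; 1 otherwise.
verify_admin_move() {
  catalog=$1; old=$2; new=$3
  cfg="$catalog/$new/includes/configure.php"
  [ ! -e "$catalog/$old" ] || return 1
  [ -f "$cfg" ] || return 1
  if grep -E "DIR_(WS|FS)_ADMIN" "$cfg" | grep -q "/$old/"; then return 1; fi
  grep -q '^Require valid-user$' "$catalog/$new/.htaccess" || return 1
  return 0
}
```

Run verify_admin_move after the rename and again after the first successful admin login; if the old directory name still appears in any define, the admin pages will redirect outside the catalog exactly as described in this thread.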


 

Just changed it all back, now I can't even sign in via the regular shop/admin ....


I run 3 shops, 2 of the three have a password-protected and renamed admin folder.

 

My issue with the third one is, I installed the "suppliers" mod, which allows my vendors to add their product info via their own supplier area. If I password protect my admin, they are prompted to log in with that info before logging into their own supplier area.

 

So am I basically out of luck for doing this unless I give them the protected admin's password?



 

Ken,

 

My points were that hosting providers are a good resource for troubleshooting. As you put it, some hosts choose to do things, "in an odd way" (whatever that means).

 

Regarding my database comments, it is important to remember that there are many settings in the db. Some of them may need to be changed as a result of changing directories. Yes, this is probably obvious to any OSC experts, but this forum is not limited to that set of people. I have learned OSC from scratch, with no prior programming in PHP. I'm sure there are others in the same boat. Many people read these forums. Perhaps this suggestion will help someone else avoid some of the pitfalls that I've run into. I meant these comments as friendly advice.

 

There is no need for your UK snobbery.

 

Regards,

RC


One way I have thought about that might reduce this problem of sarcasm and nasty remarks to beginners is to add a forum under the v2.2 heading called NEWBIES or BEGINNERS, and then if the developers venture into this forum they should know that there will be a lot of dumb questions that someone who took the time to read the manual or spent a few hours reading the posts already there wouldn't ask again. But the nature of some newbies is that they ask a dumb question without reading anything, and you can only imagine how a developer of the osCommerce code would react to that. Not all developers are that way, some are very helpful, and what is going on here is totally amazing. Thousands of people are here asking questions and probably a core of less than a hundred know what is going on with osCommerce, and anyone who is really good with osCommerce shopping carts is making lots of money setting them up and not spending any time here helping newbies.

 

The other suggestion I have for Harold Ponce De Leon who came up with this whole deal is to clearly explain what an alpha shopping cart is since hundreds of newbies think v3 should be the one to download and they haven't a clue what they are doing. And with v2 it should clearly say with big warning letters that security is an issue and there are several addons that need to be integrated into the shop before going live with a cart.

 

BradyBarrows,

 

Thanks. That's one of the best posts I've read on these forums in a long time! :)

 

Regards,

RC


...My points were ...

 

you seem still not to get it:

if you posted it on the tips & tricks forum then that would be fine and i would not make any comment about it, but you posted under this thread which is "Security issue with admin directory", your post is completely irrelevant to this issue, and you tried to set yourself up as "expert of all experts" by telling noobies "don't listen to anyone on these forums", which is misleading and would waste people's time looking at the database to sort out the admin issue.

you failed to give a single example of why the database is relevant to the admin issue. the database does store lots of settings but NONE of them is the admin path. even the most stupid coder would know that you can dynamically get the path by using one line of php code wherever and whenever you like so that the code can be used on any server on which the absolute path may be different.

Ken


It seems the advice here is to rename the admin directory to something obscure. I think an even better solution is to go one step further and to re-create a dummy admin directory after you've renamed the real one. The relatively bare-bones dummy one I have contains only a few files...

 

admin/index.php

admin/login.php

admin/includes/general.js

admin/includes/stylesheet.css

admin/images/oscommerce.png

admin/images/pixel_trans.gif

 

My admin/index.php contains:

<?php
header("Location: https://www.mydomain.com/admin/login.php");
die();
?>

 

and admin/login.php contains a cut-and-paste of the 'view source' result from viewing the default admin/index.php before moving it.

 

In other words my admin/login.php now contains this...

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="ltr" lang="en"><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="robots" content="noindex,nofollow">
<title>osCommerce Online Merchant Administration Tool</title>
<link rel="stylesheet" type="text/css" href="includes/stylesheet.css">
<script language="javascript" src="includes/general.js"></script>
</head><body topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0" onload="SetFocus();" bgcolor="#ffffff" marginheight="0" marginwidth="0">
<!-- header //-->
<table border="0" cellpadding="0" cellspacing="0" width="100%">
 <tbody><tr>
   <td colspan="2"><a href="https://www.mydomain.com/admin/index.php"><img src="images/oscommerce.png" alt="osCommerce Online Merchant v2.2 RC2a" title=" osCommerce Online Merchant v2.2 RC2a " border="0"></a></td>
 </tr>
 <tr class="headerBar">
   <td class="headerBarContent">  <a href="https://www.mydomain.com/admin/index.php" class="headerLink">Administration</a>  |  <a href="http://www.mydomain.com/" class="headerLink">Online Catalog</a>  |  <a href="http://www.oscommerce.com/" class="headerLink">Support Site</a></td>
   <td class="headerBarContent" align="right">  </td>
 </tr>
</tbody></table>
<!-- header_eof //-->

<!-- body //-->
<table border="0" cellpadding="2" cellspacing="2" width="100%">
 <tbody><tr>
   <td><table border="0" cellpadding="0" cellspacing="0" width="100%" height="40">
     <tbody><tr>
       <td class="pageHeading">Administrator Login</td>
       <td class="pageHeading" align="right"><form name="adminlanguage" action="https://www.mydomain.com/admin/index.php" method="get"><select name="language" onchange="this.form.submit();"><option value="en" selected="selected">English</option></select></form></td>
     </tr>
   </tbody></table></td>
 </tr>
 <tr>
   <td>

<table border="0" cellpadding="2" cellspacing="0" width="100%">
 <tbody><tr class="infoBoxHeading">
   <td class="infoBoxHeading"><b>Administrator Login</b></td>
 </tr>
</tbody></table>
<form name="login" action="https://www.mydomain.com/admin/login.php?action=process" method="post">
<table border="0" cellpadding="2" cellspacing="0" width="100%">
 <tbody><tr>
   <td class="infoBoxContent">Username:<br><input name="username" type="text"></td>
 </tr>
 <tr>
   <td class="infoBoxContent"><br>Password:<br><input name="password" maxlength="40" type="password"></td>
 </tr>
 <tr>
   <td class="infoBoxContent" align="center"><br><input value="Login" type="submit"></td>
 </tr>
</tbody></table>
</form>

   </td>
 </tr>
</tbody></table>
<!-- body_eof //-->

<!-- footer //-->
<br>
<table border="0" cellpadding="2" cellspacing="0" width="100%">
 <tbody><tr>
   <td class="smallText" align="center">
osCommerce Online Merchant Copyright © 2008 <a href="http://www.oscommerce.com/" target="_blank">osCommerce</a><br>
osCommerce provides no warranty and is redistributable under the <a href="http://www.fsf.org/licenses/gpl.txt" target="_blank">GNU General Public License</a>
   </td>
 </tr>
 <tr>
   <td><img src="images/pixel_trans.gif" alt="" border="0" width="1" height="5"></td>
 </tr>
 <tr>
   <td class="smallText" align="center">Powered by <a href="http://www.oscommerce.com/" target="_blank">osCommerce</a></td>
 </tr>
</tbody></table>
<!-- footer_eof //-->
<br>
</body></html>

 

Obviously 'mydomain' is replaced by my own shop's domain.

 

The other files add to the illusion that this is the real admin area.

 

The idea is that hackers will waste their time with admin/login.php which does absolutely nothing of course, whilst the real back office area is now in a different directory as already described in this thread.

 

It might be a waste of time, but if you're going to go to the trouble of renaming admin, you might as well go the whole hog and create a dummy one in its place to keep the hackers entertained. :rolleyes:


add this to your admin/includes/application_top

 

// Goes inside the branch of admin/includes/application_top.php that runs when no admin
// session is registered (placed unconditionally it would redirect every admin page).
// SCRIPT_FILENAME is the file PHP actually executed, so the check compares the real script
// against FILENAME_LOGIN rather than whatever the request path looked like.
if (basename($_SERVER['SCRIPT_FILENAME']) != FILENAME_LOGIN && basename($_SERVER['SCRIPT_FILENAME']) !== false) {
  header('Location: /admin/');
  exit; // stop here; otherwise the rest of the page is still generated after the redirect header
}

 

This will fix it

 

If you don't want them redirected to admin, replace admin with the URL you want them redirected to, like ashole.com or something like that.


Ken,

 

Yes, I see your point that my comments were not relevant to the admin directory discussion. My intent was to suggest there are a variety of things to think about and look at with regards to security, such as not limiting one's actions to what is discussed on the forums, but also considering other sources (such as one's hosting provider) for advice. While I may have made a poor choice on where to post those comments, there are certainly things to take into consideration within the database, depending of course on which mods you have installed, etc. While none of them may concern the admin path, they may affect other things. So, a lesson learned for me about not posting something that was perhaps out of context to the topic.

 

Perhaps my choice of language was also not the greatest or created some confusion. However, I don't think presumptuous statements belong in here either. I never had any intention of setting myself up as any kind of expert or "expert of experts" as you put it. I thought that I conveyed the fact clearly that I'm simply an OSC newbie just trying to help out other noobs.

 

Enough said.

 

Regards,

David

 

 



Hi guys.

 

This is very important! This vulnerability is being used to send SPAM from the admin's email page. They're using a simple command to access admin/email.php directly without logging in, and this way they can see (and maybe enter) the whole admin area and send email to all clients!

 

I've found the command when checking one of my client's access logs after receiving an email that was not sent by her. This was the email's content:

 

Hello

 

 

I will not post the command here for obvious reason, but if any admin would like to know what it is, please PM me and I'll gladly send it to you. JUST ADMIN, please. I won't give this information to anybody else.

 

Hope this helps fixing the hole in the admin area.


That happened to a client of mine too a couple of days ago but it was MS2.2 and the reason was that their Admin has NO security at all. No .htaccess. Nothing.

 

So this is a new automated exploit targeting osCommerce - regardless of version.


admin/email.php is present in every version. Of course if there was no htaccess protection your client's store was wide open and inviting. But RC2a has this admin login which for a long time we all believed was good protection. As informed from the first post on this thread, it's not.

 

This command I mentioned won't work on an htaccess-protected area, but works without any problems on the normal RC2a admin with the default PHP login. This is where the danger lies. So beware and protect your stores with the steps mentioned in this thread.


I heard you.

 

My point was that:

 

1. it was not just you this happened to in recent days

2. it is targeting osCommerce in general rather than RC+ per se

 

 

The program being targetted is actually called mail.php.
