Security issue with admin directory

[zpupster 6]

hello,

 

i am little confused. i am having to log in three times into admin. twice with the htaccess that i password protected the directory

admin is in, and once when i get into oscommerce. i contacted my host they said i am being redirected to the same url, but my redirect is empty in

cpanel. also, i have been reading here that you can marry the two so you only have to login with oscommerce and get

the same protection as htaccess. one last thing this may be a stupid question but if i have htaccess then i should not have to have

an ssl certificate to get https, becasue it is protected by the htaccess. am i right or wrong about this.

 

 

where should i go to undo and redo this the right way, since i obviously went down the wrong track somewhere.

 

thanks,

craig

[cherishedmoments 0]

 

For the moment two things can and should be done:

A. rename the admin directory

B. add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htaccess cannot be used on a Windows server by the way)

 

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

 

define('DIR_WS_ADMIN', '/renamed_admin_directory/');
define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

For password protecting of your admin directory you can (hopefully) use the Password Protect feature in your web hosting control panel (see for example post 141 in this thread).

 

 

Okay, now I'm locked out of my own admin and every page on my site gives me a 403 error. I renamed my admin, then I changed the renamed_admin_directory/includes/configure.php. I tried to password protect but Bluehost said that I couldn't password protect because I have FrontPage Extentions installed. So I uninstalled them. For whatever reason, even though it said that they were uninstalled, my cPanel still says they are installed and won't let me password protect my admin. And now I have an even bigger problem....when I uninstalled FrontPage Extensions, it erased all of my .htaccess files and now I can't get onto any page on my site, including my admin. It says....

 

 

Forbidden

 

You don't have permission to access /new_admin_name on this server.

 

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

 

So I just made my problem 10 times bigger and, not only can I not figure out how to gain access to my site again....but even if I figured it out....I'm back to having an admin that I cannot password protect.....which is what I was trying to do in the first place!

 

Will someone please help me! I don't think I can take anymore!

[jgoluch 0]

Okay, now I'm locked out of my own admin and every page on my site gives me a 403 error. I renamed my admin, then I changed the renamed_admin_directory/includes/configure.php. I tried to password protect but Bluehost said that I couldn't password protect because I have FrontPage Extentions installed. So I uninstalled them. For whatever reason, even though it said that they were uninstalled, my cPanel still says they are installed and won't let me password protect my admin. And now I have an even bigger problem....when I uninstalled FrontPage Extensions, it erased all of my .htaccess files and now I can't get onto any page on my site, including my admin. It says....

 

 

Forbidden

 

You don't have permission to access /new_admin_name on this server.

 

Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

 

So I just made my problem 10 times bigger and, not only can I not figure out how to gain access to my site again....but even if I figured it out....I'm back to having an admin that I cannot password protect.....which is what I was trying to do in the first place!

 

Will someone please help me! I don't think I can take anymore!

 

Been following this posts and similar ones elsewhere as a client site has same type of hacking...what are they trying to achieve/gain via the hack?

[Peepo 0]

Ive changed the name of the admin directory.

 

But when I look at the code in admin/incluides/configure.php I wonder should I really be changing this

 

define('DIR_WS_ADMIN', '/admin/');

define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

 

for this?

 

define('DIR_WS_ADMIN', '/renamed_admin_directory/');

define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

 

The reason I ask is because the replacement has a direct link to the directory and the original code has some sort of reference.

 

Im using 2.3.1. Can anyone confirm I still need to change this code as the original post was written in 2009.

Thanks

[Xpajun 119]

Ive changed the name of the admin directory.

 

But when I look at the code in admin/incluides/configure.php I wonder should I really be changing this

 

define('DIR_WS_ADMIN', '/admin/');

define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

 

for this?

 

define('DIR_WS_ADMIN', '/renamed_admin_directory/');

define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory/');

 

The reason I ask is because the replacement has a direct link to the directory and the original code has some sort of reference.

 

Im using 2.3.1. Can anyone confirm I still need to change this code as the original post was written in 2009.

Thanks

 

 

You would have to rename the first:

 

define('DIR_WS_ADMIN', '/admin/');

 

but not necessarily the second unless it dosen't work and then you would

 

 

The second is saying "go to the document root (catalog) and use the directory defined for DIR_WS_ADMIN

[Peepo 0]

Ah understood :) Ok I'll have a play about with it.

[tstarr 1]

I added the following lines to my .htpasswds in the Admin folder

 

AuthType Basic

AuthName "Authorized Use Only"

AuthUserFile "/home/admin/.htpasswds/home/admin/passwd"

require valid-user

 

I am now getting the user name and password popup.

I have a stupid question, what is my user name & password?

 

I am assuming that my password is "passwd" but what is my username & how do I change the username?

[solaris955 0]

Hi guys,

 

I have gone through this thread several times, there's just so much detail to hold in mind ...

 

I am trying to secure my admin area in the newest version - 2.3.1.

 

Could someone please be so kind as to put it what specifically I should do to secure it please?

 

Because the discussions above refer to older versions, it would be great if someone could summarize what steps should be taken for the newest version please (2.3.1).

 

I (and many others, I am sure) would really, really appreciate a brief summary of steps to be taken to secure the admin area of this newest version (2.3.1).

 

Thanks hugely in advance for all your help.

 

Irina

[tstarr 1]

I added the following lines to my .htpasswds in the Admin folder

 

AuthType Basic

AuthName "Authorized Use Only"

AuthUserFile "/home/admin/.htpasswds/home/admin/passwd"

require valid-user

 

I am now getting the user name and password popup.

I have a stupid question, what is my user name & password?

 

I am assuming that my password is "passwd" but what is my username & how do I change the username?

 

OK, with alot of snooping around I figured out.

 

Here are all of the steps to get the .htaccess password protection working on the Admin folder.

 

1) Paste the following lines into the .htaccess file in the Admin folder:

 

AuthType Basic

AuthName "Authorized Use Only"

AuthUserFile "/var/chroot/home/content/22/6527522/html/bbhshop/bbhnewshop/admin/.htpasswd"

AuthGroupFile /dev/null

require valid-user

 

2) Replace my path "/var/chroot/home/content/22/6527522/html/bbhshop/bbhnewshop/" with your specific path.

You can find your path in your cPannel File Manager, your Web Hosting File view, or your FTP File view.

 

3) Go to the following .htaccess password encryption tool

http://www.tools.dynamicdrive.com/password/

 

4) Create a .htpasswd file with the following line from the above tool. (yours will be different depending on your username & password)

myUsername:mS3fKc1G21eRM

 

5) Upload the .htpassword file to the Admin directory. You should be done.

 

Here is a good how to guide if my post did not make sense.

http://www.javascriptkit.com/howto/htaccess3.shtml

[♥DunWeb 921]

Irina,

 

V2.3.1 has the ability to change the admin directory name and .htaccess protect during setup OR from the admin area afterwards.

 

You will not need to secure it any further if you use the security features built into the admin area.

 

 

Ofcourse, there are still the 5 'must have' security contributions for your catalog.

 

 

Chris

[uniks 0]

Renaming the admin directory has always been a good measure but was never prominently advised in the install procedure. After you rename the admin directory you will have to change two lines in the renamed_admin_directory/includes/configure.php:

 

define('DIR_WS_ADMIN', '/renamed_admin_directory/');

define('DIR_FS_ADMIN', '/your/path/to/directory/renamed_admin_directory

========================

 

 

I did the above procedure and it works but I got this error message when I go to

 

the Admin page then Tools\DataBaseBackUp

 

then I see this error messages " :Error Error: Backup directory does not exist. Please set this in configure.php. "

 

 

Does someone needs how to fix this, thanks

[♥geoffreywalton 139]

Please do not double post

 

http://forums.oscommerce.com/topic/368985-error-error-backup-directory-does-not-exist-please-set-this-in-configurephp/page__pid__1554542#entry1554542

[bavariuaninc 0]

My admin got hacked as well and now the index and login files are gone. When I try to copy from backup it will not save? What happened? Thanks

[♥geoffreywalton 139]

That really will take some time and a lot of detective work to find out.

 

A link on how to sort out a hacked site is on my about me page in my profile.

 

Not really difficult just time consuming and detailed.

 

HTH

 

G

[qkzoo 0]

I need help with step B. "Add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htascess cannot be used on a Windows server by the way)"

 

How do you do this? I have no idea. I have followed most of the steps in "securing" my website, and I have seen this one posted in each one, but I have no idea how to go about this, can somebody help? I'm using HostGator, if that matters or helps...

 

Thanks,

 

Andrew

[BryceJr 20]

I need help with step B. "Add .htaccess protection to the (renamed) admin directory as was necessary on the older versions of osC (.htascess cannot be used on a Windows server by the way)"

 

How do you do this? I have no idea. I have followed most of the steps in "securing" my website, and I have seen this one posted in each one, but I have no idea how to go about this, can somebody help? I'm using HostGator, if that matters or helps...

 

Thanks,

 

Andrew

Proceed to your web host control panel and follow >>this.

[qkzoo 0]

Proceed to your web host control panel and follow >>this.

 

...that's instructions to password protect a directory, which I've done. It doesn't tell me, however, anything about what .htaccess is or how to protect it.

[BryceJr 20]

...that's instructions to password protect a directory, which I've done. It doesn't tell me, however, anything about what .htaccess is or how to protect it.

The purpose of creating a .htaccess file is to password protect your newly_renamed admin directory. The easy way to accomplish that is through your host control panel which you've done.

 

More info on >>htaccess

[qkzoo 0]

Ok, so if I understand you correctly, then I can ignore all the suggestions here? I'm just a little flustered is all, I noticed several .htaccess files throughout my installation as I went through and checked all file permissions. Yes, my admin directory is now renamed and password protected using my hosts cPanel, which was quite simple.

 

Andy

[BryceJr 20]

Ok, so if I understand you correctly, then I can ignore all the suggestions here? ...

Password protecting your admin directory will not compensate for the other security issues you need to address in your store.

 

Ignoring the suggestions on "How to secure your osCommerce" thread will not protect your site from injection attacks, xss, file_manager point of entry, etc.

[qkzoo 0]

Password protecting your admin directory will not compensate for the other security issues you need to address in your store.

 

Ignoring the suggestions on "How to secure your osCommerce" thread will not protect your site from injection attacks, xss, file_manager point of entry, etc.

 

I'm sorry, I dropped the wrong link somehow. The link I meant to show was a bunch of .htaccess codes for protecting a site, and I can't find the link now. I have followed those instructions to the best of my ability, I have added Security Pro, I have gone through and made sure that all of my files are 644 or lower (permissions), folders 755 or lower, my configuration.php file(s) have a permission setting of 400, I believe. I renamed the admin directory, and I have protected the "Admin" directory with .htaccess by means of my hosts cpanel directory password protect function. According to the post, i should delete the admin/file_manager.php file (which didn't exist in my installation) and the file admin/define_language.php, which I did. The only thing I think I have left to do is the link titled "You can stop cross site scripting attacks with Anti XSS."

 

There was also a link to install software to block specific ip's, but my site isn't even active yet, so I can wait on that...right?

 

I want to make sure this thing is tight as I can possibly make it, so can you think of anything I left out?

 

Thank you,

 

 

Andy

[puerdemon 0]

Okay so I did both rename and .htaccess modifying.

 

Now I am entirely locked out. I get the lovely "500 Internal Server Error" message. I had been modding my code via the file manager because my .htaccess file does not show up in Filzilla for me. I have tried FTPing the file for .htaccess and .htpasswd back up into my site but to no avail. And my entire site is now offline. Advice anyone? Thank you in advance :)

 

This is my .htaccess code:

# $Id: .htaccess 1739 2007-12-20 00:52:16Z hpdl $
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' with also work. (This configuration is in the
# apache/conf/httpd.conf file)
# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers
#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>
# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter
# AcceptPathInfo On
# Fix certain PHP values
# (commented out by default to prevent errors occuring on certain
# servers)
# php_value session.use_trans_sid 0
# php_value register_globals 1

<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>

Options +FollowSymLinks
RewriteEngine On 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]


AuthName "Restricted Area" 
AuthType Basic 
AuthUserFile /hyperactive3d.com/lookywhatifound/.htpasswd.txt/.htpasswd 
AuthGroupFile /dev/null 
<Files home>
require valid-user
</Files>

 

EDIT: Sorry didn't copy all the code.

[puerdemon 0]

Ah sorry I got it to work, was able to get my hidden files to show up on Filezilla. Sorry for the double post :blush:

[hhitch 0]

first, change the name of your "admin" folder.

 

Then, you MUST change the references to that folder name in the following file:

 

/admin (has new name now)/configure.php

 

if you make the changes to that file, then the system can find the login page. if you don't make the changes to that file, the system cannot find the login page nor the error page.

 

this is not so simple. I have renamed admin and changed configure.php and when I go to the new folder it bombs with the following error:

 

Not Found

The requested URL /admin/login.php was not found on this server.

 

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

 

 

--------------------------------------------------------------------------------

 

Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8 Server at www.myshop.co.uk Port 443

 

Please, for novices like me who are trying to learn oscommerce, don't assume it's just this or that and it's done. I am finding lack of concise answers to anything regarding oscommerce and putting notices like this without a troubleshooting guide is not helpfull at all.

[♥Biancoblu 57]

If I set up password protection through .htaccess (Cpanel), I have to keep it the same as the password I set up during installation.

If I set up different passwords, the one in .htaccess seems to override the other and locks me out of admin.

 

I thought I would be able to set up one password in htaccess which would be different than the one set up during installation.

Am I missing something?