
Archived

This topic is now archived and is closed to further replies.

mjo

Security Directory Permissions Tool


I've installed OsCommerce version v2.3.1 (Host info indicates Linux server running Apache, PHP Version 5.2.14). I have set all folder permissions to 755, all file permissions to 644, and configuration files to 444 as recommended. Also installed FWR_Security_Pro 2.0, and it tested as "working".

 

So now... my question: Is it a security risk that when I am logged into my OsCommerce Admin that under >Tools >Security Directory Permissions the page shows some red x's in the "recommended" column instead of green checkmarks? Only the following folders (directories?) have green checkmarks in the "recommended" column: images, images/banners, some other misc folders under images like images/sierra, images/microsoft and then includes/work and pub folders along with two folders under my *admin* (which I of course renamed).


If it has red x's I'd suggest there is a problem.

 

Try reducing them.

 

HTH

 

G


Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile

 

Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.

 

For links mentioned in old answers that are no longer here follow this link Useful Threads.

 

If this post was useful, click the Like This button over there ======>>>>>.


If it has red x's I'd suggest there is a problem.

 

Try reducing them.

 

HTH

 

G

------------------------

I did play around with permissions a bit but it didn't seem to change how OsC evaluated the permissions... I can't find any recommendations for specific permissions other than what I already applied as stated above... I must be missing something. I did find out that if you set the permissions too high on some things, the php code won't work properly... so, again, kinda explored as far as I know. Is OsC evaluating entire directories AND sub directories separately... are my permissions set too high... how specific must they be... is there a way to find this in the OsCommerce code somewhere? I'm only creating more questions I can't answer! :(


I think many of the osC tools are there just to look pretty - I think you'll find that every installation of 2.3.1 has this pretty page as you describe it; only the designers can tell you how it should be interpreted and seeing they put out documentation for 2.3, parts of which referred to changes describing 2.2, I wouldn't hold out much hope from them.

 

General permissions for osC are:

 

Folders: 755

Files: 644

Configure files: 444

 

If yours are set like so then you have little to worry about and you'll probably have "This is a properly configured installation of osCommerce Online Merchant!" on your dashboard page.

 

Having said you have nothing to worry about it's still worth adding additional security features - 2.2 is the easy target for the hackers at the moment but once everyone starts upgrading to 2.3 then they'll be looking for holes in the 2.3 security fence ;)


Currently...:

 

Working with osCommerce 2.3.1

Now working with Phoenix

Add-Ons so far Installed:

Not all of these installed yet on Phoenix - some are and the rest will be

 

Add date and order number to invoice and packing slip,

Products Cycle Slideshow,

Detailed Monthly Sales,

Holiday Settings,

Tracking Module for 2.3


I'm reviving an old topic, but as I took the time to find the true and correct answer I thought I'd go ahead and post it.

 

The screen in question is not very intuitive. The first column is telling you whether the directory in question is writable. If there is a green check mark then the directory is writable. If there is a red 'x' then the directory is not writable. The second column is telling you the recommended state. So, at least according to this tool, you want to set most of the directories in question to 555 instead of 755 so that they are not writable.

 

I'm not making a statement as to whether this tool is providing good advice... only an accurate interpretation of what it is trying to communicate after I examined the code to see what it's doing.

 

Feel free to ask questions...

 

LarryD


I'm reviving an old topic, but as I took the time to find the true and correct answer I thought I'd go ahead and post it.

 

The screen in question is not very intuitive. The first column is telling you whether the directory in question is writable. If there is a green check mark then the directory is writable. If there is a red 'x' then the directory is not writable. The second column is telling you the recommended state. So, at least according to this tool, you want to set most of the directories in question to 555 instead of 755 so that they are not writable.

 

I'm not making a statement as to whether this tool is providing good advice... only an accurate interpretation of what it is trying to communicate after I examined the code to see what it's doing.

 

Feel free to ask questions...

 

LarryD

 

 

Well one would accept that... except...

 

 

My version searches the complete site, including a couple of forums, telling me that some forum directories that need to be writable should be non-writable... I suspect that many of the osC directories that it is saying should be non-writable should be in essence writable.

 

Consequently, until such time that one of the core team answers this post and provides documentation as to the proper usage of this feature in 2.3, users should continue using 755 for folders/directories, 644 for files with the exception of the two configure files which should be set to 444 or 400 - which as I said in my previous post produces the "This is a properly configured installation of osCommerce Online Merchant!" on your dashboard page.




Hello all!

 

Regarding permissions for the 2.3.1 configure.php files, I attempted several times to change them from 644 to 444, but 644 remained there! When I tried 400 instead, it changed by itself to 640! For this reason, a "potential security risk" on the admin start-up page is always on the alert.

 

Is this a self mechanism preset by my webhost service provider?


That is certainly an issue with the way many servers are now configured, where anything but 444 is writable yet the web host has disallowed the 444 permission. However, what many of them do not realise is that the script in that configuration has owner permissions, so PHP itself can change file permissions to 444 even though the WSP has banned it.

 

Try this:

 

<?php
 // Suppress warnings so a failed chmod() does not dump a PHP notice into the browser.
 error_reporting(0);
 // Make both configure files read-only (0444). chmod() succeeds only when the PHP
 // process owns the files, which is why this works where FTP chmod is refused.
 if ( chmod( "includes/configure.php", 0444 ) &&
      chmod( "admin/includes/configure.php", 0444 ) ) {
     echo "all done";
 } else {
     echo "could not change permissions";
 }
?>

 

Create a php file and add this code to it and upload it to your shop folder. Browse to it and once it loads it will change the settings of those files listed in there to 444 (if PHP has ownership permissions).


- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX


Hello Taipo,

 

Thanks for what you suggested. I'll create this php file for a try with your scripting.

What name should be assigned to this .php file, or just any name?


Taipo,

 

I named the file as php.php and copied it to catalog/.

 

After browsing it once, the warning was gone and the configuration is now deemed proper!

 

Thanks a lot for your help!


As advised by the system,

 

"The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:

/home/shingmun/public_html/oscommerce-2.3.1/catalog/admin/.htaccess

/home/shingmun/public_html/oscommerce-2.3.1/catalog/admin/.htpasswd_oscommerce"

 

I reset ".htaccess" from 644 to 755, but the alert was still there. By the way, the "catalog/admin/" directory does not have a file named ".htpasswd_oscommerce" !

 

Thanks.


I think you'll find it needs to be 777 >_<




Well one would accept that... except...

 

 

My version searches the complete site, including a couple of forums, telling me that some forum directories that need to be writable should be non-writable... I suspect that many of the osC directories that it is saying should be non-writable should be in essence writable.

 

Consequently, until such time that one of the core team answers this post and provides documentation as to the proper usage of this feature in 2.3, users should continue using 755 for folders/directories, 644 for files with the exception of the two configure files which should be set to 444 or 400 - which as I said in my previous post produces the "This is a properly configured installation of osCommerce Online Merchant!" on your dashboard page.

 

The reason for that is that it starts at the root 'catalog' directory. If you've made the root of your site the 'catalog' directory, then the checker will pick up the other directories that are there, as well. For instance, on my site it also picks up the cgi-bin, the modlogan, and a couple other directories.

 

The way the code is written, it will indicate that all directories should be 555 except the ones that are white-listed. The only ones that are white-listed by default are the ones that come with the osCommerce install. So... you can ignore the directories that don't come with the osCommerce install or you can add them to the sec_directory_whitelist table so that it won't flag them.

 

LarryD


I suspect that many of the osC directories that it is saying should be non-writable should be in essence writable.

 

Also... as stated originally... I cannot tell you if the security the tool recommends is actually correct. I'm only saying what it is the code is doing. I can say that I've not had any problems setting suggested directories to 555.

 

As a recap, the code is doing the following:

 

  • Making a list of every directory starting at the root catalog directory
  • If a directory is in the sec_directory_whitelist table then it says the directory should be a green checkmark when 'correct'
  • If a directory is not in the sec_directory_whitelist table then it says the directory should be a red x when 'correct'
  • To get a directory to be a red x then it needs the permissions set to 555 for that directory... 755 will NOT work

 

LarryD
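A way to reproduce that interpretation outside the admin page, as an added example that is not osCommerce's own sec_dir_permissions code: it walks every directory below a root, reports the octal mode and whether PHP can write there, and compares that with the rule that only whitelisted directories should be writable. The whitelist is a constructed array standing in for the sec_directory_whitelist table.

```php
<?php
// Added example (not osCommerce code): mimics the Security Directory
// Permissions check as described above. Every directory below $root is
// listed; whitelisted ones are expected to be writable, all others read-only.
function checkDirectoryPermissions(string $root, array $whitelist): array
{
    $root = rtrim($root, '/');
    $results = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($iterator as $path => $info) {
        if (!$info->isDir()) {
            continue;                       // files are not part of this check
        }
        $relative = ltrim(substr($path, strlen($root)), '/');
        $shouldBeWritable = in_array($relative, $whitelist, true);
        // is_writable() answers for the user PHP runs as: when PHP runs as the
        // file owner, 755 is already writable, which is why a directory has to
        // be 555 before the tool shows it as read-only.
        $isWritable = is_writable($path);
        $results[$relative] = [
            'mode'        => substr(sprintf('%o', fileperms($path)), -4),
            'writable'    => $isWritable,
            'recommended' => $shouldBeWritable ? 'writable' : 'read-only',
            'ok'          => ($isWritable === $shouldBeWritable),
        ];
    }
    ksort($results);
    return $results;
}

// Constructed whitelist (paths relative to the catalog root) standing in for
// the sec_directory_whitelist table; adjust it to match your installation.
$whitelist = ['images', 'images/banners', 'includes/work', 'pub'];

// Run from the catalog root. A MISMATCH is a directory where the admin page's
// first column (actual state) disagrees with its second (recommended state).
foreach (checkDirectoryPermissions(__DIR__, $whitelist) as $dir => $r) {
    printf("%-40s %s writable=%-3s recommended=%-9s %s\n",
        $dir, $r['mode'], $r['writable'] ? 'yes' : 'no',
        $r['recommended'], $r['ok'] ? 'OK' : 'MISMATCH');
}
```

Because the root is whatever directory the script sits in, it will also list cgi-bin, forum and similar directories if the catalog is the site root, exactly as the posts above describe.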


Hi Julian,

 

Although the file permission was reset to 777 as suggested, the warning message remains seen!

 

Depending on the configuration in apache, when it comes to files, 666 is writable by PHP. On other configurations 644 is also writable (where PHP has root permissions).


