kenkja

includes htaccess

Please accept my apologies if you think the following post should be within the add ons - payment modules forum, but it seems to me that it may be related to both.

 

A couple of months ago I began developing my first osCommerce site using v2.3.1, which was installed via my host's Fantastico installer (which may have been my first error).

After installation, I first added all the security required by post 1 of the security forum and all seemed in order, followed by my SSL, languages, Year Make Model and so on.

Then to the payment gateway. My UK retail store uses the UK company Cardsave, so it seemed natural to go with them, especially as they have an osCommerce add-on; however, it just would not work.

So after a few weeks of trying various options suggested by Cardsave's own "IT" dept, I decided to dump the whole site and re-install using the osCommerce install procedures.

 

During the install I renamed the admin, used cPanel to password-protect it and ensured that the admin was showing a correctly configured install, so all good so far.

 

I then added the Cardsave payment module; yet again it would not work, the problem being that the gateway could not access a file within the uploaded payment module which then leads back to the osCommerce site's checkout success or checkout failure. At this point the file could not be browsed to either; it resulted in

 

 

Forbidden
You don't have permission to access /includes/modules/payment/cardsave_redirect/callback.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request

 

Again, after much to and fro with the Cardsave "IT" dept and no success, my host's IT identified root/includes/.htaccess as the problem, as it contained the rule

 

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

 

Effectively this denies all access to .php files within root/includes from any outside source (NB: the file which the gateway requires is located within root/includes/modules/payment/cardsave_redirect/).

 

So after the "Deny from all", I added Allow statements for the appropriate IPs for Cardsave and my own IP, and then tried to browse to the required file "includes/modules/payment/cardsave_redirect/callback.php", which was now not Forbidden and resulted in the error message

 

"HashDigest, MerchantID, CrossReference or OrderID missing"

 

This is the result Cardsave would expect to receive when the callback.php file is browsed to, and it appears to make sense to me. So, it appeared to me that if my IP can find callback.php, then so should the Cardsave IPs, but after trying another test purchase, the gateway is unable to return to my site. By way of a check I then renamed root/includes/.htaccess to disable it, ran another test transaction and it worked correctly.

 

It's fair to say I'm now a little baffled; the obvious answer is that the allowed IPs for Cardsave are incorrect, but they are not.

 

Cardsave's answer is to permanently disable root/includes/.htaccess, so that the gateway then works; however, that would then leave the files and folders within root/includes open to outside access.

 

Any clues, anyone?

 

Ken


Os-commerce v2.3.3

Security Pro v11

Site Monitor

IP Trap

htaccess Protection

Bad Behaviour Block

Year Make Model

Document Manager

X Sell

Star Product

Modular Front Page

Modular Header Tags


Ken,

 

this code in .htaccess is for the IMAGES directory ONLY

 

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

 

 

A default root .htaccess file looks like this:

 

# $Id$
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
# AllowOverride Options
# </Directory>
#
# 'All' will also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
# <IfDefine SSL>
# SetEnvIf User-Agent ".*MSIE.*" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
# </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter

# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occurring on certain
# servers)

# php_value session.use_trans_sid 0
# php_value register_globals 1

 

 

 

Chris


 

See my profile to learn more about add-ons, templates, support plans and custom coding.


Hi Chris, thanks for your prompt reply.

 

Maybe I'm missing something here, but the .htaccess which appears to be causing the problem is not the one within the root; it is within the root/includes folder and currently is

 

# $Id$
#
# This is used with Apache WebServers
# The following blocks direct HTTP requests in this directory recursively
#
# For this to work, you must include the parameter 'Limit' to the AllowOverride configuration
#
# Example:
#
#<Directory "/usr/local/apache/htdocs">
# AllowOverride Limit
#
# 'All' will also work. (This configuration is in your apache/conf/httpd.conf file)
#
# This does not affect PHP include/require functions
#
# Example: http://server/catalo...ication_top.php will not work

<Files *.php>
Order Deny,Allow
Deny from all
Allow from "Cardsave IP"
Allow from "Cardsave IP"
</Files>

 

As far as I know, I didn't add this .htaccess to root/includes; all I've done is add the two Allow statements (I've replaced the actual IPs with the text within the quotes for the post).

 

The root .htaccess is now

 

RewriteEngine on
# $Id$
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
# AllowOverride Options
# </Directory>
#
# 'All' will also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
# <IfDefine SSL>
# SetEnvIf User-Agent ".*MSIE.*" \
# nokeepalive ssl-unclean-shutdown \
# downgrade-1.0 force-response-1.0
# </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter

# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occurring on certain
# servers)

# php_value session.use_trans_sid 0
# php_value register_globals 1

RewriteCond %{HTTP_REFERER} !^http://mysubdomainsite.co.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mysubdomainsite.co.uk$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mysite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mysite.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysubdomainsite.co.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysubdomainsite.co.uk$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com$ [NC]
RewriteCond %{HTTP_REFERER} !^https://mysubdomainsite.co.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://mysubdomainsite.co.uk$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.mysubdomainsite.co.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.mysubdomainsite.co.uk$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

 

As far as I can work out, all these RewriteCond lines and the RewriteRule are a consequence of my having hotlink protection on in cPanel; without them no images are displayed.

 

Ken




I'd agree with Chris here: stock osC does not have a .htaccess file in catalog/includes, which is where your gateway should be coming back to.

 

 

There is one similar to what you describe in admin/includes, which should not affect payment modules.


My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here, but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.


Thanks Julian

 

Just to confirm what you and Chris are saying.

 

A standard v2.3.1 install has no .htaccess file within the "root" or "catalogue"/includes folder.

 

So, if one is there, then I or someone else must have created it?

 

thanks

 

Ken




Stock osCommerce 2.3.1 does have the .htaccess file you posted. This is good protection for the includes/ directory and its subdirectories. It will obviously block any attempt to execute a file in those directories, including your card processor's callback file. The proper solution would be to move the processor's callback file to the root and change any links that point to it. This is probably going to be a bit difficult. A workaround would be to put a .htaccess file in the directory containing the callback file that would allow access to that file. That's a minor security risk, but much better than leaving the entire includes directory unprotected.

 

# placed in the directory holding the gateway's callback file, which this thread names callback.php
<Files callback.php>
Order Deny,Allow
Allow from all
</Files>

 

Regards

Jim


See my profile for a list of my addons and ways to get support.


Thanks Jim

 

Will try the .htaccess in the appropriate folder.

 

Ken




Stock osCommerce 2.3.1 does have the .htaccess file you posted.

 

Regards

Jim

 

 

My apologies to the OP for the misinformation - just checked again and it does - thank you Jim for the correction




No problem Julian, God knows I wouldn't have a clue without all the help you guys give.

 

Jim, your solution works, thanks very much.




Jim, also tried replacing

 

Allow from All

 

with

 

Allow from Cardsave's IP addresses

 

that also works

 

thanks

 

Ken




That's better security than what I posted. Glad to hear you got it working.

 

Please consider posting a fix to the Cardsave addon, or let the author know about the fix.

 

Regards

Jim



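As an added illustration (not code from this thread or from osCommerce), the Python model below reproduces how Apache 2.2's mod_authz_host evaluates Order/Allow/Deny and how a `<Files>` section in a child .htaccess replaces the parent's for the same file, then checks what Jim's per-directory override and Ken's IP-restricted variant actually expose. The addresses and directory layout are constructed; the caveat it demonstrates is that the override section needs its own `Deny from all`, because with `Order Deny,Allow` and no Deny line the default is to admit everyone, whatever the Allow line says.

```python
import fnmatch
import ipaddress

def _matches(rules, ip):
    """True if ip matches any 'Allow from'/'Deny from' argument ('all' or an address/CIDR)."""
    addr = ipaddress.ip_address(ip)
    return any(r == "all" or addr in ipaddress.ip_network(r, strict=False) for r in rules)

def decide(section, ip):
    """Apache 2.2 mod_authz_host: Order Deny,Allow starts allowed, a Deny match forbids and a
    later Allow match re-permits; Order Allow,Deny starts denied and a Deny match always wins."""
    denied, allowed = _matches(section["deny"], ip), _matches(section["allow"], ip)
    if section["order"] == "deny,allow":
        return not denied or allowed
    return allowed and not denied

def effective_section(htaccess_files, request_path):
    """Walk .htaccess files from parent to child; mod_authz_host has no merge function, so the
    last <Files> section whose pattern matches the requested file replaces all earlier ones."""
    name, chosen = request_path.rsplit("/", 1)[-1], None
    for directory, section in htaccess_files:
        if request_path.startswith(directory) and fnmatch.fnmatch(name, section["files"]):
            chosen = section
    return chosen

def is_allowed(htaccess_files, request_path, ip):
    section = effective_section(htaccess_files, request_path)
    return True if section is None else decide(section, ip)

# Constructed sample (placeholder addresses from the documentation ranges, not Cardsave's real IPs).
GATEWAY_IP, OTHER_IP = "203.0.113.10", "198.51.100.7"
CALLBACK = "includes/modules/payment/cardsave_redirect/callback.php"
# The thread's includes/.htaccess: deny every outside request for *.php below includes/.
INCLUDES = ("includes/", {"files": "*.php", "order": "deny,allow", "deny": ["all"], "allow": []})
# Override in the callback directory, narrowed to the gateway address AND re-stating Deny from all;
# because the child section replaces the parent's, an override without its own Deny line admits everyone.
SAFE = ("includes/modules/payment/cardsave_redirect/",
        {"files": "callback.php", "order": "deny,allow", "deny": ["all"], "allow": [GATEWAY_IP]})
LEAKY = ("includes/modules/payment/cardsave_redirect/",
         {"files": "callback.php", "order": "deny,allow", "deny": [], "allow": [GATEWAY_IP]})

if __name__ == "__main__":
    for label, cfg in (("safe override", [INCLUDES, SAFE]), ("override without Deny", [INCLUDES, LEAKY])):
        for path, ip in ((CALLBACK, GATEWAY_IP), (CALLBACK, OTHER_IP), ("includes/application_top.php", OTHER_IP)):
            print(f"{label:22} {ip:14} {path}: {'allowed' if is_allowed(cfg, path, ip) else 'forbidden'}")
```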

Jim

 

I don't think there is a cardsave addon, I got the files and instructions from their website and have informed them of the fix.

 

 

Ken




Excuse me for interrupting,

 

Could this htaccess file or files have anything to do with the sales not being listed in admin/customers/orders? I'm using 2checkout.com as my payment module. It runs through a sale just fine, but the orders never show up, so I have no clue what the customer ordered if it contains any attributes, and I can't print a packing slip or an invoice.

 

I've been pulling my hair out trying to figure out why this is failing to report the info needed. I've confirmed with my host it's not the suhosin.get.max_value_length.

 

I've installed a new 2.3.1 right from the download and entered all info to make the sales work. A fresh install, still the same problem. I've tried removing the htaccess files as mentioned above; same problem.

 

Any other ideas as to why this is happening? Could it be that osC and 2co are in test mode?


This is one cause for Cardsave not returning to complete the order. If you have removed the .htaccess file in the catalog/includes/ directory and it still doesn't work, you have a different problem. Once you solve the other problem, you will still have this one, so it's a good idea to make these changes now.

 

Regards

Jim




This is one cause for Cardsave not returning to complete the order. If you have removed the .htaccess file in the catalog/includes/ directory and it still doesn't work, you have a different problem. Once you solve the other problem, you will still have this one, so it's a good idea to make these changes now.

 

Regards

Jim

 

 

Thanks Jim, I'll keep it in mind.
