kenkja Posted April 8, 2011

Please accept my apologies if you think the following post should be within the add ons - payment modules forum, but it seems to me that it may be related to both.

A couple of months ago I began developing my 1st os-commerce site using v2.3.1, which was installed via my host's Fantastico installer (which may have been my first error). After installation, I first added all the security required by post 1 of the security forum and all seemed in order, followed by my SSL, languages, Year Make Model and so on. Then to the Payment Gateway: my UK retail store uses the UK company Cardsave so it seemed natural to go with them, especially as they have an oscommerce add on, however it just would not work. So after a few weeks of trying various options suggested by Cardsave's own "IT" dept, I decided to dump the whole site and re-install using the os-commerce install procedures. During the install I renamed the admin, used cPanel to password protect it and ensured that the admin was showing a correctly configured install, so all good so far.

I then added the Cardsave Payment module, yet again it would not work, the problem being the gateway could not access a file within the uploaded payment module which then leads back to the oscommerce site checkout success or checkout failure. At this point the appropriate file could not be browsed to, either; it resulted in

Forbidden
You don't have permission to access /includes/modules/payment/cardsave_redirect/callback.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request

Again after much to & fro with the Cardsave "IT" dept and no success, my host's IT identified the root/includes/.htaccess as the problem, as it contained the rule

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

effectively denying all access to .php files within root/includes from all outside sources (NB the file which the gateway requires is located within root/includes/modules/payment/cardsave_redirect/). So after the "deny from all", I added allow statements for the appropriate IPs for Cardsave and my own IP, and then tried to browse to the required file "includes/modules/payment/cardsave_redirect/callback.php", which was now not Forbidden and resulted in an error message "HashDigest, MerchantID, CrossReference or OrderID missing". This is the result Cardsave would expect to receive when the callback.php file is browsed to, and appears to make sense to me. So, it appeared to me that if my IP can find the callback.php, then so should the Cardsave IPs, but after trying another test purchase, the gateway is unable to return to my site. By way of check I then renamed root/includes/.htaccess to disable it, ran another test transaction and it worked correctly. It's fair to say I'm now a little baffled; the obvious answer is that the allowed IPs for Cardsave are incorrect, but they are not. Cardsave's answer is to permanently disable the root/includes/.htaccess, so that the gateway then works, however that would then leave the files/folders within root/includes open to outside access.

Any clues anyone??

Ken

Os-commerce v2.3.3 Security Pro v11 Site Monitor IP Trap htaccess Protection Bad Behaviour Block Year Make Model Document Manager X Sell Star Product Modular Front Page Modular Header Tags
Guest Posted April 8, 2011

Ken, this code in .htaccess is for the IMAGES directory ONLY

<Files *.php>
Order Deny,Allow
Deny from all
</Files>

A default root .htaccess file looks like this:

# $Id$
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' with also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter

# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occuring on certain
# servers)

# php_value session.use_trans_sid 0
# php_value register_globals 1

Chris
kenkja Posted April 8, 2011 Author

Hi Chris, thanks for your prompt reply.

Maybe I'm missing something here but the .htaccess which appears to be causing the problem is not the one within the root, it is within the root/includes folder and currently is

# $Id$
#
# This is used with Apache WebServers
# The following blocks direct HTTP requests in this directory recursively
#
# For this to work, you must include the parameter 'Limit' to the AllowOverride configuration
#
# Example:
#
#<Directory "/usr/local/apache/htdocs">
#  AllowOverride Limit
#
# 'All' with also work. (This configuration is in your apache/conf/httpd.conf file)
#
# This does not affect PHP include/require functions
#
# Example: http://server/catalo...ication_top.php will not work

<Files *.php>
Order Deny,Allow
Deny from all
Allow from "Cardsave IP"
Allow from "Cardsave IP"
</Files>

In so far as I know, I didn't add this .htaccess to root/includes; all I've done is add the 2 allow statements (I've overwritten the actual IPs with the text within the quotes for the post).

The root .htaccess is now

RewriteEngine on
# $Id$
#
# This is used with Apache WebServers
#
# For this to work, you must include the parameter 'Options' to
# the AllowOverride configuration
#
# Example:
#
# <Directory "/usr/local/apache/htdocs">
#   AllowOverride Options
# </Directory>
#
# 'All' with also work. (This configuration is in the
# apache/conf/httpd.conf file)

# The following makes adjustments to the SSL protocol for Internet
# Explorer browsers

#<IfModule mod_setenvif.c>
#  <IfDefine SSL>
#    SetEnvIf User-Agent ".*MSIE.*" \
#             nokeepalive ssl-unclean-shutdown \
#             downgrade-1.0 force-response-1.0
#  </IfDefine>
#</IfModule>

# If Search Engine Friendly URLs do not work, try enabling the
# following Apache configuration parameter

# AcceptPathInfo On

# Fix certain PHP values
# (commented out by default to prevent errors occuring on certain
# servers)

# php_value session.use_trans_sid 0
# php_value register_globals 1

RewriteCond %{HTTP_REFERER} !^http://mysubdomainsite.co.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mysubdomainsite.co.uk$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mysite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mysite.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysubdomainsite.co.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysubdomainsite.co.uk$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com$ [NC]
RewriteCond %{HTTP_REFERER} !^https://mysubdomainsite.co.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://mysubdomainsite.co.uk$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.mysubdomainsite.co.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.mysubdomainsite.co.uk$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

As far as I can work out, all these RewriteCond & the RewriteRule are a consequence of me having Hotlink protection on in cPanel, and without them no images are displayed.

ken
Xpajun Posted April 10, 2011

I'd agree with Chris here; stock osC does not have a .htaccess file in catalog/includes, which is where your gateway should be coming back to. There is one similar to what you describe in admin/includes, which should not affect payment modules.

My store is currently running Phoenix 1.0.3.0. I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 ). I used to have a list of add-ons here but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.
kenkja Posted April 10, 2011 Author

Thanks Julian. Just to confirm what you and Chris are saying: a standard v2.3.1 install has no .htaccess file within the "root" or "catalogue"/includes folder. So, if one is there, then I or someone else must have created it?

thanks
Ken
♥kymation Posted April 10, 2011

Stock osCommerce 2.3.1 does have the .htaccess file you posted. This is good protection for the includes/ directory and its subdirectories. It will obviously block any attempt to execute a file in those directories, including your card processor's callback file.

The proper solution would be to move the processor's callback file to the root and change any links that point to it. This is probably going to be a bit difficult. A workaround would be to put a .htaccess file in the directory containing the callback file that would allow access to that file. That's a minor security risk, but much better than leaving the entire includes directory unprotected.

<Files cardsave.php>
Order Deny,Allow
Allow from all
</Files>

Regards
Jim

See my profile for a list of my addons and ways to get support.
kenkja Posted April 10, 2011 Author

Thanks Jim. Will try the .htaccess in the appropriate folder.

Ken
Xpajun Posted April 11, 2011

> Stock osCommerce 2.3.1 does have the .htaccess file you posted.
> Regards
> Jim

My apologies to the OP for the misinformation - just checked again and it does - thank you Jim for the correction.
kenkja Posted April 11, 2011 Author

No problem Julian, God knows I wouldn't have a clue without all the help you guys give.

Jim, your solution works, thanks very much.
kenkja Posted April 11, 2011 Author

Jim, also tried replacing "Allow from all" with "Allow from" Cardsave's IP addresses; that also works.

thanks
Ken
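The per-directory override that Jim proposed and Ken tightened, written out as an added example (this is not a file from the thread, from osCommerce or from Cardsave). It assumes the callback lives at includes/modules/payment/cardsave_redirect/callback.php as described above; the gateway addresses are placeholders from the 192.0.2.0/24 documentation range, and the Apache 2.4 branch is added for servers newer than the ones discussed in this thread.

```apache
# includes/modules/payment/cardsave_redirect/.htaccess  (added example)
#
# The parent includes/.htaccess denies direct requests to every *.php below
# it.  This file relaxes that rule for ONE file, callback.php, and only for
# the gateway's own source addresses.  Every other .php in this directory
# remains covered by the parent rule.
#
# 192.0.2.10 and 192.0.2.11 are placeholders: substitute the addresses the
# gateway publishes for its callbacks.

<Files callback.php>

    # Apache 2.4: mod_authz_core is present, use Require
    <IfModule mod_authz_core.c>
        Require ip 192.0.2.10 192.0.2.11
    </IfModule>

    # Apache 2.2 (the version in use in this thread): mod_authz_host syntax.
    # "Deny from all" first, then the explicit allow list, matching the
    # Order Deny,Allow evaluation the parent file already uses.
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 192.0.2.10
        Allow from 192.0.2.11
    </IfModule>

</Files>
```

Check it the same way the thread did: a request for callback.php from an address outside the list should still return 403 while a gateway test transaction completes. The allow list only limits who can reach the file; the "HashDigest, MerchantID, CrossReference or OrderID missing" check the script itself performs remains the integrity check on what the gateway sends.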
♥kymation Posted April 11, 2011

That's better security than what I posted. Glad to hear you got it working. Please consider posting a fix to the Cardsave addon, or let the author know about the fix.

Regards
Jim
kenkja Posted April 11, 2011 Author

Jim, I don't think there is a Cardsave addon; I got the files and instructions from their website and have informed them of the fix.

Ken
Nor-Cal Posted April 11, 2011

Excuse me for interrupting. Could this htaccess file or files have anything to do with the sales not being listed in the admin/customers/orders? I'm using 2checkout.com as my payment module. It runs through a sale just fine but the orders never show up, so I have no clue what the customer ordered if it contains any attributes, and can't print a packing slip or an invoice. I've been pulling my hair out trying to figure out why this is failing to report the info needed. I've confirmed with my host it's not the suhosin.get.max_value_length. I've installed a new 2.3.1 right from the download and entered all info to make the sales work. A fresh install... still the same problem. I've tried removing the htaccess files as mentioned above; same problem. Any other ideas as to why this is happening? Could it be the osC and 2co are in test mode?
♥kymation Posted April 12, 2011

This is one cause for Cardsave not returning to complete the order. If you have removed the .htaccess file in the catalog/includes/ directory and it still doesn't work, you have a different problem. Once you solve the other problem, you will still have this one, so it's a good idea to make these changes now.

Regards
Jim
Nor-Cal Posted April 12, 2011

> This is one cause for Cardsave not returning to complete the order. If you have removed the .htaccess file in the catalog/includes/ directory and it still doesn't work, you have a different problem. Once you solve the other problem, you will still have this one, so it's a good idea to make these changes now.
> Regards
> Jim

Thanks Jim.... I'll keep it in mind.