
Secure 2.3.1


oscbeginner99


I have used my Hostgator cpanel to password protect the admin directory.

 

This evidently does not work. I cannot login.

 

After lengthy effort from the host, they finally removed password protection from the admin directory so that I can log in.

 

What options are available to secure 2.3.1 version?

Are procedures different from the older versions?

 

Thank you in advance


2.31 has a "built-in" htaccess password system for admin...

Go to "Administrators" in your shop's admin and follow the instructions given there.


> 2.31 has a "built-in" htaccess password system for admin...
>
> Go to "Administrators" in your shop's admin and follow the instructions given there.

 

 

Thank you for your response. I have now looked at the Administrators area and see:

 

The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:

 

" /home/zappersu/public_html/catalog/admin/.htaccess

/home/zappersu/public_html/catalog/admin/.htpasswd_oscommerce

 

Reload this page to confirm if the correct file permissions have been set."

 

I must be missing something simple, but I do not see the files in the admin directories.

 

Do I have to create them somehow?


Not in the shop's admin. Go to the file manager in your hosting control panel; there you should be able to see them and set the correct permissions.


> Not in the shop's admin. Go to the file manager in your hosting control panel; there you should be able to see them and set the correct permissions.

 

Yes, I am looking through the cpanel and do not see those 2 files in the admin folder.......


Brad, you should be able to use your cPanel to password protect the admin BUT user name and Password MUST be the same as your admin login

My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here, but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary


> Brad, you should be able to use your cPanel to password protect the admin BUT user name and Password MUST be the same as your admin login

 

That is very interesting.....I would have thought that you should use a different pass and user.

But what about changing the permissions on the files that I can not see?

 

1. public_html/catalog/admin/.htaccess

2. public_html/catalog/admin/.htpasswd_oscommerce


> That is very interesting.....I would have thought that you should use a different pass and user.

Yes it is - many others have voiced the same opinion - tell the core coders :rolleyes: :rolleyes:

 

If you manage to get the osC .htaccess protection working that is exactly what it will do - produce .htaccess protection with the same username and password

 

> But what about changing the permissions on the files that I can not see?
>
> 1. public_html/catalog/admin/.htaccess
>
> 2. public_html/catalog/admin/.htpasswd_oscommerce

 

 

In your cPanel file manager do you have a check box to show hidden files?


> Yes it is - many others have voiced the same opinion - tell the core coders :rolleyes: :rolleyes:
>
> If you manage to get the osC .htaccess protection working that is exactly what it will do - produce .htaccess protection with the same username and password
>
> In your cPanel file manager do you have a check box to show hidden files?

 

Thank you Xpajun,

I was not aware that these would be hidden files. Thank you very much...now I changed these to 777 and I hope that this is correct.


  • 5 months later...

> Thank you Xpajun,
>
> I was not aware that these would be hidden files. Thank you very much...now I changed these to 777 and I hope that this is correct.

Why must they be writable after being changed? When I change back to 655 it again says "the following files need to be writable by the web server to enable the htaccess/htpasswd security layer:" but 655 must be better than 777? So now I have 655 and have to log in 2 times; that must be more secure than 777, right or not?


Can someone tell me the proper permissions for the two .htaccess files? I must be missing something...

 

I keep getting:

Error Additional Protection With htaccess/htpasswd
This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.
The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:
/home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htaccess
/home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htpasswd_oscommerce
Reload this page to confirm if the correct file permissions have been set.

 

I've removed the .htpasswd_oscommerce file

Within my control panel I've added a username and password (same as admin) for my admin folder.

I've also tried a ton of different permission combinations and no luck...


> Can someone tell me the proper permissions for the two .htaccess files? I must be missing something...
>
> I keep getting:
>
> Error Additional Protection With htaccess/htpasswd
> This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.
> The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:
> /home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htaccess
> /home/ZZZZZZ/public_html/catalog/ZZZZZZ/.htpasswd_oscommerce
> Reload this page to confirm if the correct file permissions have been set.
>
> I've removed the .htpasswd_oscommerce file
>
> Within my control panel I've added a username and password (same as admin) for my admin folder.
>
> I've also tried a ton of different permission combinations and no luck...

It works if you change to 777


You cannot use your host's control panel to set the .htaccess protection unless you remove all of the access protection code from the osCommerce admin. Remove the protection in your host's control panel, restore the file you deleted, set the permissions as instructed in your Admin, and follow the rest of those instructions.

 

Regards

Jim

See my profile for a list of my addons and ways to get support.


> Why must they be writable after being changed? When I change back to 655 it again says "the following files need to be writable by the web server to enable the htaccess/htpasswd security layer:" but 655 must be better than 777? So now I have 655 and have to log in 2 times; that must be more secure than 777, right or not?


I guess it will allow you to change your password in the future?

 

666 is generally the writable setting for files.


SOLUTION!

So after messing with the permissions more, I got a 500 Error and was no longer able to access the admin side of osCom. I deleted everything and started completely fresh.

 

Installation completed, no issues. Go into the admin and get the following error:

Error Additional Protection With htaccess/htpasswd
This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.
Enabling the htaccess/htpasswd security layer will automatically store administrator username and passwords in a htpasswd file when updating administrator password records.
Please note, if this additional security layer is enabled and you can no longer access the Administration Tool, please make the following changes and consult your hosting provider to enable htaccess/htpasswd protection:
1. Edit this file:
/home/zzzz/public_html/catalog/zzzz/.htaccess
Remove the following lines if they exist:
##### OSCOMMERCE ADMIN PROTECTION - BEGIN #####
AuthType Basic
AuthName "osCommerce Online Merchant Administration Tool"
AuthUserFile /home/zzzz/public_html/catalog/zzzz/.htpasswd_oscommerce
Require valid-user
##### OSCOMMERCE ADMIN PROTECTION - END #####
2. Delete this file:
/home/zzzz/public_html/catalog/zzzz/.htpasswd_oscommerce

This time, I clicked on my admin user > edit > put in same password and checked the protect with .htaccess > save.

Refresh pop-up comes up, input login info and error is gone!

 

The first time I just checked "protect with .htaccess..." and did NOT put a password in, because it says "New Password". I believe that was the root of all my issues.

I read the directions several times and they are a little lax with this one step. I would recommend adding a little more to say "insert same password in the 'New Password' field and check the protection" for those like me that thought the original password would stay if left blank.

 

.htaccess and .htpasswd_oscommerce are in my admin dir with permissions 644.

 

Thank you all for your help.


Hello.

 

I am having the problem described here, so I have been stepping through the advice given. I found the checkbox for hidden files, changed the permissions for the two .htaccess files, selected password protect from within filemanager and then got the same error message as ShallonCimelus. Only when I put in the same password I was no longer able to access the Administration Tool. I followed the instructions to delete the one and modify the other .htaccess file, which resulted in the original message.

 

I'm going around in circles and getting frustrated.

 

Before I found the checkbox for hidden files, I found a password protect thingy on the control panel and used it to password protect the admin directory. Although it doesn't seem to be working, there doesn't appear to be a way to unpassword protect the admin directory. Could it be preventing me from doing it the .htaccess way?

 

Should I delete the admin directory and reupload it from my local drive to try again, or is there something very simple and obvious that I am overlooking?

 

Joe


Hello.

 

I was able to solve my problem.

 

The information I needed was in Jim Keebaugh's post. First I figured out how to unpassword protect the admin from cpanel. Then I changed the permissions on both the .htaccess files and the admin directory. Then I used the security feature in Admin. This time there was a checkbox along with the request for a "new" password. I supplied the same username and password and checked the checkbox. It worked.

 

There are so many seemingly insignificant ways one can get things wrong while trying to get them right. The process for undoing password protection is an example. I watched the instructional video supplied by cpanel that showed the process for creating password protection. It didn't show how to undo it, so first I tried undoing it in the same sequence as doing it. That didn't work. But when I tried undoing it in reverse sequence, it did work!

 

There seem to be two competing methods for password protecting the admin. One calls for using cpanel, one for using admin. It can be tricky figuring out which method is right, and even more tricky to back out of the method that is wrong. Knowing that I needed to use the same password, not a new one, and that I had to change the permissions for the admin directory as well as for the .htaccess files was key, at least for me.

 

Joe
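
An added example, not part of the thread and not osCommerce code: a shell function that audits the two files discussed here, flagging world-writable modes such as 777 or 666 and a second Basic-auth block competing with the osCommerce-managed one. The finding labels and the sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not osCommerce code: audits the two files this thread is about.
# Finding labels (MISSING, WORLD_WRITABLE, ...) are invented for this example.

audit_admin_dir() (
  dir=$1
  found=0
  for name in .htaccess .htpasswd_oscommerce; do
    f="$dir/$name"
    if [ ! -f "$f" ]; then
      echo "MISSING $name"; found=1
    # -perm -0002 matches when the "other" write bit is set (666, 777, ...).
    elif [ -n "$(find "$f" -prune -perm -0002)" ]; then
      echo "WORLD_WRITABLE $name"; found=1
    fi
  done
  if [ -f "$dir/.htaccess" ]; then
    # Count AuthUserFile directives inside and outside the osCommerce markers.
    set -- $(awk '
      /OSCOMMERCE ADMIN PROTECTION - BEGIN/ { blk = 1 }
      /OSCOMMERCE ADMIN PROTECTION - END/   { blk = 0 }
      /^[ \t]*AuthUserFile[ \t]/ { if (blk) i++; else o++ }
      END { print i + 0, o + 0 }' "$dir/.htaccess")
    if [ "$1" -eq 0 ]; then echo "OSC_LAYER_NOT_ENABLED"; found=1; fi
    # A second auth block outside the markers competes with osCommerce's.
    if [ "$2" -gt 0 ]; then echo "COMPETING_AUTH_BLOCK"; found=1; fi
  fi
  if [ "$found" -eq 0 ]; then echo "OK"; fi
)

# Constructed sample: a panel-style auth block next to the osCommerce one.
demo=$(mktemp -d)
cat > "$demo/.htaccess" <<'EOF'
AuthType Basic
AuthName "Restricted Area"
AuthUserFile /home/zzzz/.htpasswds/example/passwd
Require valid-user
##### OSCOMMERCE ADMIN PROTECTION - BEGIN #####
AuthType Basic
AuthName "osCommerce Online Merchant Administration Tool"
AuthUserFile /home/zzzz/public_html/catalog/zzzz/.htpasswd_oscommerce
Require valid-user
##### OSCOMMERCE ADMIN PROTECTION - END #####
EOF
: > "$demo/.htpasswd_oscommerce"
chmod 644 "$demo/.htaccess"; chmod 777 "$demo/.htpasswd_oscommerce"
audit_admin_dir "$demo"   # reports the 777 file and the competing block
rm -rf "$demo"
```

A clean result corresponds to the state reported earlier in the thread: both files at 644 and only the osCommerce block in .htaccess.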


Archived

This topic is now archived and is closed to further replies.
