burt

Updated Security Thread

84 posts in this topic

In 2.3.1 you do not need to do anything, as it is basically a secure package: to date there have been no serious security issues reported about it, other than the issue I raised somewhere else about malformed admin strings that could be used to coerce an admin into logging into their own site via the link. But that seems less of an issue than any of the previous security issues from earlier versions of osCommerce.

 

So is it safe to say that, "to date", a vanilla install of 2.3.1 is fine security-wise, with the exception of changing the admin section name and securing it via the standard htaccess method included in the admin section?

 

I have been reading through this thread and a few others lately and I'm just not sure what to think.

 

So far I have:

  • renamed my admin directory
  • password protected it with the supplied htaccess (with a strong password)
  • installed Security Pro for 2.3.1
  • will be installing Filesafe for 2.3.1 later today

Any other necessities or strong recommendations?


I am running osCommerce 2.2 RC2a. I thought I had applied all the fixes and security mods, but I think I missed this one...

 

Do I need to add this fix here?

http://forums.oscommerce.com/tracker/issue-26-oscommerce-hacker-issue/page__verfilter__2

 

In admin/includes/application_top.php, find

 

$current_page = basename($PHP_SELF);

and replace it with

 

$current_page = basename($_SERVER['SCRIPT_FILENAME']);


In both application_top.php files where it has the following:

 

// set php_self in the local scope
$PHP_SELF = ....

 

Make sure that the $PHP_SELF line reads as follows:

// set php_self in the local scope
$PHP_SELF = ( ( ( strlen( ini_get('cgi.fix_pathinfo' ) ) > 0 ) && ( ( bool ) ini_get('cgi.fix_pathinfo' ) == false ) ) || !isset( $HTTP_SERVER_VARS['SCRIPT_NAME' ] ) ) ? basename( $HTTP_SERVER_VARS[ 'PHP_SELF' ] ) : basename( $HTTP_SERVER_VARS[ 'SCRIPT_NAME' ] );

 

If you scroll to the bottom of the page you linked to, you will see that this is the actual fix for that specific issue. The other primary code change is to the code that governs the login process here.

 

Those are the two primary code changes needed to prevent the admin login bypass exploit. There are more code changes needed, but with at least those two you will secure your site code against the main exploit that has ravaged many tens of thousands of osCommerce sites running the older versions.

 

Read more about these two code changes here.

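The following is an added example, not code from this thread or from osCommerce, showing why the old $current_page = basename($PHP_SELF) derivation let the admin login bypass through and why the SCRIPT_NAME-based line quoted above closes it. The $_SERVER arrays are constructed by hand to mimic what Apache/mod_php populates for a normal request and for a request with a PATH_INFO suffix; the function names are mine. FILENAME_LOGIN is the real osCommerce constant name.

```php
<?php
// Added example, not osCommerce code: compares the pre-fix and post-fix way
// of deriving the current admin page and runs both through the admin gate.

define('FILENAME_LOGIN', 'login.php'); // real osCommerce constant name

// Pre-fix derivation (2.2 RC2a): PHP_SELF = SCRIPT_NAME + PATH_INFO, so a
// client can append "/login.php" to any admin URL and control the basename.
function current_page_vulnerable(array $server): string {
    return basename($server['PHP_SELF']);
}

// Post-fix derivation: SCRIPT_NAME is the script the web server actually
// mapped, without PATH_INFO, so a URL suffix cannot rename the page.
// (The quoted fix falls back to PHP_SELF only when cgi.fix_pathinfo is
// explicitly off or SCRIPT_NAME is unset, where SCRIPT_NAME is unreliable.)
function current_page_fixed(array $server): string {
    return basename($server['SCRIPT_NAME']);
}

// The admin gate from application_top.php reduced to its decision:
// without an admin session, only the login page may be served.
function admin_gate_allows(string $current_page, bool $has_admin_session): bool {
    return $has_admin_session || $current_page === FILENAME_LOGIN;
}

// Defence in depth (my addition): flag any admin URL carrying a PATH_INFO
// suffix after a .php script, whatever the page name resolves to.
function request_has_php_path_info(array $server): bool {
    $path = (string) parse_url($server['REQUEST_URI'], PHP_URL_PATH);
    return (bool) preg_match('#\.php/#i', $path);
}

// Constructed requests, not captured traffic.
$requests = [
    'normal' => [
        'REQUEST_URI' => '/admin/categories.php',
        'SCRIPT_NAME' => '/admin/categories.php',
        'PHP_SELF'    => '/admin/categories.php',
    ],
    'bypass' => [
        'REQUEST_URI' => '/admin/categories.php/login.php',
        'SCRIPT_NAME' => '/admin/categories.php',
        'PATH_INFO'   => '/login.php',
        'PHP_SELF'    => '/admin/categories.php/login.php',
    ],
];

foreach ($requests as $label => $server) {
    $old = current_page_vulnerable($server);
    $new = current_page_fixed($server);
    printf("%-6s pre-fix page=%-15s %-8s | fixed page=%-15s %-8s | php path_info=%s\n",
        $label,
        $old, admin_gate_allows($old, false) ? 'ALLOWED' : 'redirect',
        $new, admin_gate_allows($new, false) ? 'ALLOWED' : 'redirect',
        request_has_php_path_info($server) ? 'yes' : 'no');
}
```

Run it with php from the command line. In the "bypass" row the pre-fix derivation resolves the page to login.php, so the gate lets categories.php execute with no admin session; the fixed derivation still sees categories.php and redirects. The REQUEST_URI check is the same idea as the ".php/login.php" test some posters add to application_top.php, generalised to any .php/ suffix.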

Hi Taipo,

I already have that code in both my application_top.php files, thanks for clearing this up for me. However, for

Fixing the admin login bypass exploit

I do not have this code in this file:

$redirect = true;

}


5. Rename /admin/ and htpasswd it {

2.3.1 and lower

a. if your admin area is located at /admin/, change it now by renaming it to something random and hard to guess, eg: /d9fne3ufvurjes%kep/

b. amend the file /includes/configure.php (in the newly renamed admin area) to reflect the new name (it should be very obvious where to amend that file!)

 

Ahhhh, I guess I am blind. I do not see any reference to my "admin" folder anywhere in this file.


Hi,

can someone point me to the definitive list of things I should do to secure a brand new 2.3.1 installation?

 

Which addons, and which things should I change?

 

I tried osCommerce about 4 years back, but that table layout almost made me kill myself. I see that the new version is CSS ready, so hopefully I can try again, but the contributions thing is also a problem.

 

I found it really annoying going through all those coded files replacing so many bits; I hope I don't have to do so many again.

Please advise on the 2.3.1 security procedures to make it strong and safe from hackers.

 

Thanks


I'm a bit of a newbie with osC 2.3.1, so I have a few security questions.

 

About '5. Rename /admin/ and htpasswd it' :

 

Have you changed the admin name in catalog/your_new_admin_folder/includes/configure.php?

 

define('HTTP_SERVER', ''); // eg, http://localhost or - https://localhost should not be NULL for productive servers
define('HTTP_CATALOG_SERVER', '');
define('HTTPS_CATALOG_SERVER', '');
define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
define('DIR_WS_CATALOG', '/catalog/');

 

change this to the new name of your admin folder

 

So is it enough to just rename the /admin/ directory and put the new name into the configure.php file within this new admin directory's /includes/? Or are there more places to set the new admin directory name?

 

Also, my configure.php files (both in catalog and in admin) are set to 644 instead of 444; should I change this immediately?

 

 

About '6. Remove references to (newly renamed) admin area in outgoing emails' :

 

I have tried to find out where in the emails this directory is mentioned, but no matter what I try, I can't see a reference to the admin directory. I've looked at the email's source with an OS X mail client. Is this issue still active in 2.3.1?

But what I do see is something like (envelope-from <deb3900000@xxxxx.nl>), which contains my FTP login name. Can this be a vulnerability?

 

 

Some things I do have already are:

- .htaccess files in most directories

- .htpasswd_osc file in the admin dir (but rights set to 664 because the rest is giving errors)

- adding "if (strpos($_SERVER['REQUEST_URI'], ".php/login.php") !== false) something something" to application_top.php in the admin dir

- set all directories to 755 instead of 777

- made sure the $PHP_SELF fix from this topic is added

 

Besides some IP / anti-brute-force filtering, what more can I secure?

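The "rename /admin/ and htpasswd it" steps discussed above (renaming the directory, updating DIR_WS_ADMIN in the admin's includes/configure.php, setting configure.php to 444, and Basic auth via .htaccess and .htpasswd_osc) are easy to half-finish. Below is an added example, not code from this thread or from osCommerce, that audits those steps against a shop tree. It builds a throwaway fixture in the system temp directory so it runs stand-alone; the fixture's contents, the function names and the admin directory name k3j9x2admin are constructed for the example, while the file and constant names (includes/configure.php, DIR_WS_ADMIN, .htaccess, .htpasswd_osc) are the ones the thread refers to.

```php
<?php
// Added example, not osCommerce code: audit a renamed admin directory.
// audit_admin_dir() returns a list of findings; an empty list means the
// steps from the thread all check out.

function audit_admin_dir(string $catalog_root, string $admin_dir_name): array {
    $findings  = [];
    $dir_name  = trim($admin_dir_name, '/');
    $admin_fs  = rtrim($catalog_root, '/') . '/' . $dir_name;
    $configure = $admin_fs . '/includes/configure.php';

    // 1. Still using the default, guessable name?
    if ($dir_name === 'admin') {
        $findings[] = 'admin directory still uses the default name "admin"';
    }

    // 2. DIR_WS_ADMIN in the admin configure.php must match the real directory.
    if (!is_file($configure)) {
        $findings[] = "missing $configure";
        return $findings;
    }
    $src = file_get_contents($configure);
    if (preg_match("/define\('DIR_WS_ADMIN',\s*'([^']*)'\)/", $src, $m)) {
        if (trim($m[1], '/') !== $dir_name) {
            $findings[] = "DIR_WS_ADMIN is '{$m[1]}' but the directory is '/$dir_name/'";
        }
    } else {
        $findings[] = 'DIR_WS_ADMIN not found in configure.php';
    }

    // 3. configure.php should be read-only (444), as advised in the thread.
    $perms = fileperms($configure) & 0777;
    if ($perms & 0222) {
        $findings[] = sprintf('configure.php is writable (mode %o), expected 444', $perms);
    }

    // 4. Basic auth: .htaccess must require a valid user and point at an
    //    existing password file.
    $htaccess = $admin_fs . '/.htaccess';
    if (!is_file($htaccess)) {
        $findings[] = 'no .htaccess in the admin directory';
        return $findings;
    }
    $ht = file_get_contents($htaccess);
    if (!preg_match('/^\s*AuthType\s+Basic/mi', $ht) || !preg_match('/^\s*Require\s+valid-user/mi', $ht)) {
        $findings[] = '.htaccess does not enforce Basic auth (needs AuthType Basic and Require valid-user)';
    }
    if (preg_match('/^\s*AuthUserFile\s+(\S+)/mi', $ht, $m)) {
        if (!is_file($m[1])) {
            $findings[] = "AuthUserFile {$m[1]} does not exist";
        }
    } else {
        $findings[] = '.htaccess has no AuthUserFile directive';
    }
    return $findings;
}

// Constructed fixture: a renamed admin directory where the rename was only
// half done (configure.php not updated, still mode 644).
function build_fixture(): array {
    $root  = sys_get_temp_dir() . '/osc_audit_' . bin2hex(random_bytes(4));
    $admin = 'k3j9x2admin'; // constructed name for the example
    mkdir("$root/$admin/includes", 0755, true);
    file_put_contents("$root/$admin/includes/configure.php",
        "<?php\ndefine('DIR_WS_ADMIN', '/admin/');\n");
    chmod("$root/$admin/includes/configure.php", 0644);
    file_put_contents("$root/$admin/.htaccess",
        "AuthType Basic\nAuthName \"Admin\"\nAuthUserFile $root/$admin/.htpasswd_osc\nRequire valid-user\n");
    // Apache 2.4's htpasswd accepts bcrypt entries; this is an example password.
    file_put_contents("$root/$admin/.htpasswd_osc",
        'admin:' . password_hash('example-password', PASSWORD_BCRYPT) . "\n");
    return [$root, $admin];
}

[$root, $admin] = build_fixture();
$findings = audit_admin_dir($root, $admin);
echo $findings ? "FINDING: " . implode("\nFINDING: ", $findings) . "\n" : "all checks passed\n";
```

Against the fixture it reports the stale DIR_WS_ADMIN and the writable configure.php. To check a live install, call audit_admin_dir() with the catalog root and the renamed admin directory name instead of build_fixture(); the catalog's own includes/configure.php does not reference the admin directory in 2.3.1, so the admin copy is the one that matters.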

Last night I changed the admin folder's name, and also made the change in configure.php and .htaccess; all runs well right now!

Also set permissions of the two configure.php to 444.

 

Step-by-step getting closer to a well-secured osc install ;)

 

 

Now I have an additional question: my shop is not installed in the root but in a subdirectory, something like root/webshop/.

Do I need to secure the root directory somehow? There are just a few files there: 404.shtml (also 400, 401, 500 and so on), an index.html (for my start page before entering the shop), some images for index.html, a google-site-verification HTML file and a robots.txt, but no .htaccess.
