This topic is now archived and is closed to further replies.

LeanderPL

Security in OsCommerce

Additional Protection With htaccess/htpasswd

This osCommerce Online Merchant Administration Tool installation is not additionally secured through htaccess/htpasswd means.

The following files need to be writable by the web server to enable the htaccess/htpasswd security layer:

  • /home/dcsstor1/public_html/shop/admin/.htaccess
  • /home/dcsstor1/public_html/shop/admin/.htpasswd_oscommerce

Reload this page to confirm if the correct file permissions have been set


This is in red on my Administration page in the backend. Anybody know how I can fix this?

 

Doug


It sounds like those files are not writable by the webserver. If you are using a file manager of some form, then find the method used in that manager to change the permissions of the files to writable; usually a file permission of 666 works. If you are using an FTP client, then follow the instructions of that particular client to adjust the file permissions to the point the server is able to write to the files, i.e. the error disappears; again, this will probably be a setting of 666.



I tried that and 444 and other combinations but no luck; the message is still there. Are there any other files that might need looking at to see if changes have been made?

 

Doug


Did you verify that the permissions actually changed? It's common for servers to silently ignore chmod requests by FTP browsers, so you end up not changing permissions. If so, use your hosting control panel to change permissions. Also confirm that you are the owner of the file, and not some other account. After that, possibly you're missing the correct file(s) -- did you ever change your "admin" to a different name? Are you installed under a different path? After that, permissions vary on what's needed for osC (via PHP) to write to a given file. 644 may work, 444 definitely will not. Go systematically, not at random. If osC can't write with 644, try 664. Only as last resort try 666, and restore to 644 when you're done with the operation (666 is a security hazard, as is 777).

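The systematic check described in the reply above, as an added example that is not part of the original thread: it reads the mode and owner actually on disk, then names the least-permissive mode the web server account needs. The account name passed as the second argument (`www-data` in the usage line) and the function names are assumptions, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (typical Linux hosting).

# needed_mode OWNER GROUP WEBUSER "WEBUSER_GROUPS"
# Least-permissive mode that lets WEBUSER write a file owned by OWNER:GROUP.
needed_mode() {
    if [ "$3" = "$1" ]; then echo 644; return; fi
    for g in $4; do
        if [ "$g" = "$2" ]; then echo 664; return; fi
    done
    echo 666
}

# grants_write MODE WANT: does MODE already carry the write bit WANT relies on?
grants_write() {
    m=${1#"${1%???}"}                  # keep the last three octal digits
    case $2 in
        644) d=${m%??} ;;              # owner digit
        664) d=${m#?}; d=${d%?} ;;     # group digit
        *)   d=${m#??} ;;              # other digit
    esac
    case $d in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# report FILE WEBUSER: print what is really on disk and what to set.
report() {
    if [ ! -e "$1" ]; then
        echo "$1: missing (renamed admin directory or different path?)"
        return 1
    fi
    mode=$(stat -c '%a' "$1")
    owner=$(stat -c '%U' "$1")
    group=$(stat -c '%G' "$1")
    want=$(needed_mode "$owner" "$group" "$2" "$(id -Gn "$2" 2>/dev/null)")
    if grants_write "$mode" "$want"; then state="writable"; else state="NOT writable"; fi
    echo "$1: mode=$mode owner=$owner group=$group: $state by $2, needs $want"
    if [ "$want" = 666 ]; then
        echo "  666 is world-writable: restore 644 once the file has been written"
    fi
}

# Usage: sh check.sh /home/dcsstor1/public_html/shop/admin/.htaccess www-data
if [ $# -eq 2 ]; then report "$1" "$2"; fi
```

Run it once per file named in the admin warning; if PHP runs under your own account, pass your own user name instead.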

I did verify the changes and I asked my hosting company. I own the file, or at least that's how I see it. I didn't change the file name or path. I have tried all combinations of permissions and still no luck.

 

doug
