dennish Posted April 25, 2012

Hello,

As a non-security expert I (have to) presume that osC 2.3.1 is a safe trading platform, able to deal with common hacking threats like SQL injection. Going through the add-ons you encounter numerous extensions offering additional security. Most of them were developed for osC 2.2.

Can anyone tell me which of the contributions listed below should still be considered relevant for an osC 2.3.1 shop owner?

General
Security Pro http://addons.oscommerce.com/info/5752
Protect your site via htaccess http://addons.oscommerce.com/info/6066
ANTI Cross Site Scripting attacks http://addons.oscommerce.com/info/6044
SiteMonitor http://addons.oscommerce.com/info/4441
Check Permissions 1.0 http://addons.oscommerce.com/info/6134

FE
Secure your site with an IP trap http://addons.oscommerce.com/info/5914
"Anti Hacker Login (security) for osCommerce (AHL4osC)" http://addons.oscommerce.com/info/7580
Activation Code http://addons.oscommerce.com/info/5241

BE
Auto mysql backup http://addons.oscommerce.com/info/3100
Admin Account with Access Level http://addons.oscommerce.com/info/1174
fatFrog Security http://addons.oscommerce.com/info/7825

Please feel free to add suggestions for other add-ons if you think some essential item is missing or you have a better alternative.

Kind regards,
Dennis

Guest Posted April 25, 2012

@dennish

NONE of the above are essential. As of right now, there are no known vulnerabilities in v2.3.1. However, as a rule of thumb, I still install:

Security Pro http://addons.oscommerce.com/info/7708/v,23
ANTI Cross Site Scripting attacks http://addons.oscommerce.com/info/6044
Auto mysql backup http://addons.oscommerce.com/info/3100

JMO

Chris

pfrecon Posted April 27, 2012

There is a PHPIDS contrib that will help defend against SQLi and other attacks. http://www.oscommerce.com/community/contributions,8217/page,66

Possibly a great option you guys are overlooking. People that execute SQLi attacks actually use the PHPIDS demo as a smoke test for attacks before trying against systems they know to have IDS/IPS. The downside is there is no obscurity, the upside is that there is no obscurity.

Also recommend getting intimate with .htaccess and chmod, and give your logins strong passwords.

cstovin Posted April 29, 2012

I have a question related to htaccess... after my installation, when I click on the "administration" tab, it recommends that I use htaccess, but then says if I do, I can't access the admin panel...

"Enabling the htaccess/htpasswd security layer will automatically store administrator username and passwords in a htpasswd file when updating administrator password records. Please note, if this additional security layer is enabled and you can no longer access the Administration Tool, please make the following changes and consult your hosting provider to enable htaccess/htpasswd protection:"

So how do you make all the changes to your store if you can't access the admin panel anymore? Suggestions?

Please advise, I have never used .htaccess before. Thank you all.

C>

dennish Posted May 1, 2012

@ Chris

I have implemented Security Pro. The documentation states:

The XSS .htaccess contributions in my opinion are worthless if this is installed as they simply replicate a small part of what Security Pro does. The only exception to this that I could see was the REQUEST_METHOD and TRACE|TRACK.

Does this mean I can ignore the ANTI Cross Site Scripting attacks contribution?

Another contribution I find useful is:
Send eMail from admin-login when wrong provider http://addons.oscommerce.com/info/7323
to alert you of any unauthorised logins.

@ Charlene

Although the issue is strictly not part of this thread: the warning you're referring to is "in case of non-standard behavior". Normally, you can log in to the admin section after enabling the htaccess/htpasswd security layer.

Kind regards,
Dennis

hopper91 Posted July 7, 2012

Just like to know, does anyone know how to get access levels for different admins for osCommerce 2.3.1?

Thanks,
Andrew

Guest Posted July 7, 2012

@hopper91

You keep asking the same questions and receiving the same answer... UPDATE the contribution to function with v2.3.1. If you can't update it yourself, find someone to do it for you; it may cost you some money, but it will be done and you can then use it.

Chris

geoffreywalton Posted July 8, 2012

Have a look at os_sec

HTH

G

This topic is now archived and is closed to further replies.