Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Products URL not working after security add-ons installed


Carbon_Fibre

Recommended Posts

Hello

 

I have an OSC 2.2 RC2A site installed. I'm using the Products URL field to link to pdf manuals located in another folder. Since I installed the add-ons suggested on this page (http://www.oscommerce.com/forums/topic/313323-how-to-secure-your-oscommerce-22-site/) i.e. Security Pro, Site Monitor, IP Trap and Anti-XSS as well as copied the .htaccess files from OSC 2.3 and copied them to this site.

 

But after this website, visitors are unable view these pdf documents. When clicked, the link directs back to index.php instead of the pdf document. (Note from the backend admin, if you view the product and click on the link, it works.)

 

I've tested it on another installation without the add-ons and that works. Obviously, something is blocking the pdf document from being opened and kicking it back to the home page. I have removed the Anti-XSS, but that didn't help.

 

Does anyone have any ideas which of the above add-ons it could be?

 

Thanks in advance :)

Link to comment
Share on other sites

@@Carbon_Fibre

 

Could be Security Pro but you haven't mentioned the link that is created so I can't make a definate judgement.

 

If I remember correctly the products url creates a redirection, this may introduce characters in the querystring which are not allowed by security Pro.

Link to comment
Share on other sites

@@Carbon_Fibre

 

Could be Security Pro but you haven't mentioned the link that is created so I can't make a definate judgement.

 

If I remember correctly the products url creates a redirection, this may introduce characters in the querystring which are not allowed by security Pro.

 

Thanks for the reply. Yes it is Security Pro. I followed Burt's suggestion

Link to comment
Share on other sites

@@Carbon_Fibre

 

Ok .. please bear in mind however that I don't recommend file exclusions unless they are absolutely necessary ( payment modules, shipping modules etc ).

 

redirect.php is now not protected .. it is trivial to simply create a link to the PDF files leaving security intact rather than excluding.

 

in my opinion redirect.php has the potential to be particulary dangerous .. instead of sending a URL via querystring it should have been a simple numeric key as an identifier.

Link to comment
Share on other sites

@@Carbon_Fibre

 

Ok .. please bear in mind however that I don't recommend file exclusions unless they are absolutely necessary ( payment modules, shipping modules etc ).

 

redirect.php is now not protected .. it is trivial to simply create a link to the PDF files leaving security intact rather than excluding.

 

in my opinion redirect.php has the potential to be particulary dangerous .. instead of sending a URL via querystring it should have been a simple numeric key as an identifier.

 

Okay noted. That makes sense.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...