
mdtaylorlrim

Admin Security


My 2.3.4 installation Configurations --> Administrators is complaining that I should have additional security with .htaccess and .htpasswd_oscommerce even though I am doing http authentication at the .conf file level.

 

Can anyone, or everyone, confirm that that is an erroneous statement and can be safely ignored?

 

I do get properly asked for a password when accessing the admin pages. Is it possible that the core code can be changed to check for authentication at the conf level in future releases?

 

 

 

Coming back to osCommerce after three years is daunting!

 

 

Mark

 


Community Bootstrap Edition, Edge

 

Avoid the most asked question. See How to Secure My Site and How do I...?


The new version has the login on the page, which is from the database, but it also has a popup login, which is the warning you see, that is handled by a file. If you want to have the additional login, then you should enable it from your control panel, not the admin option. Only because the admin option uses the same login as the on page one so the increase in security is not as great as if a different login was used for each. Also see this thread. Especially the part about forcing a secure connection.


Maybe I wasn't clear. I *DO* have extra security, but I do it at the OS level using the httpd.conf file and not with a .htaccess file. I have disabled .htaccess for security reasons.

 

I just wanted to be sure osCommerce wasn't seeing something I wasn't and see if that check could be included in future code, if it is even possible.

 

 

Mark



I don't understand what you mean by "check could be included" but if you mean to check the httpd.conf file, then you probably can't do that. If you have a dedicated server you may be able to but it would be a security issue, in my opinion. If you just want to check a setting in it, then that should be possible. Though it would not be a common thing for most sites and probably wouldn't be included as part of oscommerce because of that.

 

As for the code seeing something you aren't, it is just checking to see if a file is being used. It doesn't do any kind of security checking beyond that and a few minor things like file permissions.


As I recall, some of the "security checking" is simply looking to see if certain files (.ht*) were found in certain places. If you have extra logon/password working through other means (e.g., in httpd.conf), you can safely ignore the warning. It's a very simple-minded check that will falsely fail if you do anything minutely different.


If you are running the "official" osC 2.3.4 or 2.3.4.1 download, your installation is obsolete! Get (stable) Frozenpatches or (unstable) Edge. See also the naming convention and the latest community-supported responsive "Edge" release


Hi Jack, Mark, and Phil,

I could not find any forum on here that deals specifically with MySQL security. And, since you guys know a lot about OSC security, I figured I would ask here.  My site is an older version MS2.2

I recently noticed the STORE_ZONE field in MySQL was altered. The hack came from outside the site’s admin panel. I have several security layers to secure access to that admin area – much of what Jack mentioned in his other post regarding admin security steps.

The added entry was not a selection from the drop-down menu used to edit that field, which is based on my country’s code. I’m now looking for a solution to patch that hole.

So, I thought about revoking the rights to insert, update, delete that configuration table from the public. However, I am not sure if that will be enough or the right way to go, or if there is a better alternative. Something like this:

REVOKE INSERT, UPDATE, DELETE ON `configuration`.* FROM PUBLIC;

I’d love to know how the hack was executed and if I missed securing a form or some other entry point. However, at this time I think blocking all write access to that configuration table would likely work. Any help on this would be greatly appreciated.

 

 


osCommerce: made for programmers, ...because store owners do not want to be programmers.

https://trends.google.com/trends/explore?date=all&geo=US&q=oscommerce

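An added example (not from the thread or the osCommerce project) of the table-level least-privilege split Demitry is asking about, written for MySQL. The database name oscdb, the account names and the passwords are assumptions; the storefront table list is illustrative.

```sql
-- Added example, not code from the thread: split the single osCommerce database
-- account into a storefront account that can only READ `configuration` and an
-- admin account that can still write it. Names (oscdb, osc_catalog, osc_admin)
-- and passwords are assumptions; put each account in the matching configure.php.

-- MySQL grants privileges to named accounts, not to a PUBLIC group, so the
-- REVOKE ... FROM PUBLIC quoted in the thread has nothing to act on.

-- 1. Storefront account (includes/configure.php): read everything ...
CREATE USER 'osc_catalog'@'localhost' IDENTIFIED BY 'replace-with-a-long-random-password';
GRANT SELECT ON oscdb.* TO 'osc_catalog'@'localhost';

-- ... and write only the tables the public side legitimately changes.
-- Illustrative list; audit your own store's write paths before relying on it.
GRANT INSERT, UPDATE, DELETE ON oscdb.sessions               TO 'osc_catalog'@'localhost';
GRANT INSERT, UPDATE, DELETE ON oscdb.whos_online            TO 'osc_catalog'@'localhost';
GRANT INSERT, UPDATE, DELETE ON oscdb.customers              TO 'osc_catalog'@'localhost';
GRANT INSERT, UPDATE, DELETE ON oscdb.customers_info         TO 'osc_catalog'@'localhost';
GRANT INSERT, UPDATE, DELETE ON oscdb.address_book           TO 'osc_catalog'@'localhost';
GRANT INSERT, UPDATE, DELETE ON oscdb.customers_basket       TO 'osc_catalog'@'localhost';
GRANT INSERT, UPDATE, DELETE ON oscdb.orders                 TO 'osc_catalog'@'localhost';
GRANT INSERT, UPDATE, DELETE ON oscdb.orders_products        TO 'osc_catalog'@'localhost';
GRANT INSERT, UPDATE, DELETE ON oscdb.orders_status_history  TO 'osc_catalog'@'localhost';
GRANT INSERT, UPDATE, DELETE ON oscdb.orders_total           TO 'osc_catalog'@'localhost';
-- `configuration` is deliberately absent: a leaked storefront credential or an
-- injection in a public page can no longer rewrite STORE_ZONE.

-- 2. Admin account (admin/includes/configure.php), reachable only behind the
--    HTTP authentication discussed earlier in the thread.
CREATE USER 'osc_admin'@'localhost' IDENTIFIED BY 'replace-with-another-random-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON oscdb.* TO 'osc_admin'@'localhost';

-- 3. Verify. Connected as osc_catalog, the next statement must fail with
--    ERROR 1142 (UPDATE command denied to user) instead of changing the row.
UPDATE oscdb.configuration
   SET configuration_value = 'probe'
 WHERE configuration_key = 'STORE_ZONE';
SHOW GRANTS FOR 'osc_catalog'@'localhost';
```

A write the storefront still needs but no longer has will surface as a database error on the public page, so exercise checkout, account creation and reviews on the development server with the new account before switching production over.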

@Demitry

MS2.2 should not be used for any ecommerce store. It is out of date and insecure, far too dangerous. Instead of trying to plug holes in an ancient version of osCommerce (release date 2008, over 9 years ago!) you should install the latest up to date community version 2.3.4 Edge. It is modern, responsive, modular, and secure.

Do yourself (and your vulnerable customers) a favour: 

 


Let's make things easier for new osCommerce users http://forums.oscommerce.com/topic/402638-discussion-about-hard-coded-database-tables/?p=1718900  Getting there with osCommerce 2.4! :thumbsup:

On 2/24/2017 at 11:36 AM, mdtaylorlrim said:

Maybe I wasn't clear. I *DO* have extra security, but I do it at the OS level using the httpd.conf file and not with a .htaccess file. I have disabled .htaccess for security reasons.

I just wanted to be sure osCommerce wasn't seeing something I wasn't and see if that check could be included in future code, if it is even possible.

I *think* that the OP was asking, "If I set up additional security, such as password protection to the admin directory through my cPanel, can osC check that too, and not check just for .htaccess."

And, I think the answer is No.

Malcolm


Get the latest Responsive osCommerce CE (community edition) here .


Hi Frank,

Thank you for the reply. I would love to switch to the newer version of OSC, however, for me it would be starting from scratch again. My site is highly customized and unfortunately scrapping it is not an option at this time.

I realize that out of the box original MS2.2 is highly vulnerable to all sorts of hacks. However, I’ve installed many security features to protect it and with the daily hack attempts I get (the ones I see via the emails from the IPTrap add-on), this is the first time someone actually got through… and the only thing they were able to change is the STORE_ZONE field in the configuration table.

Do you know if there is a way to secure that configuration table from the public, like maybe using that SQL revoke statement I mentioned? Thank you in advance for your help with this.

 

 


21 hours ago, ArtcoInc said:

I *think* that the OP was asking, "If I set up additional security, such as password protection to the admin directory through my cPanel, can osC check that too, and not check just for .htaccess."

And, I think the answer is No.

There are many possible ways that hosting could set up additional security on an account or directory, so it would be unreasonable for an application such as osC to try to check them all. If the additional security works (e.g., you need to enter an ID and password), you're golden. Just ignore osC's complaints.

Now, certainly, osC could be greatly improved by simply adding to the security "error" message something like, You may have different or additional security measures installed and functioning. If you do, you can disregard this message.


7 hours ago, Demitry said:

Thank you for the reply. I would love to switch to the newer version of OSC, however, for me it would be starting from scratch again. My site is highly customized and unfortunately scrapping it is not an option at this time.

I realize that out of the box original MS2.2 is highly vulnerable to all sorts of hacks. However, I’ve installed many security features to protect it and with the daily hack attempts I get (the ones I see via the emails from the IPTrap add-on), this is the first time someone actually got through… and the only thing they were able to change is the STORE_ZONE field in the configuration table.

Do you know if there is a way to secure that configuration table from the public, like maybe using that SQL revoke statement I mentioned? Thank you in advance for your help with this.

I think that your pain will only increase as time goes by and you have to keep patching this ancient code to keep up with the latest threats. It's time for you to take a long, hard look at whether you would be better off biting the bullet and converting to 2.3.4BS Edge, and re-implementing/porting whatever changes you find necessary. It might merely look a lot harder than it really is! Eventually, you will become solely responsible for maintaining what will become your own fork of osC, as no one around will still be running 2.2 and be able to help you. It's always a bad idea to stick with very old software (and try patching) it, rather than periodically moving up to the current level. And be sure to keep written track of every add-on you install (and its purpose) and every custom tweak you make (and its purpose) to make finding updates for the next install that much easier.

Regarding securing the DB table, I think the first thing you need to do is find out how they got in and changed it. If someone has a backdoor, or Trojan code, or an SQL injection, or Query String PHP injection, you're simply closing the barn door after the horse got out. Could the hacker have gotten system passwords, perhaps through a password sniffer or keyboard logger? Scan your PC for malware, and then change every password you can think of, and preferably over a secure (https) link. Did you ever publicly expose your DB name and password? Don't forget to change at least the password.



Hi Phil,

Thank you for the reply. I am looking at the 2.3.4 BS Edge with responsive design. I’ll install it on my development server tomorrow and see how much work this switch-over entails. I do as much as I can myself, which means it will likely be pretty time-intensive.  

As far as patching the hole in the current MS2.2 version, I don’t know where the hack came from though I am sure it was not from access to the admin panel. The changed STORE_ZONE configuration field was not changed to a value that was any of the selections in the drop-down menu based on my country code.

I’d have to hire someone to do Pen Testing to find that vulnerability. I will change the database password though - that’s a good idea, thank you for that suggestion.

I did get rid of most eval() and eregi() throughout the site, but there are some other things and settings that I cannot get rid of because they break up the site. I think what I will do is just work with what I have and hope that no other intrusions happen. Meanwhile, I will build the new version on the development server.

It looks like 2.3.4 BS Edge is over 3 years old,.. is there a newer version coming out any time soon?

 

 



I trust you're not confusing 2.3.4BS Edge (available on GitHub) with the "official" 2.3.4 (available on download page). Edge started 3 or so years ago, but has been continuously developed and updated since then. Unfortunately, there's no release or version numbering with it to tell you how far behind you are with your version. Harald has promised that Edge will be officially released "real soon now" as 2.3.6 (2.3.5 is a patched 2.3.4), but given his past history on promised releases, I'm not holding my breath. You can either wait a bit to see when it appears, after seeing what work you will need to do on Edge, or just go ahead with Edge, and deal with 2.3.6 when it finally comes out (it should be a very small jump).



No, I downloaded it from GitHub. I think that's probably the latest version via updates and bug-fixes, right?

I assume that there will be an update to move to the 2.3.6 version once it is released, is that correct? If not, then I may wait a bit for it. Otherwise, I can start with this version and work on making it production ready.

 



The best thing about osCommerce 2.3.4BS is that it is highly modularised, so there is little need to touch core code when altering a store.

2.3.6 will be pretty much the same as 2.3.4BS (the one you downloaded) so you can start making modules for your new store ready to install on the new version when it's released. That will give you a big head start.



There had better be a smooth upgrade path from 2.3.4BS Edge to 2.3.6 or a mob with pitchforks and torches will descend upon HPDL. I have no idea how automated it will be, but the differences between the two should be quite small. Given the length of time between promised versions and when they actually appear, I would not wait around for 2.3.6 -- it may appear soon, or it could be years. Go ahead and work with Edge and see what happens when and if 2.3.6 comes out.



Frank, Phil, thank you both.

If that's the case and I can simply install my customized modules onto the new osC release, then that's perfect. With MS2.2 I've always felt like I am playing catch-up while unable to move to the next version. I even bumped it to PHP5.3, which is now ancient. I'll move forward with BS Edge, thanks again.

 

