Parikesit Posted April 23, 2003 Author
Nothing has changed here; please read the README file in the package. I am still preparing to release the update above in a new version.
recent contributions: mySQLi extension for osc 2.X, OPI: advanced image handling (ajax, thumbnail, watermark, etc), and other contributions all here
apodigm Posted April 23, 2003
This appears to work for me as well. I only have one concern... since you are specifying certain files which should not be checked, I wonder if we should let the administrator specify additional "non-check" files. I know in my website I have added several files from other contributions that shouldn't be checked. I have found that as long as I have those files associated with one of the side boxes (even if there is no link from that side box), it will get allowed. I'm just curious if there should be a way in the admin console to specify "allow/disallow" for these miscellaneous files. That may be something to add later.
apodigm Posted April 23, 2003
I thought about this feature to record bad login attempts. I had created a column in the database table and I wrote some code to increment it if the email address was correct but not the password. The problem is that I was resetting it as soon as the user properly logged in, so although I was capturing what might be useful data, it was reset before the administrator got a chance to view it. And then I started wondering how I would capture information when a hacker attempted to log in and didn't get the email address correct. So I abandoned the lock-down policy and records in the db.
However, my solution to tracking this is to create a logfile that can record failed attempts. This can record the IP address, date, time, etc. of any failed attempts. I'm borrowing from some code in the HTTP_Error contribution. I should have it ready in another day or two.
JG
deltablue Posted April 23, 2003
Hello All,
Is there a chance programming-challenged people like myself will ever see a log of changes to apply to files "Replace (or Change)" instead of making a comparison?
Thanks in advance
apodigm Posted April 23, 2003
Here are my instructions to implement the file logging or email for failed login attempts....

*****Run SQL script to add the options in configuration:

    INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) VALUES ('Store Admin Login Errors', 'STORE_ADMIN_LOGIN_ERROR', 'false', 'Store the results of admin login errors', '10', '6', 'tep_cfg_select_option(array(\'true\', \'false\'), ', now());

    INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, date_added) VALUES ('Admin Login Errors Log Destination', 'STORE_ADMIN_LOGIN_LOG', '/var/log/www/tep/http_error.log', 'Directory and filename of the admin login error log', '10', '7', now());

    INSERT INTO configuration (configuration_title, configuration_key, configuration_value, configuration_description, configuration_group_id, sort_order, set_function, date_added) VALUES ('Email Admin Login Errors', 'EMAIL_ADMIN_LOGIN_ERROR', 'false', 'Email Admin Login Error Report to Store Owner.', '12', '6', 'tep_cfg_select_option(array(\'true\', \'false\'), ', now());

******************************************************************************
***Add the following code to admin/login.php:
below:

    require('includes/application_top.php');

    function tep_admin_error_record($att_email='', $att_pass=''){
      // Send the Email to Store Owner
      if (EMAIL_ADMIN_LOGIN_ERROR == 'true') {
        tep_mail(STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, EMAIL_FAIL_TEXT_SUBJECT,
                 sprintf(EMAIL_FAIL_BODY, date("m/d/Y G:i:s"), getenv('REMOTE_ADDR'), getenv('HTTP_USER_AGENT'), getenv('HTTP_REFERER'), $att_email, $att_pass),
                 STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS, '');
      }
      // Save the Error Report to disk
      if (STORE_ADMIN_LOGIN_ERROR == 'true') {
        error_log(strftime(STORE_PARSE_DATE_TIME_FORMAT) . ',' . getenv('REMOTE_ADDR') . ',' . getenv('HTTP_USER_AGENT') . ',' . getenv('HTTP_REFERER') . ',' . $att_email . ',' . $att_pass . "\n", 3, STORE_ADMIN_LOGIN_LOG);
      }
    }

***Then add this line in the two places where the login fails:
add below:

    $HTTP_GET_VARS['login'] = 'fail';

    tep_admin_error_record($email_address,$password);

******************************************************************************
***Add the following lines to admin/includes/languages/english/login.php:

    define('EMAIL_FAIL_TEXT_SUBJECT','Login Fail Attempt');
    define('EMAIL_FAIL_BODY', '------------------------------------------------------' . "\n" .
      'Date/Time: %s.' . "\n" .
      'Remote IP Address: %s' . "\n" .
      'User Agent: %s' . "\n" .
      'Referer: %s' . "\n" .
      'Attempted Email Address: %s' . "\n" .
      'Attempted Password: %s' . "\n" .
      '------------------------------------------------------');

******************************************************************************
***Then you will need to update your configuration. The option to email on failed attempts will be in the Admin console under configuration in the "Email" group. The option to store the failed attempts in a logfile is found in the Admin console under configuration in the "Logging" group.

Emails and logfile will include the date/time, IP address, browser, page referrer, attempted email address, attempted password.

It is set to send the email to the store owner as defined in the configuration settings. However, for additional security, it may be wise to hardcode that setting to a special security email address.

enjoy!
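A variant of the logging step in the post above that keeps the attempted password out of the record and neutralises line breaks and delimiters in the request fields, since the user agent, referer and email address are all supplied by the client. This is an added example, not part of the original post or the contribution; the function names and the sample request values are hypothetical.

```php
<?php
// Added example (not from the contribution). Function names are hypothetical.

// Neutralise control characters (log injection), cap the length, and quote
// the value as a CSV field so one attempt always yields one parseable row.
function admin_log_field(?string $value, int $max = 200): string
{
    $value = (string) $value;
    // CR, LF, tabs and other control bytes become a visible marker.
    $value = preg_replace('/[\x00-\x1F\x7F]/', '?', $value);
    $value = substr($value, 0, $max);
    // CSV quoting: double any embedded quote, wrap the field in quotes.
    return '"' . str_replace('"', '""', $value) . '"';
}

// Build one log row. The attempted password is deliberately not a parameter:
// a mistyped real admin password should never reach disk or mail.
function admin_failed_login_row(array $server, string $attemptedEmail): string
{
    return implode(',', [
        admin_log_field(gmdate('Y-m-d\TH:i:s\Z')),
        admin_log_field($server['REMOTE_ADDR'] ?? ''),
        admin_log_field($server['HTTP_USER_AGENT'] ?? ''),
        admin_log_field($server['HTTP_REFERER'] ?? ''),
        admin_log_field($attemptedEmail),
    ]) . "\n";
}

// Constructed request: the User-Agent tries to forge a second log line.
$server = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => "Mozilla/5.0\n04/23/2003,10.0.0.1,ok,,admin@example.com",
    'HTTP_REFERER'    => 'https://shop.example/admin/login.php',
];
$row = admin_failed_login_row($server, 'admin@example.com');

// Only the terminating newline survives, so the forged row stays inside
// the quoted User-Agent field of a single record.
assert(substr_count($row, "\n") === 1);
echo $row;

// In admin/login.php the row would be appended the same way the post does:
// error_log($row, 3, STORE_ADMIN_LOGIN_LOG);
```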
ossi Posted April 23, 2003
I followed the readme file exactly.
Imported the SQL tables via phpMyAdmin: all OK.
Edited all the .php files in the Admin folder as described.
Now when I go to the admin folder I get:

Fatal error: Call to undefined function: tep_admin_check_login() in /home/www/mywebsite.com/wwwroot/catalog/admin/index.php on line 14

and line 14 is:

    <?php
    /*
      $Id: index.php,v 1.17 2003/02/14 12:57:29 dgw_ Exp $

      osCommerce, Open Source E-Commerce Solutions
      http://www.oscommerce.com

      Copyright © 2002 osCommerce

      Released under the GNU General Public License
    */

    require('includes/application_top.php');
    :arrow: tep_admin_check_login(basename($PHP_SELF));

What did I miss here?
Parikesit Posted April 23, 2003 Author
> Fatal error: Call to undefined function: tep_admin_check_login() in /home/www/mywebsite.com/wwwroot/catalog/admin/index.php on line 14...what did I miss here ?

Maybe you forgot to add the change to admin/includes/functions/general.php (the changes can be found in the package: general_php)
zaenal
Parikesit Posted April 23, 2003 Author
ADMIN ACCOUNT with ACCESS LEVEL for osCommerce's Administration Tool
Version: 1.2
Download here: http://www.oscommerce.com/community/contributions,1174

Cuts install time by moving "tep_admin_check_login();" to admin/includes/application_top.php

Changelog
Version 1.2, 24 Apr 2003
- Move "tep_admin_check_login();" to admin/includes/application_top.php
- Regarding the point above, we made a little change to function tep_admin_check_login() in admin/includes/functions/general_php
- Bug fixed: tep_mail (send email) for password_forgotten.php
- Small change to the email text that is sent on create account and password forgotten -- as suggested by Don.

Discussion
Please don't send me email; just send comments and questions to this forum.
Parikesit Posted April 23, 2003 Author
Hi,
If adding any other contribution to the files below, it's safe to replace the files. But if you have added changes to one of those files, you have to compare that file.
- admin: index.php
- admin/includes: column_left.php
- admin/includes: header.php
- admin/includes: stylesheet.css
- admin/includes/boxes: catalog.php
- admin/includes/boxes: customers.php
- admin/includes/boxes: localization.php
- admin/includes/boxes: report.php
- admin/includes/boxes: taxes.php
- admin/includes/boxes: report.php
- admin/includes/boxes: tools.php

> Hello All,
> Is there a chance programming-challenged people like myself will ever see a log of changes to apply to files "Replace (or Change)" instead of making a comparison?
> Thanks in advance
Parikesit Posted April 23, 2003 Author
Sorry.. I mean:
If you have not made any changes to the files below before, it's safe to replace the files. But if you have added changes to one of those files, you have to compare that file.

> Hi,
> If adding any other contribution to the files below, it's safe to replace the files. But if you have added changes to one of those files, you have to compare that file.
Parikesit Posted April 23, 2003 Author
Hi,
I need some rest for a few days.
dwbrown Posted April 24, 2003
> ADMIN ACCESS with LEVEL for osCommerce's Administration Tool
> Version: 1.1
> Released under the GPL
>
> Description
> Access to Administration Tool with access level for each admin member. This will only work with CVS2 and MS1 (see changelog below to see when the last update was made).
>
> Feature
> - Login box, password forgotten and logoff account
> - Create/edit/delete admin account with group
> - Create/edit/delete groups
> - Define boxes and files permission for each groups
> - Add/remove boxes and files
> - My Account: edit admin account
> - Automatic display accessed boxes and files (Left Menu)
> - Email notification when create admin account

Hello,
I have installed Admin Account /w Access and all seems as if it has installed OK. No glaring error messages. Invoking the admin url: https://localhost/admin invokes login.php as expected. However, no response can be gotten from the system. Both right and wrong email-address and password with subsequent clicking of the confirm button only redraws the login screen with new empty input dialogs for email-address and password. Clicking on the password_forgotten.php link: Password Forgotten? is ignored and the login.php screen is redrawn w/o any error messages or logs to inspect.
If you can suggest a diagnostic please advise,
David Brown.
jaysin Posted April 25, 2003
This is the email I am getting for new signup or password forgotten:
subject: ADMIN_EMAIL_SUBJECT
Text: ADMIN_EMAIL_TEXT
Where do we define the above?
When we set up a new member he gets an email with password -hidden-
Is there any way we define, so he can actually get the password :roll:
Parikesit Posted April 29, 2003 Author
Hi,
The answer is in this thread. Please search. Anyway, if I don't forget, this bug has been fixed in the new version.
Wassalam,
zaenal

> This is the email I am getting for new signup or password forgotten:
> subject: ADMIN_EMAIL_SUBJECT
> Text: ADMIN_EMAIL_TEXT
> Where do we define the above?
> When we set up a new member he gets an email with password -hidden-
> Is there any way we define, so he can actually get the password :roll:
jaysin Posted April 30, 2003
Missed that one :oops:
Thanks
DonH Posted May 6, 2003
Did anyone find the fix for this problem?

> Hi,
> The answer is in this thread. Please search. Anyway, if I don't forget, this bug has been fixed in the new version.
> Wassalam,
> zaenal
>
> > This is the email I am getting for new signup or password forgotten:
> > subject: ADMIN_EMAIL_SUBJECT
> > Text: ADMIN_EMAIL_TEXT
> > Where do we define the above?
> > When we set up a new member he gets an email with password -hidden-
> > Is there any way we define, so he can actually get the password :roll:
DonH Posted May 7, 2003
This is the email I am getting for new signup, editing or password forgotten.
subject: ADMIN_EMAIL_SUBJECT
Text: ADMIN_EMAIL_TEXT
I have read through this thread and have tried anything I could find... To no avail. The problem still happens.
I added the send mail on login failure and it worked fine. But anything from the ADMIN only sends the above???
Is the answer in this thread and I keep missing it? Does anyone know how to solve this problem? I asked the author, and he only referred me to this thread.
emiliano Posted May 8, 2003
Hi, I have a problem, maybe someone could help me.. after installing the contrib I get this:

Warning: Failed opening 'includes/functions/sessions_mysql.php' for inclusion (include_path='.;c:\php4\pear') in admin\includes\functions\administrators.php on line 72
Warning: Cannot add header information - headers already sent by (output started at admin\includes\functions\administrators.php:72) in admin\includes\functions\administrators.php on line 87

Then.. I went to admin\includes\functions\administrators.php and changed sessions_mysql.php to sessions.php; now the error is this:

Fatal error: Cannot redeclare _sess_open() (previously declared in admin\includes\functions\sessions.php:18) in admin\includes\functions\sessions.php on line 18

and I don't know what to do.. I'm using cvs
cheers
emiliano
patagonia, argentina
jaysin Posted May 8, 2003
Try recreating the session tables in MySQL.
Easy way by using phpMyAdmin.
emiliano Posted May 8, 2003
The osc session tables? Sorry.. but I never had this problem and I really don't know what to do.. if you could be more specific.. thanks anyway
cheers
emiliano
jaysin Posted May 9, 2003
I don't know if the same happened to you as it happened to me. When I used this contribution, after a few days, I got a message of expired sessions from MySQL. When I checked and tried to browse or repair, SQL gave me a message of Unknown table. I had the backup, so then I recreated the table session and it started working fine for me.
Hope this will help.
emiliano Posted May 9, 2003
I'm using cvs... and there are many new things referring to sessions and cookies.. I don't know how to deal with this..
cheers
emiliano
tkeats Posted May 11, 2003
> please put those images on a faster HOST because it takes about 15 +++ minutes to load them all, no its not my connection.(I download +500 Kb/s)

Only took me seconds... adsl 1.5 meg...
Thomas
A signature is something that reflects its user. - The dictionary
The question is not, 'to code, or not to code' the question is, 'if we do not code, are we really alive?' -- anonymous
tkeats Posted May 11, 2003
OK, I got it all installed, no problems. In fact, fixing some things helped me get phpMyAdmin installed even faster.
Now my problem: if I load up the admin/index.php and then indicate user 'Admin' and password 'admin' it reloads the same page and does not log me in. I have tried admin and Admin, admin@localhost and Admin@localhost, none seem to work. Have I missed something?
Thomas Keats
Edited December 22, 2003 by Johnson
Daemonj Posted May 11, 2003
I am unable to get past the login screen as well regardless of whether the information that I enter is correct or not. If it is not correct, there is no message indicating that something was wrong.
"Great spirits have always found violent opposition from mediocre minds. The latter cannot understand it when a man does not thoughtlessly submit to hereditary prejudices but honestly and courageously uses his intelligence." - A. Einstein