
Permissions error message


peterr


Hi,

After installing osCommerce, I get this message at the top of the form

Warning: I am able to write to the configuration file: /home/username/public_html/catalog/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

The chmod was 644, which means only the owner can write, so the message is wrong.

Anyway, I searched and found that people have had to set it to 444, which I did from the FTP logs

Command: SITE CHMOD 444 /public_html/catalog/includes/configure.php
Response: 200 Permissions changed on /public_html/catalog/includes/configure.php

but the error message still appears at the top of the page when I go to try and use osC. The directory list from the FTP client still shows it as chmod 644 (...grrrhhh).

The includes path has a chmod of 755, is this the reason it won't let me change the chmod to 444 on configure.php ??

Peter


That deals with the version of PHP and some other setting on your host server; it has nothing to do with osCommerce. 644 is the typical for, I would say, 99% of the people. Just certain servers are not set up properly for PHP. Make sure it is 4.3.3 or higher.


Hi John,

That deals with the version of PHP and some other setting on your host server; it has nothing to do with osCommerce.

osCommerce is checking as follows

/catalog/includes/languages/english.php - line 307

define('WARNING_CONFIG_FILE_WRITEABLE', 'Warning: I am able to write to the configuration file: ' . dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.');

/catalog/includes/header.php - lines 20 - 25

// check if the configure.php file is writeable
  if (WARN_CONFIG_WRITEABLE == 'true') {
    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) {
      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
    }
  }

and from http://www.phpe.net/manual/function.is-writeable.php

is_writeable

(PHP 3, PHP 4)

is_writeable -- Tells whether the filename is writable

so the (error) message doesn't check if it is owner/group/public, only if it is writable, so writes would have to be turned off for all (o/g/p).

Therefore, the message is being sourced from osC, the fix is a 444 (or similar to remove writes), but, as you say, there is a problem at the hosting end, because I change it to 444 and it goes back to 644. :D

644 is the typical for, I would say, 99% of the people. Just certain servers are not set up properly for PHP. Make sure it is 4.3.3 or higher.

Yes, 644 is what I use for other PHP files on the same site, no problems with those PHP files. The version of PHP is 4.3.4

Arrghh, ... looks like a help desk ticket to the hosts. :)

Thanks,

Peter


Hi,

Just certain servers are not set up properly for PHP.

Yes, that was it, the following from the web hosts.

This is something that must be done by an administrator. I have set the file to CHMOD 444

Considering that I may have a number of installations of osC, I don't want to have to ask the tech guys to chmod the file (or others ??) every time. Considering the following code:

/catalog/includes/header.php - lines 20 - 25

// check if the configure.php file is writeable
  if (WARN_CONFIG_WRITEABLE == 'true') {
    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) {
      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
    }
  }

I assume there is a (system ?) setting somewhere to turn "WARN_CONFIG_WRITEABLE" on or off, or should I consider modifying the code to also check the permissions? This would make more sense, that is, only display the message if the group or public permissions were writable; certainly it makes no sense to me to have the message display if the owner has write permissions.

From http://au2.php.net/manual/en/function.fileperms.php

fileperms

(PHP 3, PHP 4)

fileperms -- Gets file permissions

Description

int fileperms ( string filename )

Returns the permissions on the file, or FALSE in case of an error.

There are some good examples there also, in the use of the function fileperms

Peter


Hi,

Not an elegant solution, but as I see absolutely no reason to chmod the file to a 444, I have made the following changes

/catalog/includes/header.php

// Following check commented out, was checking too "hard" on the permissions, and needed a 444 to remove warning message

// check if the configure.php file is writeable
//  if (WARN_CONFIG_WRITEABLE == 'true') {
//    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) {
//      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
//    }
//  }

// New code replacement, only issue warning msg if either world or group has write permissions

// full path of configure.php; fileperms() below needs it, so it has to be set here
$filename = dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php';

$world_group_write = '0';
if (file_exists($filename)) {          // fileperms() warns on a missing file, so check first
  if (fileperms($filename) & 2) {      // check for world write (octal 0002)
    $world_group_write = '1';
  }
  if (fileperms($filename) & 16) {     // check for group write (octal 0020)
    $world_group_write = '1';
  }
}

// check if the configure.php file is writeable, but only for world or group
if (WARN_CONFIG_WRITEABLE == 'true') {
  if (file_exists($filename)) {
    if ($world_group_write == '1') {
      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
    }
  }
}

// End of code replacement

It works, and I would consider it a bug in osC. :D

Peter


Hi,

Just a minor change, less code actually. :D

Replace this block of code ............

// New code replacement, only issue warning msg if either world or group has write permissions

$filename = dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php';

$world_group_write = '0';
if (file_exists($filename)) {
  if (fileperms($filename) & 2) {      // check for world write (octal 0002)
    $world_group_write = '1';
  }
  if (fileperms($filename) & 16) {     // check for group write (octal 0020)
    $world_group_write = '1';
  }
}

with this ............

// New code replacement, only issue warning msg if either world or group has write permissions

$filename = dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php';

$world_group_write = '0';
// check for either world write or group write (2 = world write, 16 = group write)
// The value of 18 has two bits set. If either of those bits remain set in the result value, it will be non-zero.
if (file_exists($filename) && (fileperms($filename) & 18)) {
  $world_group_write = '1';
}

Peter
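The distinction Peter draws above, between is_writeable() answering "can this process write the file" and the fileperms() mask answering "do the group or world write bits exist", can be seen directly with a small script. This is an added example, not code from the thread or from osCommerce. It assumes a POSIX filesystem and a writable temp directory (chmod bits mean nothing on Windows/IIS); the helper name group_or_world_writable() and the constant GROUP_OR_WORLD_WRITE are mine.

```php
<?php
// Added example (not osCommerce code): compare PHP's is_writable() with the
// group/world permission-bit check proposed in this thread.
// Assumes a POSIX filesystem and a writable temp directory.

// Same mask as in the thread: octal 0002 = world write, 0020 = group write,
// 0022 = decimal 18.
define('GROUP_OR_WORLD_WRITE', 0022);

// True only when the group or world write bit is set on $path.
// A missing file, or fileperms() returning false, counts as "not flagged",
// which is also what the osCommerce file_exists() guard achieves.
function group_or_world_writable($path)
{
    if (!file_exists($path)) {
        return false;
    }
    $perms = fileperms($path);
    if ($perms === false) {
        return false;
    }
    return ($perms & GROUP_OR_WORLD_WRITE) !== 0;
}

// Constructed test file: created in the temp dir, cycled through a few modes,
// then removed again.
$file = tempnam(sys_get_temp_dir(), 'cfg');

printf("%-6s %-12s %-12s\n", 'mode', 'is_writable', 'grp/world');
foreach (array(0644, 0444, 0664, 0646, 0600) as $mode) {
    chmod($file, $mode);
    clearstatcache(true, $file);   // stat results are cached per path
    printf("%04o   %-12s %-12s\n",
        $mode,
        is_writable($file) ? 'yes' : 'no',
        group_or_world_writable($file) ? 'yes' : 'no');
}

chmod($file, 0600);
unlink($file);
```

Run it with the PHP CLI as an ordinary user. For 0644 and 0600, is_writable() reports yes (the process owns the file) while the mask check reports no; for 0664 and 0646 both report yes; for 0444 both report no, except that a process running as root bypasses mode bits and is_writable() may still say yes. The caveat for anyone applying the thread's patch: the mask check only decides whether the warning is shown. If the web server runs as the file's owner, the PHP process can still overwrite configure.php at 0644, which is exactly the condition the stock osCommerce warning describes, so the patch changes the reporting, not the exposure.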


hi peterr,

I'm new to osCommerce, and I am having the problem people are talking about here. I tried to set the CHMOD to 444, but I failed. I would like to try to use your fix, but I am not sure where to place the new code in osCommerce.

itembazaar.com Website Admin


Hi,

I'm new to osCommerce, and I am having the problem people are talking about here. I tried to set the CHMOD to 444, but I failed. I would like to try to use your fix, but I am not sure where to place the new code in osCommerce.

Yes, sorry, it's a bit hard to follow, here it is ............

/catalog/includes/header.php - change line 22 from this

    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) {

to this ...................

    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (fileperms(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php') & 18) ) {

Peter


Hi all, I have been having this same problem with my osCommerce site, I reset the permissions to 644 and 444 and nothing helps.

It did have the same error as the original post, but now something I have done has changed the error slightly to:

Warning WARNING_CONFIG_FILE_WRITEABLE

at the top of each page.

I have tried following the advice above but it didn't quite match what I had in my header.php, so I took a bash at making it fit.

Here's what I have:

 

<?php
/*
  $Id: header.php,v 1.42 2003/06/10 18:20:38 hpdl Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

  Released under the GNU General Public License
*/

// check if the 'install' directory exists, and warn of its existence
  if (WARN_INSTALL_EXISTENCE == 'true') {
    if (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/install')) {
      $messageStack->add('header', WARNING_INSTALL_DIRECTORY_EXISTS, 'warning');
    }
  }

// New code replacement, only issue warning msg if either world or group has write permissions

// full path of configure.php; fileperms() below needs it, so it has to be set here
  $filename = dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php';

// check for either world write or group write (2 = world write, 16 = group write)
// The value of 18 has two bits set. If either of those bits remain set in the result value, it will be non-zero.
  $world_group_write = '0';
  if (file_exists($filename) && (fileperms($filename) & 18)) {
    $world_group_write = '1';
  }

// check if the configure.php file is writeable, but only for world or group
  if (WARN_CONFIG_WRITEABLE == 'true') {
    if ($world_group_write == '1') {
      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
    }
  }

// check if the session folder is writeable
  if (WARN_SESSION_DIRECTORY_NOT_WRITEABLE == 'true') {
    if (STORE_SESSIONS == '') {
      if (!is_dir(tep_session_save_path())) {
        $messageStack->add('header', WARNING_SESSION_DIRECTORY_NON_EXISTENT, 'warning');
      } elseif (!is_writeable(tep_session_save_path())) {
        $messageStack->add('header', WARNING_SESSION_DIRECTORY_NOT_WRITEABLE, 'warning');
      }
    }
  }

// check session.auto_start is disabled
  if ( (function_exists('ini_get')) && (WARN_SESSION_AUTO_START == 'true') ) {
    if (ini_get('session.auto_start') == '1') {
      $messageStack->add('header', WARNING_SESSION_AUTO_START, 'warning');
    }
  }

  if ( (WARN_DOWNLOAD_DIRECTORY_NOT_READABLE == 'true') && (DOWNLOAD_ENABLED == 'true') ) {
    if (!is_dir(DIR_FS_DOWNLOAD)) {
      $messageStack->add('header', WARNING_DOWNLOAD_DIRECTORY_NON_EXISTENT, 'warning');
    }
  }

  if ($messageStack->size('header') > 0) {
    echo $messageStack->output('header');
  }
?>
<table border="0" width="100%" cellspacing="0" cellpadding="0">
 <tr class="header">
<td valign="middle"><?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . tep_image(DIR_WS_IMAGES . 'oscommerce.gif', 'osCommerce') . '</a>'; ?></td>
<td align="right" valign="bottom"><?php echo '<a href="' . tep_href_link(FILENAME_ACCOUNT, '', 'SSL') . '">' . tep_image(DIR_WS_IMAGES . 'header_account.gif', HEADER_TITLE_MY_ACCOUNT) . '</a>  <a href="' . tep_href_link(FILENAME_SHOPPING_CART) . '">' . tep_image(DIR_WS_IMAGES . 'header_cart.gif', HEADER_TITLE_CART_CONTENTS) . '</a>  <a href="' . tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL') . '">' . tep_image(DIR_WS_IMAGES . 'header_checkout.gif', HEADER_TITLE_CHECKOUT) . '</a>'; ?>  </td>
 </tr>
</table>
<table border="0" width="100%" cellspacing="0" cellpadding="1">
 <tr class="headerNavigation">
<td class="headerNavigation">  <?php echo $breadcrumb->trail(' » '); ?></td>
<td align="right" class="headerNavigation"><?php if (tep_session_is_registered('customer_id')) { ?><a href="<?php echo tep_href_link(FILENAME_LOGOFF, '', 'SSL'); ?>" class="headerNavigation"><?php echo HEADER_TITLE_LOGOFF; ?></a>  |  <?php } ?><a href="<?php echo tep_href_link(FILENAME_ACCOUNT, '', 'SSL'); ?>" class="headerNavigation"><?php echo HEADER_TITLE_MY_ACCOUNT; ?></a>  |  <a href="<?php echo tep_href_link(FILENAME_SHOPPING_CART); ?>" class="headerNavigation"><?php echo HEADER_TITLE_CART_CONTENTS; ?></a>  |  <a href="<?php echo tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'); ?>" class="headerNavigation"><?php echo HEADER_TITLE_CHECKOUT; ?></a>   </td>
 </tr>
</table>
<?php
 if (isset($HTTP_GET_VARS['error_message']) && tep_not_null($HTTP_GET_VARS['error_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
 <tr class="headerError">
<td class="headerError"><?php echo htmlspecialchars(urldecode($HTTP_GET_VARS['error_message'])); ?></td>
 </tr>
</table>
<?php
 }

 if (isset($HTTP_GET_VARS['info_message']) && tep_not_null($HTTP_GET_VARS['info_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
 <tr class="headerInfo">
<td class="headerInfo"><?php echo htmlspecialchars($HTTP_GET_VARS['info_message']); ?></td>
 </tr>
</table>
<?php
 }
?>

 

Any chance of someone helping me sort this out?


Hi, hope all is well with everyone. I am having a similar problem: I changed the code in header, but I still can't make changes to configure. I need to turn SSL to false in configure. This is what I have done in header (in green). Am I missing something? Any help would be greatly appreciated.

 

<?php
/*
  $Id: header.php 1739 2007-12-20 00:52:16Z hpdl $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2003 osCommerce

  Released under the GNU General Public License
*/

// check if the 'install' directory exists, and warn of its existence
  if (WARN_INSTALL_EXISTENCE == 'true') {
    if (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/install')) {
      $messageStack->add('header', WARNING_INSTALL_DIRECTORY_EXISTS, 'warning');
    }
  }

// check if the configure.php file is writeable
  if (WARN_CONFIG_WRITEABLE == 'true') {
    if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (fileperms(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php') & 18) ) {
      $messageStack->add('header', WARNING_CONFIG_FILE_WRITEABLE, 'warning');
    }
  }

// check if the session folder is writeable
  if (WARN_SESSION_DIRECTORY_NOT_WRITEABLE == 'true') {
    if (STORE_SESSIONS == '') {
      if (!is_dir(tep_session_save_path())) {
        $messageStack->add('header', WARNING_SESSION_DIRECTORY_NON_EXISTENT, 'warning');
      } elseif (!is_writeable(tep_session_save_path())) {
        $messageStack->add('header', WARNING_SESSION_DIRECTORY_NOT_WRITEABLE, 'warning');
      }
    }
  }

// check session.auto_start is disabled
  if ( (function_exists('ini_get')) && (WARN_SESSION_AUTO_START == 'true') ) {
    if (ini_get('session.auto_start') == '1') {
      $messageStack->add('header', WARNING_SESSION_AUTO_START, 'warning');
    }
  }

  if ( (WARN_DOWNLOAD_DIRECTORY_NOT_READABLE == 'true') && (DOWNLOAD_ENABLED == 'true') ) {
    if (!is_dir(DIR_FS_DOWNLOAD)) {
      $messageStack->add('header', WARNING_DOWNLOAD_DIRECTORY_NON_EXISTENT, 'warning');
    }
  }

  if ($messageStack->size('header') > 0) {
    echo $messageStack->output('header');
  }
?>
<table border="0" width="100%" cellspacing="0" cellpadding="0">
  <tr class="header">
    <td valign="middle"><?php echo '<a href="' . tep_href_link(FILENAME_DEFAULT) . '">' . tep_image(DIR_WS_IMAGES . 'banner1.jpg', 'ISLAMICGEMS') . '</a>'; ?></td>
    <td align="right" valign="bottom"><?php echo '<a href="' . tep_href_link(FILENAME_ACCOUNT, '', 'SSL') . '">' . tep_image(DIR_WS_IMAGES . 'header_account.gif', HEADER_TITLE_MY_ACCOUNT) . '</a> <a href="' . tep_href_link(FILENAME_SHOPPING_CART) . '">' . tep_image(DIR_WS_IMAGES . 'header_cart.gif', HEADER_TITLE_CART_CONTENTS) . '</a> <a href="' . tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL') . '">' . tep_image(DIR_WS_IMAGES . 'header_checkout.gif', HEADER_TITLE_CHECKOUT) . '</a>'; ?> </td>
  </tr>
</table>
<table border="0" width="100%" cellspacing="0" cellpadding="1">
  <tr class="headerNavigation">
    <td class="headerNavigation"> <?php echo $breadcrumb->trail(' » '); ?></td>
    <td align="right" class="headerNavigation"><?php if (tep_session_is_registered('customer_id')) { ?><a href="<?php echo tep_href_link(FILENAME_LOGOFF, '', 'SSL'); ?>" class="headerNavigation"><?php echo HEADER_TITLE_LOGOFF; ?></a> | <?php } ?><a href="<?php echo tep_href_link(FILENAME_ACCOUNT, '', 'SSL'); ?>" class="headerNavigation"><?php echo HEADER_TITLE_MY_ACCOUNT; ?></a> | <a href="<?php echo tep_href_link(FILENAME_SHOPPING_CART); ?>" class="headerNavigation"><?php echo HEADER_TITLE_CART_CONTENTS; ?></a> | <a href="<?php echo tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'); ?>" class="headerNavigation"><?php echo HEADER_TITLE_CHECKOUT; ?></a> </td>
  </tr>
</table>
<?php
  if (isset($HTTP_GET_VARS['error_message']) && tep_not_null($HTTP_GET_VARS['error_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
  <tr class="headerError">
    <td class="headerError"><?php echo htmlspecialchars(stripslashes(urldecode($HTTP_GET_VARS['error_message']))); ?></td>
  </tr>
</table>
<?php
  }

  if (isset($HTTP_GET_VARS['info_message']) && tep_not_null($HTTP_GET_VARS['info_message'])) {
?>
<table border="0" width="100%" cellspacing="0" cellpadding="2">
  <tr class="headerInfo">
    <td class="headerInfo"><?php echo htmlspecialchars(stripslashes(urldecode($HTTP_GET_VARS['info_message']))); ?></td>
  </tr>
</table>
<?php
  }
?>

Hi,

Not an elegant solution, but as I see absolutely no reason to chmod the file to a 444, I have made the following changes...

Thanks PeterR,

You are right, it doesn't fully fix the problem but is definitely a good workaround. Have you by any chance actually figured out why that error shows and how to fix it without modifying the code?

Also, is what the error says actually true? I mean that the file is writable? Or is it a mistake? Because I have set only the Read rights on those files and it still showed the error. I'm running IIS6. Thanks for sharing the code.
