Protection of Configuration


stevel

I have updated the contribution to version 1.1 and I recommend that users on shared hosts install the update then use the tool to unprotect and reprotect their files.

Link to comment
Share on other sites

This is the official support topic for the contribution Protection of Configuration

 

Please report any problems with this contribution here.

 

Hi Steve,

 

I have a problem - when I uploaded both the files, and after I changed the filenames.php, now I can't get into the file manager at all! So I haven't been able to change the second file tools.php.

 

Any suggestions would be appreciated

 

thanks

jean

Link to comment
Share on other sites

I never use the osC file manager and actually remove it from the server of my stores as it is a security risk. At least, with the latest osC update, it no longer corrupts files.

 

You'll have to use an FTP client or some other method of editing your files until you have fixed whatever error you made - probably a syntax error in filenames.php.

Link to comment
Share on other sites

Thanks Steve, I have fixed it I think.

 

I have just put up osCommerce on my server - and it's security that worries me. Is there a place on the forum/contribution area that has a complete list of security issues and how to fix them?

thanks

jean

Link to comment
Share on other sites

  • 2 weeks later...

Steve,

 

I too get the error

 

No Right Permission Access

Please contact your Webmaster to request

more access or if you found any problem.

 

 

I am logged in as top administrator, I have changed file permissions to 755.. 644...444 nothing seems to work. Any ideas?

 

I use creloaded 6.15 and cannot get the security error bar across the top of the home page off.

 

Thanks

 

Kyle

Link to comment
Share on other sites

Jean, sorry I didn't see your post earlier. The security issue of the File Manager is that if someone gets into your admin, they can see, edit or delete any file in your store. Obviously the osCommerce developers thought that was a good idea, but I don't.

 

Kyle, I have no experience with creloaded. I would first check to make sure the protection is actually set on the server to what you think it is. Then find the code that gives the warning and see what it is testing for.

Link to comment
Share on other sites

  • 5 months later...

The file permission is set to 644, I'm not able to set it differently - so I just need to have the check commented out.

 

This warning message is quite annoying. And I wish I could get rid of it by commenting out in a php file. Does anyone know how to do this? :-"

 

Thanks!

 

BR

Link to comment
Share on other sites

  • 5 weeks later...

Good Day,

 

In trying the contrib, I am getting the following error:

 

Fatal error: Cannot redeclare tep_db_connect() (previously declared in /xxxx/htdocs/Catalog/admin/includes/functions/database.php:13) in /xxxx/htdocs/Catalog/admin/includes/functions/database.php on line 13

 

Any help would be appreciated..

 

Steve

Link to comment
Share on other sites

Somehow you are getting database.php included twice. Sometimes this is caused by a blank line at the end of includes/languages/english.php, though this mod doesn't change that file. The call to database.php comes from application_top.php which is not edited by this contrib. I suggest you check your changes carefully.

Link to comment
Share on other sites

Steve,

 

I will look, but it doesn't make sense as you said.

 

Steve

Link to comment
Share on other sites

  • 8 months later...

Somebody know where I can change the PHP so I can get this script to work??? And what should I change in php.ini or other files????

 

 

You were right! That did the trick. This is what my ISP said:

 

Hello,

We have made some modifications in the PHP configurations in the server to do 'chmod' through PHP script. Also, we have added the line

#!/usr/local/bin/php

at the beginning of the script

/home/public_html/catalog/admin/protection.php

 

So I guess that was it.

BTW, do you think the "#!/usr/local/bin/php " makes any difference? I've never had to put that at the top of the page before and I'm running a lifetime of PHP stuff on this same server.

 

Thanks again!

 

cc

 

"I love people who love PHP"

Link to comment
Share on other sites

  • 10 months later...

Hi Steve,

I'm looking for ways to secure my site or at least make it more challenging for any would-be hackers and came upon your contrib. Granted, I'm not the brightest bulb on the shelf so please be patient with my confusion. If someone is able to get into the admin area which grants them the ability to edit/delete files, what prevents them from deleting the protection.php files and any other files? I mean, once they're in, don't they have the ability to wreak havoc regardless of any secondary security precautions, or is a comparison to an intruder inside a premises with the intent of vandalism incorrect? Your suggestion to move the admin folder out of the catalog seems more judicious so as to thwart (reduce the ease of) entry in the first place. Also, if I remove filenames.php, doesn't that bypass 'define('FILENAME_PROTECTION', 'protection.php');'? I realize if someone is adamant on getting in and has the resources that there's always a risk, and I sincerely appreciate your measures to safeguard my site. I'm just conjuring up an image that while I'm locking up the cookie jar, I failed to shut the front door. Thanks for your patience and understanding.

respectfully,

jk

Link to comment
Share on other sites

  • 3 months later...

Sorry for not seeing this earlier - my subscription to the topic seems to have expired.

 

This contribution does not improve security of the store. All it does is make it easier to change the file protection status of the two configuration.php files as recommended by osCommerce instructions, making them not writeable. In particular, some combinations of FTP client and web host won't let you set a 444 protection on a file, so you have to do it either from a shell or from a script. It also shows you whether or not the two files are writeable.

Link to comment
Share on other sites

  • 2 weeks later...

The contribution uses the same PHP is_writable function that osCommerce uses to warn you if the configuration file is writable. If Protection of Configuration says the file is writable, then it is.

Link to comment
Share on other sites

  • 2 weeks later...

Steve,

Just a quick question. I have installed Protection of Configuration and have secured the two config files perfectly fine. Which was the main reason that I installed it as I am on a Windows shared hosting and cannot change the levels of security on the folders.

 

However, I have just been looking at the other folders that I can change the security levels on and found that even if I select to secure them, and it confirms it at the top, nothing changes.

 

I have attached a screen shot below for reference.

 

protection-of-configuration.gif

 

Any advice would be helpful!

 

Thanks!! :)

Gazza

If it's not broken...why try fixing it??

Link to comment
Share on other sites

I would guess that the "chmod" PHP function does not operate on directories on a Windows host. All the code is "confirming" is that chmod did not return an error.

Link to comment
Share on other sites
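
The replies above note that the tool relies on PHP's is_writable and that a "confirmed" change only means chmod did not return an error. The following is an added example, not the contribution's own code, that sets a file read-only and then re-checks the actual state; the function name protect_file and taking the file paths from the command line are assumptions.

```php
<?php
// Added example: make a file read-only and verify the outcome instead of
// trusting chmod()'s return value. protect_file() is a hypothetical helper.

function protect_file(string $path, int $mode = 0444): array
{
    if (!is_file($path)) {
        return ['path' => $path, 'ok' => false, 'reason' => 'not a regular file'];
    }

    $chmodOk = @chmod($path, $mode);

    // PHP caches stat() results; clear them so the checks below see the
    // state after chmod(), not the state before it.
    clearstatcache(true, $path);

    $actual   = fileperms($path) & 0777;  // permission bits only
    $writable = is_writable($path);       // the test the thread says osCommerce uses

    if (!$chmodOk) {
        $reason = 'chmod() returned false (PHP may not run as the file owner)';
    } elseif ($actual !== $mode) {
        $reason = sprintf('chmod() reported success but mode is %04o', $actual);
    } elseif ($writable) {
        $reason = 'mode is set but the file is still writable by the PHP user';
    } else {
        $reason = 'read-only';
    }

    return [
        'path'   => $path,
        'ok'     => $chmodOk && $actual === $mode && !$writable,
        'reason' => $reason,
    ];
}

// Usage (assumed): php protect_check.php <file> [<file> ...]
$failed = 0;
foreach (array_slice($argv ?? [], 1) as $target) {
    $r = protect_file($target);
    printf("%-4s %s (%s)\n", $r['ok'] ? 'OK' : 'FAIL', $r['path'], $r['reason']);
    $failed += $r['ok'] ? 0 : 1;
}
exit($failed > 0 ? 1 : 0);
```

A FAIL line with "chmod() reported success" is the case described above, where the call returns without error but the permissions did not change.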

  • 3 months later...

Hi,

 

This is Mendoh with a problem using this contribution.

 

I have installed version 1.1 correctly then successfully protected both "administration panel" and "catalog".

 

After a while, today I tried to switch the whole to unprotected status and no matter the folder I always get a red error saying "Failed to change protection of Administration Panel" and "Failed to change protection of catalog"; if I tried to chmod 775 or 777 on server, I get nothing done and still wind up with 755 permission.

 

Can anybody help me out to find what is wrong?

 

Thanks a lot in advance

 

Mendoh

Link to comment
Share on other sites

  • 3 weeks later...
Try installing the latest version. I had the same problem and switched. It makes it easy to see the permissions you need on certain important files.

 

Yol

I repeat myself when under stress, I repeat myself when under stress, I repeat myself...

 

--King Crimson (“Discipline”)

Link to comment
Share on other sites

Oh, just one thing. Shouldn't the images and backup folders be CHMOD to 0777? Otherwise I get an error message in the admin panel, as the backup file is not writable, and my store gets really slow, due to the images taking longer than usual. I keep those folders (and the graphs folder) at 0777.

 

Yol

I repeat myself when under stress, I repeat myself when under stress, I repeat myself...

 

--King Crimson (“Discipline”)

Link to comment
Share on other sites
