Category Archives: security fixes

how to rename your admin folder

One recommended security step to take with any oscommerce-based e-commerce store is to rename the admin folder so it is harder for the uninvited to drop in.

Steps to take:

  • Choose a new name
    Or don’t and use a randomiser like the PCTools Password Generator to make a new admin folder name of 8 or more characters for you. Use a mix of letters, cases, numbers and some symbols, but avoid characters that have a meaning in file paths or URLs (\ | / ‘ ” ? # & % and spaces) or you will be fighting your browser and your ftp client. Copy it to the Clipboard so you can paste it in the next steps. A ‘hard-to-guess’ admin name is good, but it is something you will be typing into a browser: 8 to 16 characters is plenty, and 24 seems excessive.
  • Make the change
    Access your Store through your control panel or an (s)ftp connection, click the Rename button (or use right click ‘rename’) and paste in the new name.
    Refresh the display (or close and reopen the (s)ftp connection) to see the change take effect.
  • Update your ‘admin’/includes/configure.php file
    You may have to change the permission settings to be able to make the following change – ‘644’ (read/write for the owner) is enough if the file is yours; only fall back to ‘666’ (read/write for everyone on the server) if your host runs PHP as a different user, and never leave it that way.
    Check the file for entries with /admin/ in the paths (in a stock osCommerce admin these are the DIR_WS_ADMIN and DIR_FS_ADMIN defines). Use Find and Replace to change all of these /admin/ entries to /new name/, taking care not to touch an unrelated /admin/ segment that may occur elsewhere in a server path.
    Save the file and change permissions back to ‘444’ or ‘Read only all groups.’
  • Update any ‘admin’ bookmarks
    If you have the old admin panel bookmark in your browser(s) now’s the time to update these to reflect the new ‘admin’ folder name.
  • Don’t include references to the new ‘admin’ folder in the robots.txt file
    The /catalog/robots.txt file is a popular reference for would-be hackers to see which parts of your store you don’t want the bots to visit. Avoid mentioning the new ‘admin’ folder in this file; a Disallow line is a map, not a lock. There are other ways of diverting bots’ attention away from areas of your store you may want to keep better hidden than others.
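The steps above, done in one go from the command line. This is an added example written for this post, not a script shipped with osCommerce or any of its derivatives. It assumes the stock layout (root/admin/includes/configure.php, with DIR_WS_ADMIN and DIR_FS_ADMIN containing the old folder name as a path segment); the store path and the new name in the usage line are made up. Run it with PHP on the server (php rename_admin.php root oldname newname) or adapt it to a one-off web script if you only have ftp.

```php
<?php
// rename_admin.php - rename an osCommerce-style admin folder and update its
// configure.php in one go. Added example for this post; it is not code
// shipped with osCommerce or any of its derivatives.
// Usage: php rename_admin.php /home/user/public_html/catalog admin k7Qx2mPzv4
// Assumes the stock layout <root>/<admin>/includes/configure.php, whose
// DIR_WS_ADMIN / DIR_FS_ADMIN defines contain the old name as a path segment.

function check_new_name(string $name): void
{
    // Letters, digits, dot, underscore, hyphen only: anything else either
    // needs URL-encoding or has a meaning to the shell or the file system.
    if ($name === 'admin' || !preg_match('/^[A-Za-z0-9._-]{8,}$/', $name)) {
        throw new InvalidArgumentException("unsuitable folder name: $name");
    }
}

function rewrite_configure(string $file, string $old, string $new): int
{
    $src = file_get_contents($file);
    if ($src === false) {
        throw new RuntimeException("cannot read $file");
    }
    // Replace only the path segment "/admin/"; a bare "admin" would also hit
    // table names and constants such as TABLE_ADMIN. If your server path
    // contains an unrelated "/admin/" segment, review the result by hand.
    $out = str_replace("/$old/", "/$new/", $src, $count);
    if (!is_writable($file)) {
        chmod($file, 0644);         // owner read/write is enough; 666 is not needed
    }
    if (file_put_contents($file, $out) === false) {
        throw new RuntimeException("cannot write $file");
    }
    chmod($file, 0444);             // back to read-only, as the post recommends
    return $count;
}

function robots_mentions(string $root, string $name): bool
{
    // robots.txt is public: the new name must not appear in it.
    $robots = "$root/robots.txt";
    return is_file($robots) && stripos((string) file_get_contents($robots), "/$name") !== false;
}

function rename_admin(string $root, string $old, string $new): array
{
    check_new_name($new);
    $oldDir = "$root/$old";
    $newDir = "$root/$new";
    if (!is_dir($oldDir)) {
        throw new RuntimeException("no such folder: $oldDir");
    }
    if (file_exists($newDir)) {
        throw new RuntimeException("already exists: $newDir");
    }
    $replaced = rewrite_configure("$oldDir/includes/configure.php", $old, $new);
    if (!rename($oldDir, $newDir)) {
        throw new RuntimeException("rename of $oldDir failed");
    }
    return ['replaced' => $replaced, 'robots_leaks_name' => robots_mentions($root, $new)];
}

if (PHP_SAPI === 'cli' && isset($argv[3])) {
    $r = rename_admin(rtrim($argv[1], '/'), $argv[2], $argv[3]);
    printf("configure.php: %d path(s) changed to /%s/ (stock osCommerce has 2)\n", $r['replaced'], $argv[3]);
    if ($r['robots_leaks_name']) {
        echo "WARNING: robots.txt mentions the new folder name - remove that line\n";
    }
    echo "Now update your bookmarks and any cron jobs that still point at /{$argv[2]}/\n";
}
```

The configure.php edit happens before the rename so that, if the file cannot be written, the folder is left where it was and the store keeps working. A count other than 2 is worth a look: some derivatives add their own admin-path defines, and a count of 0 means the file was not the one you thought.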

There’s more here about securing your admin – and although these steps do not guarantee a defence against the determined hacker, they will raise the bar out of the reach of ‘script kiddies’ and others who are looking for easy targets.

top 10 ways to secure your oscommerce-based store

Here is a list of basic security measures you can carry out to protect your store. Use it as a checklist and consider implementing any missing from your server’s security policy. Some of the security steps have certain server requirements that may or may not be available to you, depending on your hosting plan. This post is for stores on Linux servers with LAMP (Linux/Apache/MySQL/PHP) configurations.

These ideas come from a variety of sources, in particular zen-cart which includes a number of useful security features and recommendations in its cart.

  • Check and Set Permissions
    Permissions are assigned to each folder and file which indicate access rights to specific users or groups.
    [screenshot: permissions matrix]
    Folders should be a maximum of 755, however certain folders – /images; /admin/backups; /tmp – may require 757 for writing to, depending on your server configuration. All files should be 644 (configure.php files 444 if possible). Bear in mind that 757 (like 777) makes a folder writable by every account on a shared server; if your host runs PHP as your own user (suPHP, FastCGI/FPM), 755 is enough even for upload folders, so try that first and only widen it if uploads actually fail.
  • Disable the ‘Allow Guest to Tell a Friend’ feature
    Some carts allow visitors to the site to send emails through this feature. By disabling this feature, you will prevent non-logged-in customers from using your server to send ‘spam’ email messages.
  • Update your store and module software to the latest versions and patches
    With every new software release, there are usually security or bug fixes which improve the functionality and stability of your store. If you don’t upgrade, hackers will be able to easily exploit your websites from known vulnerabilities.
  • Use local htaccess files to restrict script execution, access
    For local htaccess files to work, the server must be set up to allow this, usually with the directive ‘AllowOverride All’ or ‘AllowOverride Limit’ in the apache/conf/httpd.conf file. Check with your hosting company if this is configured. Note also that the Order / Allow / Deny directives used below are Apache 2.2 syntax; on Apache 2.4 they only work if mod_access_compat is loaded, and the native equivalents are ‘Require all denied’ and ‘Require all granted’.
  • In the htaccess file itself, start by denying access to everything:

    <FilesMatch ".*">
      Order Deny,Allow
      Deny from all
    </FilesMatch>

  • Then allow access to only certain files. Note the escaped dot: in a regular expression an unescaped ‘.’ matches any single character, so ".*.(gif)$" would also let through a file called ‘xgif’:

    <FilesMatch "\.(ADD INDIVIDUAL FILE EXTENSIONS | SEPARATED BY | HERE)$">
      Order Allow,Deny
      Allow from all
    </FilesMatch>

  • For example, the /images folder:

    <FilesMatch "\.(jpe?g|JPE?G|gif|GIF|png|PNG|swf|SWF)$">
      Order Allow,Deny
      Allow from all
    </FilesMatch>

  • Prevent these HTTP methods (they are request methods, not variables) from being used in, say, the /cache folder. <Limit> only covers the methods you list (HEAD is treated as GET), so anything else such as OPTIONS or TRACE is still allowed; a plain Deny from all without the <Limit> wrapper is the stronger option if nothing in the folder needs to be served at all:

    <Limit GET POST PUT>
      Order Deny,Allow
      Deny from all
    </Limit>

  • For a folder of downloads, this can be added so the file is treated automatically as ‘Save As’ and not opened or run in the browser. The Header line needs mod_headers, and Order takes a single argument, so there must be no space after the comma:

    <FilesMatch "\.(zip|ZIP|gzip|pdf|PDF|mp3|MP3|swf|SWF|wma|WMA)$">
      Order Allow,Deny
      Allow from all
      ForceType application/octet-stream
      Header set Content-Disposition attachment
    </FilesMatch>

  • If you want to prevent snoopers from listing the contents of a folder, there are several ways to do this. The first thing to establish is whether your hosting company already does this via the Apache config file. Ask your hosting company if the following exist in the Apache config file:
    DirectoryIndex index.php
    Options -Indexes -ExecCGI
    (the -ExecCGI is particularly useful as it prevents hackers executing CGI scripts in the folder; it does not affect PHP run through mod_php, which is not CGI)
  • If not, ask whether local htaccess files are allowed to set Options (‘AllowOverride Options’); if so, put ‘Options -Indexes’ in the folder’s .htaccess. Failing that, ‘IndexIgnore */*’ in the .htaccess hides every file from the listing (the listing page still exists, just empty), and if the DirectoryIndex is set to “index.php” (usually it is) you can simply create a blank index.php and upload that to the folder, so Apache serves it instead of a listing.
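The FilesMatch patterns above are ordinary regular expressions, and it is easy to check what they really let through before putting them on a live store. This is an added example, not part of the original post: PHP’s preg_match uses the same PCRE engine Apache uses for FilesMatch, so a pattern that matches here matches there. The file names are made up; the corrected .htaccess it prints assumes AllowOverride permits FileInfo and Limit (or AuthConfig on 2.4) for the folder.

```php
<?php
// filesmatch_check.php - try the <FilesMatch> patterns from this post against
// sample file names. PHP's preg_match uses the same PCRE engine that Apache
// uses for FilesMatch, so what matches here matches there. Added example,
// not part of the original post; the file names are made up.

// As written in the post: the dot before the extension is not escaped, so it
// matches any single character.
const LOOSE_PATTERN  = '.*.(jpe?g|JPE?G|gif|GIF|png|PNG)$';
// Escaped dot, case-insensitive flag instead of listing both cases, and no
// leading .* (FilesMatch is unanchored anyway).
const STRICT_PATTERN = '(?i)\.(jpe?g|gif|png)$';

function matches(string $pattern, string $filename): bool
{
    // '~' is only the PCRE delimiter; neither pattern contains it.
    return preg_match('~' . $pattern . '~', $filename) === 1;
}

function allowed(array $names, string $pattern): array
{
    return array_values(array_filter($names, function (string $n) use ($pattern) {
        return matches($pattern, $n);
    }));
}

// Constructed file names, including the cases that matter.
function sample_names(): array
{
    return ['photo.jpg', 'Banner.PNG', 'notes.txt', 'xgif', 'shell.php', 'shell.php.jpg', '.htaccess'];
}

// Corrected /images/.htaccess: escaped dot, Apache 2.2 and 2.4 syntax side by
// side (Apache does not allow a comment on the same line as a directive, so
// each comment sits on its own line), and script execution switched off,
// because "shell.php.jpg" passes either pattern and mod_mime would otherwise
// hand a file with a .php extension anywhere in its name to PHP.
function images_htaccess(): string
{
    return <<<'HT'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
</IfModule>
<FilesMatch "(?i)\.(jpe?g|gif|png)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</FilesMatch>
# Never execute anything uploaded here, whatever it is called.
# (php_flag engine off does the same job when PHP runs as an Apache module.)
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType .php .phtml .php3 .php4 .php5

HT;
}

if (PHP_SAPI === 'cli') {
    printf("loose  allows: %s\n", implode(', ', allowed(sample_names(), LOOSE_PATTERN)));
    printf("strict allows: %s\n", implode(', ', allowed(sample_names(), STRICT_PATTERN)));
    echo "\nhardened /images/.htaccess:\n", images_htaccess();
}
```

The loose pattern lets ‘xgif’ through (the unescaped dot ate the ‘x’); the strict one does not. Both let ‘shell.php.jpg’ through, which is why the generated file also removes the PHP handler for the folder: an allow-list of extensions controls what can be requested, not what Apache does with it. Put a one-line PHP test file in the folder with a .php.jpg name and request it; if you see the source rather than its output, the folder is safe.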

  • Monitor your error and access logs
    You’re looking for suspicious entries here – requests for pages not on your site; requests where a full http:// address appears in a parameter after index.php (somebody trying to make one of your scripts include a file from their server); repeated hits on the old /admin/ path once you have renamed it; that sort of thing. Your store may have /error or /debug folders in its directory structure – check here too.
  • Backup your store regularly
    MySQL database – this can be done through Admin/Tools/Mysql Backup. Use whatever compression is available. Avoid downloading the compressed backup over an unsecured (http://) connection. The zipped backup file is created in admin/backups, so consider how to secure this folder too, and delete the copy on the server once you have downloaded it: a backup holds your whole customer database in one file.
  • Your store’s files – these AREN’T saved using the MySQL backup and must be done separately. Basically you need a copy of everything in /catalog (or ‘root’ which may be called ‘public_html’.)
  • Server settings – more applicable to stores running on their own server (in which case you should have a maintenance program set up already), however check with your hosting company to see how they manage backing up the server configurations.
  • Check with hosting company on what they have done to make your site secure
    Your store can be severely compromised if your hosting company hasn’t correctly secured the server. There are many configuration features that can be enabled by them (eg Suhosin, apache config settings and php.ini settings are a few) – so it pays to be clear on what they’re doing to make your store more secure. This is particularly important if you’re running on a shared server and using shared SSL (not recommended.)
  • Get a dedicated SSL certificate and static IP address for your store
    This will help in many ways and if you’re serious about presenting a dependable, secure store, these are essential requirements.
  • Seek help
    If your business warrants, or you still want additional assurance (esp if running forum software on your site, or other scripts outside of your e-cart software), hire a security consultant to check your site regularly and give you peace of mind in exchange for a few dollars.
  • Admin-specific security
    Check this post about securing your admin with specific points related to this important utility’s function. The admin is often the point of entry for hacking attempts.
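The log-monitoring item above says what to look for; this is that search written down. It is an added example, not part of the original post or of any cart: the log lines it carries are constructed for the demo (documentation IP ranges, invented paths) and it expects Apache’s “combined” log format. OLD_ADMIN is the folder name you renamed away from, so that any request for it is by definition not yours.

```php
<?php
// scan_access_log.php - pick out the kinds of entries the post says to look
// for in an Apache "combined" access log. Added example, not part of the post;
// the log lines below are constructed for the demo (documentation IP ranges,
// invented paths). Usage: php scan_access_log.php /path/to/access.log
// OLD_ADMIN is the folder name you renamed away from.

const OLD_ADMIN = 'admin';

function sample_log(): string
{
    return <<<'LOG'
203.0.113.7 - - [10/Apr/2011:10:01:12 +0000] "GET /catalog/index.php?cPath=22 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2011:10:02:03 +0000] "GET /catalog/index.php?page=http://198.51.100.9/x.txt? HTTP/1.1" 200 5120 "-" "libwww-perl/5.8"
198.51.100.9 - - [10/Apr/2011:10:02:04 +0000] "GET /catalog/admin/login.php HTTP/1.1" 404 310 "-" "libwww-perl/5.8"
198.51.100.9 - - [10/Apr/2011:10:02:05 +0000] "GET /catalog/admin/file_manager.php HTTP/1.1" 404 310 "-" "libwww-perl/5.8"
192.0.2.44 - - [10/Apr/2011:10:03:20 +0000] "GET /catalog/images/logo.png HTTP/1.1" 200 2210 "http://example.com/catalog/" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2011:10:03:21 +0000] "GET /catalog/includes/configure.php HTTP/1.1" 403 200 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2011:10:03:22 +0000] "GET /catalog/index.php?cPath=../../../../etc/passwd HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG;
}

function parse_line(string $line): ?array
{
    // host ident user [time] "METHOD target protocol" status ...
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

function suspicion(string $target): array
{
    $t = rawurldecode($target);     // look through %2e%2e%2f and friends
    $why = [];
    if (preg_match('#=(https?|ftp)://#i', $t)) {
        $why[] = 'URL inside a parameter (remote file include probe)';
    }
    if (preg_match('#/' . preg_quote(OLD_ADMIN, '#') . '/#i', $t)) {
        $why[] = 'old /' . OLD_ADMIN . '/ path (nothing legitimate lives there any more)';
    }
    if (preg_match('#/(file_manager|define_language)\.php#i', $t)) {
        $why[] = 'dangerous admin script';
    }
    if (preg_match('#/includes/.*\.php#i', $t)) {
        $why[] = 'direct request for an include file';
    }
    if (strpos($t, '../') !== false) {
        $why[] = 'path traversal';
    }
    return $why;
}

function scan(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parse_line($line);
        if ($req === null) {
            continue;
        }
        foreach (suspicion($req['target']) as $why) {
            $findings[] = ['ip' => $req['ip'], 'time' => $req['time'], 'status' => $req['status'],
                           'target' => $req['target'], 'why' => $why];
        }
    }
    return $findings;
}

// Group by source address: one probe is noise, a run of them is a scanner.
function per_ip(array $findings): array
{
    $out = [];
    foreach ($findings as $f) {
        $out[$f['ip']][] = $f['why'];
    }
    return $out;
}

if (PHP_SAPI === 'cli') {
    $log = isset($argv[1]) ? (string) file_get_contents($argv[1]) : sample_log();
    $findings = scan($log);
    foreach ($findings as $f) {
        printf("%-14s %-5s %s\n    -> %s\n", $f['ip'], $f['status'], $f['target'], $f['why']);
    }
    foreach (per_ip($findings) as $ip => $whys) {
        printf("%s: %d suspicious request(s)\n", $ip, count($whys));
    }
}
```

On the constructed sample it flags the remote-URL parameter, the two hits on the old admin path (one of them for file_manager.php), the direct request for includes/configure.php and the ../ traversal, and leaves the two ordinary catalogue requests alone. A 404 on the old admin path is harmless in itself; what matters is the address it came from, which is why the summary is per IP.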

12 things you should do to improve your oscommerce-based admin security

Here are some ideas for protecting access to your ‘admin’ area – notice the quotes around ‘admin’, because one of the first moves is to change its name.
These ideas come from a variety of sources, in particular zen-cart which includes a number of useful security features and recommendations in its cart.

  1. Rename your Admin folder
    – Edit the admin/includes/configure.php file. Find and replace all instances of /admin/ with /’your new admin name’/
    – Rename the Admin folder with ‘your new admin name’
  2. Delete the files ‘admin’/file_manager.php and ‘admin’/define_language.php
    – both let whoever is logged in to the admin edit files on the server through the browser (file_manager.php any file it can reach, define_language.php the language PHP files), so anyone who gets into the admin gets a way to plant code for free.
  3. Don’t reveal the new name of your ‘Admin’ folder
    – Remove any reference to the ‘Admin’ folder name from catalog/robots.txt.
    This file is readable by anyone at anytime. So anything entered here can be used to map your Store.
  4. Limit access to ‘Admin’ and remove old or unused ‘Admin’ accounts
    – htaccess rules can be used here. If your Apache server allows local htaccess files to ‘override’ its default settings (check with your host) then you can create an .htaccess file in the ‘admin’ folder and add the following (Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat, or use ‘Require all denied’ / ‘Require all granted’ instead): 

    # deny *everything*
    <FilesMatch ".*\..*">
      Order Allow,Deny
      Deny from all
    </FilesMatch>
    
    # but now allow just *certain* necessary files:
    <FilesMatch "(^$|^favicon\.ico$|\.(php|js|css|jpg|gif|png)$)">
      Order Allow,Deny
      Allow from all
    </FilesMatch>

    This snippet above will only allow files with certain extensions to be requested (as specified in the list php|js|css|jpg|gif|png); the dots are escaped so that ‘.php’ means a literal dot rather than any character. Simply add more extensions with a pipe | to broaden. Note that the first rule only matches names containing a dot, so a file with no extension is not covered by it at all – check what else lives in the folder. If you want to lock access to the ‘admin’ area to a range of IP addresses you use, try:

    # allow only your IP addresses (documentation ranges here; put in your own)
    <FilesMatch ".*\..*">
      Order Deny,Allow
      Deny from all
      Allow from 192.0.2
      Allow from 198.51.100
    </FilesMatch>

    Note the above rule uses only the first groups of numbers from two IP addresses. This is because many people are on dynamically assigned IPs which, although they do change (infrequently), often don’t vary that much. Be clear about what a partial address means to Apache, though: ‘Allow from 192.0.2’ is the whole 192.0.2.0/24 block, and a two-group prefix such as ‘Allow from 123.123’ is the whole 123.123.0.0/16 block, i.e. every other customer of your ISP in that range. If you can find your ISP’s actual allocation (a whois lookup on your own address shows it) use that as a CIDR range instead. If you have a static or dedicated IP address when you connect to the Net, you won’t have this problem.
    – set permissions on all folders to 755, all files to 644 (or 444 read only if configure.php). There are some exceptions here: ‘admin’/backups and ‘admin’/images will require write permissions of 757. These may be able to be protected using htaccess rules however.
    – delete old ‘admin’ accounts, especially ‘demo’ or ‘guest’ accounts or those created for temporary users.
  5. Change ‘Admin’ passwords regularly and password protect your ‘admin’ folder
    – to make a tough password, use a password generator like the Norton Security Password Generator or Secure Password Generator and store them in a password vault like KeePass
    – many control panels (like cPanel and Plesk) offer a simple ‘Password Protect Folder’ utility. This is a good idea, although it does mean you will have to log in twice to the ‘admin’ the first time (once in the popup, then again in the actual login.) The browser remembers the popup credentials for as long as it is open, so after that you only do this once per browser session. Basic authentication sends the username and password (base64-encoded, not encrypted) with every request, so only use it on an https:// admin. If you don’t have access to such a utility, here are the steps to create your own password protected folder:
    Add your version of this to your ‘admin’/.htaccess file (making sure you change the values in lines 2 & 3 after AuthName and AuthUserFile):
    AuthType Basic
    AuthName "whatever you would like it to ask you"
    AuthUserFile /absolute/path/to/your/new/.htpasswd
    Require valid-user

    (I’d recommend putting the .htpasswd file in a folder inaccessible from the web, with its own .htaccess file containing:)
    <Files *.*>
      order allow,deny
      deny from all
    </Files>

    Use an htpasswd generator to create and encrypt your password – like this one at dynamicdrive.com – or, if you have shell access, run the htpasswd tool on the server itself (htpasswd -c /absolute/path/to/your/new/.htpasswd username) so the password never goes through a third-party web page. Copy and upload/save the .htpasswd file in its ‘hidden from the web’ location. Done!
  6. Don’t reveal the name of your ‘Admin’ folder on printed invoices, packing slips
    – If you print invoices or packing slips, switch off printing the url path on the page.
    For Internet Explorer: File >> Page Setup >> remove the two-character combination “&u” from the header or footer text box.
    For Firefox: File >> Page Setup >> Margins & Header/Footer >> set all of the drop downs to –blank–.
  7. Set up ‘Admin’ under another domain or subdomain
  8. Use secure Usernames and Passwords
    – If you have work done by a developer or coder who needs access to your admin, use a temporary username and password that you delete afterwards. Use a password generator (like the PCTools Generator mentioned above) and store them in a password vault (like KeePass)
  9. Check access dates in the database
    – If you do have developers etc access your ‘Admin’, use phpMyAdmin and browse the admin table for the admin id row of the account, looking at date_modified. This will show the last access date of that account. Ideally though issue temporary admin access to developers. Many versions of oscommerce-based carts (including zen-cart and oscommerce 2.3.x) now have admin logs so you can see a record of logins (and login attempts.)
  10. Be security conscious when accessing your ‘Admin’ account
    Not best practice to :
    – access the Admin from a public use computer or public wireless hotspot
    – write login details on a piece of paper stuck to the computer or wall in front of you
    – use ‘password’ as your password (lol)
  11. Don’t advertise the version of the Store software you’re running via the ‘admin’
    – Even if you’ve renamed your ‘admin’ folder (as mentioned back at the top of this post), there’s not a lot to be gained from advertising which version of the software you’re patched to:
    [screenshot: Cre Loaded 6.4.0a admin login panel]
    If a security fault was discovered in this version, why advertise you may not have patched? In this example using Cre Loaded, remove around lines 135-137 from ‘admin’/login.php:
       <tr>
          <td></td>
          <td align="left" style="font-size: 11px; color: #444;"><a href="http://www.creloaded.com" target="_blank"><?php echo PROJECT_VERSION;?></a></td>
          <td></td>
     </tr>
     
  12. When using the ‘admin’ panel …
    – use only one browser tab to access your admin area
    – avoid visiting other sites when your browser has an active admin login session enabled, even in another tab: a page on another site can make your browser send requests to your admin carrying your session cookie (cross-site request forgery), and older carts have nothing in the admin to tell such a request from one you made yourself
    – always log out of your admin when not using it
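Items 4 and 5 together, generated rather than hand-typed: an IP allow-list combined with Basic auth, in both the Apache 2.2 syntax the post uses and the 2.4 syntax, with the .htpasswd kept outside the web root. This is an added example, not osCommerce code or a cPanel feature. It assumes AllowOverride lets the .htaccess set AuthConfig and Limit, that the admin is only ever reached over https://, and that the private folder is outside the document root; the paths, user name and network ranges in the usage block are documentation values standing in for your own.

```php
<?php
// make_admin_auth.php - generate the .htaccess / .htpasswd pair for the renamed
// admin folder: IP allow-list plus HTTP Basic auth, Apache 2.2 and 2.4 syntax.
// Added example, not osCommerce code. Assumes AllowOverride lets .htaccess set
// AuthConfig and Limit, that the admin is only reachable over https://, and
// that $privateDir is OUTSIDE the document root. The network ranges in the
// usage block are documentation addresses standing in for your own.
// Usage: php make_admin_auth.php /home/user/public_html/catalog/k7Qx2mPzv4 /home/user/private shopadmin

function htpasswd_line(string $user, string $password): string
{
    // Apache 2.4 (APR 1.5+) verifies bcrypt, and PHP's PASSWORD_BCRYPT writes
    // the same "$2y$" format as `htpasswd -B`. For Apache 2.2 make the file
    // with the htpasswd tool instead, which produces the "$apr1$" MD5 format.
    if (strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('user name may not contain ":" or newlines');
    }
    return $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
}

function deny_all_htaccess(): string
{
    return "<IfModule mod_authz_core.c>\n    Require all denied\n</IfModule>\n"
         . "<IfModule !mod_authz_core.c>\n    Order Allow,Deny\n    Deny from all\n</IfModule>\n";
}

function admin_htaccess(string $passwdFile, array $allowedNets): string
{
    // Both "Require ip" (2.4) and "Allow from" (2.2) accept CIDR notation.
    // Use your ISP's real allocation: "Allow from 123.123" is all of
    // 123.123.0.0/16, i.e. every other customer in that range.
    $req24 = implode("\n", array_map(function (string $n) { return "            Require ip $n"; }, $allowedNets));
    $req22 = implode("\n", array_map(function (string $n) { return "    Allow from $n"; }, $allowedNets));
    return <<<HT
# Basic auth sends the password base64-encoded on every request: https only.
AuthType Basic
AuthName "Store admin"
AuthUserFile $passwdFile
<IfModule mod_authz_core.c>
    <RequireAll>
        Require valid-user
        <RequireAny>
$req24
        </RequireAny>
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
$req22
    Require valid-user
    Satisfy All
</IfModule>

HT;
}

function write_admin_auth(string $adminDir, string $privateDir, string $user, string $password, array $nets): void
{
    if (!is_dir($adminDir)) {
        throw new RuntimeException("no such admin folder: $adminDir");
    }
    // The web server process reads .htpasswd, so the folder must be
    // traversable and the file readable by it; keeping it outside the web
    // root is what stops it ever being served.
    if (!is_dir($privateDir) && !mkdir($privateDir, 0755, true)) {
        throw new RuntimeException("cannot create $privateDir");
    }
    file_put_contents("$privateDir/.htpasswd", htpasswd_line($user, $password), LOCK_EX);
    chmod("$privateDir/.htpasswd", 0644);
    file_put_contents("$privateDir/.htaccess", deny_all_htaccess());
    file_put_contents("$adminDir/.htaccess", admin_htaccess("$privateDir/.htpasswd", $nets), LOCK_EX);
}

if (PHP_SAPI === 'cli' && isset($argv[3])) {
    fwrite(STDERR, "Password for {$argv[3]}: ");
    $password = rtrim((string) fgets(STDIN), "\r\n");
    if (strlen($password) < 12) {
        fwrite(STDERR, "use a generated password of at least 12 characters\n");
        exit(1);
    }
    write_admin_auth(rtrim($argv[1], '/'), rtrim($argv[2], '/'), $argv[3], $password,
                     ['203.0.113.0/24', '198.51.100.64/26']);     // placeholders: your own ranges here
    echo "written; test from an address outside the list and expect 403\n";
}
```

Satisfy All (2.2) and the RequireAll wrapper (2.4) make both conditions mandatory: the right address and the right password. If you later need to let a developer in from an unknown address, add a range for the duration rather than dropping the allow-list, and remove it afterwards along with their admin account.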

sitemonitor

This free to download version of SiteMonitor is based on a contribution written by Jack_mcs and modified by pyramids for cre loaded in 2006. This version updated April 2011.

What it does:
SiteMonitor emails you any changes to the files and folders you specify to monitor. It compares various file details with a reference file created at installation and if the current file details don’t match the reference, off goes the email to you. After creating the reference file, SM is best run as a cronjob daily.

How it works:
SM takes a snapshot (reference.txt) of files and folders specified by you and compares this to the current details of your files and folders.
SM watches for –

  • any new files to monitored folders
  • any deletions
  • any changes in file size
  • any changes in permission settings
  • any time stamp mismatches (so watching for file changes even if size kept the same)

SM can also be used to journal changes you make to your own website, as it writes all details to log.txt.
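The checks described above, and the permission rules from the ‘Check and Set Permissions’ item in the previous post, reduce to walking the tree once and comparing what you find with a saved reference. This is an added example showing that core, not the SiteMonitor contribution itself (it has no e-mail or configuration interface). It assumes the reference file lives outside the web root and that you, not the script, decide when to refresh it; the folder names it skips (images, admin/backups) are the ones the post says may need writing to.

```php
<?php
// integrity_check.php - the core of a SiteMonitor-style check (snapshot, compare,
// report) plus the permission rules from the "Check and Set Permissions" item.
// Added example, not the SiteMonitor contribution itself. Assumes the
// reference file lives outside the web root and that you, not the script,
// decide when to refresh it.
// Usage: php integrity_check.php /path/to/catalog /home/user/private/reference.json

function snapshot(string $root): array
{
    $snap = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $rel = substr($path, strlen($root) + 1);
        $snap[$rel] = [
            'type'  => $info->isDir() ? 'd' : 'f',
            'size'  => $info->isDir() ? 0 : $info->getSize(),
            'perms' => $info->getPerms() & 0777,
            'mtime' => $info->getMTime(),
        ];
    }
    ksort($snap);
    return $snap;
}

// Everything SiteMonitor watches for: additions, deletions, size, permission
// and time-stamp changes (the last catches edits that keep the size the same).
function compare(array $ref, array $now): array
{
    $changes = [];
    foreach (array_keys(array_diff_key($now, $ref)) as $p) {
        $changes[] = "ADDED    $p";
    }
    foreach (array_keys(array_diff_key($ref, $now)) as $p) {
        $changes[] = "DELETED  $p";
    }
    foreach (array_intersect_key($ref, $now) as $p => $old) {
        $new = $now[$p];
        if ($old['size'] !== $new['size']) {
            $changes[] = sprintf("SIZE     %s %d -> %d", $p, $old['size'], $new['size']);
        }
        if ($old['perms'] !== $new['perms']) {
            $changes[] = sprintf("PERMS    %s %o -> %o", $p, $old['perms'], $new['perms']);
        }
        if ($old['mtime'] !== $new['mtime']) {
            $changes[] = sprintf("MTIME    %s %s -> %s", $p, date('c', $old['mtime']), date('c', $new['mtime']));
        }
    }
    return $changes;
}

// Folders 755, files 644, configure.php 444, nothing world-writable; the
// folders the post says may need writing to are passed in and skipped.
function permission_findings(array $snap, array $writableDirs): array
{
    $out = [];
    foreach ($snap as $p => $e) {
        if ($e['type'] === 'd' && in_array($p, $writableDirs, true)) {
            continue;
        }
        $want = $e['type'] === 'd' ? 0755 : (basename($p) === 'configure.php' ? 0444 : 0644);
        if ($e['perms'] & 0002) {
            $out[] = sprintf("WORLD-WRITABLE %s (%o): every account on a shared host can change this", $p, $e['perms']);
        } elseif ($e['perms'] !== $want) {
            $out[] = sprintf("PERMS %s is %o, expected %o", $p, $e['perms'], $want);
        }
    }
    return $out;
}

if (PHP_SAPI === 'cli' && isset($argv[2])) {
    $now = snapshot(rtrim($argv[1], '/'));
    if (!is_file($argv[2])) {
        file_put_contents($argv[2], json_encode($now));
        echo "reference written to {$argv[2]}; re-run from cron to compare\n";
    } else {
        $ref = json_decode((string) file_get_contents($argv[2]), true);
        $report = array_merge(compare($ref, $now), permission_findings($now, ['images', 'admin/backups']));
        // Print nothing when all is well, so cron's mail only arrives when something changed.
        echo $report ? implode("\n", $report) . "\n" : '';
    }
}
```

Run it once to write the reference, then daily from cron; cron mails whatever a job prints to the account owner, so silence means nothing changed. After a deliberate change (an upgrade, a new module) delete the reference file and run again, otherwise every later report will repeat the same lines. The reference is itself a target, which is why it belongs outside the web root with the .htpasswd file.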

This version:
This version of SiteMonitor does not have the Admin interface of the original contribution by jack_mcs, which means you must hardcode the settings in the SM file first before running it. However the advantage here is that there is only 1 file to deal with – all of the functions etc have been combined into one script.

SM is also ideally run as a cronjob (an automated server process that you set and forget.)

The downloadable .zip (37KB) contains:

  1. sitemonitor files in their directory structure (the main programme)
  2. SM_instructions.txt (a short list of instructions, plus example reference file, log file, and email message)
  3. Version Checker (so you can keep up-to-date with new releases)


admin security issue (2009) – all oscommerce-based carts

A security loophole was discovered mid-2009 in the Admin code whereby a hacker could manipulate the admin page url to bypass the login / password function. It affected osCommerce and all derivatives of it – Cre Loaded, oscMax etc. Cre Loaded version 6.4.0a applied this patch – if you are running versions prior to 6.4.0a then you should definitely keep reading.

The cause is the variable the admin used to work out which script is running. PHP’s $_SERVER['PHP_SELF'] includes any extra path the visitor appends after the script name (the PATH_INFO part of the URL), so its value is partly under the visitor’s control; $_SERVER['SCRIPT_NAME'] is only the script Apache actually ran. The admin’s login check keyed off $PHP_SELF, so a crafted URL could make a protected page look like the login page.

Files to check:
admin/includes/application_top.php around line 56
/includes/application_top.php around line 46

The two lines of code that should be replaced may both occur in each file depending on your version.

This code should be replaced asap (ie bad):

$PHP_SELF = (isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : $_SERVER['SCRIPT_NAME']);

and / or

$PHP_SELF = (isset($HTTP_SERVER_VARS['PHP_SELF']) ? $HTTP_SERVER_VARS['PHP_SELF'] : $HTTP_SERVER_VARS['SCRIPT_NAME']);

This code is the replacement (ie good):

$PHP_SELF = $_SERVER['SCRIPT_NAME'];

One simple change to the code – no need to pay to get this done! After editing, search the rest of the store for other uses of PHP_SELF (a grep for PHP_SELF will find them), and confirm the fix by requesting an admin page other than login.php while logged out: you should be sent to the login page, not shown the admin.
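To see why one word makes the difference, the check can be modelled outside the cart. This is an added example and not osCommerce code: the two $_SERVER arrays are constructed to mirror what Apache and PHP populate for a plain request and for the same request with a path segment appended, and needs_login() is a simplified stand-in for the admin’s real check rather than a copy of application_top.php. The admin folder name is made up.

```php
<?php
// php_self_check.php - why the patch swaps $_SERVER['PHP_SELF'] for
// $_SERVER['SCRIPT_NAME']. Added example, not osCommerce code: the two
// $_SERVER arrays are constructed to mirror what Apache + PHP populate, and
// needs_login() is a simplified stand-in for the admin's real check, not a copy
// of application_top.php.

// The admin worked out which script is running from $PHP_SELF and let only the
// login page through without a session. PHP_SELF is the script path *plus*
// PATH_INFO, the extra path a visitor may append after the script name, so
// the visitor controls how it ends. SCRIPT_NAME is just the script Apache ran.
function current_script(array $server, bool $patched): string
{
    $self = $patched
        ? $server['SCRIPT_NAME']
        : ($server['PHP_SELF'] ?? $server['SCRIPT_NAME']);   // the pre-patch expression
    return basename($self);
}

function needs_login(array $server, bool $patched): bool
{
    // Simplified: every admin script except login.php requires a session.
    return current_script($server, $patched) !== 'login.php';
}

// Constructed requests (the admin folder name is made up).
function normal_request(): array
{
    return ['SCRIPT_NAME' => '/k7Qx2mPzv4/categories.php',
            'PHP_SELF'    => '/k7Qx2mPzv4/categories.php'];
}

function request_with_extra_path(): array
{
    // Same script, but with a trailing path segment; Apache still executes
    // categories.php, PHP reports the extra segment as PATH_INFO and folds
    // it into PHP_SELF.
    return ['SCRIPT_NAME' => '/k7Qx2mPzv4/categories.php',
            'PATH_INFO'   => '/login.php',
            'PHP_SELF'    => '/k7Qx2mPzv4/categories.php/login.php'];
}

function outcomes(): array
{
    return [
        'normal, unpatched'     => needs_login(normal_request(), false),           // true
        'extra path, unpatched' => needs_login(request_with_extra_path(), false),  // false: protected page mistaken for the login page
        'extra path, patched'   => needs_login(request_with_extra_path(), true),   // true
    ];
}

if (PHP_SAPI === 'cli') {
    foreach (outcomes() as $case => $required) {
        printf("%-22s login required: %s\n", $case, $required ? 'yes' : 'NO');
    }
}
```

The unpatched check gives the wrong answer for the second request because basename() only ever sees the tail of PHP_SELF, and the tail is the visitor’s to choose. The same property is why PHP_SELF should not be echoed into form action attributes either: whatever the visitor appended lands in your HTML.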