Tag Archives: security

why do I need an SSL certificate (https connection) on my ecommerce site?

Your ecommerce website needs to have a valid SSL certificate installed and running.
Here is some background and the reasons why:

What does an SSL certificate do?

A Secure Sockets Layer (SSL) certificate does a couple of things:

1. encrypts information entered into a form (a ‘form’ is exactly what it sounds like: any ‘fill in the box’ type page that requires you to enter information and click a button on the screen; it could be creating an account, sending an email to the store owner, signing up to a newsletter, etc.)
2. checks the integrity of the connection between the browser and the server (are you connected to the correct server?)

How can I tell it’s working?
The address bar will show a padlock and the word https:// in front of your website name on pages that require SSL encryption.


Note – there is no advantage in making all pages on your site https:// – it works with pages that have forms. Technically, https:// will slow down the page loading speed of your site and may also interfere with indexing by search engines. Most oscommerce-based carts have certain pages where https:// connections will be made, in particular logins, creating accounts and checkout.

But SSL certificates and https:// connections are just for payment pages though, right?
Not true – an SSL certificate scrambles data and secures the connection whenever any form is submitted (a form is basically what it sounds like – any time you type information into a website, you’re probably filling out a form of some sort.)

So this means your admin and customer logins, contact us and create account pages all benefit from your server having an SSL certificate as well.

And if I don’t use one?
All of the data submitted will go as clear text, i.e. unencrypted. It is possible for unscrupulous people to set up ‘sniffer’ and ‘listening’ scripts and grab those clear text details being sent, which could gain them admin login details, customer address information as well as payment details.

Some payment gateways will not accept your payments without a valid SSL certificate installed and running on your site.

Also, the server may not in fact be the server you or your customers intended to reach, as the integrity of the link will not have been verified to any extent.

Implications
Customers are now very aware of the https:// symbol in an address and if they don’t see it when they go to complete an order or set up an account, most will leave.

Identity fraud is a major industry around the world, so it is strongly recommended that if you want to get the business, you operate with a good SSL certificate in place and advertise the fact. Really, it’s a bare minimum to be in business online.

Furthermore, some payment gateways and processors require you as a merchant to have a valid SSL certificate installed before you can connect to them and use their services.

How do I get an SSL certificate?
There are a couple of ways – 1) contact your hosting company to set one up, or 2) Do It Yourself (DIY)

Installing an SSL certificate is not difficult as long as you have access to the interface needed. If you use cPanel, you can use the TLS/SSL Manager in the Security box on the right. Create a CRT and private key, go and buy the certificate and supply these parts, generate the certificate, copy the emailed certificate into the certificate box, install – done.

If you don’t have access to the necessary interface, contact your hosting company and ask them to install the certificate.

Most SSL resellers like RapidSSL, Geotrust, Verisign, Digicert etc have instruction sheets to assist you as well as online support.

SSL certificate prices range from under USD100 a year through to bank-level EV SSLs with multiple verifications (i.e. way over the top) costing much more. Get one that fits with your business volume and turnover – but most importantly, get one!


If you need help installing an SSL certificate please contact me via my Contact page.

how to upgrade oscommerce-based scripts from php 5.2.x to php 5.3.x

More and more hosting companies are upgrading their servers to run php 5.3. For most carts, this will mean an error log file full of deprecated error messages – warnings that one day, the functions being used will be removed entirely and the script will break.

If you’re running an older version of your oscommerce-based cart software (e.g. Cre Loaded 6.4.1, osCommerce 2.2, etc.) you will find that your error log file fills up with deprecated messages from a number of files still using old calls like ‘ereg’ and ‘ereg_replace.’

You could switch these error messages off if you can control the error_reporting configuration on the server you’re on, but there’s a chance that when php 5.4 is adopted by hosting companies (RC6 of it was released January 2012), many of the messages that are merely deprecation warnings now will become broken scripts then.

Updating most of these old calls can be fairly easy – here is a reference table that will help:

ereg() = preg_match()
ereg_replace() = preg_replace()
eregi() = preg_match() with the 'i' modifier
eregi_replace() = preg_replace() with the 'i' modifier
split() = preg_split()
spliti() = preg_split() with the 'i' modifier

As an example – cre loaded 6.4.1a B2B file /includes/functions/general.php :

if (ereg('^[0-9]+$', $value)) {

would become

if (preg_match('/^[0-9]+$/', $value)) {

(note ereg becomes preg_match and the forward slashes (delimiters) are added in)

Other deprecated functions and directives are more involved and may in fact only be configurable by the hosting company if they don’t allow custom php.ini files. There are other examples in the code that can simply be removed to upgrade to php 5.3.x and will stop the deprecated message.

A popular old check in Cre Loaded is a 6.2 version check – this from /admin/includes/runtime/orders/RC_orders_boxesbottom.php:

if (defined('MODULE_ADDONS_RECOVERCARTS_STATUS') && MODULE_ADDONS_RECOVERCARTS_STATUS == 'True') {
  if (defined('PROJECT_VERSION') && ereg('6.2', PROJECT_VERSION)) {
    $rci = tep_admin_files_boxes(FILENAME_RECOVER_ABANDONED_CARTS, BOX_RECOVER_ABANDONED_CARTS, 'SSL','tdate=' . $tdate, '0');
  } else {
    $rci = tep_admin_files_boxes(FILENAME_RECOVER_ABANDONED_CARTS, BOX_RECOVER_ABANDONED_CARTS, 'SSL','tdate=' . $tdate, '2');
  }
}

In this case the ‘upgrade’ would be to remove the old version check (bypassing the need for the deprecated ereg check.)
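As an added example, not code from the post, Cre Loaded or osCommerce, here is the reference table above turned into a small PHP 5.3-compatible shim. The function names ereg_to_preg and compat_* are my own, and the only assumption is that the old pattern uses plain POSIX ERE syntax, as ereg() did.

```php
<?php
// Added example (not from the post, Cre Loaded or osCommerce): a PHP 5.3-
// compatible shim applying the ereg -> preg reference table. Function names
// (ereg_to_preg, compat_*) are my own choices.
//
// ereg() patterns are POSIX ERE and carry no delimiters; preg_*() patterns
// need one, and any '/' already inside the pattern must be escaped once '/'
// is chosen as that delimiter. The 'i' modifier replaces eregi()/spliti().

function ereg_to_preg($pattern, $caseInsensitive = false)
{
    // Escape a literal '/' (e.g. in 'http://') unless it is already escaped.
    $escaped = preg_replace('~(?<!\\\\)/~', '\\\\/', $pattern);
    return '/' . $escaped . '/' . ($caseInsensitive ? 'i' : '');
}

// Drop-in replacements that keep the truthy/falsy behaviour of the originals,
// for files that cannot be edited call by call yet.
function compat_ereg($pattern, $subject)
{
    return preg_match(ereg_to_preg($pattern), $subject) === 1;
}

function compat_eregi($pattern, $subject)
{
    return preg_match(ereg_to_preg($pattern, true), $subject) === 1;
}

function compat_ereg_replace($pattern, $replacement, $subject)
{
    return preg_replace(ereg_to_preg($pattern), $replacement, $subject);
}

function compat_split($pattern, $subject)
{
    return preg_split(ereg_to_preg($pattern), $subject);
}

// The general.php digits-only check from the post, run through the shim:
var_dump(compat_ereg('^[0-9]+$', '12345'));
var_dump(compat_ereg('^[0-9]+$', '12a45'));

// Caveat for checks like ereg('6.2', PROJECT_VERSION): in both POSIX and PCRE
// an unescaped '.' means "any character", so '6x2' matches too. If such a
// version check is rewritten instead of removed, escape the dot:
var_dump(preg_match('/6\.2/', '6.2.1') === 1);
var_dump(preg_match('/6\.2/', '6x2') === 1);
```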

Third-party modules may cause grief when your hosting company upgrades to php 5.3.
At the time of writing this, Magneticone’s modules that use Zend Optimizer for decoding will break as Zend hasn’t provided a backward compatible version of the ZO for scripts using php 5.2.x. Magneticone’s advice in this situation is to use the ioncube versions of the scripts only (as they haven’t upgraded their modules to use the standalone ZO php 5.3 version either.) Nuisance.

If you’re unsure about these changes, contact me for a quote to help you upgrade from php 5.2 to php 5.3

how to rename your admin folder

One recommended security step to take with any oscommerce-based e-commerce store is to rename the admin folder so it is harder for the uninvited to drop in.

Steps to take:

  • Choose new name
    Or don’t and use a randomiser like the PCTools Password Generator to make a new admin folder name of 8 or more characters for you. Use a mix of letters, cases, numbers and some symbols (avoid \ | / ‘ and ” however.) Copy it to the Clipboard so you can paste it in the next steps.
    (Although a ‘hard-to-guess’ admin name is good, 24 characters seems excessive.)
  • Make the change
    Access your store’s files through your control panel file manager or an (s)ftp connection, select the admin folder, click the Rename button (or right click and choose ‘rename’) and paste in the new name.
    Refresh the display (or close and reopen the (s)ftp connection) to see the change take effect.
  • Update your ‘admin’/includes/configure.php file
    You may have to change the permission settings to be able to make the following change – ‘666’ or ‘Read/Write all groups’ is usually enough.
    Check the file for entries with /admin/ in the paths. Use Find and Replace to change all of these /admin/ entries to /new name/.
    Save the file and change permissions back to ‘444’ or ‘Read only all groups.’
  • Update any ‘admin’ bookmarks
    If you have the old admin panel bookmark in your browser(s) now’s the time to update these to reflect the new ‘admin’ folder name.
  • Don’t include references to the new ‘admin’ folder in the robots.txt file
    The /catalog/robots.txt file is a popular reference for would-be hackers to see which parts of your store you don’t want the bots to visit. Avoid mentioning the new ‘admin’ folder in this file. There are other ways of diverting bots’ attention away from areas of your store you may want to keep better hidden than others.

There’s more here about securing your admin – and although these steps do not guarantee a 100% certain defence against the determined hacker, they will raise the bar out of the reach of ‘script kiddies’ and others who are looking for easy targets.

12 things you should do to improve your oscommerce-based admin security

Here are some ideas for protecting access to your ‘admin’ area – notice the quotes around ‘admin’, because one of the first moves is to change its name.
These ideas come from a variety of sources, in particular zen-cart which includes a number of useful security features and recommendations in its cart.

  1. Rename your Admin folder
    – Edit the admin/includes/configure.php file. Find and replace all instances of /admin/ with /’your new admin name’/
    – Rename the Admin folder with ‘your new admin name’
  2. Delete the files ‘admin’/file_manager.php and ‘admin’/define_language.php
  3. Don’t reveal the new name of your ‘Admin’ folder
    – Remove any reference to the ‘Admin’ folder name from catalog/robots.txt.
    This file is readable by anyone at anytime. So anything entered here can be used to map your Store.
  4. Limit access to ‘Admin’ and remove old or unused ‘Admin’ accounts
    – htaccess rules can be used here. If your Apache server allows local htaccess files to ‘override’ its default settings (check with your host) then you can create an .htaccess file in the ‘admin’ folder and add the following: 

    # deny *everything*
    <FilesMatch ".*\..*">
      Order Allow,Deny
      Deny from all
    </FilesMatch>
    
    # but now allow just *certain* necessary files:
    <FilesMatch "(^$|^favicon\.ico$|.*\.(php|js|css|jpg|gif|png)$)">
      Order Allow,Deny
      Allow from all
    </FilesMatch>

    The snippet above will only allow requests for certain file types (as specified in the list php|js|css|jpg|gif|png.) Simply add more extensions separated by a pipe | to broaden it. If you want to lock access to the ‘admin’ area to a range of IP addresses you use, try:

    # allow only your IP addresses
    <FilesMatch ".*\..*">
      Order Deny,Allow
      Deny from all
      Allow from 123.123
      Allow from 456.456
    </FilesMatch>

    Note the above rule uses only the first two groups of numbers from two IP addresses. This is because many people are on dynamically assigned IPs which, although they do change (infrequently), often don’t vary that much. If you have a static or dedicated IP address when you connect to the Net, you won’t have this problem.
    – set permissions on all folders to 755, all files to 644 (or 444 read only if configure.php). There are some exceptions here: ‘admin’/backups and ‘admin’/images will require write permissions of 757. These may be able to be protected using htaccess rules however.
    – delete old ‘admin’ accounts, especially ‘demo’ or ‘guest’ accounts or those created for temporary users.
  5. Change ‘Admin’ passwords regularly and password protect your ‘admin’ folder
    – to make a tough password, use a password generator like the Nortons Security Password Generator or Secure Password Generator and store them in a password vault like KeePass
    – many control panels (like cPanel and Plesk) offer a simple ‘Password Protect Folder’ utility. This is a good idea, although it does mean you will have to log in twice to the ‘admin’ the first time (once in the popup, then again in the actual login.) However if you have cookies enabled for the session, you only have to do this once while the browser is open. If you don’t have access to such a utility, here are the steps to create your own password protected folder:
    Add your version of this to your ‘admin’/.htaccess file (making sure you change the values in lines 2 & 3 after AuthName and AuthUserFile):
    AuthType Basic
    AuthName "whatever you would like it to ask you"
    AuthUserFile /absolute/path/to/your/new/.htpasswd
    Require valid-user

    (I’d recommend putting the .htpasswd file in a folder inaccessible from the web, with its own .htaccess file containing:)
    <Files *.*>
      order allow,deny
      deny from all
    </Files>

    Use an htpasswd generator to create and encrypt your password – like this one at dynamicdrive.com
    Copy and upload/save the .htpasswd file in its ‘hidden from the web’ location. Done!
  6. Don’t reveal the name of your ‘Admin’ folder on printed invoices, packing slips
    – If you print invoices or packing slips, switch off printing the url path on the page.
    For Internet Explorer: File >> Page Setup >> remove this two character combination: “&u” from the header or footer text box.
    For Firefox: File >> Page Setup >> Margins & Header/Footer >> set all of the drop downs to –blank–.
  7. Set up ‘Admin’ under another domain or subdomain
  8. Use secure Usernames and Passwords
    – If you have work done by a developer or coder who needs access to your admin, use a temporary username and password that you delete afterwards. Use a password generator (like the PCTools Generator mentioned above) and store them in a password vault (like KeePass)
  9. Check access dates in the database
    – If you do have developers etc access your ‘Admin’, use phpMyAdmin and browse the admin table for the admin id row of the account, looking at date_modified. This will show the last access date of that account. Ideally though issue temporary admin access to developers. Many versions of oscommerce-based carts (including zen-cart and oscommerce 2.3.x) now have admin logs so you can see a record of logins (and login attempts.)
  10. Be security conscious when accessing your ‘Admin’ account
    Not best practice to :
    – access the Admin from a public use computer or public wireless hotspot
    – write login details on a piece of paper stuck to the computer or wall in front of you
    – use ‘password’ as your password (lol)
  11. Don’t advertise the version of the Store software you’re running via the ‘admin’
    – Even if you’ve renamed your ‘admin’ folder (as mentioned back at the top of this post eh), there’s not a lot to be gained from advertising which version of the software you’re patched to:
    [screenshot: Cre Loaded 6.4.0a admin login panel]
    If a security fault was discovered in this version, why advertise that you may not have patched? In this example using Cre Loaded, remove around lines 135-137 from ‘admin’/login.php:
    <tr>
      <td></td>
      <td align="left" style="font-size: 11px; color: #444;"><a href="http://www.creloaded.com" target="_blank"><?php echo PROJECT_VERSION;?></a></td>
      <td></td>
    </tr>
     
  12. When using the ‘admin’ panel …
    – use only one browser tab to access your admin area
    – avoid visiting other sites when your browser has an active admin login session enabled, even in another tab
    – always log out of your admin when not using it