Saturday, April 22, 2017

12 Tips For Improving OSCommerce Security

This is a post that caught my attention when I was browsing for security-related information for the OSCommerce platform. This is from the website Codemehappy
  1. Rename your Admin folder 
    – Edit the admin/includes/configure.php file. Find and replace all instances of /admin/ with /’your new admin name’/
    – Rename the Admin folder with ‘your new admin name’
  2. Delete the files ‘admin’/file_manager.php and ‘admin’/define_language.php
  3. Don’t reveal the new name of your ‘Admin’ folder
    – Remove any reference to the ‘Admin’ folder name from catalog/robots.txt.
    This file is readable by anyone at anytime. So anything entered here can be used to map your Store.
  4. Limit access to ‘Admin’ and remove old or unused ‘Admin’ accounts
    – htaccess rules can be used here. If your Apache server allows local htaccess files to ‘override’ its default settings (check with your host) then you can create an .htaccess file in the ‘admin’ folder and add the following: 
    01# deny *everything*
    02<FilesMatch ".*\..*">
    03  Order Allow,Deny
    04  Deny from all
    07# but now allow just *certain* necessary files:
    08<FilesMatch "(^$|^favicon.ico$|.*.(php|js|css|jpg|gif|png)$)">
    09  Order Allow,Deny
    10  Allow from all

    This snippet above will only allow certain file types to be run (as specified in the list php|js|css|jpg|gif|png.) Simply add more extensions with a pipe | to broaden. If you want to lock access to the ‘admin’ area to a range of Ip addresses you use, try:
    1# allow only your IP addresses
    2<FilesMatch ".*\..*">
    3  Order Deny,Allow
    4  Deny from all
    5  Allow from 123.123
    6  Allow from 456.456

    Note the above rule uses only the first two groups of numbers from two Ip addresses. This is because many people are on dynamically assigned IPs which although they do change (infrequently), they often don’t vary that much. If you have a static or dedicated IP address when you connect to the Net, you won’t have this problem.
    – set permissions on all folders to 755, all files to 644 (or 444 read only if configure.php). There are some exceptions here: ‘admin’/backups and ‘admin’/images will require write permissions of 757. These may be able to be protected using htaccess rules however.
    – delete old ‘admin’ accounts, especially ‘demo’ or ‘guest’ accounts or those created for temporary users.
  5. Change ‘Admin’ passwords regularly and password protect your ‘admin’ folder
    – to make a tough password, use a password generator like the PCTools Security Password Generator and store them in a password vault like KeePass
    – many control panels (like cPanel and Plesk) offer a simple ‘Password Protect Folder’ utility. This is a good idea, although it does mean you will have to log in twice to the ‘admin’ the first time (once in the popup, then again in the actual login.) However if you have cookies enabled for the session, you only have to do this once while the browser is open. If you don’t have access to such a utility, here are the steps to create your own password protected folder:
    Add your version of this to your ‘admin/.htaccess file (making sure you change the values in lines 2 & 3 after AuthName and AuthUserFile):
    1AuthType Basic
    2AuthName "whatever you would like it to ask you"
    3AuthUserFile /absolute/path/to/your/new/.htpasswd
    4Require valid-user

    (I’d recommend putting the .htpasswd file in a folder inaccessible from the web, with its own .htaccess file containing:)
    1<Files *.*>
    2  order allow,deny
    3  deny from all

    Use an htpasswd generator to create and encrypt your password – like this one at
    Copy and upload/save the .htpasswd file in its ‘hidden from the web’ location. Done!
  6. Don’t reveal the name of your ‘Admin’ folder on printed invoices, packing slips
    – If you print invoices or packing slips, switch off printing the url path on the page.
    For Internet Explorer: File >> Page Setup >> remove this two character combination: “&u” from the header or footer text box.
    For Firefox: File >> Page Setup >> Margins & Header/Footer >> set all of the drop downs to –blank–.
  7. Set up ‘Admin’ under another domain or subdomain
  8. Use secure Usernames and Passwords
    – If you have work done by a developer or coder who needs access to your admin, use a temporary username and password that you delete afterwards. Use a password generator (like the PCTools Generator mentioned above) and store them in a password vault (like KeePass)
  9. Check access dates in the database
    – If you do have developers etc access your ‘Admin’, use phpMyAdmin and browse the admin table for the admin id row of the account, looking at date_modified. This will show the last access date of that account. Ideally though issue temporary admin access to developers. Many versions of oscommerce-based carts (including zen-cart and oscommerce 2.3.x) now have admin logs so you can see a record of logins (and login attempts.)
  10. Be security conscious when accessing your ‘Admin’ account
    Not best practice to :
    – access the Admin from a public use computer or public wireless hotspot
    – write login details on a piece of paper stuck to the computer or wall in front of you
    – use ‘password’ as your password (lol)
  11. Don’t advertise the version of the Store software you’re running via the ‘admin’
    – Even if you’ve renamed your ‘admin’ folder (as mentioned back at the top of this post eh), there’s not a lot to be gained from advertising which version of the software you’re patched to:
    screenshot of Cre Loaded 6.4.0a admin login panel
    If a security fault was discovered in this version, why advertise you may not have patched? In this example using Cre Loaded, remove around line 135 -137 from ‘admin’/login.php:
    1  <tr>
    2     <td></td>
    3     <td align="left" style="font-size: 11px; color: #444;"><a href=""target="_blank"><?php echo PROJECT_VERSION;?></a></td>
    4     <td></td>
  12. When using the ‘admin’ panel …
    – use only one browser tab to access your admin area
    – avoid visiting other sites when your browser has an active admin login session enabled, even in another tab
    – always log out of your admin when not using it


No comments: