For good measure, you should set the following files to 444 or 644:
config.php
index.php
admin/config.php
admin/index.php
system/startup.php
To make your life easier, upload the content of \upload found in the attached zip to your store.OC is not as safe as we wish, a few simple tips for improving:
Always immediately delete the install directory when the shop is working.
Instantly set config.php in admin and root at CHmod 444
The folder: admin
Well it starts with the name, which is wrong, take a pretty cryptic name eg "not4you_min"
Then change the admin\config.php and replace "admin" with "the_new_name"
Contrary to claims in another topics, always use a .htpasswd / .htaccess "admin" (mostly done via your CPanel or Flexpanel)
Its unlikely that a hacker knows how to find your admin with the new name, and if found the .htpasswd stops him at a very high level.
The chances are a lot smaller to get past the .htaccess and if they do they still have to get past the second Admin login.
And if you hate to login twice then you should probably not read the rest of this topic.
The folder: system
This URL shows your error log
http://www.__store__ /system/logs/error.txt
This shows a kind of 404?
http://www.__store__ /system/start_up.php
All this should not be possible so seal this folder with a .htaccess with:
<Files *.*>
Order Deny,Allow
Deny from all
</Files>
It also protects all sub-folders (cache with 777, log with 77 etc.)
The useless index.html in these folders you then can remove.
Create a map called "circkel" in your store root.
Put a .htaccess file in there with:
Deny from all
The folder: catalog
That is also more difficult because there are templates and images and JScript, all other files should never be seen.
http://www.__webshop__ /catalog/controller /account/address.php
gives:
Fatal error: Class 'Controller'not found in / var / www / vhosts / ...........__webshop__ / catalog / controller / account / address.php on line 2
Put a .htaccess in the /catalog with:
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
RewriteRule ^(.+)$ /circkel/ [NC]
What does this do?
When someone wants to access any file or folder in \catalog (or one if its subdirs) it gets redirected to \cirkel and then shown:
Forbidden
You don't have permission to access /catalog/controller/account/account.php on this server.
The server will not give clues anymore like: "Fatal error: Class 'Controller' not found in /var/www/vhosts/.........."
The /image maps uses 777 as well.
Put a .htacces in your /image folder with:
Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteRule ^(.+)$ /circkel/ [NC]
What does this do?
If a hacker would be able to get a .php file in your image folder he would not be able to execute this via his browser,
he will see:
Forbidden
You don't have permission to access /catalog/controller/account/account.php on this server.
If you use other files in /catalog or /image like .swf you have to add another RewriteCond to the .htaccess for that specific file extension.
The advantage of working with. htaccess is that messy requests do not get to the shop, apache will catch them all.
Make sure that when using extensions you do NOT upload files that should not be uploaded (like readme.txt files etc.)!
Make sure your public_html is free of rubbish!
On some servers 777 is not allowed, they use 733, the moral of this story is that lesser rights are the best.
Last but not least, the use of _POST and _GET should be looked at in future releases as they allow injection of hostile code.
Updated 16-12-12: Released by RPH the Secure Random Password Reset
