Post by i2Paq » Sun Jan 30, 2011 12:56 am

This is a topic based on a translation I made of a topic in the Dutch forums about getting your OpenCart installation more secure.

For good measure, you should set the following files to 444 or 644:
config.php
index.php
admin/config.php
admin/index.php
system/startup.php
OC is not as safe as we wish, a few simple tips for improving:

Always immediately delete the install directory when the shop is working.
Instantly set config.php in admin and root at CHmod 444

The folder: admin
Well it starts with the name, which is wrong, take a pretty cryptic name eg "not4you_min"
Then change the admin\config.php and replace "admin" with "the_new_name"
Contrary to claims in another topics, always use a .htpasswd / .htaccess "admin" (mostly done via your CPanel or Flexpanel)
Its unlikely that a hacker knows how to find your admin with the new name, and if found the .htpasswd stops him at a very high level.
The chances are a lot smaller to get past the .htaccess and if they do they still have to get past the second Admin login.
And if you hate to login twice then you should probably not read the rest of this topic.

The folder: system
This URL shows your error log
http://www.__store__ /system/logs/error.txt

This shows a kind of 404?
http://www.__store__ /system/start_up.php

All this should not be possible so seal this folder with a .htaccess with:

<Files *.*>
Order Deny,Allow
Deny from all
</Files>

It also protects all sub-folders (cache with 777, log with 77 etc.)
The useless index.html in these folders you then can remove.

Create a map called "circkel" in your store root.
Put a .htaccess file in there with:

Deny from all

The folder: catalog
That is also more difficult because there are templates and images and JScript, all other files should never be seen.
http://www.__webshop__ /catalog/controller /account/address.php
gives:
Fatal error: Class 'Controller'not found in / var / www / vhosts / ...........__webshop__ / catalog / controller / account / address.php on line 2

Put a .htaccess in the /catalog with:

Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
RewriteRule ^(.+)$ /circkel/ [NC]

What does this do?
When someone wants to access any file or folder in \catalog (or one if its subdirs) it gets redirected to \cirkel and then shown:
Forbidden
You don't have permission to access /catalog/controller/account/account.php on this server.

The server will not give clues anymore like: "Fatal error: Class 'Controller' not found in /var/www/vhosts/.........."

The /image maps uses 777 as well.
Put a .htacces in your /image folder with:

Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteRule ^(.+)$ /circkel/ [NC]

What does this do?
If a hacker would be able to get a .php file in your image folder he would not be able to execute this via his browser,
he will see:
Forbidden
You don't have permission to access /catalog/controller/account/account.php on this server.

If you use other files in /catalog or /image like .swf you have to add another RewriteCond to the .htaccess for that specific file extension.

The advantage of working with. htaccess is that messy requests do not get to the shop, apache will catch them all.

Make sure that when using extensions you do NOT upload files that should not be uploaded (like readme.txt files etc.)!
Make sure your public_html is free of rubbish!

On some servers 777 is not allowed, they use 733, the moral of this story is that lesser rights are the best.

Last but not least, the use of _POST and _GET should be looked at in future releases as they allow injection of hostile code.
To make your life easier, upload the content of \upload found in the attached zip to your store.

Updated 16-12-12: Released by RPH the Secure Random Password Reset

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by JAY6390 » Sun Jan 30, 2011 5:24 am

Last but not least, the use of _POST and _GET should be looked at in future releases as they allow injection of hostile code.
Not actually an issue since all code gets escaped with either type casting or $this->db->escape(), and there's no way of not using them so this point is moot

For the folders, filesmatch is better for the catalog, admin and image folders and means you don't need to add every type of image extension, just stop access to php files, tpl and txt (in case your logs have that extension)

Code: Select all

<FilesMatch "\.(php|tpl|txt)$">
Order Deny,Allow
Deny from all
</FilesMatch>
Stop all access to the system and download folder with

Code: Select all

<Files *.*>
Order Deny,Allow
Deny from all
</Files>
The admin folder name change I agree can be used to help, but again not a necessity since the login is secure, as is the htpasswd addition. That said, I always find it strange people think that a hacker is going to break your password into your admin any quicker than they would a .htpasswd
That might be the case if you have some kind of trigger after so many incorrects that it bans an ip, but you could set up the admin area to do the same thing tbh

The startup.php is indeed an issue but will be solved in the files deny above

Image


User avatar
Guru Member

Posts

Joined
Wed May 26, 2010 11:47 pm
Location - United Kingdom

Post by i2Paq » Sun Jan 30, 2011 5:31 am

Thanks JAY6390.

I will update the files I created with your advice.

Anything we can do/need in the .htacces in the root of OpenCart as security prevention?

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by Xsecrets » Sun Jan 30, 2011 6:00 am

That's funny could you ask the person who said you shouldn't use _POST or _GET how it is that they would expect to pass any data back from the client? As far as I know one of those two methods is the only way and every php program written in the history of php programs uses it because there is no other option.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by JAY6390 » Sun Jan 30, 2011 7:19 am

haha my thoughts exactly X

@i2paq - There's not really anything you can do other than MAYBE hide the php.ini file, although it's not got anything super secret inside it - everyone knows what it contains, and it is available to download openly...

There's also a .txt file in there too, which personally I think if you don't need it delete it, don't mask them
I wasn't really sure why the person who wrote the original said to not upload txt files. Sure people can read them but again, you can get them openly (unless they're paid for mods, but even those don't have anything magical inside them)

Image


User avatar
Guru Member

Posts

Joined
Wed May 26, 2010 11:47 pm
Location - United Kingdom

Post by Qphoria » Sun Jan 30, 2011 8:51 am

Most of this stuff has nothing to do with opencart. It is all personalization choices, mostly at the server level.
- Yes the default name is "admin" for the admin folder. It is admin for ALL scripts ever made. You seem to overlook that the security feature is the ability to rename the admin to anything you want very easily with one line in one file.
- Yes all scripts have an install folder that should be deleted after install, opencart has a HUGE red banner in the admin that reminds you of this.
- Yes all scripts have a config file of sorts and yes they should always be 444. So do it? This has nothing to do with opencart. This is server level security.
- Using .htpasswd / .htaccess is always a good idea, again has nothing to do with opencart as this is a server level choice.
- For the system/logs/error.txt file, this filename is configurable from the system setting area. You can name it anything you want, it is your choice to name it error.txt, not ours.
- The htaccess already has a <FilesMatch> section. I suppose it would be a good idea to add ".txt" to the list but that is minor and htaccess is again at the server level.
- The so called "useless" index.html files I think are used for non-apache servers because ones like litespeed don't read htaccess the same.
-_POST and _GET are not actually used at all in the opencart code. They are captured immediately and replaced with "$this->request->get" and "$this->request->post". This is so we can clean and escape them before processing to avoid XSS and injection. Additionally, all GET data for things like product_id and such is escaped, cleaned, and formatted before processing.

So it looks like OpenCart Security is already above and beyond any of these claims.

The redirect for js, jpg, etc is probably the only good idea that we haven't covered in opencart, but again that is at the server level. We can't force the htaccess file, we only give what is needed. Additional security and performance is up to you. But we can certainly add those entries as a default in future versions.

I've never heard of any server using 733.. It is usually 777 or 755 based on whether you are suphpexec or phpcgi. Some of these facts are just wrong.

I think I'll just rename this thread to "Good ideas for Website security" as the current title give false ideas about opencart.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by zrxraver » Sun Jan 30, 2011 10:21 am

You are missing the point.
Because a number of things can be done on server level (.htaccess) it will make OC more secure.
For instance, why should the name of the error.txt be important, nobody should ever be able to see anything in that directory, no mather what name the error log has.
Im not going to defend the use of a htpasswd again after this, but why should anyone be able to hammer the admin site, if you could let him try to do the first round with apache, which would be a though one, and only if he wins round one, then the OC admin comes in place with a login procedure based on ... a recently patched ... system. Well, and all that is opensource, can we make it more more difficult ?
In my dutch topic I never stated that OC was insecure, what I wanted to share is that we can make OC more secure with simple things.
I dont have the time and will, try to defend anymore what the purpose is of my topic, because all programmers know better.... ;)
Fact is that software will always be behind hackers. When a site is hacked, only then we look further.
Im not going to mention the last time somebody tried to tell you about a weak point in OC ;-)
The validation of POST and GET is also an issue, which is, in my opinion, very poor. I have seen encoded script that is impossible to read and when that is injected in a form field, there is almost no way to stop it anymore. Point is, the validation should be done before it ever reaches the shop. And not like now when it is done in the script on the end with some simple php functions. A posted form value or a get value should be validated much sooner, before it can do harm. I think that you are realy underestimate the capabilities of hackers.
To prevent somebody to view some directory, there are index.html, yes that will do the trick ... and any file with the extension html can not have php inside ??
What are you thinking ... I have even seen image file's where there was php in the EXIF data...and it executed ...
Im not going to spend more time, trying to tell that OC can be made more secure with higher level catches.... it seems you know better.
From my point of view there is a big gap between a hoster/server and a site, the hoster blaims the site when something goes wrong, and the site is depended on the writer of the script.

Active Member

Posts

Joined
Fri Oct 30, 2009 5:36 am

Post by Qphoria » Sun Jan 30, 2011 11:06 am

Im not missing the point. But the topic title was misdirected that these were issues in opencart when they are really just generic security tips for ANY site platform. The tips are good but dont call it "About OC security" because that just raises eyebrows from others that there may be a security issue that doesn't exist

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by Xsecrets » Sun Jan 30, 2011 2:07 pm

zrxraver wrote:The validation of POST and GET is also an issue, which is, in my opinion, very poor. I have seen encoded script that is impossible to read and when that is injected in a form field, there is almost no way to stop it anymore. Point is, the validation should be done before it ever reaches the shop. And not like now when it is done in the script on the end with some simple php functions. A posted form value or a get value should be validated much sooner, before it can do harm. I think that you are realy underestimate the capabilities of hackers.
I would honestly like for you to explain this one. The post and get variables are cleaned immediately when they are acquired by the php script. I would love for you to tell me a way to clean them sooner. Sure you can do some javascript verification and there is some, but regardless hackers will use their own form and bypass any client side verification.

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by Qphoria » Sun Jan 30, 2011 2:24 pm

Agreed with X, clientside javascript is not a valid form of validation. Anyone with firebug and a second grade education could bypass that. POST and GET are cleaned as soon as the request class is instantiated from the index.php. No calls to POST or GET are ever called before that, and still they are only referenced by their cleaned objects. This is not a threat. This is like those people who hear that virii can delete your files while the computer is off... unfounded paranoia

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by i2Paq » Sun Jan 30, 2011 5:02 pm

Qphoria wrote:I think I'll just rename this thread to "Good ideas for Website security" as the current title give false ideas about opencart.
This I have done already as you can see :)
I'm sorry f the title I've chosen was misleading, that was never my intention :-\

I still think that "we", as OpenCart, should provide the .htaccess files in the named directory's to build the first defense.
Most people here know a little about php etc. but lack knowledge on security, most hosters/providers give shit support on so-called "third party scripts" but when a site/server gets hacked they immediately blame the software used: OpenCart.

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by glolar » Thu Mar 03, 2011 7:37 pm

If I add an .htaccess file containing the following, in the admin folder:

<FilesMatch "\.(php|tpl|txt)$">
Order Deny,Allow
Deny from all
</FilesMatch>

... then I cannot log into the admin module (because of the "php". So, are you saying that for security, we should include "php" in the FilesMatch, then remove it any time we want to log into the Admin system?

As you can see, I am a security newb, but I do want my site as secure as possible.

Thank you.

Increase Your Child's I.Q.
iPad Wallpapers
Turtle & Tortoise Screen Savers


User avatar
Active Member

Posts

Joined
Thu Jul 29, 2010 12:35 pm
Location - San Diego, CA

Post by i2Paq » Fri Mar 04, 2011 3:08 am

I have secured my "admin" directory with Directory security offered in my PleskPanel, so I'm not using that.

Norman in 't Veldt
Moderator OpenCart Forums

_________________ READ and Search BEFORE POSTING _________________

Our FREE search: Find your answer FAST!.

[How to] BTW + Verzend + betaal setup.


User avatar
Global Moderator

Posts

Joined
Mon Nov 09, 2009 7:00 pm
Location - Winkel - The Netherlands

Post by zrxraver » Mon Mar 07, 2011 5:07 am

I don't think we are allowed to see the log file from Qphoria but we can. :choke:

for example:

2011-03-01 19:12:36 - PHP Notice: Undefined index: message in /home/qdomain/public_html/ocstore/catalog/controller/product/product.php on line 489
2011-03-01 19:12:52 - PHP Notice: Undefined index: message in /home/qdomain/public_html/ocstore/catalog/controller/product/product.php on line 489
2011-03-01 19:12:54 - PHP Notice: Undefined index: message in /home/qdomain/public_html/ocstore/catalog/controller/product/product.php on line 489
2011-03-01 19:12:55 - PHP Notice: Undefined index: message in /home/qdomain/public_html/ocstore/catalog/controller/product/product.php on line 489
2011-03-01 19:13:25 - PHP Notice: Undefined index: message in /home/qdomain/public_html/ocstore/catalog/controller/product/product.php on line 489
2011-03-01 19:13:26 - PHP Notice: Undefined index: message in /home/qdomain/public_html/ocstore/catalog/controller/product/product.php on line 489
2011-03-01 19:15:51 - PHP Notice: Undefined index: message in /home/qdomain/public_html/ocstore/catalog/controller/product/product.php on line 489


I hope Q also sees this post and fixes this.

Active Member

Posts

Joined
Fri Oct 30, 2009 5:36 am

Post by al3xandr1a » Thu Mar 10, 2011 4:25 pm

I wonder if its possible to just create a module/add-on that will automatically do all these suggested actions...

If its a possible module, I wouldn't mind paying for it, if its not too dear.

~al3xandr1a
Newbie / Student


User avatar
New member

Posts

Joined
Fri Jul 02, 2010 7:27 pm

Post by imadam » Thu Sep 08, 2011 7:44 pm

just done the security updates though not 100% same for obvious reasons. thanks for the tips.

any others are welcome.

is deny from all but one ip the safest bet for admin aea or can they get around ip block?

my opencart carpet cleaning woking guildford and Office Cleaning Services in Guildford


Active Member

Posts

Joined
Sun Jan 10, 2010 10:47 pm
Location - Surrey

Post by Qphoria » Thu Sep 08, 2011 11:09 pm

imadam wrote:just done the security updates though not 100% same for obvious reasons. thanks for the tips.

any others are welcome.

is deny from all but one ip the safest bet for admin aea or can they get around ip block?
deny from all but one means only one ip.. there is no way around that

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by SXGuy » Fri Sep 09, 2011 3:41 am

Qphoria wrote:
imadam wrote:just done the security updates though not 100% same for obvious reasons. thanks for the tips.

any others are welcome.

is deny from all but one ip the safest bet for admin aea or can they get around ip block?
deny from all but one means only one ip.. there is no way around that
Lets hope you have a static i.p address ;)

Active Member

Posts

Joined
Sun Nov 08, 2009 2:07 am

Post by imadam » Fri Sep 09, 2011 3:57 am

i do well the one i've been using for another site that's denied using same addres still works a year later, but if not worst case i can always update the file

my opencart carpet cleaning woking guildford and Office Cleaning Services in Guildford


Active Member

Posts

Joined
Sun Jan 10, 2010 10:47 pm
Location - Surrey

Post by average_joe » Fri Sep 23, 2011 3:55 pm

Hello,

I know this is an older topic, but I have a question..

I have tried the .htaccess code for the /catalog/ folder..

Options +FollowSymlinks
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.jpeg$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.png$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.gif$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.css$
RewriteCond %{REQUEST_FILENAME} !^(.+)\.js$
RewriteRule ^(.+)$ /circkel/ [NC]

However, i'm using a different theme, /mytheme/ instead of /default/.
whenever i enter this code, my website becomes very glitchy, almost like my theme is blocked from entering that code.

Is there any way around this?
same goes for my /image/ folder.

Thank you

New member

Posts

Joined
Sat Sep 03, 2011 1:47 pm
Who is online

Users browsing this forum: No registered users and 4 guests