Post by truelove » Tue Nov 22, 2011 9:06 pm

I go through from your post its really so interesting and very knowledgeable..But actually I don't understand what to say exactly..But still nice content..

Newbie

Posts

Joined
Mon Nov 21, 2011 10:37 pm
Location - canada

Post by puretaboo » Fri Dec 16, 2011 9:52 pm

Can someone help me here please thought id change the name of the admin folder, so changed it to secure_admin

I then went in secure_admin/config.php and changed this -

<?php
// HTTP
define('HTTP_SERVER', 'https://www.mysite.co.uk/secure_admin/');
define('HTTP_CATALOG', 'https://www.mysite.co.uk/');
define('HTTP_IMAGE', 'https://www.mysite.co.uk/image/');

// HTTPS
define('HTTPS_SERVER', 'https://www.mysite.co.uk/secure_admin/');
define('HTTPS_IMAGE', 'https://www.mysite.co.uk/image/');

But i am just getting a blank page now when i got to

www.mysite.co.uk/secure_admin/ :bash:

What am I doing wrong ??? Thanks

v1.5.1.3

Using custom skin "Mango"


User avatar
Newbie

Posts

Joined
Sun Dec 11, 2011 3:52 am

Post by Qphoria » Sat Dec 17, 2011 12:21 am

that should be all you need to do.

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by puretaboo » Sat Dec 17, 2011 3:07 am

That's what I thought but wondered if i had done something wrong, I even cleared my cookies etc but still had a blank page, is there away for me to clear the cache...

Thanks

v1.5.1.3

Using custom skin "Mango"


User avatar
Newbie

Posts

Joined
Sun Dec 11, 2011 3:52 am

Post by puretaboo » Sun Dec 18, 2011 8:54 pm

Well I tried to rename the admin folder and then update the admin/config.php
But still getting a blank page afterwards, how strange is this.........I also have an xcart site and done this without any problems at all, Could this be a problem with the latest version or have others managed to do this with our problems..

Thanks

MORE INFO..........Ive just looked at the log and the only error I can really see is -

2011-12-18 22:29:10 - PHP Notice: Error: Could not load language english! in /home/puretabo/public_html/vqmod/vqcache/vq2-system_library_language.php on line 27

Could this be a cause??

v1.5.1.3

Using custom skin "Mango"


User avatar
Newbie

Posts

Joined
Sun Dec 11, 2011 3:52 am

Post by puretaboo » Mon Dec 19, 2011 7:05 am

Ok ive managed to sort this now there were 5 lines I had to change, thought their were only two -

<?php
// HTTP
define('HTTP_SERVER', 'https://www.mysite.co.uk/secured_admin/');


// HTTPS
define('HTTPS_SERVER', 'https://www.mysite.co.uk/secure_admin/');


// DIR
define('DIR_APPLICATION', '/home/mysite/public_html/secure_admin/');

define('DIR_LANGUAGE', '/home/mysite/public_html/secured_admin/language/');
define('DIR_TEMPLATE', '/home/mysite/public_html/secured_admin/view/template/');

v1.5.1.3

Using custom skin "Mango"


User avatar
Newbie

Posts

Joined
Sun Dec 11, 2011 3:52 am

Post by aresn » Fri Jan 13, 2012 1:35 am

I changed session.php and startup.php to make the session cookie httponly.
session_set_cookie_params(0, '/', NULL,NUll,true);

This will make XSS attacks much harder to pull off. for further information please have a look at http://www.codinghorror.com/blog/2008/0 ... ponly.html

User avatar
Newbie

Posts

Joined
Fri Jan 13, 2012 12:54 am

Post by webpie it. » Fri Jan 13, 2012 3:14 am

aresn wrote:I changed session.php and startup.php to make the session cookie httponly.
session_set_cookie_params(0, '/', NULL,NUll,true);

This will make XSS attacks much harder to pull off. for further information please have a look at http://www.codinghorror.com/blog/2008/0 ... ponly.html
Can any of the mods confirm the above comment is worth doing?

Thanks

Regards

Chris


Active Member

Posts

Joined
Mon Jan 31, 2011 7:28 pm

Post by Qphoria » Fri Jan 13, 2012 5:36 am

aresn wrote:I changed session.php and startup.php to make the session cookie httponly.
session_set_cookie_params(0, '/', NULL,NUll,true);

This will make XSS attacks much harder to pull off. for further information please have a look at http://www.codinghorror.com/blog/2008/0 ... ponly.html
This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this

Image
Donate!|OpenCart Basics|GeoZones
Image


User avatar
Administrator

Posts

Joined
Tue Jul 22, 2008 3:02 am

Post by webpie it. » Fri Jan 13, 2012 6:47 am

Much appreciated Q! Please keep us posted as this is very interesting.

Active Member

Posts

Joined
Mon Jan 31, 2011 7:28 pm

Post by aresn » Fri Jan 13, 2012 10:12 am

I think adding the httponly flag to the cookies is a must. It's harmless since from what I can see there is no place where in opencart, a javascript code access the session id cookie. Also to prevent session hijacking I'm thinking about creating two session ID cookies, here is my strategy, let me know what you think.

When a user login, the login page is ssl secure, two cookies will be set. one for secure pages such as account and checkout, and one for all the pages (secure and non-secure). set the secure session cookie to transmit only on secure pages. in non secure pages, check the non-secure cookie to identify the customer. the customer can add products to shopping card , or write reviews. In secure pages check both cookies to identify the customer.

the reason I'm adding the second ssl-secured session identifier cookie is because the ssl-secured can not be easily hijacked due to ssl-encryption.

I actually got the idea from here (under session management) :
http://publib.boulder.ibm.com/infocente ... ymodel.htm

let me know what you think.

Thank you

User avatar
Newbie

Posts

Joined
Fri Jan 13, 2012 12:54 am

Post by aresn » Fri Jan 13, 2012 1:58 pm

So I'm posting my algorithm and my code here in case somebody wanted to improve it :)

Hash of a random number gets created when the client login. This hash code gets stored in two places. A secured cookie on clients computer and in $session . This secure cookie expires with the session cookie. In secure pages such as checkout and account the secure cookie gets compared with the value in $session, if they were both equal each other ,the customer gets authorized to see the page otherwise it gets redirected to the login page.

without the secure cookie an attacker potentially can hijack the session and access the clients account, but since the secured cookie only gets transferred on a secure connection , the attacker doesn't have access to it, even if somebody steal the session cookie they still need the secured cookie to access the sensitive pages.

and here is my code.
I added these lines to login() customer.php in library

Code: Select all

           //secure cookie
            $random=md5(mt_rand());
            $this->session->data['random']=$random;
            setcookie('s',$random,NULL,'/','',true,true);
           //end of secure cookie 
added these lines in account.php in controller

Code: Select all

	if (!$this->customer->isLogged()) {
	  		$this->session->data['redirect'] = $this->url->link('account/login', '', 'SSL');
	  		$this->redirect($this->url->link('account/login', '', 'SSL'));
    	}else if (isset($_COOKIE['s'])){
            if ($_COOKIE['s']!=$this->session->data['random']){
              $this->customer->Logout();
              $this->session->data['redirect'] = $this->url->link('account/login', '', 'SSL');
              $this->redirect($this->url->link('account/login', '', 'SSL'));
            } 
        }else if (!isset($_COOKIE['s']))  {
              $this->customer->Logout();
              $this->session->data['redirect'] = $this->url->link('account/login', '', 'SSL');
              $this->redirect($this->url->link('account/login', '', 'SSL'));
        } 
I know there is a better way but I was lazy :) hope someone else can clean up the code

User avatar
Newbie

Posts

Joined
Fri Jan 13, 2012 12:54 am

Post by aresn » Sun Jan 15, 2012 8:09 am

no comments from anyone ? I expected a huge discussion, concerning session hijacking in opencart. Not even bashing my code ? I'm surprised :) Since anyone sniffing the connection wont bother with username or password when stealing the session cookie will do the job and opencart at its current state is vulnerable to session hijacking. Even with ssl connection on account and checkout page, all a hacker has to do is get the session cookie on non ssl protect pages and use it. Maybe I'm missing something here. anyone care to comment ?

link to wiki for session hijacking : http://en.wikipedia.org/wiki/Session_hijacking
and http://en.wikipedia.org/wiki/HTTP_cooki ... _hijacking

User avatar
Newbie

Posts

Joined
Fri Jan 13, 2012 12:54 am

Post by webpie it. » Sun Jan 15, 2012 4:31 pm

i'm with aresn, can someone with knowledge on this give some feedback??

cheers

Regards

Chris


Active Member

Posts

Joined
Mon Jan 31, 2011 7:28 pm

Post by adamanto75 » Tue Mar 13, 2012 7:41 am

How do I setup the .htpassword through my cpanel?

Newbie

Posts

Joined
Tue Mar 13, 2012 6:49 am

Post by eka7a » Thu Mar 15, 2012 1:39 am

Extra security to change the config.php file names.

index.php and admin/index.php in file

FIND
config.php

REPLACE
newfilename.php

and this two files name change as newfilename.php


User avatar
Active Member

Posts

Joined
Sun Apr 12, 2009 12:59 am
Location - Türkiye

Post by ozstar » Wed Apr 11, 2012 10:10 am

Hi,

I have 1.5.2.1

After this discussion and the first and second posts, is there a definitive htaccess file for the root category directory and/or any other directories which we should use?

Also noticed a htaccess to use in the image folders

Thank you.

oz

Active Member

Posts

Joined
Fri Mar 09, 2012 7:47 am
Location - Sydney OZ

Post by bobwhite » Fri Apr 20, 2012 2:00 am

Hi guys,
I am trying to implement some of the suggestions on my site and have question. There is line in config.php file from the root directory:
define('HTTP_ADMIN', 'http://localhost/example.com/admin/'); should I make changes to this line too?
to make it look like this: define('HTTP_NEW_ADMIN', 'http://localhost/example.com/new_admin/');
Another question is about .htaccess file, acording earlier posts should I put it in admin (new_admin), catalog, system and image folders?
One more question:
What does mean - "Create a map called "circkel" in your store root; Put a .htaccess file in there"? File .htaccess is already in the root directory, should I edit it or add new and how to reate map?
All comments and answers are greatly appresiated.
Thank you,
Bob

User avatar
New member

Posts

Joined
Thu Jan 26, 2012 8:20 am

Post by Nimitz1061 » Sat Apr 28, 2012 11:55 pm

ozstar wrote:Hi,

I have 1.5.2.1

After this discussion and the first and second posts, is there a definitive htaccess file for the root category directory and/or any other directories which we should use?

Also noticed a htaccess to use in the image folders

Thank you.

oz
The short answer is no.

Many of the techniques described above are not security measures, but obscurity measures. They're useful for what they're useful for, but that usefulness depends on introducing some random factors.

Here are a few potentially useful additions to the list...

I noticed no mention at all of applying an SSL certificate to the account. htpassword and the store admin authentication systems can both be rendered useless when used across an insecure connection. Providing this
security should be the store owners responsibility, because generally this certificate is a critical factor in establishing the trust necessary to drive conversion and a certificate which covers the admin is going to cover the cart as well.

File based access SSL coverage may be applied by the host, and the control panel's SSL coverage must be. Make sure you can use FTP over TLS for file access and that you do so. SFTP can be equally useful in securing the connection, but implies the presence of a shell account. This is generally more useful to a hacker than to a store owner and should be avoided if possible. If not, an alternative port should be used.

If your host uses the default SSL certificates provided by the control panel vendor to secure your control panel, or worse yet, none at all - ditch them. They're not serious about their business, and you can't be either as long as you are on their platform. Strongly consider moving if they allow access to insecure control panel pages even if they do have secure pages available.

Turn off every service you don't need, perl and front page in particular should not be activated.

Look for a host which will provide mod_security and a vulnerability scanner for all uploaded files (via ftp and across the web). These aren't substitutes for good coding in the cart (or any other application you use), but can help a lot in avoiding problems with unexpected attack vectors, and reducing effectiveness of certain types of malicious activities if you are cracked.

Make sure that virus scanning which includes your site files and email is provided on the server. Can prevent viruses and trojans from reaching you or your site, should reduce the work load on your local machine and is just good practice.

Make sure your local net and machine are secured. These are more frequently penetrated than most people think. Firewall the router, firewall each machine, and have anti-virus software on all of them. Encourage all your friends and neighbors to do the same. Bot-nets suck, and the site you save may be your own.

Avoid using free hosting for scripts and fonts. As far as your customers are concerned, your site is only as secure as theirs. The freebie saving you bandwidth today may cost you your butt tomorrow. Is it really worth it?


Anyway, hope someone fines something helpful in this list...

David

Specializing in secure Hosting 4 OpenCart based eCommerce websites.


New member

Posts

Joined
Sat Mar 24, 2012 7:49 pm
Location - United States

Post by Nimitz1061 » Sun Apr 29, 2012 12:08 am

bobwhite wrote:Hi guys,
I am trying to implement some of the suggestions on my site and have question. There is line in config.php file from the root directory:
define('HTTP_ADMIN', 'http://localhost/example.com/admin/'); should I make changes to this line too?
to make it look like this: define('HTTP_NEW_ADMIN', 'http://localhost/example.com/new_admin/');
Another question is about .htaccess file, acording earlier posts should I put it in admin (new_admin), catalog, system and image folders?
One more question:
What does mean - "Create a map called "circkel" in your store root; Put a .htaccess file in there"? File .htaccess is already in the root directory, should I edit it or add new and how to reate map?
All comments and answers are greatly appresiated.
Thank you,
Bob
Not entirely sure about the last question, but the answer to the first is NO.

The 'HTTP_ADMIN' in :

Code: Select all

define('HTTP_ADMIN', 'http://localhost/example.com/admin/');
is what is called a 'constant'. It is a 'handle' the programmer can use to access something which will vary from site
to site, but will almost always be the same once the application is installed.

That part of the definition should only be changed by application developers.

Should look something like:

Code: Select all

define('HTTP_ADMIN', 'http://localhost/example.com/new_admin/');
David

Specializing in secure Hosting 4 OpenCart based eCommerce websites.


New member

Posts

Joined
Sat Mar 24, 2012 7:49 pm
Location - United States
Who is online

Users browsing this forum: No registered users and 6 guests