OpenCart Community

I go through from your post its really so interesting and very knowledgeable..But actually I don't understand what to say exactly..But still nice content..

Can someone help me here please thought id change the name of the admin folder, so changed it to secure_admin

I then went in secure_admin/config.php and changed this -

<?php
// HTTP
define('HTTP_SERVER', 'https://www.mysite.co.uk/secure_admin/');
define('HTTP_CATALOG', 'https://www.mysite.co.uk/');
define('HTTP_IMAGE', 'https://www.mysite.co.uk/image/');

// HTTPS
define('HTTPS_SERVER', 'https://www.mysite.co.uk/secure_admin/');
define('HTTPS_IMAGE', 'https://www.mysite.co.uk/image/');

But i am just getting a blank page now when i got to

www.mysite.co.uk/secure_admin/

What am I doing wrong Thanks

that should be all you need to do.

That's what I thought but wondered if i had done something wrong, I even cleared my cookies etc but still had a blank page, is there away for me to clear the cache...

Thanks

Well I tried to rename the admin folder and then update the admin/config.php
But still getting a blank page afterwards, how strange is this.........I also have an xcart site and done this without any problems at all, Could this be a problem with the latest version or have others managed to do this with our problems..

Thanks

MORE INFO..........Ive just looked at the log and the only error I can really see is -

2011-12-18 22:29:10 - PHP Notice: Error: Could not load language english! in /home/puretabo/public_html/vqmod/vqcache/vq2-system_library_language.php on line 27

Could this be a cause??

Ok ive managed to sort this now there were 5 lines I had to change, thought their were only two -

<?php
// HTTP
define('HTTP_SERVER', 'https://www.mysite.co.uk/secured_admin/');


// HTTPS
define('HTTPS_SERVER', 'https://www.mysite.co.uk/secure_admin/');


// DIR
define('DIR_APPLICATION', '/home/mysite/public_html/secure_admin/');

define('DIR_LANGUAGE', '/home/mysite/public_html/secured_admin/language/');
define('DIR_TEMPLATE', '/home/mysite/public_html/secured_admin/view/template/');

I changed session.php and startup.php to make the session cookie httponly.
session_set_cookie_params(0, '/', NULL,NUll,true);

This will make XSS attacks much harder to pull off. for further information please have a look at http://www.codinghorror.com/blog/2008/0 ... ponly.html

aresn wrote:I changed session.php and startup.php to make the session cookie httponly.
session_set_cookie_params(0, '/', NULL,NUll,true);

This will make XSS attacks much harder to pull off. for further information please have a look at http://www.codinghorror.com/blog/2008/0 ... ponly.html

Can any of the mods confirm the above comment is worth doing?

Thanks

aresn wrote:I changed session.php and startup.php to make the session cookie httponly.
session_set_cookie_params(0, '/', NULL,NUll,true);

This will make XSS attacks much harder to pull off. for further information please have a look at http://www.codinghorror.com/blog/2008/0 ... ponly.html

This is interesting.. we've been looking for a better way to handle that cookie domain issue so I will look into this

Much appreciated Q! Please keep us posted as this is very interesting.

I think adding the httponly flag to the cookies is a must. It's harmless since from what I can see there is no place where in opencart, a javascript code access the session id cookie. Also to prevent session hijacking I'm thinking about creating two session ID cookies, here is my strategy, let me know what you think.

When a user login, the login page is ssl secure, two cookies will be set. one for secure pages such as account and checkout, and one for all the pages (secure and non-secure). set the secure session cookie to transmit only on secure pages. in non secure pages, check the non-secure cookie to identify the customer. the customer can add products to shopping card , or write reviews. In secure pages check both cookies to identify the customer.

the reason I'm adding the second ssl-secured session identifier cookie is because the ssl-secured can not be easily hijacked due to ssl-encryption.

I actually got the idea from here (under session management) :
http://publib.boulder.ibm.com/infocente ... ymodel.htm

let me know what you think.

Thank you

So I'm posting my algorithm and my code here in case somebody wanted to improve it

Hash of a random number gets created when the client login. This hash code gets stored in two places. A secured cookie on clients computer and in $session . This secure cookie expires with the session cookie. In secure pages such as checkout and account the secure cookie gets compared with the value in $session, if they were both equal each other ,the customer gets authorized to see the page otherwise it gets redirected to the login page.

without the secure cookie an attacker potentially can hijack the session and access the clients account, but since the secured cookie only gets transferred on a secure connection , the attacker doesn't have access to it, even if somebody steal the session cookie they still need the secured cookie to access the sensitive pages.

and here is my code.
I added these lines to login() customer.php in library
added these lines in account.php in controller
I know there is a better way but I was lazy hope someone else can clean up the code

no comments from anyone ? I expected a huge discussion, concerning session hijacking in opencart. Not even bashing my code ? I'm surprised Since anyone sniffing the connection wont bother with username or password when stealing the session cookie will do the job and opencart at its current state is vulnerable to session hijacking. Even with ssl connection on account and checkout page, all a hacker has to do is get the session cookie on non ssl protect pages and use it. Maybe I'm missing something here. anyone care to comment ?

link to wiki for session hijacking : http://en.wikipedia.org/wiki/Session_hijacking
and http://en.wikipedia.org/wiki/HTTP_cooki ... _hijacking

i'm with aresn, can someone with knowledge on this give some feedback??

cheers

How do I setup the .htpassword through my cpanel?

Extra security to change the config.php file names.

index.php and admin/index.php in file

FIND
config.php

REPLACE
newfilename.php

and this two files name change as newfilename.php

Hi,

I have 1.5.2.1

After this discussion and the first and second posts, is there a definitive htaccess file for the root category directory and/or any other directories which we should use?

Also noticed a htaccess to use in the image folders

Thank you.

oz

Hi guys,
I am trying to implement some of the suggestions on my site and have question. There is line in config.php file from the root directory:
define('HTTP_ADMIN', 'http://localhost/example.com/admin/'); should I make changes to this line too?
to make it look like this: define('HTTP_NEW_ADMIN', 'http://localhost/example.com/new_admin/');
Another question is about .htaccess file, acording earlier posts should I put it in admin (new_admin), catalog, system and image folders?
One more question:
What does mean - "Create a map called "circkel" in your store root; Put a .htaccess file in there"? File .htaccess is already in the root directory, should I edit it or add new and how to reate map?
All comments and answers are greatly appresiated.
Thank you,
Bob

ozstar wrote:Hi,

I have 1.5.2.1

After this discussion and the first and second posts, is there a definitive htaccess file for the root category directory and/or any other directories which we should use?

Also noticed a htaccess to use in the image folders

Thank you.

oz

The short answer is no.

Many of the techniques described above are not security measures, but obscurity measures. They're useful for what they're useful for, but that usefulness depends on introducing some random factors.

Here are a few potentially useful additions to the list...

I noticed no mention at all of applying an SSL certificate to the account. htpassword and the store admin authentication systems can both be rendered useless when used across an insecure connection. Providing this
security should be the store owners responsibility, because generally this certificate is a critical factor in establishing the trust necessary to drive conversion and a certificate which covers the admin is going to cover the cart as well.

File based access SSL coverage may be applied by the host, and the control panel's SSL coverage must be. Make sure you can use FTP over TLS for file access and that you do so. SFTP can be equally useful in securing the connection, but implies the presence of a shell account. This is generally more useful to a hacker than to a store owner and should be avoided if possible. If not, an alternative port should be used.

If your host uses the default SSL certificates provided by the control panel vendor to secure your control panel, or worse yet, none at all - ditch them. They're not serious about their business, and you can't be either as long as you are on their platform. Strongly consider moving if they allow access to insecure control panel pages even if they do have secure pages available.

Turn off every service you don't need, perl and front page in particular should not be activated.

Look for a host which will provide mod_security and a vulnerability scanner for all uploaded files (via ftp and across the web). These aren't substitutes for good coding in the cart (or any other application you use), but can help a lot in avoiding problems with unexpected attack vectors, and reducing effectiveness of certain types of malicious activities if you are cracked.

Make sure that virus scanning which includes your site files and email is provided on the server. Can prevent viruses and trojans from reaching you or your site, should reduce the work load on your local machine and is just good practice.

Make sure your local net and machine are secured. These are more frequently penetrated than most people think. Firewall the router, firewall each machine, and have anti-virus software on all of them. Encourage all your friends and neighbors to do the same. Bot-nets suck, and the site you save may be your own.

Avoid using free hosting for scripts and fonts. As far as your customers are concerned, your site is only as secure as theirs. The freebie saving you bandwidth today may cost you your butt tomorrow. Is it really worth it?


Anyway, hope someone fines something helpful in this list...

David

bobwhite wrote:Hi guys,
I am trying to implement some of the suggestions on my site and have question. There is line in config.php file from the root directory:
define('HTTP_ADMIN', 'http://localhost/example.com/admin/'); should I make changes to this line too?
to make it look like this: define('HTTP_NEW_ADMIN', 'http://localhost/example.com/new_admin/');
Another question is about .htaccess file, acording earlier posts should I put it in admin (new_admin), catalog, system and image folders?
One more question:
What does mean - "Create a map called "circkel" in your store root; Put a .htaccess file in there"? File .htaccess is already in the root directory, should I edit it or add new and how to reate map?
All comments and answers are greatly appresiated.
Thank you,
Bob

Not entirely sure about the last question, but the answer to the first is NO.

The 'HTTP_ADMIN' in :
is what is called a 'constant'. It is a 'handle' the programmer can use to access something which will vary from site
to site, but will almost always be the same once the application is installed.

That part of the definition should only be changed by application developers.

Should look something like:
David