Post by WileECoyote » Thu Oct 23, 2014 8:57 am

Our company is taking over development and support for an existing OpenCart 1.5.5.1 site and the current developer is unavailable and unresponsive to the owners of the website/business and has been for a few months. I am a well experienced .NET e-commerce developer, and this is our first real foray into PHP, MySQL, Unix/Linux, and OpenCart. I think my manager didn't realize quite what we were getting ourselves into before agreeing to take on this project. Suffice it to say, I am expected to figure this out and in short order.

We have the logins for the admin section of the site and for the hosting site itself, but we are unsure of where or if there is a section for developers similar to the admin section. We combed through the admin section and didn't find much that helped.

At this point, we need to know where the DB is located. In admin\config.php we see the settings for HTTP, HTTPS, DIR, and DB. The DB is defined as being in the \web\system\database\ folder, which I am sure is the default. There are 5 files in that folder, all of which are either 2k or empty, and they can't possibly be the DB files. Those files are:

- mssql.php 2k
- mysql.php 2k
- mysqli.php 2k
- pdo.php 0k
- postgre.php 2k


I have begun to read sections of this set of documentation:

http://docs.opencart.com/display/openca ... t+1.5+Home

In the Basic Security Practices section, there is mention of .htaccess and .htpasswd files in the admin folder, but we don't see them when we connect via FTP. My guess, and I apologize for being a Linux/Unix newbie, is that they are hidden and only available to connections from some defined IP addresses? If that is the case, then perhaps the DB files are also hidden.

Any help would be great as my manager wants me to get this figured out asap! Poor me!

Thx
Last edited by i2Paq on Thu Oct 23, 2014 8:50 pm, edited 1 time in total.
Reason: Title adjusted


Post by uksitebuilder » Thu Oct 23, 2014 3:02 pm

Those files you listed are simply database drivers.

To access your data, you should visit the web hosting control panel (most likely cPanel).

In there you will find a tool called phpMyAdmin which will allow you to view/edit the database entries.


Post by rph » Thu Oct 23, 2014 4:34 pm

In addition to what Simon said, OpenCart runs on MySQL for its database. The various files you saw were drivers for connecting to it. In 1.5.5.x the only driver that's functional is mysql.php (if you are using PHP 5.5 or later you'll need to backport the mysqli.php file from OpenCart 1.5.6).

.htaccess and .htpasswd files in admin are just additional security features. They're not strictly required to be implemented. I have some more developer-centered information up at http://wiki.opencarthelp.com .

-Ryan
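To make the two answers above concrete: the files in system/database are only driver classes, and the actual data lives on the MySQL server named by DB_HOSTNAME in config.php (with "localhost" meaning the same machine as the web server, under MySQL's own data directory, never inside the webroot). The script below is an added example, not OpenCart code and not something either poster wrote. It reads the DB_* constants out of an OpenCart-style config.php, reports which driver file is in use, and prepares a mysqldump invocation for taking a backup over the FTP-only access situation described in the thread. The config text, paths and credentials it contains are constructed placeholders; the password is written to a MySQL defaults file rather than passed on the command line so it does not appear in the process list.

```python
import re
from typing import Dict, List

# Constructed sample: the shape of an OpenCart 1.5.x admin/config.php.
# Every value below is a placeholder, not a real site's configuration.
SAMPLE_CONFIG = """<?php
// HTTP
define('HTTP_SERVER', 'http://www.example.com/admin/');
define('HTTP_CATALOG', 'http://www.example.com/');
// DIR
define('DIR_APPLICATION', '/var/www/web/admin/');
define('DIR_SYSTEM', '/var/www/web/system/');
// DB
define('DB_DRIVER', 'mysql');
define('DB_HOSTNAME', 'localhost');
define('DB_USERNAME', 'shop_user');
define('DB_PASSWORD', 'placeholder-p\\'ss');
define('DB_DATABASE', 'shop_db');
define('DB_PREFIX', 'oc_');
?>
"""

# Matches define('NAME', 'value'); with PHP single-quoted string escapes (\' and \\).
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)\s*;")

DB_KEYS = ("DB_DRIVER", "DB_HOSTNAME", "DB_USERNAME",
           "DB_PASSWORD", "DB_DATABASE", "DB_PREFIX")


def parse_php_defines(config_text: str) -> Dict[str, str]:
    """Return every define('NAME', 'value') constant as a dict, unescaping PHP
    single-quoted strings (only \\' and \\\\ are escapes in that syntax)."""
    return {name: re.sub(r"\\([\\'])", r"\1", value)
            for name, value in DEFINE_RE.findall(config_text)}


def db_settings(constants: Dict[str, str]) -> Dict[str, str]:
    """Extract the DB_* block, failing loudly if config.php is incomplete."""
    missing = [key for key in DB_KEYS if key not in constants]
    if missing:
        raise ValueError(f"config.php is missing {', '.join(missing)}")
    return {key: constants[key] for key in DB_KEYS}


def driver_file(constants: Dict[str, str]) -> str:
    """Path of the driver class OpenCart loads for DB_DRIVER (one of the small
    files the poster saw in system/database/)."""
    return f"{constants['DIR_SYSTEM']}database/{constants['DB_DRIVER']}.php"


def mysql_defaults_file(db: Dict[str, str]) -> str:
    """Contents for a mode-0600 defaults file passed via --defaults-extra-file,
    so the password never appears in `ps` output or shell history."""
    return (f"[client]\nhost={db['DB_HOSTNAME']}\n"
            f"user={db['DB_USERNAME']}\npassword={db['DB_PASSWORD']}\n")


def mysqldump_argv(db: Dict[str, str], defaults_path: str, out_path: str) -> List[str]:
    """Argument vector for a consistent InnoDB dump of the store database.
    --single-transaction avoids locking the live shop during the backup."""
    return ["mysqldump", f"--defaults-extra-file={defaults_path}",
            "--single-transaction", f"--result-file={out_path}",
            db["DB_DATABASE"]]


if __name__ == "__main__":
    constants = parse_php_defines(SAMPLE_CONFIG)
    db = db_settings(constants)
    print("driver in use:", driver_file(constants))
    print("MySQL server :", db["DB_HOSTNAME"], "database:", db["DB_DATABASE"])
    print(" ".join(mysqldump_argv(db, "/root/.oc-backup.cnf", "/root/shop.sql")))
```

On a real host, read config.php from the FTP download, write the defaults file with restrictive permissions, run the resulting command on the database host (or with -h pointing at it if remote connections are allowed), and store the dump somewhere outside the webroot.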

Post by WileECoyote » Fri Oct 24, 2014 1:22 am

Thanks to both of you, that helps a lot. We are going to see if the dev'r will give us the hosting site login info, all we have is the ftp login so far.

One of the issues that the company has with the site is the results of a Trustwave vulnerability scan. There are several vulnerabilities noted, mostly having to do with "Unsupported version of Nginx Detected". I think this is a reverse proxy server and we must get it updated or addressed somehow. My guess is that it is something that the hosting company manages? Do you guys have any ideas on this one?

Thx


Post by WileECoyote » Fri Oct 24, 2014 1:28 am

On that Trustwave vulnerability scan report there are also these items:

- nginx Request Line Parsing Vulnerability, CVE-2013-4547, high severity, 7.50 CVSS score
- OpenSSL ChangeCipherSpec Man in the Middle, medium severity, 6.80 CVSS score
- nginx HTTP Server memory disclosure via HTTP backend responses, CVE-2013-2070, medium severity, 5.80 CVSS score
- HTTP Server Overlapping Byte-Range Denial of Service, CVE-2011-3192, high severity, 7.80 CVSS score

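Once the hosting company says the server has been patched, the cheapest way to confirm the two nginx findings above are really gone is to look at the version the server announces and compare it with the first fixed release on that branch. The script below is an added example, not part of this thread and not Trustwave's or nginx's code; the fixed-in releases come from the nginx security advisories page (http://nginx.org/en/security_advisories.html) and should be re-checked there. The HTTP responses are constructed samples. It only covers the two nginx CVEs on the page: the OpenSSL ChangeCipherSpec and byte-range items are not visible in a Server header and need their own checks, and a host that has turned off server_tokens (or a proxy in front of nginx) will hide the version, in which case the result is "unknown", not "fixed".

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# First fixed release on the mainline and on the stable branch, per the nginx
# security advisories. Assumed correct at time of writing; verify before use.
NGINX_ADVISORIES = {
    "CVE-2013-4547": ("request line parsing", ((1, 5, 7), (1, 4, 4))),
    "CVE-2013-2070": ("memory disclosure via HTTP backend responses",
                      ((1, 5, 0), (1, 4, 1))),
}

# Constructed sample responses (not captured from any real host).
RESPONSE_OLD = ("HTTP/1.1 200 OK\r\nServer: nginx/1.4.2\r\n"
                "Content-Type: text/html\r\n\r\n<html></html>")
RESPONSE_PATCHED = ("HTTP/1.1 200 OK\r\nServer: nginx/1.4.4\r\n"
                    "Content-Type: text/html\r\n\r\n<html></html>")
RESPONSE_HIDDEN = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                   "Content-Type: text/html\r\n\r\n<html></html>")
RESPONSE_OTHER = ("HTTP/1.1 200 OK\r\nServer: Apache/2.2.22\r\n"
                  "Content-Type: text/html\r\n\r\n<html></html>")


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def server_header(raw_response: str) -> Optional[str]:
    """Value of the Server header in a raw HTTP response, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def is_fixed(version: Version, fixed_releases: Tuple[Version, ...]) -> bool:
    """True when `version` is at or past the fix on its own major.minor branch.
    A branch without its own fix entry counts as fixed only if it is newer than
    every listed fix (so 1.6.0 is fixed for a 1.5.7/1.4.4 advisory, 1.3.9 is
    not). Versions older than all entries are treated as vulnerable, which also
    matches the scanner's "unsupported version" finding."""
    for fixed in fixed_releases:
        if version[:2] == fixed[:2]:
            return version >= fixed
    return version >= max(fixed_releases)


def assess(raw_response: str) -> Dict[str, object]:
    """Map a response to {nginx, version, vulnerable, note} for the page's CVEs."""
    value = server_header(raw_response) or ""
    match = re.match(r"nginx(?:/(\d+(?:\.\d+)+))?", value, re.IGNORECASE)
    if not match:
        return {"nginx": False, "version": None, "vulnerable": [],
                "note": f"Server header {value!r} is not nginx; check the actual front end"}
    if not match.group(1):
        return {"nginx": True, "version": None, "vulnerable": [],
                "note": "version hidden (server_tokens off or proxied); ask the host"}
    version = parse_version(match.group(1))
    vulnerable = sorted(cve for cve, (_, fixed) in NGINX_ADVISORIES.items()
                        if not is_fixed(version, fixed))
    note = ("all listed nginx advisories fixed" if not vulnerable
            else "still affected: " + ", ".join(
                f"{cve} ({NGINX_ADVISORIES[cve][0]})" for cve in vulnerable))
    return {"nginx": True, "version": version, "vulnerable": vulnerable, "note": note}


if __name__ == "__main__":
    for sample in (RESPONSE_OLD, RESPONSE_PATCHED, RESPONSE_HIDDEN, RESPONSE_OTHER):
        print(assess(sample))
```

Feed it the raw response from a HEAD request against the site (for example captured with curl -i) and keep the output with the hosting ticket; a hidden version is a reason to ask the host for the installed package version rather than a pass.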

Post by aelgate3 » Fri Oct 24, 2014 1:45 am

The only thing I can help you with is this. I had a project with vulnerabilities (not an OpenCart project) but I didn't have a lot of time to fix it.
Those vulnerabilities need to be fixed by your hosting company (but they don't have to do it).
My recommendation is to move to webhosting.uk.com as I did. They care a lot about PCI compliance.
Otherwise, if the server is on a shared hosting account, the hosting company will not help you.
Of those vulnerabilities you mention, some of them maybe just need an update and will get fixed. As I mentioned, most companies don't provide PCI Compliance support.
GoDaddy, for example, which is a big company, doesn't provide it.
HostGator provides it but they are slow....
I recommend webhosting.uk.com. I had a deadline of 5 days. I had more than 20 errors and it was more than one month of work, and webhosting.uk.com helped me a lot.


Post by WileECoyote » Fri Oct 24, 2014 1:48 am

Thank you so much. I have left a voice mail with the hosting company and hope they will get back to us. I figured these were issues that the hosting company needed to address. It is a shame that GoDaddy doesn't support PCI Compliance...


Post by aelgate3 » Fri Oct 24, 2014 2:51 am

It's not about GoDaddy. I will explain to you why they don't support it and you will understand.

All the servers (shared) DON'T HAVE TO BE UPDATED to the latest servers to be PCI compliant.

So you can't say it's a shame for a hosting company that they don't provide PCI compliance.

I was searching for a long time. The only cheap shared servers that provide this support are HostGator and a company with the name webhosting.uk.com.

Other companies will recommend you to move to a VPS / dedicated server, but if you don't know how to configure a server and you have to find someone to do it, it's very expensive.

Some companies spend more than 15.000 EUROS per year to be PCI compliant and maintain their own servers.

PCI Compliance is a complicated thing. So you don't have to say GoDaddy is not good because they don't offer it.

If you buy a VPS server from GoDaddy and you pay 100-150 euros per month and ask for help, they will provide it to you, but for cheap shared hosting it's very difficult to find a company.

Here is the link for HostGator:

http://support.hostgator.com/articles/p ... -compliant

*If you buy from here or from webhosting.uk.com, IT DOESN'T MEAN THAT WHEN YOU RUN THE SCAN YOU WILL PASS IT.
Maybe they will find 2-3 faults and you will need to contact the hosting company.


Post by rph » Fri Oct 24, 2014 5:00 pm

WileECoyote wrote:
Thanks to both of you, that helps a lot. We are going to see if the dev'r will give us the hosting site login info, all we have is the ftp login so far.

One of the issues that the company has with the site is the results of a Trustwave vulnerability scan. There are several vulnerabilities noted, mostly having to do with "Unsupported version of Nginx Detected". I think this is a reverse proxy server and we must get it updated or addressed somehow. My guess is that it is something that the hosting company manages? Do you guys have any ideas on this one?

Thx

If you can't get the login info you can always use a stand-alone script like phpMiniAdmin to dump the database (OpenCart's internal backup isn't really adequate for the job). phpMiniAdmin isn't particularly pretty software but it gets the job done in a pinch.

Nginx is an HTTP server. OpenCart is technically designed for Apache but it'll run on Nginx. I'm going to disagree with the other advice on PCI compliance. Your scanner is disclosing high severity vulnerabilities, some years old. They need to be addressed immediately. Unless you're on a self-managed VPS or dedicated server this is something the hosting company should absolutely be taking care of.

-Ryan
