Post by kess78 » Tue Aug 09, 2011 12:28 am

Dear Daniel,
first of all THANK YOU A LOT for the hard work you do for free !!!

I'd like to submit this request because of a little "security issue".
It would be nice if you could entirely hide the version of the installed OpenCart under http://www.mysite.com/admin
The version should be shown only to logged on administrators and not to the entire world.

Thank you for your attention.
Bye Kess.

Newbie

Posts

Joined
Tue Aug 09, 2011 12:22 am

Post by SapporoGuy » Tue Aug 09, 2011 4:23 am

You shouldn't even be allowing the world to see your admin page :o :o :o

Hiding the version number is not really going to help with security. A script kiddie is going to hack away if it is version 0.1 or 3.9 !

930sc ... because it is fun!


User avatar
Active Member

Posts

Joined
Mon Nov 01, 2010 7:29 pm

Post by rph » Tue Aug 09, 2011 8:28 am

SapporoGuy wrote:You shouldn't even be allowing the world to see your admin page :o :o :o
It shows up in the admin log-in screen which anyone can get to on a default installation. The best thing is to rename the admin folder. I have a tutorial on it I'll try to finish up and post later tonight.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by SapporoGuy » Tue Aug 09, 2011 2:06 pm

That is step 1. Still more to take.

930sc ... because it is fun!


User avatar
Active Member

Posts

Joined
Mon Nov 01, 2010 7:29 pm

Post by rph » Tue Aug 09, 2011 3:59 pm

Yes, don't make that change on its own. There are several more steps. A quick solution would be to password protect the directory with .htaccess.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by SapporoGuy » Tue Aug 09, 2011 7:37 pm

BINGO! step 2!

Actually, that is a huge key that people just don't realize .... :-\

Actually, somebody here did a write up on how to take care of some of these problems. I just don't remember the thread. However, they also went into doing some changes in htaccess to protect directories and stuff like that.

It's a shame that Daniel is so happy to work in the confines of his code or else opencart could even be that much more securer. Having complained about that, he has done a pretty dam good job on what is possible within those confines.

930sc ... because it is fun!


User avatar
Active Member

Posts

Joined
Mon Nov 01, 2010 7:29 pm

Post by Xsecrets » Tue Aug 09, 2011 7:51 pm

SapporoGuy wrote:BINGO! step 2!

Actually, that is a huge key that people just don't realize .... :-\

Actually, somebody here did a write up on how to take care of some of these problems. I just don't remember the thread. However, they also went into doing some changes in htaccess to protect directories and stuff like that.

It's a shame that Daniel is so happy to work in the confines of his code or else opencart could even be that much more securer. Having complained about that, he has done a pretty dam good job on what is possible within those confines.
I don't get the paranoia there are no known security vulnerabilities in opencart. By changing the admin folder name you are guaranteed to have to have to change every single mod you want to use, and who needs the pain of entering two passwords particularly given how weak http auth is?

OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter


Guru Member

Posts

Joined
Sun Oct 25, 2009 3:51 am
Location - FL US

Post by rph » Tue Aug 09, 2011 8:51 pm

Xsecrets wrote:I don't get the paranoia there are no known security vulnerabilities in opencart. By changing the admin folder name you are guaranteed to have to have to change every single mod you want to use
Yes, this can be an issue if an extension is poorly designed and doesn't make use of the HTTPS_SERVER constant like it should. And it'll always be an issue for any admin VQMods.

But I don't consider it paranoia for a couple reasons:
1) No known security vulnerabilities is not the same as no security vulnerabilities. Making changes like this helps protect your store from that all important time between when a vulnerability is discovered and when it's patched.
2) OpenCart has nothing in place to limit log in attempts or enforce password strength requirements. Anyone can go to the admin page and start pounding away with the default admin account. It's a small security issue based on how slow such an attack would be but it's still there.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by rph » Wed Aug 10, 2011 1:57 pm

For the paranoiacs out there I've put together a short guide to nine changes to improve OpenCart security.

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by madimar » Wed Aug 10, 2011 2:48 pm

Great article rph!

Sent from my Desire HD using Tapatalk

-----------------------------------------------------------------------
My last mods: Partita IVA e CF | Pro EU VAT Number | Sales Agents | Pricelist Pro
-----------------------------------------------------------------------


User avatar
Active Member

Posts

Joined
Thu Sep 24, 2009 6:27 pm


Post by SapporoGuy » Thu Aug 11, 2011 12:57 am

Xsecrets wrote: I don't get the paranoia there are no known security vulnerabilities in opencart. By changing the admin folder name you are guaranteed to have to have to change every single mod you want to use, and who needs the pain of entering two passwords particularly given how weak http auth is?
1.) Paranoia is your best friend ;D
2.) No known security vulnerabilities could be that nobody has bothered telling people here that they exist, read a few blogs here and there and I can see why :-\
3.) http auth may be weak but it still is another hurdle to go through.

opencart is a commerce solution it is NOT a forum or a blog. Money is being exchanged and people sign up with their "real" information and that burden goes on to the shop owner who is trusting the software that they use.

People are always taking the piss out of mac users because they believe that their machine is safe from trojans and viruses. This is the same type of argument here. Security is an issue.

930sc ... because it is fun!


User avatar
Active Member

Posts

Joined
Mon Nov 01, 2010 7:29 pm

Post by butte » Fri Apr 05, 2013 1:32 pm

As the longstanding joke goes, "Just because you're paranoid doesn't mean that nobody is out to get you."

Securing the admin/ directory with .ht* (there are several) not only interposes an additional log-in (which even automated hackers will not enjoy slowing them down), but also interposes a slower-cycling one in the same stroke (which even automated hackers will enjoy even less), before by raw chance anyone unauthorized might reach the administrative log-in. The server's challenge when failed takes longer to think and replant the log-in than occurs with the administrative log-in. Just be sure to have TWO user-pass pairs, in order to reduce the odds of unauthorized access.

And rph's http://opencarthelp.com/a/?q=improve-opencart-security succinctly spells out cookbook steps.

Hackers can easily obtain the documentation showing in considerable detail how carts, forums, blogs, name it (including routers), work. Reset user/pass defaults as a general rule, not just in OC.

Another aspect, limiting numbers of log-in attempts, was raised as to customers and applies to administrators. See
http://forum.opencart.com/viewtopic.php ... 55#p395655
among others.

Guru Member

Posts

Joined
Wed Mar 20, 2013 6:58 am
Who is online

Users browsing this forum: No registered users and 5 guests