Hide OpenCart Version in Admin Section
Posted: Tue Aug 09, 2011 12:28 am
by kess78
Dear Daniel,
first of all, THANK YOU A LOT for the hard work you do for free!!!
I'd like to submit this request because of a little "security issue".
It would be nice if you could entirely hide the version of the installed OpenCart under
http://www.mysite.com/admin
The version should be shown only to logged on administrators and not to the entire world.
Thank you for your attention.
Bye Kess.
Re: Hide OpenCart Version in Admin Section
Posted: Tue Aug 09, 2011 4:23 am
by SapporoGuy
You shouldn't even be allowing the world to see your admin page.
Hiding the version number is not really going to help with security. A script kiddie is going to hack away whether it is version 0.1 or 3.9!
Re: Hide OpenCart Version in Admin Section
Posted: Tue Aug 09, 2011 8:28 am
by rph
It shows up in the admin log-in screen which anyone can get to on a default installation. The best thing is to rename the admin folder. I have a tutorial on it I'll try to finish up and post later tonight.
Re: Hide OpenCart Version in Admin Section
Posted: Tue Aug 09, 2011 2:06 pm
by SapporoGuy
That is step 1. Still more to take.
Re: Hide OpenCart Version in Admin Section
Posted: Tue Aug 09, 2011 3:59 pm
by rph
Yes, don't make that change on its own. There are several more steps. A quick solution would be to password protect the directory with .htaccess.
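Added example (not from the thread, and not OpenCart's own code): the kind of .htaccess rph is suggesting, dropped into the (renamed) admin directory so Apache demands HTTP Basic credentials before it will even serve the OpenCart login form. The realm name, the password-file path and the Apache 2.4 `Require` syntax are assumptions; the directory must have `AllowOverride AuthConfig` (or `All`) in the server or vhost config, otherwise these directives are silently ignored.

```apacheconf
# Added example, not OpenCart code. Placed as <admin-dir>/.htaccess.
# Assumes Apache 2.4 and AllowOverride AuthConfig for this directory.
AuthType Basic
AuthName "Restricted"
# Keep the credential file OUTSIDE the document root so it can never be
# fetched over HTTP, whatever else goes wrong with the server config.
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# Belt and braces: never serve .ht* files from this directory, in case the
# global config does not already block them.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

Create the password file with `htpasswd -B -c /var/www/private/.htpasswd <user>` (`-B` selects bcrypt; drop `-c` when adding a second user to an existing file). Two caveats a practitioner should keep in mind: Basic auth only base64-encodes the credentials, so this is only worth anything if the admin directory is served exclusively over HTTPS, and it is a hurdle in front of the OpenCart login, not a replacement for a strong admin password.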
Re: Hide OpenCart Version in Admin Section
Posted: Tue Aug 09, 2011 7:37 pm
by SapporoGuy
BINGO! step 2!
Actually, that is a huge key that people just don't realize ....
Actually, somebody here did a write up on how to take care of some of these problems. I just don't remember the thread. However, they also went into doing some changes in htaccess to protect directories and stuff like that.
It's a shame that Daniel is so happy to work in the confines of his code, or else OpenCart could be that much more secure. Having complained about that, he has done a pretty damn good job on what is possible within those confines.
Re: Hide OpenCart Version in Admin Section
Posted: Tue Aug 09, 2011 7:51 pm
by Xsecrets
SapporoGuy wrote: BINGO! step 2!
Actually, that is a huge key that people just don't realize ....
Actually, somebody here did a write up on how to take care of some of these problems. I just don't remember the thread. However, they also went into doing some changes in htaccess to protect directories and stuff like that.
It's a shame that Daniel is so happy to work in the confines of his code, or else OpenCart could be that much more secure. Having complained about that, he has done a pretty damn good job on what is possible within those confines.
I don't get the paranoia; there are no known security vulnerabilities in OpenCart. By changing the admin folder name you are guaranteed to have to change every single mod you want to use, and who needs the pain of entering two passwords, particularly given how weak HTTP auth is?
Re: Hide OpenCart Version in Admin Section
Posted: Tue Aug 09, 2011 8:51 pm
by rph
Xsecrets wrote: I don't get the paranoia; there are no known security vulnerabilities in OpenCart. By changing the admin folder name you are guaranteed to have to change every single mod you want to use
Yes, this can be an issue if an extension is poorly designed and doesn't make use of the HTTPS_SERVER constant like it should. And it'll always be an issue for any admin VQMods.
But I don't consider it paranoia for a couple reasons:
1) No known security vulnerabilities is not the same as no security vulnerabilities. Making changes like this helps protect your store from that all important time between when a vulnerability is discovered and when it's patched.
2) OpenCart has nothing in place to limit login attempts or enforce password strength requirements. Anyone can go to the admin page and start pounding away at the default admin account. It's a small security issue, given how slow such an attack would be, but it's still there.
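Added example (my code, not OpenCart's and not from the thread) of the two controls rph says the stock admin login lacks: a failed-attempt limiter keyed on client address plus username, and a minimal password-strength check. The storage path, the limits (5 failures per 15 minutes), the blacklist and the hook point are all assumptions; in a real deployment the throttle would be consulted before the admin login controller verifies the password, and updated after it. Assumes PHP 7.4 or newer.

```php
<?php
// Added example, not OpenCart code: login-attempt limiting and a password
// policy for an admin login. Limits, file path and blacklist are assumptions.

final class LoginThrottle
{
    private string $file;
    private int $maxAttempts;
    private int $windowSeconds;

    public function __construct(string $file, int $maxAttempts = 5, int $windowSeconds = 900)
    {
        $this->file = $file;
        $this->maxAttempts = $maxAttempts;
        $this->windowSeconds = $windowSeconds;
    }

    private function load(): array
    {
        if (!is_file($this->file)) {
            return [];
        }
        $data = json_decode((string) file_get_contents($this->file), true);
        return is_array($data) ? $data : [];
    }

    private function save(array $data): void
    {
        // Write to a temp file and rename so a crash never leaves a truncated store.
        $tmp = $this->file . '.tmp';
        file_put_contents($tmp, json_encode($data), LOCK_EX);
        rename($tmp, $this->file);
    }

    // Key on address AND username: per-address alone is trivially spread over
    // many hosts, per-username alone lets anyone lock the real admin out.
    private function key(string $ip, string $username): string
    {
        return hash('sha256', $ip . '|' . strtolower($username));
    }

    // Only failures inside the sliding window count.
    private function recentFailures(array $data, string $k, int $now): array
    {
        $cutoff = $now - $this->windowSeconds;
        return array_values(array_filter($data[$k] ?? [], fn(int $t) => $t > $cutoff));
    }

    public function isLocked(string $ip, string $username, ?int $now = null): bool
    {
        $now = $now ?? time();
        $recent = $this->recentFailures($this->load(), $this->key($ip, $username), $now);
        return count($recent) >= $this->maxAttempts;
    }

    public function recordFailure(string $ip, string $username, ?int $now = null): void
    {
        $now = $now ?? time();
        $data = $this->load();
        $k = $this->key($ip, $username);
        $recent = $this->recentFailures($data, $k, $now);
        $recent[] = $now;
        $data[$k] = $recent;
        $this->save($data);
    }

    public function recordSuccess(string $ip, string $username): void
    {
        $data = $this->load();
        unset($data[$this->key($ip, $username)]);
        $this->save($data);
    }
}

// Against online guessing, length matters most; the blacklist catches the
// default and the handful of values every scanner tries first.
function passwordIsStrong(string $password): bool
{
    $tooCommon = ['admin', 'password', 'opencart', '123456', 'qwerty'];
    if (in_array(strtolower($password), $tooCommon, true)) {
        return false;
    }
    return strlen($password) >= 12;
}

// Constructed usage: an attacker hammering the default "admin" account from
// one address (203.0.113.7 is a documentation range, chosen for the example).
$throttle = new LoginThrottle(sys_get_temp_dir() . '/oc_login_attempts.json', 5, 900);
$ip = '203.0.113.7';
$t0 = 1700000000;
for ($i = 0; $i < 5; $i++) {
    $throttle->recordFailure($ip, 'admin', $t0 + $i);
}
var_dump($throttle->isLocked($ip, 'admin', $t0 + 10));   // locked inside the window
var_dump($throttle->isLocked($ip, 'admin', $t0 + 2000)); // window expired
var_dump(passwordIsStrong('admin'));
var_dump(passwordIsStrong('correct horse battery staple'));
```

The intended flow is: call `isLocked()` before checking the password and reject immediately if it returns true; call `recordFailure()` on a bad password and `recordSuccess()` on a good one. A file store is fine for a single-server shop but should become a database table or shared cache once there is more than one web node.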
Re: Hide OpenCart Version in Admin Section
Posted: Wed Aug 10, 2011 1:57 pm
by rph
For the paranoiacs out there I've put together a short guide to nine changes to improve OpenCart security.
Re: Hide OpenCart Version in Admin Section
Posted: Wed Aug 10, 2011 2:48 pm
by madimar
Great article rph!
Re: Hide OpenCart Version in Admin Section
Posted: Thu Aug 11, 2011 12:57 am
by SapporoGuy
Xsecrets wrote: I don't get the paranoia; there are no known security vulnerabilities in OpenCart. By changing the admin folder name you are guaranteed to have to change every single mod you want to use, and who needs the pain of entering two passwords, particularly given how weak HTTP auth is?
1.) Paranoia is your best friend.
2.) "No known security vulnerabilities" could mean that nobody has bothered telling people here that they exist; read a few blogs here and there and I can see why.
3.) HTTP auth may be weak, but it is still another hurdle to go through.
OpenCart is a commerce solution; it is NOT a forum or a blog. Money is being exchanged and people sign up with their "real" information, and that burden goes on to the shop owner who is trusting the software that they use.
People are always taking the piss out of Mac users because they believe that their machine is safe from trojans and viruses. This is the same type of argument here. Security is an issue.
Re: Hide OpenCart Version in Admin Section
Posted: Fri Apr 05, 2013 1:32 pm
by butte
As the longstanding joke goes, "Just because you're paranoid doesn't mean that nobody is out to get you."
Securing the admin/ directory with .ht* files (there are several) not only interposes an additional log-in (which even automated hackers will not enjoy, since it slows them down), but also interposes a slower-cycling one in the same stroke (which automated hackers will enjoy even less), before by raw chance anyone unauthorized might reach the administrative log-in. The server's challenge, when failed, takes longer to think and replant the log-in than the administrative log-in does. Just be sure to have TWO user-pass pairs, in order to reduce the odds of unauthorized access.
And rph's http://opencarthelp.com/a/?q=improve-opencart-security succinctly spells out cookbook steps.
Hackers can easily obtain the documentation showing in considerable detail how carts, forums, blogs, you name it (including routers), work. Reset user/pass defaults as a general rule, not just in OC.
Another aspect, limiting the number of log-in attempts, was raised as to customers and applies to administrators. See
http://forum.opencart.com/viewtopic.php ... 55#p395655
among others.