WenzlerPaul
6-11-03, 04:29 AM
This is an advisory for osCommerce users regarding security, since the Powweb service automatically gives writable permission to any subscriber. It can present a vulnerability to some people using the tool.
The complete catalog includes an admin directory that is equipped with a File Manager under the Tools which can directly write files to the server without going through any FTP or Shell tool.
You will need to protect such a directory (admin) with .htaccess so it will not be accessible to anyone. A good reference for this is at this link: http://support.powweb.com/tutorials/passwordprotection.php
Another thing you might need to consider is that the Powweb service is not set up to recognize default.php as a directory index and is capable of listing your directory content when an index.htm, index.html or index.php is not found. This also presents a security risk. One way of working around this is by placing another .htaccess in the htdocs directory with an override option for DirectoryIndex, including default.php as one of your startup files.
A complete walk through is at the bottom:
Step 1
Create a directory/folder inside your FTP space called ETC or any folder name you wish to call it (this will contain the .htpasswd file).
Step 2
Create an .htaccess for your admin directory (refer to the link above) or look at the code below.
AuthUserFile /www/u/username/.htpasswd
AuthGroupFile /dev/null
AuthName "Your Desired Login Message Goes Here"
AuthType Basic
# No <Limit GET> wrapper: limiting the rule to GET leaves POST (which the File Manager uses) unauthenticated
require user username
For AuthUserFile, log in to your Ops and look under HTTP (Website); you will see this line:
DocumentRoot: /www/u/username/htdocs
If you created a directory/folder inside your htdocs, the path should point like this:
/www/u/username/htdocs/etc/.htpasswd
You should directly follow the steps.
Step 3
Create the .htpasswd file. Use this link below to generate the needed info.
http://help.powweb.com/cgi-bin/crypt.cgi
Copy the information that was generated by the tool, paste it into a file named .htpasswd and directly upload it to the directory/folder you created in Step 1.
Note: for Windows users, it is impossible to create a file starting with a dot; you can simply create a file named htaccess.txt, upload it later, then rename it through your FTP tool like WS_FTP PRO. For Linux or any Unix-based OS users, this is not an issue.
Once you have accomplished this, upload the file .htaccess to any directory you want to protect. (Do not forget to rename both files to .htaccess and .htpasswd)
If you wish to add users to the login, repeat Step 3 and simply add any generated password to your file; do not forget to put them one line after another.
This is the complete step for the admin protection or any directory protection on your website.
Another issue is to set default.php as one of your startup files. To do this, create a separate .htaccess file with this code:
DirectoryIndex index.htm index.html index.php3 index.php default.html default.htm default.php index.cgi
It will actually depend on what startup files you want to add or remove. Upload this on your htdocs directory/folder and you are all set.
I also included sample files for you to just edit them according to your settings. Download the Sample Files Here (http://www.jcdesignpro.com/samples.zip)
In case you need further assistance, you can directly email me at wenzlerpaul@yahoo.com
I hope this helps
Paul V. Barrera
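As an added example (not part of the original post or the sample files), this Python script checks the two .htaccess fragments described above before you upload them: it flags an admin .htaccess whose require rule is wrapped in a <Limit GET> block, a missing or relative AuthUserFile, a missing require line, and a DirectoryIndex that omits default.php. The sample fragments are constructed from the post's own lines; Apache 2.x directive semantics are assumed.

```python
import re

# Constructed samples: the admin .htaccess as posted (wrapped in <Limit GET>),
# the same rules applied to every method, and the DirectoryIndex file.
ADMIN_HTACCESS_AS_POSTED = """AuthUserFile /www/u/username/.htpasswd
AuthGroupFile /dev/null
AuthName "Your Desired Login Message Goes Here"
AuthType Basic
<Limit GET>
require user username
</Limit>
"""
ADMIN_HTACCESS_FIXED = ADMIN_HTACCESS_AS_POSTED.replace("<Limit GET>\n", "").replace("</Limit>\n", "")
INDEX_HTACCESS = "DirectoryIndex index.htm index.html index.php3 index.php default.html default.htm default.php index.cgi\n"

def parse_directives(text: str) -> dict:
    """Map lower-cased directive name -> list of values; skips blanks, comments and <...> tags."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key.lower(), []).append(value.strip())
    return directives

def check_htaccess(text: str) -> list:
    """Return findings for an .htaccess fragment; an empty list means it looks sound."""
    d = parse_directives(text)
    findings = []
    if any(k in d for k in ("authtype", "authuserfile", "require")):
        if d.get("authtype", [""])[0].lower() != "basic":
            findings.append("AuthType Basic is missing")
        path = d.get("authuserfile", [""])[0]
        if not path.startswith("/"):
            findings.append("AuthUserFile must be an absolute server path")
        elif "/htdocs/" in path:
            findings.append("AuthUserFile is under htdocs: confirm the host refuses direct requests for .htpasswd")
        if "require" not in d:
            findings.append("no 'require' line, so nobody is asked to log in")
        m = re.search(r"<Limit\s+([^>]+)>", text, re.I)
        if m:  # auth applies only to the listed methods; the File Manager posts forms
            findings.append("<Limit %s> leaves other methods unauthenticated; drop the <Limit> block"
                            % m.group(1).strip())
    if "directoryindex" in d:
        if "default.php" not in d["directoryindex"][0].split():
            findings.append("DirectoryIndex omits default.php, so its directories may be listed")
    return findings
```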