I'm ready to buy but need a bit more on Security

[quote name=‘markav’]I’m ready tor drop my dough on CS-Cart. I really like it a lot… it kicks ass on everything else I’ve looked at in a standalone cart. The configurabilty is top notch (Smarty templates are really sweet). But I’m a bit freaked out about security issues after reading some of the posts on this forum.



In particular, this thread on SSL and access to sensitive files:



[url]http://vb.cs-cart.com/showthread.php?t=1196&highlight=table+css[/url]



This seemed to raise more questions than it answered. Anyone have any answers as to which files need to reconfigured or moved (and where) in order to prevent sensitive data from being scanned? What about database encryption of passwords and credit card info?



And this thread.



[url]http://vb.cs-cart.com/showthread.php?t=516&highlight=file+permissions[/url]



Is there a list of file permissions that can be set on all cart files that can be as restrictive as possible and still allow the cart to function properly? Also, which folders should be secured with .htaccess files and what should the settings be?



I’d like to get the warm fuzzies on how to button down security as tightly as possible. If CS-Cart has a procedure for this or if anyone has developed a configuration that is secure (obviously this is a moving target) I’d sure like to hear about it.



Thanks Much

Mark[/QUOTE]The credit card information is already encrypted. Once your order is processed, the information can be deleted in Admin Panel. The only place where sensitive data is located is config.php. If PHP were to go down, your config.php could be displayed as plain text exposing the database username and password. You can solve this two ways. First, move config.php outside of document root and replace the original config.php with an include(your/new/location/config.php) to the new location. The other way is to place it into another folder and add an .htaccess along with it containing:


options -Indexes
deny from all

[quote name=‘sculptingstudio’]The credit card information is already encrypted. Once your order is processed, the information can be deleted in Admin Panel. The only place where sensitive data is located is config.php. If PHP were to go down, your config.php could be displayed as plain text exposing the database username and password. You can solve this two ways. First, move config.php outside of document root and replace the original config.php with an include(your/new/location/config.php) to the new location. The other way is to place it into another folder and add an .htaccess along with it containing:


options -Indexes
deny from all
[/QUOTE]



Hello,

I’m not clear on the steps needed to implement the above two security suggestions:



(1) How to replace the original config.php with an include config.php?;

(2) How to place the config.php into another folder and add an .htaccess along with it?;



Also:

(3) Is it advisable to do both of the above?;

(4) Would it be advisable to do this with the admin.php file as well?

(5) Does CS-Cart have any official documentation on securing the cart? One thing I liked about VP-ASP was that the admin control panel welcome page displayed the results of a fresh security scan of shop system vulnerabilities with advice on how to fix the vulnerabilities. Would be great to see something like this in CS-Cart.



Thanks!

I’m not clear on the steps needed to implement the above two security suggestions:



(1) How to replace the original config.php with an include config.php?;

Create a new config.php file with the path inside:

@require_once('c:/mynewfolder/config.php');
?>


(2) How to place the config.php into another folder and add an .htaccess along with it?;

Use your FTP program to create a new folder. Copy your original config.php to this new folder. The .htaccess is just a file you can create in Notepad. Open Notepad and add this:

options -Indexes
deny from all
In Notepad, click File > Save As. Where it says “Save as type” choose “All Files”. In the “File name” enter .htaccess Don’t give it the extension like this .htaccess.txt



Also:

(3) Is it advisable to do both of the above?; If PHP goes down, I would.

(4) Would it be advisable to do this with the admin.php file as well? There are no passwords or encryption keys in it.

(5) Does CS-Cart have any official documentation on securing the cart? One thing I liked about VP-ASP was that the admin control panel welcome page displayed the results of a fresh security scan of shop system vulnerabilities with advice on how to fix the vulnerabilities. Would be great to see something like this in CS-Cart. I don’t believe there’s a document. I scan my cart for over 12,000 vulnerabilities and post XSS and SQL injections into my form data and nothing is found. The cart’s GET and POST variables are sanitized in CS-Cart to prevent SQL injection or XSS. If you want it scanned, I’m thinking about offering my HackerShield service.

Thanks so much for the tips and taking the time to respond. I’m on the road and haven’t had a chance to implement this yet, but feel much more clear on how to go about it.

Thanks!

[quote name=‘argosmedia’]Can you tell me what exactly to do where? Sorry, I’m a non-coder, and don’t know what to do exactly… Can you take me by the hand please? :-)[/QUOTE]Place the code in a text file and name it .htaccess. Place the file .htaccess in the folder where you relocated config.php.

Hey,



Sorry to post in an old topic like this… But I didn’t see any reason to open a new one, when this one had already been started.



I just have a quick question in regards to moving to config.php. You say that if PHP crashes, someone can view all of your database info. Well, even if you move the file, once php goes down and they see where it is located, why couldn’t they just go there? Since they already know the URL of the file.



Thanks.

[quote name=‘Brandito’]

I just have a quick question in regards to moving to config.php. You say that if PHP crashes, someone can view all of your database info. Well, even if you move the file, once php goes down and they see where it is located, why couldn’t they just go there? Since they already know the URL of the file.

[/QUOTE]



If your public_html is the viewable directory from browser. And you place config file one step above it. There is no way to browse to the config file using a browser, this would only be possible with having FTP or SSH access.



For example:



/home/mydir/config.php

/home/mydir/public_html/cart.php

[quote name=‘Zyles’]If your public_html is the viewable directory from browser. And you place config file one step above it. There is no way to browse to the config file using a browser, this would only be possible with having FTP or SSH access.



For example:



/home/mydir/config.php

/home/mydir/public_html/cart.php[/QUOTE]



Oh… So I should make a folder at the same level as the “public_html” folder, in my control panel, correct? I thought sculpting studio was saying to make a sub-folder in my “public_html” folder. Thats why I was confused as to why that would stop anyone from viewing the config.php file.



I do see one problem with doing it this was, if you are using cPanel(as most people are) and someone sees the “/mydir/” part, they know your control panel username… Any thoughts on how to avoid that?



Thanks.

[quote name=‘Brandito’]Oh… So I should make a folder at the same level as the “public_html” folder, in my control panel, correct?[/QUOTE]



Correct.



On my cpanel host, anything I put outside the public_html is not visible to a visitor. Even if they try to access via /~username/ it will point to the public_html dir. Not the parent dir.

[quote name=‘Zyles’]Correct.



On my cpanel host, anything I put outside the public_html is not visible to a visitor. Even if they try to access via /~username/ it will point to the public_html dir. Not the parent dir.[/QUOTE]



Ok, but what about the problem of someone finding out what your username is. Is there anyway around that? Because if I make my link relevant to /home/username/newfolder/config.php, the “hacker” has gotten my username to cPanel…

If you can browse your whole /home directory from the web, your webhost isn’t that good setup. It should only be accessed to public_html/



As for finding out your username, I wouldn’t worry too much about it. I can figure out everyones username on my shared hosting…



If you wanna be completely secure, go VPS or dedicated.

[quote name=‘Zyles’]If you can browse your whole /home directory from the web, your webhost isn’t that good setup. It should only be accessed to public_html/



As for finding out your username, I wouldn’t worry too much about it. I can figure out everyones username on my shared hosting…



If you wanna be completely secure, go VPS or dedicated.[/QUOTE]



No, thats not what I’m saying. You can’t browse the home directory from the web. What I am saying is that when you make your link /home/username/newfolder/config.php, people will know your cPanel username.



As for hosting, I am on a VPS. Its completely private and secure, I just don’t like the idea of people having my cPanel username…

Yes. Even if you get a php error it will show the full path.



The only thing they could do is brute force your account. And if they would want to bother with yours in particular that is. If this was a major security issue, the whole web would be in trouble. So I wouldn’t sorry about it, just keep your passwords safe.



Everyone knows the user “root”. :wink:

[quote name=‘Zyles’]Yes. Even if you get a php error it will show the full path.



The only thing they could do is brute force your account. And if they would want to bother with yours in particular that is. If this was a major security issue, the whole web would be in trouble. So I wouldn’t sorry about it, just keep your passwords safe.



Everyone knows the user “root”. ;)[/QUOTE]

Hmm… I don’t know who you host with, but all of the hosts I deal with give unique usernames and passwords for each account. So, none of my usernames are “root”.



Moving on to the link itself, when I go into my home directory and make a new folder for the config.php should the link be like this:


@require_once('/home/username/mynewconfigurationfolder/config.php');
?>




Thanks.

The user “root” is the super admin account for any UNIX flavored systems (Linux, BSD, etc).



cat /etc/passwd



gives:



root:x:0:0:root:/root:/bin/bash



And that account exist on every UNIX based webhost. My point is, if they were to try hacking your server, they would target other users not your username. Like it is common knowledge that apache usually runs as “apache” or “httpd”. Knowing the usernames of a system is not a security threat.



Yes, thats how you do it.

Hmm… I moved the config.php file, and now I am getting like 8 errors saying:



Warning: Cannot modify header information - headers already sent by (output started at /protected/config.php:1) in /public_html/core/sessions.php on line 40

Warning: Cannot modify header information - headers already sent by (output started at /protected/config.php:1) in /public_html/core/sessions.php on line 41

Warning: Cannot modify header information - headers already sent by (output started at /protected/config.php:1) in /public_html/core/sessions.php on line 46

Warning: Cannot modify header information - headers already sent by (output started at /protected/config.php:1) in /public_html/core/sessions.php on line 47

Warning: Cannot modify header information - headers already sent by (output started at /protected/config.php:1) in /public_html/core/sessions.php on line 48

Warning: Cannot modify header information - headers already sent by (output started at /protected/config.php:1) in /public_html/core/sessions.php on line 72

Warning: Cannot modify header information - headers already sent by (output started at /protected/config.php:1) in /public_html/core/sessions.php on line 73




Any thoughts?



Thanks.

Do you have two config.php files?



One with the require_once code at the old location, and one with the real values in hidden directory?

[quote name=‘Zyles’]Do you have two config.php files?



One with the require_once code at the old location, and one with the real values in hidden directory?[/QUOTE]



Yep, I kept the original config.php in the root public_html folder, and replaced the old code with the require once. Then I moved the real code to its own directory. And then I started getting that error…

[quote name=‘Brandito’]Yep, I kept the original config.php in the root public_html folder, and replaced the old code with the require once. Then I moved the real code to its own directory. And then I started getting that error…[/QUOTE]

do you have a .htaccess file within the folder (real config) and if so what are the entries?

[quote name=‘JesseLeeStringer’]do you have a .htaccess file within the folder (real config) and if so what are the entries?[/QUOTE]



No, I don’t. Do I need one? I put the real config.php in its own directory, at the public_html level. I just named it “protected” and put the real config.php file there, then I added the require_once function in my new config.php



Thanks.