Emergency! Urgent!

 
  • dominos_2004
  • Senior Member
  • Members
  • Join Date: 02-Jan 06
  • 257 posts

Posted 10 February 2007 - 10:46 PM #1

This is from Google search results:

Index of /skins/default_blue/admin/affiliate/products_pages... 30-Dec-2006 23:20 - products_list.tpl 30-Dec-2006 23:20 2k products_list_update..> 30-Dec-2006 23:20 2k. Apache/1.3.37 Server at www.bla.com Port 80.
www.bla.com/skins/default_blue/admin/affiliate/products_pages/ - 2k - Supplemental Result - Cached - Similar pages
CS-Cart 3.0.3

 
  • glyndon
  • Senior Member
  • Members
  • Join Date: 07-Dec 06
  • 187 posts

Posted 10 February 2007 - 11:52 PM #2

A deny index listing .htaccess file in every skin directory will stop this from happening, right?

 
  • dominos_2004
  • Senior Member
  • Members
  • Join Date: 02-Jan 06
  • 257 posts

Posted 11 February 2007 - 12:01 AM #3

glyndon wrote:
A deny index listing .htaccess file in every skin directory will stop this from happening, right?

I did it but it does not stop it.
CS-Cart 3.0.3

 
  • glyndon
  • Senior Member
  • Members
  • Join Date: 07-Dec 06
  • 187 posts

Posted 11 February 2007 - 12:12 AM #4

That is worrying.

I haven't yet launched my site so I would be interested to hear from CS-Cart about how this can be stopped?

I don't want anyone snooping around my files.

 
  • Zyles
  • Senior Member
  • Members
  • Join Date: 06-Nov 06
  • 596 posts

Posted 11 February 2007 - 12:47 AM #5

Just put a .htaccess file in the skins directory with:

Options -Indexes

# Never serve template source directly
<Files ~ "\.tpl$">
Order allow,deny
Deny from all
</Files>

# Stylesheets must stay reachable by the browser (match the extension at the end of the name)
<Files ~ "\.css$">
Order allow,deny
Allow from all
</Files>

And the problem is gone.
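An added check, not from this thread or from CS-Cart, for confirming that a .htaccess like the one above actually took effect instead of waiting for the next crawl: it requests the listing path from the search result, its parent and one template file, and classifies each response. The hostname www.example.com, the probe paths other than the products_pages one, and the sample responses are constructed for the example; swap sample_fetch for live_fetch to run it against your own server.

```python
"""Probe a CS-Cart install for exposed skins/ directory listings and raw .tpl files.

Added example for this thread; not CS-Cart code. The hostname, the probe
list beyond the one path in the Google result, and the sample responses
are constructed for illustration.
"""
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Paths worth probing: the listing from the search result, its parent, and one
# template file. Everything except the products_pages path is assumed.
DEFAULT_PROBES = [
    "/skins/",
    "/skins/default_blue/admin/affiliate/products_pages/",
    "/skins/default_blue/admin/affiliate/products_pages/products_list.tpl",
]

# Apache's mod_autoindex listing always carries this title.
LISTING_RE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
# Raw Smarty syntax in a 200 body means the template source was served, not rendered.
SMARTY_RE = re.compile(r"\{\s*(?:\$\w+|if\b|foreach\b|include\b)")

Fetch = Callable[[str], Tuple[int, str]]


def classify_response(status: int, body: str) -> str:
    """Reduce one HTTP response to a verdict string."""
    if status == 200 and LISTING_RE.search(body):
        return "listing"          # directory index exposed
    if status == 200 and SMARTY_RE.search(body):
        return "template-source"  # .tpl served verbatim
    if status == 403:
        return "forbidden"        # what a working Deny from all / Options -Indexes looks like
    if status == 404:
        return "missing"
    if status >= 500:
        return "error"            # typically AllowOverride rejecting a directive in .htaccess
    return "ok"


def audit(fetch: Fetch, base: str, probes: List[str] = DEFAULT_PROBES) -> Dict[str, str]:
    """Run every probe path against base and return {path: verdict}."""
    return {path: classify_response(*fetch(base.rstrip("/") + path)) for path in probes}


def exposures(results: Dict[str, str]) -> List[str]:
    """Paths whose verdict means something readable that should not be."""
    return [p for p, verdict in results.items() if verdict in ("listing", "template-source")]


def live_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Real fetch for use against your own server; returns (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "skins-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")


# Constructed responses (not captured from any real site) standing in for a server
# whose .htaccess only covers one subdirectory, so the parent listing and a .tpl
# are still readable.
SAMPLE_SERVER = {
    "http://www.example.com/skins/":
        (200, "<html><head><title>Index of /skins</title></head><body>...</body></html>"),
    "http://www.example.com/skins/default_blue/admin/affiliate/products_pages/":
        (403, "<title>403 Forbidden</title>"),
    "http://www.example.com/skins/default_blue/admin/affiliate/products_pages/products_list.tpl":
        (200, "{foreach from=$products item=product}\n<tr><td>{$product.product}</td></tr>\n{/foreach}"),
}


def sample_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for live_fetch backed by SAMPLE_SERVER."""
    return SAMPLE_SERVER.get(url, (404, "Not Found"))


if __name__ == "__main__":
    for path, verdict in audit(sample_fetch, "http://www.example.com").items():
        print(f"{verdict:16} {path}")
```

A 403 on every probe is the result you want. A listing that survives adding the file usually means the .htaccess is not being honoured: Options -Indexes needs the vhost's AllowOverride for that directory to include Options, and Order/Deny inside <Files> needs Limit (or AllowOverride All). With AllowOverride None the file is ignored outright, and with an override list that lacks Options, Apache answers 500 for every request under the directory rather than 403. Google's cached copy of the listing stays visible until the page is re-crawled, so the cache is not a test of the fix.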

 

Posted 11 February 2007 - 01:36 AM #6

glyndon wrote:
That is worrying.

I haven't yet launched my site so I would be interested to hear from CS-Cart about how this can be stopped?

I don't want anyone snooping around my files.


What Zyles said,
Try to access my site if you would?
http://www.southeastauto.com.au/skins/

It's secured via the same .htaccess method we all use.
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • recedo
  • Senior Member
  • Members
  • Join Date: 24-Apr 06
  • 498 posts

Posted 11 February 2007 - 04:40 AM #7

Very simple to stop access but perhaps CS would consider putting an htaccess file in this directory with a default install?

 

Posted 11 February 2007 - 09:02 AM #8

I suppose the devs could but it won't solve all users' issues,

<rant>
It's up to the webmasters themselves to ensure they understand basic security procedures. I understand there is a great range of skillsets here, however I do believe we've gone over this a few times.</rant>

If someone would make a new thread with the appropriate titles listing .htaccess methods and usage I'm sure it can be stickied by a mod/admin
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • recedo
  • Senior Member
  • Members
  • Join Date: 24-Apr 06
  • 498 posts

Posted 11 February 2007 - 10:37 AM #9

I am sorry but I disagree slightly here. CS should be including information about ways of providing extra security for your site in the manual and addressing any new problems as they are found, either by forum posts or posts in the helpdesk.

I know they have posted with regards to 'proper' security threats in the past but it would be good for them to create a security 101 with required steps and more optional steps.

As you stated there are users here of all levels, and to a certain extent they are responsible for their own security at the end of the day. However, CS provides a Business to Business solution and they do not want to be pushing away the more 'basic' customers.

This cart attracts newbie ecommerce business people, I would say in large because of the very professional looking skins. They should be embracing this as much as possible.

Come on, how long would it take for those guys to add a few pages in the manual about optional/general steps for securing their site? And you'd be surprised at how much this would improve customer confidence.

I have been creating websites and using various scripts for many, many years now and I'll always go more towards ones who show they are security conscious and want to pass that knowledge on to their customers. I even look at things like the use of .htaccess files in the default installs.

CS already have some ht files in the var dir etc. so they should really add to this directory as well so users don't need to be adding this themselves - I can't see anyone wanting people to be able to see their templates.

So, in summary;

YES - Webmasters do have a responsibility to secure their own servers/websites but CS should aim to provide as much of their know-how to their customers as possible. People would be a lot happier and more confident to see a sticky post from Admin with this information as opposed to a general forum member.

You have to look at it in that CS are providing a service/product that is attracting novice users and they should be doing as much as they can to keep these customers.

Simon

 

Posted 11 February 2007 - 01:01 PM #10

recedo (Simon) wrote:
I am sorry but I disagree slightly here.


I fully support your post as shown,

While I'm always in favour of educating the user, due to the web's nature there will always be a potential security issue. Addressing .htaccess files with certain directories can be a godsend for people, Dominos here as an example.

However I believe that it gives users a false sense of security thinking they 'don't' need to secure their server/website from potential threats. Obviously Google ain't going to go hacking websites but adding a security 101 will in most cases only be beneficial to those who would want to read such an article.

If we/cscart do propose to assist with security issues then the forum itself becomes a mild security site, whereas it takes away from cart development and henceforth expectations. I'm just wary of supporting security issues whereas server admins would be better equipped to assist based upon the server config. What I would like is a security 'manual' that states the BASICs, otherwise it becomes a bigger pie than most of us can eat.
(Of 622 members only 22/24 users are above the 100 post mark)
I've moved on from CS-Cart to WooC******** - If you need anything I can be of little help.

 
  • jobosales
  • Senior Member
  • Members
  • Join Date: 04-Nov 06
  • 3114 posts

Posted 12 February 2007 - 12:55 AM #11

One thing that I think would be useful is a separate security forum. This would provide a place to not only discuss security issues but also give people just starting out a kind of "library" of problems and best practices.

Of course, information in the manual would also be helpful but I fear the documentation has fallen woefully behind the software and it is likely to be a while before it is brought up to date.

Bob

EDIT: Geez, that was quick. I am feeling very special today. :)
CS-Cart 2.0.14 (testing)

 
  • disneyana
  • Senior Member
  • Members
  • Join Date: 06-Nov 05
  • 130 posts

Posted 13 February 2007 - 07:32 PM #12

Thanks guys for the .htaccess code on this. I agree that a Security 101 file or section would be a nice feature.
- disneyana
CS-Cart v1.3.3
CS-Cart v1.3.4sp3
http://disneyana.com/store