Forums / General Questions / User Permissions / Configuration / Potential Security Risk?

User Permissions / Configuration / Potential Security Risk?

Locked
Results 1 to 17 of 17
This thread is locked. New replies are disabled.
01 Aug 2009, 20:46
#1
silverspring avatar

silverspring

New Zenner

Join Date:
May 2007
Posts:
65
Plugin Contributions:
0

User Permissions / Configuration / Potential Security Risk?

On my site, winniesonline.co.uk the following appeared. Why and how do I fix it ?


Warning: I am able to write to the configuration file: /home/winnieso/public_html/store/includes/configure.php. This is a potential security risk - please set the right user permissions on this file (read-only, CHMOD 644 or 444 are typical). You may need to use your webhost control panel/file-manager to change the permissions effectively. Contact your webhost for assistance.
:shocking:


I would appreciate help to sort the problem.

Thanks
02 Aug 2009, 01:54
#2
website_rob avatar

website_rob

Inactive

Join Date:
Oct 2006
Posts:
4,572
Plugin Contributions:
0

Re: User Permissions / Configuration / Potential Security Risk?

Start with a blank text file and inside put the following code:

<?php
chmod("includes/configure.php", 0444);
chmod("admin/includes/configure.php", 0444);
echo 'Completed'
?>


Note: if you renamed the 'admin' directory then change "admin" to whatever you renamed it to and you're good to go.

Save the file as chmod.php and upload it to the same directory where these files are:
index.php - ipn_main_handler.php - nddbc.html

Now load this URL into your Browser: http://yoursite.com/chmod.php
(adjust URL accordingly if Zen Cart is in a sub-directory)

Once you see the 'Completed' msg. then load your Zen Cart "index" page to verify Error msg. is gone.

Now delete the chmod.php page/file.
02 Aug 2009, 02:18
#3
dbltoe avatar

dbltoe

Totally Zenned

Join Date:
Jan 2004
Posts:
9,707
Plugin Contributions:
6

Re: User Permissions / Configuration / Potential Security Risk?

OR...
You have cpanel. Why not use the file manager inside cpanel to change the permissions.
Click on file manager, Select Web Root, double-click "includes" in the right-hand panel, find the configure.php file, right-click it, and select Change Permissions. Make sure the only check marks are the three across the top for Read. The numbers at the bottom should read 444.
Click the Change Permissions button and you're done.
02 Aug 2009, 22:56
#4
silverspring avatar

silverspring

New Zenner

Join Date:
May 2007
Posts:
65
Plugin Contributions:
0

Re: User Permissions / Configuration / Potential Security Risk?

Firstly Dbltoe, I sent you an email - did you get it ?


Should I log in via filezilla or is it ok to do it via the host ?

Doing it via the host when I log into my cpanel / file manager but dont see what you are referring to .....:eek:
03 Aug 2009, 00:42
#5
plymgary1 avatar

plymgary1

Zen Follower

Join Date:
Feb 2009
Posts:
121
Plugin Contributions:
0

Re: User Permissions / Configuration / Potential Security Risk?

silverspring:

Firstly Dbltoe, I sent you an email - did you get it ?


Should I log in via filezilla or is it ok to do it via the host ?

Doing it via the host when I log into my cpanel / file manager but dont see what you are referring to .....:eek:



Log into your cpanel then go into 'file manager'. Find your 'public_html' folder, expand it and click on 'includes'. Then find the file 'configure.php'. Right click this and select change permissions. Make sure the totals read 444 and that should get rid of that message.

Do the same for admin/includes/configure.php
03 Aug 2009, 00:59
#6
steven300 avatar

steven300

Totally Zenned

Join Date:
Jan 2008
Posts:
1,564
Plugin Contributions:
0

Re: User Permissions / Configuration / Potential Security Risk?

You can also use FileZilla. Basically the same steps as above.
03 Aug 2009, 03:35
#7
dbltoe avatar

dbltoe

Totally Zenned

Join Date:
Jan 2004
Posts:
9,707
Plugin Contributions:
6

Re: User Permissions / Configuration / Potential Security Risk?

Filezilla will not work if the host has that feature turned off. And, most who use cpanel do have the feature disabled.
03 Aug 2009, 07:02
#8
silverspring avatar

silverspring

New Zenner

Join Date:
May 2007
Posts:
65
Plugin Contributions:
0

Re: User Permissions / Configuration / Potential Security Risk?

plymgary1:

Log into your cpanel then go into 'file manager'. Find your 'public_html' folder, expand it and click on 'includes'. Then find the file 'configure.php'. Right click this and select change permissions. Make sure the totals read 444 and that should get rid of that message.


Do the same for admin/includes/configure.php



I found the public_html folder and assumed that I should follow the store/includes/configure.php - there I changed the permissions to 444 and ensured that the 3 boxes at the very top were ticked.

However, where exactly is the admin/includes/configure.php -
could you give me the full path ?

Thanks
03 Aug 2009, 07:45
#9
dbltoe avatar

dbltoe

Totally Zenned

Join Date:
Jan 2004
Posts:
9,707
Plugin Contributions:
6

Re: User Permissions / Configuration / Potential Security Risk?

both the admin/includes and the includes folders are under the public_html folder.

public_html/admin/includes/configure.php
public_html/includes/configure.php
03 Aug 2009, 09:10
#10
silverspring avatar

silverspring

New Zenner

Join Date:
May 2007
Posts:
65
Plugin Contributions:
0

Re: User Permissions / Configuration / Potential Security Risk?

Phew ! - I think I've done it ! Thanks !

HOWEVER, what would have changed the permissions in the first place ?
03 Aug 2009, 09:30
#11
dbltoe avatar

dbltoe

Totally Zenned

Join Date:
Jan 2004
Posts:
9,707
Plugin Contributions:
6

Re: User Permissions / Configuration / Potential Security Risk?

The permissions would have been set like they were at installation. They have to be changed in order to write/change them.
If this is not a new install, perhaps someone helping you has changed the permissions to work on the files.
If none of the above is the case, you will need to check to see if you've been hacked.
05 Aug 2009, 08:48
#12
silverspring avatar

silverspring

New Zenner

Join Date:
May 2007
Posts:
65
Plugin Contributions:
0

Re: User Permissions / Configuration / Potential Security Risk?

Having sorted one situation out another has presented itself - the images from the mainpage went missing - fortunately, I managed to re-instate them !

The hosting is through RENTACART - guys, DONT USE THEM - seriously their support is non existent, as well as their telephone service !!!!!!!:yuck:

Browsing on their site I found the following :

Security Announcement -- Admin Security Patch
A vulnerability has been discovered in the admin section of the carts we use. To take advantage of this vulnerability any attacker must know the URL of your admin section.

A link to the patch is posted below. Please download the patch file and unzip it. The file contains a readme.html with full details on how to install the security patch.

IMPORTANT NOTE:

There are Directories/Folders embedded in the zip. So, when you expand/unzip, you MUST tell your unzip program to expand the folders too! Otherwise you are likely to end up putting the wrong files in the wrong places.

Follow the instructions carefully and remember, the documentation tells you exactly where to put the files. This is an ADMIN patch so all the files go under your admin directory in their respective folders.

Click Here For Patch Download

REMEMBER WHEN APPLYING ANY PATCHES ALWAYS DO A FULL BACKUP. That includes your MySQL database, data and your PHP/HTML/CSS/TEMPLATE/IMAGES files by downloading them to your computer.
We can do all this for you if required.

For 19.88 we will apply the patch, check your site, change your admin directory & update the details in your configure.php file to reflect the changes made. To purchase please click here.

Yeah, I'd have immediate attention if I gave them £19.88 !!!!

My gripe aside, I have downloaded the patch to my HD so now how do I install in without causing MORE PROBLEMS to the site.

I'd appreciate help !

Kind regards
05 Aug 2009, 17:46
#13
dbltoe avatar

dbltoe

Totally Zenned

Join Date:
Jan 2004
Posts:
9,707
Plugin Contributions:
6

Re: User Permissions / Configuration / Potential Security Risk?

Please read the line in your post that starts
A link to the patch is posted below. Please download the patch...


I wouldn't charge a penny over $33.78 to fix this:P
26 Aug 2009, 15:35
#14
schneckster avatar

schneckster

New Zenner

Join Date:
Aug 2009
Posts:
2
Plugin Contributions:
0

Re: User Permissions / Configuration / Potential Security Risk?

Hi,

I'm new to Zen, having used osCommerce before. As an aside, I'm surprised at the similarities between the two... and the differences!!

Anyway, I recently had a problem with an osCommerce install where it required certain folders to have file permissions set to 777. That lead to Russian hackers (so my host told me) writing files to those folders that basically allowed click throughs elsewhere. It was suggested by the osC forums that no folder should be set to anything more than 755.

Now I find a similar vulnerability with Zen. So, will it work with 755 or is there a way to prevent this happening?

Thanks,

Schneckster
26 Aug 2009, 15:46
#15
schneckster avatar

schneckster

New Zenner

Join Date:
Aug 2009
Posts:
2
Plugin Contributions:
0

Re: User Permissions / Configuration / Potential Security Risk?

Re-reading my previous post, it isn't clear.

What I meant to say was that the suggestions for osC were to set permissions to 755 and rely on suexec on the PHP server. But this is only available on PHP 5+. My server is currently PHP4.49 so this wouldn't work.

Zen has similar suggestions (no mention of suexec, though). Will Zen still work with permissions of 755 without the latest version of PHP?

Schneckster
26 Aug 2009, 15:51
#16
dbltoe avatar

dbltoe

Totally Zenned

Join Date:
Jan 2004
Posts:
9,707
Plugin Contributions:
6

Re: User Permissions / Configuration / Potential Security Risk?

Yes, Zen Cart is technically "sone of osc", but the is NOT your daddy's shopping cart! In 2004, OSC got some ideas that didn't jive with what some of the folks had in mind. An agreement was made to "divide and conquer". I believe ZC won.:clap:

Anyway, unless you mess with it, Zen Cart will install the files with the proper permissions. After installation, you will need to change the permissions on two files (both configure.php).

You will need to due the security patch as it is not incorporated in the 1.3.8a as yet.

You will need to create a custom directory to keep customized files from being overwritten when you upgrade.

You will need to delete the install directory and rename the admin directory (this means you'll have to edit BOTH config files) and set the permissions back to 444 for the config files.

If you are storing any credit card data, you will want to add the PCI patch as well.
26 Aug 2009, 15:52
#17
dbltoe avatar

dbltoe

Totally Zenned

Join Date:
Jan 2004
Posts:
9,707
Plugin Contributions:
6

Re: User Permissions / Configuration / Potential Security Risk?

You need to run away from PHP 4.49. If your host is not staying current, something WILL happen and probably soon.:no: