Page 2 of 2 FirstFirst 12
Results 11 to 17 of 17
  1. #11
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,701
    Plugin Contributions
    11

    Default Re: User Permissions / Configuration / Potential Security Risk

    The permissions would have been set like they were at installation. They have to be changed in order to write/change them.
    If this is not a new install, perhaps someone helping you has changed the permissions to work on the files.
    If none of the above is the case, you will need to check to see if you've been hacked.
    A little help with colors.
    myZenCartHost.com - Zen Cart Certified, PCI Compatible Hosting by JEANDRET
    Free SSL & Domain with semi-annual and longer hosting. Updating 1.5.2 and Up.

  2. #12
    Join Date
    May 2007
    Posts
    65
    Plugin Contributions
    0

    Default Re: User Permissions / Configuration / Potential Security Risk

    Having sorted one situation out another has presented itself - the images from the mainpage went missing - fortunately, I managed to re-instate them !

    The hosting is through RENTACART - guys, DONT USE THEM - seriously their support is non existent, as well as their telephone service !!!!!!!

    Browsing on their site I found the following :
    Security Announcement -- Admin Security Patch
    A vulnerability has been discovered in the admin section of the carts we use. To take advantage of this vulnerability any attacker must know the URL of your admin section.

    A link to the patch is posted below. Please download the patch file and unzip it. The file contains a readme.html with full details on how to install the security patch.

    IMPORTANT NOTE:

    There are Directories/Folders embedded in the zip. So, when you expand/unzip, you MUST tell your unzip program to expand the folders too! Otherwise you are likely to end up putting the wrong files in the wrong places.

    Follow the instructions carefully and remember, the documentation tells you exactly where to put the files. This is an ADMIN patch so all the files go under your admin directory in their respective folders.

    Click Here For Patch Download

    REMEMBER WHEN APPLYING ANY PATCHES ALWAYS DO A FULL BACKUP. That includes your MySQL database, data and your PHP/HTML/CSS/TEMPLATE/IMAGES files by downloading them to your computer.
    We can do all this for you if required.

    For 19.88 we will apply the patch, check your site, change your admin directory & update the details in your configure.php file to reflect the changes made. To purchase please click here.
    Yeah, I'd have immediate attention if I gave them £19.88 !!!!

    My gripe aside, I have downloaded the patch to my HD so now how do I install in without causing MORE PROBLEMS to the site.

    I'd appreciate help !

    Kind regards

  3. #13
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,701
    Plugin Contributions
    11

    Default Re: User Permissions / Configuration / Potential Security Risk

    Please read the line in your post that starts
    A link to the patch is posted below. Please download the patch...
    I wouldn't charge a penny over $33.78 to fix this
    A little help with colors.
    myZenCartHost.com - Zen Cart Certified, PCI Compatible Hosting by JEANDRET
    Free SSL & Domain with semi-annual and longer hosting. Updating 1.5.2 and Up.

  4. #14
    Join Date
    Aug 2009
    Posts
    2
    Plugin Contributions
    0

    Default Re: User Permissions / Configuration / Potential Security Risk

    Hi,

    I'm new to Zen, having used osCommerce before. As an aside, I'm surprised at the similarities between the two... and the differences!!

    Anyway, I recently had a problem with an osCommerce install where it required certain folders to have file permissions set to 777. That lead to Russian hackers (so my host told me) writing files to those folders that basically allowed click throughs elsewhere. It was suggested by the osC forums that no folder should be set to anything more than 755.

    Now I find a similar vulnerability with Zen. So, will it work with 755 or is there a way to prevent this happening?

    Thanks,

    Schneckster

  5. #15
    Join Date
    Aug 2009
    Posts
    2
    Plugin Contributions
    0

    Default Re: User Permissions / Configuration / Potential Security Risk

    Re-reading my previous post, it isn't clear.

    What I meant to say was that the suggestions for osC were to set permissions to 755 and rely on suexec on the PHP server. But this is only available on PHP 5+. My server is currently PHP4.49 so this wouldn't work.

    Zen has similar suggestions (no mention of suexec, though). Will Zen still work with permissions of 755 without the latest version of PHP?

    Schneckster

  6. #16
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,701
    Plugin Contributions
    11

    Default Re: User Permissions / Configuration / Potential Security Risk

    Yes, Zen Cart is technically "sone of osc", but the is NOT your daddy's shopping cart! In 2004, OSC got some ideas that didn't jive with what some of the folks had in mind. An agreement was made to "divide and conquer". I believe ZC won.

    Anyway, unless you mess with it, Zen Cart will install the files with the proper permissions. After installation, you will need to change the permissions on two files (both configure.php).

    You will need to due the security patch as it is not incorporated in the 1.3.8a as yet.

    You will need to create a custom directory to keep customized files from being overwritten when you upgrade.

    You will need to delete the install directory and rename the admin directory (this means you'll have to edit BOTH config files) and set the permissions back to 444 for the config files.

    If you are storing any credit card data, you will want to add the PCI patch as well.
    A little help with colors.
    myZenCartHost.com - Zen Cart Certified, PCI Compatible Hosting by JEANDRET
    Free SSL & Domain with semi-annual and longer hosting. Updating 1.5.2 and Up.

  7. #17
    Join Date
    Jan 2004
    Location
    N of San Antonio TX
    Posts
    9,701
    Plugin Contributions
    11

    Default Re: User Permissions / Configuration / Potential Security Risk

    You need to run away from PHP 4.49. If your host is not staying current, something WILL happen and probably soon.
    A little help with colors.
    myZenCartHost.com - Zen Cart Certified, PCI Compatible Hosting by JEANDRET
    Free SSL & Domain with semi-annual and longer hosting. Updating 1.5.2 and Up.

 

 
Page 2 of 2 FirstFirst 12

Similar Threads

  1. Security Risk - HTMLArea Image Manager
    By beasleybub in forum All Other Contributions/Addons
    Replies: 7
    Last Post: 17 Jan 2011, 06:17 AM
  2. Weird order - Korea - security risk?
    By mcarbone in forum Managing Customers and Orders
    Replies: 3
    Last Post: 26 Mar 2010, 09:53 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg