  1. #11
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: Remove old threads to stop hackers

    For our Clients, I usually set up extra security while still making it easy to use whatever script. This, along with our Server-wide security, makes it hard for bad things, security-wise, to happen within their account.

    For others, I can only suggest they follow these security steps and speak with their Hoster about beefing up security for their account. Scripts such as ZenCart, osCommerce, e107, and many others require very open settings on the front-end so that ease-of-use is provided within the back-end or Admin section.

    Perfect example is an images dir. Almost every type of the previously mentioned scripts require the 'images' dir. to have permissions of 777 -- so that one can use the 'images' dir. from within the Admin section. Currently, it requires using 755 permissions when not using it and changing to 777 when working in the Admin section, for uploading or working with images. Then, when finished, you change permissions back to 755; the default setting and very secure.

    Trouble is, most people forget to change permission back to 755 and thus, it is only a matter of time till they remember and change it or some hacker finds it wide open and abuses it.

  2. #12
    Join Date
    Jul 2006
    Posts
    134
    Plugin Contributions
    0

    Re: Remove old threads to stop hackers

    Thanks Rob

    In honesty, I have been a little lax with the permissions as the site is not live.
    But the hackers don’t seem to be that bothered if it’s live or not.
    Again, thanks for all your help.
    Andy

  3. #13
    Join Date
    Jun 2006
    Posts
    19
    Plugin Contributions
    0

    Re: Remove old threads to stop hackers

    Originally posted by Website Rob:
    ...
    Perfect example is an images dir. Almost every type of the previously mentioned scripts require the 'images' dir. to have permissions of 777 -- so that one can use the 'images' dir. from within the Admin section. Currently, it requires using 755 permissions when not using it and changing to 777 when working in the Admin section, for uploading or working with images. Then, when finished, you change permissions back to 755; the default setting and very secure.
    Now that zencart.org/images seems to be "hacked into" **edited**, please explain how anyone can upload *anything at all* to any directory with *no* scripts inside, no matter what the permissions are??! Answer is: you possibly couldn't, nor can anyone else, because it's not possible. Because Apache itself doesn't upload anything by itself at all, a "program" or script (like ZC) is required first to begin with! In other words: ZC is bugged, since this is not the first time such "(picture-)vandalism" etc. is reported and going on. If it was just for the permission(s) then ZC *itself* could change them (back) when/as required during file-upload or deletion etc. ... Anyway, the whole thing really sux now, and I guess the ZC developers not only ought to address this issue IMMEDIATELY but also owe everyone a better explanation than is currently to be found under section 9) (and also 6)) of the you-know-what secure-your-cart-"GUIDE"; it's *NOT* just permissions that cause something like this, that's far-fetched, unsubstantiated or better ... simply bollox ...
    Last edited by Kim; 25 Nov 2006 at 04:13 PM.

  4. #14
    Join Date
    Jan 2004
    Posts
    66,419
    Blog Entries
    7
    Plugin Contributions
    81

    Re: Remove old threads to stop hackers

    ca18, posting a reply to you is mostly a futile effort, as you appear to have a sinister agenda far beyond being genuinely concerned about security or being empathetic to a legitimate issue. Your numerous other negatively-toned posts essentially disqualify the majority of your arguments, as they demonstrate tyranny rather than being beneficial to the community at large.

    Nevertheless, for the sake of those reading this thread, it's worth pointing out that:
    *any* folder that is chmod 777 is vulnerable on a shared-hosting server if *any* *other* account on that server gets hacked via any vulnerability.

    For the record, the single hacked index.html file in the images folder of the zencart.org site was completely unrelated to any security vulnerability in Zen Cart. There are a number of ways to prove this if it were necessary, but frankly, it's none of your business.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
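
An added example, not written by any poster in this thread and not Zen Cart code: a small audit for the situation discussed above, where an images directory is left at 777 after admin work. It lists everything under a web root that is writable by "other" and can reset it to 755. The function names and the 644 mode for files are assumptions made for this example.

```python
import os
import stat
import sys

SAFE_DIR_MODE = 0o755   # the "default setting" named in the thread
SAFE_FILE_MODE = 0o644  # assumption: common mode for static files, not stated in the thread


def iter_entries(root):
    """Yield root itself and every directory and file beneath it."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not descended into
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def find_world_writable(root):
    """Return sorted (path, octal mode) pairs for entries writable by 'other' (777, 666, ...)."""
    hits = []
    for path in iter_entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits carry no meaning
        if st.st_mode & stat.S_IWOTH:
            hits.append((path, oct(stat.S_IMODE(st.st_mode))[2:]))
    return sorted(hits)


def lock_down(root):
    """Reset each world-writable entry to the safe mode and return the paths changed."""
    changed = []
    for path, _mode in find_world_writable(root):
        safe = SAFE_DIR_MODE if os.path.isdir(path) else SAFE_FILE_MODE
        os.chmod(path, safe)
        changed.append(path)
    return changed


if __name__ == "__main__":
    # Usage: python audit_perms.py /path/to/webroot [--fix]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for found_path, found_mode in find_world_writable(target):
        print(f"{found_mode}  {found_path}")
    if "--fix" in sys.argv[2:]:
        for fixed_path in lock_down(target):
            print(f"reset  {fixed_path}")
```

Run without `--fix` from a scheduled job to get a report of anything left open; the reset is only useful where the web server can still write uploads under 755 on that host.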

 

 