[Security] osCommerce Security Fix


Monday, July 12th, 2010 - Security

Update July 19, 2010 1:15PM CDT – We have applied the fix to the osCommerce admin directories. For more information see our updated post.

As we stated in a previous post, we have recently had security concerns regarding osCommerce scripts, and the osCommerce project apparently does not intend to fix the underlying security holes. Instead, they have published a workaround: password protecting the admin directory, which contains the administrative area used to make changes to the shopping catalog of your osCommerce script. This is a far cry from actually fixing the security issue, but it is better than nothing.

In practice this means that osCommerce administrative users will have to log in twice to reach the administrative side of their osCommerce script: once for the Apache based directory protection and once for the osCommerce login itself. This is a less than ideal solution, but again it is the only solution osCommerce is presenting.

It should be noted – We will be password protecting these admin directories ourselves in the next few days if you have not already password protected the area yourself. We will be using random passwords, which will effectively lock you out of the administrative portion of your osCommerce install. This is meant to protect you and your website from hacking. If you want to remain in control of your osCommerce administrative area, then you should password protect your osCommerce admin directory yourself with a username and password that you know. Instructions for doing so are given below. If your admin directory is already password protected when we go through and perform our check, then we will not re-protect it or change its password. If you find yourself locked out because of our password protecting of this directory, you will need to open a support ticket with your account login credentials so that we can verify your account ownership.

To password protect your osCommerce admin directory, you will first need to log into your cPanel:

http://www.yourdomain.com/cpanel

Once you have logged in, find the section labeled Security and click the link labeled Password Protect Directories.

This will bring up a dialog box asking you from what directory do you want to start. Select the option for Web Root.

Now navigate your way into the directory containing your osCommerce admin directory. Click the folder icon beside the directory name to navigate into that directory. For example, if your osCommerce catalog is located in the directory:

/home/user/public_html/catalog

Then you would click on the folder beside the directory name catalog to navigate inside the catalog directory. It is important that you don’t navigate into the admin directory, you just want to navigate into the directory containing the admin directory.

Once you have done this, click on the admin directory name (not the folder icon).

This will take you to a page where you can turn on Directory Protection for that directory. This is a two part system. First you have to enable directory protection on this directory and then secondly you have to assign a username and password to access the directory under directory protection.

The first part is enabling directory protection. Complete the top part, under Security Settings, and click Save. This enables directory protection for this directory, but it does not yet assign a username and password to the area. Click on the link Go Back to return to the previous page.

Now you will want to add a username and password to access this area.

You can use whatever you want for the Username and Password, but I do recommend making them unique: use a long, random password, and do not reuse your osCommerce administrative username and password. The value of the second login is that one stolen credential does not open both doors.

When you have this filled out click on Add/modify authorized user.

Now navigate to your osCommerce admin area as you normally would. You should get a browser dialog box asking you for the username and password to access the Authorized Area. This is the username and password you just created with Directory Protection. You will then be presented with your osCommerce administrative login page, where you enter your osCommerce administrative username and password.
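For readers who want to see what cPanel's Password Protect Directories feature actually puts in place, or who need to do the same thing on a server without cPanel, here is an added example (it is not code from the original post, from osCommerce, or from cPanel). Apache directory protection amounts to an .htaccess file in the admin directory that points at an htpasswd file holding the hashed credentials. The script below builds both files by hand, checks that the password file lives outside the web root, and verifies from the outside that the admin URL now answers 401 without credentials. All paths, the username shopadmin, the demo password and the example URL are assumptions; adjust them to your account.

```shell
#!/bin/sh
# Added example (not from the original post, osCommerce or cPanel):
# the .htaccess/.htpasswd pair behind Apache directory protection,
# written by hand so you can see and check what it does.
# Every path, user name and password below is an assumption.

set -eu

# Emit the .htaccess body that turns on HTTP Basic authentication for the
# directory it is placed in. $1 = absolute path of the htpasswd file.
make_htaccess() {
    printf 'AuthType Basic\nAuthName "Authorized Area"\nAuthUserFile "%s"\nRequire valid-user\n' "$1"
}

# Return 0 when the password file sits outside the document root, 1 otherwise.
# A password file under public_html could be fetched over HTTP if a
# misconfiguration ever stops Apache from denying .ht* files.
# $1 = htpasswd path, $2 = web root.
passwd_file_outside_webroot() {
    case "$1" in
        "$2"/*) return 1 ;;
        *)      return 0 ;;
    esac
}

# Add or replace one user in an htpasswd file. The password is read from
# stdin rather than passed as an argument so it never shows up in `ps`.
# The hash is openssl's APR1 (MD5-crypt) scheme, which Apache understands.
# The web server user must be able to read the resulting file.
# $1 = htpasswd file, $2 = username.
add_htpasswd_user() {
    file=$1
    user=$2
    digest=$(openssl passwd -apr1 -stdin)
    touch "$file"
    # Drop any existing line for this user, then append the new one.
    grep -v "^$user:" "$file" > "$file.tmp" || true
    printf '%s:%s\n' "$user" "$digest" >> "$file.tmp"
    mv "$file.tmp" "$file"
}

# Confirm protection from the outside: an unauthenticated request to the
# admin area must come back 401, not 200. $1 = admin URL.
check_protected() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    [ "$code" = "401" ]
}

# Self-contained demo in a temporary directory: `sh protect-admin.sh demo`.
# Mirrors the layout used in the post (/home/user/public_html/catalog/admin)
# with constructed paths and a constructed password.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    webroot=$tmp/public_html
    mkdir -p "$webroot/catalog/admin"
    passwd_file=$tmp/.htpasswds/catalog-admin      # outside the web root
    mkdir -p "$(dirname "$passwd_file")"
    passwd_file_outside_webroot "$passwd_file" "$webroot"
    printf '%s\n' 'correct horse battery staple' | add_htpasswd_user "$passwd_file" shopadmin
    make_htaccess "$passwd_file" > "$webroot/catalog/admin/.htaccess"
    cat "$webroot/catalog/admin/.htaccess" "$passwd_file"
    # On a live site you would then run, for example:
    #   check_protected https://www.yourdomain.com/catalog/admin/
fi
```

Two caveats a practitioner should keep in mind. HTTP Basic authentication sends the username and password, merely base64-encoded, with every request, so use the admin area over HTTPS only; otherwise the second login adds little against anyone who can watch the traffic. And if you are on cPanel, let its tool manage these files rather than editing them by hand, since it keeps its own copy of the password file; the script above is for understanding and checking the result, or for servers without cPanel.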

Scott