
Left in the dark...


      
  1. #1
    Lurker
    Join Date
    Dec 2009
    Location
    PA
    Posts
    1
    Rep Power
    0


    Left in the dark...

    Hi gang,

    Great to find this forum. I currently have v2.0 loaded and have been using it for several years. A friend of mine has been doing all the web work for me, which leaves me free to do my job. He has been unavailable for some time now, which leaves me to fend for myself, plus as my username implies... I have very limited knowledge when it comes to php, well anything code based to be honest. Today I was stressed out with customers complaining about getting spam from my site (heard this before I'm sure) and did some fast research to find the security holes that I didn't know about with osCMax. I think I took care of at least 2 of them: removed the two php lines and added the application top patch. I will be searching the forum for more info but if anyone can provide tips send them my way. I have no idea what is involved to upgrade to v2.0.4, totally in the dark.

    Thanks, CF

  2. #2
    osCMax Development Team
    ridexbuilder's Avatar
    Join Date
    Jul 2008
    Location
    Haggisland
    Posts
    2,941
    Rep Power
    34


    Re: Left in the dark...

    Welcome to the forums.

    The simplicity of an upgrade will very much depend on how much customisation has been done to your installation.
    You say that you have version 2.0 of 'Max - is that the exact version or is it more like osCMax 2.0.1 etc.?
    If your installation is using a customised template and it has been done properly (not just changed fallback, for example), then an upgrade is considerably easier. Unless you have an osCommerce template 'shoe-horned' into 'Max, which could get quite involved.

    A good search of the forums (using the Google option) may reveal some upgrade assistance and gotchas. Posting in the relevant forum, for someone to do it for you may be an option, if time is of the essence and/or you feel that you lack knowledge.

    EJ

    Please read: http://wiki.oscdox.com/setting_up_security
    Last edited by ridexbuilder; 12-24-2009 at 04:00 PM. Reason: Added in PGM's link
    Hosting plans with installation, configuration, contributions, support and maintenance.

  3. #3
    Active Member
    Join Date
    Jun 2008
    Posts
    195
    Rep Power
    4


    Re: Left in the dark...

    Ridexbuilder,

    Thank you very much for the link but in regards to Item 7 being a 'blank page'...

    A simple google search of SiteMonitor results of:

    SiteMonitor | Monitor your websites

    Is this what is supposed to eventually get into the wiki?

    And then further down we have another unknown :

    http://wiki.oscdox.com/suphp_check

    I also just noticed (and I am sorry) that this is the introduction thread, I am sorry.

    Seeing how I am unable to edit the security wiki, and looking forward to the unknowns it still contains...an addition of a "step" would also be to inside robots.txt

    User-agent: *
    disallow: /cart/YOUR-ADMIN-DIRECTORY-NAME


    Thanks
    Last edited by trochia; 12-26-2009 at 07:17 AM.

  4. #4
    osCMax Development Team
    ridexbuilder's Avatar
    Join Date
    Jul 2008
    Location
    Haggisland
    Posts
    2,941
    Rep Power
    34


    Re: Left in the dark...

    Didn't write the wiki pages
    They are relatively new and PGM has been putting in a vast effort to them - they are constantly being updated.

    Re: the 'missing' links - yep, your guesses are as good as mine. They do form a pointer to do further research, however and with a little effort.... try osCommerce contribs.

    Re: robots.txt
    You've raised a valid point, in that it would be useful to include at least a sample one. The 'standard' osCommerce one can form a pretty good start.
    osCommerce Community Add-Ons
    Last edited by ridexbuilder; 12-26-2009 at 07:41 AM.

  5. #5
    Active Member
    Join Date
    Jun 2008
    Posts
    195
    Rep Power
    4


    Re: Left in the dark...

    Yes, and thank you for the reply. As for PGM and additions...will look nice and save so much time over thread searching...and never finding exact matches.

    As for the siteMonitor that would have been my next step (dig osc forums) but now I am trying to figure out why after doing a simple /admin rename and changing in the config files..

    That I no longer am able to log in and use or create links?

    Affiliate Program: Affiliate Links

    I have changed it back to /admin now...yet when I log into an Affiliate account I had created...(and had no problem creating banners) for some reason products pop up does not work anymore?

    The only other thing I have done is turn off a few InfoBox items...and left affiliate showing.

  6. #6
    osCMax Development Team
    ridexbuilder's Avatar
    Join Date
    Jul 2008
    Location
    Haggisland
    Posts
    2,941
    Rep Power
    34


    Re: Left in the dark...

    Can you post your URL? (hopefully you've a strong password on Admin. and locked it down with .htaccess - cPanel can set this up for you using password protection on directories )

    When you changed the Admin. directory name, did you clear your browser cache? Might've caused the issue.

    [I'm not au fait with affiliate stuff - none of my clients use it and you may have to wait for someone else to come along, to fix that.]

  7. #7
    Active Member
    Join Date
    Jun 2008
    Posts
    195
    Rep Power
    4


    Re: Left in the dark...

    Thanks again for the reply, right now I am trying to track-figure it out..??

    Laugh.. as that is the only thing I have done...other than InfoBox switches.

    Affiliate Program - Build a Link, nothing is no longer showing... I had "cloned" a DIR per another example of Michael's... from 'fallback' to "32" etc... but never made any file changes..as I was going to start to attempt a simple template mod later.

    I have reverted back to Fallback...and have cleared browser cache, rebooted server etc...and yet somehow have lost all pop ups for >

    to view available products.
    Select the product number from the popup window and enter the number in the Build A Link field.

    I also have manually tossed the *.jpg into /images and /images/banners dir.

    Well, I have learned from many attempts at this...is even backups...don't work...but yet another fresh install.. and start over.. (and over...and over...lol)...and venting out loud....

    But once again, I will just fresh install..,.and try to duplicate everything up until today...to see why it stopped working and when..in hopes of solving why.
    Last edited by trochia; 12-26-2009 at 09:00 AM.

  8. #8
    osCMax Developer

    michael_s's Avatar
    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,477
    Rep Power
    567


    Re: Left in the dark...

    Just a note about robots.txt, it is actually a bad idea to put in a robots.txt, as it tells would-be hackers exactly what your file structure is. PCI compliance recommendations are that you do not use a robots.txt file, other than very generic, and you limit access to things you want kept private and not indexed by other means.
    Michael Sasek
    osCMax Developer
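
Added example (not from the thread or the osCMax project): a small Python check a store owner can run over their own robots.txt to list `Disallow` entries that advertise a private location, which is the disclosure described in the post above. The hint-word list and the sample file are assumptions constructed for illustration.

```python
import re

# Assumed hint words for paths an owner usually wants private (illustrative list).
SENSITIVE_HINTS = re.compile(r"admin|backup|install|config|private|tmp", re.I)

def parse_robots(text):
    """Return a list of (user_agents, disallowed_paths) groups."""
    groups, agents, paths, in_rules = [], [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()                      # field names are case-insensitive
        if field == "user-agent":
            if in_rules:                           # rules seen: a new group starts
                groups.append((agents, paths))
                agents, paths, in_rules = [], [], False
            agents.append(value)
        elif field == "disallow":
            in_rules = True
            if value:                              # empty Disallow blocks nothing
                paths.append(value)
        elif field == "allow":
            in_rules = True
    if agents:
        groups.append((agents, paths))
    return groups

def disclosed_paths(text):
    """Disallow entries that reveal where something private lives."""
    findings = []
    for _agents, paths in parse_robots(text):
        for path in paths:
            if path != "/" and SENSITIVE_HINTS.search(path):
                findings.append(path)
    return findings

# Constructed sample: the entry proposed earlier in the thread plus generic rules.
SAMPLE = """\
User-agent: *
disallow: /cart/YOUR-ADMIN-DIRECTORY-NAME
Disallow: /images/   # harmless

User-agent: ExampleBot
Disallow: /
"""

if __name__ == "__main__":
    for path in disclosed_paths(SAMPLE):
        print("robots.txt discloses:", path)
```

Any path this reports is better removed from robots.txt and protected by access control instead, such as the .htaccess password protection mentioned earlier in the thread.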



  9. #9
    Active Member
    Join Date
    Jun 2008
    Posts
    195
    Rep Power
    4


    Re: Left in the dark...

    Hello Michael and hope Christmas went well and thx for the reply.

    Also a good point regarding robots.txt.

    Now, as long as I have just done another fresh install..as somewhere doing some of the wiki mods...for security etc...something went haywire on the affiliate end..

    Just a suggestion from the 'get go' as for possibly adding to the install routine? (If easy enough)

    Would be to 'suggest the renaming' of the /admin folder...right then and there??

    As face it...it's your canned install...This way, one less thing right from the start...to not have to ever mess with again?

    Again, just a suggestion...but if it is an exploit...that is known...and that is the only workaround... It seems like an intelligent location and time to advise and get it taken care of.

  10. #10
    osCMax Development Team
    pgmarshall's Avatar
    Join Date
    Feb 2009
    Location
    London
    Posts
    2,427
    Rep Power
    47


    Re: Left in the dark...

    Wiki has been updated with Sitemonitor info - apologies for the oversight ... quite a lot of new pages in the Wiki.

    We have been discussing adding the admin directory name change to the default install recently and with a bit of luck we should have it coded in for 2.1 ...

    Due to the number of stores running osCommerce and osC variants and the open source nature of the source code it does attract a lot of hackers ... but as long as you follow the wiki and keep an eye open for updates to the code you should be okay.

    Remember to back up your dbase and files regularly ... there is a mod that can be run as a CRON job ...

    Regards,
    pgmarshall