
oscMax Admin reports configure.php as writeable when it is not

This is a discussion on "oscMax Admin reports configure.php as writeable when it is not" within the osCmax v2 Customization/Mods forums, part of the osCmax v2.0 Forums category.

  1. #1
    New Member
    Join Date
    Mar 2011
    Location
    Croydon (Melbourne), Victoria, Australia
    Posts
    26
    Rep Power
    0


    Default oscMax Admin reports configure.php as writeable when it is not

    Hi

    I did a fresh install of v2.5beta3 and found when I was in the Admin Home page that it was reporting the configure.php file as being writeable when I knew that I had set permissions correctly.

    I found that the admin page was not differentiating between the catalog configure and the admin configure files.

    I wrote a blog on it and included the code changes that I made at

    Tonys Tech Blog » Blog Archive » oscMax Admin page reports configure.php as writeable when it is not

    But my WordPress site is not set up to handle 'code' politely and is messing with the formatting. So I've copied the changes here.

    Two files need changing:

    admin/includes/languages/english/index.php
    modify the setting at line 115

    Code:
    define('WARNING_CONFIG_FILE_WRITEABLE', 'Error: I am able to write to the catalog configuration file: ' . (DIR_FS_CATALOG) . 'includes/configure.php. This is a potential security risk - please set the right user permissions on this file.');
    :: only change is to add the word ‘catalog’ in the text.

    Then add a new constant setting at line 116
    Code:
    define('WARNING_ADMIN_CONFIG_FILE_WRITEABLE', 'Error: I am able to write to the admin configuration file: ' . (DIR_FS_ADMIN) . 'includes/configure.php. This is a potential security risk - please set the right user permissions on this file.');
    :: the main changes here highlight that it's the admin configure file that is the issue.

    Then update the system.php file that calls the above messages:
    :: the main changes are copying the config check to test the catalog configure, the nesting of the dirname function to get the parent directory for the catalog, and the change to the code comments to differentiate between the two checks.

    admin/includes/modules/dashboard/system.php
    at around line 117 to replace the section referring to the configure file with the following code:

    Code:
    <!-- Start check for catalog configure file -->
    <?php
      if ( (file_exists(dirname(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME'])) . '/includes/configure.php')) && (is_writeable(dirname(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME'])) . '/includes/configure.php')) ) { $system_permission_errors++; ?>
    <tr>
      <td class="messageStackError"><?php echo tep_image(DIR_WS_ICONS . 'error.gif') . ' ' . WARNING_CONFIG_FILE_WRITEABLE; ?></td>
    </tr>
    <?php } ?>
    <!-- End check for catalog configure file -->

    <!-- Start check for admin configure file -->
    <?php
      if ( (file_exists(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) && (is_writeable(dirname($HTTP_SERVER_VARS['SCRIPT_FILENAME']) . '/includes/configure.php')) ) { $system_permission_errors++; ?>
    <tr>
      <td class="messageStackError"><?php echo tep_image(DIR_WS_ICONS . 'error.gif') . ' ' . WARNING_ADMIN_CONFIG_FILE_WRITEABLE; ?></td>
    </tr>
    <?php } ?>
    <!-- End check for admin configure file -->

    Save your files and test by changing the permissions on each configure.php file to being writeable. Change the permissions back and in future the Admin screen will highlight if you have unwanted changes to the permissions.

    cheers
    Tony
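
Added example (not part of the original post or of osCmax): a command-line check of the same two files that reads the permission bits directly, which is useful next to the dashboard warning because PHP's `is_writeable()` only answers for the web server's own user. It assumes the admin directory is named `admin` under the catalog root; `file_mode` and `audit_configure` are names made up for this example.

```shell
#!/bin/sh
# Added example: audit both osCmax configure.php files by permission bits.
# Assumption: the admin directory is named "admin" under the catalog root.

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report each configure.php as OK, WRITABLE or MISSING.
# Returns 1 if any file has a write bit set for owner, group or other.
audit_configure() {
    root=$1
    rc=0
    for rel in includes/configure.php admin/includes/configure.php; do
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            printf 'MISSING - %s\n' "$rel"
            continue
        fi
        mode=$(file_mode "$f")
        # 0222 masks the three write bits; the leading 0 makes the mode octal.
        if [ $(( 0$mode & 0222 )) -ne 0 ]; then
            printf 'WRITABLE %s %s\n' "$mode" "$rel"
            rc=1
        else
            printf 'OK %s %s\n' "$mode" "$rel"
        fi
    done
    return $rc
}

# Usage: sh audit_configure.sh /path/to/catalog
if [ $# -gt 0 ]; then
    audit_configure "$1"
fi
```

A file reported as WRITABLE with mode 644 will also trigger the dashboard warning when the web server runs as the file's owner.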

  2. #2
    osCMax Developer

    michael_s's Avatar
    Join Date
    Jul 2002
    Location
    Phoenix, AZ
    Posts
    19,907
    Rep Power
    568


    Default Re: oscMax Admin reports configure.php as writeable when it is not

    This was already fixed for the upcoming RC release - nice work though, even if you are a little late to the dance!

    It was fixed a while back:
    0000583: System info shows incorrect path when admin configure.php is writable causing confusion. - osCmax Bug Tracking System
    Michael Sasek
    osCMax Developer



  3. #3
    osCMax Development Team met00's Avatar
    Join Date
    Oct 2005
    Location
    wherever I happen to be at the moment
    Posts
    854
    Blog Entries
    2
    Rep Power
    26


    Default Re: oscMax Admin reports configure.php as writeable when it is not

    Tony, just a heads up when working in 2.5 Beta or even RC1.

    Always check the bugtracker first. The fix you are looking for may already exist.

    In addition, if you are making any changes to a beta (or even an RC), take copious notes. For example...

    Code:
    added distributors.php to admin
    added distributors.php to admin/includes/languages/english
    added distributors defines to admin/includes/languages/english/core.php
    added distributors table to admin/includes/database_tables.php
    added distributors to admin/include/filenames.php
    added distributors to admin/includes/boxes/catalog.php 
    mods to products table
    - added products_cost
    - ALTER  TABLE  `products`  ADD  `products_cost` DECIMAL( 15, 4  )  NOT  NULL  COMMENT  'product cost' AFTER  `products_msrp` ; 
    - added distributors_id
    - ALTER  TABLE  `products`  ADD  `distributors_id` INT( 11  )  NOT  NULL  COMMENT  'distributor id' AFTER  `manufacturers_id` ; 
    - added products_oversized
    - ALTER  TABLE  `products`  ADD  `products_oversized` INT( 1 )  NOT  NULL  COMMENT  'product special order' AFTER  `products_min_order_qty` ; 
    - added products_specialorder
    - ALTER  TABLE  `products`  ADD  `products_specialorder` INT( 1 )  NOT  NULL  COMMENT  'product special order' AFTER  `products_oversized` ; 
    orders_products table
    - added products_cost
    - ALTER  TABLE  `orders_products`  ADD  `products_cost` DECIMAL( 15, 4  )  NOT  NULL  COMMENT  'product cost' AFTER  `products_price` ; 
    added products_cost to: catalog/checkout_process.php
    added products_cost to: catalog/includes/classes/shopping_cart.php
    added products_cost to: catalog/includes/classes/order.php

    In line code should look like

    Code:
    //BOF: cost
       $cost_query = tep_db_query("select products_cost from " . TABLE_PRODUCTS . " where products_id = '" . tep_get_prid($order->products[$i]['id']) . "'");
       $cost_value = tep_db_fetch_array($cost_query);
    // EOF: cost

    This is time consuming, but the upside is that when you get the next Beta, or the RC you can replace/update files not touched quickly and apply any changes to the files you did touch with much less time spent wondering what was touched and what was not. The inclusion of the SQL to update the database makes it easy to get your database back to where it was in your development environment.
    so endith the lesson
    <think>sometimes I just sit's and thinks</think>
    "Here you are with a hand full of holes, a thumb up your ass, and a big grin to pass the time of day with." - TWB

  4. #4
    osCMax Development Team
    pgmarshall's Avatar
    Join Date
    Feb 2009
    Location
    London
    Posts
    2,678
    Rep Power
    49


    Default Re: oscMax Admin reports configure.php as writeable when it is not

    Hi again Tony,

    Having had a browse through your blog I would suggest that you test out osCmax using the SVN version of osCmax ... the development has been quite rapid recently and I wouldn't want you duplicating work unnecessarily.

    I would also be interested in hearing what you think of osCmax (being a potential convert from osCommerce and CRE) ... anything missing that should go into v2.6?

    Regards,
    pgmarshall
    _______________________________

  5. #5
    New Member
    Join Date
    Mar 2011
    Location
    Croydon (Melbourne), Victoria, Australia
    Posts
    26
    Rep Power
    0


    Default Re: oscMax Admin reports configure.php as writeable when it is not

    Quote: Originally Posted by met00
        Tony, just a heads up when working in 2.5 Beta or even RC1.

        Always check the bugtracker first. The fix you are looking for may already exist.

    Doh!

    I must have had a 'little boy look' as I did not find it.......

  6. #6
    New Member
    Join Date
    Jun 2011
    Posts
    23
    Rep Power
    0


    Default Re: oscMax Admin reports configure.php as writeable when it is not

    If there had been a fix, how come it is happening to my admin? How can I change it?

  7. #7
    osCMax Development Team
    pgmarshall's Avatar
    Join Date
    Feb 2009
    Location
    London
    Posts
    2,678
    Rep Power
    49


    Default Re: oscMax Admin reports configure.php as writeable when it is not

    Because you are using RC1 ... the current work is being done on RC2 ... You can change it by looking in the Google Code link in the header marked "Developers" ... find the fix linked above and hand code the changes ...

    Regards,
    pgmarshall
    _______________________________

  8. #8
    New Member
    Join Date
    Jun 2011
    Posts
    23
    Rep Power
    0


    Default Re: oscMax Admin reports configure.php as writeable when it is not

    That's a little bit complicated for me... I might as well wait for the RC2. Thanks again.
