Error: I am able to write to the configuration file....even though its set to 444

[sandersonsite]

When I log into the store admin I get this warning...

Error: I am able to write to the configuration file: /home/xyz/public_html/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

I have set and reset and deleted and recreated and reset etc etc the permissions on that file without any change.

Currently it's set to 0444

Any suggestions would be appreciated.

Cheers
Jay

[michael_s]

Try chmod 400 and also make sure you set both the catalog and admin configure.php files - there are two!

[sandersonsite]

Again thanks for the help. I did not realise there were 2. Once I set the permissions on the admin one it was all good.

[ridexbuilder]

http://wiki.oscdox.com/v2.5/oscmax_docs

[articleck]

I am also having this problem

Warning: I am able to write to the configuration file: /home/askdanbl/public_html/store/includes/configure.php. This is a potential security risk - please set the right user permissions on this file.

File permission are 644 which as far as I know is secure. I cannot set the permissions any lower. If I try 444 the permissions revert back to 644

2 questions?

1. Are 444 permissions securtiy overkill? 644 should be secure.
2. Is there anyway to remove the error message from the public store?

If there is really no problem with 644 permissions, removing the message from the public store will fix my problem.

[articleck]

I am sorry if this comes across the wrong way, but don't you think the biggest security problem here is that the script is advertising the everyone who visits that the store is insecure?

Why is this "insecure store" warning appearing on the public site?

[articleck]

Going to have to uninstall until this is worked out. I don't want to get hacked because my store is asking people to hack it.

[pgmarshall]

I would stick with 444 as per the wiki instructions ... are you sure you have done this on BOTH configure.php files?

Otherwise,

Just edit catalog/admin/includes/modules/dashboard/system.php

Look for: <!-- Start check for configure file -->

You can remove that section - but I would strongly recommend that you just fix the permissions on BOTH of the configure files.

Security is a real issue in the eCommerce world and this code is just checking if the configure file is writable which it should not be.

Regards.

[pgmarshall]

Sorry I mis-read your post ... you want to remove from the public side.

It is there because the old system did not warn you from within admin. (and probably should be removed!)

Go to: catalog/includes/warnings.php

and remove the bit after:

// check if the configure.php file is writeable

Leave the other bit - that was the code within the admin panel! Which I thought was a bit odd for you to ask to remove!!

Regards.

[pgmarshall]

I have actually just updated this in the core since it makes no sense to broadcast insecurities to the outside world.

r1550 - oscmax2 - osCmax - osCommerce Maximized - Google Project Hosting

If you follow the link above you will be able to see which bit of code to remove.

Thanks for pointing it out.

Regards.