Secure your osCommerce store!

Chris Diaz October 31, 2011

Security has always been one of the most important concerns for any e-commerce store owner. In this article we will show you some ways to improve the security of your osCommerce 2.2 store and increase the safety of your store visitors.

The osCommerce 2.2 engine itself has several vulnerabilities, and it is very important to fix them so that they are not used by some “evil wishers”. Moreover, since osCommerce is an open-source product, thousands of developers are working to provide you with plugins and contributions that extend the functionality of your store, add new features and opportunities. But when you install any third-party plugin, can you be sure it does not add more vulnerabilities to your store?

Let’s start from the basic things.

Remove Install directory

When you open your installed osCommerce website for the first time you can see warning messages at the top of the page. One of them is related to the “install” directory:

Warning: Installation directory exists at: …/install. Please remove this directory for security reasons.

You can go two ways from this point:

  • Delete the “install” directory from the osCommerce folder on your server (Recommended)
  • Rename the “install” folder (to “install1” for example).

Set permissions

The other two warnings are related to the correct CHMOD permissions of the configuration files. Feel free to check the detailed tutorial on how to resolve the permissions warning message.

Also note that the CHMOD permissions of other directories should not exceed 755. If your hosting requires 777 permissions on folders, it is time to consider a new hosting provider.

Secure administration panel

For the moment two things can be done:

  • rename the admin directory
  • add the .htaccess protection to the renamed directory

Renaming the admin directory has always been a good measure, but it was never prominently recommended during the installation process. After you rename the admin directory you will have to change two lines in renamed_admin_directory/includes/configure.php:

	define('DIR_WS_ADMIN', '/renamed_admin_directory/');
	define('DIR_FS_ADMIN', '/path/to/directory/renamed_admin_directory/');

For password protecting of your admin directory you can use the Password Protect feature in your web hosting control panel. Please contact your hosting provider for more details.

Remove Filemanager

It has long been known that the file manager is a security risk and should be removed. If it is used to edit your website it can corrupt your files, so it is a bad utility to keep anyway. It has also been known to be a possible hacking route, and, worse, there is now a very nasty hack that uses the file manager to gain access to your site.

To remove filemanager please follow the steps below:

  1. Open your osCommerce installation directory and delete file_manager.php from the catalog/admin folder.
  2. Open the “admin/includes/boxes/tools.php” file and delete the line that adds the File Manager link (the line containing BOX_TOOLS_FILE_MANAGER); in osCommerce 2.2 it reads:
    	'<a href="' . tep_href_link(FILENAME_FILE_MANAGER, '', 'NONSSL') . '" class="menuBoxContentLink">' . BOX_TOOLS_FILE_MANAGER . '</a><br>' .
  3. It is also known that “admin/define_language.php” is as vulnerable to hackers as the file manager, so it should be deleted as well.

Secure the Forms

Security Pro cleans the query string; however, any forms using $_POST are unaffected. If you have any forms that use the POST method, it is recommended that you do the following on the pages that accept $_POST variables.

Open the file with the form that uses POST method and after:

	require('includes/application_top.php');

add the following:

	// clean posted vars: keep only whitelisted characters, drop any array values
	foreach (array_keys($_POST) as $key) {
		if (!is_array($_POST[$key])) {
			// decode first, then strip everything outside the allowed set
			$_POST[$key] = preg_replace("/[^ a-zA-Z0-9@%:{}_.-]/i", "", urldecode($_POST[$key]));
		} else {
			unset($_POST[$key]); // no arrays expected
		}
	}

Prevent injection attacks

Security Pro

The main goal of this contribution is to prevent any injection attacks on an osCommerce store through vulnerabilities in the query string ($_GET/$HTTP_GET_VARS). It’s a valuable addon for both osCommerce 2.2 and 2.3.

About the addon (info taken from the addon manual)

The first Security Pro was written in March 2008, when it became obvious that osCommerce stores were being hacked via the query string through badly coded contributions such as Testimonials. Is it still necessary with the new 2.3.X versions of osCommerce? Yes, it is still just as valid. Security Pro’s target is not the core osCommerce coding, which we all know is good; the target is the thousands of contributions, which are often badly written.

This is all new code but the concept remains the same. With Security Pro installed it is impossible to pass bad characters via the query string as long as the page loads application_top.php, which all osCommerce pages do.

The XSS .htaccess contributions are, in my opinion, worthless if this is installed, as they simply duplicate a small part of Security Pro’s functionality. The only exceptions I can see are REQUEST_METHOD and TRACE|TRACK.

The concept is simple but effective. Trying to blacklist the huge number of hack vectors, as the XSS scripts do, is a waste of time. The only answer is whitelisting, which is what Security Pro does very well.

Installation

The installation process is quick and easy, so you should not have any difficulties here.

  1. Download the addon package and extract the files
  2. Open the Security Pro package and go to the “upload > catalog” directory. Then upload the “includes” directory to your osCommerce root. That folder contains only one new file, so it will not harm your store.
  3. Now go to “catalog/includes” folder and open the “application_top.php” file
  4. Use the Find and Replace tool and locate the line
    	if ($request_type == 'NONSSL') {
    and add the following straight before it:
    	// Security Pro by FWR Media
    	include_once DIR_WS_MODULES . 'fwr_media_security_pro.php';
    	$security_pro = new Fwr_Media_Security_Pro;
    	// If you need to exclude a file from cleansing, add it like this:
    	//$security_pro->addExclusion( 'some_file.php' );
    	$security_pro->cleanse( $PHP_SELF );
    	// End - Security Pro by FWR Media

That’s all. The installation is complete.

How to check if it is working?

You have made some file modifications and uploaded a new file. I am sure you would like to test whether the addon works properly. For testing, open the Advanced Search page or use the search box. Paste the following mix into the search input field: [w](o)%3Cr%3Ek|i*n^g. Then run the search; the search query should be displayed as: “working”.
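
The $_POST snippet in “Secure the Forms” and the search-box check above both rely on the same idea: URL-decode, then strip everything outside a whitelist of characters. The following is an added example, not code from the post or from Security Pro (whose actual rules it does not reproduce), that wraps that idea in a function and runs it over constructed input.

```php
<?php
// Added example (not the post's snippet and not Security Pro's code): the
// decode-then-whitelist idea behind both, as a reusable function. The
// character class is the one the post uses for $_POST.
function whitelist_cleanse($value)
{
    // Decode first so %3C / %3E become < and > before filtering, then
    // remove (not escape) every character outside the allowed set.
    return preg_replace('/[^ a-zA-Z0-9@%:{}_.-]/', '', urldecode($value));
}

// Apply the cleanser to a whole request array ($_GET or $_POST), dropping
// nested arrays exactly as the post's snippet does ("no arrays expected").
function cleanse_request(array $vars)
{
    $clean = array();
    foreach ($vars as $key => $value) {
        if (!is_array($value)) {
            $clean[$key] = whitelist_cleanse($value);
        }
    }
    return $clean;
}

// Constructed sample input: the post's own search-box test vector, a
// typical script probe, a legitimate value the whitelist also mangles,
// and a nested array.
$sample = array(
    'keywords' => '[w](o)%3Cr%3Ek|i*n^g',
    'comment'  => '<script>alert(1)</script>',
    'name'     => "O'Brien, Sean",
    'opts'     => array('a' => '1'),
);

foreach (cleanse_request($sample) as $key => $value) {
    echo $key, ' => ', $value, "\n";
}
```

The test vector comes out as “working”, as the post’s check expects, but the name loses its apostrophe and comma: the whitelist is a blunt filter that belongs alongside, not instead of, osCommerce’s own tep_db_input() escaping on every query.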

Monitor site for unauthorised changes

Site Monitor

This contribution creates a record of your files so that they can be checked later. If any files have been added or deleted, or their size, timestamp or permissions have changed, you are notified via email.

The addon can be used for both osCommerce 2.2 or 2.3
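
Site Monitor’s baseline-and-compare idea, as an added example that is not the contribution’s own code: it records the attributes the post says are watched (size, timestamp, permissions) plus a content hash, and reports added, deleted and changed files. The storage path is an assumption.

```php
<?php
// Added example, not the Site Monitor contribution's own code: a minimal
// file baseline (size, mtime, permissions, content hash) and a comparison
// that lists added, deleted and changed files. Paths are assumptions.

// Walk a directory tree and record each file's attributes.
function build_baseline($root)
{
    $baseline = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if (!$info->isFile()) continue;
        $baseline[substr($path, strlen($root) + 1)] = array(
            'size'  => $info->getSize(),
            'mtime' => $info->getMTime(),
            'perms' => sprintf('%o', $info->getPerms() & 0777),
            'sha1'  => sha1_file($path), // catches edits that keep size and mtime
        );
    }
    ksort($baseline);
    return $baseline;
}

// Compare a stored baseline with a fresh one; the result is what the
// notification email would carry.
function compare_baseline(array $old, array $new)
{
    $report = array('added' => array(), 'deleted' => array(), 'changed' => array());
    foreach ($new as $file => $attrs) {
        if (!isset($old[$file])) {
            $report['added'][] = $file;
        } elseif ($old[$file] != $attrs) {
            $report['changed'][$file] = array_keys(array_diff_assoc($attrs, $old[$file]));
        }
    }
    foreach (array_keys($old) as $file) {
        if (!isset($new[$file])) $report['deleted'][] = $file;
    }
    return $report;
}

// Run once to store the baseline, then on a schedule (cron) to compare.
$store   = dirname(__DIR__) . '/sitemonitor_baseline.json'; // outside the monitored tree
$current = build_baseline(__DIR__);
if (is_file($store)) {
    print_r(compare_baseline(json_decode(file_get_contents($store), true), $current));
}
file_put_contents($store, json_encode($current));
```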

Installation

  1. Download the contribution and extract the files
  2. Depending on your version of osCommerce, open the oscommerce_2.3 or oscommerce_MS2_or_RC2 folder and copy the admin folder to your osCommerce root. Only the files used by this contribution will be overwritten.
  3. Open the admin/includes/languages/english.php file and add the following anywhere before the closing ?> tag:
    	// sitemonitor text in includes/boxes/sitemonitor.php
    	define('BOX_HEADING_SITEMONITOR', 'SiteMonitor');
    	define('BOX_SITEMONITOR_ADMIN', 'Admin');
    	define('BOX_SITEMONITOR_CONFIG_SETUP', 'Configure');
    	define('IMAGE_EXCLUDE', 'Exclude');
  4. Open the “admin/includes/filenames.php” file and add the following anywhere before the closing ?> tag:
    	define('FILENAME_SITEMONITOR_ADMIN', 'sitemonitor_admin.php');
    	define('FILENAME_SITEMONITOR_CONFIG_SETUP', 'sitemonitor_configure_setup.php');
    	define('FILENAME_SITEMONITOR_CONFIGURE', 'sitemonitor_configure.txt');
  5. Open the “admin/includes/column_left.php” file and add the following before the closing ?> tag:
    	require(DIR_WS_BOXES . 'sitemonitor.php');
    for osCommerce 2.2, and
    	include(DIR_WS_BOXES . 'sitemonitor.php');
    for osCommerce 2.3.
  6. Open osCommerce administration panel and go to admin->Sitemonitor->Configure. There you can configure the addon according to your needs.
  7. For more configuration settings check the readme.txt file from the addon package.

Block illicit access attempts with an IP trap

Secure your site with an IP trap

This contribution works by setting a trap in a folder that only a malicious program, or someone snooping around your site, would find (hackers use robots.txt to try to find sensitive files on your server). It then redirects them to a message page telling them they are blocked, at the same time writing their IP address to a file. If they try to return they will only get the blocked message.
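
The trap-then-block mechanism just described, as an added example that is not the IP Trap contribution’s own code: one function records the visitor’s address from the trap page, another is checked on every request and turns recorded addresses away. The log path, the blocked page and the sample addresses are assumptions.

```php
<?php
// Added example, not the IP Trap contribution's own code: the mechanism the
// post describes (a hidden trap page that records the visitor's address, and
// a check on every request that turns recorded addresses away). The log
// path and the blocked page are assumptions.
define('IP_TRAP_LOG', dirname(__DIR__) . '/ip_trap_blocked.txt'); // outside the web root

// The block list: one address per line, blank lines ignored.
function ip_trap_blocked_list($file = IP_TRAP_LOG)
{
    return is_file($file) ? array_filter(array_map('trim', file($file))) : array();
}

// Pass REMOTE_ADDR only: X-Forwarded-For is set by the client and must
// not decide who is blocked.
function ip_trap_is_blocked($ip, $file = IP_TRAP_LOG)
{
    return in_array($ip, ip_trap_blocked_list($file), true);
}

// Called from the trap page: a folder no real page links to and that
// robots.txt tells crawlers to stay out of, so only snooping reaches it.
function ip_trap_record($ip, $file = IP_TRAP_LOG)
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return false; // never write unvalidated input to the list
    }
    if (!ip_trap_is_blocked($ip, $file)) {
        file_put_contents($file, $ip . "\n", FILE_APPEND | LOCK_EX);
    }
    return true;
}

// The per-request check the post hooks into application_top.php.
function ip_trap_enforce($ip, $file = IP_TRAP_LOG)
{
    if (ip_trap_is_blocked($ip, $file)) {
        header('Location: /blocked.php'); // assumed "you are blocked" page
        exit;
    }
}

// Constructed walk-through against a temporary file instead of the real log.
$tmp = tempnam(sys_get_temp_dir(), 'iptrap');
ip_trap_record('203.0.113.7', $tmp); // documentation-range address
var_dump(ip_trap_is_blocked('203.0.113.7', $tmp), ip_trap_is_blocked('198.51.100.2', $tmp));
unlink($tmp);
```

Keep the block list outside the web root and let it expire entries after a while: shared addresses (offices, mobile carriers) would otherwise lock out legitimate customers indefinitely.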

Installation

  1. Download the addon package and extract the files
  2. Open the addon package and go to the “catalog” folder.
  3. Upload all files and folders to the root of your osCommerce installation.
  4. Go to the “personal/index.php” file and replace the sample email address with your own email address:
    	$emailad = 'you@yoursite.com';
    Make sure you keep it within the apostrophes.
  5. Open the “includes/application_top.php” file and find the lines:
    	// include the list of project filenames
    	require(DIR_WS_INCLUDES . 'filenames.php');
    After these lines add:
    	// IP Trap V5
    	include(DIR_WS_INCLUDES . 'secret.php');
  6. That’s all. The addon is installed.

For more information about the addon configuration please check the “install.txt” file from the addon package.

Htaccess protection

Protect your site via htaccess

This contribution contains scripts that help you protect your site via your .htaccess file. It’s a collection of .htaccess scripts to help protect you from the nasties out there. With lots of attacks going on, this file bans lots of bad bots, libwww-perl in particular, which will take all your bandwidth. .htaccess cannot be used on a Windows server.

  1. Download the addon package and extract the files
  2. Open htaccess_protection.html file in your browser and use the htaccess scripts adding them to the .htaccess file located in your osCommerce installation.

Usage of .htaccess scripts requires some advanced skills, so if you are not familiar with them, please make sure to back up the .htaccess file before performing any modifications.

This entry was posted in OsCommerce Tutorials and tagged osCommerce, security.