Dear Daniel,
first of all THANK YOU A LOT for the hard work you do for free!!!
I'd like to submit this request because of a little "security issue".
It would be nice if you could entirely hide the version of the installed OpenCart under http://www.mysite.com/admin
The version should be shown only to logged-on administrators and not to the entire world.
Thank you for your attention.
Bye Kess.
You shouldn't even be allowing the world to see your admin page
Hiding the version number is not really going to help with security. A script kiddie is going to hack away if it is version 0.1 or 3.9!
930sc ... because it is fun!
SapporoGuy wrote: You shouldn't even be allowing the world to see your admin page
It shows up in the admin log-in screen, which anyone can get to on a default installation. The best thing is to rename the admin folder. I have a tutorial on it I'll try to finish up and post later tonight.
-Ryan
BINGO! step 2!
Actually, that is a huge key that people just don't realize ....
Actually, somebody here did a write up on how to take care of some of these problems. I just don't remember the thread. However, they also went into doing some changes in htaccess to protect directories and stuff like that.
It's a shame that Daniel is so happy to work in the confines of his code, or else opencart could be that much more secure. Having complained about that, he has done a pretty damn good job on what is possible within those confines.
930sc ... because it is fun!
SapporoGuy wrote: BINGO! step 2!
I don't get the paranoia; there are no known security vulnerabilities in opencart. By changing the admin folder name you are guaranteed to have to change every single mod you want to use, and who needs the pain of entering two passwords, particularly given how weak http auth is?
OpenCart commercial mods and development http://spotonsolutions.net
Layered Navigation
Shipment Tracking
Vehicle Year/Make/Model Filter
Xsecrets wrote: I don't get the paranoia there are no known security vulnerabilities in opencart. By changing the admin folder name you are guaranteed to have to change every single mod you want to use
Yes, this can be an issue if an extension is poorly designed and doesn't make use of the HTTPS_SERVER constant like it should. And it'll always be an issue for any admin VQMods.
But I don't consider it paranoia for a couple reasons:
1) No known security vulnerabilities is not the same as no security vulnerabilities. Making changes like this helps protect your store during that all-important time between when a vulnerability is discovered and when it's patched.
2) OpenCart has nothing in place to limit log-in attempts or enforce password strength requirements. Anyone can go to the admin page and start pounding away at the default admin account. It's a small security issue given how slow such an attack would be, but it's still there.
-Ryan
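The missing limit on log-in attempts that Ryan describes can be applied after the fact to the web server's access log, or used as the policy behind a lockout. The following is an added example and not OpenCart code: it parses constructed Apache combined-format log lines, treats a POST to route=common/login answered with HTTP 200 as a failed attempt and a 302 redirect as a success (an assumption to check against your own logs, since OpenCart re-renders the form on failure), and applies a sliding-window lockout per client IP.

```python
"""Flag and throttle brute-force attempts against the OpenCart admin login.

Added example (not OpenCart code). Assumes Apache "combined" access-log lines
and that a failed admin login re-renders the form (HTTP 200) while a successful
one redirects to the dashboard (HTTP 302); check that against your own logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2011:13:55:30 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 5123 "-" "curl/7.21.0"
203.0.113.7 - - [10/Oct/2011:13:55:31 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 5123 "-" "curl/7.21.0"
203.0.113.7 - - [10/Oct/2011:13:55:32 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 5123 "-" "curl/7.21.0"
203.0.113.7 - - [10/Oct/2011:13:55:33 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 5123 "-" "curl/7.21.0"
203.0.113.7 - - [10/Oct/2011:13:55:34 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 5123 "-" "curl/7.21.0"
198.51.100.2 - - [10/Oct/2011:13:56:01 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2011:13:56:09 +0000] "POST /admin/index.php?route=common/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2011:13:56:10 +0000] "GET /admin/index.php?route=common/home&token=abc HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def failed_admin_logins(lines, admin_path="/admin/"):
    """Yield (timestamp, client_ip) for each failed admin login POST."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith(admin_path) or "route=common/login" not in m["path"]:
            continue
        if m["status"] != "200":          # 302 = successful login (assumption above)
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ts, m["ip"]


class LoginThrottle:
    """Sliding-window failure counter: lock a key after too many failures."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)

    def record_failure(self, key, when):
        """Record one failure; return True once the key is over the limit."""
        q = self._failures[key]
        q.append(when)
        while q and when - q[0] > self.window:
            q.popleft()                    # forget failures outside the window
        return len(q) >= self.max_failures

    def is_locked(self, key, now):
        """True while the key still has max_failures failures inside the window."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) >= self.max_failures


def find_bruteforcers(log_text, max_failures=5, window=timedelta(minutes=15)):
    """Return the sorted list of client IPs that exceeded the failure limit."""
    throttle = LoginThrottle(max_failures, window)
    flagged = set()
    for ts, ip in failed_admin_logins(log_text.splitlines()):
        if throttle.record_failure(ip, ts):
            flagged.add(ip)
    return sorted(flagged)


if __name__ == "__main__":
    print("Lock these clients out of /admin:", find_bruteforcers(SAMPLE_LOG))
```

The same LoginThrottle keyed on the user name rather than the IP gives per-account lockout, which is what the application itself would need; keying on both catches a slow attacker who rotates addresses against one account as well as one who sprays many accounts from one address.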
For the paranoiacs out there I've put together a short guide to nine changes to improve OpenCart security.
-Ryan
Great article rph!
Sent from my Desire HD using Tapatalk
-----------------------------------------------------------------------
My last mods: Partita IVA e CF | Pro EU VAT Number | Sales Agents | Pricelist Pro
-----------------------------------------------------------------------
Xsecrets wrote: I don't get the paranoia there are no known security vulnerabilities in opencart. By changing the admin folder name you are guaranteed to have to change every single mod you want to use, and who needs the pain of entering two passwords particularly given how weak http auth is?
1.) Paranoia is your best friend
2.) No known security vulnerabilities could be that nobody has bothered telling people here that they exist; read a few blogs here and there and I can see why
3.) http auth may be weak but it still is another hurdle to go through.
opencart is a commerce solution it is NOT a forum or a blog. Money is being exchanged and people sign up with their "real" information and that burden goes on to the shop owner who is trusting the software that they use.
People are always taking the piss out of mac users because they believe that their machine is safe from trojans and viruses. This is the same type of argument here. Security is an issue.
930sc ... because it is fun!
As the longstanding joke goes, "Just because you're paranoid doesn't mean that nobody is out to get you."
Securing the admin/ directory with .ht* (there are several) not only interposes an additional log-in (which even automated hackers will not enjoy slowing them down), but also interposes a slower-cycling one in the same stroke (which even automated hackers will enjoy even less), before by raw chance anyone unauthorized might reach the administrative log-in. The server's challenge when failed takes longer to think and replant the log-in than occurs with the administrative log-in. Just be sure to have TWO user-pass pairs, in order to reduce the odds of unauthorized access.
And rph's http://opencarthelp.com/a/?q=improve-opencart-security succinctly spells out cookbook steps.
Hackers can easily obtain the documentation showing in considerable detail how carts, forums, blogs, name it (including routers), work. Reset user/pass defaults as a general rule, not just in OC.
Another aspect, limiting numbers of log-in attempts, was raised as to customers and applies to administrators. See
http://forum.opencart.com/viewtopic.php ... 55#p395655
among others.
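The .htaccess protection described above needs two files: the .htaccess inside admin/ and a password file that Apache's htpasswd tool would normally generate. The following added example (not OpenCart's, Apache's or the poster's code) produces both, implementing the $apr1$ MD5 scheme that `htpasswd -m` writes so the entries are accepted by mod_authn_file; the AuthName text and the file paths are placeholders to adjust. Give the Basic-auth account a password that differs from the OpenCart admin password, which is the "TWO user-pass pairs" point made above.

```python
"""Put HTTP Basic auth in front of OpenCart's admin/ directory on Apache.

Added example, not OpenCart's or Apache's own code. apr1_md5() implements the
"$apr1$" MD5 scheme that Apache's `htpasswd -m` writes, so the entries it
produces are accepted by mod_authn_file; the file paths are placeholders.
"""
import hashlib
import hmac
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Apache's to64(): emit `count` base-64 digits, least significant first."""
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_md5(password, salt=None):
    """Return "$apr1$<salt>$<hash>" for password (APR1-MD5, 1000 rounds)."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    if not 1 <= len(salt) <= 8 or any(c not in ITOA64 for c in salt):
        raise ValueError("salt must be 1-8 characters from ./0-9A-Za-z")
    pw, s, magic = password.encode("utf-8"), salt.encode("ascii"), b"$apr1$"

    ctx = hashlib.md5(pw + magic + s)
    alt = hashlib.md5(pw + s + pw).digest()
    remaining = len(pw)
    while remaining > 0:                  # mix in alt once per 16 bytes of pw
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bits = len(pw)
    while bits:                           # one byte per bit of len(pw)
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):                 # stretching loop
        ctx1 = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            ctx1.update(s)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${salt}${encoded}"


def verify_apr1(password, entry):
    """Constant-time check of a password against a "$apr1$salt$hash" entry."""
    parts = entry.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(apr1_md5(password, parts[2]), entry)


def htpasswd_line(user, password):
    """One line of the .htpasswd file: user:$apr1$salt$hash."""
    return f"{user}:{apr1_md5(password)}"


def htaccess_for(passwd_file="/var/www/private/.htpasswd"):
    """Contents for admin/.htaccess; keep the password file outside the web root."""
    return (
        "AuthType Basic\n"
        'AuthName "Restricted"\n'
        f"AuthUserFile {passwd_file}\n"
        "Require valid-user\n"
    )


if __name__ == "__main__":
    # Placeholder credentials: use a password unrelated to the OpenCart admin one.
    print(htpasswd_line("shopadmin", "a-different-password-than-opencart"))
    print(htaccess_for())
```

Apache 2.4 also accepts bcrypt entries from `htpasswd -B`, which is the stronger choice where available; APR1-MD5 is shown here because it is what every Apache version on the thread's timeline understands.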