This post lists contributions and small code snippets for osCommerce security enhancement. After doing some research on various forums, some practical problem solving and referring to a few documents, we have compiled the following.
- If the site is not in development mode and very few edits are expected, then we recommend setting all .php and .js files to 444 (the hosting company should allow execution with this permission).
- All folders should be set to 555, excluding the images folder.
- If you have any folders where logs are created, treat them the same way as the images folder.
- Protect your site via .htaccess.
- Site Monitor
- Security Pro
- IP Trap
- Anti XSS (anti cross-site scripting attacks)
- Admin access level
- In admin, under Sessions, set the following if your settings allow it:
  - Force cookies: TRUE
  - Check for IP address
  - Check for user agent
  - Regenerate session: TRUE
  - Kill spider session: TRUE
- Google Webmaster
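The permission scheme from the first three points above, as an added shell example (not code from the original post): it sets .php and .js files to 444 and folders to 555 while keeping the images folder and any log folders writable for the web server. It assumes POSIX sh with find, chmod and stat, and takes the document root and the writable folder names as arguments.

```sh
#!/bin/sh
# Added example, not code from the original post: apply the permission scheme
# listed above to an osCommerce document root. Assumes POSIX sh, find(1),
# chmod(1) and stat(1); docroot and the writable folder names are arguments.
#
# Scheme: *.php and *.js files -> 444, every folder -> 555, except the
# images folder (and any log folder), which stay 755 with 644 files so the
# web server can still write uploads and log lines there.
harden_oscommerce() {
    docroot=$1; shift
    writable=$*                      # e.g. "images logs"
    [ -d "$docroot" ] || { echo "no such docroot: $docroot" >&2; return 1; }

    # Step 1: read-only scripts outside the writable folders.
    find "$docroot" -type f \( -name '*.php' -o -name '*.js' \) -print |
    while IFS= read -r f; do
        if ! in_writable "$docroot" "$f" $writable; then chmod 444 "$f"; fi
    done

    # Step 2: no-write directories, again skipping the writable folders.
    find "$docroot" -type d -print |
    while IFS= read -r d; do
        if ! in_writable "$docroot" "$d" $writable; then chmod 555 "$d"; fi
    done

    # Step 3: the writable folders themselves get 755 directories and
    # 644 files, matching how the images folder is normally left.
    for w in $writable; do
        [ -d "$docroot/$w" ] || continue
        find "$docroot/$w" -type d -exec chmod 755 {} +
        find "$docroot/$w" -type f -exec chmod 644 {} +
    done
}

# True when $2 is one of the writable folders under $1 (or lives inside one).
in_writable() {
    base=$1; path=$2; shift 2
    for w in "$@"; do
        case "$path" in "$base/$w"|"$base/$w"/*) return 0 ;; esac
    done
    return 1
}

# Octal mode of a path: GNU stat first, BSD stat as a fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Usage: harden_oscommerce /var/www/catalog images logs
```

Run it as the owner of the files; the web server user then keeps write access only inside the folders you named.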
5. Ways to get to a security hole:
- We will add code snippets in the coming days.
6. Suggested changes to osCommerce:
- Rename the admin folder
- Protect the admin folder with .htaccess
- Change $current_page to something like the script path rather than PHP_SELF
- Apply the patches that were introduced in osCommerce 2.3.1
- Remove unwanted language folders and the sample osCommerce data
- Apply the register_globals patches and set register_globals to OFF
- Captcha for create account, reviews and contact us
- We will add code snippets in the coming days.