Let's face it... we need a forum dedicated to security. Viart is a great tool, but the hosting sites it lives on are not always secure. My site, for example, is the victim of someone putting their own PayPal email address in instead of mine, and they took a lot of money from us in the process. It took me a week to figure out what was going on, and I still don't know how it happened or how to stop it in the future.
So, with your permission, Viart, may we start a dedicated forum for security here? It's something I think would make us all more secure and sharing our experiences is always good.
I got a lengthy list of things from my host company that need to be done and am working through them, and have shared with Vera at Viart. It might make sense to post them here for others.
Please consider this, Viart. I'll be happy to assist as much as I can, as I know a few things about security and I'm sure we can all learn from each other.
Ed
Last modified: 2 Nov 2012 3:04 PM
Rinos
31 Oct 2012 10:57 AM
I fully agree with you, davis.
ViArt is really powerful and fast... but around the world you find everything (good or bad).
Last modified: 31 Oct 2012 10:58 AM
daviswe
31 Oct 2012 7:43 PM
Update: I was not sure that the patch for google ads included the anti-hacking code needed to block user uploads (in user_uploads.php) but it does. There's a line in there that checks for double (or multiple) file extensions like
wipe_your_site_out.php.jpg
I tested my site after uploading the update and it forbids all kinds of files like this. Viart rocks!
At first, I deleted the update after looking at the code in it because it didn't have the usual Viart file header, and it looked like a malicious file, till I read through it and realized it was ok, just missing a header. Viart, how about a header on updates??
On another note, you can put a line in your .htaccess file to accomplish the same thing globally:
# Protects from Apache reading double suffixes
SetHandler EE_Upload_Security_Do_Not_Remove
I have not tested this yet, but it comes from a reputable security site. It will block files from FTP, HTTP uploads, or other methods outside your Viart scripts, and will only process the last extension, ignoring the others. Without that line in the .htaccess file, the Apache server will process the following file via PHP:
make_your_day_hell.php.jpg
The Apache server's PHP engine won't recognize the jpg extension, and will back up to the next one in line (php) and process the script as usual via the php engine, and as usual, there is never any helpful code in a hacker file like that!
===================================
Is it possible for us to move our config.php files outside the public_html folder and still have them referenced properly with Viart?
This method keeps the sensitive config files in an un-hackable area of the hosting account. In other words, the non-public part of your account. Only your public FTP and HTML folders should be available to hackers.
SO...back to the config.php files, will it break Viart to move them to the unhackable area, so we can increase the security?
I have four such files, two for my viart admin folder which is NOT named 'admin' and two for my own auxiliary code.
Ed
(I subscribe to this thread, and will respond to any info or inquiries about this new forum if and when Viart posts it for use.)
Last modified: 2 Nov 2012 5:29 PM
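As an added example, not code from this thread and not ViArt's own user_uploads.php, here is a Python model of the behaviour Ed describes above. Apache's mod_mime treats every dot-separated segment after the first as an extension, so when PHP is bound with AddHandler/AddType, a name like wipe_your_site_out.php.jpg is handed to the PHP handler even though its last extension is jpg. The handler-extension set and the allowed-image list are assumptions for the demo; is_safe_upload_name() is the kind of check an upload script needs: exactly one extension, from an allowlist, no dotfiles and no path characters.

```python
"""Why `wipe_your_site_out.php.jpg` can run as PHP, and how to reject it.

Added example, not code from ViArt's user_uploads.php. It models how Apache's
mod_mime assigns handlers: a filename is split on dots and every segment after
the first counts as an extension, so `AddHandler application/x-httpd-php .php`
matches `x.php.jpg` as well as `x.php`. The handler set and allowed-extension
list below are assumptions for the demo, not ViArt's configuration.
"""
import re

# Extensions that a typical shared host maps to a script handler (assumed list).
SCRIPT_EXTENSIONS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "cgi", "pl", "py", "sh", "shtml",
}

# Extensions an image-upload form should accept (assumed for the demo).
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def extension_segments(filename):
    """Return the extension segments the way mod_mime sees them.

    'wipe_your_site_out.php.jpg' -> ['php', 'jpg']
    '.htaccess'                  -> []   (a leading dot marks a hidden file)
    """
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # strip any path
    if name.startswith("."):
        name = name[1:]  # a leading dot is not an extension
    parts = name.split(".")
    return [p.lower() for p in parts[1:] if p]


def mod_mime_handler(filename, script_extensions=SCRIPT_EXTENSIONS):
    """Return the script extension Apache would hand the file to, or None.

    With AddHandler-style configuration, any segment matching a handler
    extension wins, regardless of what the final extension is.
    """
    for segment in extension_segments(filename):
        if segment in script_extensions:
            return segment
    return None


def is_safe_upload_name(filename, allowed=ALLOWED_IMAGE_EXTENSIONS):
    """Accept only names with exactly one extension, from the allowed list.

    Rejects double extensions, dotfiles such as .htaccess, names with path
    separators or NUL bytes, and anything whose extension is not allowed.
    """
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    if filename.startswith("."):
        return False
    segments = extension_segments(filename)
    if len(segments) != 1:
        return False
    if segments[0] not in allowed:
        return False
    if mod_mime_handler(filename) is not None:  # belt and braces
        return False
    # Keep the basename to a conservative character set as well.
    return re.fullmatch(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+", filename) is not None


if __name__ == "__main__":
    for name in ("photo.jpg", "wipe_your_site_out.php.jpg", ".htaccess", "shell.phtml"):
        print("%-28s handler=%-5s safe=%s" % (name, mod_mime_handler(name), is_safe_upload_name(name)))
```

Whether a double-extension file actually executes depends on how PHP is bound on the host: AddHandler/AddType for .php match any segment, whereas a FilesMatch block anchored on a trailing .php matches only the last extension. Validating the name inside the application is the part you control regardless of what the host has configured.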
Vera
2 Nov 2012 5:21 PM
It's hardly possible to hide the config file outside the web root, because if it is read by other scripts then during an attack it would be possible to find and read it as well. Also note that the config file you're talking about is called var_definition.php in ViArt Shop. This file contains the login data for the database, and therefore if somebody hacks the account they can use the data from this file to manipulate database settings without access to admin. So it would be nice to hide this file from an attacker, but the reality is that if scripts work with a database then it will be possible to find the login for this database.
Regards,
ViArt Team
daviswe
2 Nov 2012 5:40 PM
Perhaps if we place var_definition.php in the root directory above public_html, for example, and then use mod_rewrite to redirect to /root/var_definition.php instead of /public_html/var_definition.php?
I am only asking this because my host asked everyone to move config.php and similar files with passwords in them into a secure directory outside public_html. They don't offer any advice on how to do that, so I'm looking into it myself, and may find an answer.
The bad guys were able to insert their email account into my PayPal payment settings, and I lost a lot of money before we figured out why so many orders were not being 'paid' status.
I am not sure, but it is possible they got to var_definitions.php and simply logged into MySQL and made the change, or perhaps got to my login for admin and did it that way.
At the moment, I'm using .htaccess to forbid anyone looking at my config files even if they get loose in my public_html directory:
<Files var_definition.ini>
Deny from all
</Files>
<Files php.ini>
Deny from all
</Files>
Last modified: 2 Nov 2012 5:56 PM
DanielBartsch
13 Dec 2012 2:26 AM
Hi everyone,
Could someone tell all the steps you have taken to prevent hackers from changing your PayPal email address? I got hacked in the last couple of days on two of my Viart web sites. Ouch. My installation was 4.1 from mid-October.
Here's what I've done so far today:
Deleted all files (other than the database, of course) and reinstalled from scratch using the latest .zip that Viart has available. This is supposed to have all the last 2 months of patches in it (although now my Google Wallet express checkout option does not work again -- I believe this was something that was supposed to have been fixed by one of the recent patches so I'm wondering whether all patches are truly included).
Deleted install.php and install_zend.php
Changed both passwords (for the database and for Viart backend)
Changed directory location of 'admin' files. I already had it in what should have been an unguessable folder name, but now it's in another.
Permissions are 555 for all folders except 755 for includes and images. I have not modified permissions of files in root folder. (Do I need to?)
What else should I do?
DanielBartsch
13 Dec 2012 5:38 AM
Based on what you said, Ed, I'm worried about the var_definitions.php being the weakness in my case. As you noted, the database username and pw are there if someone can open it. I've put the two sections of "deny from all" code into my .htaccess file (and it didn't cause any problems, as far as I can tell)... but, shouldn't the first one read 'var_definitions.php' not 'var_definitions.ini'? Or do I not understand how this works?
daviswe
13 Dec 2012 1:53 PM
DanielBartsch,
---
Disclaimer: I'm not a security expert, but I do know a bit about it from years of experience and daily learning.
---
Your permissions on files should be at least 0644, and folders should be 0755. Your 555 is far too loose for security. You can change them using an FTP program. I use FireFTP, free.
Remember that IF someone gets into your public_html folder, or whatever yours is called, they have read/write permissions, or not, depending on your file permissions. This keeps most exploits from modifying your files based on group/world permissions. Attackers won't have admin permissions unless they get into your var_definitions.php, which they could with your file settings.
For others reading this, you can protect var_definitions.php in your .htaccess file to protect it and other critical files explicitly:
<Files var_definitions.php>
Deny from all
</Files>
Nobody outside your domain, even with credentials, can see or modify the files listed in this simple 'deny' code.
Google the regular expressions used in .htaccess; you can put lists of files or even file matching in there to forbid access to files in a very powerful way. In all this, it is not obvious that your code will still run as usual, but it does, because you are 'inside' and have the credentials; outsiders don't.
More security:
This code below from Viart removes handlers built into Apache that would normally run PHP files by default if someone simply called them, but this code tells Apache to ignore any attempts to run PHP files from outsiders.
It works because you don't actually have to name handlers for PHP, they will be processed based on your php.ini file, and not the Apache config. The code below tells Apache to ignore php related files. Your code will still run properly, but attackers won't be able to convince Apache to run them.
There isn't a var_definitions.ini, it was my typo... The var_definitions.php is in the 'includes' folder, and is easily protected as we mention above.
Ed
daviswe
13 Dec 2012 2:01 PM
In many sites, there are multiple ".ini" files. Here's how to protect them with double-barrier security:
1. Forbid anyone but the owner from seeing/reading/writing it:
Set the file permissions to 0600 with your hosting control panel or an FTP program.
2. Deny access to the file in general from EVERYONE outside your domain using your .htaccess file in your top level public html folder (root for your Viart cart code):
<Files *.ini>
Order deny,allow
Deny from All
</Files>
Ed
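The two .htaccess fragments above (the explicit deny on var_definitions.php and the wildcard deny on *.ini) can live side by side, and the same mechanism can stop anything in the upload folder from ever being executed, whatever its name. The following is an added example written for this page; it is not ViArt's own .htaccess and not the "code from Viart" referred to above. It assumes Apache 2.2 or 2.4 with AllowOverride permitting FileInfo and Limit directives, and the directory names includes/ and user_uploads/ are assumptions for the demo.

```apache
# --- public_html/.htaccess (added example; directory names are assumed) ---

# Several <Files>/<FilesMatch> sections may coexist; Apache evaluates each one.
# Deny direct HTTP access to the database config and to every .ini file.
# PHP's include() reads from disk, so the shop keeps working.
<FilesMatch "^(var_definitions?\.php|.*\.ini|\.ht.*)$">
    <IfModule mod_authz_core.c>
        Require all denied          # Apache 2.4 syntax
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow            # Apache 2.2 syntax
        Deny from all
    </IfModule>
</FilesMatch>

# --- public_html/user_uploads/.htaccess (added example) ---
# Nothing stored here is ever executed, whether it is x.php, x.php.jpg or x.phtml.

# Switch the PHP engine off for this directory when PHP runs as an Apache module.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>

# Unbind the script handlers mod_mime may have attached to these extensions.
RemoveHandler .php .phtml .php3 .php4 .php5 .php7 .phar
RemoveType    .php .phtml .php3 .php4 .php5 .php7 .phar

# And refuse to serve any name that carries a script extension in ANY position,
# so x.php.jpg is blocked even on hosts that bind PHP through FastCGI.
<FilesMatch "(?i)\.(php[3457]?|phtml|phar|cgi|pl|py|sh)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

After saving, verify from outside with a browser or curl that /includes/var_definition.php, /php.ini and /user_uploads/test.php.jpg all return 403, and that a normal product image still loads. Keep in mind what Vera noted: these rules only cover requests that reach Apache over HTTP. An attacker who already has FTP access, or who can make a PHP script on the site read files for them, is not stopped by a <Files> deny, so the database password still needs to be changed after a compromise.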
DanielBartsch
13 Dec 2012 8:35 PM
Thanks so much for all the info, Ed.
2 follow up questions:
First, you said: Your permissions on files should be at least 0644, and folders should be 0755. Your 555 is far too loose for security.
I'm confused. In my understanding, 555 is actually tighter than 755. The higher the number the looser the permissions. Am I wrong? If I'm right, what should my files and folders be set at?
Second question:
Can I have multiple <Files> sections in .htaccess?
In other words, can I do this in .htaccess:
<Files var_definitions.php>
Deny from all
</Files>
<Files *.ini>
Order deny,allow
Deny from All
</Files>
Or do all the file names need to be somehow merged together into one <Files> section?
Thanks again for your help!
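The 555-versus-755 question comes down to what each octal digit means: every digit is a read/write/execute triple for owner, group and others, so a lower digit grants less, and 0555 denies write to everyone while 0755 lets the owner write. The following added example (not part of the thread, not ViArt code) decodes modes and audits a set of paths against a baseline that matches the advice in the thread: nothing group- or world-writable, and the config files readable only by their owner. The SAMPLE entries are constructed for the demo; scan_tree() shows how to feed real directory data through the same rules.

```python
"""Decode Unix permission modes and flag risky ones for a PHP web root.

Added example, not part of the forum thread and not ViArt code. audit() takes
(path, is_dir, mode) tuples so the rules can be exercised on constructed data
without touching the filesystem; scan_tree() feeds it from a real directory.
The baseline rules are an assumption for a typical shared PHP host.
"""
import os
import stat

# Files whose contents must not be readable by other accounts on a shared host.
# Names are taken from the discussion above (var_definition.php, php.ini).
SENSITIVE_NAMES = {"var_definition.php", "var_definitions.php", "php.ini"}


def describe(mode):
    """Return 'rwxr-xr-x'-style text for the low nine bits of a mode."""
    bits = "rwxrwxrwx"
    return "".join(c if mode & (1 << (8 - i)) else "-" for i, c in enumerate(bits))


def audit(entries):
    """Yield (path, finding) for each risky entry.

    entries: iterable of (path, is_dir, mode) where mode is an int such as 0o755.
    Rules (assumed baseline):
      - nothing should be writable by group or others (0o022 bits);
      - sensitive config files should not be readable by group/others (0o044);
      - directories need the owner execute bit to be traversable.
    """
    for path, is_dir, mode in entries:
        perm = stat.S_IMODE(mode)
        name = os.path.basename(path)
        if perm & 0o002:
            yield path, "world-writable (%s)" % describe(perm)
        elif perm & 0o020:
            yield path, "group-writable (%s)" % describe(perm)
        if not is_dir and name in SENSITIVE_NAMES and perm & 0o044:
            yield path, "config readable by group/others (%s), use 0600" % describe(perm)
        if is_dir and not perm & 0o100:
            yield path, "directory not traversable by owner (%s)" % describe(perm)


def scan_tree(root):
    """Walk a real directory and run audit() over it; returns a list of findings."""
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            p = os.path.join(dirpath, d)
            entries.append((p, True, os.lstat(p).st_mode))
        for f in filenames:
            p = os.path.join(dirpath, f)
            entries.append((p, False, os.lstat(p).st_mode))
    return list(audit(entries))


# Constructed sample, modelled on the permissions discussed in the thread.
SAMPLE = [
    ("public_html", True, 0o555),                               # read/execute only: fine
    ("public_html/includes", True, 0o755),                      # owner may write: fine
    ("public_html/includes/var_definition.php", False, 0o644),  # others can read the DB password
    ("public_html/user_uploads", True, 0o777),                  # world-writable: bad
    ("public_html/index.php", False, 0o644),                    # typical, fine
]

if __name__ == "__main__":
    for path, finding in audit(SAMPLE):
        print("%-45s %s" % (path, finding))
```

One caveat before tightening config files to 0600: that only works when PHP runs as the same user that owns the file (suPHP, FastCGI/PHP-FPM per user). On hosts where PHP runs as the web server user (mod_php as www-data or nobody), a 0600 var_definition.php will stop the shop loading, and 0640 with the web server's group is the tightest setting that still works.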
SajMalik
14 Dec 2012 1:33 PM
Ooooo - that's going a bit fast for me. But thanks very much for all your info which really is appreciated.
If I start by adding to my .htaccess:
<Files *.ini>
Order deny,allow
Deny from All
</Files>
How far will I be towards keeping out these pesky hackers, assuming I just have the standard Viart 4.1 installation?