Directory Permissions and Security

Subscription directories must have their permissions set (chmod) to 777 and must contain two hidden files: one that limits access and one that holds the usernames and passwords. The username/password file must also have permissions 777. Several other directories (product files, updates, product images, previews, banners and member files) must also be 777 so they can be managed through the browser-based admin panel. There is a tradeoff between functionality and risk when using features within AShop Deluxe that require PHP to write to a directory or file.

To keep password-protected directories completely secure, the permissions should be set lower than 777, but this would prevent the writing of usernames and passwords to the hidden .htpasswd file. PHP usually won't have write permission because it runs under a different user than the one who owns the directory. One way to handle this would be to chown (change the owner of) the directory to the user the web server runs under, but then any script run from any web site on that server would still have permission to change the directory.

The need for 777 permissions comes from the way Apache and PHP work. By default Apache won't let you password-protect a directory in any way other than with a .htpasswd file, and PHP can't write to that file without write permission.

Using PHP safe mode is an option, but it puts many other restrictions on PHP that prevent many AShop features from working. The only other practical alternative is to avoid using any AShop feature that needs write permission, which severely limits functionality.

A possible solution is suPHP. If you have root access to the server, or can persuade your hosting provider to install it, it should allow you to use secure permissions on the directories while still letting your PHP scripts write to them.

We will eventually add support for mod_auth_mysql, which may increase security, but you will need mod_auth_mysql installed on your server to be able to use it. Sites on virtual hosting services may not have this option.

We believe the most cost-effective choice for most users is to leave the permissions at 777. In our opinion the security threat is only theoretical, since exploiting the .htaccess protection would require shell access to the server, which most hosting providers don't allow anyway.

For users who have privileges to create directories and place files outside the public root, we have added a "Secure File System Path" setting in Advanced Options. It defaults to the regular ashoppath but can be set to a location outside the document root. To use the secure path, the following directories must be moved or copied there: products, updates, and all subscription directories. The previews, prodimg, members and banners directories can't be protected this way, since they must remain accessible from the document root. The only way to avoid 777 permissions on them is to stop using the AShop Deluxe file upload feature for the files stored in them and instead upload those files manually by FTP.
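The check a site owner would run before and after applying the advice above, as an added example that is not AShop's own code: it lists which of the admin-managed directories are world-writable, reports the state of the two hidden files in a subscription directory, and verifies that a Secure File System Path really resolves to somewhere outside the document root. The directory names come from this page; the `htdocs`/`ashop-secure` layout, the constructed sample tree and the function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not AShop code: audit an AShop Deluxe install for the
# world-writable (777) directories and files this tech tip describes, and
# check that a "Secure File System Path" lies outside the document root.
# Directory names are from the page; the layout, sample tree and function
# names are assumptions for this demo.

# Directories the page says must be writable by the browser-based admin panel.
ASHOP_WRITABLE_DIRS="products updates prodimg previews banners members"

# Exit 0 if the file or directory in $1 has the other-write bit set.
# find -prune stops recursion, so only the entry itself is tested (POSIX).
is_world_writable() {
  [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Print the names of the managed directories under $1 that are world-writable.
audit_ashop_tree() {
  root="$1"
  for d in $ASHOP_WRITABLE_DIRS; do
    [ -d "$root/$d" ] || continue
    if is_world_writable "$root/$d"; then
      echo "$d"
    fi
  done
  return 0
}

# Report the two hidden files the page says each subscription directory holds.
# Output: one line per file, "<name> missing|world-writable|ok".
audit_subscription_dir() {
  for f in .htaccess .htpasswd; do
    if [ ! -e "$1/$f" ]; then
      echo "$f missing"
    elif is_world_writable "$1/$f"; then
      echo "$f world-writable"
    else
      echo "$f ok"
    fi
  done
}

# Exit 0 if $2 (the secure path) is outside $1 (the document root) after
# resolving symlinks, so nothing placed there is reachable by URL.
# Exit 1 if it is inside, 2 if either path cannot be entered.
secure_path_outside_docroot() {
  docroot=$(cd "$1" 2>/dev/null && pwd -P) || return 2
  secure=$(cd "$2" 2>/dev/null && pwd -P) || return 2
  case "$secure/" in
    "$docroot"/*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build a constructed sample tree mirroring the page's layout: an AShop
# install under htdocs with the 777 permissions the tip describes, plus a
# secure directory beside (not under) the document root. Prints the base.
build_sample_tree() {
  base=$(mktemp -d) || return 1
  a="$base/htdocs/ashop"
  mkdir -p "$a/products" "$a/updates" "$a/prodimg" "$a/sub1" \
           "$base/ashop-secure/products"
  chmod 777 "$a/products" "$a/updates" "$a/sub1"   # as the page requires
  chmod 755 "$a/prodimg"                           # images uploaded by FTP only
  : > "$a/sub1/.htaccess"
  : > "$a/sub1/.htpasswd"
  chmod 644 "$a/sub1/.htaccess"
  chmod 777 "$a/sub1/.htpasswd"                    # the page's username/password file
  chmod 750 "$base/ashop-secure/products"          # possible once PHP runs as the owner (suPHP)
  echo "$base"
}

# Walk through the checks on the sample tree, then remove it.
run_demo() {
  base=$(build_sample_tree) || return 1
  echo "world-writable managed directories:"
  audit_ashop_tree "$base/htdocs/ashop"
  echo "subscription directory sub1:"
  audit_subscription_dir "$base/htdocs/ashop/sub1"
  if secure_path_outside_docroot "$base/htdocs" "$base/ashop-secure"; then
    echo "secure path is outside the document root"
  else
    echo "secure path is INSIDE the document root"
  fi
  rm -rf "$base"
}

run_demo
```

On a real install, call `audit_ashop_tree` with the ashoppath and `secure_path_outside_docroot` with the web server's DocumentRoot and the Secure File System Path value; an entry reported as world-writable is exactly the tradeoff the page describes, and the check is what tells you whether moving products, updates and the subscription directories to the secure path actually took them out of URL reach.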

Tips to avoid hacking attempts

  • Avoid installing insecure, exploitable software, such as many versions of phpBB and phpNuke.
  • Keep software up to date. Hackers get to know commonly available programs, but it usually doesn't take long for a popular program to get security patches that plug the holes.
  • Maintaining the server operating system and web server software is also important. A reliable web hosting company that stays current with security patches is a valuable resource. If you maintain your own server, good luck and stay on top of it.
  • IonCube encryption protects against exploits since the hackers don't know anything about the software source code.
AShop Internet © copyright 2002 - 2008