Osclass forums

Support forums => General help => Topic started by: aprendiz on November 18, 2012, 02:03:50 am

Title: Secure your oc-admin
Post by: aprendiz on November 18, 2012, 02:03:50 am
Hi! I was trying to secure the oc-admin directory a little.

My idea is something like this:
Code:
if(!isset($_GET["word"])){
    header("Location: ../");
    exit; // stop here, otherwise the page body is still sent after the Location header
}

If you go to domain.com/oc-admin/index.php?word=sometext you can enter; otherwise you are sent back to the root directory.

I hope I explained this well :)

PS: Sorry for my English :S
Title: Re: Secure your oc-admin
Post by: _CONEJO on November 19, 2012, 11:20:11 am
Hi aprendiz,

That's not a good idea, since you will need to modify ALL of the links and options in the admin panel to have this new param.

For example, all the links in the admin menu lack it, and so does the login form, so you will be able to get the login page but not be able to perform the login.

I think the admin is secure enough; of course, if some security flaw or improvement appears we will fix/add it, but we're using the standard method for it.


Thanks
Title: Re: Secure your oc-admin
Post by: mytilene on November 19, 2012, 11:27:35 am
Hi,
You can secure it by configuring .htaccess and .htpasswd in your admin folder.
It'll implement an extra layer of security.
Title: Re: Secure your oc-admin
Post by: aprendiz on November 19, 2012, 11:56:00 am
Thanks for the answers :)

I don't think that Osclass isn't secure. But my idea is that nobody can view the admin login, to avoid brute force attacks, etc. For sure I can edit the .htaccess and add my IP, but we are more than 1 admin, and all have dynamic IPs.

I'll try to find something for this; if I find something, I will write it here :)
Title: Re: Secure your oc-admin
Post by: Legion on November 19, 2012, 01:30:35 pm
Guys, tell me the easiest method to secure it. I am the only admin for my site and I don't have a dynamic IP.
Title: Re: Secure your oc-admin
Post by: _CONEJO on November 19, 2012, 01:33:43 pm
Guys, tell me the easiest method to secure it. I am the only admin for my site and I don't have a dynamic IP.

Osclass admin is already pretty secure, no need to secure it more, but if you want to do it anyway, go for the .htaccess / .htpasswd method. That will allow you to require a directory password at server level (so two passwords for entering the admin) and also block or whitelist some IPs (only your IP could connect to it). Be careful with the last option (IP block/allow), since due to the shortage of IPv4, some ISPs will assign the same "public IP" to several of their customers.

Thanks
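The .htaccess / .htpasswd layer described above, written out as an added example (not Osclass code and not from any poster in this thread). It assumes Apache 2.4 authorization syntax (`Require`, `<RequireAll>`/`<RequireAny>`), that `AllowOverride AuthConfig Limit` is enabled for the admin directory, and that the password file was created with bcrypt via `htpasswd -B -c /etc/apache2/oc-admin.htpasswd admin`. The file path and the networks are constructed placeholders (RFC 5737 documentation ranges). `require_both=True` demands the password AND an allowed source address; `require_both=False` accepts either, which is the trade-off for admins on dynamic IPs that the thread raises.

```python
"""Generate an Apache 2.4 .htaccess that puts HTTP Basic auth and an IP
allowlist in front of an admin directory such as oc-admin.

Added example, not Osclass code. Assumptions: Apache 2.4 (mod_authz_core),
AllowOverride AuthConfig Limit for the directory, and a bcrypt .htpasswd made
with `htpasswd -B -c /etc/apache2/oc-admin.htpasswd admin`.
"""
import ipaddress

# Constructed example values; keep the password file outside the web root.
HTPASSWD_PATH = "/etc/apache2/oc-admin.htpasswd"
ADMIN_NETWORKS = ["203.0.113.0/24", "198.51.100.7"]


def normalise_networks(networks):
    """Validate every entry up front: a typo here would silently lock the
    admins out or admit the wrong hosts."""
    return [ipaddress.ip_network(n, strict=False) for n in networks]


def render_htaccess(htpasswd_path, networks, require_both=True):
    """Build the .htaccess text.

    require_both=True  -> <RequireAll>: valid password AND allowed source IP.
    require_both=False -> <RequireAny>: either is enough (for dynamic IPs).
    All networks go on ONE 'Require ip' line: inside <RequireAll> every
    directive must pass, so two separate 'Require ip' lines with different
    networks would deny everyone.
    """
    nets = normalise_networks(networks)
    container = "RequireAll" if require_both else "RequireAny"
    lines = [
        "AuthType Basic",
        'AuthName "Restricted admin area"',
        f"AuthUserFile {htpasswd_path}",
        f"<{container}>",
        "    Require valid-user",
        "    Require ip " + " ".join(str(net) for net in nets),
        f"</{container}>",
    ]
    return "\n".join(lines) + "\n"


def ip_allowed(client_ip, networks):
    """Mirror Apache's 'Require ip' decision for one client address, handy
    for checking the allowlist before deploying it."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in normalise_networks(networks))


if __name__ == "__main__":
    print(render_htaccess(HTPASSWD_PATH, ADMIN_NETWORKS))
```

Drop the rendered text into `oc-admin/.htaccess`; the password prompt then comes from the web server before any PHP in that directory runs, which is the "two passwords for entering the admin" effect _CONEJO describes.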
Title: Re: Secure your oc-admin
Post by: aprendiz on November 19, 2012, 01:54:46 pm
Another valid option for me is to activate a captcha on the login form. With a captcha I sleep well hahaha
Title: Re: Secure your oc-admin
Post by: _CONEJO on November 19, 2012, 02:05:00 pm
Hi aprendiz,

Captcha will only work against brute force attacks, but again, given that a bot will take 1 second to load the page and try to log in, and given a password of length 8 (not too long, not too short), it will take 6923519 years (yeah, almost 7 MILLION years) to break into your admin panel. So... the attacker would have to be very dumb to try brute force on that.

Of course, you could add a captcha there, but it will only annoy you and not any attacker. Captcha is used to prevent bots and spammers from registering/commenting/publishing/... but not brute force.
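Two defender-side checks that follow from the brute-force discussion above, as an added example (not Osclass code and not from any poster). The first reproduces the 6923519-year figure; reading it back, it assumes a 62-character alphabet (a-z, A-Z, 0-9), length 8, one attempt per second and 365-day years, which are my assumptions about how the number was derived. The second is what actually matters operationally: spotting a source that hammers the login form, run over constructed Apache combined-format log lines. The path `/oc-admin/index.php?page=login` is the login URL named later in this thread; the threshold and window are assumptions.

```python
"""Brute-force estimate and a login-burst detector for an Osclass admin.

Added example, not Osclass code. SAMPLE_LOG is constructed; the threshold
and window in flag_bursts() are assumptions to tune per site.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 203.0.113.9 posts to the login form five times in four
# seconds; 198.51.100.7 is a normal admin logging in once.
SAMPLE_LOG = """\
203.0.113.9 - - [19/Nov/2012:11:20:01 +0000] "POST /oc-admin/index.php?page=login HTTP/1.1" 200 512 "-" "python-requests/1.0"
203.0.113.9 - - [19/Nov/2012:11:20:02 +0000] "POST /oc-admin/index.php?page=login HTTP/1.1" 200 512 "-" "python-requests/1.0"
203.0.113.9 - - [19/Nov/2012:11:20:03 +0000] "POST /oc-admin/index.php?page=login HTTP/1.1" 200 512 "-" "python-requests/1.0"
203.0.113.9 - - [19/Nov/2012:11:20:04 +0000] "POST /oc-admin/index.php?page=login HTTP/1.1" 200 512 "-" "python-requests/1.0"
203.0.113.9 - - [19/Nov/2012:11:20:05 +0000] "POST /oc-admin/index.php?page=login HTTP/1.1" 200 512 "-" "python-requests/1.0"
198.51.100.7 - - [19/Nov/2012:11:20:06 +0000] "POST /oc-admin/index.php?page=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2012:11:21:10 +0000] "GET /oc-admin/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_PATH = "/oc-admin/index.php?page=login"


def years_to_exhaust(alphabet_size, length, attempts_per_second=1,
                     seconds_per_year=365 * 24 * 3600):
    """Worst-case years to try every password of the given length at the
    given rate (the average case is half of this)."""
    return alphabet_size ** length // (attempts_per_second * seconds_per_year)


def parse_line(line):
    """Parse one combined-format line into (ip, timestamp, method, path, status)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def flag_bursts(log_text, max_attempts=5, window_seconds=60):
    """Return {ip: peak_count} for sources that POSTed to the login page at
    least max_attempts times inside any window_seconds-long sliding window.
    Status codes are ignored on purpose: a guessing tool keeps posting whether
    the form is re-rendered or not, so the rate alone is the signal."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or not path.startswith(LOGIN_PATH):
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_attempts:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    print("years for 62^8 at 1/s:", years_to_exhaust(62, 8))
    print("bursting sources:", flag_bursts(SAMPLE_LOG))
```

The estimate only holds at one attempt per second against a random 8-character password; the detector is what turns the assumption into something enforceable, since a flagged source can be fed to the `Require ip` denylist or to a tool such as fail2ban, and a dictionary of common passwords finishes long before the keyspace does.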
Title: Re: Secure your oc-admin
Post by: aprendiz on November 19, 2012, 08:58:48 pm
Hi aprendiz,

Captcha will only work against brute force attacks, but again, given that a bot will take 1 second to load the page and try to log in, and given a password of length 8 (not too long, not too short), it will take 6923519 years (yeah, almost 7 MILLION years) to break into your admin panel. So... the attacker would have to be very dumb to try brute force on that.

Of course, you could add a captcha there, but it will only annoy you and not any attacker. Captcha is used to prevent bots and spammers from registering/commenting/publishing/... but not brute force.

It's true :D Well.. I am a little worried, but I'm more confident now :) Thanks for all the replies guys, and sorry for my bad English
Title: Re: Secure your oc-admin
Post by: krishields3 on November 20, 2012, 05:31:05 am
There is this strange thing that happens though... and aprendiz has a valid point.

If a non-logged-in user accidentally finds the oc-admin login page, then clicks on the "back to mysite.com" link at the top and tries to log in from the main site, and the user exists and the password is correct, Osclass takes that user back to the oc-admin login page rather than the main page. A user has to clear their browser history/cache to fix it. So, it would actually be a good idea for an average user to not be able to accidentally see the oc-admin login page in the first place.
Title: Re: Secure your oc-admin
Post by: _CONEJO on November 20, 2012, 10:47:46 am
There is this strange thing that happens though... and aprendiz has a valid point.

If a non-logged-in user accidentally finds the oc-admin login page, then clicks on the "back to mysite.com" link at the top and tries to log in from the main site, and the user exists and the password is correct, Osclass takes that user back to the oc-admin login page rather than the main page. A user has to clear their browser history/cache to fix it. So, it would actually be a good idea for an average user to not be able to accidentally see the oc-admin login page in the first place.

Again, in that case, stick to the .htaccess and .htpasswd solution.
Title: Re: Secure your oc-admin
Post by: krishields3 on November 20, 2012, 12:54:32 pm
Some ISPs, such as mine, issue dynamic public IPs, and users from different locations can be issued my public IP from yesterday. It's currently not really a problem for me... but it could be something that I will be looking into in the future as the number of users grows, and thus the probability of that happening also grows...
Title: Re: Secure your oc-admin
Post by: xinony on January 15, 2013, 03:36:45 pm
Add this code to \oc-admin\login.php at line 156 (default: ....)

Code:
default:
    if(!isset($_GET['word']) || $_GET['word'] != 'sometext')
    {
        $this->redirectTo( osc_base_url() );
    }

    osc_run_hook( 'init_admin' ) ;
    Session::newInstance()->_setReferer(osc_get_http_referer());
    $this->doView( 'gui/login.php' );

Use this:
Quote
http://domain.com/oc-admin/index.php?page=login&word=sometext

for login.
Title: Re: Secure your oc-admin
Post by: shamim_biplob on September 09, 2013, 11:25:29 am
Go to oc-includes/osclass/helpers/hDefines.php and change the following code.
Line 61
Code:
        $path .= "oc-admin/";
to
Code:
        $path .= "ANYTHING/";
And line 81
Code:
        return(osc_base_path() . "oc-admin/");
to
Code:
        return(osc_base_path() . "ANYTHING/");
And change the oc-admin folder name to ANYTHING.

All three ANYTHING should be the same.

Then log in to the admin at http://domain.tld/ANYTHING

Nobody will know what ANYTHING is except you, and every URL will be correct. Nothing more needs to be changed.
Title: Re: Secure your oc-admin
Post by: Pigeon on April 03, 2014, 02:48:54 pm
Guys, tell me the easiest method to secure it. I am the only admin for my site and I don't have a dynamic IP.

Osclass admin is already pretty secure, no need to secure it more, but if you want to do it anyway, go for the .htaccess / .htpasswd method. That will allow you to require a directory password at server level (so two passwords for entering the admin) and also block or whitelist some IPs (only your IP could connect to it). Be careful with the last option (IP block/allow), since due to the shortage of IPv4, some ISPs will assign the same "public IP" to several of their customers.

Thanks
My friend, is it possible not to edit (.htaccess) for the password, and instead in cPanel, right-click on the (oc-admin) folder and set a password for it???
Title: Re: Secure your oc-admin
Post by: Pigeon on April 04, 2014, 01:30:14 pm
Guys, tell me the easiest method to secure it. I am the only admin for my site and I don't have a dynamic IP.

Osclass admin is already pretty secure, no need to secure it more, but if you want to do it anyway, go for the .htaccess / .htpasswd method. That will allow you to require a directory password at server level (so two passwords for entering the admin) and also block or whitelist some IPs (only your IP could connect to it). Be careful with the last option (IP block/allow), since due to the shortage of IPv4, some ISPs will assign the same "public IP" to several of their customers.

Thanks
My friend, is it possible not to edit (.htaccess) for the password, and instead in cPanel, right-click on the (oc-admin) folder and set a password for it???
You don't want to answer?
Title: Re: Secure your oc-admin
Post by: serjuc11111 on April 04, 2014, 03:14:58 pm
Hi! Secure your oc-admin folder with an additional password; cPanel helps you do this!
I don't suggest you modify the oc-admin folder name.
Instructions here:
http://www.youtube.com/watch?v=51FFX_TF5yQ

cheers!
Title: Re: Secure your oc-admin
Post by: a_smith on April 06, 2019, 03:09:17 am
Go to oc-includes/osclass/helpers/hDefines.php and change the following code.
Line 61
Code:
        $path .= "oc-admin/";
to
Code:
        $path .= "ANYTHING/";
And line 81
Code:
        return(osc_base_path() . "oc-admin/");
to
Code:
        return(osc_base_path() . "ANYTHING/");
And change the oc-admin folder name to ANYTHING.

All three ANYTHING should be the same.

Then log in to the admin at http://domain.tld/ANYTHING

Nobody will know what ANYTHING is except you, and every URL will be correct. Nothing more needs to be changed.

Yes, I know it's an old thread, but I didn't find any newer or working ideas on how to secure/change the oc-admin slug and the folder name? Anyone?

The method to change the oc-admin name in helpers/hDefines.php works only for the admin login page and then for browsing through the admin panel.
Then it causes a lot of issues with installing and setting up plugins, because most of the newer or more complex plugins have the 'oc-admin/' path hardcoded.
Title: Re: Secure your oc-admin
Post by: fog on April 06, 2019, 05:46:38 am
Using a direct path to "oc-admin" in a plugin is bad practice; nobody does this, or that person doesn't have any notion of what they are doing, or with that bad practice it can be easier to do, so it could just be laziness. So, using a helper to reach the current admin folder is the correct way to do it (variables do that, or it makes no sense to use them).

You said the newer or more complex plugins have the 'oc-admin/' path hardcoded (so, it seems you say these plugins have a direct path to oc-admin); which plugins did you see with that direct path? It's easy to say something general, but with no names to reference it can be complicated to guess which plugins you refer to, for anyone with that issue. Indeed, if you know about that issue in some plugins you have, you can change that "traditional" path to the correct helper in your current plugins.

The oc-admin folder is fine, no need to change it just because anyone can access the page. "They" will not access anything without a correct admin name and password anyway. Do not worry about that; it is totally safe.
Title: Re: Secure your oc-admin
Post by: a_smith on April 07, 2019, 01:18:13 am
@fog:
No, my knowledge is not general.
I use several plugins from osclass_point and they do it to link various plugin setup sub-screens (like tabs):
Code:
$text .= '<li><a href="' . osc_base_url() . 'oc-admin/index.php?page=plugins&action=renderplugin&file=invoice/admin/configure.php"><i class="fa fa-wrench"></i><span>' . __('Configure', 'invoice') . '</span></a></li>';
"They" will not access anything without a correct admin name and password anyway. Do not worry about that; it is totally safe.
Let me disagree. Exposing the admin login page to ANYONE to do whatever they want to do there is a stupid idea. I.e. brute force is not 'totally safe'.

Also, showing everyone what script you are using gives the attacker a chance to use an attack method specific to your script.

But of course you may have another point of view on how to bulletproof your resources.
Title: Re: Secure your oc-admin
Post by: dev101 on April 07, 2019, 12:47:55 pm
Quote
$text .= '<li><a href="' . osc_base_url() . 'oc-admin/index.php?page=plugins&action=renderplugin&file=invoice/admin/configure.php"><i class="fa fa-wrench"></i><span>' . __('Configure', 'invoice') . '</span></a></li>';

Is this a plugin settings page in the Admin menu? Then no one except logged-in admin(s) can see it.
But it is unusual to form a link this way (hard-coding paths is bad practice).
Also, all plugin settings pages (should) have direct access protection; even if someone finds out the direct link, it will be useless anyway.
Title: Re: Secure your oc-admin
Post by: fog on April 08, 2019, 06:11:58 am
@fog:
No, my knowledge is not general.
I use several plugins from osclass_point and they do it to link various plugin setup sub-screens (like tabs):
Code:
$text .= '<li><a href="' . osc_base_url() . 'oc-admin/index.php?page=plugins&action=renderplugin&file=invoice/admin/configure.php"><i class="fa fa-wrench"></i><span>' . __('Configure', 'invoice') . '</span></a></li>';
"They" will not access anything without a correct admin name and password anyway. Do not worry about that; it is totally safe.
Let me disagree. Exposing the admin login page to ANYONE to do whatever they want to do there is a stupid idea. I.e. brute force is not 'totally safe'.

Also, showing everyone what script you are using gives the attacker a chance to use an attack method specific to your script.

But of course you may have another point of view on how to bulletproof your resources.

My point of view is like yours or anyone's. And it is not a stupid idea, or does WordPress have the same stupid idea with the wp-admin folder?

This is the only method known to rename the oc-admin folder: here (https://forums.osclass.org/general-help/%28solved%29-how-to-rename-the-oc-admin-folder/msg2559/#msg2559)

I tested it before with an old Osclass version and I didn't see any issue for at least a year. But you decide what is better for you. With time you will see you don't need to use it anymore. Currently, I think there is no need to rename any folder. So I haven't used it for 3 years or more.