Hmm... I need to find out myself. I don't know what the right answer is. I'll do some investigation and get back to you if I find a good answer. You should email the people at iPage as they probably could answer your iPage question.
Thanks for this script download info; I really appreciate it. But when I downloaded it, I got a warning that files are corrupt. Downloaded it a second time; got the same warning. Hmmm, that's a bit scary. Do you know of any other similar scripts, or does anyone know of any painless password protection scripts that a dummy could set up pretty easily? Or do you think I should go ahead and try this one anyway?
If you have the ability to run your own CGI scripts, you might have a look at Locked Area (locked-area.com, I believe).
They have two free scripts: DirectoryPass is very simple, Locked-Area Lite may have a bit more than what you are looking for. You will need to know the path to Perl on your server, as well as how to use your FTP program or control panel to CHMOD the files (set their permissions correctly; instructions are provided with the programs).
It does basically the same thing as the gossamer-threads scripts: sets up .htaccess for you.
I suspect DirectoryPass would get the job done for one user, one directory.
I have installed a login system similar to the login system of the shop (i.e. with database tables for the admin users and cookie-registration of their names and id).
But I have installed different grades of authorization as well, so users are eventually only able to add or modify products and attributes but aren't allowed to alter any configurations of the shop or to add other users.
But, apart from the login and create user files, to get this to work you have to add a login information script to every file in the root directory of your admin. And, of course, to the links of the navigation as well.
So it's a lot of work to do, but it runs pretty well.
For a simpler way to do it, you could look at the Admin Access w/ Levels contribution. It only modifies the admin/includes/application_top.php file and adds some files.
Sorry I'm not understanding this.
Are you saying that we should password protect the shop admin folder?
(which we're supposed to rename anyway).
Would doing so make no difference to osCommerce scripts themselves?
Aka do they need password permissions to access the admin folder and if so how would you do that?
The control panel is password protected anyway so which files are vulnerable?
Are the scripts not tied down so that they can only be called from scripts on the same server?
I think that's what PHPNuke does, isn't it?
Security is obviously a major issue, so I'd really like to know what to do.
Yes, unless you want potentially anyone to be able to edit products, etc.
No, the catalog scripts never need to access files from the admin side.
Good to know that the admin folder isn't used by the shop itself.
(Guess the database is the common link. Never thought of it like that till now).
I'm confused though ;-).
I'm not doubting you. However unless I understand the problem I don't know how to deal with it. AKA I need to know how to hack it myself to prevent this.
OsC is mainly PHP scripts, and accessed from the WWW web, the server compiles them and only outputs the result and not the script itself?
So how could someone see the raw script?
Also how could they re-save that script in edited form back on to my server?
Also if a script can be passed parameters to run, are they not tied down to make sure the parameter passing was from another "local" same server form? Or use a script to script password for verification.
I think this is what PHPnuke does. SQL queries can also be locked down like this too AFAIK.
I understand that if someone got ftp or telnet access, or had your password, they could of course wreak havoc. But from a WWW web only access, I don't see how the scripts can do more than compile and run and do what they're supposed to do.
Or are we talking about some "ini" files which can be read raw if the filename is known? But I don't see how they could be edited.
If the ini files contained passwords, then these would be encrypted and/or stored in a non WWW accessible directory no?! and only interrogated via a local authorised script.
I think you're talking about two different things. You can access the admin portion of your iPage site at.
(or whatever you changed it to). This is not password protected out of the box.
What I did to protect my admin was go down to my server and protect the admin folder with a password. So when I go to the admin section on the web it asks me for a password.
Sure, but I think this is pretty unsecure.
Has anybody tried the Admin login contribution? Or does anyone have a great way to secure the admin and database without using password protection in a control panel? I just survived installation, and I'm really new at this...so I'm wondering if there's any chance that this contribution would mess things up? I'm looking for a way to secure the database and the admin, but I'm experimenting with a free host that doesn't have password protection. So I'm open to any and all ideas.
This works great provided perl is installed on the server. Most have it.
It's free for one user and pretty simple to install. It sets up .htaccess protection for you painlessly.
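
Added example, not part of the thread and not taken from any of the scripts mentioned: the kind of .htaccess file such tools generate for a "one user, one directory" setup on Apache 2.4. The user name `shopadmin` and the `/home/example/private/` path are assumptions chosen for illustration.

```apache
# .htaccess placed inside the (renamed) admin directory. Constructed example.
# Requires "AllowOverride AuthConfig" (or All) for this directory in the
# server configuration; otherwise Apache does not accept these directives.

AuthType Basic
AuthName "Shop administration"

# Hypothetical path: keep the password file outside the web-accessible tree
# so it can never be fetched by URL.
# Create it once with: htpasswd -c -B /home/example/private/.htpasswd shopadmin
AuthUserFile /home/example/private/.htpasswd

# One user, one directory. Use "Require valid-user" instead to admit every
# account listed in the password file.
Require user shopadmin

# Basic auth sends the password with every request, only base64-encoded,
# so refuse plain-HTTP requests (needs mod_ssl).
SSLRequireSSL

# Never serve .htaccess/.htpasswd-style files, even if one is left here.
<Files ".ht*">
    Require all denied
</Files>
```

Because the catalog scripts never read files from the admin side, this protection does not interfere with the public shop.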