Category Archives: osCommerce / oscMax

osCommerce and its derivatives. I am working mostly with osCMax these days.

osCmax Security contrib 2.5beta3

Update: Changes in osCmax between this version (beta3) and the RC1 release in early April 2011 have required an update to the osCmax-Security-2.5 bundle. The new information can be found in a post on osCmax Security 2.5RC1.

As I was working with the Check Permissions and the Site Monitor contribs I decided to save myself some longer term pain and bring the two together as the basis for my own Security setup for the sites that I manage.

In the process I have made changes that enable:

Single install process
Check Permissions saves the file and directory permissions to the database for consistent use
Check Permissions now recognises the Site Monitor files that need to be writable
Site Monitor & Check Permissions work with osCmax 2.5 (minor changes)
Both contribs appear within a dedicated Security menu option

You can grab a copy of osCmax-Security-2.5 from here and shortly from the osCmax projects area.

I’ve tested the quick install with a fresh copy of osCmax 2.5 and against an already installed ‘slow install’ with edits and it all seems ok.

Once installed just follow the instructions for each of the two contribs.

osCmax and Site Monitor

Site Monitor is a security monitoring and reporting tool for osCommerce.

I’ve been working through an update that will allow version 2.9 to work with osCmax version 2.5.

I documented it in the osCmax wiki Site Monitor page last night including all the changes that I made to the files.

It should appear as a project / contrib in the osCmax web site in the next few days.

You can download my latest version of Site Monitor 2.9 for osCmax from here as well.

SME Server 8 and session.use_trans_sid

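I downloaded the svn copy of osCmax to do some dev work, and the first install screen advised that session.use_trans_sid was enabled and should not be. With that setting on, PHP can append the session ID to URLs, where it leaks through logs, referrers and shared links.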

After some quick research that simply suggested I add a rule to .htaccess, I went looking at the php.ini and how to turn it off permanently.

[php]
# grep session /etc/e-smith/templates/etc/php.ini/*
[/php]

returns

[php]
/etc/e-smith/templates/etc/php.ini/80ModuleSettings16Session:session.use_trans_sid = 1
[/php]

That tells me to copy the offending template section to the templates-custom area, set it to 0, and recompile the template for php.ini.

[php]
# mkdir -p /etc/e-smith/templates-custom/etc/php.ini
# cp /etc/e-smith/templates/etc/php.ini/80ModuleSettings16Session /etc/e-smith/templates-custom/etc/php.ini/
[/php]

I like using mcedit on my linux systems but you might prefer vi or something else.

[php]
# mcedit /etc/e-smith/templates-custom/etc/php.ini/80ModuleSettings16Session
[/php]

Change the setting for session.use_trans_sid from 1 to 0 and save the file.

Then rebuild the php.ini and restart Apache.

[php]
# /sbin/e-smith/expand-template /etc/php.ini
# apachectl graceful
[/php]

Of course these notes pretty much apply to any SME Server template snippet to adjust the server settings permanently so that reboots don’t lose your changes.
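
The steps above can be scripted and checked. The following is an added example, not part of the original post: it copies a stock fragment into a custom template directory under the same name, sets the key to 0, and reads back the effective value from a rendered ini file. The function names are hypothetical, and all paths are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. All paths are arguments.

# Print the effective value of KEY in ini-style FILE. The last uncommented
# assignment wins, as it does when PHP reads php.ini. Exit 1 if KEY is unset.
ini_effective() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }                   # whole-line comment
        {
            line = $0
            sub(/[ \t]*;.*$/, "", line)       # trailing comment (values with ";" not handled)
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (!found) exit 1; print val }' "$1"
}

# Succeed when VALUE is one that PHP reads as boolean false.
php_bool_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        0|off|false|no|none|'') return 0 ;;
        *) return 1 ;;
    esac
}

# Copy stock fragment SRC into custom template directory DSTDIR under the
# same file name (which is what makes it an override) and set KEY to 0.
override_fragment() {
    src=$1; dstdir=$2
    re=$(printf '%s' "$3" | sed 's/\./\\./g')   # match dots in KEY literally
    mkdir -p "$dstdir" && dst="$dstdir/$(basename "$src")" || return 1
    sed "s/^\([[:space:]]*$re[[:space:]]*=\).*/\1 0/" "$src" > "$dst"
}

# 0: session IDs stay out of URLs; 1: URL rewriting is on; 2: key not set.
trans_sid_disabled() {
    v=$(ini_effective "$1" session.use_trans_sid) || return 2
    php_bool_off "$v"
}

# Optional direct use: sh thisfile /etc/php.ini
if [ "$#" -eq 1 ]; then
    trans_sid_disabled "$1" && echo "session.use_trans_sid is off in $1"
fi
```

Run `trans_sid_disabled /etc/php.ini` after `expand-template` to confirm the rendered file picked up the override; a later assignment in the file that turns the setting back on is reported as enabled.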

oscMax Check Permissions add-on update for v2.5

I was working through a trial install of oscMax v2.5beta3 and following the security setup instructions.

In doing so I found a number of changes that I wanted to make and the first one that I have completed is the Check Permissions add-on.

You can download Check_permissions_2.5
(Edit: this file was updated 20110312)

The references that you can use are included in the zip file README etc.

Also you may want to look at:

The oscMax Security documentation which is what started me on this update

The oscMax link to version 1.3 of Check Permissions if you want to compare the code I added

The oscMax wiki page on Check Permissions that I added with the details regarding both the install of 1.3 or 2.5