Security Settings Required?

Big Bear
Posted: August/26/05 at 4:01pm
I just had an issue with my SQL 5.02 generated web site. I thought I had the security settings set up properly. The web site has been functional until today.
Someone HACKED my site & I was told I had security settings, which were not really secure.
My question... what are ALL the Server side security settings supposed to be?

I have bits & pieces written down here & there but most needed to be changed because they didn't work right & it has become a jumbled mess.

Any help putting these all in one place for others & me would be appreciated!

BigBear

Techno Geek
Posted: August/29/05 at 8:36am
I'm not sure if there are any security settings that you would have to enable. What was not secured? Did they mention that to you?
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support

Big Bear
Posted: August/29/05 at 8:06pm
Perhaps I wasn't clear enough; that is my fault due to ignorance of the server permission requirements.
What I meant to ask is what are the server side permissions supposed to be set up as.
I know some stuff is supposed to be set up as Read Only & yet others get Write Privileges.
I hope this is clear enough as I am not very familiar with what is required for Sales Cart SQL to be set up properly on the server side.

It seems I had a Global Write privilege set up.. I do not know why but I seem to remember it was required or Sales Cart SQL would not work properly. Anyway... this is how the Hacker got in.

What I need to know now is what server side permission settings are required for Sales Cart SQL to function correctly & yet give me a secure web site.

thanks,
Big Bear

Big Bear
Posted: August/29/05 at 11:41pm
Some of the security settings that I understand need to be set up are..

The IUSR only needs READ/WRITE permissions on the database directory. The
permissions should be setup to propagate to the child objects.

and

Both the /fpdb and /online should have READ/WRITE permissions. The user
that should have this permission is the IUSR.

Am I missing any other settings?

Big Bear

qrsystems
Posted: August/30/05 at 8:13am
I'm getting a similar message in my email on a daily basis. The hacker is doing different stuff with my site.

A sample of one of the emails is shown below.
Is there anyone who can help us with this?

"This is an automated response sent from SalesCart

Security Error: Unable to open referring page.

Order Number: 90
Item Number: edrlcnfjzh@mydomain.com
Posted Price: edrlcnfjzh@mydomain.com
Actual Price: 0

Posting URL: http://www.mydomain.com/
Browser:
Server: www.mydomanin.com "

Thanks
Dave

Techno Geek
Posted: August/30/05 at 10:37am
Big Bear: You're using SQL? If so, then the IUSR write privileges wouldn't necessarily apply to your site. The SQL database is hopefully hosted on a remote server and it should be behind a firewall at the very least. This is what your host would do for you.

How did you set up your connection strings? Are you using DSN to connect to the SQL server?
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support

Big Bear
Posted: August/30/05 at 11:54am
Again, I apologize for my miscommunication.
This is a really simple request, please don't look into it further than necessary.

All I wish to know is what READ WRITE privileges need to be set up for the SALES CART FOLDERS.

I got into this mess because some of the privileges apparently gave the HACKER access to my web site so he could run a SCRIPT & change my index.htm page.

In the meantime my host provider killed the READ WRITE privileges which were set up on my site because they thought that they were too lenient & posed a SECURITY RISK.

All I need to know is the RECOMMENDED SALES CART READ WRITE Privileges which will result in persons being able to order items from my store.

I only mentioned the version as SQL 5.0 because I thought that it might make a difference as to what READ WRITE privileges are required.

Big Bear

Techno Geek
Posted: August/31/05 at 8:39am
FPDB: READ/WRITE
ONLINE: READ/WRITE

That is it. Anything beyond the privileges above is not necessary.
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support

Big Bear
Posted: August/31/05 at 4:11pm
What about this statement that I located in the Knowledge base???

"The IUSR only needs READ/WRITE permissions on the database directory. The permissions should be setup to propagate to the child objects."

Should this also be set up this way?

Techno Geek
Posted: September/01/05 at 10:13am
When you set up permissions on a directory, the child object will inherit the permissions as well. In some rare cases you will have to force the permissions to propagate.
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support

Big Bear
Posted: September/04/05 at 11:10pm
Ok so does this mean that I should have..

FPDB: READ/WRITE
ONLINE: READ/WRITE
IUSR: READ/WRITE permissions on the database with permissions set up to propagate to the child objects

Or is this incorrect?

Techno Geek
Posted: September/06/05 at 9:58am
ummm... you're reiterating what I've said in my replies. But yeah, IUSR (the only web account) needs those permissions.
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support
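
An added example, not part of the original thread and not SalesCart's own tooling: a read-only PowerShell audit that lists every directory under a site root where the anonymous web account (or a broad group that contains it) can write, and marks whether that directory falls under the two folders named above (`fpdb`, `online`). The site root path and the account-name pattern are assumptions; adjust them to the server being checked.

```powershell
# Added example, not SalesCart's own tooling. Read-only: it changes no ACLs.
function Get-WebWriteAccess {
    param(
        [Parameter(Mandatory)][string]$WebRoot,
        # Folders the thread says need READ/WRITE, relative to the site root.
        [string[]]$WritableDirs = @('fpdb', 'online'),
        # Assumed pattern: the anonymous web account (IUSR or IUSR_<machine>)
        # and broad groups that contain it.
        [string]$IdentityPattern = '(^|\\)IUSR(_|$)|(^|\\)(Everyone|Users|Authenticated Users)$'
    )
    # Rights that let an account create, change or delete content, plus the
    # raw GENERIC_WRITE / GENERIC_ALL bits that some ACEs carry.
    $named = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $mask = [int]$named -bor 0x40000000 -bor 0x10000000

    $root = (Resolve-Path -LiteralPath $WebRoot).ProviderPath.TrimEnd('\')
    $dirs = @(Get-Item -LiteralPath $root) +
            @(Get-ChildItem -LiteralPath $root -Directory -Recurse)

    foreach ($dir in $dirs) {
        # First path segment below the root decides whether write access is expected.
        $rel = $dir.FullName.Substring($root.Length).TrimStart('\')
        $expected = $WritableDirs -contains ($rel -split '\\')[0]

        foreach ($ace in (Get-Acl -LiteralPath $dir.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -notmatch $IdentityPattern) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True: granted higher up and propagated
                Expected  = $expected
            }
        }
    }
}

# Placeholder path (assumption). Rows printed here are write grants outside
# fpdb and online, i.e. the kind of site-wide write access described above.
Get-WebWriteAccess -WebRoot 'C:\Inetpub\wwwroot' |
    Where-Object { -not $_.Expected } |
    Sort-Object Path |
    Format-Table Path, Identity, Rights, Inherited -AutoSize
```

A row with `Inherited` set to False on the site root itself is the grant to remove first, since every child directory picks it up through propagation.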