Print Page | Close Window

Security Settings Required?

Printed From: SalesCart
Category: Legacy Products
Forum Name: SalesCart Standard / PRO / SQL
Forum Description: All questions pertaining to SalesCart Standard, PRO and SQL should be posted here.
URL: http://forum.salescart.com/forum/forum_posts.asp?TID=410
Printed Date: November/23/24 at 9:06pm
Software Version: Web Wiz Forums 11.04 - http://www.webwizforums.com


Topic: Security Settings Required?
Posted By: Big Bear
Subject: Security Settings Required?
Date Posted: August/26/05 at 4:01pm
I just had an issue with my SQL 5.02 generated web site. I thought I had the security settings setup properly. The web site has been functional until today.
Someone HACKED my site & I was told I had security settings, which were not really secure.
My question... what are ALL the Server side security settings supposed to be?

I have bits & pieces written down here & there but most needed to be changed because they didn't work right & it has become a jumbled mess.

Any help putting these all in one place for others & me would be appreciated!

BigBear



-------------
Big Bear



Replies:
Posted By: Techno Geek
Date Posted: August/29/05 at 8:36am
I'm not sure if there are any security settings that you would have to enable. What was not secured? Did they mention that to you?

-------------
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support


Posted By: Big Bear
Date Posted: August/29/05 at 8:06pm
Perhaps I wasn't clear enough, that is my fault due to ignorance of the server permission requirements..
What I meant to ask is what are the server side permissions supposed to be set up as.
I know some stuff is supposed to be set up as Read Only & yet others get Write Privileges.
I hope this is clear enough as I am not very familiar with what is required for Sales Cart SQL to be set up properly on the server side.

It seems I had a Global Write privilege set up.. I do not know why but I seem to remember it was required or Sales Cart SQL would not work properly. Anyway... this is how the Hacker got in.

What I need to know now is what server side permission settings are required for Sales Cart SQL to function correctly & yet give me a secure web site.

thanks,
Big Bear


-------------
Big Bear


Posted By: Big Bear
Date Posted: August/29/05 at 11:41pm
Some of the security settings that I understand need to be set up are..

The IUSR only needs READ/WRITE permissions on the database directory. The
permissions should be setup to propagate to the child objects.

and

Both the /fpdb and /online should have READ/WRITE permissions. The user
that should have this permission is the IUSR.

Am I missing any other settings?

Big Bear


-------------
Big Bear


Posted By: qrsystems
Date Posted: August/30/05 at 8:13am
I'm getting similar message on my email on daily bases. The hacker is doing different stuff with my site.

sample of one of the emails is as shown below
Is there any one who can help us on this.

"This is an automated response sent from SalesCart

Security Error: Unable to open referring page.

Order Number: 90
Item Number: edrlcnfjzh@mydomain.com
Posted Price: edrlcnfjzh@mydomain.com
Actual Price: 0

Posting URL: http://www.mydomain.com/
Browser:
Server: www.mydomanin.com "

Thanks
Dave

-------------
Dave


Posted By: Techno Geek
Date Posted: August/30/05 at 10:37am
Big Bear: You're using SQL? If so, then the IUSR write privilages wouldn't necessarily apply to your site. The SQL database is hopefully hosted on a remote server and it should be behind a firewall at the very least. This is what your host would do for you.

How did you setup your connection strings? Are you using DSN to connect to the SQL server?

-------------
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support


Posted By: Big Bear
Date Posted: August/30/05 at 11:54am
Again, I apologize for my misscommunication.
This is a really simple request, please don't look into it further than necesasary.

All I wish to know is what REAR WRITE priveleges need to be set up for the SALES CART FOLDERS.

I got into this mess because some of the priveleges aparently gave the HACKER access to my web site so he could run a SCRIPT & change my index.htm page.

In the mean time my host provider killed the READ WRITE priveledges which were set up on my site because they thought that they were too leanent & posed a SECURITY RISK.

All I need to know is the RECOMENDED SALES CART READ WRITE Priveledges which will result in persons to be able to order items from my store.

I only mentioned the version as SQL 5.0 because I thought that it might make a difference as to what READ WRITE priveledges are required.

Big Bear

-------------
Big Bear


Posted By: Techno Geek
Date Posted: August/31/05 at 8:39am
FPDB: READ/WRITE
ONLINE: READ/WRITE

That is it. Anything beyond the privileges above is not necessary.

-------------
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support


Posted By: Big Bear
Date Posted: August/31/05 at 4:11pm
What about this statement that I located in the Knowledge base???

"The IUSR only needs READ/WRITE permissions on the database directory. The permissions should be setup to propagate to the child objects."

Should this also be set up this way?

-------------
Big Bear


Posted By: Techno Geek
Date Posted: September/01/05 at 10:13am
When you setup permissions on a directory, the child object will inherit the permissions as well. In some rare cases you will have to force the permissions to propagate.

-------------
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support


Posted By: Big Bear
Date Posted: September/04/05 at 11:10pm
Ok so does this mean that I should have..

FPDB: READ/WRITE
ONLINE: READ/WRITE
IUSR: READ/WRITE permissions on the database with permissions setup to propagate to the child objects

Or is this incorrect?


-------------
Big Bear


Posted By: Techno Geek
Date Posted: September/06/05 at 9:58am
ummm... you're reiterating what I've said in my replies. But yeah, IUSR (the only web account) needs those permissions.

-------------
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support



Print Page | Close Window

Forum Software by Web Wiz Forums® version 11.04 - http://www.webwizforums.com
Copyright ©2001-2015 Web Wiz Ltd. - http://www.webwiz.co.uk