Security Settings Required?

Printed From: SalesCart
Category: Legacy Products
Forum Name: SalesCart Standard / PRO / SQL
Forum Description: All questions pertaining to SalesCart Standard, PRO and SQL should be posted here.
URL: http://forum.salescart.com/forum/forum_posts.asp?TID=410
Printed Date: April/25/24 at 5:52pm
Software Version: Web Wiz Forums 11.04 - http://www.webwizforums.com


Topic: Security Settings Required?
Posted By: Big Bear
Subject: Security Settings Required?
Date Posted: August/26/05 at 4:01pm
I just had an issue with my SQL 5.02 generated web site. I thought I had the security settings set up properly. The web site has been functional until today.
Someone HACKED my site & I was told I had security settings, which were not really secure.
My question... what are ALL the Server side security settings supposed to be?

I have bits & pieces written down here & there but most needed to be changed because they didn't work right & it has become a jumbled mess.

Any help putting these all in one place for others & me would be appreciated!

BigBear



-------------
Big Bear



Replies:
Posted By: Techno Geek
Date Posted: August/29/05 at 8:36am
I'm not sure if there are any security settings that you would have to enable. What was not secured? Did they mention that to you?

-------------
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support


Posted By: Big Bear
Date Posted: August/29/05 at 8:06pm
Perhaps I wasn't clear enough, that is my fault due to ignorance of the server permission requirements.
What I meant to ask is what are the server side permissions supposed to be set up as.
I know some stuff is supposed to be set up as Read Only & yet others get Write Privileges.
I hope this is clear enough as I am not very familiar with what is required for Sales Cart SQL to be set up properly on the server side.

It seems I had a Global Write privilege set up.. I do not know why but I seem to remember it was required or Sales Cart SQL would not work properly. Anyway... this is how the Hacker got in.

What I need to know now is what server side permission settings are required for Sales Cart SQL to function correctly & yet give me a secure web site.

thanks,
Big Bear


-------------
Big Bear


Posted By: Big Bear
Date Posted: August/29/05 at 11:41pm
Some of the security settings that I understand need to be set up are..

The IUSR only needs READ/WRITE permissions on the database directory. The
permissions should be setup to propagate to the child objects.

and

Both the /fpdb and /online should have READ/WRITE permissions. The user
that should have this permission is the IUSR.

Am I missing any other settings?

Big Bear


-------------
Big Bear


Posted By: qrsystems
Date Posted: August/30/05 at 8:13am
I'm getting a similar message in my email on a daily basis. The hacker is doing different stuff with my site.

A sample of one of the emails is shown below.
Is there anyone who can help us with this?

"This is an automated response sent from SalesCart

Security Error: Unable to open referring page.

Order Number: 90
Item Number: edrlcnfjzh@mydomain.com
Posted Price: edrlcnfjzh@mydomain.com
Actual Price: 0

Posting URL: http://www.mydomain.com/
Browser:
Server: www.mydomanin.com "

Thanks
Dave

-------------
Dave


Posted By: Techno Geek
Date Posted: August/30/05 at 10:37am
Big Bear: You're using SQL? If so, then the IUSR write privileges wouldn't necessarily apply to your site. The SQL database is hopefully hosted on a remote server and it should be behind a firewall at the very least. This is what your host would do for you.

How did you set up your connection strings? Are you using a DSN to connect to the SQL server?

-------------
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support


Posted By: Big Bear
Date Posted: August/30/05 at 11:54am
Again, I apologize for my miscommunication.
This is a really simple request, please don't look into it further than necessary.

All I wish to know is what READ WRITE privileges need to be set up for the SALES CART FOLDERS.

I got into this mess because some of the privileges apparently gave the HACKER access to my web site so he could run a SCRIPT & change my index.htm page.

In the meantime my host provider killed the READ WRITE privileges which were set up on my site because they thought that they were too lenient & posed a SECURITY RISK.

All I need to know is the RECOMMENDED SALES CART READ WRITE Privileges which will result in persons being able to order items from my store.

I only mentioned the version as SQL 5.0 because I thought that it might make a difference as to what READ WRITE privileges are required.

Big Bear

-------------
Big Bear


Posted By: Techno Geek
Date Posted: August/31/05 at 8:39am
FPDB: READ/WRITE
ONLINE: READ/WRITE

That is it. Anything beyond the privileges above is not necessary.

-------------
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support


Posted By: Big Bear
Date Posted: August/31/05 at 4:11pm
What about this statement that I located in the Knowledge base???

"The IUSR only needs READ/WRITE permissions on the database directory. The permissions should be setup to propagate to the child objects."

Should this also be set up this way?

-------------
Big Bear


Posted By: Techno Geek
Date Posted: September/01/05 at 10:13am
When you set up permissions on a directory, the child object will inherit the permissions as well. In some rare cases you will have to force the permissions to propagate.

-------------
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support


Posted By: Big Bear
Date Posted: September/04/05 at 11:10pm
Ok so does this mean that I should have..

FPDB: READ/WRITE
ONLINE: READ/WRITE
IUSR: READ/WRITE permissions on the database with permissions setup to propagate to the child objects

Or is this incorrect?


-------------
Big Bear


Posted By: Techno Geek
Date Posted: September/06/05 at 9:58am
ummm... you're reiterating what I've said in my replies. But yeah, IUSR (the only web account) needs those permissions.

-------------
Techno Geek
Customer Support Engineer
ComCity and SalesCart Technical Support
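
Added example, not part of the thread or SalesCart's own code: a check that reads a dump in the layout printed by `icacls <site root> /T` and reports every write-type right held by the anonymous web account or a broad group outside the two directories named above (fpdb and online). The account names, the site path and the sample dump are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath
# Assumed account names; only the fpdb/online rule comes from the thread.
# WRITE_RIGHTS lists icacls tokens that allow writing, deleting or re-permissioning.
WEB_PRINCIPALS = ("NT AUTHORITY\\IUSR", "Everyone", "BUILTIN\\Users")
WRITABLE_DIRS = {"fpdb", "online"}
WRITE_RIGHTS = {"F", "M", "W", "D", "DE", "WD", "AD", "DC", "WDAC", "WO", "GW", "GA"}
ACE_RE = re.compile(r"(%s):((?:\([^)]+\))+)\s*$" % "|".join(map(re.escape, WEB_PRINCIPALS)))

# Constructed sample dump (hypothetical site root C:\sites\store).
SAMPLE = r"""
C:\sites\store NT AUTHORITY\IUSR:(OI)(CI)(RX)
               BUILTIN\Administrators:(OI)(CI)(F)

C:\sites\store\index.htm BUILTIN\Administrators:(I)(F)
                         Everyone:(I)(M)

C:\sites\store\fpdb NT AUTHORITY\IUSR:(OI)(CI)(M)

C:\sites\store\online NT AUTHORITY\IUSR:(OI)(CI)(M)

C:\sites\store\scripts NT AUTHORITY\IUSR:(OI)(CI)(RX,W)

Successfully processed 5 files; Failed processing 0 files
"""

def parse_icacls(dump):
    """Yield (path, principal, write_rights) for allow ACEs of WEB_PRINCIPALS."""
    for block in re.split(r"\n\s*\n", dump.strip("\n")):
        lines = block.splitlines()
        first = ACE_RE.search(lines[0])
        if len(lines) > 1:   # continuation lines are indented to the ACE column
            path = lines[0][:len(lines[1]) - len(lines[1].lstrip())].rstrip()
        elif first:
            path = lines[0][:first.start()].rstrip()
        else:
            continue         # summary line, or a lone ACE for another principal
        for m in filter(None, map(ACE_RE.search, lines)):
            tokens = set(",".join(re.findall(r"\(([^)]+)\)", m.group(2))).split(","))
            if "DENY" not in tokens and tokens & WRITE_RIGHTS:
                yield path, m.group(1), sorted(tokens & WRITE_RIGHTS)

def audit(dump, site_root):
    """Return write grants to web principals outside the cart's data dirs."""
    def allowed(path):
        try:
            top = PureWindowsPath(path).relative_to(site_root).parts[:1]
        except ValueError:   # path is not under the site root at all
            return False
        return bool(top) and top[0].lower() in WRITABLE_DIRS
    return [f for f in parse_icacls(dump) if not allowed(f[0])]
```

On the sample, `audit(SAMPLE, r"C:\sites\store")` reports the Modify grant to Everyone on index.htm and the Write grant on the scripts directory, and leaves fpdb and online alone.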


