Results 1 to 4 of 4
  1. #1
    Join Date
    Mar 2009

    Question OSCommerce sites compromised

    hi all,

    I have three OSCommerce sites running on a reseller UNIX account.

    I discovered that there were strange PHP files on all three installations. I have deleted the files, and kept one locally to poke around in.

    This seems to be quite common and is caused by having 777 permissions on the folders that need to have images etc uploaded to them. I have changed them to 755 for the time being, but now OSCommerce can't write to these folders, so customers can't add product photos.

    This page says the following:

    Set the permissions on ALL folders to 755. If your host has PHP installed as CGI through suExec (the proper method), then your site will run fine this way. If they have PHP installed as a module, you will get a warning from oscommerce saying that it is unable to write to the images folder. Setting permissions back to 777 will make the message go away but it will leave you open to an attack.
    Does this make sense? Is reseller hosting with this configuration generally available?

    My host has told me that customers should use cpanel or FTP to upload product images, which I've told them is not an option. Waiting for their reply.

    thanks in advance,


  2. #2
    Join Date
    Jul 2009
    give permissions of 775 if php is installed as dso.

    It is safe and will make applications run without any issues.

  3. #3
    Join Date
    Apr 2002
    Using 775 won't help unless the directory has a group ownership of the nobody (or whatever username Apache is running under) user. If the group of the directory is changed to nobody and the permissions are set to 775, then you still really haven't gained anything. If PHP is running as the nobody user on your account, then it is running as the nobody user for every other account on that server.

    Best bet is to run PHP through a suexec wrapper, like suphp. This has to be done by your webhost because it has to apply to all of the accounts on the server. Then permissions of 755 on your images directory will work.

    However, do note that if suphp is used, this does not by itself prevent these files from appearing on your account. If YOUR website has an old and outdated script that is vulnerable to attack then your files and directories being owned by your username and set to 755 will still allow someone to hijack your files through YOUR account. All suphp does is prevent someone from another account on the hosting server accessing your account and placing files in open directories. With suphp you are still responsible, maybe even more so, for keeping your scripts up-to-date.

  4. #4
    Join Date
    Mar 2009
    Thank you folks.

    My host has moved the accounts to SUPHP, so that should be sorted out now.

    I will now double check the scripts themselves.

    Thanks again.

Similar Threads

  1. Replies: 1
    Last Post: 01-18-2005, 12:19 PM
  2. Replies: 0
    Last Post: 12-08-2004, 02:49 AM
  3. Replies: 1
    Last Post: 11-24-2004, 11:02 AM
  4. osCommerce - any reviews in Magazines or other sites?
    By seiretto in forum Hosting Software and Control Panels
    Replies: 4
    Last Post: 04-15-2003, 12:04 PM
  5. Replies: 3
    Last Post: 04-15-2003, 09:40 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts