ADDED SECURITY FOR UNIX USERS
Posted: Sat Oct 25, 2003 6:16 pm
shadow

There is a security problem with access to files in the users directory, but I have a solution for those of you on Unix servers. (I don't know if it works on Windows servers; I have never worked on one.) I created a .htaccess file that you can load into your users directory that will only allow access from the payment processors' sites and your own. For some reason, when you log in, instead of giving the index page to the members area it gives the navigation for the members area but leaves the login up. Hopefully Daniel can fix this. I will tell you what I did to fix this later. Here is the .htaccess file:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://YOUR SITE.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.YOUR SITE.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.YOUR SITE.com/rand/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.YOUR SITE.com/rand/users/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.paypal.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.paypal.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://paypal.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://paypal.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.stormpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.stormpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://stormpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://stormpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.assuredpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.assuredpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://assuredpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://assuredpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.egold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.egold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://egold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://egold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.intgold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.intgold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://intgold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://intgold.com/ [NC]
RewriteRule /* http://www.YOUR SITE.com/rand/login.php [R,L]

You need to copy and paste this into its own file, change the YOUR SITE to your site name, name it .htaccess and upload to your users directory.
IMPORTANT: you must make sure that the file name is only .htaccess; there can be no .txt after it. I find it easiest to change this in my FTP program.

Please notice that I have included all the lower-level folders that I have listed on my site, and there is a version with the www and without the www for all the payment processors. There is also an http and an https version; this should cover all the bases.

The last line is the page you want to send unauthorized people to; as you see, I send them to the login page.

OKAY, now it is time for the workaround I came up with for the login page re-appearing. It's not fancy but it works.

In the template/main.navigation.php file at line 22 you will see
<a href=<?=$CONFIG->siteurl?>/users/details.php>Account Details</a>

Above this line add another line that says
<a href=<?=$CONFIG->siteurl?>/users/index.php>Members Home</a>

This will add a Members Home link to the top of your members navigation bar.

Now, to tell people that they are actually logged in, I edited login.php.

I changed line 22 from

<td colspan=\"2\" align=center class=text><strong>Members Login<br>!</strong></td>

To
<td colspan=\"2\" align=center class=text><strong>Members Login<br> If you already logged in and are seeing this again, look at the navigation bar to your left if you see the Members Home link click on it. If not please log in!</strong></td>

Now it works and is secure. It will only let links that come from the payment processors or your site in. You can try it on my site if you like.

<removed>

Shadow
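
The rule chain from the post above, modelled in Python as an added example (not part of the original post or of TheRandomizer): consecutive RewriteCond lines are ANDed, so the redirect fires only when the Referer matches none of the listed prefixes. `example.com` stands in for YOUR SITE.com and the sample Referer values are constructed; the model looks only at the header value, which is supplied by the client.

```python
import re

SITE = "example.com"  # constructed stand-in for "YOUR SITE.com" in the post
PROCESSORS = ("paypal.com", "stormpay.com", "assuredpay.com", "egold.com", "intgold.com")

# The allow-list as the post builds it: four own-site prefixes (http only),
# then http/https and www/bare variants for each payment processor.
PREFIXES = [f"http://{SITE}/", f"http://www.{SITE}/",
            f"http://www.{SITE}/rand/", f"http://www.{SITE}/rand/users/"]
PREFIXES += [f"{scheme}://{www}{host}/" for host in PROCESSORS
             for www in ("www.", "") for scheme in ("http", "https")]

def compile_conds(prefixes, escape=False):
    """One regex per `RewriteCond %{HTTP_REFERER} !^prefix [NC]` line.
    escape=False keeps the dots as posted (regex wildcards); True escapes them."""
    return [re.compile("^" + (re.escape(p) if escape else p), re.IGNORECASE)
            for p in prefixes]

def redirected(referer, conds):
    """Consecutive RewriteConds are ANDed, so the RewriteRule (redirect to the
    login page) fires only when the Referer matches none of the prefixes."""
    return not any(c.search(referer) for c in conds)

def redundant(prefixes):
    """Prefixes already covered by a shorter listed prefix."""
    return [p for p in prefixes if any(p != q and p.startswith(q) for q in prefixes)]

AS_POSTED = compile_conds(PREFIXES)
ESCAPED = compile_conds(PREFIXES, escape=True)

# Constructed Referer values; the header is whatever the client chose to send.
SAMPLES = [
    "",                                         # bookmark, typed URL, stripped header
    "http://www.example.com/rand/login.php",    # own site over http
    "https://www.example.com/rand/login.php",   # own site over https (not listed)
    "HTTPS://WWW.PAYPAL.COM/cgi-bin/webscr",    # [NC] makes case irrelevant
    "http://www.example-com/",                  # "-" where the pattern has "."
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{ref!r:45} as posted: {'redirect' if redirected(ref, AS_POSTED) else 'allow':8} "
              f"escaped: {'redirect' if redirected(ref, ESCAPED) else 'allow'}")
    print("redundant:", redundant(PREFIXES))
```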

Shadow need help here please
Posted: Tue Oct 28, 2003 4:30 am
yousave (Guest)

Hi Shadow,

OK, I made my .htaccess file, see below.
But when I upload it to the site, the site refuses to load up.
When I put a blank .htaccess file up, the site loads fine.
I want to make sure to get security up, but not at the cost of the site not loading at all. Any ideas?

Jim Heckt
http://www.yousave.nu
http://www.dvdpriceshop.com
http://www.aboutwebmarketing.com

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://aboutwebmarketing.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.aboutwebmarketing.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.aboutwebmarketing.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.aboutwebmarketing.com/users/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.paypal.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.paypal.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://paypal.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://paypal.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.stormpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.stormpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://stormpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://stormpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.assuredpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.assuredpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://assuredpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://assuredpay.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.egold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.egold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://egold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://egold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.intgold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.intgold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://intgold.com/ [NC]
RewriteCond %{HTTP_REFERER} !^https://intgold.com/ [NC]
RewriteRule /* http://www.aboutwebmarketing.com/index.php [R,L]

Posted: Tue Oct 28, 2003 4:44 am
DS

I had the same problem

Posted: Wed Oct 29, 2003 2:13 am
shadow

Sorry, but it seems that some hosts don't have the support for all the rewrite configs in .htaccess. Daniel is making v2.2 so that you can change the name of the file any time you like to whatever you like, and that should handle your security.

Shadow