X-Cart:Protected Mode - Revision history

Aim: Config.php is added

2016-09-20T08:36:53Z

Config.php is added

Aim: #Enabling_Protected_mode_for_security_sensitive_operations_performed_via_the_store.27s_back_end is added

2016-09-20T08:34:44Z

#Enabling_Protected_mode_for_security_sensitive_operations_performed_via_the_store.27s_back_end is added

Dohtur: /* See also */

2013-03-26T09:54:32Z

‎See also

Dohtur at 07:36, 26 March 2013

2013-03-26T07:36:26Z

Dohtur: Created page with 'X-Cart versions 4.5.5 and later allow you to enable the so-called Protected mode for the store's back end. Protected mode provides protection against unauthorized access to secur…'

2013-03-25T16:27:31Z

Created page with 'X-Cart versions 4.5.5 and later allow you to enable the so-called Protected mode for the store's back end. Protected mode provides protection against unauthorized access to secur…'

New page

X-Cart versions 4.5.5 and later allow you to enable the so-called Protected mode for the store's back end. Protected mode provides protection against unauthorized access to security sensitive operations performed via the store's back end and thus allows you to minimize the risk of a malicious script being uploaded to your store's site or your database getting compromised in case an intruder manages to gain access to the store's back end.

Protected mode can be switched on and off by editing the values of the constants '''PROTECT_DB_AND_PATCHES''' and '''PROTECT_ESD_AND_TEMPLATES''' in X-Cart's main configuration file config.php.

'''PROTECT_DB_AND_PATCHES''' applies to SQL/security and upgrade/patch operations including the following:
:* admin/db_backup.php - operations of creating a backup of your store's database and restoring the database from backup via the 'Database Backup/Restore' page in Admin area;
:* CHANGE_SECURITY_OPTIONS - changing any settings on the General settings/Security options page (Settings->General settings->Security) in Admin area;
:* PATCH_FILES, PATCH_SQL - Apply Patch and Apply SQL patch operations via the Patch/Upgrade center page (Tools->Patch/Upgrade) in Admin area;
:* UPGRADE - Upgrade operations via the Patch/Upgrade center page (Tools->Patch/Upgrade) in Admin area;
:* ADD_ALLOWED_ADMIN_IP - adding allowed IP addresses via the 'Allowed IP addresses' section on the User access control page (Tools menu -> Maintenance -> "See also" tab (right-side menu) -> User access control) in Admin area.

'''PROTECT_ESD_AND_TEMPLATES''' applies to file operations and template editing:
:* Edit templates - any operations via the Browse templates section in Admin and (X-Cart PLATINUM) Provider area;
:* FILE_OPERATIONS - any operations via the Browse files section in Admin and (X-Cart PLATINUM) Provider area (includes upload of files for ESD products).

The possible values for the constants '''PROTECT_DB_AND_PATCHES''' and '''PROTECT_ESD_AND_TEMPLATES''' are ''''ip'''', ''''file'''' and ''''FALSE''''.

''''FALSE'''' corresponds to disabled Protected mode. When this value is used, security sensitive operations can be performed by anyone with access to the store's back end. Using this value is strongly discouraged.

''''file'''' and ''''ip'''' are values that enable Protected mode. The difference between the two is the protection method provided:
:* 'file'-based protection method: This method provides the highest level of security. With this method, the user is not allowed to make any changes on the protected pages unless a file named XC_UNLOCK has been created in the directory var/tmp. It is essential that X-Cart software be able to delete this file, which means you must set write permissions accordingly - both for the directory var/tmp and the file XC_UNLOCK. If X-Cart does not have the permissions to delete the file, the store continues working in Protected mode. The file XC_UNLOCK is removed automatically after six hours.
:* 'ip'-based protection method: With this method, users are not allowed to make changes on the protected pages unless they are using an 'allowed' IP address. To define, whether or not an IP address is 'allowed', X-Cart uses the same base of IP addresses as the [[X-Cart:User_Access_Control|User access control]] functionality. This means that if you are going to use Protected mode based on the 'ip'-based protection method, you should make sure your store's list of allowed IP addresses contains the IP addresses from which you allow security sensitive admin operations.

Note that the values of the constants '''PROTECT_DB_AND_PATCHES''' and '''PROTECT_ESD_AND_TEMPLATES''' can be adjusted independently of one another to give you more flexibility; for instance, you can use 'file'-based protection method for SQL/security and upgrade/patch operations and 'ip'-based protection method for file uploads and template editing.

==See also==
* [[X-Cart:Config.php|Config.php]]
* [[X-Cart:User_Access_Control|User Access Control]]
* [[X-Cart:Security_Profiles|Security Profiles]]

[[Category:X-Cart user manual]]

@@ Line 1: / Line 1: @@
 X-Cart versions 4.5.5 and later allow you to enable the so-called Protected mode for the store's back end. Protected mode provides protection against unauthorized access to security sensitive operations performed via the store's back end and thus allows you to minimize the risk of a malicious script being uploaded to your store's site or your database getting compromised in case an intruder manages to gain access to the store's back end.
-Protected mode can be switched on and off by editing the values of the constants '''PROTECT_DB_AND_PATCHES''' and '''PROTECT_ESD_AND_TEMPLATES''' in X-Cart's main configuration file <u>config.php</u>.
+Protected mode can be switched on and off by editing the values of the constants '''PROTECT_DB_AND_PATCHES''' and '''PROTECT_ESD_AND_TEMPLATES''' in X-Cart's main configuration file [[X-Cart:Config.php#Enabling_Protected_mode_for_security_sensitive_operations_performed_via_the_store.27s_back_end|config.php]].
 '''PROTECT_DB_AND_PATCHES''' applies to SQL/security and upgrade/patch operations including the following:

@@ Line 27: / Line 27: @@
 ==See also==
-* [[X-Cart:Config.php|Config.php]]
+* [[X-Cart:Config.php#Enabling_Protected_mode_for_security_sensitive_operations_performed_via_the_store.27s_back_end|Config.php]]
 * [[X-Cart:User_Access_Control|User Access Control]]
 * [[X-Cart:Security_Profiles|Security Profiles]]

@@ Line 20: / Line 20: @@
 ''''file'''' and ''''ip'''' are values that enable Protected mode. The difference between the two is the protection method provided:
 :* 'file'-based protection method: This method provides the highest level of security. With this method, the user is not allowed to make any changes on the protected pages unless a file named <u>XC_UNLOCK</u> has been created in the directory <u>var/tmp</u>. It is essential that X-Cart software be able to delete this file, which means you must set write permissions accordingly - both for the directory <u>var/tmp</u> and the file <u>XC_UNLOCK</u>. If X-Cart does not have the permissions to delete the file, the store continues working in Protected mode. The file <u>XC_UNLOCK</u> is removed automatically after six hours.
-:* 'ip'-based protection method: With this method, users are not allowed to make changes on the protected pages unless they are using an 'allowed' IP address. To define, whether or not an IP address is 'allowed', X-Cart uses the same base of IP addresses as the [[X-Cart:User_Access_Control|User access control]] functionality. This means that if you are going to use Protected mode based on the 'ip'-based protection method, you should make sure your store's list of allowed IP addresses contains the IP addresses from which you allow security sensitive admin operations.
+:* <div id="IPBasedProtectionMethod"> </div>'ip'-based protection method: With this method, users are not allowed to make changes on the protected pages unless they are using an 'allowed' IP address. To define, whether or not an IP address is 'allowed', X-Cart uses the same base of IP addresses as the [[X-Cart:User_Access_Control|User access control]] functionality. This means that if you are going to use Protected mode based on the 'ip'-based protection method, you should make sure your store's list of allowed IP addresses contains the IP addresses from which you allow security sensitive admin operations.
 Note that the values of the constants '''PROTECT_DB_AND_PATCHES''' and '''PROTECT_ESD_AND_TEMPLATES''' can be adjusted independently of one another to give you more flexibility; for instance, you can use 'file'-based protection method for SQL/security and upgrade/patch operations and 'ip'-based protection method for file uploads and template editing.