Draft:Config.php

From X-Cart 4 Classic
Revision as of 16:05, 31 January 2013 by Dohtur (talk | contribs) (Setting the protection method for SQL/security and file changes from the Admin area)

Section marked "DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING"

We strongly recommend you do not change any configuration settings that go below the line that says:

# DO NOT CHANGE ANYTHING BELOW THIS LINE UNLESS
# YOU REALLY KNOW WHAT ARE YOU DOING

Editing the settings below this line requires profound knowledge of X-Cart architecture. Tampering with these settings may cause considerable damage to your store.

Below are some notes on the contents of this section:

$x_time_threshold = 4;
$x_mem_threshold = 4194304;


mysql_autorepair = true;

Data caching

define('USE_DATA_CACHE', true);

The constant USE_DATA_CACHE defines whether your store should use data caching. The possible values for this constant are:

  • 'true': Data caching is enabled.
  • 'false': Data caching is disabled.

By default the value is set to 'true'. Changing the value to 'false' is reasonable only if you experience problems in using the store with caching enabled (e.g. if you keep getting error messages about the files in the /var/cache directory of your X-Cart installation).


define('DATA_CACHE_TTL', 24*3600);

define('USE_SQL_DATA_CACHE', false);

define('SQL_DATA_CACHE_TTL', 3600);
define('USE_MEMCACHE_DATA_CACHE', false);
define('MEMCACHE_SERVER_ADDRESS', 'localhost');
define('MEMCACHE_SERVER_PORT', 11211);
abstract class XCSecurity { //{{{

Setting the protection method for SQL/security and file changes from the Admin area

const PROTECT_DB_AND_PATCHES = 'ip';
const PROTECT_ESD_AND_TEMPLATES = 'ip';

The constants PROTECT_DB_AND_PATCHES and PROTECT_ESD_AND_TEMPLATES define whether the store should use protection against unauthorized SQL/security and file operations from the Admin area and set the type of protection method to be used:

  • PROTECT_DB_AND_PATCHES applies to SQL/security and upgrade/patch operations performed via X-Cart's Admin area.
  • PROTECT_ESD_AND_TEMPLATES applies to upload of distribution files for ESD products and the 'Edit templates' feature.

The possible values for these constants are:

  • 'ip': Access to the protected pages is allowed only from specific IP addresses.
  • 'file': (Strongly recommended) Access to the protected pages is allowed only after creating a special file in the var/tmp folder. Using this value provides the highest level of security.
  • FALSE: (Not recommended) Protection for SQL/Security and file operations from the Admin area is disabled.

Binding the session id of admin user to IP address

const PROTECT_XID_BY_IP = 'mask';

The constant PROTECT_XID_BY_IP defines whether the admin user's session id should be locked to the IP address from which the session originated. The possible values are:

  • 'ip': (Strongly recommended) The admin user's session id is locked to a specific IP address. Using this value provides the highest level of security.
  • 'mask': The admin user's session id is locked to the IP subnetwork that includes the IP address from which the admin session originated. Using this value provides a medium level of security.
  • FALSE: (Not recommended) Binding of the admin user's session id to an IP address is disabled. You may want to use this value if the admin is going to work through two or more ISPs, alternating between them all the time.

By default the value of PROTECT_XID_BY_IP is 'mask'. Note that, if the value of PROTECT_XID_BY_IP at your store is set to 'ip', in rare cases (namely, if your ISP changes your IP address too often, like every few seconds) you may experience problems logging in to the Admin area. If this happens, consider switching to 'mask' or disable binding of admin user session IDs to IP addresses altogether by setting the value of PROTECT_XID_BY_IP to FALSE.

Restricting access to Admin area by IP

const BLOCK_UNKNOWN_ADMIN_IP = FALSE;

The constant BLOCK_UNKNOWN_ADMIN_IP (in X-Cart versions prior to 4.5.5 known as SECURITY_BLOCK_UNKNOWN_ADMIN_IP) defines whether the store's user access control functionality is enabled. This functionality prevents usage of your store's back-end from IP addresses unknown to the system. The possible values are:

  • TRUE: User access control functionality is enabled; the Admin area can be accessed only from the IP address specified in the value of the ADMIN_ALLOWED_IP constant (see below).
  • FALSE: User access control functionality is disabled; the Admin area can be accessed from any IP address.

By default the value of this constant is set to FALSE. For more information, see the section User Access Control.

const ADMIN_ALLOWED_IP = '';

The constant ADMIN_ALLOWED_IP (in X-Cart versions prior to 4.5.5 known as $admin_allowed_ip) specifies the IP addresses from which access to the Admin area should be allowed. You can leave the value empty for unrestricted access or provide a comma-separated list of trusted IP addresses to allow access only from those IP addresses.
For example:

  • Unrestricted access:
const ADMIN_ALLOWED_IP = '';
  • Access is allowed only from IP 192.168.0.1 and 127.0.0.1:
const ADMIN_ALLOWED_IP = '192.168.0.1, 127.0.0.1';
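The following is an added example (not X-Cart's own code) showing how the two admin access settings described above, PROTECT_XID_BY_IP and BLOCK_UNKNOWN_ADMIN_IP with ADMIN_ALLOWED_IP, translate into an access decision for a request. The functions and the /24 width used for 'mask' are assumptions for illustration; the page only says "IP subnetwork".

```php
<?php
// Added example, not X-Cart code. Constants are defined here only so the
// file runs on its own; in a real store they come from config.php.
const PROTECT_XID_BY_IP      = 'mask';
const BLOCK_UNKNOWN_ADMIN_IP = true;
const ADMIN_ALLOWED_IP       = '192.168.0.1, 127.0.0.1';

// Assumption: 'mask' compares the first three octets (a /24 subnet).
function subnetOf(string $ip): string {
    return implode('.', array_slice(explode('.', $ip), 0, 3));
}

// Is the current request IP acceptable for a session opened from $sessionIp?
// $mode is 'ip', 'mask' or FALSE, mirroring PROTECT_XID_BY_IP.
function sessionIpMatches(string $sessionIp, string $requestIp, $mode): bool {
    switch ($mode) {
        case 'ip':   return $sessionIp === $requestIp;
        case 'mask': return subnetOf($sessionIp) === subnetOf($requestIp);
        default:     return true;   // FALSE: binding disabled
    }
}

// Is the request IP on the ADMIN_ALLOWED_IP list? An empty list means
// unrestricted access; entries are trimmed so "a, b" and "a,b" both work.
function adminIpAllowed(string $requestIp, bool $block, string $list): bool {
    if (!$block || trim($list) === '') {
        return true;
    }
    $allowed = array_map('trim', explode(',', $list));
    return in_array($requestIp, $allowed, true);
}

// Both checks must pass before an admin request is served.
function adminRequestPermitted(string $sessionIp, string $requestIp): bool {
    return adminIpAllowed($requestIp, BLOCK_UNKNOWN_ADMIN_IP, ADMIN_ALLOWED_IP)
        && sessionIpMatches($sessionIp, $requestIp, PROTECT_XID_BY_IP);
}

// Constructed cases: same host; same /24 under 'mask' vs 'ip'; unlisted host.
var_dump(adminRequestPermitted('192.168.0.1', '192.168.0.1'));
var_dump(sessionIpMatches('192.168.0.1', '192.168.0.77', 'mask'));
var_dump(sessionIpMatches('192.168.0.1', '192.168.0.77', 'ip'));
var_dump(adminIpAllowed('10.0.0.5', true, ADMIN_ALLOWED_IP));
```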

Blocking IFRAME / FRAME calls

const FRAME_NOT_ALLOWED = FALSE;

The constant FRAME_NOT_ALLOWED defines whether X-Cart may be loaded inside IFRAME / FRAME tags. You may want to forbid this to prevent attacks in which the attacker displays X-Cart through a frame and, using web browser vulnerabilities, intercepts the information being entered into it. The possible values for this constant are TRUE and FALSE. If none of your pages display X-Cart through a frame, you can set the value of this constant to TRUE to enhance security. By default the value of this constant is set to FALSE.

Setting disallowed file types

const DISALLOWED_FILE_EXTS =
    'phtml, phar, php5, php4, php3, php, pl, cgi, asp, exe, com, bat, pif, htaccess';

The constant DISALLOWED_FILE_EXTS specifies the file types that are not allowed for upload. The disallowed file extensions should be given as a comma-separated list.
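As an added example (not X-Cart's own upload code), here is one way to apply the DISALLOWED_FILE_EXTS list to an uploaded file name. It goes slightly beyond the page by checking every dotted segment of the name case-insensitively, since a check on the final extension alone would pass names such as "shell.php.jpg" or "Shell.PHP"; the function names are assumptions.

```php
<?php
// Added example, not X-Cart code. The constant is defined here only so the
// snippet runs on its own.
const DISALLOWED_FILE_EXTS =
    'phtml, phar, php5, php4, php3, php, pl, cgi, asp, exe, com, bat, pif, htaccess';

// Parse the comma-separated list once, trimmed and lower-cased.
function disallowedExts(string $list): array {
    return array_map(function ($e) { return strtolower(trim($e)); }, explode(',', $list));
}

// Returns true when the upload must be rejected. Every dotted segment after
// the base name is checked, so "shell.php.jpg" is caught as well as
// "shell.php"; lower-casing catches "Shell.PHP"; a leading dot, as in
// ".htaccess", leaves an empty base name and the real name is still checked.
function uploadNameRejected(string $filename, string $list = DISALLOWED_FILE_EXTS): bool {
    $banned = disallowedExts($list);
    $parts  = explode('.', strtolower(basename($filename)));
    array_shift($parts);                 // drop the base name itself
    foreach ($parts as $segment) {
        if (in_array($segment, $banned, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample names.
foreach (['photo.jpg', 'shell.php', 'Shell.PHP', 'shell.php.jpg', '.htaccess'] as $name) {
    printf("%-15s %s\n", $name, uploadNameRejected($name) ? 'rejected' : 'accepted');
}
```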

Checking MD5 of compiled templates

const COMPILED_TPL_CHECK_MD5 = TRUE;

The constant COMPILED_TPL_CHECK_MD5 enables or disables checking of the MD5 checksums of compiled templates, which gives better store protection on shared hosting. The possible values for this constant are TRUE and FALSE. By default the value of this constant is set to TRUE.

Setting the length for the list of unique form identifiers

const FORM_ID_ORDER_LENGTH = 100;

The constant FORM_ID_ORDER_LENGTH sets the length for the list of unique form identifiers.

A unique form identifier ensures that a form is valid and serves as protection from CSRF (cross-site request forgery) attacks. For each user session, the system generates an ordered list of unique identifiers and assigns them to every X-Cart page opened by the user that contains a submittable HTML form designed for sending input data using the POST method. These identifiers are intended to ensure the authenticity of every single form: every time the user makes an attempt to submit a form, X-Cart checks whether the form identifier is on the list. If it is, the form is considered genuine (i.e. generated by X-Cart during the current session) and, thus, safe for sending input data. If the identifier is missing from the list, the form is treated as suspicious, and no input data can be submitted through it.

The number of identifiers in the list corresponds to the value of the FORM_ID_ORDER_LENGTH constant. By default the value is set to 100. It means that for every session the list can contain no more than 100 unique identifiers, and at any given time X-Cart will treat no more than 100 forms as genuine. If the number of forms opened by the user during one session exceeds the value defined by FORM_ID_ORDER_LENGTH, X-Cart will remove the earliest identifiers from the list and replace them with new identifiers for the recently opened forms.

By editing the value of the FORM_ID_ORDER_LENGTH constant you can increase or decrease the number of forms that will be concurrently considered genuine. If FORM_ID_ORDER_LENGTH is not declared or is set to a non-numeric value or a value smaller than 1, its value will be automatically set to 100.
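The following is an added example (not X-Cart's own implementation) of the per-session form identifier list described above: identifiers are issued when a POST form is rendered, at most FORM_ID_ORDER_LENGTH of them are kept with the earliest evicted first, and the constant is normalised to 100 when it is undeclared, non-numeric or smaller than 1. The class and function names are assumptions.

```php
<?php
// Added example, not X-Cart code. The constant is defined here only so the
// file runs on its own; in a real store it comes from config.php.
const FORM_ID_ORDER_LENGTH = 100;

// Normalise the setting: undeclared, non-numeric or < 1 falls back to 100.
function formIdOrderLength(): int {
    if (!defined('FORM_ID_ORDER_LENGTH')) {
        return 100;
    }
    $n = constant('FORM_ID_ORDER_LENGTH');
    return (is_numeric($n) && (int) $n >= 1) ? (int) $n : 100;
}

class FormIdList {
    private $ids = [];          // oldest first
    private $limit;

    public function __construct(int $limit) { $this->limit = $limit; }

    // Called when a page with a POST form is rendered: issue a fresh
    // unpredictable id, dropping the earliest ids once the list is full.
    public function issue(): string {
        $id = bin2hex(random_bytes(16));
        $this->ids[] = $id;
        if (count($this->ids) > $this->limit) {
            array_splice($this->ids, 0, count($this->ids) - $this->limit);
        }
        return $id;
    }

    // Called on submit: a form is genuine only if its id is still listed.
    public function isGenuine(string $id): bool {
        return in_array($id, $this->ids, true);
    }
}

// Constructed run with a small limit so the eviction is visible.
$list  = new FormIdList(3);
$first = $list->issue();
$list->issue();
$list->issue();
printf("first id genuine after 3 forms: %s\n", $list->isGenuine($first) ? 'yes' : 'no');
$list->issue();                          // fourth form evicts the first
printf("first id genuine after 4 forms: %s\n", $list->isGenuine($first) ? 'yes' : 'no');
printf("configured length: %d\n", formIdOrderLength());
```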