11- Zen Cart
Zen Cart is a common PHP-based web application for e-commerce sites. It is a traditional LAMP stack product, meaning it runs on the combination of Linux, Apache, MySQL, and PHP. It can also be installed with a demonstration shop filled with sample products; we will use this feature as well.
We will install the web site on a fresh installation of OpenSuSE 11.3, which we name quarrylane.cosc.tu. We will use the same back-end database (biers.cosc.tu) that we used in Notes #9 and again in Notes #10.
Since this is a web application, start by enabling the web server and opening the ports in the firewall.
The default OpenSuSE 11.3 image provided to the class does have Apache installed, but it is not on by default. Start YaST by navigating Start Iguana → Computer → YaST. From there, navigate to System and then to System Services (Runlevel). Unlike the CentOS systems, OpenSuSE calls the service "Apache2" rather than "httpd" but otherwise the techniques for starting and stopping the service on the command line are the same. Enable the web server in YaST by selecting "apache2" and pressing the enable button.
To open the required ports in the firewall, again use YaST, but navigate Security and Users → Firewall. Enable the firewall, and be sure that your network interface is in the External Zone. [When you updated /etc/udev/rules.d/70-persistent-net.rules and changed the interface name, the system did not know what zone to use for the new interface.] For allowed services, be sure to allow both HTTP Server and HTTPS Server; after all, our e-commerce site will use HTTPS.
Finally, update line 996 of the file /etc/php5/apache2/php.ini so that the [Date] section reads

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = America/New_York
Recall that we needed to make a similar change when we installed Snort Report in Notes #10; the only difference is that the file lives in a slightly different location. As before, you will need to restart Apache for this change to take effect; in OpenSuSE the command is
quarrylane:~ # /etc/init.d/apache2 restart
Installation- the Files
Copy the Zen Cart archive to your system, and uncompress it inside the DocumentRoot for the web server, which on an OpenSuSE machine is /srv/www/htdocs; the result is the directory /srv/www/htdocs/zen-cart-v150-full-release-12302011. For simplicity later, rename that directory to the simpler /srv/www/htdocs/shop. Also for simplicity, modify the original index page in DocumentRoot so that it redirects to the shop, by giving that file the contents

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="REFRESH" content="0;url=http://quarrylane.cosc.tu/shop/index.php">
</head>
</html>
Visit the home page of your website; you should now be directed to a configuration page for your Zen Cart site similar to the following:
Notice that though the URL visited was http://quarrylane.cosc.tu, it was seamlessly redirected to the correct URL inside the shop subdirectory.
We are going to use the web site to guide our installation of the completed shop; however before we can do so, we need to create some starter files.
In the directory /srv/www/htdocs/shop/, copy the file includes/dist-configure.php to includes/configure.php and set its permissions to 777.

quarrylane:~ # cp /srv/www/htdocs/shop/includes/dist-configure.php /srv/www/htdocs/shop/includes/configure.php
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/includes/configure.php

[Don't worry; we will be changing the permissions back to safer values once installation is complete!]

Repeat the process in the admin subdirectory: copy admin/includes/dist-configure.php to admin/includes/configure.php and set its permissions to 777.

quarrylane:~ # cp /srv/www/htdocs/shop/admin/includes/dist-configure.php /srv/www/htdocs/shop/admin/includes/configure.php
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/admin/includes/configure.php
Next we need to modify the permissions on a number of directories. For each of these, set the permissions to 777:

quarrylane:~ # chmod 777 /srv/www/htdocs/shop/cache/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/includes/languages/english/html_includes/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/media/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/pub/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/admin/backups/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/admin/images/graphs
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/attributes/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/banners/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/categories/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/large/dvd/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/manufacturers/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/medium/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/uploads/
The Web Installation- Start
We will now solve each of the noted problems in turn. Our first issue is that curl is not compiled into our version of PHP. Let's remedy that.
Point the VMware CD to the .iso for OpenSuSE 11.3 (available on the labshare). Be sure that the disc is correctly mounted in the system, then run YaST. Navigate Software → Software Repositories. Unselect any Internet repositories, leaving only the installation DVD, then install the PHP curl package (php5-curl) from Software → Software Management.
After the installation completes, restart Apache and revisit the configuration page.
At this point, there are no errors, but there are a few warnings. One of these lets us know that gd is not installed in PHP. We fix that in the same way we did above, except that the package is called php5-gd. Installing php5-gd will also require an additional package (t1lib) to be installed; this happens automatically.
Another warning is that the system does not show PHP ZLIB compression support; here the package name is php5-zlib.
Finally, Zen Cart wants to be able to use .htaccess files to control file access. To allow this, edit /etc/apache2/default-server.conf. Line 26 sets AllowOverride for the default directory /srv/www/htdocs to None; change that setting so that .htaccess files under the document root are honoured.
After all of these changes are made, restart Apache and revisit the configuration web site. There should be no noted errors or warnings. At this point, simply select the Install button on the bottom of the web page.
Next, we need to configure the database for our shop. As we did with Snort Report in Notes #10, we will continue to use our database server at biers.cosc.tu for this purpose. Create a database, say "quarrylane", after the name of the web server that will host the shop. Add a MySQL user, say zencart, give it full permissions on that database in the usual fashion, and verify your results on the database server.

[root@biers ~]# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 38
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database quarrylane;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on quarrylane.* to zencart@quarrylane.cosc.tu identified by 'password1!';
Query OK, 0 rows affected (0.00 sec)

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select user, host, password from user;
+---------+---------------------+-------------------------------------------+
| user    | host                | password                                  |
+---------+---------------------+-------------------------------------------+
| root    | localhost           | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| root    | biers.cosc.tu       | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| root    | 127.0.0.1           | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| snort   | isleofgods.cosc.tu  | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| zencart | quarrylane.cosc.tu  | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| snort   | satorsquare.cosc.tu | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
+---------+---------------------+-------------------------------------------+
6 rows in set (0.00 sec)

mysql>
Then verify that you can connect to the database from the web server:

quarrylane:~ # mysql -h biers.cosc.tu -u zencart -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use quarrylane;
Database changed
Once you accept these values, the installation script will create the required tables in the database. This can be seen by directly connecting to the database.
Now we would like to protect our website with SSL, since it is an e-commerce site. We quickly notice, however, that the Apache2 configuration for OpenSuSE is quite different from what we saw for CentOS. Let me give you a quick crash course and show you how to get SSL set up in OpenSuSE.
/etc/apache2 has subdirectories ssl.crt/, ssl.csr/ and ssl.key/, which suggests that the server comes with pre-built keys for SSL; it does not. Indeed, try

# cat /etc/apache2/ssl.key/server.key

to see that no key is present.
We start by generating a server key:
quarrylane:~ # openssl genrsa -out /etc/apache2/ssl.key/server.key 4096
Generating RSA private key, 4096 bit long modulus
..........................................................++
..++
e is 65537 (0x10001)
Generate a csr:
quarrylane:~ # openssl req -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Maryland
Locality Name (eg, city) []:Towson
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Towson University
Organizational Unit Name (eg, section) []:Security Laboratory
Common Name (eg, YOUR name) []:quarrylane.cosc.tu
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Copy the csr to your CA (mine was named dragonslanding.cosc.tu) and sign it:

[root@dragonslanding ~]# openssl x509 -req -days 365 -in ./server.csr -CA /etc/pki/CA/certs/ca.crt -CAkey /etc/pki/CA/private/ca.key -set_serial 01 -out /etc/pki/CA/newcerts/quarrylane.crt
Signature ok
subject=/C=US/ST=Maryland/L=Towson/O=Towson University/OU=Security Laboratory/CN=quarrylane.cosc.tu/emailAddress=firstname.lastname@example.org
Getting CA Private Key
Enter pass phrase for /etc/pki/CA/private/ca.key:
Copy the result back to /etc/apache2/ssl.crt/server.crt on the web server; be sure the permissions are set correctly.

quarrylane:~ # mv /home/vimes/Desktop/quarrylane.crt /etc/apache2/ssl.crt/server.crt
quarrylane:~ # chmod 400 /etc/apache2/ssl.crt/server.crt
quarrylane:~ # chown root:root /etc/apache2/ssl.crt/server.crt
quarrylane:~ # ls -l /etc/apache2/ssl.crt
total 12
-rw-r--r-- 1 root root 1522 Oct 24  2002 Makefile
-rw-r--r-- 1 root root 1386 Oct 24  2002 README.CRT
-r-------- 1 root root 2037 Apr 15 21:19 server.crt
By default, the OpenSuSE Apache server does not use SSL. To change this, edit the file /etc/sysconfig/apache2. Line 133 of that file holds the flags passed to the server; modify that line so that the SSL flag is included.
At this point, we can restart the apache server.
# /etc/init.d/apache2 restart
Be sure to check both /var/log/messages and /var/log/apache2/error_log for errors. You can also run a netstat command to see that apache is now listening on TCP/443.
Create the directory /srv/www/htdocs/ssltest and be sure to include a basic web page. We are going to protect that site with SSL. Examine the file /etc/apache2/httpd.conf and note that lines 21-92 describe the default file structure used to configure Apache. The first thing to notice is that they recommend that configuration for virtual hosts be kept in the directory /etc/apache2/vhosts.d. They even provide templates for virtual hosts in that directory.
Copy the template
quarrylane:~ # cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/ssl.conf
Open that file. Let us add an SSL-protected directory to the system by adding the following (outside the <VirtualHost> directive):

<Directory "/srv/www/htdocs/ssltest">
    SSLRequireSSL
    SSLOptions +StrictRequire
</Directory>
Because we used the default file locations, we did not have to modify any of the other lines in the ssl.conf file.
You can then check that the page http://quarrylane.cosc.tu/ssltest/ is not accessible while the page https://quarrylane.cosc.tu/ssltest/ is accessible, and without certificate errors (if you import your CA certificate into the browser!). This completes our discussion of the SSL differences between OpenSuSE and CentOS.
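The key, CSR, signing and "no certificate errors" steps above can be rehearsed in a scratch directory before anything is copied onto the web server. The shell functions below are an added example, not part of the course notes or of any Zen Cart or OpenSuSE file: they build a throwaway CA (standing in for dragonslanding.cosc.tu), issue a certificate for quarrylane.cosc.tu with the same openssl commands the notes use, and then check the two things the browser will check, that the common name matches the host and that the certificate chains to the CA. They assume openssl is on the PATH and write everything under the directory you pass in.

```shell
#!/bin/sh
# Added example, not part of the course notes: rehearse the key / CSR / CA-signing
# steps in a scratch directory and check the result the way the browser will.
# Assumptions: openssl is on the PATH; the CA is a throwaway one created here
# (in the notes it lives on dragonslanding.cosc.tu); all files go under $1.

# make_test_pki DIR HOSTNAME
#   Creates a throwaway CA, a server key and CSR for HOSTNAME, and a CA-signed
#   certificate, using the same openssl commands as the notes.
make_test_pki() {
    dir=$1
    host=$2
    mkdir -p "$dir" || return 1
    # Throwaway, self-signed CA certificate and key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # Server key (the notes use 4096 bits; 2048 keeps this example quick).
    openssl genrsa -out "$dir/server.key" 2048 >/dev/null 2>&1 || return 1
    # CSR with the notes' DN fields, CN set to the web server's name.
    openssl req -new -key "$dir/server.key" \
        -subj "/C=US/ST=Maryland/L=Towson/O=Towson University/CN=$host" \
        -out "$dir/server.csr" >/dev/null 2>&1 || return 1
    # Sign the CSR with the CA, as the notes do on the CA host.
    openssl x509 -req -days 30 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -set_serial 01 -out "$dir/server.crt" >/dev/null 2>&1 || return 1
    # Same permission discipline the notes apply to server.crt on the web server.
    chmod 400 "$dir/server.key" "$dir/server.crt"
}

# cert_cn CERT
#   Prints the certificate's subject common name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

# cert_matches_host CERT HOSTNAME
#   Returns 0 when the subject CN is exactly HOSTNAME; a mismatch is what
#   produces the browser's name-mismatch warning.
cert_matches_host() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# cert_chains_to_ca CERT CA_CERT
#   Returns 0 when CERT verifies against CA_CERT, the check the browser performs
#   once the CA certificate has been imported.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone run: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    make_test_pki "$scratch" quarrylane.cosc.tu
    echo "CN: $(cert_cn "$scratch/server.crt")"
    cert_chains_to_ca "$scratch/server.crt" "$scratch/ca.crt" && echo "chains to CA: yes"
    rm -rf "$scratch"
fi
```

Running the same two checks against the real server.crt and your CA's ca.crt tells you, before restarting Apache, whether the browser warning you will see is a name mismatch, a missing CA import, or neither.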
Visit the page https://quarrylane.cosc.tu/shop/index.php and verify that you can connect without trouble. If so, you can delete the SSL-protected test page: both the files from the file system and the <Directory> directive from the vhost configuration file.
Returning to the Zen Cart installation web page, set both the HTTPS domain (e.g. https://quarrylane.cosc.tu) and the HTTP Server URL (e.g. https://quarrylane.cosc.tu/shop). Enable SSL and Enable SSL in the Admin Area; then Save System Settings.
Completing the Web Installation
You can select the variables in the Store Setup page as you see fit. For practice purposes, install the Store Demo to see how the system will function when complete.
Set up an administrator user name (e.g. zenadmin) and password (e.g. password1!). We don't have email set up, but you must enter a value or the install will throw an error. You do not want to check for updates; the lab does not have an Internet connection, and you don't want the connections to wait to discover this fact.
Files, File Permissions, and Directory Names
Change permissions on the configuration scripts and the directories back to the more palatable 644 for files and 755 for directories. [The two secretadmin paths below assume that the admin directory has already been renamed, as described next.]

quarrylane:~ # chmod 644 /srv/www/htdocs/shop/includes/configure.php
quarrylane:~ # chmod 644 /srv/www/htdocs/shop/admin/includes/configure.php
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/cache/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/includes/languages/english/html_includes/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/media/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/pub/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/secretadmin/backups/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/secretadmin/images/graphs/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/attributes/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/banners/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/categories/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/large/dvd/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/manufacturers/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/medium/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/uploads/

Delete the installer directory /srv/www/htdocs/shop/zc_install/.
To make it more difficult for an adversary to exploit the system, rename the admin page. By itself, this is of no value, but combined with good passwords and other good policies, it does make it more difficult for an adversary to gain access to your site.
quarrylane:~ # mv /srv/www/htdocs/shop/admin /srv/www/htdocs/shop/secretadmin
Hmm. I guess I am not that creative. Perhaps you could come up with a better name?
Test your system as a shopper; buy something. Note that the ordering page is SSL encrypted.
Visit the admin page, and verify that your shopper’s order actually appears.
Securing Zen Cart
Zen Cart makes a number of recommendations for securing a site. For the complete list, see http://www.zen-cart.com/wiki/index.php/Important_Site_Security_Recommendations.
We summarize some of the more important recommendations from that document.
- Use SSL; moreover use SSL with a certificate that is specific to your site.
- Do not use FTP to access files on your site.
- A number of files and folders in the default install should be removed:
- /zc_install/ [which we removed as part of the install]
- If the shop does not contain downloadable products or music, you can also remove the download directories, but you need to tell Zen Cart that downloads have been disabled. Do so from the admin page, through Configuration -> Attribute Settings, then set Enable Downloads to false.
- They recommend renaming the admin folder, but as we saw, this is now required as part of the install process.
- If you are going to send email from the admin portion of your site, be sure to use SMTP rather than the default PHP methods for email transport (Admin -> Configuration -> Email options -> Email Transport method) as the PHP method will expose your admin directory.
- Set permissions on the two configure.php files to 644 (or 444).
- Know how many admin accounts you have on your system. (Admin -> Tools -> Admin Settings).
- During installation, a number of directories are set to 777 so that the contents can be changed during installation. Once the install is complete, the permissions can be tuned down, usually to 755 for folders and 644 for files. We did this as part of our installation as well.
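The post-install steps in "Files, File Permissions, and Directory Names" and the recommendations just listed are easy to forget one of, so it is worth having a check that runs over the shop tree after the install. The script below is an added example, not part of the course notes or of Zen Cart: it audits a shop root for leftover world-writable entries, configure.php files that are still writable by group or others, a surviving zc_install directory, and an admin directory that was never renamed. It assumes the shop root is passed as its argument (the notes use /srv/www/htdocs/shop), and it includes a constructed miniature tree so the audit can be exercised before and after the hardening steps without touching the real site.

```shell
#!/bin/sh
# Added example, not part of the course notes or of Zen Cart: a post-install audit
# of the shop tree for the hardening steps the notes describe.
# Assumptions: the shop root is passed as $1 (the notes use /srv/www/htdocs/shop)
# and the admin folder has been renamed, so no directory literally named "admin"
# should remain.

# zc_postinstall_audit SHOP_ROOT
#   Prints one line per finding and returns the number of findings (0 means clean).
zc_postinstall_audit() {
    root=$1
    n=0

    # 1. Nothing should still be world-writable once the 777 install phase is over.
    ww=$(find "$root" -perm -0002 2>/dev/null)
    if [ -n "$ww" ]; then
        echo "$ww" | sed 's/^/world-writable: /'
        n=$((n + $(echo "$ww" | wc -l)))
    fi

    # 2. configure.php (store and renamed admin) must not be group- or world-writable
    #    (the notes use 644; Zen Cart accepts 644 or 444).
    for f in "$root/includes/configure.php" "$root"/*/includes/configure.php; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" \( -perm -020 -o -perm -002 \))" ]; then
            echo "configure.php writable by group/other: $f"
            n=$((n + 1))
        fi
    done

    # 3. The web installer directory must be gone.
    if [ -d "$root/zc_install" ]; then
        echo "installer directory still present: $root/zc_install"
        n=$((n + 1))
    fi

    # 4. The default admin folder name should no longer exist.
    if [ -d "$root/admin" ]; then
        echo "default admin folder still present: $root/admin"
        n=$((n + 1))
    fi

    return $n
}

# make_demo_tree DIR
#   Constructed miniature of the tree as the web installer leaves it: a few 777
#   directories, 777 configure.php files, and zc_install and admin still in place.
make_demo_tree() {
    d=$1
    mkdir -p "$d/includes" "$d/admin/includes" "$d/cache" "$d/images/uploads" "$d/zc_install"
    : > "$d/includes/configure.php"
    : > "$d/admin/includes/configure.php"
    chmod 777 "$d/includes/configure.php" "$d/admin/includes/configure.php" \
              "$d/cache" "$d/images/uploads"
}

# harden_demo_tree DIR
#   Applies the notes' post-install steps to the demo tree: 644 on configure.php,
#   755 on the directories, remove zc_install, rename admin to secretadmin.
harden_demo_tree() {
    d=$1
    chmod 644 "$d/includes/configure.php" "$d/admin/includes/configure.php"
    chmod 755 "$d/cache" "$d/images/uploads"
    rm -rf "$d/zc_install"
    mv "$d/admin" "$d/secretadmin"
}

# Stand-alone run: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    echo "--- before hardening ---"; zc_postinstall_audit "$demo"
    harden_demo_tree "$demo"
    echo "--- after hardening ---";  zc_postinstall_audit "$demo" && echo "clean"
    rm -rf "$demo"
fi
```

Against the real site, run zc_postinstall_audit /srv/www/htdocs/shop as root after the permission changes and the admin rename; a zero return means every item above is in order, and any non-zero count lists exactly what was missed.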