11- Zen Cart

Introduction

Zen Cart is a common PHP-based web application for e-commerce sites. It is a traditional LAMP stack product, meaning it runs on the combination of Linux, Apache, MySQL, and PHP. It can also be installed with a demonstration shop filled with sample products; we will use this feature as well.

Installation

We will install the web site on a fresh installation of OpenSuSE 11.3, which we name quarrylane.cosc.tu. We will use the same back-end database (biers.cosc.tu) that we have used in Notes #9 and again in Notes #10.

The current version of Zen Cart is 1.5, which was released at the end of December. This is the version we will use in this example. It is available online and is also on the class labshare.

The Basics

Since this is a web application, start by enabling the web server and opening the ports in the firewall.

The default OpenSuSE 11.3 image provided to the class does have Apache installed, but it is not on by default. Start YaST by navigating Start Iguana → Computer → YaST. From there, navigate to System and then to System Services (Runlevel). Unlike the CentOS systems, OpenSuSE calls the service "Apache2" rather than "httpd" but otherwise the techniques for starting and stopping the service on the command line are the same. Enable the web server in YaST by selecting "apache2" and pressing the enable button.

To open the required ports in the firewall, again use YaST, but navigate Security and Users → Firewall. Enable the firewall, and be sure that your network interface is in the External Zone. [When you updated /etc/udev/rules.d/70-persistent-net.rules and changed the interface name, the system did not know what zone to use for the new interface.] For allowed services, be sure to allow both HTTP Server and HTTPS Server; after all, our e-commerce site will use HTTPS.

Finally, update line 996 of the file /etc/php5/apache2/php.ini to read

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = America/New_York

Recall that we needed to make a similar change when we installed Snort Report in Notes #10; the only difference is that the file is located in a slightly different location. As before, you will need to restart apache for this change to take effect; in OpenSuSE the command is

quarrylane:~ # /etc/init.d/apache2 restart

Be sure that you check your settings at this point and visit the website from another host.

Installation- the Files

Copy the Zen Cart archive to your system, and uncompress it inside the DocumentRoot of the web server, which on an OpenSuSE machine is /srv/www/htdocs; the result is the directory /srv/www/htdocs/zen-cart-v150-full-release-12302011. For simplicity later, rename that directory to the simpler /srv/www/htdocs/shop. Also for simplicity, replace the original index page in DocumentRoot with one that redirects to the shop, by giving that file the contents

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="REFRESH" content="0;url=http://quarrylane.cosc.tu/shop/index.php">
</head>
</html>

Visit the home page of your website; you should now be directed to a configuration page for your Zen Cart site similar to the following:

Notice that though the URL visited was http://quarrylane.cosc.tu it was seamlessly redirected to the correct URL inside the shop subdirectory.

We are going to use the web site to guide our installation of the completed shop; however before we can do so, we need to create some starter files.

In the directory /srv/www/htdocs/shop/, copy the file /srv/www/htdocs/shop/includes/dist-configure.php to /srv/www/htdocs/shop/includes/configure.php and set permissions to 777.

quarrylane:~ # cp /srv/www/htdocs/shop/includes/dist-configure.php /srv/www/htdocs/shop/includes/configure.php
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/includes/configure.php

[Don’t worry- we will be changing the permissions back to safer values once installation is complete!]

Repeat the process in the admin subdirectory: copy the file /srv/www/htdocs/shop/admin/includes/dist-configure.php to /srv/www/htdocs/shop/admin/includes/configure.php and set permissions to 777.

quarrylane:~ # cp /srv/www/htdocs/shop/admin/includes/dist-configure.php /srv/www/htdocs/shop/admin/includes/configure.php
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/admin/includes/configure.php

Next we need to modify the permissions on a number of directories. For each of these, set the permissions to 777:

quarrylane:~ # chmod 777 /srv/www/htdocs/shop/cache/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/includes/languages/english/html_includes/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/media/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/pub/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/admin/backups/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/admin/images/graphs
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/attributes/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/banners/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/categories/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/large/dvd/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/manufacturers/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/medium/
quarrylane:~ # chmod 777 /srv/www/htdocs/shop/images/uploads/

The Web Installation- Start

With the file permissions changed, visit the shop in a browser and click to begin the installation. You will be presented with a page like the following:

Read the Welcome page, and click continue. Read and agree to the license requirements (GPL). You will then be presented with a page of errors and warnings similar to the following:

We will now solve each of the noted problems in turn. Our first issue is that curl is not compiled into our version of PHP. Let’s remedy that.

Point the VMWare CD to the .iso for OpenSuSE 11.3 (available on the labshare). Be sure that the disc is correctly mounted in the system, then run YaST. Navigate Software → Software Repositories. Unselect any Internet repositories, leaving only the installation DVD.

Then from YaST, navigate Software → Software Manager. Do a search for PHP. Check the box for php5-curl, and select accept.

YaST will then install the software for you.

After the installation completes, restart Apache and revisit the configuration page.

At this point, there are no errors, but there are a few warnings. One of these lets us know that gd is not installed in PHP. We fix that in the same way we did above, except that the package is called php5-gd. Installing php5-gd will also require an additional package (t1lib) to be installed; this will happen automatically.

Another warning is that the system does not show PHP ZLIB compression support; here the package name is php5-zlib.

Finally, Zen Cart wants to be able to use htaccess to control file access. To configure it, edit /etc/apache2/default-server.conf. Line 26 configures AllowOverride for the default directory /srv/www/htdocs to None; change that to

AllowOverride All

After all of these changes are made, restart Apache and revisit the configuration web site. There should be no noted errors or warnings. At this point, simply select the Install button on the bottom of the web page.

The Database

Next, we need to configure the database for our shop. As we did with Snort Report in Notes #10, we will continue to use our database server at biers.cosc.tu for this purpose. Create a database, say "quarrylane" after the name of the web server that will host the shop. Add a MySQL user, say zencart, give it full permissions to that database in the usual fashion, and verify your results on the database server.

[root@biers ~]# mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 38
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database quarrylane;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on quarrylane.* to zencart@quarrylane.cosc.tu identified by 'password1!';
Query OK, 0 rows affected (0.00 sec)

mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select user, host, password from user;
+---------+---------------------+-------------------------------------------+
| user    | host                | password                                  |
+---------+---------------------+-------------------------------------------+
| root    | localhost           | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| root    | biers.cosc.tu       | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| root    | 127.0.0.1           | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| snort   | isleofgods.cosc.tu  | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| zencart | quarrylane.cosc.tu  | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
| snort   | satorsquare.cosc.tu | *0262F498E91CA294A8BA96084EEEDB5F635B23A3 |
+---------+---------------------+-------------------------------------------+
6 rows in set (0.00 sec)

mysql> 

Then verify that you can connect to the database from the quarrylane.cosc.tu host:

quarrylane:~ # mysql -h biers.cosc.tu -u zencart -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 39
Server version: 5.1.52 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use quarrylane;
Database changed

Then enter the corresponding values in the database configuration page.

Once you accept these values, the installation script will create the required tables in the database. This can be seen by directly connecting to the database.

SSL

Now we would like to protect our website with SSL; it is an e-commerce site. We quickly notice, however, that the Apache2 configuration for OpenSuSE is quite different from what we saw for CentOS. Let me give you a quick crash course and show you how to get SSL set up in OpenSuSE.

The directory /etc/apache2 has subdirectories ssl.crt/, ssl.csr/, and ssl.key/, which suggests that the server ships with pre-built keys for SSL. It does not; try

# cat /etc/apache2/ssl.key/server.key

to confirm that no key is present.

We start by generating a server key:

quarrylane:~ # openssl genrsa -out /etc/apache2/ssl.key/server.key 4096
Generating RSA private key, 4096 bit long modulus
..........................................................++
..++
e is 65537 (0x10001)

Generate a csr:

quarrylane:~ # openssl req -new -key /etc/apache2/ssl.key/server.key -out /etc/apache2/ssl.csr/server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Maryland
Locality Name (eg, city) []:Towson
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Towson University
Organizational Unit Name (eg, section) []:Security Laboratory
Common Name (eg, YOUR name) []:quarrylane.cosc.tu
Email Address []:root@quarrylane.cosc.tu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Copy the csr to your CA (mine was named dragonslanding.cosc.tu) and sign it:

[root@dragonslanding ~]# openssl x509 -req -days 365 -in ./server.csr -CA /etc/pki/CA/certs/ca.crt -CAkey /etc/pki/CA/private/ca.key -set_serial 01 -out /etc/pki/CA/newcerts/quarrylane.crt
Signature ok
subject=/C=US/ST=Maryland/L=Towson/O=Towson University/OU=Security Laboratory/CN=quarrylane.cosc.tu/emailAddress=root@quarrylane.cosc.tu
Getting CA Private Key
Enter pass phrase for /etc/pki/CA/private/ca.key:

Copy the result back to /etc/apache2/ssl.crt/server.crt on the web server; be sure the permissions are set correctly.

quarrylane:~ # mv /home/vimes/Desktop/quarrylane.crt /etc/apache2/ssl.crt/server.crt
quarrylane:~ # chmod 400 /etc/apache2/ssl.crt/server.crt 
quarrylane:~ # chown root:root /etc/apache2/ssl.crt/server.crt 
quarrylane:~ # ls -l /etc/apache2/ssl.crt
total 12
-rw-r--r-- 1 root root 1522 Oct 24  2002 Makefile
-rw-r--r-- 1 root root 1386 Oct 24  2002 README.CRT
-r-------- 1 root root 2037 Apr 15 21:19 server.crt
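The sequence above (server key, CSR, signing at the CA, copying the certificate back) is easy to get subtly wrong, and the notes only check the result by looking at the directory listing. The script below is an added example, not part of the original notes and not Zen Cart or OpenSuSE code: it replays the same openssl steps non-interactively in a scratch directory and then runs the checks worth doing before the certificate goes into /etc/apache2/ssl.crt: that the issued certificate chains to the CA, that its CN is the host name, and that the private key is mode 0400. The CA it builds is a constructed stand-in for the dragonslanding.cosc.tu CA, and 2048-bit keys are used only to keep the run short.

```shell
#!/bin/sh
# Added example (not from the original notes): key -> CSR -> CA-signed certificate,
# followed by the checks a reviewer would run before installing the result.
# Assumptions: openssl on PATH; the CA below is a constructed throwaway CA.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Throwaway CA standing in for /etc/pki/CA on dragonslanding (constructed).
make_test_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -days 365 \
        -subj "/C=US/O=Towson University/CN=Example Lab CA" \
        -out "$WORK/ca.crt" 2>/dev/null
}

# Web-server side: private key plus a CSR carrying the DN entered interactively above.
make_server_csr() {
    rm -f "$WORK/server.key"            # allow re-runs even though the key is 0400
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    chmod 400 "$WORK/server.key"
    openssl req -new -key "$WORK/server.key" \
        -subj "/C=US/ST=Maryland/L=Towson/O=Towson University/OU=Security Laboratory/CN=quarrylane.cosc.tu" \
        -out "$WORK/server.csr" 2>/dev/null
}

# CA side: the same x509 -req invocation the notes use to sign the request.
sign_csr() {
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -set_serial 01 \
        -out "$WORK/server.crt" 2>/dev/null
}

# Does the issued certificate chain to the given CA (default: ours)? 0 = yes.
verify_chain() {
    openssl verify -CAfile "${1:-$WORK/ca.crt}" "$WORK/server.crt" >/dev/null 2>&1
}

# Common Name of the issued certificate; handles both "/CN=x" and "CN = x" output.
cert_cn() {
    openssl x509 -noout -subject -in "$WORK/server.crt" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Octal mode of the private key (GNU stat first, BSD stat as fallback).
key_mode() {
    stat -c %a "$WORK/server.key" 2>/dev/null || stat -f %Lp "$WORK/server.key"
}

main() {
    make_test_ca
    make_server_csr
    sign_csr
    if verify_chain; then
        echo "chain OK: CN=$(cert_cn) key mode=$(key_mode) (files in $WORK)"
    else
        echo "chain verification FAILED for $WORK/server.crt" >&2
        return 1
    fi
}

# The checks need the openssl CLI; skip the demonstration rather than fail without it.
if command -v openssl >/dev/null 2>&1; then main; else echo "openssl not installed; skipping" >&2; fi
```

Run it as-is to see the three checks pass against the scratch CA; to check a real server.crt, the same `openssl verify -CAfile ca.crt server.crt` and `openssl x509 -noout -subject` commands apply with the CA certificate from dragonslanding.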

By default, the OpenSuSE apache server does not use SSL. To change this, edit the file /etc/sysconfig/apache2. In that file on line 133 are the flags passed to the server. We need to modify that line to read

APACHE_SERVER_FLAGS="SSL"

At this point, we can restart the apache server.

# /etc/init.d/apache2 restart

Be sure to check both /var/log/messages and /var/log/apache2/error_log for errors. You can also run a netstat command to see that apache is now listening on TCP/443.

Create the directory /srv/www/htdocs/ssltest and be sure to include a basic web page. We are going to protect that site with SSL. Examine the file /etc/apache2/httpd.conf and note that lines 21-92 describe the default file structure used to configure apache. The first thing to notice is that they recommend that configuration for virtual hosts be kept in the directory /etc/apache2/vhosts.d. They even provide templates for virtual hosts in that directory.

Copy the template vhost-ssl.template to /etc/apache2/vhosts.d/ssl.conf.

quarrylane:~ # cp /etc/apache2/vhosts.d/vhost-ssl.template /etc/apache2/vhosts.d/ssl.conf

Open that file. Let us add an SSL protected directory to the system by adding the following (outside the <VirtualHost> directive)

<Directory "/srv/www/htdocs/ssltest">
SSLRequireSSL
SSLOptions +StrictRequire
</Directory>

Because we used the default file locations, we did not have to modify any of the other lines in the ssl.conf file.

You can then check that the page http://quarrylane.cosc.tu/ssltest/ is not accessible while the page https://quarrylane.cosc.tu/ssltest/ is accessible, and without certificate errors (if you have imported your CA certificate into the browser!). This completes our discussion of the SSL differences between OpenSuSE and CentOS.

Visit the page https://quarrylane.cosc.tu/shop/index.php and verify that you can connect without trouble. If so, you can delete the SSL protected web page- both the files from the file system and the <Directory> directive from ssl.conf.

Returning to the Zen Cart installation web page, set both the HTTPS domain (e.g. https://quarrylane.cosc.tu) and the HTTP Server URL (e.g. https://quarrylane.cosc.tu/shop). Enable SSL and Enable SSL in the Admin Area; then Save System Settings.

Completing the Web Installation

You can select the variables in the Store Setup page as you see fit. For practice purposes, install the Store Demo to see how the system will function when complete.

Set up an administrator user name (e.g. zenadmin) and password (e.g. password1!). We don’t have email set up, but you must enter a value or the install will throw an error. You do not want to check for updates: the lab does not have an Internet connection, and you don’t want the connections to wait to discover this fact.

Files, File Permissions, and Directory Names

Change permissions on the configuration scripts and the directories back to a more palatable 644 for files and 755 for directories.

quarrylane:~ # chmod 644 /srv/www/htdocs/shop/includes/configure.php 
quarrylane:~ # chmod 644 /srv/www/htdocs/shop/admin/includes/configure.php 
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/cache/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/includes/languages/english/html_includes/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/media/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/pub/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/secretadmin/backups/           
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/secretadmin/images/graphs/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/attributes/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/banners/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/categories/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/large/dvd/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/manufacturers/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/medium/
quarrylane:~ # chmod 755 /srv/www/htdocs/shop/images/uploads/

Delete the directory /srv/www/htdocs/shop/zc_install/.

To make it more difficult for an adversary to exploit the system, rename the admin page. By itself, this is of no value, but combined with good passwords and other good policies, it does make it more difficult for an adversary to gain access to your site.

quarrylane:~ # mv /srv/www/htdocs/shop/admin /srv/www/htdocs/shop/secretadmin

Hmm. I guess I am not that creative. Perhaps you could come up with a better name?

Testing

Test your system as a shopper; buy something. Note that the ordering page is SSL encrypted.

Visit the admin page, and verify that your shopper’s order actually appears.

Securing Zen Cart

Zen Cart makes a number of recommendations to secure the site. For the complete list, see http://www.zen-cart.com/wiki/index.php/Important_Site_Security_Recommendations.

We will summarize some of the more important recommendations from that document.

  • Use SSL; moreover use SSL with a certificate that is specific to your site.
  • Do not use FTP to access files on your site.
  • A number of files & folders in the default install should be removed
    • /docs/
    • /extras/
    • /zc_install/ [Which we removed as part of the install]
    • /install.txt
  • If the shop does not contain downloadable products or music, you can also
    remove the directories

    • /download/
    • /media/
    • /pub/

    but you need to tell Zen Cart that downloads have been disabled. Do so from the admin page, through Configuration -> Attribute Settings, then set Enable Downloads to false.

    They recommend renaming the admin folder, but as we saw, this is now required as part of the install process.

  • If you are going to send email from the admin portion of your site, be sure to use SMTP rather than the default PHP methods for email transport (Admin -> Configuration -> Email options -> Email Transport method) as the PHP method will expose your admin directory.
  • Set permissions on the two configure.php files to 644 (or 444).
  • Know how many admin accounts you have on your system. (Admin -> Tools -> Admin Settings).
  • During installation, a number of directories are set to 777 so that the contents can be changed during installation. Once the install is complete, the permissions can be tuned down, usually to 755 for folders and 644 for files. We did this as part of our installation as well.
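The file-permission reset in "Files, File Permissions, and Directory Names" and the removals in this list are the kind of cleanup that gets done once by hand and then drifts. The script below is an added example, not part of the original notes and not Zen Cart's own code: it performs that cleanup (remove the installer remnants, 755 for directories, 644 for files, the stricter 444 the recommendations allow for the two configure.php files) and then audits the tree for what a reviewer looks for, namely leftover installer files and anything still writable by group or others under the document root. It runs against a constructed miniature of the shop layout in a temporary directory; pass /srv/www/htdocs/shop as the argument to run it on the real install. The renamed admin folder is called secretadmin, as in the notes.

```shell
#!/bin/sh
# Added example (not from the original notes, not Zen Cart code): post-install
# cleanup plus an audit of the document root. Runs on a constructed demo tree
# unless a real shop directory is given as the first argument.
set -e

# Constructed stand-in for the tree right after the web installer finishes.
make_demo_shop() {
    shop="$1"
    for d in cache images images/uploads includes includes/languages/english/html_includes \
             secretadmin/backups secretadmin/images/graphs secretadmin/includes \
             docs extras zc_install media pub download; do
        mkdir -p "$shop/$d"
    done
    printf '<?php // constructed placeholder\n' > "$shop/includes/configure.php"
    printf '<?php // constructed placeholder\n' > "$shop/secretadmin/includes/configure.php"
    : > "$shop/install.txt"
    # Install-time modes the notes set so the installer could write its own files.
    chmod 777 "$shop/cache" "$shop/images" "$shop/images/uploads" "$shop/media" \
              "$shop/pub" "$shop/secretadmin/backups" "$shop/secretadmin/images/graphs" \
              "$shop/includes/configure.php" "$shop/secretadmin/includes/configure.php"
}

# Post-install cleanup: drop installer leftovers, 755 for directories, 644 for
# files, and the stricter 444 the recommendations allow for the two configure.php.
harden_shop() {
    shop="$1"
    rm -rf "$shop/zc_install" "$shop/docs" "$shop/extras"
    rm -f "$shop/install.txt"
    find "$shop" -type d -exec chmod 755 {} +
    find "$shop" -type f -exec chmod 644 {} +
    chmod 444 "$shop/includes/configure.php" "$shop/secretadmin/includes/configure.php"
}

# Audit: one line per finding on stdout; empty output means the tree is clean.
audit_shop() {
    shop="$1"
    for leftover in zc_install docs extras install.txt; do
        if [ -e "$shop/$leftover" ]; then
            echo "installer remnant present: $shop/$leftover"
        fi
    done
    # Anything writable by group or others under the docroot lets the web server
    # process (or another local account) rewrite code or configuration.
    find "$shop" \( -perm -0002 -o -perm -0020 \) | sed 's|^|writable by group/other: |'
    return 0
}

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

main() {
    shop="${1:-$(mktemp -d)/shop}"
    [ -d "$shop" ] || make_demo_shop "$shop"
    echo "== before hardening =="
    audit_shop "$shop"
    harden_shop "$shop"
    echo "== after hardening =="
    findings=$(audit_shop "$shop")
    if [ -z "$findings" ]; then
        echo "clean: no installer remnants, nothing writable by group/other"
    else
        echo "$findings"
        return 1
    fi
}

main "$@"
```

On the demo tree the first audit lists the 777 directories, the two configure.php files and the zc_install, docs, extras and install.txt remnants; the second audit prints nothing. The audit alone (`audit_shop /srv/www/htdocs/shop`) is also a reasonable thing to re-run after any Zen Cart upgrade, since the upgrade package reintroduces some of the same files.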