12- Zen Cart 1.3.9f on CentOS 6.2

Introduction

Zen Cart is a common PHP based web application for e-commerce sites. It is a traditional LAMP stack product, meaning it can be run with the combination Linux, Apache, MySQL, and PHP. It also can be installed with a demonstration shop filled with sample products; we will use this feature as well.

Notice that we are using an older version of Zen Cart; version 1.3.9f was released in August 2010, and was quickly followed by 1.3.9g, roughly a month later; the current version is 1.5.1. Why use the older version? Two reasons- its release time is contemporaneous with many of the tools we are using (Windows 2008 R2 came out in late 2009, Ubuntu 10.04 in 2010, and CentOS 6.2 in late 2011). It is also the case that some older versions of Zen Cart have some interesting vulnerabilities. Real web applications all have vulnerabilities, and real systems need to be configured to minimize them. By working with a web application that we know to be vulnerable in class, we all pay close attention to mitigation methods.

Installation

We will install the web site on a fresh installation of CentOS 6.2, which we name haven.cosc.tu. We will use the same back-end database (comporellon.cosc.tu) that we have used in Notes #9 and again in Notes #11.

You can grab a copy of Zen Cart 1.3.9f online or on the lab share.

The Basics

Since this is a web application, we need to get our web server started; be sure you

• Update the ServerName directive in httpd.conf
• Configure the web server to start on boot
• Open the proper ports (80, 443) in the firewall
• Set SELinux to permissive mode

You can go back to notes #6 for details.

As we saw in our installation of Snort Report, the PHP time zone must be correctly set; this can be done by editing /etc/php.ini, line 946 and make the change:

[Date]
; Defines the default timezone used by the date functions
; http://www.php.net/manual/en/datetime.configuration.php#ini.date.timezone
date.timezone = America/New_York

As before, you will need to restart apache for this change to take effect.

Installation- the Files

Copy the ZenCart archive to your system, and uncompress it inside Document Root for the web page at /var/www

[root@haven ~]# mv /home/seldon/Desktop/zen-cart-v1.3.9f-full-fileset-08142010.zip /var/www/html/
[root@haven ~]# cd /var/www/html/
[root@haven html]# unzip ./zen-cart-v1.3.9f-full-fileset-08142010.zip 

The unzipped package has the name zen-cart-v1.3.9f-full-fileset-08142010, so we rename the directory to shop and remove the .zip archive from Document Root.

[root@haven html]# mv ./zen-cart-v1.3.9f-full-fileset-08142010.zip
/home/seldon/Desktop/
[root@haven html]# mv ./zen-cart-v1.3.9f-full-fileset-08142010 
shop

Also for simplicity, modify the original index page from DocumentRoot to now point to the shop by giving that file the contents

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<meta http-equiv="REFRESH" content="0;url=http://haven.cosc.tu/shop/index
.php">
</HEAD>
</HTML>

Visit the home page of your website; you should now be directed to a configuration page for your Zen Cart site similar to the following:

Notice that though the URL visited was http://haven.cosc.tu it was seamlessly redirected to the correct URL inside the shop subdirectory.

We are going to use the web site to guide our installation of the completed shop; however before we can do so, we need to create some starter files.

Now we copy the file shop/includes/dist-configure.php to shop/includes/configure.php and set its permissions to 777.

[root@haven ~]# cp /var/www/html/shop/includes/dist-configure.php 
/var/www/html/shop/includes/configure.php 
[root@haven ~]# chmod 777 /var/www/html/shop/includes/configure.php 

[Don’t worry- we will be changing the permissions back to safer values once installation is complete!]

Repeat the process in the shop/admin subdirectory and copy the file shop/admin/includes/dist-configure.php to shop/admin/includes/configure.php and set permissions to 777.

[root@haven ~]# cp /var/www/html/shop/admin/includes/dist-configure.php 
/var/www/html/shop/admin/includes/configure.php 
[root@haven ~]# chmod 777 /var/www/html/shop/admin/includes/configure.php 

Next we need to modify the permissions on a number of directories. For each of these, set the permissions to 777:

[root@haven ~]# chmod 777 /var/www/html/shop/cache/
[root@haven ~]# chmod 777 /var/www/html/shop/images/
[root@haven ~]# chmod 777 
/var/www/html/shop/includes/languages/english/html_includes/
[root@haven ~]# chmod 777 /var/www/html/shop/media/
[root@haven ~]# chmod 777 /var/www/html/shop/pub/
[root@haven ~]# chmod 777 /var/www/html/shop/admin/backups/
[root@haven ~]# chmod 777 /var/www/html/shop/admin/images/graphs
[root@haven ~]# chmod 777 /var/www/html/shop/images/attributes/
[root@haven ~]# chmod 777 /var/www/html/shop/images/banners/
[root@haven ~]# chmod 777 /var/www/html/shop/images/categories/
[root@haven ~]# chmod 777 /var/www/html/shop/images/large/dvd/
[root@haven ~]# chmod 777 /var/www/html/shop/images/manufacturers/
[root@haven ~]# chmod 777 /var/www/html/shop/images/medium/
[root@haven ~]# chmod 777 /var/www/html/shop/images/uploads/

The Web Installation- Start

With the file permissions changed, visit the shop in a browser and click to begin the installation. You will be presented with a page like the following:

Read the Welcome page, and click continue. Read and agree to the license requirements (GPL). You will then be presented with a status page with a single warning similar to the following:

To handle the warning, we need to install the appropriate gd packages on our web server. To do so, mount the first installation .iso and use rpm to add the two needed packages.

[root@haven ~]# rpm -ivh 
/media/CentOS_6.2_Final/Packages/php-gd-5.3.3-3.el6_1.3.x86_64.rpm 
/media/CentOS_6.2_Final/Packages/libXpm-3.5.8-2.el6.x86_64.rpm 

When this completes, restart the web server;

[root@haven ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Verify that the warning has been handled by reloading the configuration page.

At this point, we are just about ready to install. All we need to do is to make sure that the database is ready for us.

The Database

As we did with Snort Report in notes #10, we will continue to use our database server at comporellon.cosc.tu for this purpose. Create a database, say "haven" after the name of the web server that will host the shop. Add a MySQL user say zencart and give it full permissions to that database in the usual fashion, and verify your results on the database server.

[seldon@comporellon ~]$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.67 Source distribution

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database haven;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on haven.* to zencart@haven.cosc.tu identified by 'password1!';
Query OK, 0 rows affected (0.01 sec)

Then verify that you can connect to the database from the server (haven.cosc.tu)

[seldon@haven ~]$ mysql -u zencart -h comporellon.cosc.tu -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.1.67 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use haven;
Database changed

Then enter the corresponding values in the database configuration page

Once you accept these values, the installation script will create the required tables in the database. This can be seen by directly connecting to the database.

[seldon@haven ~]$ mysql -u zencart -h comporellon.cosc.tu -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 18
Server version: 5.1.67 Source distribution

Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use haven;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+---------------------------------------------+
| Tables_in_haven                             |
+---------------------------------------------+
| address_book                                |
| address_format                              |
| admin                                       |
| admin_activity_log                          |
| authorizenet                                |
| banners                                     |
| banners_history                             |
| categories                                  |

.... Much omittage ....

| zones                                       |
| zones_to_geo_zones                          |
+---------------------------------------------+
93 rows in set (0.00 sec)

By the way- if you get hung up here with errors indicating that you can’t connect to the database (at all) even though you can do so from the mysql client and end up seeing error code (13), I can tell you the source of the problem. SELinux. (Again). It only took me six hours to debug that one out. Error messages people- they are your friend, except when they come (or actually, don’t) from SELinux.

SSL

As you look at the next page in the installation script, you see that it is now asking some pertinent questions about SSL.

Now we would like to protect our website with SSL, after all it is an e-commerce site. Proceedings as we did in notes #6, first generate a server key:

[root@haven ~]# openssl genrsa -out /etc/pki/tls/private/haven.key 4096
Generating RSA private key, 4096 bit long modulus
....................................................................................++
..............................................++
e is 65537 (0x10001)

Next, we generate the certificate signing request:

[root@haven ~]# openssl req -new -key /etc/pki/tls/private/haven.key 
-out /etc/pki/tls/misc/haven.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:Maryland
Locality Name (eg, city) [Default City]:Towson
Organization Name (eg, company) [Default Company Ltd]:Towson University
Organizational Unit Name (eg, section) []:Security Laboratory
Common Name (eg, your name or your server's hostname) []:haven.cosc.tu
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now back in notes #6, we set up a CA, which we named smyrna.cosc.tu. Copy the .csr (haven.csr) back to the CA and sign it.

[root@smyrna ~]# openssl x509 -req -days 365 -in 
/home/seldon/Desktop/haven.csr -CA /etc/pki/CA/certs/ca.crt 
-CAkey /etc/pki/CA/private/ca.key -set_serial 05
-out /etc/pki/CA/newcerts/haven.crt
Signature ok
subject=/C=US/ST=Maryland/L=Towson/O=Towson University
/OU=Security Laboratory/CN=haven.cosc.tu
Getting CA Private Key
Enter pass phrase for /etc/pki/CA/private/ca.key:

Copy the signed certificate haven.crt back to the web server. Install it in the proper place /etc/pki/tls/certs/haven.crt. Tell Apache to use this certificate and key in the usual way updating the <VirtualHost> directive of the /etc/httpd/conf.d/ssl.conf file modify the following lines:

SSLCertificateFile /etc/pki/tls/certs/haven.crt
SSLCertificateKeyFile /etc/pki/tls/private/haven.key

Restart Apache in the usual fashion.

Completing the Installation

You will be able to continue the ZenCart installation from where you left off.

The remaining configuration elements are standard. I strongly recommend using the Demo store; either the demo or something of your own creation will be required in Exercise #3.

Don’t forget to set good solid passwords for your administrator account. You can give it any name you wish; for simplicity I am using "seldon". There is no need to check for Zen Cart upgrades- we know they exist, and we won’t be on a public network anyway.

Files, File Permissions, and Directory Names

Change permissions on the configuration scripts and the directories back to a more palatable 644 for files and 755 for directories.

[root@haven ~]# chmod 644 /var/www/html/shop/includes/configure.php 
[root@haven ~]# chmod 644 /var/www/html/shop/admin/includes/configure.php 
[root@haven ~]# chmod 755 /var/www/html/shop/cache/
[root@haven ~]# chmod 755 /var/www/html/shop/images/
[root@haven ~]# chmod 755 
/var/www/html/shop/includes/languages/english/html_includes/
[root@haven ~]# chmod 755 /var/www/html/shop/media/
[root@haven ~]# chmod 755 /var/www/html/shop/pub/
[root@haven ~]# chmod 755 /var/www/html/shop/admin/backups/
[root@haven ~]# chmod 755 /var/www/html/shop/admin/images/graphs/
[root@haven ~]# chmod 755 /var/www/html/shop/images/attributes/
[root@haven ~]# chmod 755 /var/www/html/shop/images/banners/
[root@haven ~]# chmod 755 /var/www/html/shop/images/categories/
[root@haven ~]# chmod 755 /var/www/html/shop/images/large/dvd/
[root@haven ~]# chmod 755 /var/www/html/shop/images/manufacturers/
[root@haven ~]# chmod 755 /var/www/html/shop/images/medium/
[root@haven ~]# chmod 755 /var/www/html/shop/images/uploads/

Delete the directory /var/www/html/shop/zc_install/.

Finally, we want to change the location of the admin directory; this will make it more difficult for attackers to try to brute-force the administrator password. Lacking a certain degree of cleverness, in this example let’s just rename the admin folder to secretadmin. [Who would guess that?]

[root@haven ~]# mv /var/www/html/shop/admin/ /var/www/html/shop/secretadmin

Next we update the directives in the file /var/www/html/shop/secretadmin/includes/configure.php with the new information. Update lines 42-45 with the new folder location

  define('DIR_WS_ADMIN', '/shop/secretadmin/');
  define('DIR_WS_CATALOG', '/shop/');
  define('DIR_WS_HTTPS_ADMIN', '/shop/secretadmin/');
  define('DIR_WS_HTTPS_CATALOG', '/shop/');

Also update lines 61-62 in the same fashion

  define('DIR_FS_ADMIN', '/var/www/html/shop/secretadmin/');
  define('DIR_FS_CATALOG', '/var/www/html/shop/');

Testing

Test your system as a shopper; buy something. Note that the ordering page is SSL encrypted.

Visit the admin page (in its new location), and verify that your shopper’s order actually appears.

Vulnerabilities

When we started this installation, I mentioned that this version of Zen Cart was vulnerable to some known security problems. What are they?

Suppose that you set register_globals = On in line 693 of your file /etc/php.ini despite knowing that this is a security risk. What could happen?

Oops.

Suppose instead that you are able somehow to get the admin password. What kind of fun can you have? Suppose you visit a URL like http://haven.cosc.tu/shop/secretadmin/options_name_manager.php?option_page=1&option_order_by=123. Take a look at the resulting page, and let me know if any nasty SQL ideas come to mind. I just keep asking myself what would happen if "123" was replaced by something more "SQLish".