zencart online store security

Source: Internet  Editor: 程序博客网  Date: 2024/04/28 00:42

My company's website was maliciously attacked by competitors again today. I had originally planned to upgrade all of the sites, but I was busy with work and never got around to it, and only today did I run into this kind of trouble. I am now summarizing some tips for running zencart securely as follows (the text below applies to zencart version 1.38a):
1. Modify admin/includes/initsystem.php and admin/includes/languages/english.php (if you have other language files, modify those too). At the very top of each file, add:

// refuse to serve the file unless it was reached through the admin front controller
if (!defined('IS_ADMIN_FLAG')) {
  die('Illegal Access');
}

You can also download the already-modified files: admin_security_patch_v138
2. Apply the update to prevent SQL injection.
Some files under /includes/extra_configures/ carry an SQL injection risk.
Please download the following file and overwrite the files of the same name:
security_patch_v138_20080919

3. Rename your admin directory; if possible, also restrict who can reach this directory.

After renaming the admin folder, the following defines need corresponding changes (mainly in includes/configure.php and admin/includes/configure.php):

define('DIR_WS_ADMIN', '/admin/');                              // replace '/admin/' with the new directory name
define('DIR_WS_CATALOG', '/');
define('DIR_WS_HTTPS_ADMIN', '/admin/');                        // same here
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_FS_ADMIN', '/home/mystore.com/www/public/admin/');  // and in the filesystem path
define('DIR_FS_CATALOG', '/home/mystore.com/www/public/');

4. Overwrite the files of the same name in the admin directory with the following files. Note: if you renamed the admin directory, apply them to the renamed directory instead. security_patch_v138_20090619

5. Create a new file /includes/extra_configures/pci_patch_v13x_search.php and copy the following code into it as its contents:

<?php
// Clamp the search "sort" GET parameter to its expected 3-character form.
// Note: the `if` line is reconstructed from context; only "3) {" survived in the source.
if (isset($_GET['sort']) && !is_array($_GET['sort']) && strlen($_GET['sort']) > 3) {
  $_GET['sort'] = substr($_GET['sort'], 0, 3);
}
6. Delete the following folders:
- /docs
- /extras
- /zc_install
- /install.txt (this file can be removed, too)
7. If you do not use the download feature, delete the following folders as well:
- /download
- /media
- /pub
8. Modify the files in the admin directory.
For details, see http://www.zen-cart.com/forum/showthread.php?t=142927

9. Update the UPS module:

USPS_UPDATE_2010_0104

10. Add the following code to the .htaccess file:

# redirects any URL that includes: record_company.php/password_forgotten.php
# (literal match with escaped dots; a bracketed form such as [record_company.php]+ is a
#  character class and would match any run of those letters, not the file name)
RedirectMatch Permanent ^/(.*record_company\.php)/(password_forgotten\.php)$ /page_not_found.php

# redirects any URL that includes: /images/wp- with 'wp-' being anything that ends with '.php'
# this allows for images named such as 'wp-header.jpg' to work
RedirectMatch Permanent ^/(.*images)/(wp-.*\.php)$ /page_not_found.php

11. It is recommended to add the following code to /includes/application_top.php:

/**
 * inoculate against hack attempts which waste CPU cycles
 */
// request keys that try to overwrite PHP superglobals or well-known include-path settings
$contaminated = (isset($_FILES['GLOBALS']) || isset($_REQUEST['GLOBALS'])) ? true : false;
$paramsToAvoid = array('GLOBALS', '_COOKIE', '_ENV', '_FILES', '_GET', '_POST', '_REQUEST', '_SERVER', '_SESSION', 'HTTP_COOKIE_VARS', 'HTTP_ENV_VARS', 'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_POST_FILES', 'HTTP_RAW_POST_DATA', 'HTTP_SERVER_VARS', 'HTTP_SESSION_VARS');
$paramsToAvoid[] = 'autoLoadConfig';
$paramsToAvoid[] = 'mosConfig_absolute_path';
$paramsToAvoid[] = 'hash';
$paramsToAvoid[] = 'main';
foreach($paramsToAvoid as $key) {
  if (isset($_GET[$key]) || isset($_POST[$key]) || isset($_COOKIE[$key])) {
    $contaminated = true;
    break;
  }
}
// ordinary Zen Cart GET parameters: reject values that carry a URL or exceed 43 characters
$paramsToCheck = array('main_page', 'cPath', 'products_id', 'language', 'currency', 'action', 'manufacturers_id', 'pID', 'pid', 'reviews_id', 'filter_id', 'zenid', 'sort', 'number_of_uploads', 'notify', 'page_holder', 'chapter', 'alpha_filter_id', 'typefilter', 'disp_order', 'id', 'key', 'music_genre_id', 'record_company_id', 'set_session_login', 'faq_item', 'edit', 'delete', 'search_in_description', 'dfrom', 'pfrom', 'dto', 'pto', 'inc_subcat', 'payment_error', 'order', 'gv_no', 'pos', 'addr', 'error', 'count', 'error_message', 'info_message', 'cID', 'page', 'credit_class_error_code');
if (!$contaminated) {
  foreach($paramsToCheck as $key) {
    if (isset($_GET[$key]) && !is_array($_GET[$key])) {
      if (substr($_GET[$key], 0, 4) == 'http' || strstr($_GET[$key], '//')) {
        $contaminated = true;
        break;
      }
      if (strlen($_GET[$key]) > 43) {
        $contaminated = true;
        break;
      }
    }
  }
}
unset($paramsToCheck, $paramsToAvoid, $key);
if ($contaminated)
{
  header('HTTP/1.1 406 Not Acceptable');
  exit(0);
}
unset($contaminated);
/* *** END OF INOCULATION *** */
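As an added example (not from the original post or from Zen Cart), the script below audits a store's document root against steps 1, 3, 6 and 7 above: it reports leftover install folders, an admin directory still called "admin", and admin files that lack the IS_ADMIN_FLAG guard. It assumes the admin directory is whichever top-level folder contains includes/initsystem.php, and the install layout it builds for the check is a constructed sample.

```python
"""Audit a Zen Cart 1.3.8a document root against steps 1, 3, 6 and 7 above: the
IS_ADMIN_FLAG guard, the admin directory name and leftover install folders."""
import os
import re
import tempfile

REMOVABLE = ["docs", "extras", "zc_install", "install.txt", "download", "media", "pub"]
GUARDED = ["includes/initsystem.php", "includes/languages/english.php"]
GUARD_RE = re.compile(r"if\s*\(\s*!\s*defined\(\s*'IS_ADMIN_FLAG'\s*\)\s*\)")

def find_admin_dir(root):
    """Assumption: the admin dir is the top-level folder holding includes/initsystem.php."""
    for name in sorted(os.listdir(root)):
        if os.path.isfile(os.path.join(root, name, "includes", "initsystem.php")):
            return name
    return None

def audit(root):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"remove /{n}" for n in REMOVABLE if os.path.exists(os.path.join(root, n))]
    adm = find_admin_dir(root)
    if adm is None:
        return findings + ["admin directory not found"]
    if adm == "admin":
        findings.append("admin directory still has the default name")
    for rel in GUARDED:
        path = os.path.join(root, adm, rel)
        if not os.path.isfile(path):
            findings.append(f"missing {adm}/{rel}")
            continue
        with open(path, encoding="utf-8", errors="replace") as f:
            head = f.read(512)  # the guard belongs at the very top of the file
        if not GUARD_RE.search(head):
            findings.append(f"no IS_ADMIN_FLAG guard in {adm}/{rel}")
    return findings

def build_sample(admin="admin", guarded=False, leftovers=("zc_install", "docs")):
    """Write a throwaway install layout (constructed sample, not a real store)."""
    root = tempfile.mkdtemp()
    for rel in GUARDED:
        path = os.path.join(root, admin, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        guard = "if (!defined('IS_ADMIN_FLAG')) { die('Illegal Access'); }\n" if guarded else ""
        with open(path, "w") as f:
            f.write("<?php\n" + guard)
    for name in leftovers:
        os.makedirs(os.path.join(root, name), exist_ok=True)
    return root
```

Run `audit("/path/to/store")` against a real document root to get the list of remaining steps; `audit(build_sample())` shows the five findings an unpatched default layout produces.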

