...

To configure PHP, you must edit the php.ini file, found in your server's PHP installation (not in PrestaShop's folder). Not all hosts allow you to edit this file, so contact your host if you cannot access it. To find out which php.ini is actually loaded, run php --ini on the server, or look at the "Loaded Configuration File" line of phpinfo(); the web server often uses a different php.ini than the command line. Changes only take effect once the web server (or PHP-FPM) has been restarted.
Editing the php.ini file means changing some values, most of the time from "On" to "Off" or vice versa. The file contains a lot of documentation for each line; be sure to read it in order to better understand your changes. Be careful with what you edit, as this has a direct impact on the way PHP runs, and therefore on your server's stability and even its security.

The register_globals directive, when enabled, turns all request and environment variables (GET, POST, COOKIE, SERVER...) into global variables. Any code that relies on a variable it never initialised becomes unsafe, because a user can easily set that variable by adding a GET parameter: with register_globals on, a check such as if ($is_admin) can be satisfied by requesting page.php?is_admin=1. It is therefore imperative to set register_globals to Off. The directive was deprecated in PHP 5.3 and removed in PHP 5.4, so on an older PHP it must be switched off explicitly.

The magic_quotes_gpc directive automatically escapes (adds a backslash before) the special characters ', ", \ and NUL in all GET, POST and COOKIE data. This option must be set to Off: it escapes every variable whether it needs it or not, and web applications that do not account for it escape the same data a second time, which corrupts it. Escaping belongs in the application, at the point where the data is used (a prepared statement or mysql_real_escape_string() for a SQL query, for instance), not in a global setting. Like register_globals, magic quotes were removed in PHP 5.4.

The allow_url_include directive allows the require and include statements to load a file by URL, even one that does not come from your own web server. This option must be set to Off, because if one application on your server suffers from a file-inclusion vulnerability, an attacker could include a file hosted on any server, and that file would be executed on your own server. The related allow_url_fopen directive controls the same behaviour for fopen() and file_get_contents(); it is also set to Off in the example below, but some web applications need it to fetch remote data, so test your shop after disabling it (leaving allow_url_fopen on while allow_url_include is off is the usual compromise, and the one php.ini-production ships with).

Safe Mode configuration

PHP Safe Mode lets you limit access to some potentially harmful features and forbid others. Together with open_basedir, it is useful for establishing a security perimeter: you configure a web folder as the base directory and forbid PHP from reaching outside it.

To activate Safe Mode, set safe_mode to On in the php.ini file. Here is a configuration example; it also shows the directives discussed above (register_globals, magic_quotes_gpc, allow_url_fopen, allow_url_include) set to Off:

Code Block
safe_mode = On
safe_mode_gid = Off
; ...
safe_mode_include_dir =
; ...
safe_mode_exec_dir = "/var/www/bin"
safe_mode_allowed_env_vars = PHP_
safe_mode_protected_env_vars = LD_LIBRARY_PATH,LD_PRELOAD
; ...
; the session directory is listed too: PHP's files session handler checks open_basedir as well
open_basedir = "/var/www/prestashop:/var/www/sessions"
; the whole list must stay on one line: php.ini has no line continuation
disable_functions = shell_exec,system,sleep,syslog,link,fsockopen,ftp_connect,pfsockopen,socket_connect,usleep,symlink,virtual,ini_set,ini_alter,ini_restore,passthru,popen,exec
disable_classes =
; ...
register_globals = Off
magic_quotes_gpc = Off
allow_url_fopen = Off
allow_url_include = Off
; ...
[MySQL]
mysql.allow_persistent = On
mysql.max_persistent = -1
mysql.max_links = -1
mysql.connect_timeout = 10
mysql.trace_mode = Off
; ...
[Session]
session.save_handler = files
session.save_path = "/var/www/sessions"
session.use_cookies = 1
session.name = PHPSESSID
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly = 1
session.serialize_handler = php
  • Safe Mode:
    • safe_mode_gid: When on, the Safe Mode ownership check is relaxed from a UID check to a GID check: PHP only verifies that the file's group matches, not its owner.
    • safe_mode_include_dir: Files included from this directory (and its subdirectories) are exempt from the UID/GID check.
    • safe_mode_exec_dir: The folder containing the binaries that may be run through exec() and similar functions. Nothing outside it can be executed.
    • safe_mode_allowed_env_vars: PHP only lets scripts modify environment variables whose name starts with one of the prefixes listed here (comma-separated).
    • safe_mode_protected_env_vars: A comma-separated list of environment variables that scripts may never change with putenv(), even if they match an allowed prefix.
    • open_basedir: The base folder of your application. Your web applications cannot open files outside of this folder (and its subdirectories). Several folders may be listed, separated by ":" on Linux and ";" on Windows, and this directive works even when Safe Mode is off.
    • disable_functions: A comma-separated list of every function you want to disable. If a script tries to call one of them, PHP refuses the call with an error instead of running it.
    • disable_classes: The classes you want to disable, in the same format.
    • For more information about Safe Mode directives: http://fr.php.net/manual/en/features.safe-mode.php
  • MySQL:
    • mysql.allow_persistent: Turn on to let the mysql extension use persistent connections, which are kept open and reused by subsequent HTTP requests instead of being closed at the end of each request.
    • mysql.max_persistent: The maximum number of persistent connections per process (-1 means no limit).
    • mysql.max_links: The maximum number of connections per process, persistent ones included (-1 means no limit).
    • mysql.connect_timeout: The number of seconds to wait for a connection before giving up.
    • mysql.trace_mode: When enabled, warnings for table/index scans, non-freed result sets and SQL errors are displayed. Leave it Off in production, since the messages can leak query and schema details to visitors.
    • For more information about MySQL directives: http://fr.php.net/manual/en/mysql.configuration.php
  • Session:
    • session.save_handler: The name of the handler used to save and read session data (files stores each session in its own file).
    • session.save_path: The directory where sessions are saved. It must not be readable by other users or applications on the server, since session files contain the logged-in users' data and identifiers.
    • session.use_cookies: Whether the server uses a cookie to keep track of the visitor's session.
    • session.name: The name of the session, used as the cookie name.
    • session.cookie_path: The path set on the session cookie (default: "/").
    • session.cookie_domain: The domain set on the session cookie. If it is empty, the server's host name is used, as the cookie specification requires.
    • session.cookie_httponly: When on, the cookie is only sent over HTTP(S) and is not exposed to script languages such as JavaScript. This limits the impact of an XSS vulnerability (session theft), although very old browsers do not honour it.
    • session.serialize_handler: The name of the handler used to serialize and unserialize session data.
    • For more information about sessions: http://fr.php.net/manual/en/session.configuration.php

The one problem is that Safe Mode is implemented inside PHP itself. If the PHP engine is vulnerable, a user could bypass Safe Mode. If you host several web applications on the same server, or if you simply want to protect your server with another solution, read the first part of the Recommendations section below.
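As an added example (not from the PrestaShop documentation), the following POSIX shell script checks a php.ini for the directives from the register_globals, magic_quotes and allow_url_include paragraphs above and for the open_basedir, disable_functions and session.cookie_httponly lines of the Safe Mode example. It reads the effective value the way PHP does (the last assignment wins, comments are ignored) and, when a key is absent, falls back on PHP 5's built-in default, which for allow_url_fopen and magic_quotes_gpc is On. The sample php.ini it audits is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the PrestaShop documentation): audit a php.ini for
# the directives discussed above. The sample php.ini below is constructed.

# Effective value of a directive: the last non-comment assignment wins, as PHP
# applies later entries over earlier ones. Prints nothing if the key is absent.
ini_get_value() {            # $1 = php.ini path, $2 = directive name
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' "$1" \
      | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' \
      | tail -n 1
}

# Built-in defaults PHP 5 applies when the key is missing from php.ini
# (values from the PHP manual; note that two of them are On).
ini_builtin_default() {
    case "$1" in
        register_globals)        echo Off ;;
        magic_quotes_gpc)        echo On ;;
        allow_url_fopen)         echo On ;;
        allow_url_include)       echo Off ;;
        session.cookie_httponly) echo Off ;;
        *)                       echo "" ;;
    esac
}

# Explicit value if the key is present (even if empty), else the default.
ini_effective() {            # $1 = php.ini path, $2 = directive name
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        ini_get_value "$1" "$2"
    else
        ini_builtin_default "$2"
    fi
}

# PHP treats "1", "On", "Yes" and "True" (case-insensitively) as enabled.
ini_is_on() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|on|yes|true) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print one line per check and return 1 if anything needs fixing.
audit_php_ini() {            # $1 = php.ini path
    rc=0
    for d in register_globals magic_quotes_gpc allow_url_fopen allow_url_include; do
        v=$(ini_effective "$1" "$d")
        if ini_is_on "$v"; then echo "FAIL $d = $v (must be Off)"; rc=1
        else echo "ok   $d = $v"; fi
    done
    v=$(ini_effective "$1" session.cookie_httponly)
    if ini_is_on "$v"; then echo "ok   session.cookie_httponly = $v"
    else echo "FAIL session.cookie_httponly = $v (should be 1)"; rc=1; fi
    v=$(ini_effective "$1" open_basedir)
    if [ -n "$v" ]; then echo "ok   open_basedir = $v"
    else echo "FAIL open_basedir is empty: PHP may read any file on the server"; rc=1; fi
    # Functions that hand out a shell; each must appear in disable_functions.
    disabled=",$(ini_effective "$1" disable_functions | tr -d ' '),"
    for f in exec passthru popen shell_exec system; do
        case "$disabled" in
            *",$f,"*) ;;
            *) echo "FAIL disable_functions does not list $f"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: a commented-out Off hides a live On, allow_url_fopen is
# absent (so PHP's built-in On applies) and disable_functions is incomplete.
sample=$(mktemp)
cat > "$sample" <<'EOF'
; register_globals = Off
register_globals = On
magic_quotes_gpc = "Off" ; legacy setting
allow_url_include = 0
open_basedir = "/var/www/prestashop"
disable_functions = shell_exec,system,passthru,popen
EOF
audit_php_ini "$sample" || echo "php.ini needs attention"
rm -f "$sample"
```

Run it against the file reported by php --ini on the server. A commented-out line is the classic trap: the active assignment is the one without the leading semicolon, which is why the script only considers lines that start with the directive name.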

MySQL configuration

MySQL often has an administrator account by default ("root"), which gives access to the content of all databases, no matter which application manages them. The administrator has every right and can perform any action. If an attacker exploits a SQL injection in one of your server's web applications and that application connects as the administrator (or the attacker manages to recover the administrator's password), every other application's data is exposed as well. You therefore need to wall off your databases from one another.

Each time you install a new web application on your server, create a new MySQL user with only the rights needed to handle that application's data. Do NOT use the same username to handle the databases of all your installed web applications.

Let's say we manage MySQL with a user account that can create new users (the root account, for example). Connect with it from the command line. Leave the password out of the command, so that it does not end up in your shell history or in the process list, and type it at the prompt instead:

Code Block
mysql -u USERNAME -p
Enter password:

Then create the new user with the following SQL statement:

Code Block
mysql> CREATE USER 'new_user'@'localhost' IDENTIFIED BY 'new_password';

We have now created a user 'new_user' who can only connect from the local machine and whose password is 'new_password'. So far this user has just enough rights to connect; it cannot read or write any database yet.

Note that your host might give you access to an online tool to do MySQL administration tasks more easily, such as cPanel. Do use that if you do not have access to the command line.

We now need to allow this user to use the 'prestashop' database, and configure its rights at the same time. Here is a template for the SQL query to do that:

Code Block
mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP
    -> ON `prestashop`.* TO 'new_user'@'localhost';
mysql> FLUSH PRIVILEGES;

We now have one user just for our 'prestashop' database. Remember to do this for each new web application you add to your server. You can verify the result with SHOW GRANTS FOR 'new_user'@'localhost'; the output should list nothing beyond USAGE ON *.* and the privileges above on the prestashop database.

You can now install PrestaShop safely.

Warning

If you have just installed MySQL, remember to set a password for the root account, which on older MySQL versions has none by default. The mysql_secure_installation script shipped with MySQL does this and also removes the anonymous accounts and the test database.
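As an added example (not PrestaShop's own tooling), the following POSIX shell script generates the statements of the procedure above for a new application account, with a random password instead of 'new_password', and audits SHOW GRANTS output for accounts that break the one-user-per-application rule. The database, user and grant lines it works on are constructed; the privilege list is the one this page grants. Pipe the generated SQL into mysql -u root -p rather than pasting the password on a command line.

```shell
#!/bin/sh
# Added example (not PrestaShop's own tooling): SQL for a per-application MySQL
# account with only the privileges listed above, plus a grants audit.
# The database name, user name and SHOW GRANTS lines are constructed.

# Random alphanumeric password: no quotes or backslashes, so it can be put in
# a single-quoted SQL literal without escaping.
random_password() {          # $1 = length (default 24)
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
}

# Identifiers are restricted to [A-Za-z0-9_] so they never need quoting.
valid_ident() {
    case "$1" in ""|*[!A-Za-z0-9_]*) return 1 ;; esac
}

# Print the statements to run as an account allowed to create users (root, say).
# Values that would need SQL escaping are refused rather than escaped.
make_app_user_sql() {        # $1 = database, $2 = user, $3 = password, $4 = host
    db=$1; user=$2; pw=$3; host=${4:-localhost}
    valid_ident "$db"   || { echo "bad database name: $db" >&2; return 1; }
    valid_ident "$user" || { echo "bad user name: $user" >&2; return 1; }
    case "$host" in ""|*[!A-Za-z0-9_.%-]*) echo "bad host: $host" >&2; return 1 ;; esac
    case "$pw" in
        ""|*\'*|*\\*) echo "password must be non-empty, without quotes or backslashes" >&2; return 1 ;;
    esac
    cat <<EOF
CREATE USER '$user'@'$host' IDENTIFIED BY '$pw';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Read SHOW GRANTS output on stdin and flag anything broader than one
# application's database: ALL PRIVILEGES, *.*, GRANT OPTION, SUPER or FILE.
audit_grants() {
    rc=0
    while IFS= read -r line; do
        up=$(printf '%s' "$line" | tr '[:lower:]' '[:upper:]')
        case "$up" in
            "GRANT USAGE ON *.* TO"*) ;;      # MySQL prints this for every account
            *"GRANT ALL"*|*" ON *.* "*|*"WITH GRANT OPTION"*|*" SUPER"*|*" FILE"*)
                echo "FINDING: $line"; rc=1 ;;
            *) echo "ok: $line" ;;
        esac
    done
    return $rc
}

# Constructed SHOW GRANTS output: the account created by this page, and a
# shared account that every application on the server happens to use.
GRANTS_OK="GRANT USAGE ON *.* TO 'ps_user'@'localhost'
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP ON \`prestashop\`.* TO 'ps_user'@'localhost'"
GRANTS_BAD="GRANT ALL PRIVILEGES ON *.* TO 'shared_web'@'%' WITH GRANT OPTION"

pw=$(random_password)
make_app_user_sql prestashop ps_user "$pw"        # pipe into: mysql -u root -p
printf '%s\n' "$GRANTS_OK" | audit_grants
printf '%s\n' "$GRANTS_BAD" | audit_grants || echo "split this account per application"
```

If a module installation later fails with a privilege error, grant the specific missing privilege on that one database rather than ALL PRIVILEGES, and run the audit again.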

Basic authentication establishment (.htaccess)

In order to better protect your PrestaShop install, we need to establish basic authentication on PrestaShop's admin directory.

One of the aims of the .htaccess file is to protect a directory and all its sub-folders with a self-contained authentication mechanism, simply by adding a .htaccess file in that directory. It only works on Apache servers (and a few others that emulate it). Make sure your web server is Apache before creating a .htaccess file, and that its configuration allows .htaccess files for that directory (AllowOverride All, or at least AuthConfig and Options): with AllowOverride None the file is silently ignored and the folder stays unprotected, so always check afterwards that requesting the admin URL in a browser prompts for a login.

To achieve basic authentication on your admin folder, we need to add a .htaccess file in the PrestaShop admin folder (for instance, /var/www/prestashop/admin):

Code Block
AuthUserFile /var/www/.prestashop_admin
AuthName "Prestashop Admin Access"
AuthType Basic
Require valid-user
Options -Indexes

Explanation:

  • AuthUserFile: The path to the file containing the allowed users and their passwords. .prestashop_admin is a plain text file.
  • AuthName: The message (realm) shown when the authentication window pops up.
  • AuthType: The authentication type. Basic sends the login and password base64-encoded, not encrypted, with every request, so the admin folder should only be served over HTTPS.
  • Require: Requires users to log in in order to access the content. valid-user means that any user listed in the password file may log in.
  • Options: Defines the folder's options. Here -Indexes disables the directory listing Apache would otherwise generate automatically when no index file is available.

Here is sample content for the .prestashop_admin file, with two logins and their hashed passwords:

Code Block
login1:$apr1$/wJeliK8$e9OzgRaVL8J8wSsFBXjor1
login2:$apr1$yV65Kqqz$cFt3sV2.Q7hhLRRUJDo5a/

This file contains the logins and hashed passwords of the users allowed to access the folder. Never store a password in clear text in it.
To hash a password, use the htpasswd tool shipped with Apache (htpasswd -c /var/www/.prestashop_admin login1 creates the file with its first user; htpasswd /var/www/.prestashop_admin login2 adds another one) or an online .htpasswd generator.

It is strongly recommended to put this file in a directory that is inaccessible to your web applications, that is, outside the open_basedir folder (above, /var/www/.prestashop_admin sits outside /var/www/prestashop). This prevents the password file from being read or overwritten in case one of your web applications is vulnerable. The file must nevertheless be readable by the user Apache runs as.

...

It is also possible to perform IP and domain restrictions using your .htaccess file (Apache 2.2 syntax; on Apache 2.4 these directives only work with mod_access_compat loaded, the native equivalents being Require ip and Require host):

Code Block
Order Allow,Deny
Deny from all
Allow from .myboutique.com
Allow from 127.0.0.1

Note that Order takes a single argument: a space after the comma is a syntax error that prevents Apache from serving the folder. Restricting by host name relies on reverse DNS lookups of the client's address, so prefer IP addresses or networks whenever you can.
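As an added example (not part of the PrestaShop documentation), the following POSIX shell script generates a password-file entry in the $apr1$ format shown above and sanity-checks a .htaccess before it goes live: the AuthUserFile must be absolute and outside the DocumentRoot (the open_basedir folder), a Require directive and Options -Indexes must be present, the Order directive must not contain whitespace, and a <Limit> block is flagged (the reason is given further down this page). The paths and the sample .htaccess files are constructed; htpasswd_entry assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the PrestaShop documentation): create a .htpasswd
# entry and sanity-check the .htaccess protecting the admin folder.
# Paths and sample files are constructed; htpasswd_entry needs openssl.

# One .htpasswd line using Apache's MD5-based "apr1" scheme, the $apr1$ format
# shown above. With Apache 2.4, htpasswd -B (bcrypt) is the stronger choice.
htpasswd_entry() {            # $1 = login, $2 = password
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Print findings for a .htaccess file and return 1 if any were found.
check_htaccess() {            # $1 = .htaccess path, $2 = DocumentRoot
    file=$1; docroot=${2:?DocumentRoot required}; docroot=${docroot%/}; rc=0
    authfile=$(sed -n 's/^[[:space:]]*AuthUserFile[[:space:]]*//p' "$file" \
        | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/' | tail -n 1)
    if [ -z "$authfile" ]; then
        echo "FINDING: no AuthUserFile, so 'Require valid-user' cannot authenticate anyone"; rc=1
    else
        case "$authfile" in
            "$docroot"/*) echo "FINDING: $authfile lies inside $docroot, reachable by the web applications"; rc=1 ;;
            /*) ;;
            *) echo "FINDING: AuthUserFile must be an absolute path, got '$authfile'"; rc=1 ;;
        esac
    fi
    grep -q '^[[:space:]]*Require[[:space:]]' "$file" \
        || { echo "FINDING: no Require directive, nothing is protected"; rc=1; }
    grep -q '^[[:space:]]*Options.*-Indexes' "$file" \
        || { echo "FINDING: directory listing is not disabled (Options -Indexes)"; rc=1; }
    # <LimitExcept> is not matched: it is the safe form, since unlisted methods stay protected.
    grep -qi '^[[:space:]]*<Limit[[:space:]>]' "$file" \
        && { echo "FINDING: <Limit> only guards the listed methods; any other method bypasses it"; rc=1; }
    # "Order Allow,Deny" takes a single argument: a space after the comma is a
    # syntax error that stops Apache from serving the folder at all.
    grep -qi '^[[:space:]]*Order[[:space:]].*,[[:space:]]' "$file" \
        && { echo "FINDING: whitespace after the comma in the Order directive"; rc=1; }
    return $rc
}

tmp=$(mktemp -d)
# Constructed copy of the .htaccess shown above.
cat > "$tmp/good" <<'EOF'
AuthUserFile /var/www/.prestashop_admin
AuthName "Prestashop Admin Access"
AuthType Basic
Require valid-user
Options -Indexes
EOF
check_htaccess "$tmp/good" /var/www/prestashop && echo "admin .htaccess looks fine"
# Constructed .htaccess with every pitfall this check knows about.
cat > "$tmp/bad" <<'EOF'
AuthUserFile "/var/www/prestashop/admin/.htpasswd"
AuthType Basic
Order Allow, Deny
<Limit GET POST>
Require valid-user
</Limit>
EOF
check_htaccess "$tmp/bad" /var/www/prestashop || echo "fix before enabling"
command -v openssl >/dev/null && htpasswd_entry login1 'correct horse'
rm -rf "$tmp"
```

The check cannot see the server-wide AllowOverride setting, which decides whether the .htaccess is read at all, so still confirm in a browser that the admin URL asks for a login.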

On the other hand, you should not use this kind of directive:

Code Block
<Limit GET POST>
Require valid-user
</Limit>

It only requires authentication for GET and POST requests; a client can bypass it by using another HTTP method (HEAD, for instance) and read the content of a known page. If you need to limit by method at all, use <LimitExcept>, which protects every method not listed; in general, simply leave the Require directive outside any such block, as in the example above.

Recommendations

suPHP Installation

...

Safe Mode

PHP's Safe Mode is part of the PHP engine itself, and if the engine is vulnerable (it happens), a user can potentially bypass Safe Mode. Moreover, Safe Mode is deprecated in the latest versions of PHP (deprecated in PHP 5.3 and removed in PHP 5.4) and should no longer be relied upon. There is a solution: suPHP.
suPHP is an Apache module that lets you control and wall off web applications, so that even if a user bypasses Safe Mode, they are controlled and stopped by another protection: suPHP.

You will find documentation and downloads here: suPHP.

Updates

Your applications' PHP code is not the only vulnerable path to your server. It is therefore strongly recommended to always keep your server's applications up to date: PHP, MySQL, Apache and any other application on which your website runs.

UNIX/BSD systems have the cron daemon, which enables the recurring execution of command lines based on configuration files (crontabs, edited with the crontab command). It lets you automate application updates, and back up your files and databases without an administrator having to intervene.
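As an added example (not from the PrestaShop documentation), the following POSIX shell script is the kind of nightly job the paragraph above describes: it dumps the shop's database and archives its files into a root-only directory, then prunes archives older than a retention period, with the crontab line that schedules it. All paths, the credentials file (a [client] section with user and password, readable by root only, passed to mysqldump with its --defaults-extra-file option so the password never shows in the process list) and the 14-day retention are assumptions.

```shell
#!/bin/sh
# Added example (not from the PrestaShop documentation): nightly backup job for
# cron. Paths, credentials file and retention period are assumptions.
# Install as root with `crontab -e`; runs every night at 03:15:
#   15 3 * * * /usr/local/sbin/prestashop-backup.sh run >> /var/log/prestashop-backup.log 2>&1

BACKUP_DIR=${BACKUP_DIR:-/var/backups/prestashop}
SHOP_DIR=${SHOP_DIR:-/var/www/prestashop}
DB_NAME=${DB_NAME:-prestashop}
# [client] user=... password=... in a file readable by root only, so the
# password is neither on the command line nor in `ps` output.
DB_CNF=${DB_CNF:-/etc/prestashop/backup.cnf}
KEEP_DAYS=${KEEP_DAYS:-14}

# Name for today's archives, e.g. prestashop-20240131.
backup_name() {              # $1 = optional YYYYMMDD override (used by tests)
    printf '%s-%s' "$DB_NAME" "${1:-$(date +%Y%m%d)}"
}

# Delete archives older than $2 days from $1, printing each removed file.
# find's -mtime +N selects files whose age is strictly more than N days.
prune_old_backups() {        # $1 = directory, $2 = days to keep
    find "$1" -maxdepth 1 -type f -name "$DB_NAME-*" -mtime +"$2" -print -exec rm -f {} +
}

# Dump the database, archive the shop directory and prune. Archives are created
# with umask 077 so that only root can read the dumps. Needs mysqldump and tar;
# not exercised by the test below.
run_backup() {
    umask 077
    mkdir -p "$BACKUP_DIR" || return 1
    name=$(backup_name)
    mysqldump --defaults-extra-file="$DB_CNF" --single-transaction "$DB_NAME" \
        > "$BACKUP_DIR/$name.sql" && gzip -f "$BACKUP_DIR/$name.sql" || return 1
    tar -czf "$BACKUP_DIR/$name.files.tar.gz" \
        -C "$(dirname "$SHOP_DIR")" "$(basename "$SHOP_DIR")" || return 1
    prune_old_backups "$BACKUP_DIR" "$KEEP_DAYS"
}

# `prestashop-backup.sh run` performs the backup; sourcing the file only
# defines the functions.
case "${1:-}" in run) run_backup ;; esac
```

Keeping the dump in $BACKUP_DIR under umask 077 matters as much as the dump itself: a world-readable SQL dump of the shop undoes the MySQL privilege separation set up earlier on this page. For the package updates the text mentions, the distribution's own mechanism (Debian's unattended-upgrades, for instance) is the usual cron-driven tool.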