- Posted by Melanie
- 15 November 2012
- Small Business, Store Development, Zen Cart
PCI Compliance is a struggle for all merchants. The time, cost and knowledge needed is perhaps excessive when you factor in that no one is policing the rules. Having said that, we have recently come across a really stupid pain in the ass new fail for scans from a few of the PCI scanning companies. The fail is simple.... Your Zen Cart contact form is now supposed to be protected under SSL. So I argued this with the scanning company CSR on the phone, but the fact is, fail is fail and they are not budging.... even though they are using a GIGANTIC amount of imagination to interpret the PCI Standards. So yes it's completely asinine, it is NOT sensitive information and people using the form are not even necessarily customers who have or will checkout. In fact I suspect many are idiot spammers selling you PPC with their highly professional GMAIL business email =) .... But, even the stupid must be protected from nothing I suppose.
So, making Zen Cart serve your contact page under SSL is a PIA.
The absolutely easiest thing to do is to secure the whole catalog front end under SSL. This is done by editing includes/configure.php and completing the following.
On line 15 you will make the following edit (domain.com stands for your own host name).
define('HTTP_SERVER', 'https://domain.com');
On line 19 just verify that the value is true and not false.
define('ENABLE_SSL', 'true');
Now this method, while easy to accomplish, has some pitfalls. Your URLs will ALL change, some servers' SSL configs can be significantly slower, and you'll have to properly serve every resource (images, scripts, stylesheets) over HTTPS or face the "Broken Lock of Death" mixed-content warning. If you want to avoid these pitfalls, the task is a genuine, annoying PIA to complete.
Turning Your Contact Page to SSL the Hard Way
- First open up your admin and go to Tools >> Developers Tool Kit
- Now scroll down to the last field and enter zen_href_link(FILENAME_CONTACT_US and set it for PHP files only and Catalog only.
- This search is going to bring up all the link references for the contact us page, so we can hunt them all down and edit them like crazy people. I could just tell you where they are, but then you would miss template and override files.
For each of these instances you will change the code from
<a href="' . zen_href_link(FILENAME_CONTACT_US) . '">
to
<a href="' . zen_href_link(FILENAME_CONTACT_US, '', 'SSL') . '">
- Now that the references are trained to be SSL, we have to change the actual form action to be SSL as well. In theory this is ALL that should be required, but the idiots at the scanning companies cannot teach their pet tool to recognize that the function itself is secured, so the page doesn't need to be.
In /public_html/includes/templates/your_template/templates/tpl_contact_us_default.php on line 17 locate the following.
<?php echo zen_draw_form('contact_us', zen_href_link(FILENAME_CONTACT_US, 'action=send')); ?>
replace it with
<?php echo zen_draw_form('contact_us', zen_href_link(FILENAME_CONTACT_US, 'action=send','SSL')); ?>
That's all, now you can rescan and have a beer, you earned it!
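To find every contact-us link that still defaults to NONSSL without clicking through the Developers Tool Kit, here is an added example (my own Python, not code from the post or from Zen Cart) that runs the same search over the catalog's .php files. It assumes the one-line call form shown above, as the stock templates and headers write it; the sample template sources embedded in it are constructed for the demonstration.

```python
import re
from pathlib import Path

# One zen_href_link(FILENAME_CONTACT_US ...) call with its argument list.
# Assumption: the call sits on one line with no parentheses inside the
# arguments, which is how the stock templates and headers write it.
CALL_RE = re.compile(r"zen_href_link\(\s*FILENAME_CONTACT_US([^)]*)\)")


def connection_of(args):
    """Return the third zen_href_link argument ('SSL' or 'NONSSL').
    The signature is zen_href_link($page, $parameters = '', $connection = 'NONSSL', ...),
    so a missing third argument means the link is plain HTTP."""
    rest = [a.strip().strip("'\"") for a in args.split(",")[1:]]
    return rest[1].upper() if len(rest) >= 2 else "NONSSL"


def insecure_contact_links(php_source):
    """Return (line_number, call_text) for every contact-us link call that is
    not explicitly requested over SSL."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            if connection_of(m.group(1)) != "SSL":
                hits.append((lineno, m.group(0)))
    return hits


def audit_sources(sources):
    """sources: {relative_path: php_text}. Returns only the files with hits."""
    report = {}
    for path, text in sources.items():
        hits = insecure_contact_links(text)
        if hits:
            report[path] = hits
    return report


def audit_tree(root):
    """Same audit over a real catalog directory (templates, overrides, headers)."""
    root = Path(root)
    return audit_sources(
        {str(p.relative_to(root)): p.read_text(errors="replace")
         for p in root.rglob("*.php")}
    )


# Constructed sample sources (not real Zen Cart files): one link already fixed,
# one still on NONSSL, and the form action from tpl_contact_us_default.php.
SAMPLE_SOURCES = {
    "includes/templates/my_template/common/tpl_footer.php":
        "<a href=\"' . zen_href_link(FILENAME_CONTACT_US, '', 'SSL') . '\">Contact</a>",
    "includes/templates/my_template/sideboxes/tpl_information.php":
        "<a href=\"' . zen_href_link(FILENAME_CONTACT_US) . '\">Contact Us</a>",
    "includes/templates/my_template/templates/tpl_contact_us_default.php":
        "<?php echo zen_draw_form('contact_us', zen_href_link(FILENAME_CONTACT_US, 'action=send')); ?>",
}

if __name__ == "__main__":
    # Replace SAMPLE_SOURCES with audit_tree('/path/to/catalog') for a live store.
    for path, hits in audit_sources(SAMPLE_SOURCES).items():
        for lineno, call in hits:
            print(f"{path}:{lineno}: {call}")
```

Run audit_tree against the catalog root after the edits; an empty report means every reference and the form action carry the 'SSL' argument, which is what the scanner is looking for.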
- Posted by Melanie
- 12 March 2010
- Ecommerce Marketing, Store Development
First and foremost make sure your Zen Cart is fully patched! No exceptions. Even the Zen Cart you just downloaded and installed still needs these.
Now, do the items on Zen Cart's recommended security list, but please ignore the following two entries. If you apply them, your robots.txt can no longer be fetched and your PHP pages will not load properly in most server environments.
#.htaccess to prevent unauthorized directory browsing or access to .php files
IndexIgnore */*
<Files *.php>
Order Deny,Allow
Deny from all
</Files>

#add the following to protect against people discovering what version your spiders.txt file is
<Files *.txt>
Order Deny,Allow
Deny from all
</Files>

Now, let's add some cool stuff to help you stay safe.
Tip #1: Use strong passwords for everything! Change them every 30 days.
Tip #2: When renaming your admin DO NOT use any admin or business related term. Try banana for example; something like manage, control or anything XXadmin is a dead guess for most hackers to discover your admin directory.
Tip #3: Make sure all admins have their OWN accounts and install this module to track their access more conveniently.
Tip #4: Protect your admin directory with additional auth when possible. Perhaps you can password protect the directory or allow access by IP address, for example.
# password-protect the directory (basic auth; the .htpasswd path is an example,
# keep the real file outside the web root)
AuthType basic
AuthName "This directory is protected"
AuthUserFile /home/path/.htpasswd
AuthGroupFile /dev/null
Require valid-user

# deny all except listed addresses. "allow from" takes an IP, a network or a
# (partial) host name, not a regular expression, and a host name only matches
# when the server does reverse lookups. <Limit> restricts only the methods it
# names, so drop the <Limit> wrapper to cover every method. On Apache 2.4 this
# becomes "Require ip 192.168.1.1" unless mod_access_compat is loaded.
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 192.168.1.1
allow from domain.com
</Limit>

Tip #5: Protect ALL directories from browsing with an index.html file. This file can be blank; it just prevents the directory from displaying in an index to browse. If a folder has an index.anything... it's protected.
Tip #6: Protect your images directories (all of them) with the following .htaccess to prevent browsing, executing php files and more. These directories will also need an index file. When done, log in to your hosting control panel and change the permissions on both the index.html and .htaccess files to 444 to prevent modification.
#PRO-Webs ver 1.8 1/2010
#Prevent directory viewing and the ability of any scripts to run.
#While a bit overkill, this file prevents a wide array of access and executions
#of known exploits in your Zen Cart
#This file and an index.html should have the chmod 444
#The lowest permission your server accepts differs from server to server; set it as
#low as possible and no higher than 644
#Permissions this low will likely need to be set in the file manager
#Place this in all images directories except BMZ_Cache
#Options and RewriteEngine only take effect if the server's AllowOverride
#includes Options and FileInfo; a 500 error on image URLs means it does not
Options -ExecCGI -Indexes
IndexIgnore *
RewriteEngine on
#403 any request from a libwww-based client, or any query string whose value
#starts with http (the shape of a remote file include attempt)
RewriteCond %{HTTP_USER_AGENT} libwww [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)=http [NC]
RewriteRule ^(.*)$ - [F,L]
#keep the .htaccess itself from being served
<Files .htaccess>
order allow,deny
deny from all
</Files>
#refuse to serve any .php file that ends up in an images directory
<Files ~ "\.php$">
Order allow,deny
Deny from all
</Files>
chmod .htaccess files 444

Tip #7: If you have an SSL, force all of your admin pages to load only on secured URLs with the following htaccess code.
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} /admin_dir/
# %{REQUEST_URI} rather than $1, so the rule works from the site root .htaccess
# as well as from admin_dir/.htaccess without doubling the admin path
RewriteRule ^(.*)$ https://domain.com%{REQUEST_URI} [R=301,L]

Tip #8: Make sure your cache folder has the correct index.php and .htaccess. Download a fresh version of Zen Cart and upload them to be sure. Now CHMOD, change the permissions of these to 444.
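The two rule sets above (the images-directory block in Tip #6 and the admin redirect in Tip #7) are easy to get wrong in scope, so here is an added example, my own Python and not code from the post or from Zen Cart, that replays constructed access-log lines through the same regular expressions. It assumes the Tip #6 file sits in the images directories only, that the Tip #7 rule sits in the site root .htaccess with the admin directory renamed to admin_dir, and a host of domain.com; the log lines and IP addresses are made up for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Tip #6 conditions, as regexes with the [NC] (case-insensitive) flag.
UA_BLOCK = re.compile(r"libwww", re.IGNORECASE)
QUERY_BLOCK = re.compile(r"^(.*)=http", re.IGNORECASE)
IMAGES_PREFIX = "/images/"          # where the Tip #6 .htaccess lives (assumed stock path)
# Tip #7 condition: the admin directory, assumed renamed to "admin_dir".
ADMIN_PATH = re.compile(r"/admin_dir/")


def rewrite_verdict(port, uri, user_agent, host="domain.com"):
    """What the two .htaccess rule sets would do with one request:
    ('403', None)       refused by the images-directory rules
    ('301', https-url)  redirected by the admin-only-over-SSL rule
    ('pass', None)      left alone."""
    parts = urlsplit(uri)
    in_images = parts.path.startswith(IMAGES_PREFIX)
    if in_images and (UA_BLOCK.search(user_agent) or QUERY_BLOCK.match(parts.query)):
        return ("403", None)
    # mod_rewrite re-appends the original query string on an [R] redirect,
    # so the target keeps the full request URI.
    if port == 80 and ADMIN_PATH.search(parts.path):
        return ("301", f"https://{host}{uri}")
    return ("pass", None)


# Constructed combined-format log lines (not real traffic; documentation IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Mar/2010:10:00:00 +0000] "GET /index.php?main_page=contact_us HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [12/Mar/2010:10:00:01 +0000] "GET /images/large/logo.png?src=http://198.51.100.9/p.txt HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2010:10:00:02 +0000] "GET /images/large/logo.png HTTP/1.1" 403 210 "-" "libwww-perl/5.805"',
    '203.0.113.8 - - [12/Mar/2010:10:00:03 +0000] "GET /images/large/banner.png?ref=https://partner.example/ HTTP/1.1" 403 210 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2010:10:00:04 +0000] "GET /index.php?main_page=index&inc=http://198.51.100.9/p.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [12/Mar/2010:10:00:05 +0000] "GET /admin_dir/index.php HTTP/1.1" 301 0 "-" "Mozilla/5.0"',
]
LOG_RE = re.compile(r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')


def replay(log_lines, port=80):
    """Map each request in the log to the verdict the rules would give it."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            out.append((m["uri"], rewrite_verdict(port, m["uri"], m["ua"])))
    return out


if __name__ == "__main__":
    for uri, (status, target) in replay(SAMPLE_LOG):
        print(f"{status:4} {uri}" + (f" -> {target}" if target else ""))
```

The replay makes two things visible that the rules alone do not: a catalog request carrying =http in its query string passes untouched, because the Tip #6 file governs only the images directories, while a harmless image request with a ref=https://... parameter is refused. Check your own logs for that second pattern before turning the rule on.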
I may be adding to this, as we are always testing... so stay tuned.
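To confirm that Tips #5, #6 and #8 actually took on disk, here is an added example, my own Python rather than anything from the post or from Zen Cart, that walks the images tree and the cache folder and reports every directory without an index file or .htaccess, every one of those files not at mode 444, and every .php file sitting in an images directory. The sample tree it builds in a temporary directory is constructed for the demonstration; point audit_images and audit_cache at your real store paths instead.

```python
import stat
import tempfile
from pathlib import Path

READ_ONLY = 0o444            # the mode the tips ask for on index.* and .htaccess
SCRIPT_SUFFIXES = {".php"}   # what the page's <Files ~ "\.php$"> block refuses


def mode_of(path):
    """Permission bits of a file, e.g. 0o444."""
    return stat.S_IMODE(Path(path).stat().st_mode)


def audit_directory(directory, require_htaccess=True):
    """Findings for one directory: Tip #5 (an index.* file exists and is 444),
    Tip #6 (.htaccess exists and is 444, and no .php file lies in the directory)."""
    d = Path(directory)
    findings = []
    indexes = sorted(d.glob("index.*"))
    if not indexes:
        findings.append(f"{d}: no index file, directory listing possible")
    elif mode_of(indexes[0]) != READ_ONLY:
        findings.append(f"{indexes[0]}: mode {mode_of(indexes[0]):o}, expected 444")
    htaccess = d / ".htaccess"
    if require_htaccess:
        if not htaccess.exists():
            findings.append(f"{d}: missing .htaccess")
        elif mode_of(htaccess) != READ_ONLY:
            findings.append(f"{htaccess}: mode {mode_of(htaccess):o}, expected 444")
    for p in sorted(d.iterdir()):
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
            findings.append(f"{p}: script file inside an images directory")
    return findings


def audit_images(images_root):
    """Walk the whole images tree; bmz_cache is exempt from the .htaccess rule,
    as the header comment of the page's .htaccess says."""
    root = Path(images_root)
    findings = []
    for d in [root] + sorted(p for p in root.rglob("*") if p.is_dir()):
        findings += audit_directory(d, require_htaccess=(d.name.lower() != "bmz_cache"))
    return findings


def audit_cache(cache_dir):
    """Tip #8: the cache folder keeps its index.php and .htaccess at mode 444."""
    findings = []
    for name in ("index.php", ".htaccess"):
        p = Path(cache_dir) / name
        if not p.exists():
            findings.append(f"{p}: missing")
        elif mode_of(p) != READ_ONLY:
            findings.append(f"{p}: mode {mode_of(p):o}, expected 444")
    return findings


def build_sample_tree():
    """Constructed Zen Cart-like tree in a temp dir (not a real store):
    images/large is hardened, images/products is not, cache is half done."""
    root = Path(tempfile.mkdtemp(prefix="zc_audit_"))

    def make(rel, mode, text=""):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)
        p.chmod(mode)

    make("images/index.html", 0o444)
    make("images/.htaccess", 0o444, "Options -Indexes\n")
    make("images/large/index.html", 0o444)
    make("images/large/.htaccess", 0o444, "Options -Indexes\n")
    make("images/bmz_cache/index.html", 0o444)
    make("images/products/index.html", 0o644)              # left writable
    make("images/products/stray.php", 0o644, "<?php ?>")   # should not be here
    make("cache/index.php", 0o444)                         # .htaccess missing
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for finding in audit_images(sample / "images") + audit_cache(sample / "cache"):
        print(finding)
```

The audit is read-only; it changes nothing, so it is safe to run on the live store after each change to see what the control panel actually applied.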