Security Recommendations

We strongly encourage you to use the following security precautions to minimize the chance of unauthorized access to your ProductCart Control Panel and store database. It is especially important that confidential information such as FTP credentials and ProductCart Control Panel credentials are (1) regularly changed; (2) always changed after being shared with ANY third party.

Make sure to carefully review the section dedicated to PCI compliance and specifically the important ProductCart PA-DSS Implementation Guide.

• Rename the "pcadmin" folder
  By renaming the folder that contains the Control Panel files (by default named “pcadmin”), you can make the location of your Control Panel virtually impossible to find. See how to rename the "pcadmin" folder. For added security:
  • Regularly change the name of the folder
  • Always change the name of the folder when staff (or consultants) that had knowledge of it leaves the company
• Use the HTTPS protocol (SSL certificate)
  The use of a SSL (Secure Socket Layer) certificate ensures that all data exchanged between the browser and the Web server is encrypted. For more information about which SSL certificates are supported by ProductCart, please refer to the System Requirements section of this User Guide. SSL can be used both on the storefront and the Control Panel.
  • Storefront. The use of SSL ensures that sensitive information - such as credit card numbers - is submitted via the secure HTTPS protocol. Please refer to the Store Settings section of this User Guide for more information.
  • Control Panel. If you are using a dedicated SSL certificate, you can force all Control Panel pages to load through the HTTPS protocol. To do so, place the following ASP code at the very top of the file pcadmin/AdminHeader.asp. If you are using ProductCart v2.6 and above, you will find this code already on the page. Simply remove the apostrophe at the beginning of each line to enable this feature.

    <%
    Response.Buffer = True
    If (Request.ServerVariables("HTTPS") = "off") Then
        Dim xredir__, xqstr__
        xredir__ = "https://" & Request.ServerVariables("SERVER_NAME") & _
                   Request.ServerVariables("SCRIPT_NAME")
        xqstr__ = Request.ServerVariables("QUERY_STRING")
        if xqstr__ <> "" Then xredir__ = xredir__ & "?" & xqstr__
        Response.redirect xredir__
    End if
    %>

• Regularly change your Control Panel password
  You can do so from within the Control Panel, under “General Settings/Change Password”. We recommend that you change your Control Panel password every month or two, and whenever someone that had access to it no longer works for your company.
• Regularly backup your store
  Regularly backup your store to ensure quick and effortless recovery in case your store needs to be restored for any reason (e.g. hardware failures, unauthorized access, change of Web server, change of Web hosting company, etc.). This task should be performed on a weekly basis, more often for busy stores. You should back up the following store data:
  • Your store database (if you are using MS SQL, enquire with your Web hosting company to find out how often they back it up for you)
  • The “includes” folder, which contains a variety of store settings (include in backup when you have edited any of the store settings)
  • Any ProductCart files that you have modified to better meet your needs (include in backup any file that was recently edited)
• Disable directory browsing
  When directory browsing is disabled, Web site visitors cannot view a tree of the folders that exist within the Web site. Contact your Web hosting company to ensure that they have disabled directory browsing.
• Remove or rename cmd.exe
  If you are hosting your store on your own dedicated Web server, then this security tip can help you further reduce the chances of unauthorized access to the Web server. The objective of a hacker attack is often to gain full control of the victim’s computer. Hackers often do so by accessing a program called cmd.exe, which allows you to execute commands on the system. We recommend that you rename, move, or restrict access to cmd.exe. Renaming it or limiting its use to members of the administrator group removes this vulnerability. This is not a generally needed file for a Web server and if it doesn't exist then it is impossible for an attacker to gain access to it.
• Edit the Print Settings in Internet Explorer
  If you print out order invoices from the Control Panel and send them to your customers, note that Internet Explorer by default prints the complete URL to the page at the bottom of the document. You can easily change this setting in Internet Explorer by selecting File > Page Setup and removing the characters that appear in the Footer field.
• Regularly change FTP access credentials
  FTP access should never be shared with anyone.
  • Regularly change your FTP credentials: this applies to your entire Web site, not just ProductCart
  • Always change your FTP credentials when someone that had those credentials no longer works with you.
  • When you work with a third party (e.g. Web designer, Web developer, or during the troubleshooting of a software issue), change the credentials immediately after the project/task has been completed.
• Carefully review and apply the recommendations under Security of Sensitive Information
• Carefully review the section on PCI compliance

MS Access databases are inherently less secure because an Access database, unlike a MS SQL database, can be downloaded just like any other file if their location is known. Therefore, you should take the following precautions to ensure the location of your store database cannot be easily guessed.

• Change database location and the database name
  Your store database is located in the database subfolder of productcart. You should rename the folder or move the database to another folder on your Web server, as long as it has write/read permissions. You should also rename the database to any other name. When you change the folder name, or move the database to a new location, and rename it, remember to edit the DSN or DSN-less database connection string. After doing so, make sure to either run the ProductCart activation form again, or manually edit the database connection string in the includes/storeconstants.asp file. Also, for added security make sure that the folder that holds the database cannot be accessed by a browser (ask you Web hosting company how to disable HTTP access to the folder).

• Password-protect the store database
  You can password-protect the Microsoft® Access database that powers your online store. To do so, first download the database to your local machine. Then, launch Access and select File/Open. Locate the file that you just downloaded and open it using the Open Exclusive option. You can select the Open Exclusive option from the Open drop-down located in the bottom right corner of the Open File window (Access 2002). Once the database is open select Tools/Security/Set Database Password. Enter a password, confirm it and click OK.

  Upload the database back to your Web server. The database will now require a password before being opened or accessed by any application. This is true for ProductCart too. Therefore, you will need to modify the DSN or DSN-less connection to include the password information. You may easily do so by editing a filed called storeconstants.asp located in the productcart/includes folder.

  For example, if you are using a DSN connection “DSN=productcart” becomes “DSN=productcart;PWD=yourPassword”

  If you are using a DSN-less connection:

  “DRIVER={Microsoft Access Driver (*.mdb)};DBQ=c:\yourdatabase.mdb”

  becomes…

  “DRIVER={Microsoft Access Driver (*.mdb)};DBQ=c:\anydatabase.mdb;PWD=password”

• Regularly back-up your database
  Your store database contains all the information that is visible and used on your online store: product information, order details, customer information, etc. Because strange things happen even to the most reliable Web hosting providers, make sure that you keep a back-up copy of your store database in a location other than your Web server. You should back up the database regularly.

If you are particularly concerned about the possibility of SQL injection against your database, you can run the following two queries to reduce permissions on two system tables for the database user that is used in the ProductCart database connection string (UID located in the connection string saved to the file ”includes/storeconstants.asp”). This measure could prevent the execution of certain types of SQL injection attacks, however it is not seen as a necessity since the ASP source code already contains methods to sanitize data entered by users.

These queries can be run successfully as long as the database user that is employed in the ProductCart database connection string has permissions to create and drop tables.

The change in permissions consists in denying SELECT permissions for the ProductCart database user to the sysobjects and syscolumns tables in the MS SQL database. This measure specifically protects a database from SQL injection attacks such as the one performed in the spring of 2008, which relied on these system tables to be able to identify other, existing table names and crawl through the entire database injecting their fields with malicious code.

The commands to run in query analyzer are:

deny select on sysobjects to DatabaseUser
deny select on syscolumns to DatabaseUser

… where DatabaseUser corresponds to the UID value in the database connection string in your storeconstants.asp file.

If you are setting up a new ProductCart store, run these queries after setting up the ProductCart database.

If you receive an error similar to the following:

Msg 4604, Level 16, State 1, Line 1

There is no such user or group 'YOURUSER'.

This is probably due to the fact that the user “YOURUSER” belongs to the default database role called “Public”.

You can get around the problem by running the same queries with “Public” instead of the user name used in the connection string. Therefore, the queries become.

deny select on sysobjects to Public
deny select on syscolumns to Public

Can this have any adverse affects? Not within ProductCart. However, if there are other applications that are using the same database and the same database user, and need access those two tables, then this will affect those applications and not allow them to run properly. If this is the case, setup a different user that is used solely for ProductCart and run the queries above for that user only.

In addition, you will not be able to view any of the tables through Enterprise Manager or SQL Management Studio (since those functions require the use of the sysobjects and syscolumns tables). It does not affect the use of the Query Analyzer, since it does not need to dynamically retrieve information from the system tables in order to run straight queries.

Finally, if you need to reverse these commands, you can execute the following queries:

Grant  select on sysobjects to DatabaseUser
Grant  select on syscolumns to DatabaseUser

If any vulnerability is found in ProductCart:

1. A patch is developed as soon as possible
2. Information on the vulnerability is posted on the ProductCart Support Center
3. ProductCart users are notified via email (make sure to sign up for our product updates), Twitter, and the Early Impact blog.