VPCart Forum - Credit card fraud and hackers
Topic: Improved Security
Davidwarnold
Starting Member

8 Posts

Posted - July 29 2003 :  04:29:03
Security:
1)
To help prevent search engines spidering your admin pages, add:
<META NAME="ROBOTS" CONTENT="NOINDEX,NOFOLLOW"> in between the <head> </head> section of shopadmin_header.htm

2)
I wrote a simple include file that I put at the top of your shopadmin.asp (renamed, of course); see below.
This carries out two operations: if your internet connection has a fixed IP, it checks it and, if OK, does nothing.
If the IP is not known, it then checks the header for a password. If correct, it allows you in.
However, you only have a set amount of tries over a given time. If you exceed the amount of tries, it locks you out for a while and redirects to a "page not found". This makes it appear as if the page no longer exists.

I use this software for two reasons.
Although I normally do ‘Admin’ duties while at the office (fixed IP), I can still work from home using a dynamic IP or check what’s going on from any remote location.
It prevents hackers from using brute-force password crackers to get into your site.

3)
Software note to VP-ASP programmer.
I see optional include files in your software controlled by ASP.
Also in some Case statements, i.e.:
Case a
<!-- #include file= A -- >
Case b
<!-- #include file= B -- >
Case c
<!-- #include file= C -- >

As far as I understand, this does not work, as all include files are included BEFORE any execution of the ASP code?

Does this cause any problems / security problems?

4)
Final comment to VP-ASP Designer.
You must improve the credit card security section of your software against hackers. You also need to automate deleting and changing file names and locating the database. I got hacked BIG time; it cost the credit card people over £10,000!
Security should be inherent in the design without the need to read a big fat manual.

PS: Your tech support is second to none - thanks.

-----------------
<%
Sub Added_IP_check_security()
    ' Lets MY_IP_NUMBER through, OR any address that supplies querystring QNAME=PASSWORD.
    ' In this example: www.mysite.com/myshop/adminpageforshop.asp?GetMeIn=Emergency
    ' The "?GetMeIn=Emergency" part is only required if your IP is dynamic or not equal to MY_IP_NUMBER.
    ' Note that the password travels in the URL, so it will also appear in the web server logs.

    Const MY_IP_NUMBER = "12.3453.67.89" 'your fixed IP address - *** Change to fit
    Const TIME_OUT = 3 'minutes before the failed-attempt counter resets
    Const MAX_TRIES = 4 'failed attempts allowed within TIME_OUT minutes
    Const PASSWORD = "Emergency" 'case sensitive - *** change
    Const QNAME = "GetMeIn" ' -*** change
    Const REDIRECT_TO = "http://www.yoursite.com/404" ' - ***change

    Dim passwordOk

    ' Requests from the fixed office address need no further checks.
    If Request.ServerVariables("REMOTE_ADDR") = MY_IP_NUMBER Then Exit Sub

    ' The counter and timestamp are shared by every visitor, so lock the
    ' Application object while they are read and updated.
    Application.Lock
    If IsEmpty(Application("SecurityLastIn")) Then Application("SecurityLastIn") = Now()
    If IsEmpty(Application("SecurityCount")) Then Application("SecurityCount") = 0

    ' Reset the counter once TIME_OUT minutes have passed since the window opened.
    If DateDiff("n", Application("SecurityLastIn"), Now()) >= TIME_OUT Then
        Application("SecurityCount") = 0
        Application("SecurityLastIn") = Now()
    End If

    ' StrComp with vbBinaryCompare keeps the password check case sensitive.
    passwordOk = (StrComp(Request.QueryString(QNAME), PASSWORD, vbBinaryCompare) = 0)

    ' Only a wrong (or missing) password counts as a try; successful admin
    ' visits from a dynamic address do not use up the allowance.
    If Not passwordOk Then Application("SecurityCount") = Application("SecurityCount") + 1

    If (Application("SecurityCount") >= MAX_TRIES) Or (Not passwordOk) Then
        Application.Unlock
        Response.Redirect REDIRECT_TO   'Redirect ends the response; nothing below runs
    End If
    Application.Unlock
End Sub

Added_IP_check_security
%>
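To make the lockout behaviour described in point 2 easy to trace, here is an added model of the same gate in Python. It is not the poster's VBScript and not VP-ASP code; the addresses, password and timings are constructed placeholders. It goes slightly beyond the post in two ways: failures are counted per source address rather than in one shared counter (so one client's guesses cannot lock out the legitimate remote admin), and only a wrong or missing password is counted as a try, so successful visits never use up the allowance.

```python
"""Model of a remote-admin gate: fixed-IP allowlist, fallback password, and a
timed lockout after too many failures. Constructed illustration; not the
poster's VBScript and not VP-ASP code."""
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

ALLOWED_IP = "198.51.100.7"      # assumption: the office's fixed address (documentation range)
PASSWORD = "Emergency"           # assumption: placeholder fallback password
TIMEOUT = timedelta(minutes=3)   # a source's failure count resets after this long
MAX_TRIES = 4                    # failures allowed inside one window


@dataclass
class _Window:
    opened: datetime
    failures: int = 0


class AdminGate:
    def __init__(self, allowed_ip: str = ALLOWED_IP, password: str = PASSWORD,
                 timeout: timedelta = TIMEOUT, max_tries: int = MAX_TRIES) -> None:
        self.allowed_ip = allowed_ip
        self.password = password
        self.timeout = timeout
        self.max_tries = max_tries
        # one window per source address, so a noisy client cannot lock out another
        self._windows: Dict[str, _Window] = {}

    def check(self, remote_addr: str, supplied: Optional[str], now: datetime) -> str:
        """Return 'allow' or 'deny'; a caller denies by serving its 404 page."""
        if remote_addr == self.allowed_ip:
            return "allow"                      # fixed office address: no further checks

        win = self._windows.get(remote_addr)
        if win is None or now - win.opened >= self.timeout:
            win = _Window(opened=now)           # open (or reopen) this source's window
            self._windows[remote_addr] = win

        # constant-time comparison so the reject path does not leak how much matched
        ok = supplied is not None and hmac.compare_digest(
            supplied.encode(), self.password.encode())
        if not ok:
            win.failures += 1                   # only wrong/missing passwords count as tries

        if win.failures >= self.max_tries or not ok:
            return "deny"
        return "allow"


def demo() -> List[str]:
    """Constructed request sequence; returns the gate's decision for each request."""
    gate = AdminGate()
    t0 = datetime(2003, 7, 29, 4, 29)
    steps = [  # (source address, password supplied, minutes after t0)
        ("198.51.100.7", None, 0),         # office: no password needed
        ("203.0.113.9", "Emergency", 0),   # remote admin, right password
        ("203.0.113.9", "Emergency", 1),   # still fine: successes are not tries
        ("203.0.113.55", "guess1", 0),     # wrong passwords from another source
        ("203.0.113.55", "guess2", 0),
        ("203.0.113.55", "guess3", 1),
        ("203.0.113.55", "guess4", 1),     # fourth failure: this source is locked
        ("203.0.113.55", "Emergency", 2),  # right password still refused while locked
        ("203.0.113.9", "Emergency", 2),   # the honest remote admin is unaffected
        ("203.0.113.55", "Emergency", 3),  # window expired: allowed again
    ]
    return [gate.check(ip, pw, t0 + timedelta(minutes=m)) for ip, pw, m in steps]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The same per-source bookkeeping can be kept in the ASP Application object by keying the counter and timestamp on REMOTE_ADDR; the model above just keeps it in a dictionary so the sequence can be run without a web server.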

keng
VP-CART New User

152 Posts

Posted - July 13 2004 :  22:27:08
Thanks for sharing your knowledge!
