http://www.prestashop.com/


admin url : http://<ip>/admin456/

admin email (username) : admin@prestashop-turnkeylinux.org  admin@example.com

admin pass : admin123

customer url : http://<ip>


base : Turnkey LAMP Hardy  or Turnkey LAMP Lucid

Liraz Siri

Sorry for the late response! I was looking forward to reviewing this one as I've had my eye on Prestashop for some time now. This will make a great addition to the library. It's already one of the most popular ecommerce platforms, surpassed only by Magento according to Google Trends

Regarding the patch, a few comments:

  • We'll need to regenerate the COOKIE_KEY and COOKIE_IV in the settings file, otherwise certain attacks against the DB hashes become easier. I found a post on their forum that provides more information.
  • Could you explain the rationale behind moving the admin interface from admin/ to admin456/?
  • Is it true that special SSL support is not required in this patch because it's already taken care of by Basil's Lucid LAMP patch?

PS: I cleaned up this thread a bit. Hope you don't mind.

New patch attached. Made some modifications regarding cookies. Please check the script in overlay/usr/lib/live-installer.d

SSL support is already provided in LAMP Patch.

Prestashop insists on renaming the admin folder to something different.

Jeremy Davis

> Prestashop insists on renaming the admin folder to something different.

I assume that it is a security measure to make it just that little bit harder for the bad guys to locate the admin area and hence making abusing it that little bit harder? If that is the case then perhaps to maintain the intentions of the Prestashop devs this admin folder/location could be generated randomly, or set by the user during install (or first boot)? I know that would make the patch a little more complex but it could be a nice touch. I don't know, perhaps it's more trouble than it's worth?

Adding

mv /var/www/admin /var/www/admin$(mcookie)

in the script in overlay/usr/lib/live-installer.d and commenting this line

mv admin/ admin456

in conf will do that. But users need to inspect the /var/www/ folder to get the admin-login url.

Should I add it in the patch?
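To make the two points raised in this thread concrete (regenerating the cookie secrets Liraz mentioned, and randomising the admin directory at first boot so the user is told the URL rather than having to inspect /var/www), here is an added example of what such a live-installer.d hook could look like. It is not the patch attached to this thread; it assumes the PrestaShop 1.x layout where config/settings.inc.php carries define('_COOKIE_KEY_', '...') and define('_COOKIE_IV_', '...') lines, and the 56/8 character lengths are also an assumption.

```shell
#!/bin/sh
# Added example (not the patch from this thread): a first-boot hook in the
# spirit of overlay/usr/lib/live-installer.d. It regenerates the PrestaShop
# cookie secrets so the appliance does not ship build-time values, then moves
# the admin directory to a random name and prints it so the installer can show
# the admin URL. Assumed layout: config/settings.inc.php with define() lines.
set -eu

# Print $1 random characters drawn from [A-Za-z0-9].
random_token() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# Replace the value in a define('NAME', '...') line: set_php_define FILE NAME VALUE
set_php_define() {
    sed -i "s|define('$2',[[:space:]]*'[^']*')|define('$2', '$3')|" "$1"
}

# Read the value of a define('NAME', '...') line: get_php_define FILE NAME
get_php_define() {
    sed -n "s|.*define('$2',[[:space:]]*'\([^']*\)').*|\1|p" "$1"
}

# Regenerate both cookie secrets in place (56-char key, 8-char IV assumed).
regen_cookie_secrets() {
    set_php_define "$1" _COOKIE_KEY_ "$(random_token 56)"
    set_php_define "$1" _COOKIE_IV_ "$(random_token 8)"
}

# Rename WEBROOT/admin to WEBROOT/admin<random>; print the new directory name.
randomize_admin_dir() {
    new="admin$(random_token 12)"
    mv "$1/admin" "$1/$new"
    printf '%s\n' "$new"
}

# Constructed stand-in for a shipped settings file, used only for the demo.
write_sample_settings() {
    printf "<?php\ndefine('_COOKIE_KEY_', 'buildtimekey');\ndefine('_COOKIE_IV_', 'buildiv1');\n" >"$1"
}

# Demo on a throwaway tree; on the appliance WEBROOT would be /var/www.
if [ "${1:-}" = "--demo" ]; then
    root=$(mktemp -d); mkdir "$root/admin" "$root/config"
    write_sample_settings "$root/config/settings.inc.php"
    regen_cookie_secrets "$root/config/settings.inc.php"
    echo "admin url : http://<ip>/$(randomize_admin_dir "$root")/"
fi
```

Run with --demo to see it operate on a temporary tree; a real hook would point it at /var/www and record the printed directory name in the first-boot summary.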

Jeremy Davis

I was just throwing ideas around. Perhaps wait for Liraz or Alon and see what they think.

Liraz Siri

Forcing the URL of the admin interface to be something different is security by obscurity. Setting the /admin URL to something truly random on first boot is a good way to guarantee nobody will find it.

This is the first time I've heard of a webapp forcing you to change URLs for "security". IMHO, it's terribly misguided. This is what the authentication credentials are for (e.g., username/password)!

I propose we set the admin URL to something predictable like /prestadmin.

Jeremy Davis

I am well aware that security by obscurity is certainly not an adequate defense against the bad guys. But I guess I was thinking that as an added security measure it may be of some value (especially seeing as the devs are encouraging it). By my understanding that remains the main rationale behind Ubuntu disabling the root account by default (hackers need to discover username as well as password before gaining entry). But I suppose by enabling and using the root account by default in TKL appliances, you guys demonstrate the value you see in the notion!

We again come back to the reality that all decisions like this are tradeoffs. In this instance it's usability and user friendliness vs security by obscurity. I have nowhere near the experience or technical skills required to make the judgement so I am more than happy to defer to those that do - Liraz! :)

BTW the requirement to change admin location as added security was pure speculation by me. I didn't read it anywhere and no one said it (that I know of). I just jumped to that conclusion because that's the only reason I could think of. So perhaps there is some other (legitimate) reason why they want you to do that? But I can't imagine what!?

Jeremy Davis

They have a todo list a mile long so unless there is a pressing need to update the Prestashop component of the appliance I doubt it will be a priority. But there is nothing to stop you from updating it yourself. In fact you could have a play with updating to the RC to see if there are any gotchas (I'd just do it in a VM so you can easily rinse & repeat to double check your process). Other users may also be interested so it'd be great if you could document the process (that is if you choose to do that).
