AbanteCart Community

Shopping Cart Operations => Security => Topic started by: ArcherData on October 11, 2016, 11:38:51 AM

Title: Access to admin directory is Error 403 Forbidden
Post by: ArcherData on October 11, 2016, 11:38:51 AM
My site has been in operation since August 28, 2016.  Orders have been processed and things have been great. No AbanteCart update has been applied since installation.

When I go to admin, I get an Error 403 Forbidden and I am returned to the storefront.

I have attached the pertinent logs, error messages, etc. since I cannot figure out what this system considers "external links."

In addition, there's an installation of WordPress in a subdirectory beside / store / with its own .htaccess which is not included here.
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: digitalt on October 11, 2016, 12:05:16 PM
This part:

When I go to:    http://www.gowiththefloprods.com/store/admin/

You set up a secret link to the admin area during install.  Look at system/config.php and the admin "folder" is defined here

define('ADMIN_PATH', 'xxxx_xxxx');

Replace admin with admin path like this and you should be able to get in:

http://www.gowiththefloprods.com/store/xxxx_xxxx/
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: ArcherData on October 11, 2016, 01:51:15 PM
I was so hoping it was something simple like this ... but it didn't work.  Is the admin folder supposed to also be renamed to match?
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: ArcherData on October 11, 2016, 02:12:28 PM
When I use the secret name in the URL, I get:  "The page you requested cannot be found" in the storefront.
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: digitalt on October 11, 2016, 02:18:05 PM
No. It's a security thing. Your admin URL should look something like this with the ADMIN_PATH being the last part with the X's:

http://www.gowiththefloprods.com/store/index.php?rt=index/login&s=xxxx_xxxx

It's a built in redirect.

Once you're in, check system-->settings-->store details to make sure your Store URL points to the correct URL  http://www.gowiththefloprods.com/store/


EDIT---> Take out the &s if you are not using SSL.
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: ArcherData on October 11, 2016, 02:44:29 PM
It works!

I must have missed the instructions on all of this.

Now ... my password is no longer good. Can I use phpMyAdmin to go in and MD5 my password in the user table's password field directly?  I have occasionally had to do this with WordPress installations that had problems.

You're a savior! Thank you for patiently sticking with me to get this sorted out.

You'll notice that some code was added to the store and admin .htaccess files per the Troubleshooting Guide.  Leave it or take it out?
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: digitalt on October 11, 2016, 02:57:08 PM
The password thing I'm not sure about because I am not that familiar with encryption. You didn't change UNIQUE_ID or ENCRYPTION_KEY did you?

As for the .htaccess file, all I have for storefront is as follows to block some bad IPs and handle SSL:


Code:
RewriteEngine on
AddHandler mod-rewrite mod_rewrite

<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 198.186.194.0/24
deny from 198.186.190.0/23
deny from 198.186.192.0/23
deny from 198.186.193.48/28
deny from 198.186.193.192/27
deny from 38.99.82.191
deny from 45.123.118.83
deny from 122.177.248.77
deny from 198.186.192.44
deny from 164.132.233.169

RewriteCond %{QUERY_STRING} s=(.*)  [NC]
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

And Admin is :

Code:
<Files *.php>
order allow,deny
deny from all
</Files>

Which really doesn't do anything.
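
An added example, not part of the post above and not AbanteCart's shipped configuration: the same two .htaccess files written in Apache 2.4 authorization syntax (mod_authz_core), with the HTTPS redirect condition anchored to the s parameter. Only three of the post's deny entries are repeated, and it assumes AllowOverride permits AuthConfig and FileInfo for these directories.

```apache
# --- Storefront .htaccess (Apache 2.4; Require replaces order/allow/deny) ---

# Keep the 403 error page readable, even for blocked clients.
<Files "403.shtml">
    Require all granted
</Files>

# Allow everyone except the listed sources. "Require not" is only valid
# inside <RequireAll> next to at least one positive rule.
<RequireAll>
    Require all granted
    Require not ip 198.186.194.0/24
    Require not ip 198.186.190.0/23
    Require not ip 38.99.82.191
    # ...remaining entries from the post follow the same pattern
</RequireAll>

RewriteEngine On
# Redirect to HTTPS only when the query string has a parameter named "s".
# The unanchored pattern s=(.*) also matches any parameter whose name merely
# ends in "s" (for example a hypothetical ?keywords=shoes).
RewriteCond %{HTTPS} !=on
RewriteCond %{QUERY_STRING} (^|&)s=[^&]+ [NC]
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

# --- admin/.htaccess (Apache 2.4 form of "deny from all" for PHP files) ---
<Files "*.php">
    Require all denied
</Files>
```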
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: ArcherData on October 11, 2016, 03:00:04 PM
I followed along and did a reset and all is good again, although I think I will remove the added .htaccess items I inserted from the Troubleshooting Guide.

Thanks again for your help.
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: digitalt on October 11, 2016, 03:02:55 PM
No problem.  Glad to help.
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: ArcherData on October 11, 2016, 03:14:10 PM
Do you know ...

•  Can I change the secret admin name at any time by editing config.php and updating the URL?
•  Is there a restriction on length?
•  Are special characters allowed?
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: digitalt on October 11, 2016, 03:24:50 PM
Do you know ...

•  Can I change the secret admin name at any time by editing config.php and updating the URL?
•  Is there a restriction on length?
•  Are special characters allowed?

1. Never tried it. Should work because the info is being called from config.php and it's an internal redirect to Admin.
2. Don't think there is a length restriction.
3. Not sure about special characters.  Try it.

Since all this can be controlled by the config.php file, you really can't break anything permanent.
Title: Re: Access to admin directory is Error 403 Forbidden
Post by: ArcherData on October 11, 2016, 03:38:55 PM
I will and will report back.  It might be useful information to know.

I checked ... it does not work. I reset everything back and it works.  I think I've fooled around enough for one day.