Admin Login Page and Malicious Users

Posted: Tue Apr 06, 2010 3:36 pm
by michael.p.larsen
I'm trying to remove all references (images, header, footer) to AbleCommerce on the admin login page. I'm doing this so it doesn't make it so easy for malicious users to identify what ecommerce platform we are using.
I tried creating a masterpage specifically for the login page... I removed all theme references and even changed the code behind to inherit only from Page... but still, when I view the page source in a browser, there are references to AbleCommerceAdmin CSS files.

How can I get rid of those CSS references?

Thanks

Re: Login Page and Malicious Users

Posted: Wed Apr 07, 2010 8:51 am
by michael.p.larsen
Okay, rather than renaming the AbleCommerceAdmin theme and potentially tearing the fabric of the universe apart, I decided to create a HTTP Module that removes all the content from the HEAD of the login page... thus removing all references to AbleCommerceAdmin.

Here is the module, called LoginRequest.cs in the App_Code folder:

using System;
using System.Web;
using System.Web.UI;

// HTTP module that empties the <head runat="server"> of the admin Login page
// so that no theme CSS/script references for AbleCommerceAdmin are rendered.
public class LoginRequest : IHttpModule
{
    private HttpApplication _app;

    public void Dispose()
    {
        // Nothing to dispose.
    }

    public void Init(HttpApplication application)
    {
        _app = application;
        application.PostMapRequestHandler += new EventHandler(OnPostMapRequestHandler);
    }

    private void OnPostMapRequestHandler(object source, EventArgs e)
    {
        // Only Page handlers expose LoadComplete; static files and services are skipped.
        Page page = _app.Context.Handler as Page;
        if (page != null)
        {
            AddEventsToPage(page);
        }
    }

    private void AddEventsToPage(Page pageHandler)
    {
        pageHandler.LoadComplete += new EventHandler(LoadComplete);
    }

    private void LoadComplete(object sender, EventArgs e)
    {
        // Match regardless of URL casing; note that any URL containing "Login.aspx" matches.
        // Header is null on pages without <head runat="server">, so guard against that.
        Page page = (Page)sender;
        if (page.Header != null &&
            _app.Request.RawUrl.IndexOf("Login.aspx", StringComparison.OrdinalIgnoreCase) >= 0)
        {
            page.Header.Controls.Clear();
            page.Header.InnerHtml = "";
        }
    }
}
Then, I added a reference to it in the HTTP Modules section of the Web.Config:

<modules>
     <add name="ScriptModule" preCondition="integratedMode" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
     <add name="AbleCommerceHttpModule" type="CommerceBuilder.Services.AbleCommerceHttpModule, CommerceBuilder.Services" preCondition="managedHandler"/>
     <add name="LoginRequest" type="LoginRequest"/>
</modules>
I then created a master page for the Login.
Here is the meat of the Login.master:

<body onLoad="initAjaxProgress();">
    <form id="form1" runat="server">
        <ajax:ScriptManager ID="ScriptManager1" runat="server" EnablePartialRendering="true" AsyncPostBackTimeOut="600" />
        <ajax:UpdateProgress ID="UpdateProgress1" runat="server" DisplayAfter="1000">
            <ProgressTemplate>
                <div id="ajaxProgressBg"></div>
                <div id="ajaxProgress"></div>
            </ProgressTemplate>
        </ajax:UpdateProgress>
        <asp:contentplaceholder ID="MainContent" runat="server">
        </asp:contentplaceholder>
    </form>
</body>
Then, in the Login.aspx page, I changed the first line to reference this master page:

<%@ Page Language="C#" MasterPageFile="~/Admin/Login.master" CodeFile="Login.aspx.cs" Inherits="Admin_Login" Title="Login" %>
The result? The admin login page looks very plain... no reference to AbleCommerce.
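One way to verify the result (added here as an example; it is not code from this thread or from AbleCommerce): scan the HTML the login page serves for attribute values that still reference the platform. The marker strings, theme paths and sample pages below are constructed for the example, and it deliberately scans the body as well as the head, since the module above only clears the head.

```python
from html.parser import HTMLParser

# Added example, not from the thread: attribute values to inspect for
# leftover platform references (markers and sample HTML are constructed).
_REF_ATTRS = {"link": "href", "script": "src", "img": "src", "meta": "content"}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for each reference-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = _REF_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.refs.append((tag, name, value))


def find_platform_references(html, markers=("AbleCommerce", "CommerceBuilder")):
    """Return references whose value contains any marker, case-insensitively.
    Only attribute values are checked; inline CSS/JS text is not inspected."""
    parser = _RefCollector()
    parser.feed(html)
    lowered = tuple(m.lower() for m in markers)
    return [r for r in parser.refs if any(m in r[2].lower() for m in lowered)]


# Constructed sample: login page before the module strips the head.
BEFORE = """<html><head>
<link rel="stylesheet" href="/App_Themes/AbleCommerceAdmin/main.css" />
<script src="/Scripts/ablecommerce.js"></script>
</head><body><img src="/App_Themes/AbleCommerceAdmin/images/logo.gif" />
<form action="Login.aspx"></form></body></html>"""

# Constructed sample: head cleared by the module, body left untouched.
AFTER = """<html><head></head><body>
<img src="/App_Themes/AbleCommerceAdmin/images/logo.gif" />
<form action="Login.aspx"></form></body></html>"""

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, find_platform_references(doc))  # 'after' still lists the logo
```

Run it against the saved page source rather than the samples to confirm that images, footers and other body content no longer name the platform.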

Re: Admin Login Page and Malicious Users

Posted: Wed Apr 07, 2010 8:44 pm
by igavemybest
Another way would be a simple URL rewrite so that no one can even access /admin: if they just typed "www.yoursite.com/admin" they would get a 404 error unless they typed "www.yoursite.com/admin?yoursuffixhere". I guess that is only practical if it would be you using it, though, and not for a client.