I'm trying to remove all references (images, header, footer) to AbleCommerce on the admin login page. I'm doing this so it doesn't make it so easy for malicious users to identify what ecommerce platform we are using.
I tried creating a master page specifically for the login page... I removed all theme references and even changed the code-behind to inherit only from Page... but still, when I view the page source in a browser, there are references to AbleCommerceAdmin CSS files.
How can I get rid of those CSS references?
Thanks
Admin Login Page and Malicious Users
- Lieutenant (LT)
- Posts: 70
- Joined: Fri Jan 15, 2010 8:17 am
Last edited by michael.p.larsen on Wed Apr 07, 2010 9:03 am, edited 1 time in total.
Re: Login Page and Malicious Users
Okay, rather than renaming the AbleCommerceAdmin theme and potentially tearing the fabric of the universe apart, I decided to create an HTTP Module that removes all the content from the HEAD of the login page... thus removing all references to AbleCommerceAdmin.
Here is the module, called LoginRequest.cs in the App_Code folder:
Code:
    using System;
    using System.Web;
    using System.Web.UI;

    // HttpModule that empties the <head runat="server"> of the admin login page, so the
    // rendered HTML carries no AbleCommerceAdmin theme or CSS references.
    public class LoginRequest : IHttpModule
    {
        private HttpApplication _app;

        void IHttpModule.Dispose()
        {
            // Nothing to dispose
        }

        public void Init(HttpApplication application)
        {
            _app = application;
            // The handler (the Page) is only known once the request has been mapped.
            application.PostMapRequestHandler += new EventHandler(OnPostMapRequestHandler);
        }

        private void OnPostMapRequestHandler(Object source, EventArgs e)
        {
            Page pageHandler = _app.Context.Handler as Page;
            if (pageHandler != null)
            {
                AddEventsToPage(pageHandler);
            }
        }

        private void AddEventsToPage(Page pageHandler)
        {
            // LoadComplete fires after the theme and master page have filled the header.
            pageHandler.LoadComplete += new EventHandler(LoadComplete);
        }

        private void LoadComplete(Object sender, EventArgs e)
        {
            // Match on the request path (RawUrl would include the query string, so any
            // page could be matched via ?x=Login.aspx) and ignore case, since IIS serves
            // /admin/login.aspx and /Admin/Login.aspx as the same page.
            if (_app.Request.Path.EndsWith("/Admin/Login.aspx", StringComparison.OrdinalIgnoreCase))
            {
                Page page = (Page)sender;
                // Header is null unless the master page declares <head runat="server">.
                if (page.Header != null)
                {
                    page.Header.Controls.Clear();
                    page.Header.InnerHtml = "";
                }
            }
        }
    }
Then, I added a reference to it in the HTTP Modules section of the Web.Config:
Code:
    <!-- system.webServer/modules; LoginRequest needs no assembly name because it lives in App_Code -->
    <modules>
        <add name="ScriptModule" preCondition="integratedMode" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
        <add name="AbleCommerceHttpModule" type="CommerceBuilder.Services.AbleCommerceHttpModule, CommerceBuilder.Services" preCondition="managedHandler"/>
        <add name="LoginRequest" type="LoginRequest"/>
    </modules>
I then created a master page for the Login.
Here is the meat of the Login.master:
Code:
    <%@ Master Language="C#" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <%-- head must be runat="server" so the LoginRequest module can clear it --%>
    <head runat="server">
        <title>Login</title>
    </head>
    <body onload="initAjaxProgress();">
        <form id="form1" runat="server">
            <ajax:ScriptManager ID="ScriptManager1" runat="server" EnablePartialRendering="true" AsyncPostBackTimeOut="600" />
            <ajax:UpdateProgress ID="UpdateProgress1" runat="server" DisplayAfter="1000">
                <ProgressTemplate>
                    <div id="ajaxProgressBg"></div>
                    <div id="ajaxProgress"></div>
                </ProgressTemplate>
            </ajax:UpdateProgress>
            <asp:contentplaceholder ID="MainContent" runat="server">
            </asp:contentplaceholder>
        </form>
    </body>
    </html>
Then, in the Login.aspx page, I changed the first line to reference this master page:
Code:
    <%@ Page Language="C#" MasterPageFile="~/Admin/Login.master" CodeFile="Login.aspx.cs" Inherits="Admin_Login" Title="Login" %>
The result? The admin login page looks very plain... no reference to AbleCommerce.
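A post-deployment check, added here as an example and not code from this thread or from AbleCommerce: it scans a captured copy of the login page's HTML and its response headers for platform markers, which is the quickest way to confirm the module really removed every reference. The marker lists, the sample HTML (including the admin.css file name) and the header values are constructed for the example; the header names are ASP.NET and IIS defaults that a HEAD-stripping module never touches, so the check also shows what the module alone leaves behind.

```csharp
using System;
using System.Collections.Generic;

// Added example: checks a captured login-page response for platform markers.
public static class FingerprintCheck
{
    // Strings that identify the platform in HTML; "CommerceBuilder" is the assembly
    // namespace visible in this thread's Web.config, so it counts as a marker too.
    static readonly string[] BodyMarkers = { "AbleCommerceAdmin", "AbleCommerce", "CommerceBuilder" };

    // Headers the runtime and IIS add on their own; the HEAD-stripping module
    // never touches these, so they are reported separately.
    static readonly string[] HeaderMarkers = { "X-AspNet-Version", "X-Powered-By", "Server" };

    public static List<string> Find(string html, IDictionary<string, string> headers)
    {
        List<string> findings = new List<string>();

        foreach (string rawLine in html.Split('\n'))
        {
            string line = rawLine.Trim();
            foreach (string marker in BodyMarkers)
            {
                // Case-insensitive: IIS serves /App_Themes/AbleCommerceAdmin/ and
                // /app_themes/ablecommerceadmin/ alike. One finding per line.
                if (line.IndexOf(marker, StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    findings.Add("html: " + line);
                    break;
                }
            }
        }

        foreach (string name in HeaderMarkers)
        {
            string value;
            if (headers.TryGetValue(name, out value))
                findings.Add("header: " + name + ": " + value);
        }
        return findings;
    }

    static void Report(string label, List<string> findings)
    {
        Console.WriteLine(label + ": " + (findings.Count == 0 ? "clean" : findings.Count + " marker(s)"));
        foreach (string f in findings)
            Console.WriteLine("  " + f);
    }

    static void Main()
    {
        // Constructed samples: the shape of a stock page's HEAD (the CSS references the
        // original poster saw in "view source") and of the page after the module runs.
        string stock =
            "<head>\n" +
            "<link rel=\"stylesheet\" href=\"/App_Themes/AbleCommerceAdmin/admin.css\" />\n" +
            "<title>AbleCommerce Admin Login</title>\n" +
            "</head>\n" +
            "<body>...</body>";
        string stripped = "<head></head>\n<body>...</body>";

        // Constructed header values; X-AspNet-Version is what the runtime sends by default.
        IDictionary<string, string> headers =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                { "Content-Type", "text/html; charset=utf-8" },
                { "X-AspNet-Version", "2.0.50727" }
            };

        Report("stock page", Find(stock, headers));
        Report("stripped page", Find(stripped, headers));
    }
}
```

Feed it the page source and headers of a real response (for example from `curl -i https://www.yoursite.com/Admin/Login.aspx`, with your own host in place of the placeholder). The stripped page still reports X-AspNet-Version, because that header is set by the runtime rather than by the page; `<httpRuntime enableVersionHeader="false" />` in Web.config turns it off, and X-Powered-By is removed under the site's HTTP Response Headers in IIS Manager.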
- igavemybest
- Captain (CAPT)
- Posts: 388
- Joined: Sun Apr 06, 2008 5:47 pm
Re: Admin Login Page and Malicious Users
Another way would be a simple URL rewrite so that no one can even access /admin, so if they just typed "www.yoursite.com/admin" they would get a 404 error unless they typed "www.yoursite.com/admin?yoursuffixhere". I guess that is only practical if it would be you using it, though, and not for a client.
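One way to implement the suffix idea without the IIS URL Rewrite module, added here as an example and not code from this thread: an HttpModule, registered in the same `<modules>` section as LoginRequest, that answers 404 for anything under /Admin unless the request carries the suffix. It goes one step beyond the suggestion by setting a cookie after a good suffix, so that admin pages reached after login, which never carry the suffix, still work. The names are assumptions: the appSettings key AdminPathToken, the query parameter gate and the cookie admin_gate. The suffix is a shared secret that ends up in browser history, proxy logs and Referer headers, so it hides the admin area from casual discovery; the login page behind it still does the actual authentication.

```csharp
using System;
using System.Configuration;
using System.Web;

// Added example: answers 404 for the /Admin area unless the request presents the
// configured suffix (?gate=<token>) or the cookie set after a request that did.
public class AdminPathGate : IHttpModule
{
    const string QueryKey = "gate";          // hypothetical: /Admin?gate=<token>
    const string CookieName = "admin_gate";  // hypothetical cookie name

    // Hypothetical Web.config key: <appSettings><add key="AdminPathToken" value="..."/></appSettings>
    // Use a long random value; it is compared as an opaque string.
    static readonly string Token = ConfigurationManager.AppSettings["AdminPathToken"];

    public void Init(HttpApplication application)
    {
        // BeginRequest runs before any handler, so static files under /Admin are gated too.
        application.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose()
    {
        // Nothing to dispose
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;
        if (!IsAdminPath(req.Path))
            return;

        if (TokenMatches(req.QueryString[QueryKey]))
        {
            // Remember a good suffix so later admin pages, which never carry it, pass.
            // The cookie path is left at its default "/" on purpose: browsers match
            // cookie paths case-sensitively, but IIS serves /admin and /Admin alike.
            HttpCookie cookie = new HttpCookie(CookieName, Token);
            cookie.HttpOnly = true;
            cookie.Secure = req.IsSecureConnection;
            ctx.Response.Cookies.Add(cookie);
            return;
        }

        HttpCookie presented = req.Cookies[CookieName];
        if (presented != null && TokenMatches(presented.Value))
            return;

        // Look like a missing page: no body and no redirect to the login form.
        ctx.Response.StatusCode = 404;
        ctx.Response.SuppressContent = true;
        ctx.ApplicationInstance.CompleteRequest();
    }

    public static bool IsAdminPath(string path)
    {
        return path.Equals("/Admin", StringComparison.OrdinalIgnoreCase)
            || path.StartsWith("/Admin/", StringComparison.OrdinalIgnoreCase);
    }

    // Fails closed: an unset token blocks the whole admin area instead of opening it.
    public static bool TokenMatches(string presented)
    {
        return !string.IsNullOrEmpty(Token) && presented == Token;
    }
}
```

Register it with `<add name="AdminPathGate" type="AdminPathGate"/>` next to the LoginRequest entry and set the token in appSettings before deploying; with the token unset every request to /Admin is a 404, which is the safe default. Because the cookie is only marked Secure on HTTPS requests, serve the admin area over HTTPS so neither the suffix nor the cookie travels in the clear.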