X-Cart forums

[shan]

The main point is to set correct file permissions.

First make sure that you changed back permissions that you set during the installation:

chmod 777 .
chmod 666 config.php

Also make sure that your php scripts have 0644 permissions and directories have 0755 except for some special directories like: admin/newsletter and templates_c.

Make sure that SQL connections are allowed only from the local machine.

Protect script install.php with new Auth code or delete it completely.

For extra security you may want to disable trans_sid PHP feature.

Try to access your admin interface only via HTTPS protocol (start your URL with https://)

Do not keep any unnecessary files in your web drectory (for example X-cart distribution archive).

Forbid directory listing in your web server, so no one can browse through your script directories.

Thats all I can remember at the moment.

This information came direct from the Xcart team

[shan]

As an update to the previous post here is what permissions you should have your files and folders.

LIVE SITE

.php - 644
.tpl - 644
.pl - 755
.sh - 755
VERSION - 644

DEVELOPMENT SITE / UPGRADING

.php - 666
.tpl - 666
.pl - 777
.sh - 777
VERSION - 666

FOLDERS

templates_c - always 777
catalog - 777 - (to be able to write catalog and then 755 once catalog has been written)
files - 777 - (to be able to write to the folder / upload pics etc)
log - 777


install.php must be deleted or renamed on a live site
also remove any tar files that are no longer needed.

You can also use .htaccess files to protect certain directories for extra security on a live site

I think thats about it ...

[shan]

as an additional note

you should only have execuatable files (.pl, .sh) set to 777 if they wont patch when set to 666 or 755 and only have them set like that while doing an upgrade etc.

in normal operation, even if your site is not live keep executable files set to 755

[sanj-xcart]

Hi,

I recently asked X-Cart tech support for a complete and definitive list of file permissions for a live X-Cart store. This is the response below.

Quote:

All x-cart files should have 644 permissions and folders should have 755 permissions, apart from the exceptions below.

Exceptions

The following folders and all files in them should have 777 permissions:

.pgp
catalog
files
log
skin1
templates_c

How to set Permissions

If you have SSH access to your x-cart, you should run the following shell commands in order to set correct file permissions:

cd [xcart root directory]
find . -type d | xargs chmod 755
find . -type f | xargs chmod 644
chmod -R 777 .pgp catalog files log skin1 templates_c

If you are not going to edit x-cart templates with the Edit Templates page of X-Cart Admin Area or via Webmaster Mode, you may grant 755 permissions to the skin1 folder and 644 for all files in it.

If you not going to use HTML catalog feature, set file permission on the catalog folder to 755, and any files within to 644.

If your hosting provider uses suexec PHP binary (where all files are executed under your hosting account name and not as web user), then you should use the following commands:

cd [xcart root directory]
find . -type d | xargs chmod 750
find . -type f | xargs chmod 640

Hope this is useful to you.

sanj

[balinor]

Also covered here:

http://forum.x-cart.com/viewtopic.php?p=121255