TurnKey Linux Virtual Appliance Library

Appliance created : PrestaShop

Basil Kurian

http://www.prestashop.com/


admin url : http://<ip>/admin456/

admin email (username) : admin@prestashop-turnkeylinux.org  admin@example.com

admin pass : admin123

customer url : http://<ip>


base : Turnkey LAMP Hardy  or Turnkey LAMP Lucid

Liraz Siri

Prestashop is a rising ecommerce star

Sorry for the late response! I was looking forward to reviewing this one as I've had my eye on Prestashop for some time now. This will make a great addition to the library. It's already one of the most popular ecommerce platforms, surpassed only by Magento according to Google Trends

Regarding the patch, a few comments:

  • We'll need to regenerate the COOKIE_KEY and COOKIE_IV in the settings file, otherwise certain attacks against the DB hashes become easier. I found a post on their forum that provides more information.
  • Could you explain the rationale behind moving the admin interface from admin/ to admin456/?
  • Is it true that special SSL support is not required in this patch because it's already taken care of by Basil's Lucid LAMP patch?

PS: I cleaned up this thread a bit. Hope you don't mind.

Basil Kurian

Made some modifications

New patch attached. Made some modifications regarding the cookie. Please check the script in overlay/usr/lib/live-installer.d

SSL support is already provided in LAMP Patch.

Prestashop insists on renaming the admin folder to something different.


Jeremy

Is admin folder/location renamed for added security?

Prestashop insists on renaming the admin folder to something different.

I assume that it is a security measure to make it just that little bit harder for the bad guys to locate the admin area and hence making abusing it that little bit harder? If that is the case then perhaps to maintain the intentions of the Prestashop devs this admin folder/location could be generated randomly, or set by the user during install (or first boot)? I know that would make the patch a little more complex but it could be a nice touch. I don't know, perhaps its more trouble than its worth?

Basil Kurian

Workaround

Adding

mv /var/www/admin /var/www/admin$(mcookie)

in the script in overlay/usr/lib/live-installer.d and commenting this line

mv admin/ admin456

in conf will do that. But users need to inspect the /var/www/ folder to get the admin-login URL.


Basil Kurian

.

Should I add it in the patch?


Jeremy

I don't know Basil

I was just throwing ideas around. Perhaps wait for Liraz or Alon and see what they think.

Liraz Siri

No. Admin URL should be predictable

Forcing the URL of the admin interface to be something different is security by obscurity. Setting the /admin URL to something truly random on first boot is a good way to guarantee nobody will find it.

This is the first time I've heard of a webapp forcing you to change URLs for "security". IMHO, it's terribly misguided. This is what the authentication credentials are for (e.g., username/password)!

I propose we set the admin URL to something predictable like /prestadmin.

Jeremy

Cool - just chucking my (probably misguided) 2c in the ring :)

I am well aware that security by obscurity is certainly not an adequate defense against the bad guys. But I guess I was thinking that as an added security measure it may be of some value (especially seeing as the devs are encouraging it). By my understanding that remains the main rationale behind Ubuntu disabling the root account by default (hackers need to discover the username as well as the password before gaining entry). But I suppose by enabling and using the root account by default in TKL appliances, you guys demonstrate the value you see in the notion!

We again come back to the reality that all decisions like this are tradeoffs. In this instance it's usability and user friendliness vs security by obscurity. I have nowhere near the experience or technical skills required to make the judgement so I am more than happy to defer to those that do - Liraz! :)

BTW the requirement to change admin location as added security was pure speculation by me. I didn't read it anywhere and no one said it (that I know of). I just jumped to that conclusion because that's the only reason I could think of. So perhaps there is some other (legitimate) reason why they want you to do that? But I can't imagine what!?

Prestashop 1.4 integration

I love the Prestashop appliance. Awesome work guys!

As of 2/17/2011 Prestashop is in RC4 and says they will be releasing the final version in a few weeks.

I am excited about the new features. About how long does the integration of updates like this take to make them part of the Appliance packages?

I'd love to be able to install the appliance, upload my theme changes and graphics, import my product data and go live with Prestashop 1.4.

Thanks again for the great work!

Jeremy

Unless there are security fixes I doubt TKL devs will be rushing

They have a todo list a mile long so unless there is a pressing need to update the Prestashop component of the appliance I doubt it will be a priority. But there is nothing to stop you from updating it yourself. In fact you could have a play with updating to the RC to see if there are any gotchas (I'd just do it in a VM so you can easily rinse & repeat to double check your process). Other users may also be interested so it'd be great if you could document the process (that is if you choose to do that).
