There are known security exploits that can affect your Hotcakes installation, whereby an attacker can create a superuser account and reset or change nearly any configuration option they like. In most of those known cases, the attackers have also uploaded files and altered the site so that it "phishes" your unsuspecting customers.
The following prerequisites will be necessary to accomplish the goals of this article:
- Have access to your Hotcakes file system
When the solution is first installed, your file system will still have an "Install" folder with several files and folders in it. These files can be used in the future for valid use cases, but until you find a need for that, you should take the measures outlined below.
Prevent Exploitation of Installation Files
These manual steps are no longer necessary if you're using Hotcakes Commerce version 2.0.1 or newer.
Also, if you're a Cloud customer, these steps have already been performed on your behalf.
When your site is first installed, you'll have an "Install" folder at the root level of your website directory, as shown below. You can either log directly into your server or use FTP to look at the file system.
Once you go into the Install folder, you'll see a view like the example below. There are 3 files, plus their related code-behind files, that can be exploited through this security flaw.
Each of the highlighted files will need to be either removed or renamed to prevent anyone from requesting them directly. We suggest renaming them with an extension that ASP.NET already refuses to serve, so the files stay on disk for later use but can no longer be opened in a browser. In the example below, you'll see that we simply appended the .resources file extension to the end of each file name; ASP.NET maps .resources files to its forbidden handler, so a direct request for them is rejected.
If your Install folder files look like the example below, you're done. This exploit is prevented.
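A PowerShell version of the renaming step above, added here as an example rather than taken from the article. It assumes the site's physical path is passed in and that the files to protect are the .aspx/.ascx pages and their .cs/.vb code-behind files directly inside Install; run it from an elevated prompt on the web server.

```powershell
# Added example (not from the Hotcakes article): appends ".resources" to the web-facing
# files in the site's Install folder so ASP.NET's forbidden handler rejects direct requests.
# Assumptions: $SiteRoot is the physical path of the website; the files to protect are the
# .aspx/.ascx pages and their .cs/.vb code-behind files directly inside Install.
function Protect-InstallFolder {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SiteRoot
    )

    $installDir = Join-Path -Path $SiteRoot -ChildPath 'Install'
    if (-not (Test-Path -LiteralPath $installDir -PathType Container)) {
        throw "Install folder not found under '$SiteRoot'."
    }

    # Pages and their code-behind files. A name already ending in .resources no longer
    # matches, so running the function a second time changes nothing.
    $pattern = '\.(aspx|ascx)(\.(cs|vb))?$'
    $targets = Get-ChildItem -LiteralPath $installDir -File |
               Where-Object { $_.Name -match $pattern }

    $renamed = foreach ($file in $targets) {
        $newName = $file.Name + '.resources'
        if ($PSCmdlet.ShouldProcess($file.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $file.FullName -NewName $newName
            [pscustomobject]@{ Original = $file.Name; Renamed = $newName }
        }
    }

    # Verify: nothing directly requestable should be left in the folder (skipped under -WhatIf).
    $remaining = Get-ChildItem -LiteralPath $installDir -File |
                 Where-Object { $_.Name -match $pattern }
    if ($remaining -and -not $WhatIfPreference) {
        Write-Warning ("Still exposed in ${installDir}: " + ($remaining.Name -join ', '))
    }
    return $renamed
}

# Preview first, then apply. The site path is an assumed example, not a Hotcakes default.
Protect-InstallFolder -SiteRoot 'C:\inetpub\wwwroot\MyStore' -WhatIf
Protect-InstallFolder -SiteRoot 'C:\inetpub\wwwroot\MyStore' | Format-Table -AutoSize
```

After it runs, browsing to one of the original page URLs should return an error page instead of the installer, which is the same end state the screenshots above describe.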