Administrator Help - RC v3.3
 Chapter - 1.0 Initial Configurations

Security Considerations

When you run the initial setup, most settings are already set. There are, however, a few options, settings and configurations you may need to adjust to finalize the personalization of your classified site. You can easily tell whether you are logged in as admin by the indicator in the top-right corner, which links to the Admin tasks.

But before you start site configuration, make sure to consider the following:

  • Always delete the following pages from the classified installation before going live:
    !setup.asp, !setup_database.asp.

  • When you have finished board configuration (or even before that), remove the "Admin" link from the navigation bar, rename the Admin Logon page and bookmark the new page in your browser so you can still reach the admin section easily. Renaming only hides the page; it does not replace a strong Admin ID and password (see below). Do the following:
    - Open config/config.asp in an editor.
    - Change the value of the adminPage variable to a name that cannot be guessed. For instance: [adminPage = "foobar_area"]
    - Rename the physical admin_logon.asp page to foobar_area.asp, so that the file name matches the adminPage value.
    - Set [showAdminLink = False] in config/config.asp (this removes the "Admin" link from the top navigation menu; it may be done at any time, but make sure it is set before opening your board to clients).
    - Manually navigate to foobar_area.asp in your browser and create a bookmark for this page.

    Note: The other setting, "Display admin menu on all administration pages", only switches the drop-down menu on or off and does not affect security. If you do not want it, set [showAdminMenu = False] in config/config.asp.

  • The Content Management page and Conversion Tools require an additional logon. The initial security code for the Content Management page and Conversion Tools is "admin". Make sure to change it: open the config/secure_content.asp page in any text editor and set a new password. Also go to the Miscellaneous Configs admin page and change the "CAPTCHA Encode Key", which is used to encode the sessions of the CAPTCHA (turning number) generator on the classified; it should not be left at the value shipped with the installation.

  • Change the Admin ID and password on the "Admin Preferences" page: type the new ID and password in the [Reset Admin ID and Password] section and click the [Submit] button.
    While on the "Admin Preferences" page, select the [Enable Turning Number] check box to enable the turning number (users must type a 6 digit number during registration and ad posting, which prevents automated registration and ad posting).

  • In addition, you may select the [Enable Secure Logon] check box on the "Admin Preferences" page. With Secure Logon the password is posted to the server MD5 hashed and/or RSA encrypted with a randomly generated seed/key sent by the server. This only protects the password itself on the wire; it is not a substitute for serving the board over HTTPS, which also protects the session after logon.
    Note: For Secure Logon to work properly, it is advisable to use English (ASCII) characters for the Admin ID/password and for user passwords. If your board runs in a language other than English and you use Secure Logon, advise your clients to use English passwords, or test thoroughly that it functions properly under your character set.
    After you enable Secure Logon, never set your Admin ID or password to empty values, or you will not be able to log on any more.

  • When the classified is running with an MS Access database (or with a SQL database that is frequently backed up with Conversion Tools to an MS Access file), it is strongly recommended to prevent site visitors from downloading the db/cldb.mdb database file. Some web hosting providers have solutions in place that forbid browser access to .mdb files. To test, try to download the database in a browser:

    http://www.your_site.com/db/cldb.mdb

    If you receive an "Access denied" or "Forbidden" message, the MS Access database is protected. If the browser offers to save the file, anyone can take a copy of your entire database, including user accounts and their credentials, and you must apply one of the measures below before going live.
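The following script is an added example for this page (it is not part of the Rapid Classified help or product code). It automates the browser test above and also probes the setup pages and the original admin logon page that the earlier checklist items say to delete or rename. The file names come from this page; the site URL is a placeholder, and the verdict rules (403 and 404 count as blocked, 200 is flagged, anything else is left for manual review) are this example's own assumptions.

```python
"""Probe a live Rapid Classified site for files that the go-live checklist
says must be deleted, renamed or made unreachable.

Added example for this help page; it is not part of the product. It sends
one GET per path, does not follow redirects, and reports a verdict per path.
"""
import sys
import urllib.error
import urllib.request

# File names taken from the checklist on this page.  admin_logon.asp is
# probed under its ORIGINAL name: after renaming it, the old name must not
# answer any more.  Your renamed page is not probed because only you know it.
SENSITIVE_PATHS = (
    "!setup.asp",
    "!setup_database.asp",
    "admin_logon.asp",
    "db/cldb.mdb",
)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report a 3xx as an error instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_status(url, timeout=10):
    """Return the HTTP status code for url (redirects are not followed)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code          # 3xx/4xx/5xx all arrive here


def verdict(status):
    """Assumed rule set: only 403 and 404 count as blocked.

    200 means the server handed the file out.  Anything else (a redirect
    to a custom error page, a 500 from a broken handler) is left for a
    human to look at rather than silently marked safe.
    """
    if status in (403, 404):
        return "blocked"
    if status == 200:
        return "EXPOSED"
    return "check manually (HTTP %d)" % status


def check_site(base_url, paths=SENSITIVE_PATHS, get_status=fetch_status):
    """Return {path: verdict} for every sensitive path under base_url.

    get_status is injectable so the logic can be exercised without a
    network connection.
    """
    base_url = base_url.rstrip("/") + "/"
    return {path: verdict(get_status(base_url + path)) for path in paths}


if __name__ == "__main__":
    # Placeholder host from the help page; pass your own URL instead.
    site = sys.argv[1] if len(sys.argv) > 1 else "http://www.your_site.com"
    for path, result in check_site(site).items():
        print("%-22s %s" % (path, result))
```

Run it as `python check_exposure.py http://www.your_site.com` after completing the checklist. A hosting provider that serves a "friendly" error page with status 200 will make a missing file look EXPOSED; that is the conservative direction, and the browser test above will show you which case it is.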

    Moving MS Access database off the site root

    Nevertheless, regardless of the outcome of the test above, it is recommended to move the database outside the site root. In other words, move the "db" folder to a location that cannot be reached from a browser. Some providers allow this and some do not. For example: you open your site in FTP and see a folder [httpdocs]. Your site root (all web pages) is located inside that folder (the folder name may differ from httpdocs). If you are able to create a new folder or upload files at the same level as [httpdocs], those files and folders are not mapped to any URL and cannot be accessed from a web browser.

    Move the "db" folder to the same level as [httpdocs]. Since the location of the "db" folder has changed, you need to change the configuration files to point to the new database location. Do the following:

    Open the config/config.asp configuration file in a text editor and amend the [dbFolder] variable, which points to the "db" folder location.

    By default the line looks like: dbFolder = "db/"
    Change it to: dbFolder = "../db/"

    The "../" in the reference above tells the application to look for the folder one level above the site root, i.e. in its parent folder.

    Note: Some providers disallow referencing parent folders in this way (for classic ASP this is the "Enable Parent Paths" setting in IIS). In that case this method of extra protection is not applicable.

    Renaming "db" folder or placing "db" folder into special App_Data folder

    The other method is renaming the "db" folder. This method provides the least protection, however, because the file is still served to anyone who guesses or learns the new folder name. Rename the "db" folder and change the value of the [dbFolder] variable in the config/config.asp configuration file.

    Example: dbFolder = "new_db_folder_name/"

    Alternatively, you may place the "db" folder inside the special App_Data folder. When ASP.NET is enabled on the site, this folder is not accessible from a web browser at all (without ASP.NET it is an ordinary folder, so repeat the browser test above after moving it). After moving the "db" folder, make the corresponding change in the config/config.asp configuration file:

    dbFolder = "App_Data/db/"
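As an added example (not from this help page or the product), the following Python check reads the dbFolder value out of a config/config.asp fragment and works out where the database folder lands relative to the site root, reporting whether a browser URL can still map to it and whether the value relies on a parent-path reference. It goes slightly beyond the text by handling all three options above (parent folder, renamed folder, App_Data) with one rule set. The site root path and the config fragment are constructed for the example; the rule that App_Data is unreachable assumes ASP.NET is enabled on the site, as stated above.

```python
"""Work out how exposed the database folder is for a given dbFolder value.

Added example for this help page; it is not part of the product.
"""
import os
import re

# Top-level folder that IIS refuses to serve when ASP.NET is enabled
# (assumption taken from the note above; compared case-insensitively).
PROTECTED_TOP_FOLDERS = {"app_data"}

# VBScript identifiers are case-insensitive, hence IGNORECASE.
DB_FOLDER_RE = re.compile(r'^\s*dbFolder\s*=\s*"([^"]*)"',
                          re.IGNORECASE | re.MULTILINE)

# Constructed fragment of config/config.asp used as sample input.
SAMPLE_CONFIG = '''<%
' constructed fragment for this example
dbFolder = "../db/"
showAdminLink = False
%>'''


def read_db_folder(config_text):
    """Return the dbFolder value from config.asp text, or None if absent."""
    m = DB_FOLDER_RE.search(config_text)
    return m.group(1) if m else None


def resolve_db_folder(site_root, db_folder):
    """Resolve db_folder (forward or back slashes) relative to site_root."""
    parts = [p for p in db_folder.replace("\\", "/").split("/") if p]
    return os.path.normpath(os.path.join(site_root, *parts))


def classify_db_location(site_root, db_folder):
    """Describe how the database folder is exposed.

    Returns a dict with:
      path               resolved absolute folder
      reachable          True if a browser URL can map to the folder
      needs_parent_paths True if the value climbs out of the site root with
                         "..", which classic ASP only allows when IIS has
                         "Enable Parent Paths" switched on
      reason             short explanation for the report
    """
    site_root = os.path.normpath(os.path.abspath(site_root))
    path = resolve_db_folder(site_root, db_folder)
    needs_parent_paths = ".." in db_folder.replace("\\", "/").split("/")
    try:
        rel = os.path.relpath(path, site_root)
    except ValueError:          # Windows: different drive letter
        rel = os.pardir
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        reachable, reason = False, "outside the site root; not reachable by URL"
    elif rel.split(os.sep)[0].lower() in PROTECTED_TOP_FOLDERS:
        reachable, reason = False, "under App_Data; blocked by IIS when ASP.NET is enabled"
    else:
        reachable, reason = True, "inside the site root; downloadable unless .mdb is blocked"
    return {"path": path, "reachable": reachable,
            "needs_parent_paths": needs_parent_paths, "reason": reason}


if __name__ == "__main__":
    site_root = "/srv/www/httpdocs"      # assumed site root for the demo
    print("config.asp value:", read_db_folder(SAMPLE_CONFIG))
    for value in ("db/", "../db/", "App_Data/db/", "new_db_folder_name/"):
        info = classify_db_location(site_root, value)
        extra = " (requires Enable Parent Paths)" if info["needs_parent_paths"] else ""
        print('dbFolder = "%s": %s%s' % (value, info["reason"], extra))
```

The check only reasons about where the folder ends up; it cannot see your provider's .mdb blocking rules, so a "reachable" result still needs the browser test from the previous section to confirm whether the file is actually downloadable.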

©2003-2010  Rapid Classified v3.3  GA Soft