  1. #1
    Join Date: Aug 2005
    Location: Vic, Oz
    Posts: 1,905
    Plugin Contributions: 5

    sqlpatch.php blocked by webhost

    My webhost, as part of improving security, is now automatically preventing sqlpatch.php from running.
    I ask them to remove that restriction and it works fine for a couple of weeks, until the next update, and then it's back again.

    Just wanted to know if there is any downside to renaming this file to something else (and the text file definitions also)?
    It seems to run fine if renamed to something else?

  2. #2
    Join Date: Jan 2004
    Posts: 66,364
    Blog Entries: 7
    Plugin Contributions: 274

    Re: sqlpatch.php blocked by webhost

    It's too bad that they've decided to block legitimate scripts instead of properly getting all the offending sites (running old insecure versions) to upgrade.

    Yes, you can easily rename it, its language file, and its filename definition.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date: Mar 2004
    Posts: 16,042
    Plugin Contributions: 5

    Re: sqlpatch.php blocked by webhost

    Quote Originally Posted by DrByte:
        instead of properly getting all the offending sites (running old insecure versions) to upgrade.
    I can tell you, I wish it was that easy.

  4. #4
    Join Date: Jan 2004
    Posts: 66,364
    Blog Entries: 7
    Plugin Contributions: 274

    Re: sqlpatch.php blocked by webhost

    Quote Originally Posted by Merlinpa1969:
        I can tell you, I wish it was that easy.
    Understood.

    Alternate ideas that would be more effective than what the OP is being subjected to:

    Instead of only blocking "sqlpatch.php", they could block a more specific pattern like:
    - "/admin/sqlpatch.php", since that would catch nearly all the vulnerable sites fairly accurately, or at least those who've not obscured the folder name, and the ones that have obscured it have probably done some patching anyway and aren't as vulnerable.
    - "sqlpatch.php/forgotten_password.php", since it's a specific attack vector
    - or any other combination of multiple ".php" mentions in the URI, since it would be rare to have a valid use-case for that

    There are LOTS of much smarter ways of specifically dealing with the problem rather than wimping out and blindly setting up a block, which shows they've done little research to actually understand the issue at hand.

    Or, if they want to protect themselves by getting the offending customers who are using old software to stop using old software, they could take direct measures on sites that have traces of old versions lingering on their accounts:
    - OBSOLETE SINCE 1.3.9a: /admin/includes/function/sessions.php
    - OBSOLETE SINCE 1.3.9a: /extras/curltest.php
    ... and other similar evidence.

    They could even apply a combination of both, i.e. only apply the "blocking" rules on accounts that are clearly running the old software. That's likely to be less work (and probably easily automated) than dealing with all the support tickets that get logged because the account is suddenly and unexpectedly blocked by overzealous protections that aren't even relevant to the software being used by non-troublesome accounts.

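The three URI rules and the "only block accounts showing old-version traces" combination sketched in the post above, written up as an added example (not code from Zen Cart or from anyone in this thread). The rule names, the log-line parser and the sample log lines are my own constructions; the URI patterns and the obsolete file paths are the ones the post lists.

```python
import re

# Request-URI patterns from the post, in order; the names are labels I made up.
RULES = [
    ("admin-sqlpatch", re.compile(r"/admin/sqlpatch\.php(?:$|[/?])", re.I)),
    ("sqlpatch-forgotten-password", re.compile(r"sqlpatch\.php/forgotten_password\.php", re.I)),
    # Two or more ".php" mentions anywhere in the URI (query string included).
    ("multiple-php-in-uri", re.compile(r"\.php.*\.php", re.I)),
]

# Files the post names as evidence of a pre-1.3.9a Zen Cart install.
OBSOLETE_FILES = ("admin/includes/function/sessions.php", "extras/curltest.php")

# Constructed sample log lines in Apache common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2011:10:00:01 +0000] "GET /admin/sqlpatch.php HTTP/1.1" 200 512
203.0.113.6 - - [10/Mar/2011:10:00:02 +0000] "GET /shop/admin/sqlpatch.php/forgotten_password.php HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2011:10:00:03 +0000] "GET /index.php?main_page=login HTTP/1.1" 200 4096
203.0.113.8 - - [10/Mar/2011:10:00:04 +0000] "GET /myadm1n/sqlpatch.php HTTP/1.1" 200 512
"""

LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def matched_rules(uri):
    """Names of the rules a single request URI trips; [] means it looks clean."""
    return [name for name, rx in RULES if rx.search(uri)]


def runs_old_software(account_files):
    """True if the account's file listing contains any of the obsolete files."""
    present = {path.strip("/") for path in account_files}
    return any(path in present for path in OBSOLETE_FILES)


def should_block(uri, account_files):
    """Combined policy: apply the URI rules only on accounts with old-version traces."""
    return runs_old_software(account_files) and bool(matched_rules(uri))


def scan_log(log_text):
    """Map each request URI found in the log text to the rule names it trips."""
    results = {}
    for line in log_text.splitlines():
        match = LOG_REQUEST.search(line)
        if match:
            results[match.group(1)] = matched_rules(match.group(1))
    return results
```

Note that the renamed-folder request in the sample log (/myadm1n/sqlpatch.php) trips none of the rules, which is exactly the gap the post concedes for sites that have obscured the admin folder name.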
