  1. #1
    Join Date
    May 2006
    Posts
    31
    Plugin Contributions
    0

    Sudden ModSecurity issues in admin

    I am running Zencart 1.3.9h on 5 domains. Today they all failed. My server support staff put this down to the file "seo.url.php" [part of ultimate seo urls] being missing so it must have disappeared from them all at the same time. The shops are now running normally.

    However I still have problems in admin. If I view a product description and then click preview I receive the following error message:
    An appropriate representation of the requested resource /shop/admin/product.php could not be found on this server.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    The server error log returned:
    =============================
    [Wed Sep 14 18:40:52 2011] [error] [client 77.102.184.71] ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:products_description[1]. [offset "32"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "xxxx.co.uk"] [uri "/shop/admin/product.php"] [unique_id "TnDnJNXlepQAABC7ROQAAAAR"]
    [Wed Sep 14 18:40:52 2011] [error] [client 77.102.184.71] File does not exist: /home/xxxxxx/public_html/406.shtml, referer: http://xxxx.co.uk/shop/admin/pro...on=new_product
    =============================
    I get similar messages when I try to edit a file using define_pages_editor.php

    The server support staff say the error indicates that a rule of ModSecurity, the Apache web application firewall, is being violated by the application, so they will have to disable that particular ModSecurity rule for my domain.
    I am somewhat baffled as to why these problems should happen in standard Zencart applications. I have checked and all the Zencart files look ok. Have my apps come under attack? Should I just go ahead and have ModSecurity amended or is there more that I should be aware of?

  2. #2
    Join Date
    Jan 2004
    Posts
    66,444
    Plugin Contributions
    279

    Re: ModSecurity issues in admin

    It would be helpful if your host would actually supply the "rule details" for the mod_security rule that's being triggered.
    Yours seems to be the only site experiencing the problem consistently.

    There's nothing specifically built-in to Zen Cart that should be triggering such security rules, unless you're typing text into one of your product descriptions that contains a pattern of letters/characters that are flagging mod_security rules. If that's the case, then you'll need to work with your hosting company to find a way around the problem, such as amending which rules they "use" within your admin folder.


    Further, if your problems were caused by files like "seo.url.php" which are NOT part of Zen Cart, then you'll need to deal with those addons specifically.

    AND, if all your sites suddenly started missing certain files, then you should probably start a serious investigation about WHY files suddenly went missing.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jun 2005
    Location
    Cumbria, UK
    Posts
    10,266
    Plugin Contributions
    3

    Re: ModSecurity issues in admin

    Quote: Originally Posted by DrByte
    Further, if your problems were caused by files like "seo.url.php" which are NOT part of Zen Cart, then you'll need to deal with those addons specifically.
    As these so-called "SEO modules" have no useful purpose whatsoever for SEO, you should just remove it completely. Core ZC is WELL-indexed by all search engines, and in fact, many of these URL re-writers can do more SEO "damage" than good.
    20 years a Zencart User

  4. #4
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: ModSecurity issues in admin

    Looks like your Hoster is using the default Rules that come with mod_sec. They will create many false positives such as what already happened. Customizing, removing and/or disabling per site will be required for many of the Rules.

  5. #5
    Join Date
    May 2006
    Posts
    31
    Plugin Contributions
    0

    Re: Sudden ModSecurity issues in admin

    Thank you all for your comments. My server support team have come back with the following comment on seo.url.php:

    While investigating your issue with the file "seo.url.php" I found that the file contains the string "$gzip == 1 ? base64_encode". We have a malware/virus scanner (LMD) on all our shared servers. LMD has inbuilt cleaner rules to attempt removal of malware injected strings, base64 and gzinflate(base64 injected malware as well as quarantine 100% infected/malware file but the file "seo.url.php" is a genuine file. I have added the file's path to the /usr/local/maldetect/ignore_paths list so that this file will not be deleted again in the future by the system scanner. I would request you to please edit this file rather than rename/reupload it if you wish to make any changes to it.

    Regarding the product.php they say
    "The issue is caused by mod_security rule restrictions, which are as follows:
    =============================
    ModSecurity: Access denied with code 406 (phase 2). Invalid UTF-8 encoding: invalid byte value in character at ARGS:products_description[1]. [offset "153"] [file "/usr/local/apache/conf/modsec2.user.conf"] [line "23"] [id "950801"] [msg "UTF8 Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "billando.co.uk"] [uri "/xxx/xxxx/product.php"] [unique_id "TnHZV9XlepQAAGG@jw8AAAAf"]
    =============================

    I have disabled the rules for the URI "/xxx/xxxx/product.php", now the product can be previewed."

    They seem to have been able to edit with define_page_editor.php but it is still throwing out errors for me.
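
Rule 950801 in the log lines quoted in this thread denies a request when an argument contains bytes that are not valid UTF-8, and reports the argument name and an offset. The Python sketch below is an added example, not part of the thread or of ModSecurity; it locates such a byte in a form body. The sample body is constructed and assumes a description submitted in a single-byte charset (a pound sign sent as 0xA3), which is one way an ordinary admin form can produce non-UTF-8 bytes.

```python
"""Added example: find the byte a UTF-8 validity check would reject in a form POST."""
from urllib.parse import unquote_to_bytes

# Constructed sample body (not from the thread): the pound sign is sent as the
# single byte 0xA3, as a page served in ISO-8859-1/Windows-1252 would submit it.
SAMPLE_BODY = ("products_name%5B1%5D=Gift+box&"
               "products_description%5B1%5D=Hand+made+gift+box%2C+only+%A34.99")


def form_params(body):
    """Yield (name, raw_value_bytes) for each urlencoded pair, without text decoding."""
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        raw_name = unquote_to_bytes(name.replace("+", " "))
        yield raw_name.decode("ascii", "replace"), unquote_to_bytes(value.replace("+", " "))


def utf8_findings(body):
    """Return one finding per argument whose bytes are not valid UTF-8."""
    findings = []
    for name, raw in form_params(body):
        try:
            raw.decode("utf-8")  # strict decoding raises at the first bad sequence
        except UnicodeDecodeError as exc:
            bad = raw[exc.start]
            findings.append({
                "arg": name,
                "offset": exc.start,  # byte index within the decoded value
                "byte": "0x%02X" % bad,
                "if_cp1252": bytes([bad]).decode("cp1252", "replace"),
                "reason": exc.reason,
            })
    return findings


if __name__ == "__main__":
    for f in utf8_findings(SAMPLE_BODY):
        print("ARGS:%(arg)s offset %(offset)d byte %(byte)s "
              "(cp1252: %(if_cp1252)r): %(reason)s" % f)
```

The same text submitted as UTF-8 (the pound sign as `%C2%A3`) produces no finding, so comparing the reported offset against the saved description shows which character to look at.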
