Fresh install Zen Cart v1.5.5a-05052016
Linux/openSuSE 13.2
Apache/2.4.23 (Linux/SUSE)
PHP Version 5.6.21
MySQL 5.7.10 MySQL Community Server
While attempting a fresh install of v155a on my local machine for testing and trial configurations, I encountered the errors with the Apache 2.2 syntax in .htaccess. Discovering this thread, I investigated more in the Apache docs and found the references to the new syntax. I'm not a network or security person at all, but I'm thinking that if Apache updated the security system in such a major way there must be a reason. My Apache was installed without the compatibility module, and that was why I got the errors, including from the installer saying it could access files it should not. I have kludged together a modification for the .htaccess files that seems to work on my system, replacing Apache 2.2 syntax with Apache 2.4 syntax. Then I merged old and new with conditionals to make it, hopefully, work in either environment. As an example, from the /admin/.htaccess, the original has (in pertinent part)
Code:
# deny *everything*
<FilesMatch ".*\..*">
Order Allow,Deny
Deny from all
</FilesMatch>
# but now allow just *certain* necessary files:
<FilesMatch "(?i).*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$">
Order Allow,Deny
Allow from all
</FilesMatch>
IndexIgnore */*
<limit POST PUT>
order deny,allow
deny from All
</limit>
The rewritten version is
Code:
# Use the Apache2 >= 2.4 auth modules if available
<IfModule mod_authz_core.c>
# Both conditions must hold, so they are grouped in <RequireAll>:
# a negated "Require not" only restricts access inside <RequireAll>;
# in the default <RequireAny> container it cannot deny anything
<RequireAll>
# don't allow POST and PUT methods at all
Require not method POST PUT
# allow just *certain* necessary files
Require expr "%{REQUEST_URI} =~ /.*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$/i"
</RequireAll>
</IfModule>
# Use the Apache2 < 2.4 access controls if we have to
<IfModule !mod_authz_core.c>
# deny *everything*
<FilesMatch ".*\..*">
Order Allow,Deny
Deny from all
</FilesMatch>
# but now allow just *certain* necessary files:
<FilesMatch "(?i).*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$">
Order Allow,Deny
Allow from all
</FilesMatch>
<limit POST PUT>
order deny,allow
deny from All
</limit>
</IfModule>
IndexIgnore */*
The conditionals used are based on testing for the existence of the authz_core module, which seems to be the driving force in the new system, and will not be present in older versions. At first I was testing for the compatibility module, and using old style if present. My logic error with that was that old systems also have no compatibility module (they don't need it), and the new systems with it probably should use the newer (better?) system anyway.
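As an added illustration (not part of the post above, and not Apache's or Zen Cart's code), the script below models how mod_authz_core combines the two Apache 2.4 rules from the rewritten /admin/.htaccess: the extension allow-list evaluated with `Require expr`, and the negated `Require not method POST PUT`. It implements the documented tri-state (granted / denied / neutral) combining rules of `<RequireAll>` and `<RequireAny>`, and runs a handful of constructed sample requests through both containers so the difference is visible: in the default `<RequireAny>` container a negated rule never denies, so POST still gets through, while in `<RequireAll>` both conditions must hold and everything not explicitly allowed is refused. The request paths are invented for the demonstration; the regex and method list are those from the post.

```python
import re

# Extension allow-list copied from the rewritten /admin/.htaccess in the post.
ALLOWED_EXT = re.compile(
    r".*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$",
    re.IGNORECASE,  # the /i flag on the Require expr regex
)
BLOCKED_METHODS = {"POST", "PUT"}

# Tri-state results that mod_authz_core providers return.
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"


def require_expr_ext(method, uri):
    """'Require expr "%{REQUEST_URI} =~ /...ext.../i"': grants on a match, otherwise neutral."""
    return GRANTED if ALLOWED_EXT.search(uri) else NEUTRAL


def require_not_method(method, uri):
    """'Require not method POST PUT': a negated provider denies when the method
    matches and is neutral otherwise. It never grants on its own, which is why it
    must sit inside <RequireAll> next to a positive rule."""
    return DENIED if method in BLOCKED_METHODS else NEUTRAL


RULES = (require_not_method, require_expr_ext)


def combine(results, container):
    """Documented combining rules for the two authorization containers."""
    if container == "RequireAll":
        # one failure fails the block; otherwise any success wins; else neutral
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    if container == "RequireAny":
        # one success wins; otherwise any failure fails; else neutral
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    raise ValueError(f"unknown container {container!r}")


def decide(method, uri, container):
    """True when the request is allowed. A neutral result at the top level is
    treated as denied (Apache answers 403 'client denied by server configuration')."""
    return combine([rule(method, uri) for rule in RULES], container) == GRANTED


# Constructed sample requests; the paths are hypothetical, not from the post.
CASES = [
    ("GET", "/store/admin/index.php"),
    ("GET", "/store/admin/includes/configure.PHP"),
    ("GET", "/store/admin/.htaccess"),
    ("GET", "/store/admin/includes/configure.php.bak"),
    ("POST", "/store/admin/login.php"),
    ("PUT", "/store/admin/includes/init.js"),
]


def policy_table(container):
    """Map each sample request to the allow/deny decision under one container."""
    return {(m, u): decide(m, u, container) for m, u in CASES}


if __name__ == "__main__":
    for container in ("RequireAny", "RequireAll"):
        print(container)
        for (m, u), ok in policy_table(container).items():
            print(f"  {m:4} {u:45} {'200' if ok else '403'}")
```

Running it shows that only the `<RequireAll>` column matches the intent of the old 2.2 block: dotfiles and backup copies are refused, the allow-list is case-insensitive, and POST/PUT are blocked even for otherwise permitted files. Under `<RequireAny>` the POST to `login.php` is allowed, which is the silent failure a reviewer should look for when the two `Require` lines are left unwrapped.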
Is there someone who understands Apache and security better who can vet my kludging?
If the Apache update is, in fact, better security, wouldn't it be better for all Zenners to use the newer syntax where supported?
Is this something to address in coming upgrades?
As an extra note: I think something involved with this change-over was interfering with the installation process at the database creation stage, as I got a slew of errors in my server log when the progress bar in the modal dialog froze. (This is discussed in other threads, which I lost track of before registering here.)
Code:
[Sun Aug 14 02:55:50.555062 2016] [:error] [pid 25471] [client xxx.xx.xx.xx.69:42163] client denied by server configuration: /srv/www/htdocs/store/zc_install/ajaxGetProgressValues.php, referer: https://my.machine.net/store/zc_install/index.php?main_page=database
Once I switched to the Apache 2.4 syntax I was able to complete the install without errors or issues.