  1. #1

    [Not a ZC bug] Problems using '3 AND 4' comments during checkout

    Existing installation & Fresh OUT OF THE BOX install.
    Buy an item and at step "Step 1 of 3 - Delivery Information" in the "Special Instructions or Comments About Your Order" box enter any 2 numeric values with an "and" or "or" between them, click continue "Check Out" and you get this catastrophic failure.

    Forbidden
    You don't have permission to access /zctest/index.php on this server.
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

    EXAMPLE entries:
    3 and 4
    7 or 9

    You may test at this site:
    www.pcsnnets.com/zctest

    (Attachment: fail 01.jpg)

    Thanks, Linuxguy2
    Last edited by linuxguy2; 1 Aug 2015 at 03:43 AM. Reason: Typo

  2. #2

    Re: Step 1 of 3 - Delivery Information

    That's not a Zen Cart bug. It's mod_security (or other security rules) your hosting company has enabled in Apache to filter out common malicious SQL injection attempts.

    If you want to prevent that from triggering, work with your hosting company to customize the rules specific to your site.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3

    Re: [Not a ZC bug] Step 1 of 3 - Delivery Information

    Hi,

    Can you explain to me why does it ONLY fail if I enter "3 and 4" but if I enter "3and4" it accepts the entry?
    Do not enter the "

    It also fails when making entries on the next checkout pages

    Have you tested it?
    I'm not sure why but it looks like my site is down for the moment.
    Please try this on ANY 1.5.1 site and I believe it will fail.
    Last edited by linuxguy2; 1 Aug 2015 at 04:08 AM. Reason: Additional info

  4. #4

    Re: [Not a ZC bug] Step 1 of 3 - Delivery Information

    Because "3and4" does not contain any SQL keywords like "AND" or "OR" with spaces around them to make them actual keywords.

  5. #5

    Re: [Not a ZC bug] Step 1 of 3 - Delivery Information

    The problem doesn't happen if mod_security (or any equivalent trapping tool) isn't installed.

  6. #6

    Re: [Not a ZC bug] Step 1 of 3 - Delivery Information

    Thanks, I did not make the connection between the failure and SQL keywords AND OR.
    I just figured it was a mathematical operator of some kind.
    This thing has been driving me nuts for two days.

    THANK YOU!

  7. #7

    Re: [Not a ZC bug] Step 1 of 3 - Delivery Information

    I hate to be a nag about this but this makes no sense. I'm sure my Hosting provider isn't the only one with mod_security enabled.
    People enter numbers with the words AND or OR between them in comment boxes all the time.
    Is it possible ZC could do something to prevent this?

  8. #8

    Re: [Not a ZC bug] Step 1 of 3 - Delivery Information

    My hosting provider (Host Tornado) allows each domain to control their mod_security setting.
    Meanwhile I was thinking:
    To allow mod_security to be turned on one could parse the comments field and in my case add a . before commonly used SQL keywords (and, or) when used between numeric values and no one would be the wiser.
    Do you know if there is a way to do this with an .htaccess file to allow just (and, or) to pass through when used between numeric values?

    Since you don't consider this to be a bug do you think this thread should be moved to some other category?
    I'd like to see how others have dealt with this issue.


    Thanks for your time
    Last edited by linuxguy2; 2 Aug 2015 at 02:30 PM. Reason: correction
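An added example, not from this thread and not Zen Cart's own code, of the narrower alternative to switching mod_security off for the whole domain: a ModSecurity 2.x exclusion that keeps the SQL-injection rule running but stops it inspecting only the checkout comments field. It assumes the textarea is submitted as the POST parameter "comments", that Zen Cart selects the page with the main_page query parameter, and that RULE_ID_FROM_AUDIT_LOG is replaced with the numeric rule id recorded in the host's ModSecurity audit log for the blocked request.

```apache
# Added example, not from the thread or from Zen Cart.
# Goal: keep mod_security enabled but remove the checkout "Special
# Instructions or Comments" textarea (the field "3 and 4" is typed into)
# from the targets of the SQL-injection rule that blocks it. Every other
# parameter in the request is still inspected by that rule.
#
# Assumptions:
#   - ModSecurity 2.x, and these lines are loaded AFTER the rule set include
#     (SecRuleUpdateTargetById can only modify a rule that already exists).
#   - The textarea is submitted as the POST parameter "comments".
#   - Zen Cart selects the page with the query parameter main_page
#     (index.php?main_page=checkout_shipping and so on).
#   - RULE_ID_FROM_AUDIT_LOG is a placeholder: replace it with the numeric
#     id shown in the ModSecurity audit log entry for the blocked request.
# Use Option A or Option B, not both.

<IfModule security2_module>
    # Option A: for the whole vhost. The rule keeps running; only
    # ARGS:comments is removed from the list of variables it inspects.
    SecRuleUpdateTargetById RULE_ID_FROM_AUDIT_LOG "!ARGS:comments"

    # Option B: the same exclusion, limited to the checkout pages. Phase 1
    # runs before the phase-2 SQL-injection rules, so the ctl action is in
    # effect when they evaluate. The request body is not parsed yet in
    # phase 1, so ARGS here only sees query-string parameters, which is
    # where main_page lives. id 10001 is a constructed id in the range
    # (1-99999) that ModSecurity reserves for local rules.
    SecRule REQUEST_URI "@beginsWith /zctest/index.php" \
        "id:10001,phase:1,pass,nolog,chain"
        SecRule ARGS:main_page "@rx ^checkout_(shipping|payment|confirmation)$" \
            "ctl:ruleRemoveTargetById=RULE_ID_FROM_AUDIT_LOG;ARGS:comments"
</IfModule>
```

Whether these directives may be placed in .htaccess depends on the host's AllowOverride settings and ModSecurity version; if they are not accepted there, the host has to add them to the site's virtual host configuration.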
