  1. #1
    Join Date
    Jun 2004
    Posts
    130
    Plugin Contributions
    0

    Page Editor and Mod Security issues

    I was getting an Internal Server 500 Error when I tried to edit pages using the Define Pages Editor. I narrowed it down to not being able to use the word "From", as strange as that sounds.

    I then looked in my server logs and found it was triggering a mod_security error with the word From.

    The odd thing is, I have several clients on the machine using Zen, and this is the only one that has this problem.

    Can anyone tell me how to fix it?

    Thanks!

  2. #2
    Join Date
    Jun 2004
    Posts
    130
    Plugin Contributions
    0

    Re: Page Editor and Mod Security issues

    Forgot to mention that I did try the htaccess entry in the other thread to no avail.

  3. #3
    Join Date
    Jan 2004
    Posts
    66,419
    Blog Entries
    7
    Plugin Contributions
    277

    Re: Page Editor and Mod Security issues

    Quote Originally Posted by Scarlet
    Forgot to mention that I did try the htaccess entry in the other thread to no avail.
    Which specific other thread?


    You may need to ask your hosting company whether they will even allow you to override the mod_security 'protections' for specific sections of your website.
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  4. #4
    Join Date
    Jun 2004
    Posts
    130
    Plugin Contributions
    0

    Re: Page Editor and Mod Security issues

    Hi:

    I tried the htaccess entries you posted. I wound up having to whitelist the domain, which is odd because I have about 10 other zen carts on the machine that don't have the problem and aren't whitelisted. (I am the host).

    It's working now, regardless :)

  5. #5
    Join Date
    Jan 2004
    Posts
    66,419
    Blog Entries
    7
    Plugin Contributions
    277

    Re: Page Editor and Mod Security issues

    Be careful whitelisting the entire domain ... because that basically removes all mod_security protection on the storefront side too ... which is where most rogue visitors first come in contact with your site.

  6. #6
    Join Date
    Jun 2004
    Posts
    130
    Plugin Contributions
    0

    Re: Page Editor and Mod Security issues

    I was told that the whitelist file on the server can only do the entire domain. htaccess doesn't work. Do you know of another way?

  7. #7
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: Page Editor and Mod Security issues

    There is more here than meets the eye. Mod Security Rules usually return something other than a 500 msg. as that msg. is generally used for script and .htaccess "errors".

    500 Internal Server Error
    The server encountered an unexpected condition that prevented it from fulfilling the request.

    Most common mistakes:
    - script not uploaded in ASCII
    - server permission set incorrectly
    - syntax error within the script itself
    - server missing required script module(s)


    You should check with your Hoster to see why the word "From" trips a mod_sec rule.

    As another workaround, you could try editing the define page on your computer and then uploading it. Also, which define page are you trying to edit?

  8. #8
    Join Date
    Jun 2004
    Posts
    130
    Plugin Contributions
    0

    Re: Page Editor and Mod Security issues

    [Tue Apr 21 18:41:05 2009] [error] [client 71.236.111.245] ModSecurity: Access
    denied with code 500 (phase 2). Pattern match
    "((select|grant|delete|insert|drop|alter|replace|truncate|update|create|rename|describe)[[:space:]]+[A-Z|a-z|0-9|\\*|
    |\\,]+[[:space:]]+(from|into|table|database|index|view)[[:space:]]+[A-Z|a-z|0-9|\\*|
    |\\,]|UNION SELECT.*\\'.*\\'.*,[0-9].*INTO.*FROM)" at
    REQUEST_BODY. [file "/usr/local/apache/conf/modsec2.user.conf"]
    [line "345"] [id "300013"] [rev "1"] [msg
    "Generic SQL injection protection"] [severity "CRITICAL"]
    [hostname "www.uniqueflyingobjects.com"] [uri
    "/admin/define_pages_editor.php"] [unique_id
    "Se5LgUPhjPIAAHn7UzIAAAAV"]

  9. #9
    Join Date
    Jun 2004
    Posts
    130
    Plugin Contributions
    0

    Re: Page Editor and Mod Security issues

    It's on any of the pages - I need the client to be able to easily edit his pages and he doesn't know how to ftp or upload - that was a big reason we migrated from Miva to Zen - easier for him to maintain.

  10. #10
    Join Date
    Oct 2006
    Location
    Alberta, Canada
    Posts
    4,571
    Plugin Contributions
    1

    Re: Page Editor and Mod Security issues

    I see no reason for such a wonky mod_sec rule as they currently have but then again, it's their Server, their rules.

    Quote Originally Posted by Scarlet
    I need the client to be able to easily edit his pages
    Unless your Hoster is willing to have better defined mod_sec Rules, your Client will not be able to do what you want.
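
An added example, not part of the thread or of anyone's post: the pattern from the ModSecurity log in post #8, ported to Python's `re` and run over constructed page text, to show that the rule fires on a keyword-word-"from" sequence rather than on "from" alone. The `\s` translation, case-insensitive matching, and the names `TOKEN`, `RULE_300013`, `triggering_fragment`, `audit` and `SAMPLES` are assumptions of this sketch.

```python
import re

# Rule 300013's pattern as quoted in the log above, ported to Python's `re`.
# Assumptions: POSIX [[:space:]] is written as \s, the log's doubled
# backslashes are undone, matching is case-insensitive, and the character
# class omits whatever character was lost where the log line wraps.
TOKEN = r"[A-Za-z0-9|*,]"
KEYWORDS = ("select|grant|delete|insert|drop|alter|replace|truncate|"
            "update|create|rename|describe")
OBJECTS = "from|into|table|database|index|view"
RULE_300013 = re.compile(
    rf"(({KEYWORDS})\s+{TOKEN}+\s+({OBJECTS})\s+{TOKEN}"
    r"|UNION SELECT.*'.*'.*,[0-9].*INTO.*FROM)",
    re.IGNORECASE,
)

# Constructed page text of the kind typed into a define-pages editor.
SAMPLES = [
    "Shipping from our warehouse takes 3 days.",   # "from" on its own
    "We update prices weekly.",                    # keyword on its own
    "Please select items from our catalogue.",     # ordinary prose, blocked
    "Create account from the login page.",         # ordinary prose, blocked
    "SELECT * FROM customers",                     # what the rule is aimed at
]


def triggering_fragment(body):
    """Return the part of a request body the rule matches, or None."""
    m = RULE_300013.search(body)
    return m.group(0) if m else None


def audit(bodies):
    """Map each body to its matched fragment (None means no match)."""
    return {b: triggering_fragment(b) for b in bodies}


if __name__ == "__main__":
    for body, frag in audit(SAMPLES).items():
        print(f"{'BLOCKED' if frag else 'ok':8} {body!r} -> {frag!r}")
```

Running candidate page text through a check like this before saving shows which sentence needs rewording, and gives the host a concrete false-positive case to tune the rule against.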

 

 
