
Advanced Search - 403 Forbidden error


20 replies to this topic

#1   vicster

vicster
  • Members
  • 158 posts

Posted 26 December 2008 - 01:21 AM

I've never seen this before...LOL

When you go to advanced search and type in whatever, and check the box to include the description (and then hit 'search'), you are taken to an HTTP 403 Forbidden error page which says 'This site requires you to log in.'

Any ideas where this might be coming from?

(I'm so glad I'm finding these things before I go live...LOL)

#2   vicster

vicster
  • Members
  • 158 posts

Posted 28 December 2008 - 03:53 PM

Anyone?  I believe it may be from the anti-XSS contribution I added for security, but I'm not sure.  Here's a snippet from my htaccess file:

# anti xss script 1 - pci compliance - by pixclinic
Options +FollowSymLinks
RewriteEngine On 
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

If it is the htaccess file preventing people from doing an advanced search, is there any way around it?

Thanks!

#3   vicster

vicster
  • Members
  • 158 posts

Posted 29 December 2008 - 05:06 PM

Maybe I should ask this in the contribution forum...

#4   germ

germ
  • Members
  • 13,921 posts

Posted 29 December 2008 - 05:18 PM

Or give your URL so someone can actually see what's going on.

I realize there are pros and cons to posting store URLs (especially if it's a work in progress), but on the other hand "a link can be worth a thousand words" (to butcher a common phrase).

Posting your URL normally (like www.yoursite.com) can result in your posts here showing up when people search for your site.

If you phrase it like y o u r s i t e DOT c o m posts here probably won't normally appear on search engine searches for your site.

Just my two cents.
If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."
- Me -

"Headers already sent" - The definitive help

"Cannot redeclare ..." - How to find/fix it

SSL Implementation Help

Like this post? "Like" it again over there >

#5   vicster

vicster
  • Members
  • 158 posts

Posted 29 December 2008 - 05:25 PM

Thanks for taking a look, Jim!

its okay to sh o w of f DOT com  (without the spaces, of course :) )

Try searching for a 'red labret' in advanced search with the 'include description' checked.

#6   germ

germ
  • Members
  • 13,921 posts

Posted 29 December 2008 - 05:30 PM

I'm not the sharpest tool in the shed, Ma'am, but I can't find a link to the osC part of the site anywhere.
:blush:

If you want you can PM it to me.

Or maybe I'm just blind as a bat....
:blink:

#7   vicster

vicster
  • Members
  • 158 posts

Posted 29 December 2008 - 05:30 PM

OOPS!  I forgot...you have to add /catalog/ to the url to get to the OSC part.  Sorry!

#8   germ

germ
  • Members
  • 13,921 posts

Posted 29 December 2008 - 05:37 PM

When I do that, it says:


HTTP 404
Most likely causes:
  • There might be a typing error in the address.
  • If you clicked on a link, it may be out of date.
What you can try:
  • Retype the address.
  • Go back to the previous page.
  • Go to  and look for the information you want.
More information

s h o w o f f DOT c o m SLASH c a t a l o g

#9   vicster

vicster
  • Members
  • 158 posts

Posted 29 December 2008 - 05:52 PM

itsokay tosho woff DOT com SLASH catalog

:)

#10   germ

germ
  • Members
  • 13,921 posts

Posted 29 December 2008 - 06:02 PM

Can you just PM me a link that works for you?
:unsure:

That ain't workin' for me neither...
:blush:

#11   germ

germ
  • Members
  • 13,921 posts

Posted 29 December 2008 - 06:10 PM

Stupid should hurt.

If so, I'd be in a lot of pain right about now...
:lol:

#12   vicster

vicster
  • Members
  • 158 posts

Posted 29 December 2008 - 06:19 PM

:lol:

#13   germ

germ
  • Members
  • 13,921 posts

Posted 29 December 2008 - 06:34 PM

Believe it or not, I was under the impression the "itsoakay" was a reassurance.

*COUGH* *COUGH*
:o

Anyway, enough of my stupidity...
:blush:

I think one of your anti hacking measures is the culprit.

A URL like this:

http://www.yoursite.com/catalog/advanced_search_result.php?keywords=labret
Works fine.

This:

http://www.yoursite.com/catalog/advanced_search_result.php?keywords=labret&search_in_description=1&categories_id=&inc_subcat=1&manufacturers_id=&pfrom=&pto=&dfrom=&dto=&x=89&y=15
Or even:

http://www.yoursite.com/catalog/advanced_search_result.php?keywords=labret&search_in_description=1
Yields the error.

I've compared the longer URLs to what works on my site and I don't see anything malformed in the URL.

I'm baffled.
(As if that's difficult...  :blush: )

#14   vicster

vicster
  • Members
  • 158 posts

Posted 29 December 2008 - 06:52 PM

You crack me up!  :)  

Well, I'm baffled, too.  I'm really hoping that someone familiar with those two contributions will see this post.  (I'm really kicking myself for not posting this in the Contributions forum first).  I think I'm going to start with removing the .htaccess file and seeing what happens, though I won't know what to change or what to do to it to get my adv. search working again if it is, in fact, the culprit.

I do appreciate your looking at it, though.

BTW - I wanted to ask you if my site took a long time to load (I use a ton of jpg files) or if you experienced anything that was a nuisance.  You can be honest.  And, of course, if you're busy you don't have to answer.  :)

#15   germ

germ
  • Members
  • 13,921 posts

Posted 29 December 2008 - 07:04 PM

Well, this thread wasn't a total bust... You got a good laugh out of it (I think)!
:lol:

I'm not familiar enough with the anti-hacking (or .htaccess files in general) to be much use.

As for load time, I have what they call "economy cable" (which is supposed to be like 21 times faster than dial-up) and your site loads fast enough that if I blink I miss it (the load time, that is).
;)

#16   vicster

vicster
  • Members
  • 158 posts

Posted 29 December 2008 - 08:08 PM

Thanks for letting me know about the load time!

Just in case someone comes along that knows .htaccess stuff, here's 'Part Two' of the .htaccess file (I should have posted this along with the first part):

# extra anti uri and xss attack script 2 - sql injection prevention
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} ("|%22).*(>|%3E|<|%3C).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (java script:).*(;).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteCond %{QUERY_STRING} (;|'|"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if).* [NC]
RewriteRule ^(.*)$ log.php [NC]
RewriteRule (,|;|<|>|'|`) /log.php [NC]

I will try removing the .htaccess file next, and then try to single out what part is messing with advanced search if removing it helps...

#17   vicster

vicster
  • Members
  • 158 posts

Posted 29 December 2008 - 10:15 PM

Well, here's the gist.  If I remove 'Part one' of the htaccess file, then advanced search works just fine.  When that part of the htaccess is there, advanced search will only work as long as you do not check the box to include the description...which defeats the purpose.

Any suggestions on what I can do to that 'Part one' (the first code box I posted) to allow my advanced search to work would be greatly appreciated!

#18   germ

germ
  • Members
  • 13,921 posts

Posted 29 December 2008 - 11:20 PM

This line:

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
I think it's the "bad boy".

Change it to this:

# RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
BACKUP BEFORE EDITING.

Basically this renders that one line ineffective.

Does that fix the problem?
:unsure:

#19   vicster

vicster
  • Members
  • 158 posts

Posted 29 December 2008 - 11:44 PM

Yes, that seems to have worked.  You know more than you thought! :)  I guess it didn't like the '&'?  Just guessing...

#20   germ

germ
  • Members
  • 13,921 posts

Posted 29 December 2008 - 11:48 PM

My hunch is because:

http://www.yoursite.com/catalog/advanced_search_result.php?keywords=labret&search_in_de[color="#FF0000"]script[/color]ion=1
And this:

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
Tells it to error out with anything with "script" in it.
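Added example, not part of the thread and not code from either contribution: a Python check of the rule from post #18 against constructed query strings, under two readings of `\<` and `\>`. Reading them as GNU-style word anchors is an assumption about the regex engine on the poster's server; all function and constant names are hypothetical.

```python
import re

# The rule identified in post #18, and the same test written without
# backslashes, as it appears in 'Part two' of the posted .htaccess.
ESCAPED = r"(\<|%3C).*script.*(\>|%3E)"
UNESCAPED = r"(<|%3C).*script.*(>|%3E)"

# Constructed sample query strings (not taken from any real log).
SEARCH_OK = "keywords=labret"
SEARCH_DESC = "keywords=labret&search_in_description=1"
MARKUP = "keywords=%3Cscript%3Ealert(1)%3C/script%3E"


def compile_cond(pattern, word_anchors):
    r"""Compile a RewriteCond pattern with [NC] semantics.

    word_anchors=True models an engine where \< and \> mean start-of-word
    and end-of-word (GNU-style). False models PCRE, where they are literal
    angle brackets. Which one a given server uses is an assumption here.
    """
    if word_anchors:
        pattern = pattern.replace(r"\<", r"\b(?=\w)").replace(r"\>", r"\b(?<=\w)")
    return re.compile(pattern, re.IGNORECASE)


def is_blocked(pattern, query, word_anchors):
    """True if the condition matches, i.e. the request would get the [F] response."""
    return compile_cond(pattern, word_anchors).search(query) is not None


def report(pattern):
    """Map each sample query to (blocked as literals, blocked as word anchors)."""
    return {q: (is_blocked(pattern, q, False), is_blocked(pattern, q, True))
            for q in (SEARCH_OK, SEARCH_DESC, MARKUP)}


if __name__ == "__main__":
    for name, pat in (("escaped", ESCAPED), ("unescaped", UNESCAPED)):
        for query, result in report(pat).items():
            print(f"{name:9} {result} {query}")
```

Under the word-anchor reading the escaped rule blocks any query string containing "script", including search_in_description=1, while the unescaped form gives the same result under both readings and still matches the encoded markup sample.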