lextech Posted March 23, 2011

A customer wrote to me:

I tried a work computer. I installed Chrome on the work computer. Tried creating an account from the Android phone.

406 Not Acceptable
An appropriate representation of the requested resource /osCommerce/password_forgotten.php could not be found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

The above message I'm getting when I do a "forgot password". Similarly, after I fill the fields for create account I get:

406 Not Acceptable
An appropriate representation of the requested resource /osCommerce/create_account.php could not be found on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

I believe we have narrowed down the error to the server side. Please look into it.

So I wrote my server host and he wrote this back as a response:

Turning off mod_security2...
1. Increases the chances of your site being hacked
2. Increases the chances of your site violating the policy when it is hacked. They will upload paypal phishing pages, send spam, etc.
3. Increases the chances of your site overloading the server, resulting in downtime for everyone
4. Increases the chances of your site being immediately deleted from the server when it causes a problem for the server.

If you want mod_security2 turned off for your domain, reopen this ticket and...
1. Provide the account ID. The account ID is the domain name listed in the activation notice and in invoices
2. Provide the domain name in which you want mod_security2 turned off
3. Provide that domain's correct username
4. Send statement: "I will keep all of my scripts up-to-date on a daily basis."

I have tried searching around and I am not seeing the proper fix for this so users can use my site. I just want to be accessible again by everyone. This is a real issue with most people using IE8.
What is the proper fix without having to write the host back?

RC2.2a
Taipo Posted March 23, 2011

mod_security2 is an Apache mod; it's not something you can install on your website or uninstall. But it is possible for your domain host to switch that mod off for your website. What they are asking you to do is send them your website information and agree to a disclaimer, and they will let your site pass thru the mod_security2 firewall without filtering.

- Stop Oscommerce hacks dead in their tracks with osC_Sec (see discussion here)
- Another discussion about infected files ::here::
- A discussion on file permissions ::here::
- Site hacked? Should you upgrade or not, some thoughts ::here::
- Fix the admin login bypass exploit here
- Pareto Security: New security addon I am developing, a remake of osC_Sec in PHP 5 with a number of fixes
- BTC:1LHiMXedmtyq4wcYLedk9i9gkk8A8Hk7qX
lextech (Author) Posted March 23, 2011

What is making the users get caught by the mod_security2? Some users have no issue. I have used this host for 8 years; I hate to do something that would get me banned if I get hacked.
Taipo Posted March 23, 2011

You would have to determine the difference between those users, what browsers they are using in particular. If you know of a user that is getting this error, then try adding this to your htaccess:

SecFilterEngine off

And request that affected user try it out and see if that has cleared the problem.

Modsecurity is a bit like a packet filter that, among other things, monitors POST data like that when you try to log in. If they have tweaked it a bit much then it may, for example, be banning the use of @ in post data.

If that code above results in the error clearing, then remove it (as that will turn modsecurity completely off for your site), and add the following:

SecFilterEngine On
SecFilterSelective "REQUEST_URI" "/osCommerce/password_forgotten.php" "allow,nolog"

That should allow modsecurity to ignore that particular file, rather than the entire website.
lextech (Author) Posted March 23, 2011

Thank you for the suggestion. I got an internal server error when I added it to my HTACCESS. I stuck it near the top by itself, away from the security mods.
Taipo Posted March 23, 2011

Probably means your ISP does not allow local manipulation of SecFilterEngine... which is a good thing. You will have to contact them directly then, as they suggested in that message, and offer them this option, asking if it is possible to just allow the password_forgotten.php thru the modsec firewall:

SecFilterSelective "REQUEST_URI" "/osCommerce/password_forgotten.php" "allow,nolog"

If they say no, they will probably re-offer to you the option to either leave mod_security2 as it is, or switched off for your site.
lextech (Author) Posted March 24, 2011

How severe of a hole am I opening by turning that off? I have forums, galleries and a home page on my site as well as the OSC install.
Taipo Posted March 24, 2011

Well, if they agree to just turn it off for the lost password, as in write an exception rule to bypass filtering for those two files alone, it should be fine... this is, of course, if that is even possible for them to do.

If that is the case you would need to add in a whitelist filter for email addresses into the top of both the lost password page and create account page, under the application_top.php include. Something along the lines of what has been discussed in other discussion threads (but with amendments just for an email address):

// Whitelist filter: keep only the characters an email address can contain.
// (Uses foreach rather than the old reset()/each() loop, which PHP 8 removed.)
foreach (array_keys($_POST) as $key) {
    if (!is_array($_POST[$key])) {
        $_POST[$key] = preg_replace("/[^ a-zA-Z0-9@_.-]/i", "", urldecode($_POST[$key]));
    } else {
        unset($_POST[$key]); // no arrays expected
    }
}

But that comes down to, in the end, the server admin being able to write in firewall rule exceptions just for those two pages. If they cannot, then that is another bridge that will have to be crossed when you get to that point.

But to be honest, if people are having problems with input fields on those two pages, I would suggest that they would be having probs with any field inputs, period. So even if your host could write in exceptions for those two files, you might find you get further complaints from others concerning other pages that have user data inputted. But that is just conjecture on my part; best try it out and see what they say, and see if that even clears the problem.

My suspicions are up though, especially since some users have no issue, which sounds to me like something more local, like browser problems or even something as simple as cookie caches. mod_security2 would be indiscriminate, and if it had a conflict with a user input returning unacceptable data to the server then it could well be something particular browsers are doing rather than the mod itself.
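The per-page exception Taipo proposes in the two posts above, written out for ModSecurity 2.x as an added example (not configuration from this thread, from the host, or from osCommerce): the SecFilterEngine/SecFilterSelective directives quoted above are ModSecurity 1.x syntax, which mod_security2 replaced with SecRuleEngine and SecRule. It assumes ModSecurity 2.7 or later (the id action is mandatory from that version), that the host puts it in the server or virtual-host configuration rather than .htaccess (a default mod_security2 build does not accept its directives there), and that osCommerce's email field is named email_address; the rule id 999999 is a placeholder.

```apache
# --- Weak setting: what "turn mod_security2 off for the domain" means ---
# Every page on the vhost (forums, galleries, admin, the whole osC shop)
# loses WAF coverage, which is why the host lists the risks it does.
SecRuleEngine Off

# --- Scoped exception: engine stays on; only the two 406-ing pages are relaxed ---
# Modern equivalent of the 1.x directive quoted in the thread:
#   SecFilterSelective "REQUEST_URI" "/osCommerce/password_forgotten.php" "allow,nolog"
SecRuleEngine On

# Option A (narrowest): stop one rule from inspecting the email field on
# these two URIs only. 999999 is a placeholder for the id shown in the
# '[id "..."]' field of the ModSecurity error_log entry for the 406.
SecRule REQUEST_URI "@rx ^/osCommerce/(password_forgotten|create_account)\.php$" \
    "id:1000001,phase:1,pass,nolog,ctl:ruleRemoveTargetById=999999;ARGS:email_address"

# Option B: drop that rule entirely for the two URIs (all parameters).
SecRule REQUEST_URI "@rx ^/osCommerce/(password_forgotten|create_account)\.php$" \
    "id:1000002,phase:1,pass,nolog,ctl:ruleRemoveById=999999"

# Option C (broadest, closest to the 1.x "allow"): switch the engine off
# for these two URIs only. Everything else on the site stays filtered.
# Uncomment only if the rule id cannot be identified.
# SecRule REQUEST_URI "@rx ^/osCommerce/(password_forgotten|create_account)\.php$" \
#     "id:1000003,phase:1,pass,nolog,ctl:ruleEngine=Off"
```

Options A and B are the ones to ask the host for first, since they keep every other rule active on the two pages; run with SecRuleEngine DetectionOnly briefly if the rule id is unknown, so the error_log records which rule matched without blocking users.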