Post by Joe1234 » Fri Jan 10, 2025 4:12 am

Having an odd issue. I'm making an admin mod that has been working fine during tests. My host moved me to another server and all of a sudden I can't save my mods settings that are being saved to the settings table. I'm getting a forbidden message. OC regular settings is going through the save process with no issue, and I've tested a few other saving processes in the admin. I've removed the permission validation in my mod. I'm getting no errors in OC error log and no server error logs....right now I can't see any php error logs because they are working out an issue of them not logging. Any thoughts on what I should look at that would cause a forbidden message upon saving? Yes, I know I'm showing no code, too much to post, just need direction for now.

v3.0.3.9 php 8.1
I'm here for a reason, if your response is contact a/the developer, just don't reply.


Active Member

Posts

Joined
Sat Jan 01, 2022 5:47 am

Post by softmonke » Fri Jan 10, 2025 10:59 am

By "forbidden message", I assume you are referring to 403 Forbidden error? If yes, then it's unlikely an issue with your code but more of a server issue. For this just off the top of my head, could be folder/files permissions/ownership, misconfigured .htaccess, web application firewall like ModSecurity.

Might be helpful to check with your web host too.

Check out our ever-growing list of extensions for OpenCart here.
Some useful extensions for a better admin experience: Image File Manager ProDrag & Drop Sort Order

Reach out to us at hello@softmonke.com for your OpenCart web development needs or feedback for our extensions.


User avatar
Active Member

Posts

Joined
Tue May 23, 2023 4:42 am


Post by Joe1234 » Fri Jan 10, 2025 1:03 pm

It looks like the problem is because I'm saving the htaccess path and file name to the database (I didn't have this issue on my old server). So my question is can this issue be bypassed pragmatically? I dont exactly fully understand how the config settings are saved, I don't see how this could possibly help, but I tried the following.

Code: Select all

		if (isset($this->request->post['guardian_g_htaccess_path'])) {
			$data['guardian_g_htaccess_path'] = $this->db->escape($this->request->post['guardian_g_htaccess_path']);
		} else {
			$data['guardian_g_htaccess_path'] = $this->db->escape($this->config->get('guardian_g_htaccess_path'));
		}
From there the twig picks up the data.

The only way I can think off the top of my head as a work around is to just save the path and then hardcode the actual ".htaccess" name in the file, but I'd just prefer not do it that way. Let me know.

v3.0.3.9 php 8.1
I'm here for a reason, if your response is contact a/the developer, just don't reply.


Active Member

Posts

Joined
Sat Jan 01, 2022 5:47 am

Post by nonnedelectari » Fri Jan 10, 2025 4:49 pm

Well, we don't know exactly what you are trying to do, nor do we have any code, nor do we know which "forbidden" message you are receiving, when and where, you "dont exactly fully understand how the config settings are saved", yet you want answers.

Active Member

Posts

Joined
Thu Mar 04, 2021 6:34 pm

Post by paulfeakins » Fri Jan 10, 2025 6:59 pm

Joe1234 wrote:
Fri Jan 10, 2025 4:12 am
just need direction for now.
It's probably ModSecurity or Immunify360. Ask your host to disable those then try again.

UK OpenCart Hosting | OpenCart Audits | OpenCart Support - please email info@antropy.co.uk


User avatar
Guru Member
Online

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - London Gatwick, United Kingdom

Post by Joe1234 » Sat Jan 11, 2025 7:47 am

You were right modsecurity ID 211190. I don't understand why, because from what I was able to read about it, that's supposed to detect remote file access. I don't understand how that affects the local website inserting the info into the database. Either way, I guess I should leave that enabled and just save and retrieve the info the way I initially didn't want to do it. Thanks.

v3.0.3.9 php 8.1
I'm here for a reason, if your response is contact a/the developer, just don't reply.


Active Member

Posts

Joined
Sat Jan 01, 2022 5:47 am

Post by nonnedelectari » Sat Jan 11, 2025 8:44 am

Joe1234 wrote:
Sat Jan 11, 2025 7:47 am
You were right modsecurity ID 211190. I don't understand why, because from what I was able to read about it, that's supposed to detect remote file access. I don't understand how that affects the local website inserting the info into the database. Either way, I guess I should leave that enabled and just save and retrieve the info the way I initially didn't want to do it. Thanks.
mod_security deals with threat patterns in requests like any other WAF, and .htaccess is in that pattern of 211190.
and

Code: Select all

$this->request->post['guardian_g_htaccess_path']
indicates you are sending paths via a request.

Code: Select all

SecRule ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|XML:/*|!ARGS:/body/|!ARGS:code|!ARGS:/content/|!ARGS:/description/|!ARGS:/install\[values\]\[\w+\]\[fileDenyPattern\]/|!ARGS:/message/|!ARGS:Post|!ARGS:desc|!ARGS:text|!REQUEST_COOKIES:/__utm/|!REQUEST_COOKIES:/_pk_ref/|!ARGS:wpTextbox1 "(?:(?<!\w)(?:\.(?:ht(?:access|group|passwd)|www_{0,1}acl)|boot\.ini|global\.asa|httpd\.conf)\b|/etc/)" \
	"id:211190,msg:'COMODO WAF: Remote File Access Attempt||%{tx.domain}|%{tx.mode}|2',phase:2,capture,block,setvar:'tx.points=+%{tx.points_limit4}',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',ctl:'auditLogParts=+E',t:'none',t:'cmdLine',rev:8,severity:2"
for example, if I put ".htaccess" in an input field of a form to be ajax posted (a postcode in this case), I get this in the error logs and the ajax call fails (gracefully):

Code: Select all

ModSecurity: Access denied with code 404 (phase 2). Pattern match "(?:(?<!\\\\w)(?:\\\\.(?:ht(?:access|passwd|group)|www_?acl)|global\\\\.asa|httpd\\\\.conf|boot\\\\.ini)\\\\b|\\\\/etc\\\\/)" at ARGS:postcode. [file "security-crs/crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "205"] [id "950005"] [rev "3"] [msg "Remote File Access Attempt"] [data "Matched Data: .htaccess found within ARGS:postcode: .htaccess"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/FILE_INJECTION"].............
My ModSecurity is different from your host but you get the picture.

Active Member

Posts

Joined
Thu Mar 04, 2021 6:34 pm
Who is online

Users browsing this forum: pprmkr and 26 guests