Friday, January 18, 2008

Using mod_security 1.9.x with Zen-Cart (for administrators)

Note: This article is intended for a technical audience -- and while it seems to work on the systems I've tried it on since, you should use caution when modifying a production system -- caveat emptor.

I use a combination of the GotRoot mod_security rules and some finer-grained custom rules on a number of Zen-Cart installations I look after. Occasionally, though, there are problems with false positives that need to be worked around to allow the shop owners a seamless experience.

The GotRoot rules, for those unaware, are a collection of rules that protect against over 6000 different web vulnerabilities, covering generic PHP attacks, phpBB, e-commerce software and more. The set is fairly all-encompassing and I recommend it highly to everyone who asks.

Some of these generic attack signatures cause false positives when applied to Zen-Cart's admin/ directory, as well as the older-style IPN payment processor for PayPal.

To counter these, create a file called zencart-exclusions.conf in your rules directory (most installations use /etc/modsecurity/rules), open it in a text editor and add:


<LocationMatch "/admin/attributes_controller.php">
SecFilterRemove 300015
</LocationMatch>

<LocationMatch "/admin/newsletters.php">
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>

<LocationMatch "/admin/product.php">
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>

<LocationMatch "/ipn_main_handler.php">
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>


SecFilterRemove tells mod_security to drop the named rules only for requests matched by the enclosing LocationMatch block; the six-digit numbers are the GotRoot rule IDs that will be skipped there. Everywhere else those rules stay active.
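Before reloading, it is worth checking that every ID you remove actually exists in the rule set (a typo silently excludes nothing) and seeing which rules a given request path ends up without. The script below is an added example, not part of the original post or of GotRoot; the exclusions text and the rules text are constructed samples, and it assumes the GotRoot rules carry their ID in an "id:NNNNNN" action string. Because LocationMatch is an unanchored regex, the check also shows that a pattern like "/admin/newsletters.php" matches any path containing that text.

```python
import re
from typing import Dict, Set

# Constructed sample in the format of the zencart-exclusions.conf shown above.
EXCLUSIONS_CONF = """
<LocationMatch "/admin/attributes_controller.php">
SecFilterRemove 300015
</LocationMatch>

<LocationMatch "/admin/newsletters.php">
SecFilterRemove 300015
SecFilterRemove 300016
</LocationMatch>
"""

# Constructed stand-in for a GotRoot-style rules file (assumed "id:" action syntax).
RULES_CONF = """
SecFilterSelective THE_REQUEST "pattern-a" "id:300015,rev:1,severity:2,msg:'Generic attack 1'"
SecFilterSelective THE_REQUEST "pattern-b" "id:300016,rev:1,severity:2,msg:'Generic attack 2'"
"""

LOCATION_RE = re.compile(r'<LocationMatch\s+"([^"]+)">(.*?)</LocationMatch>', re.S)
REMOVE_RE = re.compile(r'^\s*SecFilterRemove\s+(\d+)', re.M)
RULE_ID_RE = re.compile(r'"id:(\d+)')


def parse_exclusions(text: str) -> Dict[str, Set[str]]:
    """Map each LocationMatch pattern to the rule IDs removed inside it."""
    return {pat: set(REMOVE_RE.findall(body)) for pat, body in LOCATION_RE.findall(text)}


def known_rule_ids(text: str) -> Set[str]:
    """Collect every rule ID defined in a rules file."""
    return set(RULE_ID_RE.findall(text))


def unknown_exclusions(exclusions: Dict[str, Set[str]], rule_ids: Set[str]) -> Dict[str, Set[str]]:
    """Removed IDs that no rule defines, i.e. exclusions that do nothing."""
    return {pat: ids - rule_ids for pat, ids in exclusions.items() if ids - rule_ids}


def disabled_for_path(exclusions: Dict[str, Set[str]], path: str) -> Set[str]:
    """Rules switched off for a request path; LocationMatch is an unanchored regex search."""
    disabled: Set[str] = set()
    for pat, ids in exclusions.items():
        if re.search(pat, path):
            disabled |= ids
    return disabled
```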

Save the file and reload your webserver configuration for the changes to take effect.
