Zen Cart – 403 error

  • #10041
    DivaVocals
    Participant

    My main site is a WordPress site, and I am adding on a Zen Cart store in a sub-directory to replace my old free downloads page..

    Since WordPress is in the site root and the Zen Cart shop is in a sub-directory inside the root, BPS’s .htaccess is blocking my site visitors/customers access to their downloads.. When the file download link is clicked the visitor gets a 403 error.. (Looks like the BPS 403 page) If I turn off the .htaccess file that BPS creates (which activates the WordPress default .htaccess file), then Zen Cart downloads work fine..

    My downloads are configured to use a redirect. The download URL the visitor clicks on looks similar to this:

    /shop/index.php?main_page=download&order=8&id=11&zenid=uls20j4aj2csnv5uenv9a9f3e0

    It redirects to a URL that looks like this:

    /shop/pub/.bfruicfujzbwol-1379964743/mydownloadfile.zip

    The site visitor never sees the actual download file location.. The settings in the .htaccess in the pub directory are set so that the file will download automatically..

    Apache directives are not a strong skillset for me.. So I haven’t a CLUE which one of the BPS directives is interfering with the downloads.. Was hoping I could borrow your eagle eyes to help me sort this out.. PLEASE!!!!!

    #10046
    AITpro Admin
    Keymaster

    The simplest way to handle this would be to create a bypass RewriteRule for the shop folder in BPS Custom Code:

    1. Copy this code below to this BPS Custom Code text box:  
    2. Click the Save Root Custom Code button.
    3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
    Note:  If your WordPress site is a subfolder site and NOT a root WordPress site then you would add the subfolder name to the RewriteBase:  Example:  RewriteBase /my-wordpress-subfolder-name/

    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # RewriteRule for Custom Apps outside of WP
    RewriteRule ^shop/ - [L]

    #10051
    DivaVocals
    Participant

    The site is set up like this:

    WordPress – mysite.com
    Zen Cart – mysite.com/shop

    I added the code as you specified, and I still get the 403 error.. Do I need to clear my browser cache to see the results?

    #10052
    AITpro Admin
    Keymaster

    Did you do all the steps above?  If so, and the bypass rule did not work then an alternative solution is to add a RewriteEngine Off .htaccess file in the /shop folder.

    Create a text file in Notepad (Not Microsoft Word – MUST BE NOTEPAD) named securityoff.htaccess.  In that text file add this one line of .htaccess code.

    RewriteEngine Off

    Upload the securityoff.htaccess file to your /shop folder.   Once you have uploaded the file, rename it to just .htaccess – removing “securityoff” from the file name.

    #10056
    DivaVocals
    Participant

    Followed your instructions to the letter:

    # CUSTOM CODE WP REWRITE LOOP START
    # WP REWRITE LOOP START
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    
    # RewriteRule for Custom Apps outside of WP
    RewriteRule ^shop/ - [L]

    I added the .htaccess file to the /shop folder, and still no dice.

    #10057
    AITpro Admin
    Keymaster

    Ok then there is something additional going on here and this issue is not a straightforward issue.  What I suspect is that you have some sort of link or middleware plugin/software from your WordPress site that is connecting to your /shop site.  If that theory is correct then you would need to whitelist whatever the connection/link is.  Also there should be 403 errors logged in your BPS Security log which will show exactly what is being blocked.  Post those BPS Security Log errors.

     

     

    #10059
    AITpro Admin
    Keymaster

    Hmm, I wonder if all you need to do is alter/edit this security filter/rule in your root .htaccess file?  Give it a try and remove “order” from this security filter in your root .htaccess file.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

    The security filter/rule after removing “order” from the security rule/filter above.

    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|script|set|md5|benchmark|encode) [NC,OR]

    #10065
    DivaVocals
    Participant

    I do have a plugin that displays Zen Cart product info and the shopping cart totals in the WordPress site, but it’s unrelated to the downloads functionality.. The plugin doesn’t replicate ANY shopping cart functions in WordPress, it merely displays specific Zen Cart data (product and shopping cart totals) in WordPress.. So I’m not sure if whitelisting it will solve the issue, and I’m not sure what to whitelist either..

    I am not getting ANYTHING in my log files, and yes I do have logging turned on..

    Regarding the security rule.. I tried making the change you suggest before I posted today.. No dice..

    #10067
    AITpro Admin
    Keymaster

    Ok create a temporary Admin login account and send the login information directly to Ed’s email:  edward[at] ait-pro.com.  Thanks.

    #10068
    DivaVocals
    Participant

    You are a doll.. Done.. Let me know if you get the credentials..

    #10069
    AITpro Admin
    Keymaster

    Hello,

    This is Ed.  I have received the login info and will be logging in now.  I have some questions I will be sending you to get the overall picture of how Zen Cart is working together with WP on your site and will need to know where to look at and check the download links.  Thanks.

    –Ed

    #10070
    DivaVocals
    Participant

    Just commented out everything in my BPS .htaccess file and re-activated everything one by one.. this is the line that is causing the issue..

    # DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
    RedirectMatch 403 /\..*$

    With it disabled, the downloads work as they should (no 403 errors, NO re-directing/exposing the end user to the actual download file location in the Zen Cart pub directory)

    I replaced that section with this:

    # DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
    #THIS IS A PROBLEM LINE
    #RedirectMatch 403 /\..*$
    order allow,deny
    deny from all
    satisfy all

    #10079
    AITpro Admin
    Keymaster

    Good catch.  I totally spaced out and did not even see the dot (.) in the URL path which would match this condition:  “/.”  Was focusing on the wrong things.  LOL
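
Added example (not part of the original posts and not BPS code): a Python check of the two rules quoted in this thread against the request paths DivaVocals posted, showing that only the dot-file rule fires on the download redirect. `RedirectMatch` is a mod_alias directive, so neither the `RewriteRule ^shop/ - [L]` bypass nor `RewriteEngine Off` in /shop affects it. `NARROWED_RULE`, the function names and the query `note=it's+my+order` are assumptions; the directory-name shape is inferred from the single example path in the thread.

```python
import re

# Rules quoted in the thread, from the root .htaccess that BPS writes.
DOTFILE_RULE = re.compile(r"/\..*$")  # RedirectMatch 403 /\..*$  (mod_alias)
QUERY_FILTER = re.compile(            # RewriteCond %{QUERY_STRING} ... [NC,OR]
    r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
    r"(/\*|union|select|insert|drop|delete|update|cast|create|char|convert"
    r"|alter|declare|order|script|set|md5|benchmark|encode)",
    re.IGNORECASE,                    # [NC]
)
# Assumption, not from the thread: still refuse every dot-prefixed path segment,
# except a non-dot file directly inside /shop/pub/.<letters>-<digits>/
NARROWED_RULE = re.compile(r"^(?!/shop/pub/\.[a-z]+-[0-9]+/[^./][^/]*$).*/\.")


def rules_hit(path, query=""):
    """Names of the quoted rules that match this URL path / query string."""
    hits = []
    if DOTFILE_RULE.search(path):
        hits.append("dotfile-403")
    if QUERY_FILTER.search(query):
        hits.append("query-filter")
    return hits


def narrowed_blocks(path):
    """True if the assumed narrowed pattern would still answer 403."""
    return NARROWED_RULE.search(path) is not None


# The two requests from the thread, plus constructed controls (marked).
SAMPLES = [
    ("/shop/index.php",
     "main_page=download&order=8&id=11&zenid=uls20j4aj2csnv5uenv9a9f3e0"),
    ("/shop/pub/.bfruicfujzbwol-1379964743/mydownloadfile.zip", ""),
    ("/shop/pub/.htaccess", ""),                             # constructed
    ("/shop/pub/.bfruicfujzbwol-1379964743/.htaccess", ""),  # constructed
    ("/index.php", "note=it's+my+order"),                    # constructed, benign
]

if __name__ == "__main__":
    for path, query in SAMPLES:
        print(path, rules_hit(path, query), "narrowed:", narrowed_blocks(path))
```

The download link's query string contains none of the leading characters the query filter requires, which is consistent with removing “order” having had no effect.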

    #10082
    DivaVocals
    Participant

    No worries.. Yeah the Zen Cart/WordPress integration usually throws folks off when troubleshooting stuff, but I was pretty confident that the issue was caused by the BPS .htaccess because it would be the controlling .htaccess file for my site because WordPress is the ROOT of my site.

    Anyway thanks for helping.. All is good for now.. 🙂

    #10085
    DivaVocals
    Participant

    One more question.. In this section of the .htaccess file:

    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    I added one line as follows:

    # DON'T rewrite URIs beginning with /shop/
    RewriteCond %{REQUEST_URI} !^/shop/ [NC]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]

    I need this so that the .htaccess for the blog isn’t interfering with my store's URL re-writer and the supporting shop .htaccess file. But it doesn’t seem to be working..

    Any ideas??
