Zen Cart – 403 error
- This topic has 25 replies, 2 voices, and was last updated 10 years, 6 months ago by DivaVocals.
DivaVocalsParticipant
My main site is a WordPress site, and I am adding on a Zen Cart store in a sub-directory to replace my old free downloads page..
Since WordPress is in the site root and the Zen Cart shop is in a sub-directory inside the root, BPS’s .htaccess is blocking my site visitors/customers access to their downloads.. When the file download link is clicked the visitor gets a 403 error.. (Looks like the BPS 403 page) If I turn off the .htaccess file that BPS creates (which activates the WordPress default .htaccess file), then Zen Cart downloads work fine..
My downloads are configured to use a redirect. The download URL the visitor clicks on looks similar to this:
/shop/index.php?main_page=download&order=8&id=11&zenid=uls20j4aj2csnv5uenv9a9f3e0
It redirects to a URL that looks like this:
/shop/pub/.bfruicfujzbwol-1379964743/mydownloadfile.zip
The site visitor never sees the actual download file location.. The settings in the .htaccess in the pub directory are set so that the file will download automatically..
Apache directives are not a strong skillset for me.. So I haven’t a CLUE which one of the BPS directives is interfering with the downloads.. Was hoping I could borrow your eagle eyes to help me sort this out.. PLEASE!!!!!
AITpro AdminKeymaster
The simplest way to handle this would be to create a bypass RewriteRule for the shop folder in BPS Custom Code:
1. Copy this code below to this BPS Custom Code text box:
2. Click the Save Root Custom Code button.
3. Go to the BPS Security Modes page and click the Root Folder BulletProof Mode Activate button.
Note: If your WordPress site is a subfolder site and NOT a root WordPress site then you would add the subfolder name to the RewriteBase: Example: RewriteBase /my-wordpress-subfolder-name/
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# RewriteRule for Custom Apps outside of WP
RewriteRule ^shop/ - [L]
DivaVocalsParticipant
The site is set up like this:
WordPress – mysite.com
Zen Cart – mysite.com/shop
I added the code as you specified, and I still get the 403 error.. Do I need to clear my browser cache to see the results?
AITpro AdminKeymaster
Did you do all the steps above? If so, and the bypass rule did not work then an alternative solution is to add a RewriteEngine Off .htaccess file in the /shop folder.
Create a text file in Notepad (Not Microsoft Word – MUST BE NOTEPAD) named securityoff.htaccess. In that text file add this one line of .htaccess code.
RewriteEngine Off
Upload the securityoff.htaccess file to your /shop folder. Once you have uploaded the file, rename it to just .htaccess – removing “securityoff” from the file name.
DivaVocalsParticipant
Followed your instructions to the letter:
# CUSTOM CODE WP REWRITE LOOP START
# WP REWRITE LOOP START
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
# RewriteRule for Custom Apps outside of WP
RewriteRule ^shop/ - [L]
I added the .htaccess file to the /shop folder, and still no dice.
AITpro AdminKeymaster
Ok then there is something additional going on here and this issue is not a straightforward issue. What I suspect is that you have some sort of link or middleware plugin/software from your WordPress site that is connecting to your /shop site. If that theory is correct then you would need to whitelist whatever the connection/link is. Also there should be 403 errors logged in your BPS Security log which will show exactly what is being blocked. Post those BPS Security Log errors.
AITpro AdminKeymaster
Hmm, I wonder if all you need to do is alter/edit this security filter/rule in your root .htaccess file? Give it a try and remove “order” from this security filter in your root .htaccess file.
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
The security filter/rule after removing “order” from the security rule/filter above.
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|script|set|md5|benchmark|encode) [NC,OR]
DivaVocalsParticipant
I do have a plugin that displays Zen Cart product info and the shopping cart totals in the WordPress site, but it’s unrelated to the downloads functionality.. The plugin doesn’t replicate ANY shopping cart functions in WordPress, it merely displays specific Zen Cart data (product and shopping cart totals) in WordPress.. So I’m not sure if whitelisting it will solve the issue, and I’m not sure what to whitelist either..
I am not getting ANYTHING in my log files, and yes I do have logging turned on..
Regarding the security rule.. I tried making the change you suggest before I posted today.. No dice..
AITpro AdminKeymaster
Ok create a temporary Admin login account and send the login information directly to Ed’s email: edward[at] ait-pro.com. Thanks.
DivaVocalsParticipant
You are a doll.. Done.. Let me know if you get the credentials..
AITpro AdminKeymaster
Hello,
This is Ed. I have received the login info and will be logging in now. I have some questions I will be sending you to get the overall picture of how Zen Cart is working together with WP on your site and will need to know where to look at and check the download links. Thanks.
–Ed
DivaVocalsParticipant
Just commented out everything in my BPS .htaccess file and re-activated everything one by one.. this is the line that is causing the issue..
# DENY ACCESS TO PROTECTED SERVER FILES – .htaccess, .htpasswd and all file names starting with dot
RedirectMatch 403 /\..*$
With it disabled, the downloads work as they should (no 403 errors, NO re-directing/exposing the end user to the actual download file location in the Zen Cart pub directory)
I replaced that section with this:
# DENY ACCESS TO PROTECTED SERVER FILES - .htaccess, .htpasswd and all file names starting with dot
#THIS IS A PROBLEM LINE
#RedirectMatch 403 /\..*$
order allow,deny
deny from all
satisfy all
AITpro AdminKeymaster
Good catch. I totally spaced out and did not even see the dot (.) in the URL path which would match this condition: “/.” Was focusing on the wrong things. LOL
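Added example (not part of the original posts and not BPS code): a small Python check that runs the two deny rules quoted in this thread against the two URLs from the first post, showing that the query-string filter never fires on the download link while the dot rule matches the redirect target. `NARROW_DOT_RULE` is a hypothetical alternative pattern, and Python's `re` stands in for Apache's PCRE matching.

```python
import re
from urllib.parse import urlsplit

# Patterns copied from the thread. RedirectMatch tests the URL path only;
# the RewriteCond tests %{QUERY_STRING} with [NC] (case-insensitive).
DOT_RULE = re.compile(r"/\..*$")
QUERY_RULE = re.compile(
    r"""(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode)""",
    re.IGNORECASE,
)

# Hypothetical narrower rule (an assumption, not from BPS or the thread):
# still deny any path containing "/." unless the request is for a non-dot
# file sitting directly inside a dot-directory under /shop/pub/.
NARROW_DOT_RULE = re.compile(r"^(?!/shop/pub/\.[^/]+/[^/.][^/]*$).*/\.")

# The two URLs quoted in the first post.
DOWNLOAD_LINK = ("/shop/index.php?main_page=download&order=8&id=11"
                 "&zenid=uls20j4aj2csnv5uenv9a9f3e0")
REDIRECT_TARGET = "/shop/pub/.bfruicfujzbwol-1379964743/mydownloadfile.zip"


def blocking_rules(url, dot_rule=DOT_RULE):
    """Return the names of the deny rules a request URL would trigger."""
    parts = urlsplit(url)
    hits = []
    if dot_rule.search(parts.path):      # matched against the path only
        hits.append("dot-path")
    if QUERY_RULE.search(parts.query):   # matched against the query string only
        hits.append("query-filter")
    return hits


if __name__ == "__main__":
    # "/shop/pub/.htaccess" is a constructed path to show what stays denied.
    for url in (DOWNLOAD_LINK, REDIRECT_TARGET, "/shop/pub/.htaccess"):
        print(url)
        print("  BPS rules   :", blocking_rules(url))
        print("  narrow rule :", blocking_rules(url, NARROW_DOT_RULE))
```

The query-string filter needs one of its leading metacharacters before a keyword such as `order`, which is why removing `order` from it changed nothing for this download link.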
DivaVocalsParticipant
No worries.. Yeah the Zen Cart/WordPress integration usually throws folks off when troubleshooting stuff, but I was pretty confident that the issue was caused by the BPS .htaccess because it would be the controlling .htaccess file for my site because WordPress is the ROOT of my site.
Anyway thanks for helping.. All is good for now.. 🙂
DivaVocalsParticipant
One more question.. In this section of the .htaccess file:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
I added one line as follows:
# DON'T rewrite URIs beginning with /shop/
RewriteCond %{REQUEST_URI} !^/shop/ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
I need this so that the .htaccess for the blog isn’t interfering with my store's URL re-writer and the supporting shop .htaccess file. But it doesn’t seem to be working..
Any ideas??