I am using Magento (version 2.2.5) and I seem to need to allow PUT requests for my server (at least for the Magento program).
For specifics, on Magento entering a discount code does not work on the checkout page fails "501 (Not Implemented)". However the discount code section does work in the shopping cart page. The difference seems to be that the shopping cart page uses GET method while the checkout page uses PUT method.
How do I enable PUT method to work for Magento? Is this something which can be done through .htaccess? If it needs to be done for the entire server, is there any security risk to allow PUT requests?
I have seen somewhere that this might be related to Apache's "mod_security". I am new at this and I do not want to expose the server to any potential vulnerabilities.
Thank you in advance.
Apache allows PUT by default, but there are many different way to prohibit said method. ModSecurity (via custom rules or the Core Rule Set) is one of them. However, status code 501 is not used by ModSecurity by default. It can be customized though, but I doubt it.
Under the line, I do not think you can solve this mystery without access to the error-log of the server or communicating with somebody who has access.
Related
I am currently hosting the contents of a site with ProviderA. I have a domain registered with ProviderB. I want users to access the contents (www.providerA.com/sub/content) by visiting www.providerB.com. A domain forward is easy enough and works as intended, however, unless I embed the site in a frame (which is a big no-no), the actual URL reads www.providerA.com/sub/content despite the user inputting www.providerB.com.
I really need a solution for this. A domain masking without the use of a frame. I'm sure this has been done before. An .htaccess domain rewrite?
Your help would be hugely appreciated! I'm going nuts trying to find a solution.
For Apache
Usual way: setup mod_proxy. The apache on providerB becomes a client to providerA's apache. It gets the content and sends it back to the client.
But looks like you only have .htaccess. So no proxy, you need full configuration access for that.
So you cannot, see: How to set up proxy in .htaccess
If you have PHP on providerB
Setup a proxy written in PHP. All requests to providerB are intercepted by that PHP proxy. It gets the content from providerA and sends it back. So it does the same thing as the Apache module. However, depending on the quality of the implementation, it might fail on some requests, types, sizes, timeouts, ...
Search for "php proxy" on the web, you will see a couple available on GitHub and others. YMMV as to how difficult it is to setup, and the reliability.
No PHP but some other server side language
Obviously that could be done in another language, I checked PHP because that is what I use the most.
The best solution would be to transfer the content to providerB :-)
After Apache upgrade on my shared server, I have been having nightmare issues with the form input on all of my reseller hosting accounts. The clients get 403 (or in case of Wordpress install, 404, which has really confused me) after the simplest, most innocent looking form input. For example "he is having a lot of trouble" in a text field results in 403!
It took almost two weeks to figure out what's going on, as the error seemed random and hard to replicate, but after I asked for exact text from the clients that they were not able to enter, we got to the modsec issue. The answer from tech help was "While checking the issue in detail, we found that a mod_security rule was getting triggered on the server while trying to submit the content as "he is having a lot of trouble". We have whitelisted the rule for the website which resolved the issues.".
My question is - how can I deal with this proactively? Is there a list of rules for mod_security that I can check, test some input, ask for additional whitelisting etc? With about a 100 accounts all having problems, it's enough to want to get out of the hosting business all together.
I don't understand your scenario or your question. Are you managing the host or not?
It sounds like you are hosting sites on a shared server so do not have access to the full server but are setting hosts up for clients - is that right?
Running a WAF like ModSecurity requires monitoring log files to identify false positives like this. If you do not have access to the log files then you need to ask your hosting provider what there options are for managing this sort of thing? Or will they do nothing until you raise it?
You can also ask to turn off ModSecurity completely. Most sites get on fine without a WAF - though personally I think they do add value and security.
Finally as to what rules are running on your instance only your tech help can answer that. ModSecurity itself is only an engine and comes with no rules. People can write their own, but some, or use free sets of rules like the OWASP Core Rule Set. So depending what you have would depend how you can test this. Most rules are fairly generic in nature so do result in false positives unless tweaked.
I am doing some reverse engineering on a website.
We are using LAMP stack under CENTOS 5, without any commercial/open source framework (symfony, laravel, etc). Just plain PHP with an in-house framework.
I wonder if there is any way to know which files in the server have been used to produce a request.
For example, let's say I am requesting http://myserver.com/index.php.
Let's assume that 'index.php' calls other PHP scripts (e.g. to connect to the database and retrieve some info), it also includes a couple of other html files, etc
How can I get the list of those accessed files?
I already tried to enable the server-status directive in apache, and although it is working I can't get what I want (I also passed the 'refresh' parameter)
I also used lsof -c httpd, as suggested in other forums, but it is producing a very big output and I can't find what I'm looking for.
I also read the apache logs, but I am only getting the requests that the server handled.
Some other users suggested to add the PHP directives like 'self', but that means I need to know which files I need to modify to include that directive beforehand (which I don't) and which is precisely what I am trying to find out.
Is that actually possible to trace the internal activity of the server and get those file names and locations?
Regards.
Not that I tried this, but it looks like mod_log_config is the answer to my own question
I am new to webhosting and building a very small PHP website as a part of my project. It will not be used for practical purposes for now, but still I want to make sure that it is not TOO insecure.
I have a few files which I don't want users to access by URL(some text and CSV files) but my PHP code should be able to use them. How can I achieve something like this?
If you don't want them accessed by the web server but just by PHP, the best thing is to just keep them outside the webroot.
You can block access using .htaccess, but that will prevent you from using pretty much any other web server than Apache, and it adds un-necessary overhead (and a possible vulnerability if the .htaccess is accidentally removed or configured wrong)
We are putting up a company blog at companyname.com/blog but for now the blog is a Wordpress installation that lives on a different server (blog.companyname.com).
The intention is to have the blog and web site both on the same server in a month or two, but that leaves a problem in the interim.
At the moment I am using mod_rewrite to do the following:
http://companyname.com/blog/article-name redirects to http://blog.companyname.com/article-name
Can I somehow keep the address bar displaying companyname.com/blog even though the content is coming from the latter blog.companyname.com?
I can see how to do this if it is on the same server and vhost, but not across a different server?
Thanks
Rather than using mod_rewrite, you could use mod_proxy to set up a reverse proxy on companyname.com, so that requests to http://companyname.com/blog/article-name are proxied (rather than redirected) to http://blog.companyname.com/article-name.
Here are more instructions and examples.
There is functionality with ZoneEdit called webforwards which could probably do this and hide what you are actually doing (unless someone looked into it).
The only thing that mod_rewrite can do is send HTTP header redirects, and those redirects (across servers) always result in the browser address bar reflecting the reality.
You should instead consider writing a 404 script that 'reflects' the blog. This would essentially be a transparent proxy, and many are already written.
The script would find if the requested page (that was 404'd) started with http://mycompany.com/blog/ . If it did, it would download and then send onto the client the blog page and associated files (probably caching them as well).
So requesting http://mycompany.com/blog/article_xyz would cause the 404 script to download and send http://blog.companyname.com/article_xyz.
It's probably more work than it's worth, but you might be able to design a simple enough 404 script that it's worthwhile.
-Adam