mod_secure should be disabled

Hello,



I've downloaded the CSC Ultimate version and installed it on MAMP/Locahost without any problem.

I found this version much better than the professional 2.1.1 version I'm using on my website so I decided to install it on my host server for testing before to buy a licence.



During the first step of installation the Checking requirements fails :

Fail mod_secure enabled

mod_secure should be disabled



I've tried to find a solution on the forums, but couldn't understand what to do…

On my host - infomaniak.ch - mod_security is global and can't be desabled (found that information on the FAQ's)



Is there a way to install this version on my server ?

Generally mod_security does not need to be completely disabled. The are 4-5 rules that need to be disabled and that can be done per domain.



Sent from my EVO using Tapatalk 2


[quote name='tletourneau' timestamp='1376313920' post='166683']

Generally mod_security does not need to be completely disabled. The are 4-5 rules that need to be disabled and that can be done per domain.



Sent from my EVO using Tapatalk 2

[/quote]



Can you tell me how to do that on my host ?

[quote name='tletourneau' timestamp='1376313920' post='166683']

Generally mod_security does not need to be completely disabled. The are 4-5 rules that need to be disabled and that can be done per domain.



Sent from my EVO using Tapatalk 2

[/quote]



Sorry : 1st → thank you for the answer !

The rules to ignore are:

950904

950906

959007

950107



There are a few ways to do it depending on how your host is setup. They should be able to disable the requested rules for just your domain on request. If they can't google “disable mod_security rules by ID” to see if one of those options work for you. If they do not then you may want to consider changing hosting companies. Any of the hosts listed in the Marketplace → Third party Solutions ->Compatible Hosting will work with CS-Cart without issue. I personally like RangeHosting.

I had a different issue with Globals and was able to resolve it and install it by changing the Globals report to false in validator.php. Check in install/app/installer/validator.php. Line 387 /**

* Check if ModeSecurity is disabled. PS Mine was reporting Register Globals wrong since the Register Globals were already disabled in the Server

@tletourneau : I asked my hosting companie, but there is no way to ignore rules ! They don't want to do it.



I had no problem with previous version of CSC, and don't want to change my hosting companie just because of an upgrade. Will try to look for other people hosted on Infomaniak servers and using CSC. I' can't be the only one in switzerland…

[quote name='zeero6' timestamp='1376425494' post='166767']

I had a different issue with Globals and was able to resolve it and install it by changing the Globals report to false in validator.php. Check in install/app/installer/validator.php. Line 387 /**

* Check if ModeSecurity is disabled. PS Mine was reporting Register Globals wrong since the Register Globals were already disabled in the Server

[/quote]



@zeero6 : Thank you. I will try the workaround with Line 387 in validator.php and tell you soon if it works for me.

The workaround with line 387 worked fine. I could install CSC on my server !



I'm still a little bit woried about the fact that the mod_secure isn't disabled → can I take the risk to use CSC with this configuration ? Have I to test something before buying a licence ?

[quote name='ymul' timestamp='1377593512' post='167425']

The workaround with line 387 worked fine. I could install CSC on my server !



I'm still a little bit woried about the fact that the mod_secure isn't disabled → can I take the risk to use CSC with this configuration ? Have I to test something before buying a licence ?

[/quote]



I'm working since 2-3 days on my future version, without any problem.



But I would like to be sure about the mod_secure setting of my server ?

I found this. Can be disabled per domain in htaccess [url=“Turn off mod_security for a site | Web Hosting Talk”]Turn off mod_security for a site | Web Hosting Talk

[quote name='zeero6' timestamp='1377797585' post='167566']

I found this. Can be disabled per domain in htaccess http://www.webhostin…ad.php?t=888019

[/quote]

Thanks @zeero6, I'll try it.

I'm still working on my new version, without any problem. Since I don't know the risks when disabling mod_secure, I will not try to do it if everything is working well… Thanks for the answers.

I installed the 4.0.2 alpha and noticed that the installer didn't complain about mod_secure like it did with 4.0.1.

Hi guys, I'm also having the same problem. I cannot get past this mod_secure thing!



I tried editing the php as suggested but I'm not sure I'm making the right changes, because it hasn't worked for me. I tried changing anything mod_secure from “true” to “false” individually with no luck.



Could someone help me find the right spot in this code?



_______________________________________________________



/**

* Check if ModeSecurity is disabled

*

* @return bool true if disabled

*/

public function isModeSecurityDisabled()

{

$checking_result = true;

ob_start();

phpinfo(INFO_MODULES);

$_info = ob_get_contents();

ob_end_clean();

if (strpos($_info, 'mod_security') !== false) {

App::instance()->setNotification('E', App::instance()->t('error'), App::instance()->t('text_mod_security'), true, 'validator');

$checking_result = false;

}

return $checking_result;

}



___________________________________________________________________





I also tried adding the code to htaccess as suggested with no luck.



Also, my hosting company said that they disabled the mod_secure for my domain and don't know how else how to help me.



As you can see I've been stuck here a while! I'd really appreciate any help!

I'm running into the same problem, but it seems the code in validator.php has changed. I did remove this snippet of code in there, but still got the warning. How do we bypass this on v4.1.3 fresh install?


/**
* Check if ModeSecurity is disabled
*
* @return bool true if disabled
*/
public function isModeSecurityDisabled()
{
$checking_result = parent::isModeSecurityDisabled();
if (!$checking_result) {
App::instance()->setNotification('E', App::instance()->t('error'), App::instance()->t('text_mod_security'), true, 'validator');
}
return $checking_result;
}

[quote name=‘idslamyou’ timestamp=‘1396453859’ post=‘180777’]

I’m running into the same problem, but it seems the code in validator.php has changed. I did remove this snippet of code in there, but still got the warning. How do we bypass this on v4.1.3 fresh install?

<br />
	/**<br />
	 * Check if ModeSecurity is disabled<br />
	 *<br />
	 * @return bool true if disabled<br />
	 */<br />
	public function isModeSecurityDisabled()<br />
	{<br />
		$checking_result = parent::isModeSecurityDisabled();<br />
		if (!$checking_result) {<br />
			App::instance()->setNotification('E', App::instance()->t('error'), App::instance()->t('text_mod_security'), true, 'validator');<br />
		}<br />
		return $checking_result;<br />
	}<br />

```<br />
[/quote]<br />
<br />
It is similar in 4.2.1 as well, how can we get around the mod_secure check?<br />
<br />
```php
<br />
    /**<br />
	 * Check if ModeSecurity is disabled<br />
	 *<br />
	 * @return bool true if disabled<br />
	 */<br />
    public function isModeSecurityDisabled()<br />
    {<br />
	    $checking_result = parent::isModeSecurityDisabled();<br />
	    return $checking_result;<br />
    }<br />

```<br />
<br />
I've looked into using .htaccess file as well, both by trying things found by Google searching:<br />
<br />
```php
<br />
<LocationMatch .*><br />
<IfModule mod_security2.c><br />
SecRuleRemoveById 950904<br />
SecRuleRemoveById 950906<br />
SecRuleRemoveById 959007<br />
SecRuleRemoveById ​950107<br />
</IfModule><br />
</LocationMatch><br />

```<br />
<br />
and<br />
<br />
```php
<br />
<IfModule mod_security.c><br />
SecFilterEngine Off<br />
SecFilterScanPOST Off<br />
</IfModule><br />

```<br />
<br />
There has to be an easier way to install CS-Cart 4 on my server. We didn't have any of these issues with 3.X. <img src="upload://qv5zppiN69qCk2Y6JzaFYhrff8S.gif" class="bbc_emoticon" alt=":?">