
[TIPS] Merlin and ModSecurity - products not listed


Franck B.

Registered on : 12/04/2011

Posts : 484

Posted : 06/06/2018 10:54:52

Hello,

Hosting providers, without asking us, tend to activate the ModSecurity function on our servers, and this often causes problems ...

What is it? ModSecurity is an anti-hacking or anti-DDoS protection system. It analyzes incoming HTTP requests and filters out those that it deems doubtful.
It is based on a list of more or less strict security rules.
When setting up ModSecurity, the host can choose the rules to activate or not.

The problem this sometimes causes: some of these rules are so strict that they block some of the SQL queries produced by PrestaPricing or Merlin Backoffice.

For example, at the O2Switch host, activating ModSecurity blocks the queries for reading products when the column "Quantity available for sale" is displayed.
The request is not dangerous, but there you have it: your products will not be displayed.

Solutions:

1st solution: if you are on a dedicated server or if your host allows it, ask to disable the ModSecurity rules known to cause problems. Here is the list:
340006
340144
340145
350156
340157
340159
350147

2nd solution: if your host allows it, disable ModSecurity. Certainly, some will say that you then create a security breach. This is debatable to me because it is easy to bypass ModSecurity (see solution 3).
At O2Switch for example, this is feasible for each domain name separately, from the cPanel, "Security" tab.

3rd solution: encrypt the HTTP requests sent by Merlin Backoffice. This is enough to hide the FTP requests contained in them and thus pass the barrier of ModSecurity, which sees only a series of numbers (which shows that this system is not very secure).
How to do it: In the first window (connection), in full interface mode, go to the tab "Advanced settings" and check the option "SQL queries encrypted before being send".

Regards,
Franck
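
Added example, not part of the original post and not Merlin Backoffice code: before asking a host to disable all seven rules from solution 1, this sketch checks which of them actually denied requests on the tool's endpoint and builds an exclusion limited to that path. The log lines are constructed, and `BRIDGE`, the hostname, the client address and rule 999001 are placeholders.

```python
import re
from collections import Counter

# The seven rule IDs listed in the post.
POSTED_IDS = {"340006", "340144", "340145", "350156", "340157", "340159", "350147"}

# Hypothetical path of the shop-side script the desktop tool calls (assumption).
BRIDGE = "/modules/example_bridge/"

# Constructed error-log lines in the layout ModSecurity 2.x writes under Apache.
# Client address, hostname, URIs and rule 999001 are placeholders.
_L = ('[Wed Jun 06 10:41:0{n} 2018] [:error] [pid 4021] [client 203.0.113.7] '
      'ModSecurity: Access denied with code 403 (phase 2). [id "{rid}"] '
      '[msg "constructed"] [hostname "shop.example"] [uri "{uri}"]')
SAMPLE_LOG = "\n".join([
    _L.format(n=1, rid="340144", uri=BRIDGE + "query.php"),
    _L.format(n=2, rid="340144", uri=BRIDGE + "query.php"),
    _L.format(n=3, rid="340157", uri=BRIDGE + "query.php"),
    _L.format(n=4, rid="999001", uri=BRIDGE + "query.php"),
    _L.format(n=5, rid="340006", uri="/contact.php"),
])

FIELD = re.compile(r'\[(id|uri) "([^"]*)"\]')

def blocked_rules(log_text, uri_prefix):
    """Count the rule IDs that denied requests under uri_prefix."""
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if fields.get("uri", "").startswith(uri_prefix) and "id" in fields:
            hits[fields["id"]] += 1
    return hits

def exclusion_block(hits, uri_prefix, allowed=POSTED_IDS):
    """Emit a scoped block removing only listed rules that actually fired."""
    ids = sorted(set(hits) & allowed)
    if not ids:
        return ""
    # SecRuleRemoveById goes in server or vhost config, after the rules load.
    return (f'<LocationMatch "^{re.escape(uri_prefix)}">\n'
            f"    SecRuleRemoveById {' '.join(ids)}\n"
            "</LocationMatch>")

if __name__ == "__main__":
    hits = blocked_rules(SAMPLE_LOG, BRIDGE)
    print(dict(hits))
    print(exclusion_block(hits, BRIDGE))
```

On the sample, rule 340006 fired only on another page and 999001 is not in the posted list, so neither is removed; the rest of the site keeps the full rule set.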