Jump to content

Template e-Trend (by WebCity) issue with style.css


Mec4D

Recommended Posts

I have issue with the e-Trend Template, I updated it today but still the server blocked my IP again

they send me the 2 logs files bellow

===
[Thu Jul 02 17:08:16.951118 2020] [:error] [pid 4676:tid 46936274851584] [client 172.58.236.124:36832] [client 172.58.236.124] ModSecurity: Access denied with code 403 (phase 1). Matched phrase "-h" at MATCHED_VAR. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/22_PHP_PHPGen.conf"] [line "19"] [id "220030"] [rev "4"] [msg "COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)||mec4d.net|F|2"] [severity "CRITICAL"] [hostname "mec4d.net"] [uri "/store/skins/e-trend/icomoon/fonts/icomoon.woff"] [unique_id "Xv5MwGohopEy8ddQqPnNsQAAAAY"], referer: http://mec4d.net/store/skins/e-trend/icomoon/style.css
===
  Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 69.126.218.76] ModSecurity: Access denied with code 403 (phase 1). Matched phrase "-h" at MATCHED_VAR. [file "/etc/apache2/conf.d/modsec_vendor_configs/comodo_apache/22_PHP_PHPGen.conf"] [line "19"] [id "220030"] [rev "4"] [msg "COMODO WAF: Vulnerability in PHP before 5.3.12 and 5.4.x before 5.4.2 (CVE-2012-1823)||www.mec4d.net|F|2"] [severity "CRITICAL"] [hostname "www.mec4d.net"] [uri "/store/skins/e-trend/icomoon/fonts/icomoon.ttf"] [unique_id "Xv9fxOSSnojUdKRt3klPbQAAAFI"]
 
===
The IP was blocked with the code 403. Mod Security scans for violations of the rules it has set. If an action occurs that violates one of these rules, the server will throw a 406 error and the IP address will be blocked if there is continuous request in an interval. The rule ID 220030 was triggered for your account and then the IP address is blocked in the server firewall. Since these Modsecurity rules are human made, there will be some faults with it and block such genuine requests, which matches the pattern in the URL.

 

the problem is that my IP address is blocked for the error code 403. Mod Security scans for violations of the rules it has set. If an action occurs that violates one of these rules, the server will throw a 403 error and the IP address will be blocked if there is continuous request in an interval.And the URL with which it got triggered is the style.css from the e-Trend Template

the style.css code

@font-face {
font-family : 'icomoon';
src : url("fonts/icomoon.eot?-hwvopr");
src : url("fonts/icomoon.eot?#iefix-hwvopr") format('embedded-opentype'), url("fonts/icomoon.woff?-hwvopr") format('woff'), url("fonts/icomoon.ttf?-hwvopr") format('truetype'), url("fonts/icomoon.svg?-hwvopr#icomoon") format('svg');
font-weight : normal;
font-style : normal;
}
.icon {
font-family : 'icomoon';
font-style : normal;
font-weight : normal;
font-variant : normal;
text-transform : none;
line-height : 1;
}
.icon-basket:before {
content : "\e600";
}
.icon-open:before {
content : "\e601";
}
.icon-sale:before {
content : "\e602";
}
.icon-envelope:before {
content : "\e628";
}
.icon-phone:before {
content : "\e603";
}
.icon-mobile:before {
content : "\e61f";
}
.icon-directions:before {
content : "\e604";
}
.icon-paperplane:before {
content : "\e605";
}
.icon-house:before {
content : "\e606";
}
.icon-search:before {
content : "\e607";
}
.icon-cog:before {
content : "\e608";
}
.icon-tag:before {
content : "\e609";
}
.icon-newspaper:before {
content : "\e620";
}
.icon-creditcard:before {
content : "\e60a";
}
.icon-cart:before {
content : "\e60b";
}
.icon-box:before {
content : "\e60c";
}
.icon-lock:before {
content : "\e60d";
}
.icon-lock-open:before {
content : "\e60e";
}
.icon-logout:before {
content : "\e60f";
}
.icon-login:before {
content : "\e610";
}
.icon-tick:before {
content : "\e611";
}
.icon-cross:before {
content : "\e612";
}
.icon-minus:before {
content : "\e613";
}
.icon-plus:before {
content : "\e614";
}
.icon-cross2:before {
content : "\e615";
}
.icon-info:before {
content : "\e616";
}
.icon-help:before {
content : "\e617";
}
.icon-warning:before {
content : "\e618";
}
.icon-cycle:before {
content : "\e619";
}
.icon-list:before {
content : "\e61a";
}
.icon-arrow-left:before {
content : "\e61b";
}
.icon-arrow-down:before {
content : "\e61c";
}
.icon-arrow-up:before {
content : "\e61d";
}
.icon-arrow-right:before {
content : "\e61e";
}
.icon-gift:before {
content : "\e624";
}
.icon-star:before {
content : "\e625";
}
.icon-star2:before {
content : "\e626";
}
.icon-star3:before {
content : "\e627";
}

I validated the code and everything looks fine , I removed 2 errors 

I don't know what else to do with it I am desperate, all my customers get blocked once they visit the store more than once 

it. is frustrating

Thanks for your help in advance

Cath

Link to comment
Share on other sites

Better info follows.

Ignore this post.

=================================

As a work-around, in the style.css file:

Delete:

@font-face {
font-family : 'icomoon';
src : url("fonts/icomoon.eot?-hwvopr");
src : url("fonts/icomoon.eot?#iefix-hwvopr") format('embedded-opentype'), url("fonts/icomoon.woff?-hwvopr") format('woff'), url("fonts/icomoon.ttf?-hwvopr") format('truetype'), url("fonts/icomoon.svg?-hwvopr#icomoon") format('svg');
font-weight : normal;
font-style : normal;
}
.icon {
font-family : 'icomoon';
font-style : normal;
font-weight : normal;
font-variant : normal;
text-transform : none;
line-height : 1;
}

The problem then becomes, what icons will be shown?

Link to comment
Share on other sites

Hi

Thanks for the quick reply, I have no access at this moment to my FTP, waiting for them to whitelist my IP again for 24h so I can get access to the files and edit it.

I think that is a good idea to get rid of the fonts , but if the rest will works? I hope so

the server is triggered everyday with the different fonts, it was fine for 5 years but suddenly it bother it for some reason.

Thanks again and I will let you know how it worked out

Cath

Link to comment
Share on other sites

I would imagine it is this that is triggering:

url("fonts/icomoon.eot?-hwvopr");

Note the -h in the string of characters.

I do not know what the effect would be one were to simply remove the -hwvopr from the statements.

Link to comment
Share on other sites

I will try it, the validation of the css was ok after I removed it

btw the server security is triggered by the 2 lines

url('fonts/icomoon.woff?-hwvopr') format('woff'),
url('fonts/icomoon.ttf?-hwvopr') format('truetype'),

 

Link to comment
Share on other sites

yesterday the server blocked me for that

[severity "CRITICAL"] [hostname "mec4d.net"] [uri "/store/skins/e-trend/icomoon/fonts/icomoon.woff"] 

I need to make a good decision here or I gonna be blocked for another 24h again

maybe better idea to get rid of the fonts

I checked with my css validator after removing the -hwvopr , no errors after

I also removed the lines as it gives me css error, it was not valid

	/* Better Font Rendering =========== */
	-webkit-font-smoothing: antialiased;
	-moz-osx-font-smoothing: grayscale;

 

Link to comment
Share on other sites

Here is what I am coming to understand.

The font files have a certain name, that's all well and good, and the browser will cache them internally.

But what if the font file changes? It has the same name.

Thus, a technique is used called 'cache-busting'. Many browsers will know to fetch a fresh copy when it sees a querystring on the URL. The querystring starts with a question mark - and that's all that is (usually) needed.

This querystring, starting with the question mark,

?-hwvopr

most likely indicates a version code, or a package number from a collection of packages of sets of icons on someone's ICOMoon premium account.

As such, delete as mentioned earlier. It is up to you if you want to keep the cache-busting question mark.

Regarding the message posted above, was there an indication of what triggered it?

If it was a -t then I would expect the trigger to be hit a lot more times - for everything.

Link to comment
Share on other sites

I just posted above, it just hate the fonts icomoon.woff & icomoon.ttf

it is weird but maybe as you suggested removing the -h will fix it as it is not usual 

Link to comment
Share on other sites

Regarding this:

src : url("fonts/icomoon.eot?#iefix-hwvopr"

the #iefix is to fix an issue in Internet Explorer 8 and below with respect to a CSS font-face rule having more than one source location.

So, probably best to keep that. but not the -hwvopr.

Link to comment
Share on other sites

The "better font rendering" rules are valid, but only MacIntosh OSX browsers understand it.

So, the CSS validator may be accepting rules for only a specific browser, or (more likely) only rules that all browsers must know about.

Link to comment
Share on other sites

I also getting warning on that

@font-face {
Rule doesn't have all its properties in alphabetical order.

.icon {
Rule doesn't have all its properties in alphabetical order.

that regarding the 1 line and the 12 line you suggested to remove in the first post

1 minute ago, bsmither said:

The "better font rendering" rules are valid, but only MacIntosh OSX browsers understand it.

So, the CSS validator may be accepting rules for only a specific browser, or (more likely) only rules that all browsers must know about.

I use 2 validators to be sure, one of them did not cared the other did

Link to comment
Share on other sites

Just now, bsmither said:

Ignore what I suggested in my first reply. We have better info now. (I'll edit that post in a few minutes.)

Alphabetical order???? Are they serious?

It was first time I ever saw it , I ignored it

I was able to connect to my server with my mobile data (different IP) and edited the files, the store working fine, finally I can see the little cart icon on top , it was missed for some time could not fix it, I guess the ?-h was the problem , everything working fine, now waiting to see if the server block my mobile IP or we are good

I guess you did this again ! thanks a lot for now, if anything I will let you know

finger crossed 🤞 

Link to comment
Share on other sites

P.S I suggest someone edit the style.css in the e-Trend template here so nobody ever have to deal with this problem again, I did not had any issues for 5 years until they updated the security rules on my sever .

The final edited files of the style.css

@font-face {
font-family : 'icomoon';
src : url("fonts/icomoon.eot");
src : url("fonts/icomoon.eot?#iefix") format('embedded-opentype'), 
url("fonts/icomoon.woff") format('woff'), 
url("fonts/icomoon.ttf") format('truetype'), 
url("fonts/icomoon.svg #icomoon") format('svg');
font-weight : normal;
font-style : normal;

/* Better Font Rendering =========== */
	-webkit-font-smoothing: antialiased;
	-moz-osx-font-smoothing: grayscale;
}

.icon {
	font-family: 'icomoon';
	speak: none;
	font-style: normal;
	font-weight: normal;
	font-variant: normal;
	text-transform: none;
	line-height: 1;


}

.icon-basket:before {
	content: "\e600";
}
.icon-open:before {
	content: "\e601";
}
.icon-sale:before {
	content: "\e602";
}
.icon-envelope:before {
	content: "\e628";
}
.icon-phone:before {
	content: "\e603";
}
.icon-mobile:before {
	content: "\e61f";
}
.icon-directions:before {
	content: "\e604";
}
.icon-paperplane:before {
	content: "\e605";
}
.icon-house:before {
	content: "\e606";
}
.icon-search:before {
	content: "\e607";
}
.icon-cog:before {
	content: "\e608";
}
.icon-tag:before {
	content: "\e609";
}
.icon-newspaper:before {
	content: "\e620";
}
.icon-creditcard:before {
	content: "\e60a";
}
.icon-cart:before {
	content: "\e60b";
}
.icon-box:before {
	content: "\e60c";
}
.icon-lock:before {
	content: "\e60d";
}
.icon-lock-open:before {
	content: "\e60e";
}
.icon-logout:before {
	content: "\e60f";
}
.icon-login:before {
	content: "\e610";
}
.icon-tick:before {
	content: "\e611";
}
.icon-cross:before {
	content: "\e612";
}
.icon-minus:before {
	content: "\e613";
}
.icon-plus:before {
	content: "\e614";
}
.icon-cross2:before {
	content: "\e615";
}
.icon-info:before {
	content: "\e616";
}
.icon-help:before {
	content: "\e617";
}
.icon-warning:before {
	content: "\e618";
}
.icon-cycle:before {
	content: "\e619";
}
.icon-list:before {
	content: "\e61a";
}
.icon-arrow-left:before {
	content: "\e61b";
}
.icon-arrow-down:before {
	content: "\e61c";
}
.icon-arrow-up:before {
	content: "\e61d";
}
.icon-arrow-right:before {
	content: "\e61e";
}
.icon-gift:before {
	content: "\e624";
}
.icon-star:before {
	content: "\e625";
}
.icon-star2:before {
	content: "\e626";
}
.icon-star3:before {
	content: "\e627";
}

 

Link to comment
Share on other sites

I forgot about one more thing, don;t know if this is important 

Sorry! We found the following errors (1)
URI : TextArea
Line 16:	.icon	Value Error : speak none is not a speak value : none

===================================
.icon {
	font-family: 'icomoon';
	speak: none; <-----------------
	font-style: normal;
	font-weight: normal;
	font-variant: normal;
	text-transform: none;
	line-height: 1;
  =================================

Not really know how to handle it, or I just leave it alone 

Link to comment
Share on other sites

Great, thanks for the info.

So far everything working fine, 3 icons that was missed for so long finally appeared , however for some reason my product images and thumbnails reduced in size and quality dramatically 

very interesting but nothing that I can't handle

Link to comment
Share on other sites

I would try to convince the hosting provider to relax these type of security rules.

Here's why:

1. The supposed vulnerability, according to the security message, is for a version of PHP prior to what you are running.
2. The trigger is happening on a request for something other than a PHP script file.
3. CubeCart uses dashes for the friendly URLs, i.e., /name-of-category/name-of-product.html, which may hit some triggers.

Link to comment
Share on other sites

6 minutes ago, bsmither said:

I would try to convince the hosting provider to relax these type of security rules.

Here's why:

1. The supposed vulnerability, according to the security message, is for a version of PHP prior to what you are running.
2. The trigger is happening on a request for something other than a PHP script file.
3. CubeCart uses dashes for the friendly URLs, i.e., /name-of-category/name-of-product.html, which may hit some triggers.

I agree on that, not enough I was blocked and so was my customers and anybody that tried access the store more than once a day , that is not a business , if they continue I may think about changing my hosting provider

Link to comment
Share on other sites

Hi Brian,

I have a good news, everything working fine again . You are the man!

Also got the access to disable the Mood Security on my server while editing files to avoid any IP blocking again ,

and also I have one question to you, I got the option to update the PHP to 7.3 on my server,

you think it is safe to do that? will it affect in any way my current last version of Cubecart store? or I am free to do so?

Just wanna be sure so I don't run in a trouble again

Thanks in advance

Cath

Link to comment
Share on other sites

You will run into a number of minor issues -- all because PHP 7 (7.4 is what I run, so not sure about earlier PHP 7 versions) is more strict about several things. (Another site I manage is running PHP 7.3 with it making no complaints at all. The server environment is commercially hosted by a seriously professional crew, so they wouldn't run PHP 7.3 if it caused issues with CubeCart.)

Much of the above mentioned issues will be fixed in CC6.2.10. These issues are minor because they (nearly all of them) only cause PHP 7.4 to complain, but do the job anyway.

Go for it!

 

Link to comment
Share on other sites

Hi Brian,  

something happen and I can't get access to my store or admin, nobody touched it since my last edit with the template ? the store was fine couple hours ago.

Never have this issue before 

In the browser:

Fatal error: No such file or directory in store/classes/db/mysqli.class.php on line 42

and in the folder on my server are 2 the same files for some reason one bigger than the other 

Can you please take a second to tell me what happening ?

Thanks a lot

Cath

No access _Annotation 2020-07-09 004836.jpg

Never mind it just show up back again , no issues

I just wondering why

Thanks

Cath

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...