Forum Topic: 5G Blacklist and Magento

Forum: .htaccess Forum : Security • Posted by Stuart Wheeler • Post Date:

I am trying to tighten up the security on my Magento website. I’ve stumbled on a minor problem when attempting to implement the 5G Blacklist.

I kept getting a 403 forbidden pages when trying to do things like add an item to the shopping cart or an item to a product comparison. After some head-scratching, I narrowed it down to the request URI that Magento is creating, which can contain one or more commas.

As it stands, the 5G Blacklist produces a 403 when it encounters a comma in the Request URI. I did consider using a negative lookbehind in my regular expression to rule out those occasions when Magento might spit out a comma, but there’s a chance I could miss one or more of those occasions and inadvertently disable some of the site’s functionality.

Would it make sense to allow commas only if the referrer is the website itself and block when the referrer is something else?

Can this be done with RedirectMatch, or should I use mod_rewrite?

2 Replies to “5G Blacklist and Magento”

Posted by Stuart Wheeler •

I just took out the check for the comma \,| in

RedirectMatch 403 (\,|//|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")

and then added the following to my htaccess file:

<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_URI} (,)
	RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
	RewriteRule .* - [F,L]
</IfModule>

with example.com being switched for my site’s domain name. So far this seems to be working.

Posted by Jeff Starr

That’s one way to do it; although an even easier method is to just remove the check for commas and allow them to go through, depending on how plagued your site is with malicious requests that include commas. Keep in mind that 5G/6G provide cumulative protection, such that it’s totally fine to disable a few of the rules and still enjoy strong protection. Thanks for the follow-up post.