Textpattern CMS support forum


#1 2015-06-15 15:53:58

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529

403 Forbidden [Solved]

Round 2 with this hosting: after the disabled function story (http://forum.textpattern.com/viewtopic.php?id=45717), now comes the Forbidden access!!

The 403 error code happens when posting page code, but not when posting an article, even if I put the same code in the article!!

The hosting confirms that it's the mod security that throws those errors! But why? I haven't access to those details, but if someone tells me which question to send to the hosting, maybe they can give information to solve that!

Thanks

Here is the detail log:

Version de Textpattern CMS: 4.5.7 (r5900)
Dernière mise à jour: 2015-06-11 14:58:16/2014-09-21 07:22:08
Document racine: /home/XXXXX/
$path_to_site: /home/XXXXX/testxy
Chemin d’accès à Textpattern CMS: /home/XXXXX/testxy/textpattern
Format des URL: id_title
Chemin du répertoire temporaire: /home/XXXXX/testxy/textpattern/tmp
URL du site: XXXXXX.xx/testxy
Version de PHP: 5.5.19
GD Graphics Library: bundled (2.1.0 compatible) formats supportés : GIF, JPG, PNG.
Serveur TZ: UTC
Date et heure du serveur: 2015-06-15 15:41:43
Mises à jour des heures d’été utilisées ?: 0
Ajuster automatiquement les heures été / hiver ?: 0
Fuseau horaire GMT: Africa/Algiers (3600)
MySQL: 5.5.42-cll
Locale: fr_FR.UTF-8
Serveur: Apache
API PHP du serveur: cgi-fcgi
Entêtes RFC 2616: 0
Système d’exploitation du serveur:  
Thème de l’interface d’administration: hive 4.5.7

Vérifications: 
------------------------
Certaines fonctions PHP (pouvant être nécessaires) sont désactivées sur le serveur: he_get_modules, apache_child_terminate, apache_setenv, posix_uname, posix_access, posix_setuid, posix_setsid, posix_setpgid, posix_setgid, posix_seteuid, posix_setegid, highlight_file, show_source, posix_mknod, posix_mkfifo, posix_kill, posix_getuid, posix_getsid, posix_getpwuid, posix_getpwnam, posix_getgrnam, posix_getgrgid, posix_getgid, posix_geteuid, posix_getegid, posix_getegid, php_uname, syslog, mysqli_set_local_infile_handler, mysqli_options, pfsockopen, session_save_path, mysqli_set_local_infile_handler, mysqli_options, pfsockopen
------------------------

Contenu du fichier .htaccess: 
------------------------
#DirectoryIndex index.php index.html

#Options +FollowSymLinks
#Options -Indexes
#ErrorDocument 403 default

<IfModule mod_rewrite.c>
	RewriteEngine On
	#RewriteBase /relative/web/path/

	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^(.+) - [PT,L]

	RewriteCond %{REQUEST_URI} !=/favicon.ico
	RewriteRule ^(.*) index.php

	RewriteCond %{HTTP:Authorization}  !^$
	RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}]
</IfModule>

#php_value register_globals 0

# SVG
AddType image/svg+xml  svg svgz
AddEncoding gzip       svgz

------------------------


#2 2015-06-15 16:19:45

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: 403 Forbidden [Solved]

Try creating a .htaccess file in your /textpattern directory containing:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Or view the webserver error logs to find out why mod_security is blocking this, so you can fine-tune its settings.

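Following the advice above to read the web server error logs before tuning mod_security, here is an added example (not code from this thread or from Textpattern) that pulls the rule id, matched variable and URI out of denial lines, which is the information a host needs to adjust one rule instead of switching the engine off. It assumes the ModSecurity 2.x Apache error-log layout; the sample lines, rule ids, the `html` parameter name and paths are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample lines in the ModSecurity 2.x Apache error-log layout
# (rule ids, parameter name, paths and addresses are placeholders).
SAMPLE_LOG = r'''
[Mon Jun 15 15:41:43 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:html. [file "/etc/modsec/rules.conf"] [line "12"] [id "100001"] [msg "Script tag in request body"] [hostname "example.test"] [uri "/testxy/textpattern/index.php"] [unique_id "AAAA"]
[Mon Jun 15 15:42:10 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<iframe" at ARGS:html. [file "/etc/modsec/rules.conf"] [line "20"] [id "100002"] [msg "Iframe tag in request body"] [hostname "example.test"] [uri "/testxy/textpattern/index.php"] [unique_id "AAAB"]
[Mon Jun 15 15:43:02 2015] [error] [client 192.0.2.10] File does not exist: /home/XXXXX/testxy/favicon.ico
[Mon Jun 15 15:44:31 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:html. [file "/etc/modsec/rules.conf"] [line "12"] [id "100001"] [msg "Script tag in request body"] [hostname "example.test"] [uri "/testxy/textpattern/index.php"] [unique_id "AAAC"]
'''

DENIED = re.compile(r'ModSecurity: Access denied with code (\d{3})')
TARGET = re.compile(r'\bat ([A-Z_]+(?::\S+?)?)\. \[')   # e.g. "at ARGS:html. ["
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')    # e.g. [id "100001"]

def parse_denials(log_text):
    """Return one dict per ModSecurity denial found in the log text."""
    events = []
    for line in log_text.splitlines():
        denied = DENIED.search(line)
        if not denied:
            continue  # unrelated Apache error line
        fields = dict(FIELD.findall(line))
        target = TARGET.search(line)
        events.append({
            "status": int(denied.group(1)),
            "target": target.group(1) if target else None,
            "id": fields.get("id"),
            "msg": fields.get("msg"),
            "uri": fields.get("uri"),
        })
    return events

def summarize(events):
    """Count denials per (rule id, matched variable, URI) for a tuning request."""
    return Counter((e["id"], e["target"], e["uri"]) for e in events)

if __name__ == "__main__":
    for (rule_id, target, uri), n in summarize(parse_denials(SAMPLE_LOG)).most_common():
        print(f"rule {rule_id} fired {n}x on {target} for {uri}")
```

The resulting (rule id, variable, URI) triples are what to send to the host when asking for a narrowly scoped exception.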

#3 2015-06-16 07:44:51

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529

Re: 403 Forbidden [Solved]

Hi ruud, thanks for the help.

I tried your code but did not succeed; I also tried putting

SecFilterSelective REMOTE_ADDR ^XX.XXX.XXX.XXX$ nolog,allow

in the code but got error 500. Maybe they disabled the ability to turn off mod security using htaccess. I have sent a mail to them and called them; they answered that they will look into this to see what they can do.

What bugs me is that when I take the page code that throws the error, paste it into an article and save it, it works!!

I will be back here when the hosting answers me.

Cheers


#4 2015-06-17 10:16:26

Dragondz
Moderator
From: Algérie
Registered: 2005-06-12
Posts: 1,529

Re: 403 Forbidden [Solved]

After emails, the hosting agreed to disable the security_mod rule that makes the problem for a few hours; I managed to do most of the work.

After they enabled it again, I did some testing to see what's making it happen: I found 2 words, script and iframe, that make it prompt! Then I used a workaround.

Here it is:

Modify the word script to s|cript and iframe to i|frame; after that, install the plugin rss_admin_db_manager, and with SQL remove “|” in pages or forms.

For forms, here is the code:

UPDATE txp_form SET Form = REPLACE(Form,'|','')

The hosting told me that normally there is no alarm about posting forms, but only injections are prompted! I don't know how the system makes the difference between submitting a form and an injection!
