Bug tracker

This ticket has been moved to our new tracker. Open Ticket PHPBB3-8874 now.

Unable to access ACP after upgrade to 3.0.6 - 403 You do not have permission ... (fix completed in vcs)

After updating to 3.0.6 I notice I cannot access the ACP no matter what I do. I just get a 403 every time.

I finally found that editing adm/index.php and changing:
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : './../';
to
$phpbb_root_path = (defined('PHPBB_ROOT_PATH')) ? PHPBB_ROOT_PATH : '../';
will fix the issue.

I did some searching on the forum after noticing a user in the IRC channel with my same problem and found viewtopic.php?f=46&t=1859985 among a couple of other threads.

Typo

Comments / History

Posted by djazman85 on Nov 19th 2009, 13:43

I've got a similar problem when I update the phpBB-3.0.5 to 3.0.6-RC4.
@ Typos: thank you for the instructions. Now I can log in as admin. :)

Posted by Typo (Former Team Member) on Nov 19th 2009, 14:34

Some info for whoever works on this.

I went ahead and tried a fresh install to see if this problem had anything to do with the forum I upgraded, and it's doing the same exact thing and the same workaround fixed it.

Again......

I have confirmed this problem and the temp fix I found on both an update from 3.0.5 to 3.0.6 and on a fresh, brand new 3.0.6 install.

Typo

Edited post #197215

Action performed by Typo (Former Team Member) on Nov 19th 2009, 14:38

Edited post #197215

Action performed by Typo (Former Team Member) on Nov 19th 2009, 14:40

Posted by DavidIQ (MOD Team Leader) on Nov 19th 2009, 14:54

This doesn't seem to be a common issue. Maybe something with the server setup. Can you provide more info on your server and configuration?

Marked ticket #54175 as duplicate of this ticket

Action performed by DavidIQ (MOD Team Leader) on Nov 19th 2009, 14:58

Posted by navbeacon on Nov 19th 2009, 15:43

I'll give you a dump of what my mod_security log says regarding this.

Hope it helps.

Posted by Shamisen on Nov 19th 2009, 16:13

I let my ISP try accessing a dummy admin account; they returned with this comment:

"This is working correctly now. One of the scripts to access the control panel was triggering the php security module. I've disabled this for your account."

My ACP now functions correctly... it looks like Mod_Security (??) might be the culprit...

This just in from my ISP

[Thu Nov 19 10:15:52 2009] [error] [client xxxxxxxxx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\\/))(?:%(?:u2024|2e)|\\.){2}(?:\\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\\/))" at REQUEST_URI. [file "/usr/local/apache/conf/modsecurity.d/10_asl_rules.conf"] [line "112"] [id "340007"] [rev "18"] [msg "Generic Path Recursion denied"] [severity "CRITICAL"] [hostname "xxxxxxxxxxxx"] [uri "/phpBBxx/adm/index.php"] [unique_id "SwVhKM-SaUwAADtHRG8AAAAR"]

Edited post #197265

Action performed by Shamisen on Nov 19th 2009, 16:23

Edited post #197265

Action performed by Shamisen on Nov 19th 2009, 16:27

Changed ticket status from "New" to "Not a bug"

Action performed by bantu (3.0 Release Manager) on Nov 19th 2009, 18:11

Posted by bantu (3.0 Release Manager) on Nov 19th 2009, 18:11

When using mod_security make sure it is properly configured. "./../" is as valid as "../" is.
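The pattern from the ModSecurity log line above, run against the two root-path values discussed in this ticket (an added example, not phpBB or ModSecurity code). It assumes the root path reaches REQUEST_URI inside a query parameter and that the rule applies no transformations; the parameter name "redirect" and all sample URIs are constructed.

```python
import re

# Pattern of rule id 340007 as printed in the ModSecurity log line above, with
# the error-log escaping undone (doubled backslashes become single).
SEP = r"(?:\x5c|(?:%(?:c(?:0%(?:9v|af)|1%1c)|2(?:5(?:2f|5c)|f)|u221[56]|1u|5c)|\/))"
DOTS = r"(?:%(?:u2024|2e)|\.){2}"
RULE_340007 = re.compile(SEP + DOTS + SEP)  # separator, two dots, separator


def first_match(request_uri):
    """Return the substring that trips the pattern, or None if it passes."""
    m = RULE_340007.search(request_uri)
    return m.group(0) if m else None


def build_uri(root_path):
    # Assumption: the root path reaches REQUEST_URI inside a query parameter.
    # The parameter name "redirect" is hypothetical, not taken from the ticket.
    return "/phpBBxx/adm/index.php?redirect=" + root_path + "adm/index.php"


# Constructed sample request URIs (not from the ticket).
SAMPLES = {
    "3.0.6 default './../'": build_uri("./../"),
    "workaround '../'": build_uri("../"),
    "encoded dots": "/phpBBxx/adm/%2e%2e/index.php",
}

if __name__ == "__main__":
    for label, uri in SAMPLES.items():
        hit = first_match(uri)
        verdict = "matched %r" % hit if hit else "no match"
        print("%-24s %-52s %s" % (label, uri, verdict))
```

Both root-path values resolve to the same directory; the pattern only fires on the one that places a path separator directly before the two dots, which is consistent with the workaround in the first post.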

Posted by Typo (Former Team Member) on Nov 20th 2009, 08:28

Since this has been closed as a non bug I would like to ask a question or two and would greatly appreciate an answer.

Can you please explain how the same line of code that works in 3.0.5 and 3.0.6 but causes an error ONLY in 3.0.6 is not a 3.0.6 bug, and could you also explain how it's possible that one version causes the error and the other doesn't?

Thanks a ton.

Typo

Posted by Eelke (QA Team) on Nov 20th 2009, 09:39

That's quite simple; there must be some change in phpBB that triggered the error. However, I don't really see the point in someone trying to find the specific change for you if we already determined that the other factor in this matter, the server configuration, is actually at fault. The fact that, apparently, phpBB was doing something differently before doesn't matter; as long as its current behaviour is "correct", there is no ground for considering the change a bug. It's unfortunate that it is now colliding with a server configuration, but if that server configuration is incorrect, then that's what should be fixed.
