After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

END OF SUPPORT: 1 January 2017 (announcement)
Kellanved
Former Team Member
Posts: 2635
Joined: Wed Jan 26, 2005 2:48 pm
Location: Meta-level

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by Kellanved »

soumik wrote:Add this to your .htaccess:

SecFilterScanPOST Off

Although I don't know if it's recommended.

That won't work in the present case. The reason for the problem is that 3.0.5 used POST to submit the redirect parameter, 3.0.6 uses GET. The above command disables scanning on POST, which won't help. SecFilterScanGET might work, but I am not sure about that.
Regardless, it is an excellent example of why we can't work around mod_sec rules in general: some servers might reject "gonrod", others anything using "<...>" etc - it is a server configuration issue. That doesn't mean that we won't provide a workaround or a patch once we figure out which rules are offending and how often they are used, just that it is impossible to avoid all problems.
Nocando is in Idontwanna county. No support via PM
DoRyN
Registered User
Posts: 41
Joined: Wed Sep 01, 2004 5:03 pm
Location: Romania

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by DoRyN »

For me it is not clear. How can I access the ACP if it says that "Access to the Administration Control Panel is not allowed as you do not have administrative permissions."?
Last edited by DoRyN on Sat Nov 21, 2009 8:40 pm, edited 1 time in total.
narqelion
I've Been Banned!
Posts: 7235
Joined: Sat Dec 13, 2008 5:00 pm

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by narqelion »

Kellanved wrote:Regardless, it is an excellent example of why we can't work around mod_sec rules in general: some servers might reject "gonrod", others anything using "<...>" etc - it is a server configuration issue.
And SecFilterScan POST triggers are typically easily worked around at the host level, as it is merely a word or phrase used in the post that triggers it. Although I must say "gonrod" is an interesting trigger... :? The fact that you are now using GET and passing the recursive directory traversal in the URL is not so easily addressed by the hosts. The oddball mod_sec post trigger is not a very prevalent problem if you go by the # of support topics but the change to GET blocking access to the ACP is at least IMO far more severe. :)
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by Eelke »

@doryn: your problem is unrelated to the problem being discussed in this thread. Please open your own support topic.
DoRyN
Registered User
Posts: 41
Joined: Wed Sep 01, 2004 5:03 pm
Location: Romania

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by DoRyN »

Eelke wrote:@doryn: your problem is unrelated to the problem being discussed in this thread. Please open your own support topic.
I solved this error by using the Support Toolkit.

Thank you.
Lyrijan
Registered User
Posts: 2
Joined: Mon Nov 23, 2009 5:17 pm

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by Lyrijan »

I have the same problem... 403


Forbidden

You don't have permission to access /sabor/adm/index.php on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.



I tried to change that line in adm/index.php but nothing happens....

Have you found the solution?
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by Eelke »

You will have to check with your provider why exactly the URL is being blocked. Most likely, it will also be a mod_security rule.
Lyrijan
Registered User
Posts: 2
Joined: Mon Nov 23, 2009 5:17 pm

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by Lyrijan »

hey... now it's working!

I did nothing....
dan1dyoung
Registered User
Posts: 35
Joined: Sun Jun 29, 2008 5:13 pm
Location: Royston, England

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by dan1dyoung »

Kellanved wrote:
Eelke wrote:Do we know what change in 3.0.6 caused this (revision in SVN)?
We do. The redirect variable was moved to GET to fix a bug. The problem encountered here is not a bug in phpBB, nor an issue in mod_security. The problem is a faulty mod_security configuration, specifically using a rule contrary to the recommendations in the mod_security documentation.

https://www.modsecurity.org/fisheye/bro ... urity.conf

Hi Kellanved,

Is the config you linked to above the correct setting or the one that is not working? I have asked my provider to make the changes and they will, but should it be set as the link (shows #SecRule REQUEST_FILENAME "\.\.[/\x5c]") but what about ./..??

Thanks

Dan
My phpBB Modifications & Tips are here: http://www.dysolutions.co.uk/phpbb
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by Eelke »

What is important to note are the comments made in the configuration file linked to by Kellanved. It says that the config may result in many false positives (FP) and if used, it should not be allowed to block URLs, but only issue a warning to the system administrator. This rule, or one like it, would be causing the problems accessing the ACP.
dan1dyoung
Registered User
Posts: 35
Joined: Sun Jun 29, 2008 5:13 pm
Location: Royston, England

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by dan1dyoung »

Hi,

Still working with my host to solve this (They advised mod_security is now turned off for me to test so another new install but same problem) but any news on a phpbb change/workaround as posted??

Thanks

Dan
My phpBB Modifications & Tips are here: http://www.dysolutions.co.uk/phpbb
narqelion
I've Been Banned!
Posts: 7235
Joined: Sat Dec 13, 2008 5:00 pm

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by narqelion »

dan1dyoung wrote:but any news on a phpbb change/workaround as posted??
No. Don't hold your breath either. ;)
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by Eelke »

dan1dyoung wrote:Still working with my host to solve this (They advised mod_security is now turned off for me to test so another new install but same problem)
Are you sure you are actually experiencing the same problem as discussed here? I.e. do you know it is mod_security blocking access to the ACP URL due to mod_security being configured to block URLs containing '..' ? The outside symptoms may be the same, but that doesn't mean the root cause is also the same.
dan1dyoung
Registered User
Posts: 35
Joined: Sun Jun 29, 2008 5:13 pm
Location: Royston, England

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by dan1dyoung »

Hi Eelke,

Not 100% no, I am looking for ways to prove/find out what is going on but just strange I have never had this issue before with the same host until this last install with 3.0.6 (I will try 3.0.4/5 in a minute) but the host says they disabled mod_security although it still shows as loaded in the PHP info but not sure that is the same as enabled.

I can see the normal forum area, the mcp, ucp but when I go to the acp I get the re-authenticate screen OK but then using the login button that has the &redirect=.%2f..%2fadm%2findex.php and then it fails with error 403.

Just tested tonight (After having logged out and shut down my pc last night) and it is working now so need to test mod_security more now.

Will advise what I find.

Thanks

Dan
My phpBB Modifications & Tips are here: http://www.dysolutions.co.uk/phpbb
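
The behaviour discussed in this thread, as an added example that is not part of any post and is not phpBB or mod_security code: a small Python model of a host filter that applies the quoted pattern `\.\.[/\x5c]` to the URL-decoded request. The `inspect` function, its `scan_post` and `blocking` switches and the request paths are assumptions made for illustration; only the pattern and the redirect value come from the posts.

```python
import re
from urllib.parse import unquote, urlsplit

# Pattern quoted in the thread: ".." followed by "/" or "\" (\x5c).
TRAVERSAL = re.compile(r"\.\.[/\x5c]")

def inspect(method, url, body="", scan_post=True, blocking=True):
    """Hypothetical host filter: match the pattern against the URL-decoded
    path and query, and against the decoded POST body when scan_post is on.
    Returns (http_status, locations_that_matched)."""
    parts = urlsplit(url)
    targets = {"path": parts.path, "query": parts.query}
    if method == "POST" and scan_post:
        targets["body"] = body
    hits = [name for name, raw in targets.items()
            if TRAVERSAL.search(unquote(raw))]
    # Blocking mode answers 403 on any hit; detect-only mode logs and serves.
    status = 403 if (hits and blocking) else 200
    return status, hits

# Constructed requests; the script path is made up, the redirect value is
# the one reported in the thread.
REDIRECT = "redirect=.%2f..%2fadm%2findex.php"
GET_306 = ("GET", "/forum/ucp.php?mode=login&" + REDIRECT, "")
POST_305 = ("POST", "/forum/ucp.php?mode=login", REDIRECT)

def demo():
    return {
        # 3.0.6 style: redirect travels in the URL, so the URI scan fires.
        "get_blocking": inspect(*GET_306),
        # Turning POST scanning off does nothing for the GET case.
        "get_post_scan_off": inspect(*GET_306, scan_post=False),
        # 3.0.5 style: redirect in the body, unseen once POST scanning is off.
        "post_scan_off": inspect(*POST_305, scan_post=False),
        "post_scan_on": inspect(*POST_305),
        # Detect-only: the match is still recorded, the page is served.
        "get_detect_only": inspect(*GET_306, blocking=False),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The pattern cannot tell the board's own relative redirect from a hostile path, which is why the same match is better recorded than answered with a 403.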
Eelke
Registered User
Posts: 2903
Joined: Thu Dec 20, 2001 8:00 am
Location: NL, Bussum
Name: Eelke Blok

Re: After upgrade to 3.0.6 access to A.C.P. denied (403 Error).

Post by Eelke »

It should be possible to see why your ACP is being blocked, e.g. because mod_security is blocking it. It should then also allow you to see which rule is triggering the block (this is just what I get from the past of this topic, I do not have any experience with it myself).