Noobie Question: 403 on "Check & Save" configuration

Stosh
Regular
Posts: 75
Joined: Mon Oct 12, 2009 11:47 pm

Noobie Question: 403 on "Check & Save" configuration

Post by Stosh »

Hi,

I selected your software from within my hosting service's control-panel and installed it from there. The install went fine, but now I am unable to use the Admin screens to change configuration:

Serendipity Administration Suite-->Administration-->Configure

I get an expandable list that includes:

Database
paths
permalinks
General
Appearance...
Image...


If I alter any of these (house offset from server-time for example) and then hit "Check & Save", it gives me a 403 (permission denied) error.

Following what I've been able to find here at your site, I have changed the chmod settings to 777 for the following files and directories:

serendipity_config_local.inc.php
.htaccess
templates/
templates_c/
uploads/
archives/

I also thought I might be able to change the serendipity_config_local.inc.php file directly, but the only variables it seems to contain are those needed to get a session with the SQL database (this seems to work, since I can operate most of the remaining functions in the blog).

I tried asking my hosting service (bulkregister) but only got that it's not their product and not their problem.

Sorry for the lack of understanding. The issues are extra opaque for me because I used their cp to install it.

Thank you for any help you can provide.

-jr
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Noobie Question: 403 on "Check & Save" configuration

Post by garvinhicking »

Hi!

Can you ask your provider to inspect the error log? Do you have FTP access to the s9y installation? Usually we can only provide support for a usual Serendipity installation, since we never know what specific things a provider changes for their offered hosted solutions.

A 403 error actually means that the webserver denied access; my bet is that they are using apache mod_security which detects a Path in your HTTP POST query, and denies access. Of course, in this case, the path is required and the server should not deny access. Can you ask the provider if they use this, which should be contained in the apache logfile?

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
Stosh
Regular
Posts: 75
Joined: Mon Oct 12, 2009 11:47 pm

Re: Noobie Question: 403 on "Check & Save" configuration

Post by Stosh »

Garvin,

Thanks for the quick response. I will put in a ticket.

Some background: They are primarily a DNS provider and --while their hosting service is very good (fast, etc.)-- I have gotten the distinct impression that their support staff is primarily trained to provide DNS help (which, btw, is excellent). An example: I asked for a list of supported modules in perl, after a few days I got a list of about a half dozen modules, which did not include the module I needed. By that time, I had already determined, through trial-and-error that it was included. I'm quite happy to do the trial and error thing though; now that it's clear it's the most time-efficient way to do things. Unfortunately, I'm not a php programmer.

I did look at the administration form source, and examined the form element. It had: action="?" which may be perfectly fine in a php form, who knows :-)

Finally, I think I can get access to the logs through the CP... What would you like me to try/test/look-for?

OOPS! POST-SCRIPT: Yes, I have ftp access to the installation directories.

Thanks again for the quick response.

-jr
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Noobie Question: 403 on "Check & Save" configuration

Post by garvinhicking »

Hi!

Inside the logs, there would be an entry with that 403 error, saying something like "mod_security: Action forbidden by rule" or something like that...

Alternatively, there are commands that disable mod_security through a .htaccess rule, but I don't have the time right now to look up which one exactly that is...

HTH,
Garvin
Stosh
Regular
Posts: 75
Joined: Mon Oct 12, 2009 11:47 pm

Re: Noobie Question: 403 on "Check & Save" configuration

Post by Stosh »

Hi, Thanks again for all your help...

Here's the error, along with the rule that 403s me (with my dns removed)

[Tue Oct 20 11:10:48 2009] [error] [client ip.ip.ip.ip] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "121"] [id "340009"] [rev "21"] [msg "Atomicorp.com WAF Rules: Protected Path Access denied in URI/ARGS"] [data ""] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "(?:/(?:etc|proc|var/tmp|usr|opt|s?bin|dev|tmp|kern|[br]oot|sys|windows|winnt)/|(?:\\/|\\\\)+inetpub|localstart\\.asp|boot\\.ini)" at ARGS:convert. [hostname "IMeMine.com"] [uri "/serendipity/serendipity_admin.php"] [unique_id "yBvOmwoHRikAAExMBL4AAAAE"] 
Would I be better off just downloading it and re-installing it manually?

-jr
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany
Contact:

Re: Noobie Question: 403 on "Check & Save" configuration

Post by garvinhicking »

Hi!

This simply means, mod-security is blocking access, because it detects your Path inside the HTTP request. Of course, this is required to instruct serendipity.

Please ask your hoster on how to exclude serendipity_admin.php from mod_security on your server, or you won't be able to configure anything through HTTP.

A reinstallation will not change anything here, I'm sorry.

Regards,
Garvin
Stosh
Regular
Posts: 75
Joined: Mon Oct 12, 2009 11:47 pm

Re: Noobie Question: 403 on "Check & Save" configuration

Post by Stosh »

Garvin,

Got it working without need to go to the hosting service.

The mod_security rule is just a standard reg-X. A big ugly one, but still just a reg-x pattern.

Take care now.

-stosh

Those rules are HARSH, even for regular forum-authors (especially if they're writing about web development. This thread would not have been possible, e.g.). There has to be a better way to keep scum-bags out of the cookie jar.
viperjason
Posts: 4
Joined: Fri Sep 14, 2007 7:35 pm

Re: Noobie Question: 403 on "Check & Save" configuration

Post by viperjason »

I know this post is long long dated and very old, but I recently had the same issue. After tearing apart the form line by line I found the issue for my host.

Under image conversion settings:
Path to convert binary
Full path & name of your ImageMagick convert binary

Turns out the value "/usr/bin/convert" was being blocked by my host. Remove that value and install works great.

Thank you so much for this great weblog. I've found it to be the best and easiest to use with SQLite. Never ever remove that wonderful feature.
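
An added example, not part of any post in this thread and not Serendipity or Atomicorp code: a small diagnostic that parses the ModSecurity entry Stosh quoted, recovers the rule's regular expression, and reports which submitted form values would trip it, which is the check viperjason did by hand. The log excerpt is trimmed from the entry above; the form fields other than `convert` are constructed, and the backslash un-escaping is an assumption about how the log was written.

```python
import re

# Excerpt of the error-log entry quoted in the thread (unrelated fields trimmed).
LOG_LINE = (
    r'ModSecurity: [id "340009"] [severity "CRITICAL"] Access denied with '
    r'code 403 (phase 2). Pattern match "(?:/(?:etc|proc|var/tmp|usr|opt|s?bin'
    r'|dev|tmp|kern|[br]oot|sys|windows|winnt)/|(?:\\/|\\\\)+inetpub'
    r'|localstart\\.asp|boot\\.ini)" at ARGS:convert. '
    r'[uri "/serendipity/serendipity_admin.php"]'
)

ENTRY_RE = re.compile(
    r'\[id "(?P<id>\d+)"\].*?Pattern match "(?P<pattern>.*)" at '
    r'(?P<target>[A-Z_]+(?::[^\s.]+)?)\..*?\[uri "(?P<uri>[^"]*)"\]'
)

def parse_denial(line):
    """Extract rule id, matched variable, URI and the rule's regex from a log line."""
    m = ENTRY_RE.search(line)
    if m is None:
        raise ValueError("not a ModSecurity 'Pattern match' denial")
    # Assumption: the log writer doubled every backslash, so undo that once.
    pattern = m.group("pattern").replace("\\\\", "\\")
    return {"id": m.group("id"), "target": m.group("target"),
            "uri": m.group("uri"), "regex": re.compile(pattern)}

def fields_tripping_rule(rule, fields):
    """Return (field, matched_text) for every submitted value the regex matches."""
    hits = []
    for name, value in fields.items():
        m = rule["regex"].search(value)
        if m:
            hits.append((name, m.group(0)))
    return hits

# Constructed form submission; only "convert" is a field name taken from the log.
SAMPLE_POST = {
    "convert": "/usr/bin/convert",
    "blogTitle": "My weblog",
    "uploadPath": "uploads/",
    "tempdir": "/tmp/s9y/",
}

if __name__ == "__main__":
    rule = parse_denial(LOG_LINE)
    print("rule", rule["id"], "denied", rule["uri"], "on", rule["target"])
    for field, text in fields_tripping_rule(rule, SAMPLE_POST):
        print(f"  field {field!r} contains {text!r}")
```

The exclusion Garvin describes is a host-side change: on ModSecurity 2.x the hoster can scope `SecRuleRemoveById 340009` to the `serendipity_admin.php` location in the server configuration instead of disabling the rule set everywhere.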