XF 1.2 Forbidden You don't have permission to access /admin.php on this server.

XF doesn't even get run when mod_security triggers; mod_security has no way of knowing whether or not the input would be a problem so it just blacklists anything that might be problematic.
Aha! It never even reached the XF code because mod_security blacklisted it immediately.

Good to know!

WOW mod_security is being a real pain. It's basically flagging every single Ajax Request due to its POST data...jeez.
 
I have just responded to your ticket.

Every time your particular error message has been reported, it has been due to mod_security.

If your host is unwilling or unable to resolve it, you should consider another host.
 
Here is what I found in my research on the matter.

mod_security has a number of security modules that can be loaded up. One of these modules is sql injection attack prevention.
XF IS safe from sql injection.

SO, why is mod_security being such a pain?

The mod_security module inspects incoming requests to apache. Based on some wicked long and ugly regular expression it analyzes the request for what it thinks are common requests that sql injection hackers would use.
If the regex matches, it kicks out and denies the request even before it actually processes the request in apache or executes any of the XF code.

Since we know XF is sql injection safe, you can ask your host to relax or modify the mod_security rules for your XF installation.
 
First of all, you need to stop thinking that the two are related, they aren't. mod_security is there to protect the entire server, not just your XF installation. In a shared environment, hosting companies aren't going to relax the rules for one customer when it's going to affect everyone else on the server. For dedicated servers and VPS installations, it's a bit easier as it's just going to affect one customer. In this case, the customer should be able to go in and fine tune where necessary.

One of the great things about mod_security is the ability to fine tune. Unfortunately, this takes a bit of knowledge and time once a new mod_security installation is put into place. On a new server, it takes me around 2 months to get things fine tuned to where I'm satisfied that mod_security will do its job and won't interfere with the site. You can whitelist specific rules so your server doesn't trigger them. You can ask on the mod_security list for assistance in fine tuning the rule itself.

However, disabling mod_security in its entirety is just plain silly. If you don't have the knowledge to work with it, get someone who does.
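
Added example, not part of the original thread: a Python sketch of the fine-tuning step described in the post above. It tallies which rule fires on which URL and request variable in the Apache error log, then drafts the narrowest exclusion for each recurring hit. The log lines, rule ids, hostnames and function names are constructed for illustration, and the ModSecurity 2.x error-log layout is assumed.

```python
import re
from collections import Counter

# Constructed Apache error-log lines in ModSecurity 2.x style; ids, hosts and IPs are made up.
SAMPLE_LOG = r'''
[Tue Mar 01 10:00:01 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select.+from)" at ARGS:message. [file "/etc/modsecurity/sqli.conf"] [line "64"] [id "1000001"] [msg "SQL Injection Attack"] [hostname "forum.example"] [uri "/admin.php"] [unique_id "AAA"]
[Tue Mar 01 10:02:17 2011] [error] [client 192.0.2.44] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:select.+from)" at ARGS:message. [file "/etc/modsecurity/sqli.conf"] [line "64"] [id "1000001"] [msg "SQL Injection Attack"] [hostname "forum.example"] [uri "/admin.php"] [unique_id "AAB"]
[Tue Mar 01 10:03:40 2011] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union.+select)" at ARGS:q. [file "/etc/modsecurity/sqli.conf"] [line "71"] [id "1000002"] [msg "SQL Injection Attack"] [hostname "forum.example"] [uri "/index.php"] [unique_id "AAC"]
[Tue Mar 01 10:04:02 2011] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
'''

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')            # [id "..."], [uri "..."], ...
TARGET = re.compile(r'" at ([A-Z_]+(?::[\w.\-]+?)?)\. \[file ')  # variable the rule matched on

def parse_denials(log_text):
    """Yield one dict per 'Access denied' line: rule id, uri and matched variable."""
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        fields = dict(FIELD.findall(line))
        m = TARGET.search(line)
        yield {"id": fields.get("id"), "uri": fields.get("uri"),
               "target": m.group(1) if m else None}

def tally(log_text):
    """Count denials per (uri, rule id, matched variable)."""
    return Counter((d["uri"], d["id"], d["target"]) for d in parse_denials(log_text))

def suggest(counts, min_hits=2):
    """Draft the narrowest exclusion per recurring hit; a human must review each one."""
    out = []
    for (uri, rule_id, target), n in counts.most_common():
        if n < min_hits or not (uri and rule_id):
            continue
        # Prefer excluding one variable from the rule over removing the whole rule.
        directive = (f'SecRuleUpdateTargetById {rule_id} "!{target}"' if target
                     else f"SecRuleRemoveById {rule_id}")
        out.append(f'<LocationMatch "^{re.escape(uri)}$">\n    {directive}\n</LocationMatch>')
    return out

if __name__ == "__main__":
    for block in suggest(tally(SAMPLE_LOG)):
        print(block)
```

A hit count alone does not prove a false positive, so each drafted exclusion should be checked against the request that triggered it before it goes into the server configuration.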
 
@Brogan Thanks again. The level 1 tech I talked to earlier had just enough of a clue of what you were talking about to refer me to a higher level tech who is currently working on the problem.
Thanks for your help as well guys, but honestly I'm afraid to break it any worse.. lol
 