XF 2.3 Upgrade to 2.2.17 ok. to 2.3.4 fails + Forbidden (solution)

TheLaw

Well-known member
Hope this helps others trying to upgrade from 2.2.x to 2.3.x.

First warning. You may want to upgrade successfully to 2.2.17 and then take a backup/snapshot of your entire server first. If you try to go to 2.3.x you may end up with errors as it seems to work differently than 2.2.x with regard to security. This is what I eventually did.

I upgraded from 2.2.16 to 2.2.17 flawlessly. All addons off. Style off and set to default. Make sure to replace your existing .htaccess using the default .htaccess in the upgrade or you might get an unauthorized URL detected error. Going from 2.2.17 to 2.3.4 resulted in the following:

Forbidden

You don't have permission to access this resource.

I've set all the php.ini settings to accommodate huge file sizes (128MB, etc.) but there is a permissions based error and it appears to be ModSecurity per below. I had to turn off Mod Security entirely to get the upgrade to work. Then I ended up moving my upgrade to command line because I was warned of a large installation. Once I ran it from there, it took only about 2 minutes for the entire upgrade to complete (without any response or feedback in the terminal for at least 305 seconds or more, so don't panic.)

[Fri Dec 27 21:01:36.538810 2024] [:error] [pid 2496473:tid 2496553] [client 71.190.143.38:51385] [client 71.190.143.38] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "/configuration.php" at ARGS:state. [file "/usr/local/apache/modsecurity-cwaf/rules/08_Global_Other.conf"] [line "57"] [id "210580"] [rev "2"] [msg "COMODO WAF: OS File Access Attempt||www.mysite.com|F|2"] [data "Matched Data: /configuration.php found within ARGS:state: {\\x22changes\\x22:{\\x22admin.php\\x22:\\x22update\\x22,\\x22cmd.php\\x22:\\x22update\\x22,\\x22connected_account.php\\x22:\\x22update\\x22,\\x22css.php\\x22:\\x22update\\x22,\\x22index.php\\x22:\\x22update\\x22,\\x22install/index.php\\x22:\\x22update\\x22,\\x22install/install.css\\x22:\\x22update\\x22,\\x22install/oc-upgrader.php\\x22:\\x22update\\x22,\\x22job.php\\x22:\\x22update\\x22,\\x22js/devjs.php\\x22:\\x22update\\x22,\\x22js/vendor/autosize/autosize.js\\x22:\\x22update\\x22,\\x22js/v..."] [severity "CRITICAL"] [tag "CWAF"] [tag "Other"] [hostname "www.mysite.com"] [uri "/install/oc-upgrader.php"] [unique_id "Z29b_2nR-MqEiaVLgyoRCgAAAFg"], referer: https://www.mysite.com/install/oc-upgrader.php
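
Added example, not part of the original post and not XenForo or Comodo code: the log entry above already names the rule (210580), the variable (ARGS:state) and the script (/install/oc-upgrader.php), which is enough to generate a scoped ModSecurity 2.x exclusion as an alternative to switching the WAF off. The function names and the rule id 10001 are assumptions made for this example.

```python
import re

# Constructed sample: a shortened copy of the error-log entry quoted in the post.
SAMPLE = (
    '[Fri Dec 27 21:01:36.538810 2024] [:error] [pid 2496473:tid 2496553] '
    '[client 71.190.143.38:51385] ModSecurity: Access denied with code 403 '
    '(phase 2). Matched phrase "/configuration.php" at ARGS:state. '
    '[file "/usr/local/apache/modsecurity-cwaf/rules/08_Global_Other.conf"] '
    '[line "57"] [id "210580"] [severity "CRITICAL"] '
    '[hostname "www.mysite.com"] [uri "/install/oc-upgrader.php"]'
)

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [key "value"] pairs
TARGET = re.compile(r' at ([A-Z_]+(?::[\w-]+)?)\. ')      # e.g. "at ARGS:state. "

def parse_denial(line):
    """Return rule id, URI and matched variable of a ModSecurity denial, else None."""
    if "ModSecurity: Access denied" not in line:
        return None
    fields = dict(FIELD.findall(line))
    if "id" not in fields or "uri" not in fields:
        return None
    target = TARGET.search(line)
    return {"rule_id": fields["id"], "uri": fields["uri"],
            "target": target.group(1) if target else None}

def exclusion_rule(denial, new_id):
    """Build a ModSecurity 2.x rule that relaxes one rule for one script only."""
    # Log fields contain request data, so validate before templating them.
    if not re.fullmatch(r"\d+", denial["rule_id"]):
        raise ValueError("unexpected rule id")
    if not re.fullmatch(r"/[\w./-]+", denial["uri"]):
        raise ValueError("unexpected uri")
    if denial["target"]:
        # Narrowest option: stop inspecting just the one variable that matched.
        action = f'ctl:ruleRemoveTargetById={denial["rule_id"]};{denial["target"]}'
    else:
        # Variable not recoverable from the log: drop the rule for this script.
        action = f'ctl:ruleRemoveById={denial["rule_id"]}'
    return (f'SecRule REQUEST_FILENAME "@streq {denial["uri"]}" '
            f'"id:{new_id},phase:1,pass,nolog,{action}"')

if __name__ == "__main__":
    # 10001 is a placeholder; use any rule id not already taken on the server.
    print(exclusion_rule(parse_denial(SAMPLE), 10001))
```

The printed SecRule line belongs in a local ModSecurity configuration file on the server, and it leaves rule 210580 active for every other script and variable.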
 
Do you have the exact names of the php settings you adjusted, because I cannot find ModSecurity? What version of php are you running?
 
I'll provide the variables to you, but I'm facing many permissions based problems with mod_security enabled, such as being unable to edit certain pages (in nodes) on the back end (getting no permission errors), files not uploading, etc. I'm not sure if 2.3.4 has improved security and exposed more potential vulnerabilities that are causing these problems as I've noticed some of these pages include calls to other scripts running on the site.

upload_max_filesize, post_max_size, memory_limit set at 100M, 128M, and 256M. Some of this may be above what is necessary but I upped the limits just to be sure. I'm running php 8.2 if I recall correctly.
 