PROBLEM Forbidden You don't have permission to access this resource - Printable Version

+- GetSimple Support Forum (http://get-simple.info/forums)
+-- Forum: GetSimple (http://get-simple.info/forums/forumdisplay.php?fid=3)
+--- Forum: General Questions and Problems (http://get-simple.info/forums/forumdisplay.php?fid=16)
+--- Thread: PROBLEM Forbidden You don't have permission to access this resource (/showthread.php?tid=15871)

Forbidden You don't have permission to access this resource - ericraap - 2021-01-16

Hi,

I'm setting up a pretty straightforward website with version 3.3.16 but as soon as I want to include an image or a link to a website or internal page the CMS says 'Forbidden You don't have permission to access this resource'.

I talked to my Webhosting party and they said their firewall blocks it because it's unsecure....I think it's nonsense because I have a similar site on another domain and that's running fine....any idea what the problem might be ???

Thx,
Eric

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-16

Hello Eric,

Welcome to GS 3.3.16

Would you like to mention something more about your website, we are there to help and share experience.

The -- Forbidden You don't have permission to access this resource -- error is most probably the mod_security setting on your hosting

Disable mod_security in the CPanel of your hosting or disable it in the .htaccess file in the root of your website

If the error disappears then contact your hosting support and let them adjust the mod_security settings for your website.

======================================

Just let us know if that solved the issue. If not we can further diagnose the case.

F.

RE: Forbidden You don't have permission to access this resource - ericraap - 2021-01-16

Hi Felix,

Thanks for your welcome!

The site is http://ja21flevoland.nl/

I checked my '.htaccess' which was in the 'public_html' folder but don't see any mod_security I can disable.

The hosting party told me that 'GetSimple' needs to solve the issue so they are not really willing to change anything on their firewall.

I have another website at the same hosting provider which I also maintain with CMS version 3.3.16 and here I do not have any problem with adding images and links. The website is https://flevoland2020.nl/

Thanks in advance for your help, it's making me nuts this error message....

Regards,
Eric

PS I wanted to attach the .htaccess but apparently it's not allowed...below is the content

    #
    # GetSimple CMS htaccess ROOT file
    # apache 2.4
    #
    # The following require certain allow overrides, if getting 500 error comment them out one by one
    # can be resolved in apache httpd.conf to ensure security alternatives

    # override charset
    AddDefaultCharset UTF-8

    # prevent directory listings
    Options -Indexes

    # Follow symbolic links, This is required for rewrites on some hosts
    Options +FollowSymLinks

    # Set the default handler.
    DirectoryIndex index.php

    # blocks direct access to the XML files - they hold all the data!
    <Files ~ "\.xml$">
        <IfModule !mod_authz_core.c>
            Deny from all
        </IfModule>
        <IfModule mod_access_compat.c>
            Deny from all
        </IfModule>
        <IfModule mod_authz_core.c>
            <IfModule !mod_access_compat.c>
                Require all denied
            </IfModule>
        </IfModule>
    </Files>

    <Files sitemap.xml>
        <IfModule !mod_authz_core.c>
            Allow from all
        </IfModule>
        <IfModule mod_access_compat.c>
            Allow from all
        </IfModule>
        <IfModule mod_authz_core.c>
            <IfModule !mod_access_compat.c>
                Require all granted
            </IfModule>
        </IfModule>
    </Files>

    # handle rewrites for fancy urls
    <IfModule mod_rewrite.c>
        RewriteEngine on

        # Usually RewriteBase is just '/', but
        # replace it with your subdirectory path
        RewriteBase /

        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule /?([A-Za-z0-9_-]+)/?$ index.php?id=$1 [QSA,L]
    </IfModule>

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-17

Hi Eric,

Did you check if your index.php or .htaccess files are for some reason corrupted ?

Try to install a new 3.3.16 setup somewhere in a subdomain and see how that works.

======================================

Looks like your website is hosted on argeweb.nl

Their online support does not bring up much: https://www.argeweb.nl/zoeken/security

======================================

Try the following:

Go to your argeweb CPanel and look for the mod_security setting

Turn off mod_security for your website and check if the error disappears.

Here is an example where to find mod_security inside CPanel
https://www.interserver.net/tips/kb/how-to-disable-mod_security-and-why-it-is-not-recommended/

Of course this CPanel might look different but it gives you an idea where to look in your argeweb CPanel

======================================

If the above doesn't work you can try to put these lines of code in your .htaccess file

    <IfModule mod_security.c>
        SecFilterEngine Off
        SecFilterScanPOST Off
    </IfModule>

Check if that makes the error go away

======================================

If the error still does not go away you have to contact your hosting support and let them check the Apache error log for your website.

You mentioned that they do not want to change their firewall rules, ok that is understandable, but they can at least check the Apache error log for your website and inform you what exactly is the reason for the error.

Just let us know if any of the above works out.

If all of the above does not work you can try to use another hosting https://www.hostinger.nl/ (I am not affiliated)

F.

RE: Forbidden You don't have permission to access this resource - ericraap - 2021-01-17

Hi Felix,

Regarding corruption of the index.php or .htaccess files...I reinstalled it from scratch a few times so they should be fine...

======================================

My website is hosted on argeweb.nl and their online support does indeed not bring up much

======================================

I do not have access to the argeweb CPanel (at least I do not know where and how to access)

======================================

I added the lines in my .htaccess file in the public_html folder but it doesn't change anything, still cannot add images and links.

Do I need to stop-start the server to activate the new .htaccess file or is it realtime?

======================================

I will contact the hosting support and ask them to check the Apache error log for my website.

Thx again for your feedback !

Regards,
Eric

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-17

Hi Eric,

This page seems to be the login for your argeweb cpanel https://www.argeweb.nl/argecs/

When you have time you can post a few screenshots of the error you get. A picture usually says more.

F.

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-17

Quote: CMS says 'Forbidden You don't have permission to access this resource'.

Check if you have a permission problem with the location inside GS 3.3.16 where you store the pictures e.g.

http://ja21flevoland.nl/data/uploads/ ?
http://ja21flevoland.nl/theme/your_theme/assets/ ?

Also check if you have a permission problem with how you link to the pictures in your pages.

F.

RE: Forbidden You don't have permission to access this resource - ericraap - 2021-01-18

Hi Felix,

I tried to attach a document with a lot of screencaptures regarding the CMS (editing a page , adding an image and the error) and the FTP view of the different folders. Also part of the menu of the https://www.argeweb.nl/argecs/.

However got an error, probably too big (size is 1.800 kb).

Can I upload it somewhere else ?

Eric

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-18

Quote: Can I upload it somewhere else ?

Sure: https://imgbb.com/ you can even choose auto remove after a few days

RE: Forbidden You don't have permission to access this resource - ericraap - 2021-01-18

OK, I've uploaded 9 pictures:

https://ibb.co/JsM4JfM
https://ibb.co/pPhTsxR
https://ibb.co/dPJwzQH
https://ibb.co/Wk3TcVr
https://ibb.co/88D0Xj7
https://ibb.co/WDC3FnT
https://ibb.co/XJQch1D
https://ibb.co/XJNfgnn
https://ibb.co/3kgD7nX

They have the following names:

1. Main menu GetSimple CMS
2. Editing a page
3. Adding a picture which has already been uploaded using the Files tab
4. Picture is visible in the editor
5. Source code of the page
6. When clicking on Save Updates the Forbidden error appears
7. public_html FTP view of the website
8. data uploads FTP view of the website
9. theme innovation assets FTP view of the website
10. Argeweb portal

Eric

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-19

Hi,

I forgot to mention that the GS cms has an inbuilt error reporter. Just turn it on and maybe it will show helpful information about the error.

Go to the webroot of your GS cms installation and look for the file gsconfig.php

Open it in your favorite editor and uncomment the following line:

    #define('GSDEBUG', TRUE);

so it looks like this

    define('GSDEBUG', TRUE);

Then save the gsconfig.php file again and reload your webpages to see any error report.

Here are 3 pics to show what I mean:

https://ibb.co/ZfzQ9TH
https://ibb.co/6tkJjHz
https://ibb.co/6vFQ5Dy

RE: Forbidden You don't have permission to access this resource - ericraap - 2021-01-19

Hi,

I copied the gsconfig.php to my local drive and uncommented the following line:

    #define('GSDEBUG', TRUE);

so it looked like this

    define('GSDEBUG', TRUE);

Then saved the gsconfig.php file and uploaded it again via FTP.

I do see a Debug Console box now in the page so I tried to change a page again by linking to an external URL or to insert an image but still the same error message 'Forbidden You don't have permission to access this resource'

I do not see any information in the Debug Console because after clicking on Save Updates the whole page disappears and in the left top of the page the 'Forbidden...' message appears.

However, when I upload an image in the Files section I do get Debug information:

    Max file size: Notice: A non well formed numeric value encountered in /home/ja21flevo/domains/ja21flevoland.nl/public_html/admin/inc/basic.php on line 1198 32MB
    Warning: count(): Parameter must be an array or an object that implements Countable in /home/ja21flevo/domains/ja21flevoland.nl/public_html/admin/upload.php on line 235
    Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; ImageManipulation has a deprecated constructor in /home/ja21flevo/domains/ja21flevoland.nl/public_html/admin/inc/imagemanipulation.php on line 104

See the Debug information in the Files section on https://ibb.co/XJP206n

I don't understand the warnings, they are normal images...

When I type in for example http://ja21flevoland.nl/data/uploads/ja21-logo.png in my browser I see the image appearing so it looks like it's stored without any issues...

And the same images do appear without any problem in this website https://flevoland2020.nl/index.php?id=onze-mensen which is similar to http://ja21flevoland.nl/

Anyway I also get the same 'Forbidden..' message when I try to put a URL in the page....

Eric

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-19

Hi

The GS cms error reporter did not show anything usable to solve the problem.

Make sure you comment it again:

    #define('GSDEBUG', TRUE);

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

About flevoland2020.nl

Your domain flevoland2020.nl where the pictures work normally uses a ssl certificate from Sectigo and all website content resolves correctly to https://

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

About ja21flevoland.nl

It looks like your domain ja21flevoland.nl uses a ssl certificate from Let's Encrypt but I am not sure but the domain does not resolve to https://

The hostname ja21flevoland.nl does NOT match the Common Name in the certificate

If a Let's Encrypt certificate or another certificate is used for that domain then you should check if it is setup correctly or contact your hosting support

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

After you solved the ssl certificate with ja21flevoland.nl check the image urls inside the CKEditor

http://ja21flevoland.nl/data/uploads/ja21-logo.png

Yes the image shows up with the above url directly in the browser.

The GS cms uses the CKEditor for editing text and including images. Check the image urls how they are linked in the CKEditor.

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-19

Hi

To find out if the error comes from the GS-3.3.16 or from something else, I uploaded a simple test case on a simple shared hosting: http://ja21flevoland.showme.zone/

Everything works as it should and pictures show up normally

F.

RE: Forbidden You don't have permission to access this resource - ericraap - 2021-01-19

Hi

I commented the Debug line again:

    #define('GSDEBUG', TRUE);

The Hosting party promised me to send the Apache logs. It was turned off but they turned it on now and I generated a few times the error.

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

I forwarded your feedback about the Certificates to the Hosting party

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

I added the image http://ja21flevoland.nl/data/uploads/ja21-logo.png using the CKEditor and below is the source code

    <p><img alt="" src="http://ja21flevoland.nl/data/uploads/ja21-logo.png" style="width: 150px; height: 150px;" /></p>

Regards,
Eric

RE: Forbidden You don't have permission to access this resource - ericraap - 2021-01-19

(2021-01-19, 06:59:21)Felix Wrote: Hi

I see that all the images are shown normally....this is driving me nuts....let's wait for the Apache logs

RE: Forbidden You don't have permission to access this resource - ericraap - 2021-01-20

Hi,

Please find below the feedback of the Hosting party:

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

I checked the logging for your website and retrieved the following error message in our Comodo Web Application Firewall. The issue is the following:

Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355).

Because this might be a false positive I want to advise you to create a case at Comodo Support via the following URL, so they can modify it: - https://support.comodo.com/ Below is the log: 11087:{"transaction":{"time":"18/Jan/2021:22:06:26 +0100","transaction_id":"YAX4UiEc4VqWzf9MEidzsAAAAHM","remote_address":"2001:984:310d:1:801e:3fbd:d0b4:de56","remote_port":55048,"local_address":"2001:678:76c:3401::146","local_port":80},"request":{"request_line":"POST /admin/changedata.php HTTP/1.1","headers":{"Host":"ja21flevoland.nl","Connection":"keep-alive","Content-Length":"874","Cache-Control":"max-age=0","Upgrade-Insecure-Requests":"1","Origin":"http://ja21flevoland.nl","Content-Type":"application/x-www-form-urlencoded","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Referer":"http://ja21flevoland.nl/admin/edit.php?id=nieuws","Accept-Encoding":"gzip, deflate","Accept-Language":"nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6","Cookie":"GS_ADMIN_USERNAME=3yx51g; 319d8cb82dfa64e821a8dbbdb4adee80de1992cc=2d2258b9521180ff0f54e1cd047054c3ee2a8e11; __atuvc=39%7C2%2C49%7C3; 
__atuvs=6005f41f861aa273002"},"body":["nonce=e6309a704039f3fc95bd11dad3b6b356286fbe1a&post-author=3yx51g&post-title=Nieuws&post-private=&post-parent=&post-template=template.php&post-menu-enable=on&post-menu=Nieuws&post-menu-order=2&post-id=nieuws&post-metak=&post-metad=&post-content=%3Cp%3EJA21+Flevoland+op+Social+Media%3C%2Fp%3E%0D%0A%0D%0A%3Cul%3E%0D%0A%09%3Cli%3ELike+en+deel+onze+Twitter+pagina+op%26nbsp%3Bhttps%3A%2F%2Ftwitter.com%2FJA21Flevoland%3C%2Fli%3E%0D%0A%09%3Cli%3Een+onze+Facebook+pagina+op%26nbsp%3Bhttps%3A%2F%2Fwww.facebook.com%2FJA21Flevoland%3C%2Fli%3E%0D%0A%3C%2Ful%3E%0D%0A%0D%0A%3Cp%3E%3Cimg+alt%3D%22%22+src%3D%22https%3A%2F%2Fja21flevoland.nl%2Fdata%2Fuploads%2Fja21-logo.png%22+style%3D%22width%3A+150px%3B+height%3A+150px%3B%22+%2F%3E%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3E%26nbsp%3B%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3E%26nbsp%3B%3C%2Fp%3E%0D%0A&existing-url=nieuws&redirectto=&submitted=Save+Updates"]},"response":{"protocol":"HTTP/1.1","status":403,"headers":{"Content-Length":"199","Keep-Alive":"timeout=2, max=100","Connection":"Keep-Alive","Content-Type":"text/html; charset=iso-8859-1"},"body":""},"audit_data":{"messages":["Access denied with code 403 (phase 2). Pattern match \"\\\\x22\" at ARGS_POST:post-content. 
[file \"/usr/local/cwaf/rules/30_Apps_OtherApps.conf\"] [line \"635\"] [id \"240710\"] [rev \"1\"] [msg \"COMODO WAF: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355)||ja21flevoland.nl|F|2\"] [severity \"CRITICAL\"] [tag \"CWAF\"] [tag \"OtherApps\"]"],"action":{"intercepted":true,"phase":2,"message":"Pattern match \"\\\\x22\" at ARGS_POST:post-content."},"handler":"application/x-httpd-lsphp","stopwatch":{"p1":323,"p2":2461,"p3":0,"p4":0,"p5":4,"sr":0,"sw":0,"l":0,"gc":0},"response_body_dechunked":true,"producer":["ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/)","CWAF_Apache"],"server":"Apache/2","engine_mode":"ENABLED"}}

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

Does this help ?

Regards,
Eric

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-20

Hi,

From your argeweb hoster:

Quote: Because this might be a false positive I want to advise you to create a case at Comodo Support

Looks like argeweb hosting cannot white list files by themselves, nor do they mention anything about mod_security settings in your CPanel .....

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

So let's take it from the top to the bottom:

1) Permission settings for the data folder and subfolders (uploads etc.)

Do a quick recursive change (to get all the subfolders as well) to 777 to test and check if that works, then sort out the proper owner/permission settings.

2) I noticed that the domain https://flevoland2020.nl/ now has a green padlock and now the Certificate Name matches flevoland2020.nl

But the domain ja21flevoland.nl does not resolve to https

There is some Certificate detected but the Certificate does not match name ja21flevoland.nl

Most hosters these days provide a free Let's Encrypt Certificate, I assume that argeweb does also ?

3) Some simple steps you can do by yourself to detect mod_security block are as follows:

a) You get one of the specified errors on your website frontend or backend when performing certain actions/requests: 403 Forbidden, 500 Internal Server Error, 404 Not Found.

b) The way to reproduce the error is usually the same all the time (as far as mod_security blocks a certain activity only).

c) The other functionality on your website frontend/backend remains normal.

So check: does it matter what you write in the content ? Can you change other things in page options without any error issue ?

4) Check your browser console for any changedata.php related issues

Here is an example how that could look like:

    http://ja21flevoland.nl/admin/changedata.php [HTTP/1.1 403 Forbidden 199ms]

And here is a possible example that could be the cause: (and could point to a solution direction)

Content written with a single quote (') can be saved or created.

Content written with a double quote ('') can not and will result in a error message "Forbidden You don't have permission to access changedata.php on this server."

So check your content for possible wrong formatted characters such as ", <, >, &, '

Are you copying text from e.g. Word and paste it in the CKEditor ?

Such actions could bring in non-html formatting or unsafe characters that are not visible, somewhere hiding in CKEditor content creating false mod_security flags

Any decent IDE has the option to show any hidden characters, for example in Notepad++ Menu => View => Show Symbol => Show all characters

....

F.

RE: Forbidden You don't have permission to access this resource - ericraap - 2021-01-20

Hi Felix,

I was able to solve the problem by checking the old tickets of the flevoland2020 website.

Apparently we had exactly the same issue in November 2020 but they 'forgot' to tell me. I had to find it out myself.

The ticket stated:

==============================================

It seems that the blocking is caused by a security rule in the firewall:

"COMODO WAF: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355)||www.flevoland2020.nl|F|2\"

I see that version 3.3.16 of the CMS is used. The firewall blocks this based on the filename "changedata.php" and "filebrowser.php" which have not been changed in the newer versions of GetSimple.

==============================================

I did the same manipulations as they did in November 2020 for the flevoland2020 website:

in ja21flevoland.nl/admin

rename "changedata.php" to "changedata1.php"
rename "filebrowser.php" to "filebrowser1.php"
change in "filebrowser.php" text "filebrowser.php" to "filebrowser1.php"
change in "edit.php" text "filebrowser.php" to "filebrowser1.php"
change in "edit.php" text "changedata.php" to "changedata1.php"

And now everything works fine, I can add images and links....

I want to thank you very very much for all your help!

Regards,
Eric

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-21

Hi Eric,

So it was a hosting mod_security case after all.

Your post helps out very nice. I tried the edits you provided and they really work !

Thanks for sharing your solution with the forum.

F.

RE: Forbidden You don't have permission to access this resource - Felix - 2021-01-21

Did you know that the GS cms has 2 cool features ?

1) Edit GS cms files directly inside the cms (no ftp needed) https://ibb.co/wKdydWK

2) Diagnose a GS cms "health check" directly inside the cms https://ibb.co/bPXXnJq

=====================================

F.

RE: Forbidden You don't have permission to access this resource - Felix - 2021-05-15

davidbeckham12 post => flagged as spam
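
A triage sketch for the ModSecurity audit entry quoted in the thread, added here as an example (it is not code from the forum posts, from GetSimple or from Comodo). It pulls the rule id, matched variable and operator pattern out of the entry and counts how often that pattern occurs in the blocked form field; `SAMPLE_ENTRY` is a constructed, cut-down copy of the quoted log, and the function names are hypothetical.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample: the audit entry quoted in the thread, cut down to the
# fields used here (headers, cookies and most form fields removed).
SAMPLE_ENTRY = r'''{"transaction":{"time":"18/Jan/2021:22:06:26 +0100"},"request":{"request_line":"POST /admin/changedata.php HTTP/1.1","body":["post-title=Nieuws&post-content=%3Cp%3E%3Cimg+alt%3D%22%22+src%3D%22https%3A%2F%2Fja21flevoland.nl%2Fdata%2Fuploads%2Fja21-logo.png%22+%2F%3E%3C%2Fp%3E&submitted=Save+Updates"]},"response":{"status":403},"audit_data":{"messages":["Access denied with code 403 (phase 2). Pattern match \"\\\\x22\" at ARGS_POST:post-content. [file \"/usr/local/cwaf/rules/30_Apps_OtherApps.conf\"] [line \"635\"] [id \"240710\"] [rev \"1\"] [msg \"COMODO WAF: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355)||ja21flevoland.nl|F|2\"] [severity \"CRITICAL\"] [tag \"CWAF\"] [tag \"OtherApps\"]"]}}'''

FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')           # [id "240710"] style metadata
MATCH_RE = re.compile(r'Pattern match "(.*?)" at (\S+?)\.(?:\s|$)')


def parse_message(message):
    """Split one audit_data message into operator pattern, variable and rule metadata."""
    meta = {"tags": [], "pattern": None, "variable": ""}
    for key, value in FIELD_RE.findall(message):
        if key == "tag":
            meta["tags"].append(value)
        else:
            meta[key] = value
    hit = MATCH_RE.search(message)
    if hit:
        # The audit log doubles backslashes; undo that to get the regex back.
        meta["pattern"] = hit.group(1).replace("\\\\", "\\")
        meta["variable"] = hit.group(2)
    return meta


def count_hits(pattern, text):
    """Count matches of the rule's pattern in a value.

    Assumption: the pattern is also valid for Python's re module (true for \\x22).
    """
    return len(re.findall(pattern, text)) if pattern else 0


def triage(entry_json):
    """Return the fields needed to judge whether a block is a false positive."""
    entry = json.loads(entry_json)
    method, uri, _ = entry["request"]["request_line"].split(" ", 2)
    meta = parse_message(entry["audit_data"]["messages"][0])
    collection, _, name = meta["variable"].partition(":")
    value = ""
    if collection == "ARGS_POST":
        # Decode the urlencoded form body and pick the field the rule inspected.
        form = parse_qs("".join(entry["request"]["body"]), keep_blank_values=True)
        value = form.get(name, [""])[0]
    return {
        "method": method, "uri": uri, "status": entry["response"]["status"],
        "rule_id": meta.get("id"), "rule_file": meta.get("file"),
        "variable": meta["variable"], "pattern": meta["pattern"],
        "blocked_value": value, "hits": count_hits(meta["pattern"], value),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_ENTRY).items():
        print(f"{key:14} {val}")
```

On the sample, the pattern `\x22` is a single double quote, so every quoted HTML attribute in `post-content` counts as a hit while content without double quotes produces none.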