Posts: 10
Threads: 1
Joined: Jan 2021
Hi, I'm setting up a pretty straight forward website with version 3.3.16 but as soon as I want to include an image or a link to a website or internal page the CMS says 'Forbidden You don't have permission to access this resource'.
I talked to my Webhosting party and they said their firewall blocks it because it's unsecure....I think its nonsense because I have a similar site on another domain and that's running fine....any idea what the problem might be ???
Thx, Eric
Posts: 515
Threads: 21
Joined: Feb 2019
Hello Eric,
Welcome to GS 3.3.16
Would you like to mention something more about your website,
we are there to help and share experience.
The -- Forbidden You don't have permission to access this resource -- error
is most probably the mod_security setting on your hosting
Disable mod_security in the CPanel of your hosting
or disable it in the .htaccess file in the root of your website
If the error disappears then contact your hosting support
and let them adjust the mod_security settings for your website.
======================================
Just let us know it that solved the issue.
If not we can further diagnose the case.
F.
Posts: 10
Threads: 1
Joined: Jan 2021
2021-01-16, 18:38:32
(This post was last modified: 2021-01-16, 18:41:05 by ericraap.)
Hi Felix,
Thanks for your welcome! The site is http://ja21flevoland.nl/
I checked my '.htaccess' which was in the 'public_html' folder but don't see any mod_security I can disable.
The hosting party told me that 'GetSimple' needs to solve the issue so they are not really willing to change anything on their firewall. I have another website at the same hosting provider which I also maintain with CMS version 3.3.16 and here I do not have any problem with adding images and links. The website is https://flevoland2020.nl/
Thanks in advance for your help, it's making me nuts this error message....
Regards, Eric
PS I wanted to attach the .htaccess but apparently it's not allowed...below is the content
#
# GetSimple CMS htaccess ROOT file
# apache 2.4
#
# The following require certain allow overrides, if getting 500 error comment them out one by one
# can be resolved in apache httpd.conf to ensure security alternatives
# override charset
AddDefaultCharset UTF-8
# prevent directory listings
Options -Indexes
# Follow symbolink links, This is required for rewrites on some hosts
Options +FollowSymLinks
# Set the default handler.
DirectoryIndex index.php
# blocks direct access to the XML files - they hold all the data!
<Files ~ "\.xml$">
<IfModule !mod_authz_core.c>
Deny from all
</IfModule>
<IfModule mod_access_compat.c>
Deny from all
</IfModule>
<IfModule mod_authz_core.c>
<IfModule !mod_access_compat.c>
Require all denied
</IfModule>
</IfModule>
</Files>
<Files sitemap.xml>
<IfModule !mod_authz_core.c>
Allow from all
</IfModule>
<IfModule mod_access_compat.c>
Allow from all
</IfModule>
<IfModule mod_authz_core.c>
<IfModule !mod_access_compat.c>
Require all granted
</IfModule>
</IfModule>
</Files>
# handle rewrites for fancy urls
<IfModule mod_rewrite.c>
RewriteEngine on
# Usually RewriteBase is just '/', but
# replace it with your subdirectory path
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule /?([A-Za-z0-9_-]+)/?$ index.php?id=$1 [QSA,L]
</IfModule>
Posts: 515
Threads: 21
Joined: Feb 2019
Hi Eric,
Did you check if your index.php or .htaccess files are for some reason corrupted ?
Try to install a new 3.3.16 setup somewhere in a subdomain and see how that works.
======================================
Looks like your website is hosted on argeweb.nl
Their online support does not bring up much:
https://www.argeweb.nl/zoeken/security
======================================
Try the following:
Go to your argeweb CPanel and look for the mod_sequrity setting
Turn off mod_sequrity for your website and check if the error
disappears.
Here is an example where to find mod_sequrity inside CPanel
https://www.interserver.net/tips/kb/how-...commended/
Of course this CPanel might look different but it gives you an idea where to look
in your argeweb CPanel
======================================
If the above doesn't work you can try to put these lines of code in your .htaccess file
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Check if that makes the error go away
======================================
If the error still does not go away you have to contact your hosting support
and let them check the Apache error log for your website. You mentioned that
they do not want to change their firewall rules, ok that is understandable,
but they can at least check the Apache error log for your website and inform
you what exactly is the reason for the error.
Just let us know if any of the above works out.
If all of the above does not work you can try to use another hosting
https://www.hostinger.nl/ (i am not affiliated)
F.
Posts: 10
Threads: 1
Joined: Jan 2021
Hi Felix,
Regarding corruption of the index.php or .htaccess files...I reinstalled it from scratch a few times so they should be fine...
======================================
My website is hosted on argeweb.nl and their online support does indeed not bring up much
======================================
I do not have access to the argeweb CPanel (at least I do not know where and how to access)
======================================
I added the lines in my .htaccess file in the public_html folder but it doesn't change anything, still cannot add images and links. Do I need to stop-start the server to activate the new .htaccess file or is it realtime?
======================================
I will contact the hosting support and ask them to check the Apache error log for my website.
Thx again for your feedback !
Regards, Eric
Posts: 515
Threads: 21
Joined: Feb 2019
Hi Eric,
This page seems to be the login for your argeweb cpanel
https://www.argeweb.nl/argecs/
When you have time you can post a few screenshots
of the error you get. A picture usually says more.
F.
Posts: 515
Threads: 21
Joined: Feb 2019
Quote:CMS says 'Forbidden You don't have permission to access this resource'.
Check if you have a permission problem with the location inside GS 3.3.16 where you store the pictures
e.g.
http://ja21flevoland.nl/data/uploads/ ?
http://ja21flevoland.nl/theme/your_theme/assets/ ?
Also check if you have a permission problem with how you link to the pictures in your pages.
F.
Posts: 10
Threads: 1
Joined: Jan 2021
2021-01-18, 07:42:08
(This post was last modified: 2021-01-18, 07:46:37 by ericraap.)
Hi Felix,
I tried to attach a document with a lot of screencaptures regarding the CMS (editing a page , adding an image and the error) and the FTP view of the different folders. Also part of the menu of the https://www.argeweb.nl/argecs/.
However got an error, probably too big (size is 1.800 kb). Can I upload it somewhere else ?
Eric
Posts: 515
Threads: 21
Joined: Feb 2019
Quote:Can I upload it somewhere else ?
Sure:
https://imgbb.com/
you can even choose auto remove after a few days
Posts: 10
Threads: 1
Joined: Jan 2021
OK, I've uploaded 9 pictures:
https://ibb.co/JsM4JfM
https://ibb.co/pPhTsxR
https://ibb.co/dPJwzQH
https://ibb.co/Wk3TcVr
https://ibb.co/88D0Xj7
https://ibb.co/WDC3FnT
https://ibb.co/XJQch1D
https://ibb.co/XJNfgnn
https://ibb.co/3kgD7nX
They have the following names:
1. Main menu GetSimple CMS
2. Editing a page
3. Adding a picture which has already been uploaded using the Files tab
4. Picture is visible in the editor
5. Source code of the page
6. When clicking on Save Updates the Forbidden error appears
7. public_html FTP view of the website
8. data uploads FTP view of the website
9. theme innovation assets FTP view of the website
10. Argeweb portal
Eric
Posts: 515
Threads: 21
Joined: Feb 2019
Hi,
I forgot to mention that the GS cms has an inbuild error reporter.
Just turn it on and maybe it will show helpful information
about the error.
Go to the webroot of your GS cms installation and look for the file gsconfig.php
Open it in your favorite editor and uncomment the following line:
#define('GSDEBUG', TRUE);
so it looks like this
define('GSDEBUG', TRUE);
Then save the gsconfig.php file again and reload your webpages
to see any error report.
here are 3 pics to show what I mean:
https://ibb.co/ZfzQ9TH
https://ibb.co/6tkJjHz
https://ibb.co/6vFQ5Dy
Posts: 10
Threads: 1
Joined: Jan 2021
2021-01-19, 00:51:39
(This post was last modified: 2021-01-19, 02:14:19 by ericraap.)
Hi,
I copied the gsconfig.php to my local drive and uncommented the following line:
#define('GSDEBUG', TRUE);
so it looked like this
define('GSDEBUG', TRUE);
Then saved the gsconfig.php file and uploaded it again via FTP.
I do see a Debug Console box now in the page so I tried to change a page again by linking to an external URL or to insert an image but still the same error message'Forbidden You don't have permission to access this resource'
I do not see any information in the Debug Console because after clicking on Save Updates the whole page dissapears and in the left top of the page the 'Forbidden...' message appears.
However, when I upload an image in the Files section I do get Debug information:
Max file size:
Notice: A non well formed numeric value encountered in /home/ja21flevo/domains/ja21flevoland.nl/public_html/admin/inc/basic.php on line 1198
32MB
Warning: count(): Parameter must be an array or an object that implements Countable in /home/ja21flevo/domains/ja21flevoland.nl/public_html/admin/upload.php on line 235
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; ImageManipulation has a deprecated constructor in /home/ja21flevo/domains/ja21flevoland.nl/public_html/admin/inc/imagemanipulation.php on line 104
See the Debug information in the Files section on https://ibb.co/XJP206n
I don't understand the warnings, it are normal images...
When I type in for example http://ja21flevoland.nl/data/uploads/ja21-logo.png in my browser I see the image appearing so it looks like it's stored without any issues...
And the same images do appear without any problem in this website https://flevoland2020.nl/index.php?id=onze-mensen which is similar as the http://ja21flevoland.nl/
Anyway I also get the same 'Forbidden..' message when I try to put a URL in the page....
Eric
Posts: 515
Threads: 21
Joined: Feb 2019
Hi
The GS cms error reporter did not show anything usable to solve the problem.
Make sure you comment it again: #define('GSDEBUG', TRUE);
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
About flevoland2020.nl
Your domain flevoland2020.nl where the pictures work normally uses a ssl certificate from Sectigo
and all website content resolves correctly to https://
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
About ja21flevoland.nl
It looks like your domain ja21flevoland.nl uses a ssl certificate from Let's Encrypt but I am not sure
but the domain does not resolve to https://
The hostname ja21flevoland.nl does NOT match the Common Name in the certificate
If a Let's Encrypt certificate or another certificate is used for that domain
then you should check if it is setup correctly or contact your hosting support
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
After you solved the ssl certificate with ja21flevoland.nl
check the image urls inside the CKEditor
http://ja21flevoland.nl/data/uploads/ja21-logo.png
Yes the image shows up with the above url directly in the browser.
The GS cms uses the CKEditor for editing text and including images.
Check the image urls how they are linked in the the CKEditor.
Posts: 515
Threads: 21
Joined: Feb 2019
Hi
To find out if the error comes from the GS-3.3.16 or from something else,
I uploaded a simple test case on a simple shared hosting:
http://ja21flevoland.showme.zone/
Everything works as it should and pictures show up normally
F.
Posts: 10
Threads: 1
Joined: Jan 2021
Hi
I commented the Debug line again: #define('GSDEBUG', TRUE);
The Hosting party promised me to send the Apache logs. It was turned of but they turned it on now and I generated a few times the error.
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
I forwarded your feedback about the Certificates to the Hosting party
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
I added the image http://ja21flevoland.nl/data/uploads/ja21-logo.png using the CKEditor and below is the source code
<p><img alt="" src="http://ja21flevoland.nl/data/uploads/ja21-logo.png" style="width: 150px; height: 150px;" /></p>
Regards, Eric
Posts: 10
Threads: 1
Joined: Jan 2021
(2021-01-19, 06:59:21)Felix Wrote: Hi
To find out if the error comes from the GS-3.3.16 or from something else,
I uploaded a simple test case on a simple shared hosting:
http://ja21flevoland.showme.zone/
Everything works as it should and pictures show up normally
F.
I see that all the images are shown normally....this is driving me nuts....let's wait for the Apache logs
Posts: 10
Threads: 1
Joined: Jan 2021
Hi,
Please find below the feedback of the Hosting party:
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
I checked the logging for your website and retrieved the following error message in our Comodo Web Application Firewall. The issue is the following: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355). Because this might be a false positive I want to advise you to create a case at Comodo Support via the following URL, so they can modify it:
- https://support.comodo.com/
Below is the log:
11087:{"transaction":{"time":"18/Jan/2021:22:06:26 +0100","transaction_id":"YAX4UiEc4VqWzf9MEidzsAAAAHM","remote_address":"2001:984:310d:1:801e:3fbd:d0b4:de56","remote_port":55048,"local_address":"2001:678:76c:3401::146","local_port":80},"request":{"request_line":"POST /admin/changedata.php HTTP/1.1","headers":{"Host":"ja21flevoland.nl","Connection":"keep-alive","Content-Length":"874","Cache-Control":"max-age=0","Upgrade-Insecure-Requests":"1","Origin":"http://ja21flevoland.nl","Content-Type":"application/x-www-form-urlencoded","User-Agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","Referer":"http://ja21flevoland.nl/admin/edit.php?id=nieuws","Accept-Encoding":"gzip, deflate","Accept-Language":"nl-NL,nl;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6","Cookie":"GS_ADMIN_USERNAME=3yx51g; 319d8cb82dfa64e821a8dbbdb4adee80de1992cc=2d2258b9521180ff0f54e1cd047054c3ee2a8e11; __atuvc=39%7C2%2C49%7C3; __atuvs=6005f41f861aa273002"},"body":["nonce=e6309a704039f3fc95bd11dad3b6b356286fbe1a&post-author=3yx51g&post-title=Nieuws&post-private=&post-parent=&post-template=template.php&post-menu-enable=on&post-menu=Nieuws&post-menu-order=2&post-id=nieuws&post-metak=&post-metad=&post-content=%3Cp%3EJA21+Flevoland+op+Social+Media%3C%2Fp%3E%0D%0A%0D%0A%3Cul%3E%0D%0A%09%3Cli%3ELike+en+deel+onze+Twitter+pagina+op%26nbsp%3Bhttps%3A%2F%2Ftwitter.com%2FJA21Flevoland%3C%2Fli%3E%0D%0A%09%3Cli%3Een+onze+Facebook+pagina+op%26nbsp%3Bhttps%3A%2F%2Fwww.facebook.com%2FJA21Flevoland%3C%2Fli%3E%0D%0A%3C%2Ful%3E%0D%0A%0D%0A%3Cp%3E%3Cimg+alt%3D%22%22+src%3D%22https%3A%2F%2Fja21flevoland.nl%2Fdata%2Fuploads%2Fja21-logo.png%22+style%3D%22width%3A+150px%3B+height%3A+150px%3B%22+%2F%3E%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3E%26nbsp%3B%3C%2Fp%3E%0D%0A%0D%0A%3Cp%3E%26nbsp%3B%3C%2Fp%3E%0D%0A&existing-url=nieuws&redirectto=&submitted=Save+Updates"]},"response":{"protocol":"HTTP/1.1","status":403,"headers":{"Content-Length":"199","Keep-Alive":"timeout=2, max=100","Connection":"Keep-Alive","Content-Type":"text/html; charset=iso-8859-1"},"body":""},"audit_data":{"messages":["Access denied with code 403 (phase 2). Pattern match \"\\\\x22\" at ARGS_POST:post-content. [file \"/usr/local/cwaf/rules/30_Apps_OtherApps.conf\"] [line \"635\"] [id \"240710\"] [rev \"1\"] [msg \"COMODO WAF: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355)||ja21flevoland.nl|F|2\"] [severity \"CRITICAL\"] [tag \"CWAF\"] [tag \"OtherApps\"]"],"action":{"intercepted":true,"phase":2,"message":"Pattern match \"\\\\x22\" at ARGS_POST:post-content."},"handler":"application/x-httpd-lsphp","stopwatch":{"p1":323,"p2":2461,"p3":0,"p4":0,"p5":4,"sr":0,"sw":0,"l":0,"gc":0},"response_body_dechunked":true,"producer":["ModSecurity for Apache/2.9.3 ( http://www.modsecurity.org/)","CWAF_Apache"],"server":"Apache/2","engine_mode":"ENABLED"}}
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Does this help ?
Regards, Eric
Posts: 515
Threads: 21
Joined: Feb 2019
Hi,
From your argeweb hoster:
Quote:Because this might be a false positive I want to advise you to create a case at Comodo Support
via the following URL, so they can modify it
Looks like argeweb hosting cannot white list files by them selves, nor do they mention anything
about mod_security settings in your CPanel .....
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
So let's take it from the top to the bottom:
1)
Permission settings for the data folder and subfolders (uploads etc.)
Do a quick recursive change (to get all the subfolders as well) to 777 to test and check if that works,
then sort out the proper owner/permission settings.
2)
I noticed that the domain https://flevoland2020.nl/ now has a green padlock
and now the Certificate Name matches flevoland2020.nl
But the domain ja21flevoland.nl does not resolve to https
There is some Certificate detected but the Certificate does not match name ja21flevoland.nl
Most hosters these days provide a free Let's Encrypt Certificate, I assume that argeweb
does also ?
3)
Some simple steps you can do by your self to detect mod_security block are as follows:
a) You get one of the specified errors on your website frontend or backend when performing certain actions/requests:
403 Forbidden, 500 Internal Server Error, 404 Not Found.
b) The way to reproduce the error is usually the same all the time (as far as mod_security blocks a certain activity only).
c) The other functionality on your website frontend/backend remains normal.
So check: does it matter what you write in the content ?
Can you change other things in page options without any error issue ?
4)
Check your browser console for any changedata.php related issues
Here is an example how that could look like:
http://ja21flevoland.nl/admin/changedata.php [HTTP/1.1 403 Forbidden 199ms]
And here is a possible example that could be the cause: (and could point to a solution direction)
Content written with a single quote (') can be saved or created. Content written with a double quote ('') can not
and will result in a error message "Forbidden You don't have permission to access changedata.php on this server."
So check your content for possible wrong formatted characters such as ", <, >, &, '
Are you copying text from e.g. Word and paste it in the CKEditor ?
Such actions could bring in none html formatting or unsafe characters that are not visible,
somewhere hiding in CKEditor content creating false mod_security flags
Any decent IDE has the option to show any hidden characters, for example in Notepad++
Menu => View => Show Symbol => Show all characters ....
F.
Posts: 10
Threads: 1
Joined: Jan 2021
Hi Felix,
I was able to solve the problem by checking the old tickets of the flevoland2020 website. Apparantly we had exactly the same issue in november 2020 but they 'forgot' to tell me. I had to find it out myself. The ticket stated:
==============================================
It seems that the blocking is caused by a security rule in the firewall:
"COMODO WAF: Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 (CVE-2015-5355)||www.flevoland2020.nl|F|2\"
I see that version 3.3.16 of the CMS is used. The firewall blocks this based on the filename "changedata.php" and "filebrowser.php" which have not been changed in the newer versions of GetSimple.
==============================================
I did the same manipulations as they did in november 2020 for the flevoland2020 website:
in ja21flevoland.nl/admin
rename "changedata.php" to "changedata1.php"
rename "filebrowser.php" to "filebrowser1.php"
change in "filebrowser.php" text "filebrowser.php" to "filebrowser1.php"
change in "edit.php" text "filebrowser.php" to "filebrowser1.php"
change in "edit.php" text "changedata.php" to "changedata1.php"
And now everything works fine, I can add images and links....
I want to thank you very very much for all your help!
Regards, Eric
Posts: 515
Threads: 21
Joined: Feb 2019
Hi Eric,
So it was a hosting mod_security case after all.
Your post helps out very nice.
I tried the edits you provided and they really work !
Thanks for sharing your solution with the forum.
F.
Posts: 515
Threads: 21
Joined: Feb 2019
Did you know that the GS cms has 2 cool features ?
1) Edit GS cms files directly inside the cms (no ftp needed)
https://ibb.co/wKdydWK
2) Diagnose a GS cms "health check" directly inside the cms
https://ibb.co/bPXXnJq
=====================================
F.
Posts: 515
Threads: 21
Joined: Feb 2019
davidbeckham12 post => flagged as spam
|