-
403 Forbidden error when updating product
I just started getting an error under one of my cart's categories when I try to update the descriptions of a product under that category. It doesn't give the error under any other categories that I have found yet.
I receive the error:
Forbidden
You don't have permission to access /admin/product.php on this server.
The site is http://www.2griffins.com and it only does it for any products under Products - Desk Accessories > Pens and Pencils > Mont Blanc Pens and Pencils.
I was getting the same error under the Define Page Editor section after installing the SSL certificate on the site. I changed the following back to false for the admin and catalog and that fixed the problem there.
Code:
define('HTTP_SERVER', 'http://www.2griffins.com');
define('HTTPS_SERVER', 'https://www.2griffins.com');
define('HTTP_CATALOG_SERVER', 'http://www.2griffins.com');
define('HTTPS_CATALOG_SERVER', 'https://www.2griffins.com');
// Use secure webserver for catalog module and/or admin areas?
define('ENABLE_SSL_CATALOG', 'false');
define('ENABLE_SSL_ADMIN', 'false');
Any ideas?
- Karen
-
Re: 403 Forbidden error when updating product
what is the exact description that you are trying to change .... both "from" and "to" ?
I suspect your server may have a mod_security setting active which is trying to protect against the use of any "reserved words". Knowing what you're trying to enter may help...
-
Re: 403 Forbidden error when updating product
It does it for all products under the category Mont Blanc Pens and Pencils. I don't know exactly what the client was trying to change but I have tried anything for testing.
For example I will try to change the description on http://www.2griffins.com/index.php?m...products_id=47
from "Burl Wood Mont Blanc Pen" to "Burl Wood Pen"
What type of words are blocked? The only words that are in this category that are not in the others is "Mont Blanc"
-
Re: 403 Forbidden error when updating product
You have a .htaccess file in /admin, right?
So ... try an experiment.
1. make a backup copy of your /admin/.htaccess file. Store it in a safe place.
2. edit the /admin/.htaccess file, and add this to the very bottom:
Code:
SecFilterEngine Off
3. Save the file and upload it to the server ... again, this is ONLY the /admin/.htaccess file
(only in the ADMIN folder ... not in any other place)
Now do your edits work?
If so, then it's a configuration issue related to mod_security that's causing your problems.
-
Re: 403 Forbidden error when updating product
THANK YOU!!! That did the trick!
I wish I had asked earlier!
-
Re: 403 Forbidden error when updating product
Just wanted to chime in and say you saved the day. As of today I was getting the same problem but that code fixed it. Thanks!
-
Re: 403 Forbidden error when updating product
thanks for posting this fix !
-
Re: 403 Forbidden error when updating product
Here's another curly one - I only get the error in IE and not in Firefox........so it also would appear it has something to do with the way the browsers are interpreting the code!
-
Re: 403 Forbidden error when updating product
Just read this thread and it's what I've been looking for.......worked like a dream, Thanks Dr Byte:yes:
-
Re: 403 Forbidden error when updating product
Remember that using the method described by DrByte is temporary.
It allows you to finish what you were doing but then the Hoster should be contacted about the problem. Between the two of you, an exact solution can be worked out and the line can be removed from your .htaccess file. While that line is there, you are losing the security provided by the Server Firewall, for anything within your Admin dir.
-
Re: 403 Forbidden error when updating product
I am getting this error when trying to update an existing product, saying I didn't have permission to access /catalog/adm1n/product.php BUT.. it only happens from the office PC. When logged in at home, there's no problem.
I am using the very same admin login on both PCs. I temporarily renamed the .htaccess to .htaccessBAK and still the problem persists.
There is one thing about this though. It's only happening for products whose prices are linked, using the Better Together mod.
I guess the simple answer is to use my home PC, or ditch the Better Together mod :no: but I need to be able to offer discounts when buying linked products.
If any code is needed, please let me know and I'll add it to the post.
Thanks,
Johnny
-
Re: 403 Forbidden error when updating product
Despite the Better Together 'red herring' above, this problem WAS to do with the SecFilterEngine. I added that line of code, problem gone.
Has anyone found out what needed changing with their host to resolve this?
Johnny
-
Re: 403 Forbidden error when updating product
johnny_e, from what you have described it sounds like the Office IP is being blocked; either by you in one of your .htaccess files or by your Hoster for some reason. You don't mention though, if you can access the front end of the Store from your Office?
I would first check your .htaccess files to see if you have blocked the Office IP.
-
Re: 403 Forbidden error when updating product
My .htaccess file was unchanged from the shipped version - so this must be down to something my hoster is doing. I guess that the fact that disabling the SecFilterEngine cured this - further reinforces the idea.
BTW - the front end was ok from the office. In fact, I could add a new product OK from the office. It was only when editing said product, that the 403 error occurred. Strange... Thanks for the reply.
Johnny
-
Re: 403 Forbidden error when updating product
If you can access the front end from your Office computer then the IP is not being blocked; by you nor your Hoster.
Something else is doing the blocking but not sure what. If, as you say, disabling the SecFilterEngine solves the problem then it could be a Server Firewall setting; using a word(s) not allowed. You can test by first recording whatever Edit you are trying to do from the Office then, if that is not allowed, try to make the same Edit from Home.
You could also try Editing from a third computer in different location to see what results you get. Might help to pin down if problem is with a specific Module.
-
Re: 403 Forbidden error when updating product
I'll try that. Mind you - what confuses this even further ...
We added a new product. No problem. Then we went back in to add just an image - and got the 403 error! How does that get hit by a word filter?
Johnny
-
Re: 403 Forbidden error when updating product
Good question.
You definitely have an oddball situation on your hands and will take some effort to sort out. Have a look at your Hosting account Error logs to see what info they are providing. Might be helpful.
-
Re: 403 Forbidden error when updating product
I have this same issue. On ANY (apparently) add OR update of a product or category, and in attempting to reset the admin password from the back end (and perhaps other submissions; I haven't tried every feature in the admin section) results in the 403 not found and no permission page indicated in this thread.
Modsec successfully alleviated the issue, so I submitted a ticket to my host.
They replied with the error that is showing on their end in the apache server - everything in <pointy> brackets is me replacing (possibly) sensitive information with a tag:
[Wed Sep 17 09:26:03 2008] [error] [client <IP>] mod_security: Access denied with code 403. read_post_payload: Failed to create file "/home/<BADUSER>/tmp/20080917-092603-<IP>-request_body-GqdtBU" because 13("Permission denied") [severity "EMERGENCY"] [hostname "www.<mydomain>.com"] [uri "/<admin folder>/categories.php?action=insert_category&cPath="]
[Wed Sep 17 09:26:03 2008] [error] [client <IP>] File does not exist: /home/<MYUSER>/public_html/403.shtml
What is very important is that <BADUSER> in the first error is NOT my account. It is some other user (if the name is relevant, I can post that one, but I assume the only relevant fact is that it's not mine). <MYUSER> in the second error is the proper account (I'm talking about my web host user account which is in the apache root path to my site).
This is distressing. I know for a FACT that the site worked yesterday. I have (as my host's support staff suggested, and as I would have done anyway) checked both the entire admin folder (downloading and searching in files) and the configuration file in the store includes and both indicate the proper username (there is no reference to <BADUSER> in any file). I also searched the database in phpmyadmin and there is no reference to <BADUSER> in there either. I also used the Developer's Tool Kit in the admin area to search all files for <BADUSER> and get no results.
I'm going to let the support staff know about the result, but I was wondering if anyone here might recognize an issue they've seen before. I haven't updated anything since it worked yesterday, so I'm feeling like maybe my host company did some work on the server and they are the cause... I'm assuming that attempting to create a "tmp/20080917-092603-<IP>-request_body-GqdtBU" is normal? I've never known the store to create files when updating SQL, but I've never really looked into that area.
I actually just got the idea to check my OLD store (which is still up on the site, but is in maintenance mode - the above issue was with a new store on the same account, but in a different folder). My old store has the same issue right now, so it seems server-side; I'm just not sure what it is.
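The two kinds of mod_security 403 this thread runs into can be told apart from the error log. The following is an added example, not part of the original post or of Zen Cart: it classifies each denial as a rule hit or a request-body spool failure and flags a spool directory under another account's home. The user names, IP, hostname and the `Pattern match` line in the sample are constructed.

```python
import re

# Constructed sample in the format of the log lines quoted in the thread. Names and IP
# are placeholders; the "Pattern match" wording is an assumed 1.x rule-hit format.
SAMPLE_LOG = (
    '[Wed Sep 17 09:26:03 2008] [error] [client 203.0.113.10] mod_security: '
    'Access denied with code 403. read_post_payload: Failed to create file '
    '"/home/otheruser/tmp/20080917-092603-203.0.113.10-request_body-GqdtBU" '
    'because 13("Permission denied") [severity "EMERGENCY"] '
    '[hostname "www.example.com"] '
    '[uri "/admin/categories.php?action=insert_category&cPath="]\n'
    '[Wed Sep 17 09:26:03 2008] [error] [client 203.0.113.10] '
    'File does not exist: /home/myuser/public_html/403.shtml\n'
    '[Wed Sep 17 09:31:40 2008] [error] [client 203.0.113.10] mod_security: '
    'Access denied with code 403. Pattern match "select.+from" at POST_PAYLOAD '
    '[severity "EMERGENCY"] [hostname "www.example.com"] '
    '[uri "/admin/product.php?action=update_product"]\n'
)

DENY = re.compile(r'\[client (?P<client>[^\]]+)\] mod_security: Access denied '
                  r'with code (?P<code>\d{3})\. (?P<detail>.*?)(?= \[\w+ "|$)')
URI = re.compile(r'\[uri "(?P<uri>[^"]*)"\]')
SPOOL = re.compile(r'Failed to create file "(?P<path>/home/(?P<owner>[^/"]+)/'
                   r'[^"]*)" because \d+\("(?P<err>[^"]+)"\)')
RULE = re.compile(r'Pattern match "(?P<pattern>.*)" at (?P<where>\S+)')

def classify(line, account):
    """Return a dict for a mod_security denial, or None for other log lines."""
    deny = DENY.search(line)
    if not deny:
        return None
    uri = URI.search(line)
    event = {"client": deny["client"], "code": int(deny["code"]),
             "uri": uri["uri"] if uri else None, "kind": "other"}
    spool = SPOOL.search(deny["detail"])
    rule = RULE.search(deny["detail"])
    if spool:
        # The request body could not be buffered, so no rule was evaluated:
        # a server-side fault, not something in the submitted text.
        event.update(kind="body_spool_failure", path=spool["path"],
                     error=spool["err"], foreign_tmp=spool["owner"] != account)
    elif rule:
        event.update(kind="rule_match", pattern=rule["pattern"],
                     where=rule["where"])
    return event

def denials(log_text, account):
    return [e for e in (classify(l, account) for l in log_text.splitlines()) if e]

if __name__ == "__main__":
    for e in denials(SAMPLE_LOG, account="myuser"):
        print(e)
```

A `body_spool_failure` with `foreign_tmp` set points at the host's configuration, while a `rule_match` names the pattern to raise with the host.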
-
Re: 403 Forbidden error when updating product
Quote:
[Wed Sep 17 09:26:03 2008] [error] [client <IP>] mod_security: Access denied with code 403. read_post_payload: Failed to create file "/home/<BADUSER>/tmp/20080917-092603-72.12.208.111-request_body-GqdtBU" because 13("Permission denied") [severity "EMERGENCY"] [hostname "www.<mydomain>.com"] [uri "/<admin folder>/categories.php?action=insert_category&cPath="]
The above states that someone tried to create a file within a dir. that does not belong to you. If the [client <IP>] used is your IP (as provided by your ISP) then things have changed and you need to find out more.
This error is simply stating you have no 403.shtml page.
Quote:
[Wed Sep 17 09:26:03 2008] [error] [client <IP>] File does not exist: /home/<MYUSER>/public_html/403.shtml
You should confirm that your two config files have not changed and/or could be mySQL related as in something changed within your database; possibly a mySQL Injection hack. All good reasons to discuss the situation further with your Hoster.
-
Re: 403 Forbidden error when updating product
Quote:
Originally Posted by Website Rob
The above states that someone tried to create a file within a dir. that does not belong to you. If the [client <IP>] used is your IP (as provided by your ISP) then things have changed and you need to find out more.
I believe the IP is that of my hosting company support guy who I'm sure had to test it for himself to confirm that I'm not incompetent in clicking submit buttons. It is not my IP.
My question is that the error says "Failed to create file "/home/<BADUSER>/tmp/20080917-092603-<IP>-request_body-GqdtBU" - is the creation of such a file something zencart would normally do (but on my site's path)? Or should it not be trying to create a file at all? IE: should I be looking for why it's trying the wrong path, or in why it's even trying to create a file?
Quote:
You should confirm that your two config files have not changed and/or could be mySQL related as in something changed within your database;
I see no evidence of change in these files. I should note that my new site is still under construction; it is in a path I have not publicized, and I have used .htaccess to block all access from all but my IP, so no one should even know it is there to hack, let alone have access. Also, as mentioned, it has occurred on my live store (which is down for maintenance, as my new one was SUPPOSED to be ready to launch today or tomorrow). A new development is that I've also got a similar issue now occurring on my blog on the same site (when attempting to upload an image, I get the same forbidden message).
Quote:
possibly a mySQL Injection hack. All good reasons to discuss the situation further with your Hoster.
I am still in connection with them; their initial (and stubborn) reaction is that it has all the earmarks of a Coding error, yet I have done a search and found no reference to <BADUSER> in any files or any database.
I'm not familiar with the mySQL injection type of hack, but I assume that simply means someone has put some bad data in my database? I would assume it would have to include the bad user's path which I searched for in my database and did not find any evidence of.
If someone did hack my site, They would have to have hacked my old store, new store and blog - all three have separate databases with unique access name and passwords, plus the aforementioned protection on my new store's directory. It seems unlikely to me. No files indicate having been modified in the last week either. Everywhere where my Proper User path should be in zencart (based on the copies on my hard drive) are set the same online.
-
Re: 403 Forbidden error when updating product
Verdict came back from tech support... "This was due to a problem with the way Apache works on this server. I've corrected it..."
Yeah, when they admit it's their fault, all of a sudden they are far less specific... I'm going to see if I can get any more information, but whatever "it" was, it's fixed.
-
Re: 403 Forbidden error when updating product
It would seem that the problems were due to incorrect paths being used. Probably due to a previous and recent change or software upgrade by your Hoster, since the problems started without any changes by yourself.
Would also seem your Hoster created the problems and presumably, they have now corrected them. If all is well once again then that is good.
-
Re: 403 Forbidden error when updating product
How do I get to the ".htaccess" file?
I am getting this message when I try to add a product.
The webpage cannot be found
HTTP 404
Most likely causes:
There might be a typing error in the address.
If you clicked on a link, it may be out of date.
What you can try:
Retype the address.
Go back to the previous page.
Go to and look for the information you want.
More information
This error (HTTP 404 Not Found) means that Internet Explorer was able to connect to the website, but the page you wanted was not found. It's possible that the webpage is temporarily unavailable. Alternatively, the website might have changed or removed the webpage.
For more information about HTTP errors, see Help.
-
Re: 403 Forbidden error when updating product
Quote:
Originally Posted by TheHYPO
Verdict came back from tech support... "This was due to a problem with the way Apache works on this server. I've corrected it..."
Yeah, when they admit it's their fault, all of a sudden they are far less specific... I'm going to see if I can get any more information, but whatever "it" was, it's fixed.
Same thing here, today. Unfortunately, DrByte's excellent suggestion no longer works so I need to wait for webhost's support to answer the ticket I opened.
But in the webhost support forum, they already admitted that they have been experimenting with some mod_security rules... this is a production server, business account... Unbelievable.
-
Re: 403 Forbidden error when updating product
Quote:
Originally Posted by DrByte
I suspect your server may have a mod_security setting active which is trying to protect against the use of any "reserved words".
Yesterday I began getting the forbidden access message while entering a new product. I suspected a word filter someplace as I've seen this before on a wiki. In posting the same new product as little information as possible was used to get the record started and saved. Then, updating the record, adding in the rest of the information one sentence at a time until the message reappeared - which it did on this sentence:
There are hundreds of selected quotes from the Cayce materials too.
All the sentences before and after the above words were accepted without error. I do not understand why any of these words would trigger or trip a filter. Anyone got any ideas?
-
Re: 403 Forbidden error when updating product
The word "SELECT" is commonly used in attempted SQL Injections. Maybe the mod_security rules are flagging that?
-
Re: 403 Forbidden error when updating product
It is very strange but I also have the 403 Forbidden error when updating product, appeared yesterday...
And Dr Byte's solution doesn't seem to work for me :cry:
-
Re: 403 Forbidden error when updating product
I was having this same problem! Sporadically on different websites when I tried to update an ezpage or product listing....it would error out. After trying several things and talking to website hosting support. I figured out that the word SELECT or SELECTION was indeed the culprit! When I deleted those words....it would update correctly when added back in, the error page.
I sent off the problem to support and hopefully it will all get fixed up now!
Many thanks to Dr. Byte....I would have NEVER thought that it was one word that was the problem!
=0)
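Why ordinary product text can trip a keyword rule, as an added example that is not part of any post in this thread. It assumes a rule of the form `select.+from`, representative of mod_security 1.x keyword filters (the hosts' actual rules are not shown on this page), and compares it with a word-boundary variant; the sentences marked as constructed are not from the thread.

```python
import re

# Assumed, representative keyword rule in the style of a mod_security 1.x
# SecFilter pattern; the hosts' real rule sets are not shown in the thread.
# Case-insensitive matching is also an assumption.
LOOSE = re.compile(r"select.+from", re.IGNORECASE)
# Candidate tuning: whole words only, so "selected"/"selection" stop matching.
STRICT = re.compile(r"\bselect\b.+\bfrom\b", re.IGNORECASE)

# Two sentences from the thread, then two constructed ones.
CAYCE = "There are hundreds of selected quotes from the Cayce materials too."
PEN = "Burl Wood Pen"
PROSE = "Please select a colour from the list."   # constructed
QUERY = "SELECT name FROM customers"              # constructed


def hit(pattern, text):
    """Return the fragment the rule would fire on, or None."""
    m = pattern.search(text)
    return m.group(0) if m else None


def first_blocked_sentence(pattern, description):
    """Offline replay of the poster's one-sentence-at-a-time test."""
    for sentence in re.split(r"(?<=[.!?])\s+", description.strip()):
        if hit(pattern, sentence):
            return sentence
    return None


def false_positives(pattern, benign_texts):
    """Benign texts a rule would still reject: the cost of keeping it."""
    return [t for t in benign_texts if hit(pattern, t)]


if __name__ == "__main__":
    # Constructed three-sentence description with the thread's sentence inside.
    description = "A guide to the readings. " + CAYCE + " Ships in two days."
    print("blocked on:", first_blocked_sentence(LOOSE, description))
    for name, rule in (("loose", LOOSE), ("strict", STRICT)):
        print(name, false_positives(rule, [CAYCE, PEN, PROSE]), hit(rule, QUERY))
```

Word boundaries clear the "selected" sentence, but ordinary prose such as the constructed `PROSE` line still matches, so a tighter pattern alone does not remove false positives on admin text.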
-
Re: 403 Forbidden error when updating product
I tried changing it. Now I am happy because I have overcome the 403 Forbidden error when updating product.