  1. #1
    Join Date
    Jun 2019
    Location
    Austin TX
    Posts
    45
    Plugin Contributions
    0

    403 Error only on configuration.php in Admin

    We are using Zen Cart 1.5.6b and recently switched to a new host a couple months ago. The admin has been working fine but today I tried to access the 'Images' settings in the configuration and I got an Error 403. I know this has to do with the permissions, and the permissions for this file are '644'. Is this the correct setting? I'm pretty sure every file has the same permissions as the files on the server we used before this one and it worked fine on that server. Thank you in advance to whoever can help!

  2. #2
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Re: 403 Error only on configuration.php in Admin

    Ask your hosting company to inspect false rejections caused by server-imposed security rules. Perhaps in SELinux.

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  3. #3
    Join Date
    Jun 2019
    Location
    Austin TX
    Posts
    45
    Plugin Contributions
    0

    Re: 403 Error only on configuration.php in Admin

    I have reached out to them but now I'm wondering if it is a .htaccess issue. Is there a clean .htaccess file anyone has for the admin directory that I can test with the site?

  4. #4
    Join Date
    Jun 2019
    Location
    Austin TX
    Posts
    45
    Plugin Contributions
    0

    Re: 403 Error only on configuration.php in Admin

    Code:
    #
    # @copyright Copyright 2003-2016 Zen Cart Development Team
    # @license http://www.zen-cart.com/license/2_0.txt GNU Public License V2.0
    # @version $Id: .htaccess 19328 Modified in v1.6.0 $
    #
    # This is used with Apache WebServers
    #
    # The following blocks direct HTTP requests to all filetypes in this directory recursively, except certain approved exceptions
    # It also prevents the ability of any scripts to run. No type of script, be it PHP, PERL or whatever, can normally be executed if ExecCGI is disabled.
    # Will also prevent people from seeing what is in the dir. and any sub-directories
    #
    # For this to work, you must include either 'All' or at least: 'Limit' and 'Indexes' parameters to the AllowOverride configuration in your apache/conf/httpd.conf file.
    # Additionally, if you want the added protection offered by the OPTIONS directive below, you'll need to add 'Options' to the AllowOverride list, if 'All' is not specified.
    # Example:
    #<Directory "/usr/local/apache/htdocs">
    #  AllowOverride Limit Options Indexes
    #</Directory>
    ###############################
    DirectoryIndex index.php

    <FilesMatch "^stamps\.php$">
    Allow From All
    </FilesMatch>

    # deny *everything*
    <FilesMatch ".*\..*">
      <IfModule mod_authz_core.c>
        Require all denied
      </IfModule>
      <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
      </IfModule>
    </FilesMatch>

    # allow access to the root
    <FilesMatch "^$">
      <IfModule mod_authz_core.c>
        Require all granted
      </IfModule>
      <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
      </IfModule>
    </FilesMatch>

    # but now allow just *certain* necessary files:
    <FilesMatch "(?i).*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$">
      <IfModule mod_authz_core.c>
        Require all granted
      </IfModule>
      <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
      </IfModule>
    </FilesMatch>

    IndexIgnore */*

    <limit POST PUT>
      <IfModule mod_authz_core.c>
        Require all denied
      </IfModule>
      <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
      </IfModule>
    </limit>

    ## NOTE: If you want even greater security to prevent hackers from running scripts in this folder, uncomment the following line (if your hosting company will allow you to use OPTIONS):
    # OPTIONS -Indexes -ExecCGI

    ##################
    ## Optional caching improvements
    ## Requires mod_header and mod_deflate to be enabled within Apache
    ##################
    <IfModule mod_headers.c>
      Header unset Pragma
      FileETag None
      Header unset ETag
      #Header set Cache-Control "no-transform"
      <FilesMatch "(?i).*\.(ico|jpe?g|gif|otf|webp|png|swf|flv|svg|svgz)$">
        Header set Cache-control "max-age=864000, public, must-revalidate"
        Header unset Last-Modified
      </FilesMatch>
      <FilesMatch "(?i).*\.(html|htm|xml|txt|xsl)$">
        Header set Cache-control "max-age=7200, must-revalidate"
      </FilesMatch>
    </IfModule>
    <IfModule mod_deflate.c>
      <FilesMatch "(?i)\.(js|css)$">
        SetOutputFilter DEFLATE
      </FilesMatch>
    </IfModule>

    ##################
    ## Optional improvements
    ## Requires mod_expires to be enabled within Apache
    ##################
    <ifmodule mod_expires.c>
      ExpiresActive On
      ExpiresDefault A300
      ExpiresByType application/x-javascript A3600
      ExpiresByType text/css A3600
      ExpiresByType image/gif A604800
      ExpiresByType video/x-flv A604800
      ExpiresByType application/pdf A604800
      ExpiresByType text/html A300
      ExpiresByType image/x-icon A86400
      ExpiresByType image/jpeg A2592000
      ExpiresByType image/png A2592000
      ExpiresByType text/cache-manifest "access plus 0 seconds"
    </ifmodule>

    #turn off X-PHP-Originating-Script header when sending emails from admin
    #uncomment to activate:
    # php_flag mail.add_x_header Off
    These are the current .htaccess settings for the admin directory. Is this denying php somehow? I'm not familiar with .htaccess at all.
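
An added example, not part of any post in this thread: a small Python check that replays the three access-control `FilesMatch` sections of the file posted above against file names, to answer whether these rules by themselves deny `configuration.php`. It models only the `mod_authz_core` branch and assumes the default `AuthMerging Off`; the `stamps.php` section and the `<limit POST PUT>` block are not modelled, and the sample names are constructed.

```python
import re

# FilesMatch sections of the posted .htaccess that carry a Require directive,
# in file order (mod_authz_core branch). The caching/expiry sections are left
# out because they set headers only and do not affect authorization.
SECTIONS = [
    (r".*\..*", "denied"),    # "deny *everything*"
    (r"^$", "granted"),       # "allow access to the root"
    (r"(?i).*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$",
     "granted"),              # "allow just *certain* necessary files"
]


def verdict(basename):
    """Return (decision, pattern) from the last section matching basename.

    FilesMatch tests the file's basename with an unanchored regex search, and
    under the default AuthMerging Off a later matching section's Require
    replaces an earlier one, so the last match decides.
    """
    decision, winner = "inherited", None   # no section matched: parent config decides
    for pattern, outcome in SECTIONS:
        if re.search(pattern, basename):
            decision, winner = outcome, pattern
    return decision, winner


def audit(names):
    """Map each basename to the decision this .htaccess alone would give."""
    return {name: verdict(name)[0] for name in names}


# Constructed sample names; "" stands for a request to the directory itself.
SAMPLES = ["configuration.php", "index.php", "INDEX.PHP", "",
           ".htaccess", "configuration.php.bak", "dump.sql", "README"]

if __name__ == "__main__":
    for name, decision in audit(SAMPLES).items():
        print(f"{name or '(directory)':24} {decision}")
```

When a name comes back as granted here but the server still answers 403, the rejection is being decided somewhere other than these `FilesMatch` rules.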

  5. #5
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Re: 403 Error only on configuration.php in Admin

    Quote Originally Posted by clam_man
    I have reached out to them but now I'm wondering if it is a .htaccess issue. Is there a clean .htaccess file anyone has for the admin directory that I can test with the site?
    Every download of the zen cart software has a fresh, clean, unaltered version of every file that supports operation of that version...

    Check the main page of the forum, there is a link to get older versions. Of course, the other question is how did this version get installed? Isn't there a copy of the file in your original fileset used to upload the store?
    ZC Installation/Maintenance Support <- Site
    Contribution for contributions welcome...

  6. #6
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Re: 403 Error only on configuration.php in Admin

    What about generated error log files in your logs folder? Don't you possibly have any myDEbug-adm logs? Not guaranteed for a 403, just asking...

    Nothing in the above posted copy specifically stops the configuration.php file, especially if able to access other menu options. Now there is, I think, a possibility that the database server has been upgraded and now items in the configuration table are no longer as they should be to support the expected operation and so therefore coming across this issue... just guessing though in large part.

  7. #7
    Join Date
    Jun 2019
    Location
    Austin TX
    Posts
    45
    Plugin Contributions
    0

    Re: 403 Error only on configuration.php in Admin

    It happened after changing server hosts. I asked them about it but they won't go through the htaccess file to check it. I don't have any error logs. This htaccess file is the same as the one we used before with a different server host.

  8. #8
    Join Date
    Jul 2012
    Posts
    16,732
    Plugin Contributions
    17

    Re: 403 Error only on configuration.php in Admin

    Quote Originally Posted by clam_man
    It happened after changing server hosts. I asked them about it but they won't go through the htaccess file to check it. I don't have any error logs. This htaccess file is the same as the one we used before with a different server host.
    Sounds like possibly in the transition from one host to another that this file may have gotten "lost". A 403 is a file not found response. If the file is not present, then that sort of response will be given. Also, if the file is present but attempts to redirect to somewhere else, then that might cause the issue.

    What has been the method to attempt to get to configuration.php? Has it been by use of the navigation menu on screen or have you tried to manually type in the browser address?

    There could be something wrong with a component of the database direction for that menu. After logging in then in the browser's web address window if you replace say index.php with configuration.php (again, this is not replacing or moving files, we are just talking about a web address change.), do you still get the 403?

    Considering how long it has been since access was available, what configuration(s) are you trying to change, so that some direction may be given to update those specific items if they still need to be?

  9. #9
    Join Date
    Jun 2019
    Location
    Austin TX
    Posts
    45
    Plugin Contributions
    0

    Re: 403 Error only on configuration.php in Admin

    Quote Originally Posted by mc12345678
    this file may have gotten "lost". A 403 is a file not found response. If the file is not present, then that sort of response will be given.
    It says 403 Forbidden, not not-found.

    I can see the file as present when I FTP into the admin section, that's how I was able to make sure the permissions were correct. Using configuration.php in place of index.php in the admin section still throws the 403 Forbidden error. I did manually change some settings in the configuration table in the database so I was able to get it to do what I needed but I still would like to be able to access. I really appreciate you spending the time to help me out with this!

Zen-Cart, Internet Selling Services, Klamath Falls, OR