
1 Feb 15, 2007 03:02    

I tried to install the "Live Hits" plugin. It installed fine and it looks okay. I went to put in the Google Maps API code and it keeps taking me to a page that says "Forbidden" (403).

I checked the server's error log and found this:

[Wed Feb 14 16:05:51 2007] [error] [client xx.xx.xx.xx] mod_security: Access denied with code 403. Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] [rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.jeffsstuff.com"] [uri "/blogs/admin.php"]

Any idea what I might be doing wrong? (I'm assuming I did something to cause this!)

Thanks,
-Jeff
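Added example, not part of any post in this thread: a small Python check that parses the denial line above and replays its pattern against request bodies, showing that the `update.+set.+=` branch fires on an ordinary settings form. The two request bodies and their field names are constructed for illustration, and case-insensitive matching plus URL-decoding before the match are assumptions about how the filter behaves.

```python
import re
from urllib.parse import unquote_plus

# Denial line copied from the first post (client address was already masked).
LOG = ('[Wed Feb 14 16:05:51 2007] [error] [client xx.xx.xx.xx] mod_security: '
       'Access denied with code 403. Pattern match '
       '"((alter|create|drop)[[:space:]]+(column|database|procedure|table)'
       '|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"] '
       '[rev "1"] [msg "Generic SQL injection protection"] '
       '[severity "CRITICAL"] [hostname "www.jeffsstuff.com"] '
       '[uri "/blogs/admin.php"]')

# Constructed request bodies; the field names are hypothetical, not b2evolution's.
SETTINGS_POST = "ctrl=plugins&action=update_settings&plugin_ID=7&edit_set_api_key=ABC123"
LIST_POST = "ctrl=plugins&action=list"

def parse_denial(line):
    """Pull the pattern, the inspected location and the [key "value"] fields."""
    m = re.search(r'Pattern match "(.+)" at (\S+)', line)
    if m is None:
        raise ValueError("not a mod_security pattern-match denial")
    fields = dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))
    return {"pattern": m.group(1), "location": m.group(2), **fields}

def to_python_regex(posix_pattern):
    """Python's re lacks POSIX bracket classes; this rule only uses [[:space:]].
    Case-insensitive matching is an assumption about how the filter is compiled."""
    return re.compile(posix_pattern.replace("[[:space:]]", r"\s"), re.IGNORECASE)

def explain(rule, body):
    """Return the text that trips the rule, or None if the body passes.
    URL-decoding first is an assumption about the filter's normalisation."""
    m = rule.search(unquote_plus(body))
    return m.group(0) if m else None

if __name__ == "__main__":
    denial = parse_denial(LOG)
    rule = to_python_regex(denial["pattern"])
    print("rule", denial["id"], "on", denial["uri"], "inspects", denial["location"])
    for body in (SETTINGS_POST, LIST_POST):
        print(repr(body), "->", explain(rule, body))
```
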

2 Feb 15, 2007 04:22

Okay, I made a little progress (if you can call it that).

Apparently, I get a similar error any time I try to set the settings on a plug-in.

I looked in the database, and both evo_pluginsettings and evo_pluginusersettings have no rows in them. I am therefore assuming this is some sort of database permission problem.

I don't understand that, since everything else works. I would assume all the permissions are created at the same time.

3 Feb 15, 2007 16:33

You need to check with your web host or server admin. It looks like you have something like mod_security set up with some very zealous / paranoid security settings.

4 Feb 20, 2007 01:22

Wouldn't be at all surprised. Of course, I left two messages with tech support, and I've not heard anything back.

Any idea how I can research this myself? Besides, I know what they are going to say. They are going to say that they don't support this particular version of b2e (they support a very old version).

It would be much better if I knew specifically what to tell them to look for. Everything works fine except for plug-ins. I can't change the settings on any of them.

5 Feb 20, 2007 02:35

If that plugin is relying on Google to alter your MySQL tables, that's why. That's actually pretty normal, if that's the case.
As far as the backend goes, you can turn off mod_security on a per-directory basis, so you _can_ disable it for just the admin area.

1. Create a blank .htaccess, drop this into it:

SecFilterEngine Off

Upload that .htaccess to the directory you wish to disable mod_security for.

You can also do that for your entire site, by adding that to your uppermost .htaccess. I never recommend it, since the benefit outweighs the risk (for me at least), but it can be done, and it's entirely up to you.

6 Feb 20, 2007 02:37

Showing them the error from your log is your best bet. It's too bad they haven't got back with you sooner. I can give you a coupon code for Dreamhost if you're thinking about switching. I've been with them for a couple of years now and so far I've been very pleased.

7 Feb 20, 2007 03:19

Okay, I'm beginning to understand how this works but I'm a little confused still. I looked up the posting on mod_security. I was able to put an entry into a .htaccess file. This allowed the plug-in to work properly.

I want to be clear that no plug-in would allow me to change its settings. It wasn't just the Google plug-in.

My question now is, in your posting regarding mod_security, he referred to the admin directory. I don't have an admin directory. At least I can't find one. Admin.php is in the root for b2e (i.e. /blogs/admin.php). Is the admin directory hidden somewhere that I haven't found, or am I missing something?

My other option of course is to configure my plug-ins the way I want them, and then remove the .htaccess file.

Thanks,
-Jeff

8 Feb 20, 2007 03:20

The Google maps part of the plugin is optional and it doesn't affect the db at all. He said he gets the same error when trying to save any plugin settings.

9 Feb 20, 2007 03:22

Whoo was probably having flashbacks. ;) You're right, there is no admin directory. If there's a way to make it only apply to admin.php, then Whoo can tell you. She's an .htaccess expert.

10 Feb 20, 2007 03:31

I'm very confused, who is "he" that's being referred to?

And I missed where my nifty version that shows what version is being used (since it was suggested it wasn't needed in this AREA) form was filled out, or I wouldn't have had a flashback :P

If you ONLY want to turn off mod_security for one file, do this:


<Files admin.php>
SecFilterInheritance Off
</Files>

The above assumes you have removed the 1 line I described in my first post -- don't use both, use one or the other.

PS: and "do this" means add the following to your topmost .htaccess

nm on the he bit, I get it.

11 Feb 20, 2007 04:17

Great, now I'm in business.

I think it's time to add a bit of light reading on .htaccess to a list that already includes PHP. (I've not touched any sort of coding in years due to injury).

Thanks to both "he" (aka whoo) and personman for all your help.

-Jeff

12 Feb 20, 2007 06:07

female, but you're welcome :)

13 Feb 20, 2007 06:17

And now I get the joke too.

