406 Not Acceptable


Fred04

Member
Hello,
I got the "An appropriate representation of the requested resource /administrator/index.php could not be found on this server" error message when I try to save a list for instance. After this error the only way to go back to my admin joomla site is to close my browser and reopen it otherwise I continue to see the same error message.

Reading through the forum I read this may be a mod_security issue so I already asked my hosting provider to disable it. They did it but I continue to have the same issue.

Is there anything else I should be aware?

My configuration is:
Joomla 1.7
Apache version 2.2.17
PHP version 5.2.16
MySQL version 5.0.92-community
 
No, apparently it's a mod_security thing. I'd double check that it is actually off by looking at
site -> system information -> PHP information

I'd also see if your hosts can tell you what exactly caused the error. It would be safer for us to fix that rather than advising people to turn off mod_security.

-Rob
 
Thank you Rob,
I contacted my provider and they suggested the following:
Please try to add these lines to your .htaccess file:
SecFilterEngine Off
SecFilterScanPOST Off

After doing that it still did not work. However I discovered a few new things:
1) the problem is only when I try to create a new 'list'. No problem with forms, group..
2) the problem is not when you try to save but when you load the page after clicking on '+new'. If you click on cancel just after, I have the same issue.
3) when I connect using Safari, the browser does not load the icon of the different buttons. That may be a clue. When trying to create a new group, form... I see all the icons and do not have the problem.
Hope this may help
 
from your point 3 it sounds like you are using the 3.0a2 release? Try updating from github, we are making daily changes at the moment and that is one of the things that have been fixed.

For the mod_security thing, it should log the issues somewhere, I'd really need to see the logged issues to be able to find a solution

-Rob
 
Hello Rob,
point #3 is fixed. I installed and uninstalled Fabrik several times in an effort to fix my problem and got confused. You're right, I was not using the latest version when I did my first post. I apologize for that.
I updated today with the latest version from github.

I still have the issue with new 'list'.
Here is the error message I can see in my log:

[Tue Sep 20 10:27:28 2011] [error] [client 62.160.76.25] File does not exist: /home/busin123/public_html/406.shtml, referer: http://mysite.com/administrator/index.php?option=com_fabrik&view=list&layout=edit

focus on the end of the statement:
index.php?option=com_fabrik&view=list&layout=edit

This error message is repeated several times.
I can see the file index.php in the directory
Hope this will help.
 
Hi

You should have a specific log for mod_security, or should be able to set up mod_security to enable logging.

The general error message is just a 404 stating that the server can't find the page 406.shtml. I'm guessing that mod_security is trying to redirect to that page after it has failed one of its security tests.

To fix anything I need to know what test it was that failed in mod_security. Hence why I'm asking for that log and not the general error log

thx
Rob
 
Having had much the same problem but only on one server and not others, I have finally got the server admins to track the problem. I don't know if this will help you Rob or not.

[Thu Dec 22 11:00:55 2011] [error] [client 216.246.6.167] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\'\\"](\\\\w+)[\\\'\\"] ?= ?[\\\'\\"]\\\\2\\\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "101"] [id "959901"] [msg "SQL Injection Attack"] [data "0=0"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "travelling-planet.com"] [uri "/administrator/index.php"] [unique_id "TvMN51mRWDIAAG38abIAAAAM"]

Regards,
 
hi thanks for that.
Is there any more information, we'd need to know the request data sent that triggered the issue.
 
Hi Rob, in my case it was as soon as I tried to create a list: a cookie for jpanelsliders_list-sliders- was created and this caused the mod_security problem. When I tried to create a list there was no option to link to table, it was truncated and empty. If I changed the default J admin template from Blue Stork to Hathor then the option to link to table worked, but as soon as I tried to save, mod_security kicked in. I can't tell you any more now as the server admins have fixed the issue with mod_security and now it all works.
 
I have just installed fabrikar on a different site on the same server and the problem exists on this site. I can pm you access to this site if it helps?
 
AFAICT that's looking for something like 2="foo"=

It would REALLY help if we could somehow get a dump of the query string and post vars when that error happens. Can you ask your provider if that is possible? Explain that the developers of the software are trying to help, but as we can't replicate the problem, we need some kind of clue.

BTW, if you've put ...

SecFilterEngine Off
SecFilterScanPOST Off

... in your htaccess and are still getting mod_security errors, sounds like your htaccess isn't getting used, or you don't have permissions to modify those variables, as that should disable mod_security pretty much entirely.

-- hugh
 
We crossed in the post!

Your info about the jpanelslider cookie and the templates is a good clue, and gives me something to work on. I'm going to install mod_security on my local Apache test server, and see if I can replicate any of these issues.

-- hugh
 
Hi Cheesegrits, putting:

SecFilterEngine Off
SecFilterScanPOST Off

in my htaccess caused a 500 error.
I will contact the server admins and ask what they can do, probably need to be after the xmas hols. I will keep you informed.
 
Strange. That wouldn't be triggering the rule that you quoted earlier, must be hitting another one. And I don't see anything "suspect" about our query string on that AJAX call, except maybe the "." in task=plugin.pluginAjax, but that would have to be an ultra paranoid (and poorly written) rule to object to a period that isn't part of an attempt to access the file system with ../foo in a query string arg.

Can you find out from your host what rule is being broken this time?

-- hugh
 
Hi Hugh, this is what I got back from the server admins, not sure if it is much help to you.
Hello G W Styles.

Below is the error message for the gadsolutions.co.uk site and it looks pretty much the same as the one for the other domain.

[Sat Dec 24 07:01:55 2011] [error] [client 86.141.172.161] ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\'\\"](\\\\w+)[\\\'\\"] ?= ?[\\\'\\"]\\\\2\\\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "101"] [id "959901"] [msg "SQL Injection Attack"] [data "0=0"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "www.gadsolutions.co.uk"] [uri "/administrator"] [unique_id "TvV441mRWDIAAEKX1OUAAAAA"]

The last two http requests for the administrator page, before the modsec error message, are:

86.141.172.161 - - [24/Dec/2011:07:01:46 +0000] "GET /administrator/index.php?option=com_fabrik&format=raw&task=plugin.pluginAjax&g=element&plugin=field&method=ajax_tables&cid=1 HTTP/1.1" 404 - "http://www.gadsolutions.co.uk/administrator/index.php?option=com_fabrik&view=list&layout=edit" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0"
86.141.172.161 - - [24/Dec/2011:07:01:55 +0000] "GET /administrator HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0"

If you cannot find the cause of this issue, we could disable this mod security rule for the gadsolutions.co.uk domain but the best solution would be to find which part of the script is causing it.
 
I just can't see anything in those two actions which would trigger a mod_security problem. They are both GET requests, not POST, so there are no hidden form variables or POST data, what you see on that query string is what mod_security is seeing. And I simply can't see anything in that URL which would trigger an SQL injection tripwire in mod_security. And certainly nothing that would trigger that rule quoted in the security log.

-- hugh
 
I am getting the same thing at gsales.strafstar.com. Here is the error from the log that I got back from our admin:

ModSecurity: Access denied with code 406 (phase 2). Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\'\\"](\\\\w+)[\\\'\\"] ?= ?[\\\'\\"]\\\\2\\\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "102"] [id "959901"] [msg "SQL Injection Attack"] [data "0=0"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "gsales.strafstar.com"] [uri "/"] [unique_id "Ty8L0UYn@YgAAFTXBDEAAAiV"]
 
As with any modsecurity problem, really the only fix is for your admin to work out what URL is triggering it, and whitelist it.

The modsec2 rules on any given site are outside our scope. Obviously we're not performing SQL injection attacks, but the Fabrik back end is a very complex beast, and a generic and aggressive modsecurity ruleset may well have a hissy fit. But that's why modsec2 has whitelists.

-- hugh
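The rule quoted in the log entries above (id 959901) inspects the whole Cookie header for tautologies such as 0=0, which is why an innocuous numeric cookie can trip it. As an added illustration, not code from this thread or from Fabrik, the Python below reproduces that pattern over constructed Cookie headers and reports which cookie matched; the panel-slider cookie name and all values are constructed (the real cookie name in the thread is truncated), and the regex is the one from the log with its escaping undone.

```python
import re

# Pattern from ModSecurity rule id 959901 as quoted in the thread's log lines,
# with the log's backslash escaping undone. Alternative 1 catches "N=N"
# (e.g. 0=0); alternative 2 catches 'word'='word' style tautologies.
RULE_959901 = re.compile(r"\b(\d+) ?= ?\1\b|['\"](\w+)['\"] ?= ?['\"]\2\b")


def parse_cookie_header(header):
    """Split a raw Cookie header into (name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            pairs.append((name.strip(), value.strip()))
    return pairs


def rule_959901_hits(cookie_header):
    """Return (cookie name, matched text) for each cookie whose name=value
    text matches the rule, so an admin can see which cookie tripped it
    instead of only the rule's [data "0=0"] field."""
    hits = []
    for name, value in parse_cookie_header(cookie_header):
        m = RULE_959901.search(f"{name}={value}")
        if m:
            hits.append((name, m.group(0)))
    return hits


# Constructed sample headers (not captured from any site in the thread).
# The slider cookie is assumed to carry a numeric index in its name and a
# numeric value, which is what would produce the "0=0" seen in the log.
BENIGN_HEADER = "PHPSESSID=9f3a0c1d2e; joomla_user_state=logged_in"
SLIDER_HEADER = "PHPSESSID=9f3a0c1d2e; jpanelsliders_list-sliders-0=0"
TAUTOLOGY_HEADER = 'PHPSESSID=9f3a0c1d2e; q="foo"="foo"'

if __name__ == "__main__":
    for label, hdr in [("benign", BENIGN_HEADER), ("slider", SLIDER_HEADER),
                       ("tautology", TAUTOLOGY_HEADER)]:
        print(label, rule_959901_hits(hdr))
```

Once the offending cookie is identified, the narrower whitelist hugh refers to is a per-path exception such as `SecRuleRemoveById 959901` inside a `<LocationMatch "/administrator">` block, rather than disabling ModSecurity for the whole site.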
 