[Resolved] 403 Forbidden Admin


Dirty Butter

The front end works just fine, but last night I suddenly got a 403 on an attempt to log in to both our site admins. All I see is 403 Forbidden. I've contacted our host, but could it be something I accidentally did yesterday? I've checked the file permissions for my admin (renamed) folders, and they're both 755. I also tried the default .htaccess files, in case I'd messed that up, but no joy. Is there anything else I can check?


I think you would get a PHP error about not being able to read a file for inclusion if it was the file permissions that got changed.

On the other hand, I have seen two instances where the CKEditor javascript files triggered a 403 response - but probably not because of file permission settings.

A 403 is by and large a web server response. Somewhere, a web server setting got changed (.htaccess rules can do this), or a server security appliance got new rules, that is triggering on something.

I have to believe your hosting provider has access to the fault log and can determine what triggered the 403.


I've contacted the host provider and they've kicked this up to a higher tech level. They will hopefully be able to use a recent backup to get me in again. Very disconcerting to say the least. I haven't changed the .htaccess recently and the file permissions all appear normal.

Thanks for your input - makes me feel like it has to be on the server end, not something I did accidentally.


I was just thinking.... rather than have someone order, and then my host restore yesterday morning's backup and lose their info, I took my store Offline via editing the config file in cpanel. I made a copy first, just in case, though.

Edited by Dirty Butter

The database data and the files/folders are separate. I cannot comprehend how any data in the database would cause PHP to malfunction in any way that would, in turn, cause the web server to issue a 403.

So, don't restore the database. There is (99.9999999999999999999999999% chance) no way the database is the cause.

And, technically, yes, you can edit the 'config' array.


I'm sure you're right, but we'll be gone today and I didn't want to spend the day fretting about orders being created and then messed up with whatever they do to fix this. I do have a recent local backup of the whole sites. Since it happened on both stores, it must be a server setting that changed last night.


A 403 error can be caused by mod_security rules being tripped, and that can change if data in the database has changed that then trips a rule, or the rules themselves have been updated, which then causes a trip that didn't happen before. If it is mod_security then it is easy to check, but I would also have expected a good host to have checked that immediately you reported the error.

Ian


Can you give an example of a mod_security rule that would get tripped which was caused by certain data queried from the database and being used by Cubecart?

I do not understand how an Apache module would be aware of what PHP is doing within PHP's own memory space.


Haven't seen it for a little while but as I said, it is often where product descriptions are written by a store owner in Word and then simply copied and pasted into CubeCart - never a good idea. However, DB's hosting company should really have been checking that, and it is trivial to see whether mod_security rules have been tripped by a specific account, which would either confirm or disprove that this is the cause in this case.

Ian


Ok, I see your general observation where POSTing previously unforeseen/unanticipated form data (hence, not sanitized by javascript prior to POSTing) from perhaps a text entry field, could trigger the mod_security firewall.

So, along these lines, we can have the admin login form be suspect: maybe the security token or a cookie value. (Certainly not the username or password???)

But still not something that is already in the database, populating a web page, and being delivered out to the client.


Ian can explain this better than I can, but this turned out to be some kind of issue with the CC Security mod and my setup. I'm not saying anything is wrong with the mod, but disabling it and moving the folder out of my modules directory finally got me back into admin on both stores.

I am SO relieved to be able to mark this thread as RESOLVED!! Thank you beyond belief to Havenswift-Hosting!!


No in-depth explanation required! A single IP address had been added using the plugin, which then excluded all other IP addresses from accessing admin - DB's IP address was not fixed and had changed, blocking her (as well as everyone else except the new user of that dynamic IP!) out from her own admin!

Ian
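
The lockout described in the post above, as an added example that is not part of the thread and is not the CC Security plugin's code: a single-address allowlist refuses the admin as soon as the ISP reassigns the address, and a preflight check can list who would be refused before enforcement is switched on. The function names, the enforcement logic and the addresses (documentation ranges) are assumptions.

```python
import ipaddress

def parse_allowlist(entries):
    """Parse trusted entries: single addresses or CIDR ranges."""
    # strict=False tolerates a host address written with a prefix length.
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def is_allowed(client_ip, nets, enforce):
    """Assumed logic of an 'only allow trusted IP addresses to login' switch."""
    if not enforce:
        return True  # list is informational only; nobody is refused
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == n.version and addr in n for n in nets)

def lockout_preflight(current_ip, nets, recent_admin_ips):
    """Admin addresses that would get 403 if enforcement were switched on now."""
    seen = {current_ip, *recent_admin_ips}
    return sorted(ip for ip in seen if not is_allowed(ip, nets, True))

if __name__ == "__main__":
    # Constructed addresses from the documentation ranges, not from the thread.
    trusted = parse_allowlist(["198.51.100.24"])       # the one address saved
    print(is_allowed("198.51.100.24", trusted, True))  # True: address unchanged
    print(is_allowed("198.51.100.77", trusted, True))  # False: ISP reassigned it
    print(lockout_preflight("198.51.100.77", trusted, ["198.51.100.24"]))
```

Running the preflight before the setting is saved, and declining to enforce when it returns the current address, avoids the self-lockout.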


I had used that same IP address the whole time we've had cable, so I really did think I had a Dedicated IP. Obviously not!

Anyway, I would suggest the wording on the CC Security Mod popup when the security settings are checked where it says to "Please add your IP address", and you do NOT have a Dedicated IP address, to please uncheck to "Only allow trusted IP addresses to login".

Just tried to add my current IP address and UNCHECK only allow trusted IP address to login. I figured I'd leave the email warning that someone other had logged in, but when I uncheck the box, if there is an IP address in my Trusted list, the box checks itself back on Save! I tried this on both stores, with same behavior.

That doesn't seem right to me - is this a bug???

I always seem to know just enough to get myself into trouble. LOL

Edited by Dirty Butter

  • 3 months later...

Hi DB, Happy holidays,

Just like you, I took the holiday time to improve my security with this plugin and found after one very frustrating week of no admin page, I made the same observations you have made. See above.

I seriously suggest that Al and his CC team provide some better help information and thoroughness to this plugin so you, me, Ian and Brian could spend our valuable time not pulling our hair out.

There are many questions to be answered. The designer of this plugin should provide these before I take my chances again.

PS there is a revision available 1.0.6 - Fixed error with creation of CubeCart_ccss_ip_addresses with database prefix

Edited by harrisorganic

It can be frustrating to have errors but that is the nature of software - the versions of core software, skin and ALL extensions should always be regularly checked and updated.  This is a manual task (for extensions) checking against the marketplace and while it would be much better to have a notification in the store (there is an open git issue requesting this enhancement) it isn't a big task to check this.  WordPress has a great system for this but even then, the vast majority of users don't update these often or at all which shows that regardless of how much help is provided, many users don't help themselves.

Glad you finally found the cause and have fixed the issue

Ian


  • 1 year later...

Hi DB et al, I think I have repeated the same issue again. I clicked on the Dedicated IP button within the CubeCart Security Suite, and when I try to enter the admin page, I get 403 Forbidden.

I went to the CubeCart database and changed the IP address in CubeCart_ccss_ip_addresses with my dedicated IP address, which was different to what was there. However, I was not able to solve the "403 Forbidden".

Any suggestions please.

Duncan.


403 errors are most often caused by tripping a mod_security rule (assuming you have that installed and enabled on your hosting server). Ask your hosting company to check for rules being tripped by your IP address around the approximate times you have been getting the 403 errors. Mod_security can give false positives and these can be whitelisted, but this can also be due to older or poorly written software being run.

Ian
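
The check suggested in the post above (which denials the web server logged for one client IP), as an added example that is not part of the thread: it separates ModSecurity rule trips from Apache access-control denials in an Apache 2.4 error log. The log lines, rule id, paths and addresses are constructed, and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed Apache 2.4 error_log lines (not taken from the thread).
SAMPLE_LOG = "\n".join([
    '[Mon Jan 05 21:14:02.101 2015] [:error] [pid 4021] [client 203.0.113.9:50112] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at '
    'ARGS:description. [id "900100"] [msg "constructed rule"] [uri "/admin_x.php"]',
    '[Mon Jan 05 21:15:40.220 2015] [authz_core:error] [pid 4022] '
    '[client 203.0.113.9:50120] AH01630: client denied by server configuration: '
    '/home/shop/public_html/admin_x/',
    '[Mon Jan 05 21:16:11.007 2015] [:error] [pid 4023] [client 198.51.100.5:40000] '
    'ModSecurity: Access denied with code 403 (phase 2). [id "900100"]',
])

def client_ip(line):
    """Extract the address from '[client ip:port]' (Apache 2.4 form assumed)."""
    m = re.search(r"\[client ([^\]]+)\]", line)
    if not m:
        return None
    host, _, port = m.group(1).rpartition(":")
    return host if host and port.isdigit() else m.group(1)

def classify_403(line):
    """Return (source, rule_id) for a logged denial, or None for other lines."""
    if "ModSecurity:" in line and "code 403" in line:
        m = re.search(r'\[id "(\d+)"\]', line)
        return ("modsecurity", m.group(1) if m else None)
    if "client denied by server configuration" in line:
        return ("server_config", None)  # Require/Allow/Deny in vhost or .htaccess
    return None

def triage(log_text, ip):
    """Count logged denials for one client, keyed by (source, rule_id)."""
    hits = Counter()
    for line in log_text.splitlines():
        if client_ip(line) == ip:
            verdict = classify_403(line)
            if verdict:
                hits[verdict] += 1
    # An empty result means the web server logged no denial for this client,
    # so an application-level check (such as an IP allowlist) is the next suspect.
    return dict(hits)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "203.0.113.9"))
```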
