Permissions issue

nicholashg 31 Mar, 2011
Chronoforms_J1.6_V4_RC1.7

Trying to create a database table produced this:

Forbidden
You don't have permission to access /administrator/index.php on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.



I seem to be able to write this file in other circumstances - could this be a Chronoforms-specific problem or not?

Nick
nicholashg 31 Mar, 2011
and I was having such fun … 😀
GreyHead 31 Mar, 2011
Hi nicholashg,

I don't remember seeing that reported for index.php - we have seen it for index2.php and then usually it's a mod_security rule being tripped. Not sure if that helps here?

Bob
nicholashg 01 Apr, 2011
Bob, thanks for getting back.

Unfortunately I don't know anything about mod_security rules. The error is produced on clicking the 'create_table' button, i.e. before any database is actually created. (I notice that J1.5 calls index2.php, but that just seems to include index.php.) There isn't an index2.php in the J1.6 installation.

I produced the simplest of forms and got the same error, so it doesn't seem to be anything to do with forms themselves.

I assume that I'm accessing /administrator/index.php pretty well all the time, so why the problem here?
If it works for other people, perhaps it's an extensions conflict.

Is there a chance you could look at this again?

Nick
Max_admin 01 Apr, 2011
Hi Nick,

I believe it's a mod_security issue; try adding the following 2 lines to your .htaccess:

SecFilterEngine Off
SecFilterScanPOST Off


Let us know! 🙂

Regards,
Max
Max, ChronoForms developer
ChronoMyAdmin: Database administration within Joomla, no phpMyAdmin needed.
ChronoMails simplifies Joomla email: newsletters, logging, and custom templates.
nicholashg 01 Apr, 2011
Hi Max,

Adding the code produced an Internal Server Error.
Perhaps I put it in the wrong place? I have never changed the .htaccess file before.

Nick
Max_admin 01 Apr, 2011
Hi Nick,

The .htaccess file is at your website's root (Joomla root). If it doesn't work then I suggest contacting your hosting admin and telling him about the suggested .htaccess solution; maybe they will have some better ideas.

Regards,
Max
nicholashg 01 Apr, 2011
Hi Max,

Well I raised a ticket with my host (JoomlaWired) and received this response.

We have found in the past Mod Security interferes with Chrono Forms. We have disabled it for you, but would like to advise you that without Mod Security you might be vulnerable to SQL Injection attacks and Joomla Controller attacks.


Now I'm worried - one of the reasons for using Chronoforms was that it didn't appear on the Joomla vulnerable extensions list.

Will other people experience this problem I wonder?

Nick
GreyHead 01 Apr, 2011
Hi Nick,

To be more strictly correct some of the default mod_security rules can cause problems with ChronoForms - even though what ChronoForms is doing is by itself safe. Default mod_security bolts everything down very tight. Removing it completely is an easy but rather unhelpful response (though I understand it from the host's point of view).

To be secure you should make sure that any data submitted by your form or passed in URLs is validated and sanitized to remove any potentially dangerous inputs. But that is true whether or not mod_security is enabled.

Bob
nicholashg 01 Apr, 2011
Thank you.
JoomlaWired's fix did seem a bit agricultural.
I'll take the precautions you suggest.
I really don't want to be attacked by the Joomla Controller and given an SQL injection - I was hoping for a pleasant weekend.
Nick
Max_admin 01 Apr, 2011
Hi Nick,

If they can tell us which mod_security rule was broken with that page (the create table page) then I may try to find a workaround; I believe this would be stored in the log.

Regards,
Max
nicholashg 01 Apr, 2011
Hi Max, I'll ask and get back to you.
Thanks for running with this, I really do appreciate the support.
Nick
pdefigueiredo 25 Aug, 2011
Hi.
After having a similar problem (create table gives a Forbidden error) I searched around everywhere for a solution with no luck. There is no .htaccess to edit on my shared hosting and disabling mod_security altogether seems like a bad idea anyway so I submitted a ticket to my host to disable only the rule based on my error log:

[Thu Aug 25 01:00:56 2011] [error] [client xx.xx.x.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:(\\w+)and(\\w+)char\\([0-9]+\\)|(?:execute|convert)\\(|(?:\\;delete.*;(?:insert|declare|varchar)|(?:and .* \\(select |(?:drop|create)(\\w+)table|declare .* varchar\\())|convert\\(varchar|null,(?:null,(?:null|accesslevel|user_name),|concat\\()|union select |uni ..." at ARGS:task. [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "770"] [id "340159"] [rev "23"] [msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: Generic SQL inline command protection (MM)"] [data ".php?"] [severity "CRITICAL"] [hostname "xxxxxxxxxx.pt"] [uri "/administrator/index.php"] [unique_id "H3niH38AAAEAADeysewAAAAI"]


Hope this helps you come up with a workaround.

Paulo
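Added example, not code from this thread, from ChronoForms or from any host: a small Python parser for a ModSecurity 2.x error-log entry of the form Paulo posted, which pulls out the rule id, the variable the rule fired on and the request URI (exactly what Max asks for and what a host needs to whitelist one rule rather than switch the module off), and then checks one alternative of the logged regex against the task name to show why this request trips a generic SQL-injection rule. The log line is the one quoted in this thread, embedded as a constant; the assumption that the request carried `task=create_table` is mine, taken from the button name mentioned earlier in the thread; the rule's own transformations (such as lowercasing) are not visible in the log entry and are not modelled.

```python
import re

# Constructed sample: the ModSecurity error-log entry posted in this thread,
# copied verbatim (the rule's regex is cut off at "uni ..." in the log, exactly
# as it appears there). Raw strings keep the doubled backslashes intact.
SAMPLE_LOG = (
    r'[Thu Aug 25 01:00:56 2011] [error] [client xx.xx.x.xx] ModSecurity: '
    r'Access denied with code 403 (phase 2). Pattern match '
    r'"(?:(\\w+)and(\\w+)char\\([0-9]+\\)|(?:execute|convert)\\(|'
    r'(?:\\;delete.*;(?:insert|declare|varchar)|(?:and .* \\(select |'
    r'(?:drop|create)(\\w+)table|declare .* varchar\\())|convert\\(varchar|'
    r'null,(?:null,(?:null|accesslevel|user_name),|concat\\()|union select |'
    r'uni ..." at ARGS:task. [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] '
    r'[line "770"] [id "340159"] [rev "23"] '
    r'[msg "Atomicorp.com - FREE UNSUPPORTED DELAYED FEED - WAF Rules: '
    r'Generic SQL inline command protection (MM)"] [data ".php?"] '
    r'[severity "CRITICAL"] [hostname "xxxxxxxxxx.pt"] '
    r'[uri "/administrator/index.php"] [unique_id "H3niH38AAAEAADeysewAAAAI"]'
)

# ModSecurity 2.x writes rule metadata as [key "value"] pairs ...
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# ... and the operator result as: Pattern match "<regex>" at <VARIABLE>.
MATCH_RE = re.compile(r'Pattern match "(.*?)" at (\S+)\.')


def parse_modsec_entry(line):
    """Return a dict of the entry's [key "value"] fields, plus 'pattern' (the
    rule's regex with the log's doubled backslashes undone) and 'variable'
    (the request variable the rule fired on, e.g. ARGS:task)."""
    entry = dict(FIELD_RE.findall(line))
    m = MATCH_RE.search(line)
    if m:
        entry["pattern"] = m.group(1).replace("\\\\", "\\")
        entry["variable"] = m.group(2)
    return entry


# One alternative of rule 340159's regex, taken from the logged pattern above.
# The whole pattern cannot be compiled because the log truncates it.
CREATE_TABLE_ALT = re.compile(r"(?:drop|create)(\w+)table")


def triggers_create_table_alt(value):
    """True if this one alternative would match the given parameter value.
    The rule's transformations (e.g. lowercasing) are not visible in the log
    entry and are not modelled here."""
    return CREATE_TABLE_ALT.search(value) is not None


if __name__ == "__main__":
    entry = parse_modsec_entry(SAMPLE_LOG)
    # The three facts a host needs to whitelist the rule narrowly:
    print("rule id:", entry["id"])
    print("fired on:", entry["variable"], "for", entry["uri"])
    print("message:", entry["msg"])
    # Assumed value of the Joomla task parameter behind the create-table
    # button (constructed from the button name in this thread, not taken
    # from the log). "_" counts as a \w character, so "create_table"
    # satisfies (?:drop|create)(\w+)table and the generic SQL rule fires.
    print("create_table trips the rule:", triggers_create_table_alt("create_table"))
```

With the rule id and URI in hand, the exception can be scoped instead of switching the engine off: in ModSecurity 2.x syntax, `SecRuleRemoveById 340159` inside a `<Location>` block for `/administrator/index.php` removes one rule for one path, whereas `SecFilterEngine Off` (ModSecurity 1.x syntax; 2.x uses `SecRuleEngine`) or disabling the module for the whole account removes every rule for every request.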
Max_admin 25 Aug, 2011
Hi Paulo,

Thank you!

I think there is a rule in there which blocks SQL "create" statements; I'm not sure how the component installation works then, because it has a create statement as well. :?

Can you ask your host support for any clues? Maybe check if this rule runs all the time, or if there is some way to bypass it to create tables?

Regards,
Max
ozneilau 26 Oct, 2011
I am also getting this error when using my favourite hosting company ventraip.com.au.

Not sure what to do except create the table manually.

I am trying really hard to like ChronoForms v4!

Neil.
ozneilau 26 Oct, 2011
OK,

I logged a call with ventraip.com.au and they were very quick to "whitelist" the particular rule for me and everything is working OK now.

Neil.