Can't submit Template 'Forbidden, don't have permission'

brentnl
Power Poster
Posts: 493
Joined: Mon May 11, 2009 4:35 pm

Can't submit Template 'Forbidden, don't have permission'

Post by brentnl »

I've got a weird problem. I made a small change on a template which worked fine before (it was a dashboard to show Google Analytics stats on a TV screen). I only changed some Analytics IDs, but suddenly the template wouldn't save any more if I press 'submit'. I got this error:

Code:

Forbidden
You don't have permission to access this resource.

First I thought it had something to do with the code itself, so I stripped most of it until only a small snippet was left:

Code:

{strip}
{process_pagedata}
{/strip}<!DOCTYPE html>
<__html>
<head>
<title>{sitename}</title>
<meta http-equiv="refresh" content="3600" />
<meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1" />
<meta name="robots" content="noindex" />
{metadata}
{cms_stylesheet}
</head>
	
</__body>

<__body>
</__html>

When I remove <meta http-equiv="refresh" content="3600" /> the code will submit, so I thought I figured it out. But when I try to delete this row in the original template the same problem occurs.

Then I tried to submit the whole code in another CMSMS website (2.2.12), and it submitted! So it wasn't the code in my opinion, but now that I have upgraded the 'error-website', all of its modules and even the PHP version (7.2), the problem still exists.

I tried debug-mode, but can't make anything of it.

Website info

Code:

----------------------------------------------

Cms Version: 2.2.12

Installed Modules:

AceEditor2: 1.05
AdminSearch: 1.0.4
CGBetterForms: 1.9
CGExtensions: 1.64.10
CGSimpleSmarty: 2.2.1
CGSmartImage: 1.22.7
CMSContentManager: 1.1.8
CmsJobManager: 0.1.3
DesignManager: 1.1.6
FileManager: 1.6.9.1
FilePicker: 1.0.4.1
Gallery: 2.3.2
JQueryTools: 1.4.2
LISE: 1.3.1
LISEAgenda: 1.3.1
LISEShowcase: 1.3.1
MenuManager: 1.50.3
MicroTiny: 2.2.4
ModuleManager: 2.1.7
Navigator: 1.0.9
News: 2.51.6
Search: 1.51.7
SitemapMgr: 1.5.3

Config Information:

php_memory_limit:
max_upload_size: 32000000
url_rewriting: mod_rewrite
page_extension:
query_var: page
auto_alias_content: true
locale:
set_names: true
timezone: Europe/Amsterdam
permissive_smarty: true

Php Information:

phpversion: 7.2.23
md5_function: Aan (Waar)
json_function: Aan (Waar)
gd_version: 2
tempnam_function: Aan (Waar)
magic_quotes_runtime: Uit (Onwaar)
E_ALL: 0
E_STRICT: 0
E_DEPRECATED: 0
test_file_timedifference: Geen tijdsverschillen gevonden
test_db_timedifference: Geen tijdsverschillen gevonden
create_dir_and_file: 1
memory_limit: 128M
max_execution_time: 30
register_globals: Uit (Onwaar)
output_buffering: 4096
disable_functions:
open_basedir:
test_remote_url: Succes
file_uploads: Aan (Waar)
post_max_size: 32M
upload_max_filesize: 32M
session_save_path: /opt/alt/php72/var/lib/php/session (0700)
session_use_cookies: Aan (Waar)
xml_function: Aan (Waar)
xmlreader_class: Aan (Waar)
check_ini_set: Aan (Waar)
curl: Aan

Performance Information:

allow_browser_cache: Aan (Waar)
browser_cache_expiry: 60
php_opcache: Aan (Waar)
smarty_cache: Uit (Onwaar)
smarty_compilecheck: Uit (Onwaar)
auto_clear_cache_age: Aan (Waar)
Server Information:

Server Software: Apache/2
Server Api: litespeed
Server Os: Linux 3.10.0-962.3.2.lve1.5.26.5.el7.x86_64 Aan x86_64
Server Db Type: MySQL (mysqli)
Server Db Version: 5.5.62
Server Db Grants: Er is een "GRAND ALL" permissie gevonden, alles lijkt in orde.

Permission Information:

tmp: /home/user5/domains/domain.nl/public_html/tmp (0755)
tmp_cache: /home/user5/domains/domain.nl/public_html/tmp/cache (0755)
templates_c: /home/user5/domains/domain.nl/public_html/tmp/templates_c (0755)
modules: /home/user5/domains/domain.nl/public_html/modules (0755)
uploads: /home/user5/domains/domain.nl/public_html/uploads (0755)
Bestandscreatiemasker (umask): /home/user5/domains/domain.nl/public_html/tmp/cache (0755)
config_file: 0777
----------------------------------------------
DIGI3
Dev Team Member
Posts: 1627
Joined: Wed Feb 25, 2009 4:25 am
Location: Victoria, BC

Re: Can't submit Template 'Forbidden, don't have permission'

Post by DIGI3 »

This sort of thing is usually mod_security. Some hosts let you disable it via cPanel; for others you'll need to ask your host to either disable it or whitelist the rule causing this issue.

There's no reliable test to see if mod_security is active; you'll have to ask your host if you don't know.
brentnl
Power Poster
Posts: 493
Joined: Mon May 11, 2009 4:35 pm

Re: Can't submit Template 'Forbidden, don't have permission'

Post by brentnl »

I've asked my host like you said. Mod Security is indeed active on my server, but they won't shut it off and are trying to nail down the problem, but no luck so far.
brentnl
Power Poster
Posts: 493
Joined: Mon May 11, 2009 4:35 pm

Re: Can't submit Template 'Forbidden, don't have permission'

Post by brentnl »

My host replied and is stating that a leak in the CMS is the cause of my problem.

"The 'Comodo WAF' rule is being triggered at the moment of submitting the template, giving the following error code:"
[Fri Nov 08 15:05:18.729970 2019] [:error] [pid 1306674:tid 140344072292096] [client redacted:11422] [client redacted] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<meta.{0,}?http-equiv\\\\/{0,}?=\\\\/{0,}?[\\\\x22'`]{0,1}(?:c|r|s|&#?x?0{0,}?(?:67|43|99|63|82|52|114|72|83|53|115|73);?)" at ARGS_POST:m1_contents. [file "/usr/local/cwaf/rules/07_XSS_XSS.conf"] [line "130"] [id "212960"] [rev "5"] [msg "COMODO WAF: IE XSS Filters - Attack Detected.||www.domein.nl|F|2"] [data "Matched Data: <metahttp-equiv=\\x22x-ua-compatible\\x22content=\\x22ie=edge\\x22/><metaname=\\x22viewport\\x22content=\\x22width=device-width,initial-scale=1.0,maximum-scale=1\\x22/><metahttp-equiv=\\x22r found within ARGS_POST:m1_contents: {strip}{process_pagedata}{/strip}<!doctypehtml><__html><head><title>{sitename}</title><metahttp-equiv=\\x22x-ua-compatible\\x22content=\\x22ie=edge\\x22/><metaname=\\x22viewport\\x22content=\\x22width=device-width,initial-scale=1.0,maximum-scale=1\\x22/><metahttp-equiv=\\x22refresh\\x22co..."] [severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.domein.nl"] [uri "/inloggen/moduleinterface.php"] [unique_id "XcV2HmqvZg83GXszGaxkSAAAAAs"], referer: https://www.domein.nl/

But I've never had any problems so far with this host and this website, which has been running on CMS Made Simple since 2010.
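
As an added example (not part of the original thread or of CMS Made Simple): a small Python parser that pulls the rule id, rule file, matched parameter and URI out of a ModSecurity error-log line like the one quoted above, which is what a host needs in order to exempt one rule for one admin parameter rather than switch the WAF off. The sample line is the post's log entry abridged ("..." marks the cuts), and the function names are made up for this illustration.

```python
import re

# Constructed sample: the log line from the post above, abridged.
SAMPLE = (
    '[Fri Nov 08 15:05:18.729970 2019] [:error] [pid 1306674:tid 140344072292096] '
    '[client redacted:11422] [client redacted] ModSecurity: Access denied with code 403 '
    '(phase 2). Pattern match "<meta.{0,}?http-equiv..." at ARGS_POST:m1_contents. '
    '[file "/usr/local/cwaf/rules/07_XSS_XSS.conf"] [line "130"] [id "212960"] [rev "5"] '
    '[msg "COMODO WAF: IE XSS Filters - Attack Detected.||www.domein.nl|F|2"] '
    '[data "Matched Data: <metahttp-equiv=... found within ARGS_POST:m1_contents: ..."] '
    '[severity "CRITICAL"] [tag "CWAF"] [tag "XSS"] [hostname "www.domein.nl"] '
    '[uri "/inloggen/moduleinterface.php"] [unique_id "XcV2HmqvZg83GXszGaxkSAAAAAs"]'
)

# "Access denied with code 403 (phase 2)" -> HTTP status and processing phase.
DENIED = re.compile(r'ModSecurity: Access denied with code (\d{3}) \(phase (\d)\)')
# The variable the rule matched on sits between the pattern and the [file ...] field.
TARGET = re.compile(r'" at (\S+?)\. \[file "')
# [key "value"] metadata fields; the value may contain backslash-escaped characters.
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_denial(line):
    """Return the fields of a ModSecurity denial as a dict, or None for other lines."""
    denied = DENIED.search(line)
    if denied is None:
        return None
    target = TARGET.search(line)
    fields = {
        "status": denied.group(1),
        "phase": denied.group(2),
        "target": target.group(1) if target else None,
        "tags": [],
    }
    for key, value in FIELD.findall(line):
        if key == "tag":                 # "tag" repeats, so collect every occurrence
            fields["tags"].append(value)
        else:
            fields.setdefault(key, value)
    return fields


def exclusion_request(fields):
    """One-line summary of the narrowest exemption: one rule, one parameter, one URI."""
    return (f'rule {fields["id"]} ({fields["file"]}:{fields["line"]}) '
            f'on {fields["target"]} for {fields["uri"]}')


if __name__ == "__main__":
    print(exclusion_request(parse_denial(SAMPLE)))
```
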
velden
Dev Team Member
Posts: 3483
Joined: Mon Nov 28, 2011 9:29 am
Location: The Netherlands

Re: Can't submit Template 'Forbidden, don't have permission'

Post by velden »

Well, in general such a request could be considered as suspicious. But when using a CMS and submitting templates those are perfectly valid.

I'd really try to convince the host that this is a valid and expected (POST) request which should not be blocked.

That said, you could also consider using file based templates which can be edited using the hosting provider's file editor (hey: they do allow it from their editor probably!). It also allows you to use your favorite editor and use a file transfer program.
brentnl
Power Poster
Posts: 493
Joined: Mon May 11, 2009 4:35 pm

Re: Can't submit Template 'Forbidden, don't have permission'

Post by brentnl »

The host doesn't want to cooperate, so I've tried the second solution mentioned, the file-based method, and this worked!

So for now I'm set, but I'm considering moving to another host eventually.