Access Denied when editing PHP/HTML code block

So we've installed the PHP/HTML code block into our Concrete5 installation. I've narrowed the cause of the Access Denied (2x windows) error message to when I am using the PHP arrays ($_GET, $_SESSION, $_POST, etc).
I've looked at the settings for the PHP code block. Since there were only two, it wasn't apparent to me that those settings were the cause.
We had the same installation active on another server where these arrays worked without issue. Ever since the move, I have always gotten the access denied error messages. I resorted to editing the code directly in the DB. This led me to believe that it wasn't actually causing the code block to error out in any way. The code works fine with no issues at all when I change it in the DB.
Another step that I took was to ensure that all of the PHP settings (and version) on cPanel were the same, as well as making sure that the admin privilege on the area was set to admin, as it was on our previous installation.

Does anyone have any other ideas as to what might be causing an Access Denied error message when editing the PHP code blocks? We have the ability to change most of the common server settings if need be.

Any help would be greatly appreciated!

View Replies:
mesuva replied:
The main reason I see either access denied or not found errors when making edits to do with inputting code is because Mod Security has kicked in and denied the request, assuming it is malicious. Occasionally Mod Security will pick up some keywords from a normal content block, but it will get much more protective if what you are posting actually _is_ code.

I'd have a look to see whether Mod Security is installed/enabled, whether any rules are being triggered and either whitelist the rules if they are (or temporarily turn off Mod Security for this single task).
zachyarid replied:
It was the ModSecurity plugin in cPanel. I disabled it, and away went the errors.

One question now. Where/How can I whitelist the rules that are causing the Access Denied error to be thrown?
mesuva replied:
Normally that can't be done directly in cPanel; you need to get your host to do it for you.

They should be able to look at their modsec logs and spot the error against your domain, especially if you let them know the URL that it would have posted the data to.

Interestingly, this is a problem I've tried (and hopefully succeeded) to work around with a block I recently submitted to the marketplace: http://www.concrete5.org/marketplace/addons/code-display/...

In that block I base64 encode the submitted data on the browser side and un-encode it on the server side, so mod security just sees a bunch of random text.
If you're prepared to hack the block you are using, you might be able to look at how I've done that and apply the same approach.
zachyarid replied:
Awesome. I'll get in touch with the hosting provider and see if we can work something out. Thanks so much for the help!
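
Added example, not part of the thread: a sketch of the host-side log check mesuva describes, pulling the rule ids that denied requests for one hostname and path out of an Apache error log and emitting a path-scoped `SecRuleRemoveById` exclusion instead of disabling ModSecurity for the whole site. It assumes ModSecurity 2.x on Apache; the log lines, rule ids, hostname and URI are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the Apache error-log layout ModSecurity 2.x uses.
# Rule ids, hostnames and URIs are placeholders, not values from this thread.
SAMPLE_LOG = "\n".join([
    '[error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "..." at ARGS:content. [id "1000001"] [msg "constructed: PHP in body"] '
    '[hostname "www.example.com"] [uri "/index.php/tools/edit_block"]',
    '[error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "..." at ARGS:content. [id "1000001"] [msg "constructed: PHP in body"] '
    '[hostname "www.example.com"] [uri "/index.php/tools/edit_block"]',
    '[error] [client 198.51.100.7] ModSecurity: Warning. Pattern match "..." at ARGS:q. '
    '[id "1000002"] [msg "constructed: detection only"] '
    '[hostname "www.example.com"] [uri "/index.php/tools/edit_block"]',
    '[error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). '
    'Pattern match "..." at ARGS:id. [id "1000003"] [msg "constructed: other site"] '
    '[hostname "other.example.net"] [uri "/login"]',
])

# Matches the bracketed key/value metadata, e.g. [id "1000001"]
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def denied_rules(log_text, hostname, uri_prefix):
    """Count rule ids that blocked requests to hostname under uri_prefix."""
    hits = Counter()
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # skip detection-only warnings and unrelated log lines
        fields = dict(FIELD.findall(line))
        if ("id" in fields and fields.get("hostname") == hostname
                and fields.get("uri", "").startswith(uri_prefix)):
            hits[fields["id"]] += 1
    return hits

def exclusion_for(uri_prefix, rule_ids):
    """Build a path-scoped exclusion so the rules stay active everywhere else."""
    ids = " ".join(sorted(rule_ids))
    return (f'<LocationMatch "^{re.escape(uri_prefix)}">\n'
            f'    SecRuleRemoveById {ids}\n'
            f'</LocationMatch>')

if __name__ == "__main__":
    hits = denied_rules(SAMPLE_LOG, "www.example.com", "/index.php/tools/")
    print(hits)
    print(exclusion_for("/index.php/tools/", hits))
```

Scoping the exclusion to the editing URL and to the specific rule ids keeps the rest of the rule set enforcing on every other path.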