Access Denied when editing PHP/HTML code block
Permalink
So we've installed the PHP/HTML code block into our Concrete5 installation. I've narrowed the cause of the Access Denied (2x windows) error message to when I am using the PHP arrays ($_GET, $_SESSION, $_POST, etc).
I've looked at the setting for the PHP code block. Since there were only two, it wasn't apparent to me that those settings were the cause.
We had the same installation active on another server where these arrays worked without issue. Ever since the move, I have always gotten the access denied error messages. I resorted to editing the code directly in the DB. This led me to believe that it wasn't actually causing the code block to error out in any way. The code works fine with no issues at all when I change it in the DB.
Another step that I took was to ensure that all of the PHP settings (and version) on cPanel were the same, as well as making sure that the admin privilege on the area was set to admin, as it was on our previous installation.
Does anyone have any other ideas as to what might be causing an Access Denied error message when editing the PHP code blocks? We have the ability to change most of the common server settings if need be.
Any help would be greatly appreciated!
I've looked at the setting for the PHP code block. Since there were only two, it wasn't apparent to me that those settings were the cause.
We had the same installation active on another server where these arrays worked without issue. Ever since the move, I have always gotten the access denied error messages. I resorted to editing the code directly in the DB. This led me to believe that it wasn't actually causing the code block to error out in any way. The code works fine with no issues at all when I change it in the DB.
Another step that I took was to ensure that all of the PHP settings (and version) on cPanel were the same, as well as making sure that the admin privilege on the area was set to admin, as it was on our previous installation.
Does anyone have any other ideas as to what might be causing an Access Denied error message when editing the PHP code blocks? We have the ability to change most of the common server settings if need be.
Any help would be greatly appreciated!
It was the ModSecurity plugin in cPanel. I disabled it, and away went the errors.
One question now. Where/How can I whitelist the rules that are causing the Access Denied error to be thrown?
One question now. Where/How can I whitelist the rules that are causing the Access Denied error to be thrown?
Normally that can't be done directly in cPanel, you need to get your host to do it for you.
They should be able to look at their modsec logs and spot the error against your domain, especially if you let them know the URL that it would have posted the data to.
Interestingly this is a problem I've tried (and hopefully succeeded) to work around with a block I recently submitted to the marketplace:http://www.concrete5.org/marketplace/addons/code-display/...
In that block I base64 encode the submitted data on the browser side and un-encode it on the server side, so mod security just sees a bunch of random text.
If you're prepared to hack the block you are using, you might be able to look how I've done that and apply the same approach.
They should be able to look at their modsec logs and spot the error against your domain, especially if you let them know the URL that it would have posted the data to.
Interestingly this is a problem I've tried (and hopefully succeeded) to work around with a block I recently submitted to the marketplace:http://www.concrete5.org/marketplace/addons/code-display/...
In that block I base64 encode the submitted data on the browser side and un-encode it on the server side, so mod security just sees a bunch of random text.
If you're prepared to hack the block you are using, you might be able to look how I've done that and apply the same approach.
Awesome. I'll get in touch with the hosting provider and see if we can work something out. Thanks so much for the help!
I'd have a look to see Mod Security is installed/enabled, whether any rules are being triggered and either whitelist the rules if they are (or temporarily turn of mod security for this single task).