Vanilla 1 is no longer supported or maintained. If you need a copy, you can get it here.

Access denied 500 error on settings.php

I recently installed Vanilla for a college project and encountered a strange error. Every time I tried to edit the roles and permissions of the administrator role I got a 500 error (access denied) for the file settings.php. It's the settings.php file in the root folder, not the conf/settings.php file. After scanning through the Apache error logs I found out that this is caused by a security filter (300015) of mod_security. You can read more about a similar error in e107 here: http://wiki.e107.org/?title=Security:mod_security

The solution in my case was making a .htaccess file and putting it in the main folder of Vanilla. The file should contain the following code:

SecFilterRemove 300015

Be warned though that this disables the 300015 security filter for all the files in that folder, so in case you only want it disabled for settings.php you might want to use this:

<Location "path/to/settings.php">
SecFilterRemove 300015
</Location>

Hope this helps other people who encountered similar problems :)

Comments

  • JDW New
    edited April 2007
    My problem parallels yours, except I do not get a 500 error. In my case, I get a 403 Forbidden error. And the rest of the error states:

    "You don't have permission to access /forum/settings.php on this server."

    More specifically, I cannot edit and save any Administrator features in Settings/Roles & Permissions because of the silly 403 error.

    But the 403 error about permissions makes no sense because I followed the 3 step process to install Vanilla properly, applying all the correct permissions that the instructions specified. Specifically, "settings.php" has "755" permissions. Since "755" appears to be the correct permission settings according to the 3 step Vanilla installation process, I would assume the trouble lies elsewhere. I believe this to be true because even when I changed the permissions for "settings.php" to "777" I still got a 403 error upon trying to save my changes to the Administrator Role.

    However, upon examining my own Apache error log, I see the following:

    [Wed Apr 4 18:13:53 2007] [error] [client 219.xxx.xxx.xxx] mod_security: Access denied with code 403. Pattern match "((alter|create|drop)[[:space:]]+(column|database|procedure|table)|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD [id "300015"][rev "1"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "xxx.com"] [uri "/forum/settings.php"]

    The "mod_security" part indicates that our problem is one and the same. Since I didn't want to disable security for all files in my Vanilla "/forum" directory, I decided to go with the following code in my .htaccess file:

    <Location "path/to/settings.php">
    SecFilterRemove 300015
    </Location>

    But I get an "Internal Server Error" upon trying to load my forum. And here is the apache error log generated after the Internal Server Error:

    [Thu Apr 5 01:59:43 2007] [alert] [client 219.xxx.xxx.xxx] /home/xxx/xxx.com/forum/.htaccess: <Location not allowed here

    Removing the first and third "location" lines works. So it must be the path. But I tried every variation of the path I can think of (with and without the quotes around the path), but I still get the Internal Server Error. I tried the full path "http://www.xxx.com/forum/settings.php" and I tried "/forum/settings.php" and I tried just "settings.php" -- but I get the Internal Server Error each time. I even tried using "LocationMatch" instead of "Location" but that didn't fix the problem. It's only when my .htaccess file contains only "SecFilterRemove 300015" that it works -- and I no longer get the 403 errors when trying to save my Admin prefs either.

    Does anyone know what is causing the Internal Server Error and how to fix the code in .htaccess so I can restrict the security filter removal to only settings.php?

    Many thanks!
  • You can't use location in a .htaccess file.
    Use file instead.
  • JDW New
    edited April 2007
    Dinoboff,

    Many thanks for the link to "file" info for Apache.

    Here is what I changed my .htaccess file content to:

    <Files settings.php>
    SecFilterRemove 300015
    </Files>

    It works perfectly.

    I also confirmed that this code works too:

    <Files settings.php>
    SecFilterEngine Off
    </Files>

    For those of you who are doing this .htaccess hack in my footsteps, please note that you do NOT need a slash before settings.php. I had the slash in there and couldn't figure out what the problem was until a programmer friend told me. So avoid the slash and keep your .htaccess file in the same root directory as your Vanilla files and it will work.
  • Thanks for this hack - I had exactly the same 403 error and this fixed it - I just created a .htaccess file and pasted in the above code and uploaded it to the root forum folder. Any idea what's causing this problem and does it affect anything else?
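
On the question of what triggers the filter, the following is an added example, not code from any poster in this thread or from Vanilla: it parses the mod_security log entry quoted above, rebuilds rule 300015's pattern, and shows how an ordinary form body can match its `update.+set.+=` branch. The form field names are constructed for illustration, and case-insensitive matching is an assumption about how the filter is applied.

```python
import re

# Log entry quoted in the thread above (addresses were already redacted there).
LOG_LINE = (
    '[Wed Apr 4 18:13:53 2007] [error] [client 219.xxx.xxx.xxx] mod_security: '
    'Access denied with code 403. Pattern match '
    '"((alter|create|drop)[[:space:]]+(column|database|procedure|table)'
    '|delete[[:space:]]+from|update.+set.+=)" at POST_PAYLOAD '
    '[id "300015"][rev "1"] [msg "Generic SQL injection protection"] '
    '[severity "CRITICAL"] [hostname "xxx.com"] [uri "/forum/settings.php"]'
)

# Constructed form bodies; the field names are illustrative only.
ROLE_FORM = ("RoleName=Administrator&PERMISSION_CHECK_FOR_UPDATES=1"
             "&PERMISSION_CHANGE_APPLICATION_SETTINGS=1")
OTHER_FORM = "Name=General&Description=Talk+about+anything"


def parse_denial(line):
    """Return the rule pattern, inspected location and bracketed fields."""
    m = re.search(r'Pattern match "(?P<pattern>.+)" at (?P<where>\S+)', line)
    if m is None:
        return None
    info = {"pattern": m.group("pattern"), "where": m.group("where")}
    info.update(re.findall(r'\[(\w+) "([^"]*)"\]', line))
    return info


def compile_rule(posix_pattern):
    """Translate the logged POSIX regex into a Python one."""
    # [[:space:]] is the only POSIX class this rule uses.
    # Assumption: the filter matches case-insensitively.
    return re.compile(posix_pattern.replace("[[:space:]]", r"\s"), re.IGNORECASE)


def offending_spans(rule, body):
    """Return every substring of a request body that the rule matches."""
    return [m.group(0) for m in rule.finditer(body)]


if __name__ == "__main__":
    denial = parse_denial(LOG_LINE)
    rule = compile_rule(denial["pattern"])
    print(denial["id"], denial["where"], denial["uri"])
    for name, body in (("role form", ROLE_FORM), ("other form", OTHER_FORM)):
        print(name, "->", offending_spans(rule, body) or "no match")
```

Running the same check over the real request body for a blocked URI confirms whether a denial is a false positive before the rule is relaxed for that one file with `<Files>`.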