Since our server was updated with latest security modules the current login page will always fail - gives a 406 error
The problem as been identified as "The application is infringing on mod-security rules."
From the infomation in the mod_sec logs it appears the [color=#FF0000]script contains Urls with the word "passwd" in them. Mod-security looks upon this as an attempted hack.[/color]
This will result in our IP address being sent to the server's firewall effectively locking us out from the server - all together - ie ALL our accounts' FTP, email and web browsing until the data centre techs clear this.
It appears that the word "passwd" must be replaced by another for this application to work under the new PHP / Apache rules.
PS - see my own update of this post
CMSimpleforum.com
Welcome To The CMSimple - Community!
login page fails on 'passwd' - 406
5 posts • Page 1 of 1
login page fails on 'passwd' - 406
by AVIP on Tue Sep 29, 2009 2:54 am
Last edited by AVIP on Tue Sep 29, 2009 5:30 am, edited 1 time in total.
Hans Stammelwebmaster 'down-under' since 1994
- AVIP
- Posts: 2
- Joined: Tue Sep 29, 2009 2:42 am
- Location: San Remo, Western Australia
Re: login page fails on 'passwd' - 406
by AVIP on Tue Sep 29, 2009 5:29 am
OK - I have fixed the problem with a work around
I have modified the login.php page by doing a "search & replace" edit
I have replace all 'passwd' with the word 'keycut'.
This has now made the mod_security on the server system happy.
I strongly recommend that the current version that is available for download is changed with this fix or similar as it will eventually effect others too when their hosting companies (or the data centre techs) upgrade their systems to later (more secure) versions of PHP & Apache etc.
Our servers now run php 5.2.10 & Apache version 2.2.13
This did also effect a couple of our other installs - a php shopping cart system and an older installation of Joomla 1.5.x
All of the other security problems were fixed by uploading the 3rd party updates.
I hope the above information will help the developers of this great little application.
I have modified the login.php page by doing a "search & replace" edit
I have replace all 'passwd' with the word 'keycut'.
This has now made the mod_security on the server system happy.
I strongly recommend that the current version that is available for download is changed with this fix or similar as it will eventually effect others too when their hosting companies (or the data centre techs) upgrade their systems to later (more secure) versions of PHP & Apache etc.
Our servers now run php 5.2.10 & Apache version 2.2.13
This did also effect a couple of our other installs - a php shopping cart system and an older installation of Joomla 1.5.x
All of the other security problems were fixed by uploading the 3rd party updates.
I hope the above information will help the developers of this great little application.
Hans Stammelwebmaster 'down-under' since 1994
- AVIP
- Posts: 2
- Joined: Tue Sep 29, 2009 2:42 am
- Location: San Remo, Western Australia
Re: login page fails on 'passwd' - 406
by beate_r on Sun Nov 29, 2009 8:50 pm
Thanks for the information.
Beate
Beate
- beate_r
- Posts: 93
- Joined: Thu May 22, 2008 11:44 pm
- Location: Hessen / Germany
Re: login page fails on 'passwd' - 406
by sagittaep on Mon Jan 25, 2010 9:17 pm
Oh I had hoped so this would help me as I get that error message, but I changed the login.php passwd to keycut... are there other restricted words that should change? I saw things like password etc???
I am at a loss at this new host, never had the problem with my old host, I am desperate....
I am at a loss at this new host, never had the problem with my old host, I am desperate....
- sagittaep
- Posts: 7
- Joined: Mon Jan 25, 2010 6:56 pm
Re: login page fails on 'passwd' - 406
by sagittaep on Mon Feb 01, 2010 5:11 am
See also my story and adventure under 403 error!
ALL of the occurences of passwd have to be changed, following the protocol here I changed them all to keycut, in login.php and also in cms.php
even $onload = ' onLoad="self.focus();document.login.keycut.focus()"'; .. where keycut was passwd
Hope this helps!
please change this on those new servers. It has cost me a lot of frustration.
Thanks so much for finding this out AVIP!!!
ALL of the occurences of passwd have to be changed, following the protocol here I changed them all to keycut, in login.php and also in cms.php
even $onload = ' onLoad="self.focus();document.login.keycut.focus()"'; .. where keycut was passwd
Hope this helps!
please change this on those new servers. It has cost me a lot of frustration.
Thanks so much for finding this out AVIP!!!
- sagittaep
- Posts: 7
- Joined: Mon Jan 25, 2010 6:56 pm
5 posts • Page 1 of 1
Who is online
Users browsing this forum: No registered users and 1 guest