
#1 2019-10-27 01:57:29

todd
Member
2014-11-27
45

Can't turn on 'Allow Rating'

Hello/Hi/Greetings,

I am not able to turn on "Allow Rating" under Administration > Configurations > Options > General > Permissions. I get 403 Forbidden - Access to this resource on the server is denied!

My Piwigo install runs on LiteSpeed Web Server. I went to the Admin.php permission properties via FTP and see that it's at 755.

Any suggestions?

Thanks,
Todd


    Piwigo 2.10.1
    Operating system: Linux
    PHP: 5.6.40 [2019-10-26 18:51:39]
    MySQL: 5.5.5-10.0.38-MariaDB-cll-lve [2019-10-26 18:51:39]
    Graphics Library: External ImageMagick 6.7.2-7


 

#2 2019-10-31 18:32:51

wayne_bu
Member
2019-01-28
4

Re: Can't turn on 'Allow Rating'

Hello Todd

I have the same problem and it's been a problem with my current host, even when I've tried to install earlier versions of Piwigo. That said, it hasn't been an issue with other hosting in the past.  I've just contacted my hosting provider with the following:
________________________________
Hello WHC
I have installed Piwigo 2.10.1 at subdomain gallery.saltfish.ca
When I go to the Admin panel of Piwigo and select >Configuration >Options and select most of the settings (such as Default Photos Order or Permissions >Allow User Ratings) I get the following error page when I apply Save Settings:

403
Forbidden
Access to this resource on the server is denied!

Can you suggest any permissions setting that I need to change? Thanks in advance,
Wayne
__________________________________

The folks at WHC have always been extremely helpful, resolving all issues promptly. I'll post an answer here as soon as I hear back! Stay tuned...

Last edited by wayne_bu (2019-11-01 15:36:48)


 

#3 2019-10-31 18:45:57

todd
Member
2014-11-27
45

Re: Can't turn on 'Allow Rating'

Good idea. My host has always been good about this kind of thing too. Will try it. Thanks.


 

#4 2019-10-31 22:03:16

todd
Member
2014-11-27
45

Re: Can't turn on 'Allow Rating'

They had me do a temporary .htaccess mod to disable mod_security and that worked. ;)


 

#5 2019-11-01 15:44:36

wayne_bu
Member
2019-01-28
4

Re: Can't turn on 'Allow Rating'

Thanks, Todd. I heard back but I gave them the wrong subdomain for the site and had to resubmit my request. I flagged the issue as low priority so may not hear back immediately. Meanwhile, yes, it probably is a .htaccess issue; I've read up on it somewhat but am not skilled enough to understand or action same. I'll post when I hear something just in case others happen to drop in on the conversation and this thread is of assistance. Thanks for the reply and best regards,
Wayne


 

#6 2019-11-02 17:37:17

todd
Member
2014-11-27
45

Re: Can't turn on 'Allow Rating'

If you want to try this, you can put this in your .htaccess in your public_html directory, make changes, then remove it.

    <IfModule mod_security.c>
    SecFilterEngine Off
    SecFilterScanPOST Off
    </IfModule>

Offline
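
Added example, not part of the thread or of Piwigo: the fix above switches the whole engine off, so this sketch shows how a server admin could instead find which rule produced the 403 and exclude only that rule for one path. It assumes ModSecurity 2.x style Apache error-log lines and the 2.x directive `SecRuleRemoveById`; the log lines, rule ids, paths and hostname are constructed, since the thread never says which rule fired.

```python
import re
from collections import Counter

# Constructed sample: ModSecurity 2.x style Apache error-log lines.
# Rule ids, paths, hostname and client addresses are invented for illustration.
SAMPLE_LOG = """\
[Sat Oct 26 18:51:39 2019] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "order by" at ARGS:order_by. [file "/etc/modsec/example.conf"] [line "57"] [id "1000001"] [msg "Constructed SQL keyword rule"] [hostname "gallery.example.test"] [uri "/admin.php"] [unique_id "AAAA0001"]
[Sat Oct 26 18:52:02 2019] [:error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "order by" at ARGS:order_by. [file "/etc/modsec/example.conf"] [line "57"] [id "1000001"] [msg "Constructed SQL keyword rule"] [hostname "gallery.example.test"] [uri "/admin.php"] [unique_id "AAAA0002"]
[Sat Oct 26 18:53:10 2019] [:error] [client 198.51.100.9] ModSecurity: Warning. Matched phrase "nikto" at REQUEST_HEADERS:User-Agent. [file "/etc/modsec/example.conf"] [line "12"] [id "1000002"] [msg "Constructed scanner rule"] [hostname "gallery.example.test"] [uri "/index.php"] [unique_id "AAAA0003"]
[Sat Oct 26 18:54:44 2019] [core:notice] AH00094: Command line: '/usr/sbin/httpd'
"""

# Matches the bracketed key/value metadata, e.g. [id "1000001"] or [uri "/admin.php"].
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')

def denials(log_text):
    """Return one dict of bracketed fields per request ModSecurity blocked."""
    hits = []
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue  # skip warnings (logged, not blocked) and unrelated lines
        hits.append(dict(FIELD.findall(line)))
    return hits

def blocked_rules(log_text):
    """Count blocks per (uri, rule id) so a repeating false positive stands out."""
    return Counter((h.get("uri", "?"), h.get("id", "?")) for h in denials(log_text))

def scoped_exclusion(uri, rule_ids):
    """Build a ModSecurity 2.x exclusion limited to one path and the given ids."""
    ids = " ".join(sorted(rule_ids))
    return (
        "<IfModule security2_module>\n"
        f'  <LocationMatch "^{re.escape(uri)}$">\n'
        f"    SecRuleRemoveById {ids}\n"
        "  </LocationMatch>\n"
        "</IfModule>\n"
    )

if __name__ == "__main__":
    for (uri, rule_id), count in blocked_rules(SAMPLE_LOG).items():
        print(f"{count} block(s) on {uri} by rule {rule_id}")
    print(scoped_exclusion("/admin.php", {"1000001"}))
```

The generated block leaves every other rule active for the rest of the site; on shared hosting it is normally the provider who reads the log and applies it.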

 

#7 2019-11-03 18:22:23

wayne_bu
Member
2019-01-28
4

Re: Can't turn on 'Allow Rating'

Hi Todd
Thanks for your latest reply. Here's the latest reply from my host. I'm not sure what to make of it; I'd certainly welcome some input from yourself or other users who are well versed on this topic. I'm not feeling a measure of comfort here, mainly due to my lack of knowledge in security issues.

reply from my host:
***************************
Hello Wayne,

Thank you for your patience.

The admin panel works correctly now.

Mod security installed on the server was blocking access to identification.php due to a security vulnerability, so I have temporarily turned it off. I will recommend searching for an alternative CMS and avoid using Piwigo. More information about this vulnerability can be found here https://www.wizlynxgroup.com/security-r … X-2017-007

Don’t hesitate to reach out if you need anything else!

Regards,
****************************

I went to the link included in the above reply and in the Vulnerability Details section it says Status: Fixed

So, I have no idea why they block access to my Admin functions when ModSecurity for the domain is ON. In my host CPanel, under Security, when I click on the ModSecurity icon the switch for the domain in question is selected OFF (which the support tech performed, as noted in the above reply). I guess I can switch it ON - OFF, depending on if I want to access and use the Admin functions or not. But that seems silly if the support tech refers me to an issue that says: Status: Fixed

At the bottom of the page on said referenced link is a GitHub discussion:

[Github] Piwigo issue #706

I'll have to leave it at that, but this would seem to be a nuisance to switch ModSecurity ON/OFF constantly. As well, if I want Users to register on my site, would this impact them?

Eventually I'll abandon Piwigo if I'm not comfortable due to my lack of knowledge in security issues. I'll have to leave it there for now.

Thanks so much for your input!


 

#8 2019-11-03 20:49:18

erAck
Only trying to help
2015-09-06
2026

Re: Can't turn on 'Allow Rating'

Note that the Apache mod_security module and the ModSecurity Web Application Firewall are different things. Pointing to WLX-2017-007 (CVE-2017-9464) of Piwigo 2.9.0 and saying "I will recommend searching for an alternative CMS and avoid using Piwigo" shows the hoster is rather clueless. That bug is fixed since 2.9.1, see [Github] Piwigo issue #706 you also gave.


Running Piwigo at https://erack.net/gallery/


 

#9 2019-11-03 20:54:28

wayne_bu
Member
2019-01-28
4

Re: Can't turn on 'Allow Rating'

@erAck Thanks!


 

#10 2019-11-29 03:39:16

PolyWogg
Member
2014-08-17
72

Re: Can't turn on 'Allow Rating'

I'm having the same problem on a WHC server after they migrated servers. But I went into my Security area, and MOD was already off. I played with it to ensure it truly was OFF (i.e. on then off), but still getting the 403 error.

Any other solutions with WHC?

P.


 
