EMar Posted April 16, 2018

Hmm, I was trying to edit the portal module text and after saving got this:

Forbidden
You don't have permission to access /staff/settings/company/plugins/manage/5/ on this server.

Would it have anything to do with mod security, which I enabled the other day on CentOS Panel?

BeZazz Posted April 16, 2018

It is possible, you would need to look at your logs.

Paul Posted April 16, 2018

It could be mod_security, sure.. or it could possibly be improper ACL permissions for your staff user. Check your staff group and ensure you have full access.

Settings > System > Staff > Staff Groups: Edit

EMar Posted April 16, 2018

For some reason I created two staff members, but with the same info, each assigned to a different department, billing and support. I've ticked every box at System > Staff > Staff Groups, for both users, but still can't edit that portal module.

EDIT: Actually I disabled mod_security in the server and was able to edit the portal module. So any idea how to fix this when mod_security is enabled?

BeZazz Posted April 16, 2018

You need to look at the relevant log. There may be a specific mod_sec log, or it may be in your Apache etc. log. In there it will list what caused mod_sec to kick in. There will be an ID of the mod_sec rule that caused the false positive. Disable that ID.

EMar Posted April 16, 2018

I see some files at /usr/local/apache/logs: error_log, modsec_audit.log, modsec_debug.log

austenite Posted April 22, 2018

Could also be permissions, navigate to your docroot and run the following:

find . -type f -exec chmod 644 {} \; && find . -type d -exec chmod 755 {} \;

EMar Posted April 24, 2018

I tried that command in putty, don't think it did anything.

EMar Posted April 24, 2018

I logged into CentOS Control Panel 7 and clicked Mod Security under the Security tab.

Last 20 Lines matching ModSecurity from Error log file: /usr/local/apache/logs/error_log

[Tue Apr 24 01:08:09.218692 2018] [:error] [pid 255567:tid 1402356545764868i24] [client 11.110.113.232:63250] [client 11.110.113.232] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\\\s*?\\\\(\\\\s*?select)|(?:\\\\d+\\\\s*?(x?or|div|like|between|and)\\\\s*?\\\\d+\\\\s*?[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x?or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|(?:(?:;|#|--)\\\\s*?(?:drop|alter))|(?:(?:;|#|--)\\\\s*?(?:update|i ..." at ARGS:content. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"] [id "9667848"] [msg "Detects chained SQL injection attempts 1/2"] [data "Matched Data: div class=\\x22 found within ARGS:content: <div class=\\x22col-md-12\\x22>\\x0d\\x0a <div class=\\x22thanks\\x22>\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a</div>\\x0d\\x0a </div>\\x0d\\x0a\\x0d\\x0a <div class=\\x22col-md-4 col-sm-6 portal-box\\x22>\\x0d\\x0a <a href=\\x22{client_url}login/\\x22>\\x0d\\x0a <div class=\\x22well\\x22>\\x0d\\x0a <i class=\\x22fa fa-cogs fa-4x\\x22></i>\\x0d\\x0a <h4>My Account</h4>\\x0d\\x0a <p>Log in here to manage your ac [hostname "clients.domain.com"] [uri "/staff/settings/company/plugins/manage/5/"] [unique_id "%^$%6DeSztztryrrtrggJxJwAAAM8"], referer: https://clients.domain.com/staff/settings/company/plugins/manage/5/

Paul Posted April 24, 2018

16 hours ago, EMar said:
> I logged into CentOS Control Panel 7 and clicked Mod Security under the Security tab.
>
> Last 20 Lines matching ModSecurity from Error log file: /usr/local/apache/logs/error_log
>
> [Tue Apr 24 01:08:09.218692 2018] [:error] [pid 255567:tid 1402356545764868i24] [client 11.110.113.232:63250] [client 11.110.113.232] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\\\s*?\\\\(\\\\s*?select)|(?:\\\\d+\\\\s*?(x?or|div|like|between|and)\\\\s*?\\\\d+\\\\s*?[\\\\-+])|(?:\\\\/\\\\w+;?\\\\s+(?:having|and|x?or|div|like|between|and|select)\\\\W)|(?:\\\\d\\\\s+group\\\\s+by.+\\\\()|(?:(?:;|#|--)\\\\s*?(?:drop|alter))|(?:(?:;|#|--)\\\\s*?(?:update|i ..." at ARGS:content. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"] [id "9667848"] [msg "Detects chained SQL injection attempts 1/2"] [data "Matched Data: div class=\\x22 found within ARGS:content: <div class=\\x22col-md-12\\x22>\\x0d\\x0a <div class=\\x22thanks\\x22>\\x0d\\x0a\\x0d\\x0a\\x0d\\x0a</div>\\x0d\\x0a </div>\\x0d\\x0a\\x0d\\x0a <div class=\\x22col-md-4 col-sm-6 portal-box\\x22>\\x0d\\x0a <a href=\\x22{client_url}login/\\x22>\\x0d\\x0a <div class=\\x22well\\x22>\\x0d\\x0a <i class=\\x22fa fa-cogs fa-4x\\x22></i>\\x0d\\x0a <h4>My Account</h4>\\x0d\\x0a <p>Log in here to manage your ac [hostname "clients.domain.com"] [uri "/staff/settings/company/plugins/manage/5/"] [unique_id "%^$%6DeSztztryrrtrggJxJwAAAM8"], referer: https://clients.domain.com/staff/settings/company/plugins/manage/5/

Looks like it is in fact a mod_security rule. You'll need to edit the file, comment out the line, and restart Apache.

> [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"]

nano -w +211 /usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

.. to go right to the line

EMar Posted April 29, 2018

Thanks, I can't find /usr/local/apache/modsecurity-owasp-old/ in my CentOS installation, using sftp as root.

Blesta Addons Posted April 29, 2018

Try only to exclude the rule id 9667848.

SecRuleRemoveById 9667848

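The steps discussed so far (read the error log, find the rule ID, disable it), as an added example that is not from any poster in this thread: it parses ModSecurity denial lines, counts them per rule, URI and matched variable, and emits an exclusion limited to the affected path so the SQL injection rule stays active everywhere else. The function names, the constructed sample log and the `<Location>` scoping are assumptions of this example; the thread itself suggests the global `SecRuleRemoveById 9667848`.

```python
import re
from collections import Counter

# Constructed sample shaped like the posted error_log entry: pattern shortened, client
# address replaced, and the [data ...] field cut off mid-value as it is in the post.
SAMPLE_LOG = [
    '[Tue Apr 24 01:08:09 2018] [:error] [pid 1:tid 2] [client 192.0.2.10:63250] '
    'ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:...)" '
    'at ARGS:content. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/'
    'modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"] [id "9667848"] '
    '[msg "Detects chained SQL injection attempts 1/2"] '
    '[data "Matched Data: div class=\\x22 found within ARGS:content: <div class=\\x22well '
    '[hostname "clients.domain.com"] [uri "/staff/settings/company/plugins/manage/5/"] '
    '[unique_id "constructed"], referer: https://clients.domain.com/staff/',
    '[Tue Apr 24 01:09:00 2018] [:error] [pid 1:tid 2] AH00128: File does not exist: /x',
]

TAG = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [key "value"], value may hold \" escapes
TARGET = re.compile(r'" at (\S+?)\. \[file ')       # variable that matched, e.g. ARGS:content
SAFE_URI = re.compile(r'/[\w./~-]*')                # only plain paths are written into config

def parse_denial(line):
    """Return the rule metadata of a ModSecurity denial line, or None for other lines."""
    if "ModSecurity: Access denied" not in line:
        return None
    hit = dict(TAG.findall(line))   # a truncated [data "... never closes, so it is skipped
    m = TARGET.search(line)
    hit["target"] = m.group(1) if m else None
    return hit if "id" in hit else None

def summarize(lines):
    """Count denials per (rule id, uri, target) so repeated false positives stand out."""
    hits = filter(None, map(parse_denial, lines))
    return Counter((h["id"], h.get("uri", ""), h["target"]) for h in hits)

def scoped_exclusion(rule_id, uri):
    """Apache snippet removing one rule for one path; the rule stays active elsewhere."""
    if not rule_id.isdigit() or not SAFE_URI.fullmatch(uri):
        raise ValueError("refusing to build config from unexpected log values")
    return f'<Location "{uri}">\n    SecRuleRemoveById {rule_id}\n</Location>\n'

if __name__ == "__main__":
    for (rule_id, uri, target), n in summarize(SAMPLE_LOG).items():
        print(f"# {n} denial(s): rule {rule_id} on {target} at {uri}")
        print(scoped_exclusion(rule_id, uri))
```

Whichever file receives the generated snippet has to be included after the rule file that defines the ID, because `SecRuleRemoveById` only removes rules that are already loaded.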
Paul Posted May 2, 2018

On 4/28/2018 at 8:25 PM, EMar said:
> Thanks, I can't find /usr/local/apache/modsecurity-owasp-old/ in my Centos installation, using sftp as root.

That's weird since your error mentions the path /usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

locate injection_attacks.conf

Maybe you'll get a result? If you get a "database" error, unable to search..

yum install mlocate -y
updatedb &

And try again after a few min.

Blesta Addons Posted May 2, 2018

20 hours ago, EMar said:
> Sorry no idea what you mean.

In the exclude rules files, add the line I have put for you. It will deactivate the rule from mod security.

EMar Posted May 5, 2018

[root@me /]# yum install mlocate -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.tds.net
 * epel: mirror.steadfast.net
 * extras: mirrors.gigenet.com
 * updates: centos.mirrors.tds.net
Package mlocate-0.26-6.el7.x86_64 already installed and latest version
Nothing to do

EMar Posted May 5, 2018

I don't know where exclude rules files are.

Nelsa Posted May 5, 2018

6 hours ago, EMar said:
> I don't know where exclude rules files are.

You said you have CentOS panel. If you look in the admin interface, under Security > Mod Security you will find options to enable/disable mod security, and there will also be the conf file locations. If nothing is changed it should be:

Main Configuration --> /usr/local/apache/conf.d/mod_security.conf
Rules Configuration --> /usr/local/apache/modsecurity-cwaf/cwaf.conf
Disabled Rules --> /usr/local/apache/modsecurity-cwaf/custom_user.conf

To edit a file use the command

vi /usr/local/apache/modsecurity-cwaf/custom_user.conf

(to edit another file just change the file location after vi). After that, when the file is opened, click on i (short for insert) and then you can edit the content. When you are done, first click on ESC, then press left shift + q, then enter wq and hit enter. If you are not good with ssh, just install WinSCP and then you can download the file, edit it and upload it again in one minute using the GUI.

EMar Posted May 15, 2018

Ok.. I have those config files now, I can edit them in CentOS Web Panel 7. There's no disable option for Mod Security, I uninstalled it while editing Blesta pages then installed it again.

Adding SecRuleRemoveById 9667848 to all 3 files

Configuration Files:
Main Configuration --> /usr/local/apache/conf.d/mod_security.conf
Rules Configuration --> /usr/local/apache/modsecurity-owasp-old/owasp.conf
Disabled Rules --> /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf

I don't have a custom_user.conf

Contents of File: /usr/local/apache/conf.d/mod_security.conf
Contents of File: /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf

Do I need to add it to /usr/local/apache/modsecurity-owasp-old/owasp.conf?