
Forbidden You don't have permission to access /staff/settings/company/plugins/manage/5/ on this server.



Posted

Hmm, I was trying to edit the portal module text and after saving got this:

Forbidden You don't have permission to access /staff/settings/company/plugins/manage/5/ on this server.

Would it have anything to do with mod_security, which I enabled the other day on CentOS Panel?

Posted

It could be mod_security, sure, or it could possibly be improper ACL permissions for your staff user. Check your staff group and ensure you have full access: Settings > System > Staff > Staff Groups: Edit

Posted

For some reason I created two staff members, but with the same info, each assigned to a different department, billing and support.

I've ticked every box at System > Staff > Staff Groups, for both users, but still can't edit that portal module.

EDIT

Actually, I disabled mod_security on the server and was able to edit the portal module.
So any idea how to fix this when mod_security is enabled?

Posted

You need to look at the relevant log. There may be a specific mod_sec log, or it may be in your Apache log, etc.

In there it will list what caused mod_sec to kick in. There will be an ID of the mod_sec rule that caused the false positive.

Disable that ID.

Posted

I logged into CentOS Control Panel 7 and clicked Mod Security under the Security tab.

Last 20 Lines matching ModSecurity from Error log file: /usr/local/apache/logs/error_log

[Tue Apr 24 01:08:09.218692 2018] [:error] [pid 255567:tid 1402356545764868i24] [client 11.110.113.232:63250] [client 11.110.113.232] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\s*?\\(\\s*?select)|(?:\\d+\\s*?(x?or|div|like|between|and)\\s*?\\d+\\s*?[\\-+])|(?:\\/\\w+;?\\s+(?:having|and|x?or|div|like|between|and|select)\\W)|(?:\\d\\s+group\\s+by.+\\()|(?:(?:;|#|--)\\s*?(?:drop|alter))|(?:(?:;|#|--)\\s*?(?:update|i ..." at ARGS:content. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"] [id "9667848"] [msg "Detects chained SQL injection attempts 1/2"] [data "Matched Data: div class=\x22 found within ARGS:content:     <div class=\x22col-md-12\x22>\x0d\x0a        <div class=\x22thanks\x22>\x0d\x0a\x0d\x0a\x0d\x0a</div>\x0d\x0a    </div>\x0d\x0a\x0d\x0a    <div class=\x22col-md-4 col-sm-6 portal-box\x22>\x0d\x0a        <a href=\x22{client_url}login/\x22>\x0d\x0a            <div class=\x22well\x22>\x0d\x0a                <i class=\x22fa fa-cogs fa-4x\x22></i>\x0d\x0a                <h4>My Account</h4>\x0d\x0a                <p>Log in here to manage your ac [hostname "clients.domain.com"] [uri "/staff/settings/company/plugins/manage/5/"] [unique_id "%^$%6DeSztztryrrtrggJxJwAAAM8"], referer: https://clients.domain.com/staff/settings/company/plugins/manage/5/
Posted
16 hours ago, EMar said:

I logged into CentOS Control Panel 7 and clicked Mod Security under the Security tab.

[quoted log entry from the post above]

Looks like it is in fact a mod_security rule. You'll need to edit the file, comment out the line, and restart Apache.

Quote

[file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"]

nano -w +211 /usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

... to go right to the line.

Posted
On 4/28/2018 at 8:25 PM, EMar said:

Thanks, I can't find /usr/local/apache/modsecurity-owasp-old/ in my CentOS installation, using SFTP as root.

That's weird, since your error mentions the path /usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf

locate injection_attacks.conf

Maybe you'll get a result? If you get a "database" error and it is unable to search:

yum install mlocate -y
updatedb &

And try again after a few minutes.

Posted
[root@me /]# yum install mlocate -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.tds.net
 * epel: mirror.steadfast.net
 * extras: mirrors.gigenet.com
 * updates: centos.mirrors.tds.net
Package mlocate-0.26-6.el7.x86_64 already installed and latest version
Nothing to do

2 weeks later...
Posted

Ok, I have those config files now; I can edit them in CentOS Web Panel 7.

There's no disable option for Mod Security, so I uninstalled it while editing Blesta pages and then installed it again.

Adding SecRuleRemoveById 9667848 to all 3 files.

Configuration Files:
Main Configuration --> /usr/local/apache/conf.d/mod_security.conf
Rules Configuration --> /usr/local/apache/modsecurity-owasp-old/owasp.conf
Disabled Rules --> /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf

I don't have a custom_user.conf

Contents of File: /usr/local/apache/conf.d/mod_security.conf

[screenshot of the file contents, not reproduced]

Contents of File: /usr/local/apache/modsecurity-owasp-old/global_disabled_rules.conf

[screenshot of the file contents, not reproduced]

Do I need to add it to /usr/local/apache/modsecurity-owasp-old/owasp.conf?
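The thread's procedure is: read the ModSecurity denial in the Apache error log, pull out the rule ID, and disable that ID. The added example below (editor's code, not from the thread or from Blesta or CWP) does that mechanically for a ModSecurity 2.x error_log entry and, instead of dropping rule 9667848 for every request to the site with SecRuleRemoveById, emits a runtime exclusion that removes only that rule's check on ARGS:content for requests under the logged staff URI. The log line inside the script is a constructed, shortened copy of the one posted above; the exclusion rule's own id (10001) is an arbitrary unused local id.

```shell
#!/bin/sh
# Added example, not from the thread: turn a ModSecurity 2.x error_log entry
# into a scoped rule exclusion instead of disabling the rule site-wide.
set -e

# Constructed sample: a shortened copy of the log entry posted in the thread.
# Only the bracketed fields and the '" at ARGS:content.' part are used.
SAMPLE_LOG='[Tue Apr 24 01:08:09.218692 2018] [:error] [pid 255567] [client 11.110.113.232:63250] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:(?:@.+=\\s*?\\(\\s*?select)|..." at ARGS:content. [file "/usr/local/apache/modsecurity-owasp-old/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "211"] [id "9667848"] [msg "Detects chained SQL injection attempts 1/2"] [hostname "clients.domain.com"] [uri "/staff/settings/company/plugins/manage/5/"] [unique_id "constructed"]'

# modsec_field LINE KEY: print the value of the [KEY "value"] bracket, or nothing.
modsec_field() {
    printf '%s\n' "$1" | sed -n "s/.*\[$2 \"\([^\"]*\)\"\].*/\1/p"
}

# modsec_target LINE: print the variable the pattern matched (e.g. ARGS:content),
# taken from the '..." at VAR. [file ...' part of the message.
modsec_target() {
    printf '%s\n' "$1" | sed -n 's/.*" at \([^ ]*\)\. \[file .*/\1/p'
}

# modsec_exclusion LINE EXCL_ID: emit a phase-1 rule that removes only the
# logged rule's check on the logged variable for requests under the logged URI.
# EXCL_ID is the id of the new rule itself; 1-99999 is the range ModSecurity
# leaves for local rules. Returns 1 if LINE is not a ModSecurity denial.
modsec_exclusion() {
    line=$1
    excl_id=$2
    rule_id=$(modsec_field "$line" id)
    uri=$(modsec_field "$line" uri)
    target=$(modsec_target "$line")
    [ -n "$rule_id" ] && [ -n "$uri" ] && [ -n "$target" ] || return 1
    printf 'SecRule REQUEST_URI "@beginsWith %s" \\\n' "$uri"
    printf '    "id:%s,phase:1,pass,nolog,ctl:ruleRemoveTargetById=%s;%s"\n' \
        "$excl_id" "$rule_id" "$target"
}

# Stand-alone run: say what fired where, then print the exclusion to drop into
# a file Apache includes after mod_security is loaded (10001 is an arbitrary id).
printf 'rule %s (%s, line %s) fired on %s for %s\n' \
    "$(modsec_field "$SAMPLE_LOG" id)" "$(modsec_field "$SAMPLE_LOG" file)" \
    "$(modsec_field "$SAMPLE_LOG" line)" "$(modsec_target "$SAMPLE_LOG")" \
    "$(modsec_field "$SAMPLE_LOG" uri)"
modsec_exclusion "$SAMPLE_LOG" 10001
```

Two practical points for the question above. First, the ctl:ruleRemoveTargetById exclusion runs in phase 1, before the CRS phase-2 rule is evaluated, so it works from any file that Apache reads after mod_security itself is loaded; widen the @beginsWith prefix (for example to /staff/settings/company/plugins/manage/) if other plugin pages trip the same rule. Second, a plain SecRuleRemoveById 9667848 directive only takes effect if it appears after the file that defines rule 9667848 has been included, so of the three files listed, the one that matters is whichever is read after the CRS rule files; a copy placed before the rule is defined does nothing, and either way that directive turns the rule off for every request to the site, including the public client pages, not just the staff editor.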
