403 error forbidden

Hi

I am receiving a 403 error when trying to access the full sized images, thumbs work ok and also when selecting "slideshow"

My server logs show the following error (mentions the .jpg.php extension)

[Thu Feb 14 14:21:30 2013] [error] [client 80.229.19.251] ModSecurity: [file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "597"] [id "340035"] [rev "5"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: Bogus file extensions"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Matched phrase ".jpg.php" at REQUEST_URI. [hostname "www.thestottfamily.co.uk"] [uri "/caravan-and-camping/crown-prince/fortwilliam1.jpg.php"] [unique_id "@ZrTcAVNIpYAAExqSssAAAAE"]

The zenphoto security logs show

2013-02-14 14:21:14 80.229.19.251 Album access thestottfamily John Stott Blocked /zp-core/admin-edit.php?page=edit&album=rabbits&saved&subpage=1&tagsort=1&tab=imageinfo

I guess this is a server problem but my hosting provider does not seem to have any idea.

Cheers

John

P.S Zenphoto version 1.4.4.1s [bf2e07e8cf] (Official build)
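An added example, not part of the original post and not Zenphoto or Atomicorp code: a small parser for Apache error-log lines in the format quoted above, which extracts the rule id, message, matched phrase and URI and groups the denials by rule. The sample lines are constructed from the entry in the post, with placeholder client addresses, hostname, URIs and unique_id values.

```python
import re

# Constructed sample lines modelled on the error-log entry quoted above;
# client addresses, hostname, URIs and unique_id values are placeholders.
_RULE = ('[file "/etc/httpd/modsecurity.d/10_asl_rules.conf"] [line "597"] '
         '[id "340035"] [rev "5"] [msg "Atomicorp.com UNSUPPORTED DELAYED Rules: '
         'Bogus file extensions"] [severity "CRITICAL"] Access denied with code 403 '
         '(phase 2). Matched phrase ".jpg.php" at REQUEST_URI. ')
SAMPLE_LOG = [
    '[Thu Feb 14 14:21:30 2013] [error] [client 203.0.113.7] ModSecurity: ' + _RULE
    + '[hostname "gallery.example"] [uri "/album/one.jpg.php"] [unique_id "AAAA"]',
    '[Thu Feb 14 14:21:41 2013] [error] [client 203.0.113.9] ModSecurity: ' + _RULE
    + '[hostname "gallery.example"] [uri "/album/two.jpg.php"] [unique_id "BBBB"]',
    '[Thu Feb 14 14:22:02 2013] [error] [client 203.0.113.7] File does not exist: '
    '/var/www/html/favicon.ico',
]

TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')      # [key "value"] pairs
ACTION_RE = re.compile(r'Access denied with code (\d+) \(phase (\d+)\)')
MATCH_RE = re.compile(r'Matched phrase "(.*?)" at ([A-Z_]+)')

def parse_modsec_line(line):
    """Return the fields of one ModSecurity denial, or None for other lines."""
    head, sep, body = line.partition("ModSecurity: ")
    if not sep:
        return None
    event = dict(TAG_RE.findall(body))
    client = re.search(r'\[client ([^\]]+)\]', head)
    event["client"] = client.group(1) if client else None
    action = ACTION_RE.search(body)
    if action:
        event["status"], event["phase"] = map(int, action.groups())
    matched = MATCH_RE.search(body)
    if matched:
        event["matched"], event["variable"] = matched.groups()
    return event

def summarise(lines):
    """Group denials by rule id so one rule's hits can be reported together."""
    report = {}
    for event in filter(None, map(parse_modsec_line, lines)):
        entry = report.setdefault(event.get("id"), {"msg": event.get("msg"),
                                                    "count": 0, "uris": []})
        entry["count"] += 1
        entry["uris"].append(event.get("uri"))
    return report

if __name__ == "__main__":
    for rule_id, entry in summarise(SAMPLE_LOG).items():
        print(rule_id, entry["count"], entry["msg"], entry["uris"])
```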

Comments

  • acrylian Administrator, Developer
    "/etc/httpd/modsecurity.d/10_asl_rules.conf"]
    This indicates that some server security is involved. Did you check the permissions?
  • All the directories are 0755 and files 0644 for zenphoto.

    I do not have access to the /etc directories on the server.

    I am still awaiting a response to my second ticket from the hosting company.

    Thanks

    John
  • Hi

    Just an update. The web host sorted the 403 error but now zenphoto setup is asking me to change directory permissions to 0777.

    Any ideas?

    John
  • Probably your host fixed the problem by setting some folder permissions to 0777. You should not set permissions to 0777 unless Zenphoto will not run otherwise. So do nothing.
  • Well having the zp-data directory set to 0777 and .log files etc does not make me feel too secure!

    Maybe time to change hosting companies.

    John

    P.S They come across as a UK company but I have traced them to India via their IP address.
  • acrylian Administrator, Developer
    A lot of bigger companies move certain services to India (and UK of course still has some connection anyway I guess) as they are good at informatics stuff but also cheaper...
  • The latest reply - they are after my zenphoto login details!
    If you can provide me with an image to upload and your login / password to Zenphoto then I will login and locate the problem. It seems that Zenphoto is using another ID to upload the files instead of your FTP ID, if I can login I will try to get to the bottom of the issue

    Pity it's all directories not just albums!
  • acrylian Administrator, Developer
    I would actually say it is not that bad if they want to try to reproduce it themselves. If you fear unwanted access you could set up a test install where it does not matter.
  • Well, since it is their site, they should know what user ID that PHP scripts run under for a particular user. If that is not the same as your FTP user, then you will have this sort of issue. They should probably also know your FTP user ID.
  • Hi

    Thanks for the replies.

    Sorry if I misunderstand you but should it matter if my FTP login/password differ from what I created for my database?

    Regards

    John
  • acrylian Administrator, Developer
    The database (on its own server generally anyway) and FTP are not related so that is how it should be.
  • It gets better...

    The cache directory seems to be mirrored onto another domain I have hosted with this company... weird...

    John