Mod_security: Access Denied With Code 406. Pattern Match
Feb 22, 2008
Taken from apache error logs, are these below legit or false alarms per se? This same customer is having issues with php sendmail (server uses php 5 w/ phpsuexec enabled)
[Thu Feb 21 17:02:02 2008] [error] [client 216.9.250.112] mod_security: Access denied with code 406. Pattern match "!^[0-9a-z]*$" at COOKIE("PHPSESSID") [hostname "www.clientdomain.com"] [uri "/%23URL.ImagURL%23"]
[Fri Feb 22 10:13:18 2008] [error] [client 189.24.155.203] mod_security: Access denied with code 406. Pattern match "',''));" at POST_PAYLOAD [hostname "clientdomain.com"] [uri "/xmlrpc.php"] ....
mod_security: Access denied with code 406. Pattern match "<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>" at POST_PAYLOAD [hostname "domain.us"] [uri "/_vti_bin/_vti_aut/author.exe"]
# Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD|POST|PUT|PROPFIND|OPTIONS)$" "chain,id:340001,rev:1,severity:2,msg:'Restricted HTTP function'"
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"

#Generic rule for allowed characters, very broken at the moment, dont use it unless you can fix it
#Then post your fix eh!
#SecFilterSelective REQUEST_URI "!^[-a-zA-z0-9.+_/-?=]+$" "chain,id:340002,rev:1,severity:2,msg:'Restricted HTTP character set'"

# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" "chain,id:340003,rev:1,severity:2,msg:'Content Length not provided with POST'"
SecFilterSelective HTTP_Content-Length "^$"

# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$" "id:340004,rev:1,severity:2,msg:'Dis-allowed Transfer Encoding'"

#XSS insertion into Content-Type
SecFilterSelective THE_REQUEST "Content-Type:.*(<[[:space:]]*(script|about|applet|activex|chrome)*>.*(script|about|applet|activex|chrome)[[:space:]]*>|onmouseover=|javascript:)" "id:300002,rev:1,severity:2,msg:'XSS attack in Content-type header'"

#Don't accept chunked encodings
#modsecurity can not look at these, so this is a hole
#that can bypass your rules, the rule before this one
#should cover this, but hey paranoia is cheap
SecFilterSelective HTTP_Transfer-Encoding "chunked" "id:300003,rev:1,severity:2,msg:'Chunked Transfer Encoding denied'"
#Code injection via content length
SecFilterSelective HTTP_Content-Length ";(system|passthru|exec)\(" "id:330003,rev:1,severity:2,msg:'Code Injection in Content-Length header'"
#broad cross site scripting rule
#False alarms are a problem with this, use with caution
#SecFilterSelective THE_REQUEST "<(.| )+>"
We have a small Hosting reseller account at eNom. We have a new customer that moved his website from another hosting company to ours. The website is on a shared IP. Enom also uses an internal IP for internal use associated to the domain.
The problem we have is that AOL users can not see the website. As far as we can tell no other ISPs are having this problem. Everyone can see it except AOL users.
When AOL users go to the site they get "Page can not be found". After several calls to eNom support and them triple checking the DNS we still have the problem.
I looked at the error log for the website this morning. I found several errors. I looked up the IPs with the errors and they all pointed back to AOL. See below for two examples of the errors....
Is this a server problem or DNS?
What do these errors mean and what do I do about it?
The domain is http://2hotlicks.com. They sell Hot Sauce. Would AOL block it because of the keywords in the Domain name?
[Wed Oct 17 08:11:56 2007] [error] [client 207.200.116.7] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/"] [unique_id "uPWvAgoHAlYAAA25N5AAAAAI"]
[Tue Oct 16 13:11:20 2007] [error] [client 207.200.116.137] ModSecurity: Access denied with code 400 (phase 2). Pattern match "(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" at REQUEST_HEADERS:Via. [id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] [severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/combos.htm"] [unique_id "yddhwAoHAlYAAEEfgyEAAAAi"]
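The script below is an added example, not part of the original posts. It parses the two ModSecurity log formats quoted above (1.x and 2.x) and replays each logged pattern against constructed values, showing that rule 950911 denies any Via header that spells the protocol out as HTTP/1.1 (a form RFC 2616 permits) and that the PHPSESSID rule denies any session ID with characters outside 0-9 and a-z. The function names, the candidate values and the use of Python's re with case-insensitive matching are assumptions.

```python
import re

# Handles both formats quoted in the posts: "mod_security:" (1.x) and "ModSecurity:" (2.x).
DENY = re.compile(
    r'\[client (?P<client>[^\]]+)\] (?:mod_security|ModSecurity): '
    r'Access denied with code (?P<code>\d+)(?: \(phase (?P<phase>\d)\))?\. '
    r'Pattern match "(?P<pattern>.*?)" at (?P<var>\S+)')
TAG = re.compile(r'\[(id|msg|uri|hostname) "([^"]*)"\]')

def parse(line):
    """Return the fields of one 'Access denied' line as a dict, or None."""
    m = DENY.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["var"] = rec["var"].rstrip(".")   # 2.x ends the variable name with "."
    rec.update(TAG.findall(line))         # optional [id ...] [msg ...] [uri ...] tags
    return rec

def rule_fires(pattern, value):
    """A leading '!' inverts the rule: it fires when the regex does NOT match.
    Assumption: case-insensitive matching, with Python's re standing in for
    the server's regex engine (adequate for these two patterns)."""
    if pattern.startswith("!"):
        return re.search(pattern[1:], value, re.I) is None
    return re.search(pattern, value, re.I) is not None

# Two log lines copied from the posts above (unique_id tag omitted).
LINE_1X = (r'[Thu Feb 21 17:02:02 2008] [error] [client 216.9.250.112] mod_security: '
           r'Access denied with code 406. Pattern match "!^[0-9a-z]*$" at '
           r'COOKIE("PHPSESSID") [hostname "www.clientdomain.com"] [uri "/%23URL.ImagURL%23"]')
LINE_2X = (r'[Wed Oct 17 08:11:56 2007] [error] [client 207.200.116.7] ModSecurity: '
           r'Access denied with code 400 (phase 2). Pattern match '
           r'"(?:\bhttp.(?:0\.9|1\.[01])|<(?:html|meta)\b)" at REQUEST_HEADERS:Via. '
           r'[id "950911"] [msg "HTTP Response Splitting Attack. Matched signature <http/1.1>"] '
           r'[severity "ALERT"] [hostname "www.2hotlicks.com"] [uri "/"]')

# Constructed header/cookie values (not taken from the logs) to replay against each rule.
CANDIDATES = {
    "REQUEST_HEADERS:Via": ["HTTP/1.1 cache.example.net", "1.1 cache.example.net"],
    'COOKIE("PHPSESSID")': ["9f2c1ab07d", "9f2c,1ab-07d"],
}

def replay(line):
    """Map each constructed value to whether the logged pattern would deny it."""
    rec = parse(line)
    return {v: rule_fires(rec["pattern"], v) for v in CANDIDATES[rec["var"]]}

if __name__ == "__main__":
    for line in (LINE_1X, LINE_2X):
        print(parse(line)["var"], replay(line))
```

A value that is denied here while being an ordinary proxy header or session ID points to a rule that needs tuning or an exception, rather than to an attack.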
I am installing a .NET application on a client's server but they don't know much about IIS and neither do I.
I am having an access denied issue when browsing a recently installed website on a fresh .NET framework. The "%systemroot%\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" folder appears to have the correct rights, I read that incorrect rights could be a reason for this issue. What else could it be?
Code: Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.IO.FileLoadException: Could not load file or assembly 'Puerto' or one of its dependencies. Access Denied.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Assembly Load Trace: The following information can be helpful to determine why the assembly 'Puerto' could not be loaded.
=== Pre-bind state information ===
LOG: User = NT AUTHORITY\Servicio de red
LOG: DisplayName = Puerto (Partial)
LOG: Appbase = file:///C:/Inetpub/wwwroot/CFDOCS/home/
LOG: Initial PrivatePath = C:\Inetpub\wwwroot\CFDOCS\home\bin
Calling assembly : (Unknown).
===
LOG: This bind starts in default load context.
LOG: Using application configuration file: C:\Inetpub\wwwroot\CFDOCS\home\web.config
LOG: Using host configuration file: \\?\c:\windows\microsoft.net\framework\v2.0.50727\aspnet.config
LOG: Using machine configuration file from C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config.
LOG: Policy not being applied to reference at this time (private, custom, partial, or location-based assembly bind).
LOG: Attempting download of new URL file:///C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/Temporary ASP.NET Files/web/13c8581c/98ca4568/Puerto.DLL.
LOG: Attempting download of new URL file:///C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/Temporary ASP.NET Files/web/13c8581c/98ca4568/Puerto/Puerto.DLL.
LOG: Attempting download of new URL file:///C:/Inetpub/wwwroot/CFDOCS/home/bin/Puerto.DLL.
ERR: Failed to complete setup of assembly (hr = 0x80070005). Probing terminated.
Stack Trace:
[FileLoadException: Could not load file or assembly 'Puerto' or one of its dependencies. Acceso denegado.] ....
I have a strange problem that I encounter sometimes. I have 3 websites on my hosting account. About once a week, I will try to access one of those sites and I will get a timeout or connection error in my browser. I will not have any problem viewing any other websites and as soon as I restart my computer, I can view my sites again.
It seems like either my computer, wifi router, isp or webhost decides to block me from accessing any of my 3 sites for no apparent reason. Restarting my computer fixes this. My ip does not change when I restart my computer so I do not know why it would suddenly allow me access again but it does.
What is this problem likely to be? A bug on my computer, a bug on my server? My isp being retarded? No one else seems to have any problems accessing my site, I would guess it is a local issue. What I can not figure out though, is why it only happens to my own websites on my hosting account. This never happens when trying to view any other websites except my own (on my hosting account). This cannot be a coincidence. It is a big mystery to me.
I've set up a mysql user and assigned a password for it. When I try logging in to it with
Quote:
mysql -u USERNAME -p
and then providing the password I get an error:
Quote:
ERROR 1045 (28000): Access denied for user 'USERNAME'@'localhost' (using password: YES)
I don't have trouble logging in as root and when I check the user table there, the password assigned to the user is same as the value the mysql function PASSWORD gives me. Really driving me nuts here, why is it telling me the password is wrong when it's not?
I've tried: restarting mysql, setting new password, changing username
I have many accounts on my server, everyone can connect via FTP but when they try to upload something they get "access denied", I get it too, sometimes it works for a few minutes and goes back to giving me access denied. I have not changed any settings since it was working just fine before. I checked the folder permissions, user permissions, used the chown command to make sure the folders belonged to the correct users/groups and I disabled the firewall, same thing. Any ideas what might be going on? Do you think I have a virus on the server? It's a Linux server.
This message has been automatically generated notifying you that the service httpd is currently down. I searched and someone recommended checking using this order in SSH, and I got this message: Could not open configuration file /etc/httpd/conf/extra/directadmin-vhosts.conf: Permission denied. I also get permission denied for anything related to Apache.
Recently migrated a customer's website to a new server and transferred their SSL certificate. They are now reporting that some users are getting a "permission denied" error when trying to visit the site. The customer's developer and I are unable to reproduce the error anywhere.
Please click on this site and tell me if you get a "permission denied" error: www.accreditationnow.com/
In the last two days we have had a problem with Plesk on Windows Server 2008 R2; the Plesk version is 12. We have an Access is denied error in some parts of Plesk, like: can not add email address, can not edit email address, can not activate on suspend domain. I contacted the support team and they solved the problem, but after one day the problem came back. In the attachment I attach the error log file and a screenshot of the errors.
I've had a tiny VPS with Nynoc for a while, and have been satisfied with its performance.
Today, I just purchased their supervps 3 ($15/mo) and paid 6 months in advance. Although the full amount of the purchase was $90, I was billed only $85 in the invoice. My paypal account showed they had deducted $5 immediately before the order. Anyways, I completed the payment and got confirmation email.
However, a few hours later I came to learn via paypal emails that the subscription had been cancelled and the $85 payment refunded!
I tried to login to the client portal, and surprise! Access denied! I tried to reset the password using the "forgotten password" link, now it says my e-mail address doesn't even exist in the database!
I contacted support via e-mail and am awaiting a reply.
In the past few months I've received some weird invoices from nynoc. Sometimes they sent me invoice for $0, and then notify me that the invoice was paid in full!
Clearly, their invoice & billing system is having trouble. And now I'm being locked out of my client area. (My old VPS is still running though.) Worse still, there was no word from the nynoc staff.
Has anybody experienced billing errors with nynoc?
I have just installed WHMCS on a dedicated Windows 2003 Server box with Plesk 8.2. I am getting the above error when I try to go to the billing subdirectory (www.mydomain.com/billing), if I don't input a correct username/password. Inputting a username/pass does work, and I did so to install it, but obviously this is not a long term solution.
IUSR has read/execute/list rights to the parent httpdocs directory and inheritable permissions is checked. I have checked the child directories and files, and everything seems to have inherited the correct permissions.
I am able to otherwise access my website, as well as TCadmin.
When I deleted a database, the user apparently was orphaned because when I tried to recreate it, it returned "user already exists". I've never encountered that problem although from Googling, I see others have and they delete the user to get around it.
When I log into mysql using the da_admin@ account and attempt to remove the user with drop user <user_name>; I receive the following error message:
ERROR 1227 (42000): Access denied; you need the CREATE USER privilege for this operation
It seems I don't have rights even as the root user. How can I remove the orphaned user?
I have apache, php, and mysql set up on CentOS 4.4. I have phpMyAdmin running perfectly in a folder in /var/www/html/phpMyAdmin. I can access phpMyAdmin and use it perfectly. I downloaded Cacti which is a server monitoring application written in php, nothing special. I untar the file and it creates a folder, I simply do a mv command from /home/sys/cacti to /etc/www/html/cacti. Then when I open my browser and attempt to access: [url] I am getting an Access Denied error. It makes no sense though, I have verified the permissions of the files and folders, all good.
The group owner and owner are root, the files are all -rw-r--r-- and the folders are drwxr-xr-x.
A few days ago when I accessed Windows Plesk I received the error Access Denied. [URL]..... Even though I made these steps I am still receiving Access Denied when I access it. I tried using Plesk Reconfigurator, putting psaadm permissions on all of C:, updating Plesk and Windows, and I am still having this issue.
Operation failed The operation you were performing failed. You can retry the operation with or without changing its parameters. You may also want to report this problem to our support.
Error shown: Access is denied.
---------------------- Debug Info -------------------------------
Windows 2012 and Mssql 2012.
I get the following error when I let my site connect to my database: Access denied for user 'apache'@'localhost' (using password: NO)
But when I'm running a little test script which connects to my localhost with the same passwords, it gives the status 'Connection OK' (I'm running on the admin account, made a MySQL account with DA)
Code:
<?php
$link = mysql_connect('localhost','admin_removed','removed');
if (!$link) {
    die('Could not connect to MySQL: ' . mysql_error());
}
echo 'Connection OK';
mysql_close($link);
?>
My server is new from SoftLayer. When I try to restore a database it gives me this message:
ERROR 1044 (42000) at line 15: Access denied for user 'mov_uu'@'localhost' to database 'mav2'
When I try to restore another database it also gives a message:
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near
And I have an upload center. It was working 100%. Suddenly it gives me Internal Server Error:
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request
------------------
also
Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0
Fatal error: Unknown: Failed opening required '/home/nameofuser/public_html/vb/index.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in Unknown on line 0
I created a new virtual site and cloned an existing one to the new docroot to have content. But when I access it I receive the Access Denied you do not have permission to access . . . I've checked all my entries and unless I'm blind I cannot figure out how to remedy this on my Windows 2003R2 server running Apache 2.2.x
I migrated from Plesk 9.5 to another server with Plesk 12.0.18, and then Outlook and the default mail app on iPhone don't work, but Thunderbird and webmail work well.
In Outlook, when I put the same configuration as Thunderbird and try to send mail out from my domain, it gives this error: