X3Photo Gallery Forums

TwoKooL wrote:This is the line that gives me the error message:

Code Select all

document.write("<sc"+"ript type='text/javascript' src='" + scJsHost+"statcounter.com/counter/counter.js'></"+"script>");

x3 wrote:Firewall Detected!
Your server returns "Forbidden" when trying to POST X3 settings to x3_settings.php. This indicates that your server has a firewall, which is blocking the POST. You need to ask your host to disable the firewall (or disable some rules) for the /panel/ directory. There is nothing wrong with having a Firewall, but X3 needs to be able to SAVE settings obviously. The firewall is meant to protect your website from non-verified users (hackers), but your X3 panel is already protected by login for known users.

TwoKooL wrote:Would it be possible to try the code on your side and let me know the outcome?

var sc_project=111000222; 
var sc_invisible=1; 
var sc_security="111222000"; 
var scJsHost = "https:" == document.location.protocol ? "https://secure." : "http://www.";
function x3_load(){
  $.getScript(scJsHost + "statcounter.com/counter/counter.js");
}

TwoKooL wrote:I have contacted my hosting support team and it seem like they are not able to point out any rules or firewall setting that would fix my issue.

mjau-mjau wrote:Hi {HOST},

On behalf of a client {URL}, I would like to let you know that your web firewall is blocking the website’s control panel from saving information. Everything under {URL}/panel/ should not be blocked by Firewall … How is the web editor going to SAVE data if it’s blocked by POSTS made to {URL}/panel/x3_settings.php?

It’s clearly firewall issue, because the script is blocked only when data is set to it by POST method, but not when accessed directly in browser.

{HOST} wrote:Dear Karl,
Firewall is working by blocking\allowing tcp\udp ports, not web content.
If the firewall were blocking the port 80 [http~ web content] than nobody could access the web at all.
It's something with the code\module\plugin\settings of your web.

mjau-mjau wrote:Hi {HOST},

I don’t know where you get the idea that we are trying to access anything through a different PORT than default web. I have several years experience with this exact issue, and it’s always the hosts firewall.

Here are SCREENSHOTS that make the issue very very clear:

When clicking “SAVE” and POST data to the specific URL, we get “403 Forbidden”. This is CLEARLY a firewall issue … why else would it return forbidden? There is nothing in the code that would do that.
http://d.pr/i/PRw1

Of course, when accessing the URL directly in browser {URL}/panel/x3_settings.php, it works fine http://d.pr/i/K16U, because there is no POST method to the URL in mention, and your firewall does not trigger any rules based on data sent in POST.

FURTHERMORE, if I remove several HTML snippets from the settings (data) that is sent by POST, it actually works. This proves that your firewall is triggering rules when certain html tags/content is being sent to script by POST method.

I KNOW this issue, because I have dealt with it a dozen times the last few years. It’s nothing to do with the script.

If the host cannot acknowledge this issue, I will need to explain to the client “Sorry, but you cannot use X3 on this host, because the hosts firewall is blocking the X3 control panel from saving and storing any data. The X3 control panel is already secured by login for admin only, but the sever firewall makes no difference of this”.

{HOST} wrote:Dear Karl,
No, unfortunately thats not about firewall. not this time at least.
I checked the permissions, looks just fine,
Please try again and let me know if there is still problem

mjau-mjau wrote:Hi {HOST},

If this email doesn’t explain it correctly, then I can’t offer anything else:

Let’s try to click “SAVE”. Result “Forbidden”:
http://d.pr/i/Md4M

OK, let’s try to remove the “html” that gets sent with the POST request. Result -> Works! Clearly your server is blocking the post when it contains some/certain html.
http://d.pr/i/9Dpo

Ok, let’s try to re-add the html that gets sent through the POST request. Result “forbidden”
http://d.pr/i/171Fq

For the sake of making the case clear beyond any doubt, let’s EMPTY the x3_settings.php script. This script now is empty and does absolutely NOTHING.
http://d.pr/i/1bdC7
… of course, since this is not related to the script at all, but the firewall blocking the POST itself, it still returns “forbidden:
http://d.pr/i/oads

How can this case be any more clear? Your firewall is blocking POST requests if it contains certain html. I have helped a dozen others with the exact same issue. This is the last email I will bother reply to, and I will just let the client know they can’t save settings because server is blocking POST when certain html is included.

{HOST} wrote:I saw the block at our ModSecurity, I allowed the rule that blocked the POST in your website.
Please check now if it's working.

mjau-mjau wrote:Thanks, it works now.