WordPress.org

Ready to get started?Download WordPress

Forums

[resolved] Upgrade to 2.2 - Dashboard not working (56 posts)

  1. pacq
    Member
    Posted 6 years ago #

    My blog is running on MySQL 4.0, phpMyAdmin 2.7.0.

    Hello,

    after the upgrade from 2.1.3 to 2.2, the dashboard doesn't show the 'Other WordPress News', 'WordPress Development Blog',
    and the 'Incoming Links', but a 'Forbidden' message.

    The server error log shows the following:

    mod_security: Access denied with code 403.
    Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type")
    [severity "EMERGENCY"] [uri "/wordpress/wp-admin/index-extra.php?jax=incominglinks"]
    (...) [uri "/wordpress/wp-admin/index-extra.php?jax=devnews"]
    (...) [uri "/wordpress/wp-admin/index-extra.php?jax=planetnews"]

    My server is running MySQL 4.1.20 and phpMyAdmin 2.8.2.4.

    Any ideas? Thanks.

  2. Marcel Brinkkemper
    Member
    Posted 6 years ago #

    Hey, I got the same access denied error. When I enter the 'forbidden' uri in my browser, the page shows up just fine.

  3. Jamie
    Member
    Posted 6 years ago #

    The problem is how the mod_security rules are set up. If it's your own server then go in to http.conf and change the rule

    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some(automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;|^text/xml;)"

    to

    `
    # Only accept request encodings we know how to handle
    # we exclude GET requests from this because some (automated)
    # clients supply "text/html" as Content-Type
    SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
    SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded;|^multipart/form-data;|^text/xml;)"

    The problem is that WP is adding a content encoding after the type and the mod_sec rules are expecting nothing after the type.


    Content-Type: application/x-www-form-urlencoded; charset=UTF-8

    Replace the $ with a ;.

    If it's not your server then contact the administrator so they can change the rule to let the request through.

    Specks

  4. Jamie
    Member
    Posted 6 years ago #

    I need to change what I said before. Instead of changing the rule to add just a ; at the end of application/x-www-form-urlendcoded you need to add ;? this will match zero or 1 ; as adding the ; at the end will block all posts that don't have a ; in the Content-Type field.

  5. Righton
    Member
    Posted 6 years ago #

    Well isn't that convenient :) I hate having to contact the support dept.

    Thank you though.

  6. Marcel Brinkkemper
    Member
    Posted 6 years ago #

    Why did WordPress change that in the first place? In all previous versions the dashboard was OK to me.
    Any tweaking of the source files to prevent this behavior?

  7. Righton
    Member
    Posted 6 years ago #

    My host says I need to make the changes in my .htaccess file

    How would I go about this?

  8. Deerhunter04
    Member
    Posted 6 years ago #

    I don't have access to my http.conf, so .htaccess is all i can get. I put this in, but i still have the same error. Any other ideas on what to try?

  9. Righton
    Member
    Posted 6 years ago #

    Same here...

    One thing to note, I'm not getting the same error.

    I'm getting:

    Forbidden
    You don't have permission to access /wp-admin/index-extra.php on this server.

    I too put the code into .htaccess and got nothing.

    Why was this a vital change in the way WordPress works... it seems like more of a pain in the ass than it's worth.

  10. whooami
    Member
    Posted 6 years ago #

    bleh, just turn off mod_security for the wp-admin area:

    IF YOU DO NOT HAVE an .htaccess in your wp-admin/ directory:

    create a text file on your desktop:

    put the following inside it:

    <IfModule mod_security.c>
    SecFilterInheritance Off
    </IfModule>

    save the file.

    Upload the file to your wp-admin directory.

    Rename the uploaded file to .htaccess (with the .)

    IF YOU DO HAVE an .htaccess in your wp-admin/ directory:

    Edit it:

    <IfModule mod_security.c>
    SecFilterInheritance Off
    </IfModule>

    save the new .htaccess

    Post back if that helps. and if you do what I say, delete all that other crap.

  11. Deerhunter04
    Member
    Posted 6 years ago #

    My error was the same as Righton's. I went ahead and edited my .htaccess in my root directory and added this:

    <Files index-extra.php>
    SecFilterInheritance Off
    </Files>

    That fixed my problem. I didn't want to turn off mod_security for the entire wp-admin folder, so this way just turns it off for index-extra.php file.

  12. whooami
    Member
    Posted 6 years ago #

    there you go.

  13. ju1ie
    Member
    Posted 6 years ago #

    i just talked to my hosting company and they told me that they are getting this error: [Thu May 17 13:41:39 2007] [error] [client 72.12.208.4] mod_security: Access denied with code 403. Pattern match "!(^application/x-www-form-urlencoded$|^multipart/form-data;)" at HEADER("Content-Type") [severity "EMERGENCY"] [hostname "loveju1ie.com"] [uri "/wp-admin/index-extra.php?jax=devnews"]

    how can this be fixed????

  14. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Why did WordPress change that in the first place? In all previous versions the dashboard was OK to me.
    Any tweaking of the source files to prevent this behavior?

    WordPress has changed nothing in this area. The 2.2 version of the index-extra.php file is identical to the 2.1.3 version of the same file.

    The problem is that WP is adding a content encoding after the type and the mod_sec rules are expecting nothing after the type.

    Content-Type: application/x-www-form-urlencoded; charset=UTF-8

    Okay, WordPress *should* be sending back a type of "text/html" for these requests. Because in the index-extra file, it's doing this:
    @header('Content-type: ' . get_option('html_type') . '; charset=' . get_option('blog_charset'));

    And in upgrade_schema.php, you have this:
    add_option('html_type', 'text/html');

    The html_type should be text/html. Not form or anything else.

  15. whooami
    Member
    Posted 6 years ago #

    its been discussed, and both I and deerhunter JUST provided solutions. Instead of typing, read.

  16. Righton
    Member
    Posted 6 years ago #

    The latest .htaccess fix works!

    Thanks!

  17. pacq
    Member
    Posted 6 years ago #

    Hello,

    Deerhunter04's solution solved my problem...

    <Files index-extra.php>
    SecFilterInheritance Off
    </Files>

    Many thanks to Specks, Deerhunter and Whooami :)

    Pacq

  18. whooami
    Member
    Posted 6 years ago #

    this is NOT a correct paste:

    <Files index-extra.php>
    SecFilterInheritance Off
    </Files<

    The correct way:

    <Files index-extra.php>
    SecFilterInheritance Off
    </Files>
  19. pacq
    Member
    Posted 6 years ago #

    Oops!..excuse me..:P

    Pacq

  20. Marcel Brinkkemper
    Member
    Posted 6 years ago #

    @Otto42

    WordPress has changed nothing in this area. The 2.2 version of the index-extra.php file is identical to the 2.1.3 version of the same file.

    Well, this problem did not show up in my 2.1.3 install. may be there is a change in the ajax script files...

  21. teseoperu
    Member
    Posted 6 years ago #

    Lo de poner un .htaccess con:

    <IfModule mod_security.c>
    SecFilterInheritance Off
    </IfModule>

    me funcionó perfecto!!

  22. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Well, this problem did not show up in my 2.1.3 install. may be there is a change in the ajax script files...

    Yes, the prototype.js was updated from 1.5.0_rc0 to 1.5.0. And I notice that there's this change in there as well:

    setOptions: function(options) {
        this.options = {
          method:       'post',
          asynchronous: true,
          contentType:  'application/x-www-form-urlencoded',
          encoding:     'UTF-8',
          parameters:   ''
        }

    The "encoding: UTF-8" thing was added between versions. This could be some of the cause of the issue.

    You could try removing that line. See if it makes a difference. It's around line number 630. But, in essence, this is still a mod_security issue. It has a bad regex in this case, and needs to be fixed. Or better yet, disabled, as mod_security is completely useless anyway.

  23. Jamie
    Member
    Posted 6 years ago #

    Just for the record I disagree that mod_sec is useless. It's protected my server countless number of times from attacks. It just depends on the rules that you give it. I gave a way to fix the regex. It's not necessary to remove anything from the code. What they have on there now constitutes a well formed header.

    Good job Deerhunter and Whooami.

  24. Marcel Brinkkemper
    Member
    Posted 6 years ago #

    @Otto42, I had removed the line in prototype.js but that didn't help. The .htaccess solution is OK.

  25. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    macbrink: Hmmm.. Oh well, I thought it was worth a shot. I have no way to test/reproduce it at the moment.

  26. Marcel Brinkkemper
    Member
    Posted 6 years ago #

    Today I've found that there is also a problem while deleting posts. I got a 403 error on admin-ajax.php and index.php so I have placed a .htaccess in the wp-admin directory with

    <IfModule mod_security.c>
    SecFilterInheritance Off
    </IfModule>

    So I don't have to run into this with other files in the future
    ..Solved

  27. aeongate
    Member
    Posted 6 years ago #

    Have the same problem but this does not seem to work for me. If I change the .htaccess-file in the wordpress directory or create a new one in /wp-admin the database breaks down.

    The error-message I get in the dashboard goes:

    Forbidden
    You don't have permission to access /main/wp-admin/index-extra.php on this server.
    
    Apache/1.3.33 Server at neurobash.com Port 80

    What to do? (other than possibly start a new thread regarding this) Would appreciate any ideas.

  28. Marcel Brinkkemper
    Member
    Posted 6 years ago #

    maybe there is a typo in the .htaccess file, because this is the error this thread is about. I don't see any database error in the message

  29. whooami
    Member
    Posted 6 years ago #

    mod_security is completely useless anyway

    huh?

    I beg to differ.

    Thats absolute crap. I wonder if you would like to take a quick look at my mod_security audit.log I have it available if you are interested.

    Thats such a nonsensical statement I sat and stared at this post for three minutes before going back and editing it to add this paragraph.

    I honestly cannot see any reason to say that, having used it and seeing the results first hand.

  30. juiceee
    Member
    Posted 6 years ago #

    Unfortunately, nothing works for me :c

    I still get this crap:

    Forbidden
    You don't have permission to access /wp-admin/index-extra.php on this server.

    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
    Apache/1.3.37 Server at x.headsh0t.org Port 80

Topic Closed

This topic has been closed to new replies.

About this Topic