#18457 .htaccess and seblod

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by iamalive on Monday, 09 December 2013 16:04 CST

iamalive
Hi 

I'm getting an error whilst using Seblod, which goes away when I delete the standard .htaccess created by admintools.
I guess I need to add an exception, but I can't work out what. I've tried adding the seblod template, but that hasn't helped.

Can you help?

Here's the error message:



403 Forbidden

You don't have permission to access the requested ressource. If this error persists, please contact the site administrator or hosting provider including the informations below.

Request Details

GET /bmw/administrator/index.php?option=com_cck&task=box.add&tmpl=component&file=http://mydomain.ch/bmw/templates/seb_one/template_preview.png HTTP/1.1
Host: mydomain.ch
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://mydomain.ch/bmw/administrator/index.php?option=com_cck&view=type&layout=edit&id=500
Connection: keep-alive

HTTP/1.1 403 Forbidden
Date: Mon, 9 Dec 2013 15:05:05 CET
Content-Type: text/html
Server: Apache
Connection: keep-alive

dlb
Adding your template folder to the "Allow direct access, including .php files, to these directories" field will usually take care of a template exception. Note that your exception needs to be in the form:
templates/[your_template_folder]
You have to use the forward slash between the folder names and if you are on a Linux server the folder names are case sensitive.

If that doesn't work, you will need to do some detective work using the instructions here: https://www.akeebabackup.com/documentation/troubleshooter/athtaccessexceptions.html.


Dale L. Brackin
Support Specialist


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

iamalive
Hi Dale

I'd already added the template in the format you mentioned but that doesn't do the trick.

I looked at your instructions and I'm afraid I couldn't spot a solution through that.

The error occurs in an iframe popup which is generated whilst in the backend, editing a SEBLOD form. It's supposed to show an image which resides in the frontend templates folder.
I recall Nicholas once commenting on programmes which call up the frontend from the backend, but I cannot find a solution.

More advice?
Regards
David

dlb
Usually the problem works the other way around, you get an error when you are working on the front end and you call a program or file located within the /administrator folder tree. The instructions for troubleshooting that are here: https://www.akeebabackup.com/documentation/troubleshooter/athtaccessexceptions.html.


Dale L. Brackin
Support Specialist



iamalive
Well, thanks Dale.
As I said, I tried using the instructions without success.
That means, I'm stuck.
Regards
David

iamalive
Well I've done some experimenting and the problem is being caused by the file injection section, which refers to the GET function, which is mentioned in the error message.

##### File injection protection -- BEGIN
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
##### File injection protection -- END


I consider this an important part of the htaccess generator. Is there some way to make an exception or do I just have to turn that function off?
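
Why the request in this ticket is refused, as an added example (not part of the original ticket and not Akeeba's code): a Python emulation of how mod_rewrite evaluates the conditions quoted above, where the first condition is ANDed with the [OR] chain that follows it. The function name and every sample request other than the ticket's own are assumptions constructed for illustration.

```python
import re

# Patterns copied from the "File injection protection" block quoted above.
# In the .htaccess, [NC] (case-insensitive) applies only to the last condition.
OR_CHAIN = [
    (r"[a-zA-Z0-9_]=http://", 0),
    (r"[a-zA-Z0-9_]=(\.\.//?)+", 0),
    (r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", re.IGNORECASE),
]

def matching_condition(method, request_uri):
    """Return the RewriteCond pattern that triggers [F], or None if allowed."""
    # The REQUEST_METHOD condition has no [OR], so it must hold in addition
    # to at least one of the QUERY_STRING conditions.
    if not re.search(r"GET", method):
        return None
    # %{QUERY_STRING} is the part of the request URI after the first "?".
    query = request_uri.partition("?")[2]
    for pattern, flags in OR_CHAIN:
        if re.search(pattern, query, flags):
            return pattern
    return None

# The request from the ticket's 403 page.
TICKET_REQUEST = (
    "/bmw/administrator/index.php?option=com_cck&task=box.add&tmpl=component"
    "&file=http://mydomain.ch/bmw/templates/seb_one/template_preview.png"
)
# Constructed: the same request with a site-relative path instead of a full
# URL, which is the change the component developer is being asked to make.
RELATIVE_REQUEST = (
    "/bmw/administrator/index.php?option=com_cck&task=box.add&tmpl=component"
    "&file=templates/seb_one/template_preview.png"
)
# The Referer from the ticket, which loaded without a 403.
REFERER_REQUEST = (
    "/bmw/administrator/index.php?option=com_cck&view=type&layout=edit&id=500"
)

if __name__ == "__main__":
    for label, uri in [("ticket", TICKET_REQUEST),
                       ("relative", RELATIVE_REQUEST),
                       ("referer", REFERER_REQUEST)]:
        hit = matching_condition("GET", uri)
        print(f"{label:9s} ->", f"403, matched {hit}" if hit else "allowed")
```

The ticket's request matches the first QUERY_STRING condition because of `file=http://`; adding the template folder as a directory exception has no effect on it because this rule looks only at the query string.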

dlb
You're not stuck, you have just stumped the first level support guy. I'll ask Nicholas to take a look at this and see if he can make sense of it.


Dale L. Brackin
Support Specialist



dlb
David,

I got a reply from Nicholas:
He is correct and the only workaround is disabling the feature. Or asking the developer of the component if they can refrain from using a full URL as a query string parameter, a practice which is considered evil anyway.


Dale L. Brackin
Support Specialist



iamalive
Well, I thought that might be the answer.

OK, I'll try and post it on the developers forum.

Thanks for trying and the feedback

Regards
David
