Cannot save admin settings - file permission error

[ces]

Script URL: cesewcensus.org.uk/helpdesk/admin/admin_settings_save.php
Version of script: 2.6.5
Hosting company: UK2
URL of phpinfo.php: http://www.cesewcensus.org.uk/phpinfo.php
URL of session_test.php: http://www.cesewcensus.org.uk/session_test.php
What terms did you try when SEARCHING for a solution: admin_settings_save.php

Write your message below:
I installed Hesk yesterday. Everything works fine, ie creating tickets and new users. However, when I tried to change the website title in the admin settings I got this error:

You don't have permission to access /helpdesk/admin/admin_settings_save.php on this server.
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

I changed the permissions of the script admin_settings_save.php to 775 but that didn't solve it. I couldn't find the error handler script.

There are other php/MySql sites on the same host and they all work with no issues. I therefore think it must be a simple permissions problem with one of the hesk scripts.

Any pointers much appreciated. I am keen to use HESK because it looks like it will help a lot when I usually get lots of phonecalls from schools in january and february.

[Klemen]

This is probably "Mod Security" blocking access on the server.

Some mod_security rules are way to broad to be used in real life (too many false alarms).

Contact your hosting company and ask them to:

1. verify this is the case by examining mod_security audit logs

2. disable the following rules (at least locally for HESK folder) that have been known to trigger false alerts with HESK (and any other script accepting similar data):

Code: Select all

# Host is an IP address
SecRuleRemoveById 960017

# Error because of "IP whois" URL in settings
SecRuleRemoveById 950120

# Error when saving URLs with many special chars
SecRuleRemoveById 981173

# Error because the HESK spam subject setting contains "Repetative Non-Word Characters"
SecRuleRemoveById 960024

Examining audit logs may reveal additional rules that cause problems.

[ces]

Thanks for the quick reply. I will try these out and post an update.

I did try the rules changes without waiting for a reply from the hosting company. I put them in .htaccess and uploaded it to the helpdesk folder. Unfortunately I then got a 500 Internal Server error so I removed the file.

[Klemen]

Support for .htaccess was removed from Mod security 2.x (unless specifically enabled in compile options), so it will have to be setup by the host.

[ces]

The hosting company have changed the mod security settings and the original error has gone. However, there is a new one which UK2 thinks may be caused by the php script. The error is that the maximum 10 redirections is being exceeded. The actual error I get is this:

[Fri Nov 27 15:27:22.383391 2015] [core:error] [pid 1017722] [client 69.36.160.253:62673] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://cesewcensus.org.uk/helpdesk/admi ... ttings.php
[Fri Nov 27 15:27:22.587150 2015] [core:error] [pid 1017703] [client 69.36.160.253:62675] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://cesewcensus.org.uk/helpdesk/admi ... s_save.php
[Fri Nov 27 15:27:22.587187 2015] [core:error] [pid 1017703] [client 69.36.160.253:62675] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace., referer: http://cesewcensus.org.uk/helpdesk/admi ... s_save.php

Should I ask UK2 to change any more settings?

Thanks

[Klemen]

HESK does only a single redirect (that works fine on thousands of servers with HESK installed).

I am not sure what the cause is, but it's definitely related to server setup. Two things that come to mind:

1. Are any other Mod security rules being triggered for admin_settings.php or admin_settings_save.php?

2. Do you have any mod_rewrite rules setup (if so, disable them for the HESK folder)?

[ces]

It's all working now. The redirect error went away, I don't know how, and was replaced with a 500 error. This was tracked down to the permissions on admin_settings.php which had write permission for users. When changed to 644 the error went.