Admin Configuration Settings - (403 - Forbidden: Access is denied) - General and Catalog Settings only.

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
4 years ago
After a successful installation of nopCommerce 4.2 on a VPS (Windows, IIS), I cannot write changes to two sections in Admin - Configuration - Settings.

In Admin - Configuration - Settings:
When making changes and saving them to:
General Settings - Request URL: (https://www.xxxxxx.com/Admin/Setting/GeneralCommon)
or
Catalog Settings - Request URL: (https://www.xxxxxx.com/Admin/Setting/Catalog)
I get the following answer:
403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

In Admin - Configuration - Settings - Other sections:
When making changes and saving them to all other sections under the directory https://www.xxxxxx.com/Admin/Setting/*
Customer settings
Order Settings
Shipping settings
Tax settings
Shopping cart settings
Reward points
etc...
I have no problem and can save all the changes.

Permissions have been set as described in the manual.
In addition, while trying to solve the problem, "Modify" permission was given on ".\Areas\Admin\Views\Setting" to the application pool identity. But it did not work.

I request guidance that could help me resolve the issue.
4 years ago
Hello,

Can you go to Administration -> Configuration -> Access control list and check whether the customer role that your customer is mapped to has the "Admin area. Manage Settings" permission? If it doesn't, that might cause your issue.

Hope that helps!

Regards,
Anton
4 years ago
Anton, thanks for your suggestion, but it doesn't apply in that situation.
The customer role that I am using is Administrators and it is mapped to the Admin area. Manage Settings.
I can save changes to all but two configuration sections:
General Settings and Catalog Settings.
I can't make changes to them.
4 years ago
A Web Application Firewall installed on the server, ModSecurity, was generating response status: 403 - Forbidden: Access is denied.

I set ModSecurity to the "detect only" option, which resolves the problem temporarily but eliminates any automatic reaction from this firewall.
I will search to find out the relevance of the block and the reason for it.

It presents the following message for these events:

Access denied with code 403 (phase 2).
Pattern match "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at ARGS:__RequestVerificationToken.
[file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
[line "1057"]
[id "942440"]
[rev "2"]
[msg "SQL Comment Sequence Detected."]
[data "Matched Data: --0HWM2- found within ARGS:__RequestVerificationToken: CfDJ8CsY44DAK4ZLuuWe5MWqDP5UEiY9qobREJ_OKkSaskSYNOm6IQI9TadZjzJw-xM2--0HWM2-qAfMLLfOanPiz5SeTIHJ7w8AoJPFwnYgOICYhKe3TnuHWKUCo2hnjE1IKQitlsuItvOVwq_nXvyJB2mXC1_XyT5Cu87C2_BP6Ffpw_52JpN-p5RSATn-qoiasg"]
[severity "CRITICAL"]
[ver "OWASP_CRS/3.0.0"]
[maturity "8"]
[accuracy "8"]
[tag "application-multi"]
[tag "language-multi"]
[tag "platform-multi"]
[tag "attack-sqli"]
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
[tag "WASCTC/WASC-19"]
[tag "OWASP_TOP_10/A1"]
[tag "OWASP_AppSensor/CIE1"]
[tag "PCI/6.5.2"]
[tag "paranoia-level/2"]
Action: Intercepted (phase 2)
Apache-Handler: IIS
Stopwatch: 1574447484908645 76081 (- - -)
Stopwatch2: 1574447484908645 76081; combined=62474, p1=0, p2=62474, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for IIS (STABLE)/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"

If anyone has any suggestions I would appreciate it.
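Why rule 942440 fires on a well-formed antiforgery token, as an added example that is not part of the thread or of nopCommerce: it runs the rule's regex, exactly as quoted in the audit entry above, against the token from the log and against random base64url tokens (constructed data), and encodes the narrow exclusion a defender would apply instead of switching the whole engine to detect-only.

```python
import base64
import random
import re

# Regex of OWASP CRS rule 942440 ("SQL Comment Sequence Detected"), taken from
# the ModSecurity audit entry quoted in this thread, with the log's doubled
# backslashes collapsed back into a normal regex.
CRS_942440 = re.compile(
    r"(/\*!?|\*/|[';]--|--[\s\r\n\v\f]|(?:--[^-]*?-)|([^\-&])#.*?[\s\r\n\v\f]|;?\x00)"
)

# The __RequestVerificationToken value from the audit entry quoted above.
TOKEN_FROM_LOG = (
    "CfDJ8CsY44DAK4ZLuuWe5MWqDP5UEiY9qobREJ_OKkSaskSYNOm6IQI9TadZjzJw-xM2--0HWM2-"
    "qAfMLLfOanPiz5SeTIHJ7w8AoJPFwnYgOICYhKe3TnuHWKUCo2hnjE1IKQitlsuItvOVwq_"
    "nXvyJB2mXC1_XyT5Cu87C2_BP6Ffpw_52JpN-p5RSATn-qoiasg"
)

def matched_data(value):
    """Return the substring 942440 reports as 'Matched Data', or None if the rule stays quiet."""
    m = CRS_942440.search(value)
    return m.group(0) if m else None

def is_base64url(value):
    """Unpadded base64url alphabet used by ASP.NET Core antiforgery tokens: [A-Za-z0-9_-]."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", value) is not None

def false_positive_rate(samples=2000, nbytes=128, seed=1):
    """Fraction of random base64url tokens of the given length that trip 942440.
    Random bytes stand in for real antiforgery tokens (constructed data, fixed seed)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        token = base64.urlsafe_b64encode(rng.randbytes(nbytes)).rstrip(b"=").decode()
        if matched_data(token) is not None:
            hits += 1
    return hits / samples

def exclusion_applies(arg_name, value):
    """Defender-side decision mirroring a targeted CRS rule exclusion: only the
    antiforgery parameter, and only when its value is well-formed base64url, is
    taken out of 942440's scope. Every other argument is still inspected."""
    return arg_name == "__RequestVerificationToken" and is_base64url(value)

if __name__ == "__main__":
    print("matched data:", matched_data(TOKEN_FROM_LOG))     # --0HWM2-
    print("base64url token:", is_base64url(TOKEN_FROM_LOG))  # True
    print("false positive rate: %.1f%%" % (100 * false_positive_rate()))
```

In ModSecurity 2.x the same narrowing is a rule exclusion loaded after the CRS rules, `SecRuleUpdateTargetById 942440 "!ARGS:__RequestVerificationToken"`, which keeps the rule active for every other parameter.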
1 year ago
davidsim wrote:
A Web Application Firewall installed on the server, ModSecurity, was generating response status: 403 - Forbidden: Access is denied.

I set ModSecurity with the "detect only" option, which resolves temporarily, but eliminates any automatic reaction from this firewall.
I will search to find out the relevance and reason of the block.

It presents the following message for these events:

Access denied with code 403 (phase 2).
Pattern match "(/\\*!?|\\*/|[';]--|--[\\s\\r\\n\\v\\f]|(?:--[^-]*?-)|([^\\-&])#.*?[\\s\\r\\n\\v\\f]|;?\\x00)" at ARGS:__RequestVerificationToken.
[file "C:\/Program Files (x86)/Plesk/ModSecurity/rules/modsecurity_crs-plesk/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
[line "1057"]
[id "942440"]
[rev "2"]
[msg "SQL Comment Sequence Detected."]
[data "Matched Data: --0HWM2- found within ARGS:__RequestVerificationToken: CfDJ8CsY44DAK4ZLuuWe5MWqDP5UEiY9qobREJ_OKkSaskSYNOm6IQI9TadZjzJw-xM2--0HWM2-qAfMLLfOanPiz5SeTIHJ7w8AoJPFwnYgOICYhKe3TnuHWKUCo2hnjE1IKQitlsuItvOVwq_nXvyJB2mXC1_XyT5Cu87C2_BP6Ffpw_52JpN-p5RSATn-qoiasg"]
[severity "CRITICAL"]
[ver "OWASP_CRS/3.0.0"]
[maturity "8"]
[accuracy "8"]
[tag "application-multi"]
[tag "language-multi"]
[tag "platform-multi"]
[tag "attack-sqli"]
[tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"]
[tag "WASCTC/WASC-19"]
[tag "OWASP_TOP_10/A1"]
[tag "OWASP_AppSensor/CIE1"]
[tag "PCI/6.5.2"]
[tag "paranoia-level/2"]
Action: Intercepted (phase 2)
Apache-Handler: IIS
Stopwatch: 1574447484908645 76081 (- - -)
Stopwatch2: 1574447484908645 76081; combined=62474, p1=0, p2=62474, p3=0, p4=0, p5=0, sr=0, sw=0, l=0, gc=0
Producer: ModSecurity for IIS (STABLE)/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.0.2.
Server: ModSecurity Standalone
Engine-Mode: "ENABLED"

If anyone has any suggestions I would appreciate it.


After years, is there any solution to resolve this issue without removing WAF rule?