|
SĂ©bastien
|
January 19, 2015 at 4:19 pm
I’m trying out the decaf version to see if event espresso is the ticketing system we need but I already notice a bump in the road đ
I have set up an event but when I test it out and want to register I get a 403 error.
What am I doing wrong
|
|
Dean
|
January 20, 2015 at 1:25 am
403 is a Forbidden error, so most likely it is down to the server and specifically the read/write access.
Did the error provide any more information?
Can you check your sites file permissions to make sure they are accessible (http://codex.wordpress.org/Changing_File_Permissions)?
Can you provide a link to the sites event registration page?
|
|
SĂ©bastien
|
January 20, 2015 at 11:58 am
This the page http://thocc.sebastienkalonji.com/events/klantcontact-met-impact-2/ I can’t see any problems with the server.
|
|
Tony
|
January 20, 2015 at 12:26 pm
Hi SĂ©bastien,
Can you check with your host if they block base64 encoded objects/urls?
You can also look within the sites error log to find this, check for any ModSecurity error relating to the events pages.
If so you’ll need to contact your host to have them add an exception for your site to prevent mod security blocking those requests.
|
|
SĂ©bastien
|
January 20, 2015 at 12:53 pm
I got this reply from my host
“Hi SĂ©bastien
Seems to be an issue with the plugin itself, please consider contacting their developers and make sure it’s installed correctly.
Regards,”
|
|
Tony
|
January 20, 2015 at 1:07 pm
If this was an issue with Event Espresso we would expect to see this from many more users although we have seen a similar issue when the host blocked base64 encoded urls.
Did you ask the host if the block base64 encoded objects and or url’s or checked within the servers error log for any signs of ModSecurity errors?
You could try re-installing Event Espresso.
Start by making a full site backup, this includes all files and the database (just to be safe), there are numerous plugins available to make this quick and easy. Here is one I use BackupWordPress although there are many to choose from.
Then simply de-activate and delete Event Espresso Decaf and reinstall the plugin from the repo, although I doubt this will fix the problem.
You could then also ‘flush’ your permalinks. Go to Dashboard -> Settings -> Permalinks. Make no changes and click save. Although again I also do not think this is the issue.
Have you modified any of the core code?
|
|
SĂ©bastien
|
January 20, 2015 at 1:27 pm
Yes I asked the host if they block base64 encoded objects and url’s. I haven’t found any Modsecurity errors in the logs as well.
I haven’t modified the core. I’ll try reinstalling the plugin but I doubt as well this will fix the problem.
Are there other measures my host (ezpz) could have taken that could be responsible?
I must say it’s the first time I run into an issue with a WP plugin.
|
|
SĂ©bastien
|
January 20, 2015 at 2:07 pm
reinstalling and flushing permalinks didn’t work đ
|
|
Tony
|
January 20, 2015 at 2:19 pm
Next is a full troubleshoot.
This involves disabling all non-EE plugins and switching to a default theme such as TwentyFourteen.
However to note, when selecting tickets and clicking to register you are taken to a 403 Forbidden page. This page is not within WordPress (and therefore not within Event Espresso), WordPress isn’t event loading on that page request. This is before WP, it is your LiteSpeed server returning that page. We have seeen a very similar situation to this before and it turned out to be the host blocking base64 encoding.
I would once again recommend contacting your host and have them check their ModSecurity errors and see if the ticket selector is being blocked.
|
|
SĂ©bastien
|
January 20, 2015 at 2:22 pm
I’m gonna contact my host again because I did that full troubleshoot before I made this topic.
|
|
Tony
|
January 20, 2015 at 3:21 pm
I just wanted to add some of the previous threads we have showing similar situations for reference:
https://eventespresso.com/topic/apache-modsecurity-access-denied-on-booking-form-submission/
https://eventespresso.com/topic/ee4-4-4-4-p-and-dreamhost-mod_security-rule-interference/
|
|
SĂ©bastien
|
January 20, 2015 at 3:26 pm
My host gave me the following reply which fixed the problem
|
|
SĂ©bastien
|
January 20, 2015 at 3:27 pm
Oops forgot to paste the reply of my host đ
“Hi SĂ©bastien
The plugin is blocked by our web-server security module due to possible XSS attack.
Please contact plugin developer with this issue or disable security module for your site by adding the next lines to .htaccess file:
SecFilterEngine Off
SecFilterScanPOST Off”
|
|
Lorenzo Orlando Caum
|
January 20, 2015 at 3:45 pm
Hi Sebastien, thanks for sharing those notes. Those appear to be options for mod security.
If you need help with anything else, just create a new support post in our support forums:
https://eventespresso.com/support/forums/
—
Lorenzo
|
|
SĂ©bastien
|
January 20, 2015 at 3:46 pm
Hi Tony, after reading the topics you referred to I wanted to know what the consequences are of using the .htaccess trick regarding security?
I’m running event espresso in a test environment so at the moment it’s not really an issue but after evaluating some ticket systems Event Espresso comes out as the best option for the project where it is intended for but security is one of my big concerns.
The website where EE is for intended runs with another host than mine so chances are I will not run in to this problem but if it occurs is that .httaccess trick safe to implement?
|
|
Tony
|
January 20, 2015 at 4:41 pm
That code disables mod_security on your site.
Security can be complex and simply saying Yes or No wouldn’t really help you.
mod_security is only as secure as it is set up to be, so enabling mod_security that doesn’t protect you against specific attacks that are happening on your site is almost the same as not having it enabled at all.
I’m not a security consultant nor or a sysadmin so I can’t provide a definitive answer as to what you will need to do. Some host’s will be able to provide better alternatives than to simply disabling mod_security all together, but you will need to contact the host to see what they can do for you.
Also, this:
The plugin is blocked by our web-server security module due to possible XSS attack.
Please contact plugin developer with this issue…
Does not explain what is actually causing the error, what is the possible XSS attack? We can’t fix anything without specific details.
|
