HTTP 406 Error

Some work I've been doing recently has involved debugging a Mambo installation. The website had developed the curious ability to block the editing of certain articles, but allowed other ones through. These blocked attempts to save articles were resulting in a '406 Not Acceptable' error.

According to the W3 specification, this means:

The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.

Say what?

After a lot of hair-pulling I tracked the problem down to a few words, such as '<script' and '&amp;', which when included caused the error. This made me very suspicious - why would Mambo only block this HTML code? I explored further by inserting debug code into Mambo and then waited for the result... nothing. Mambo wasn't even being called.

This meant the problem must be before Mambo, and there was only one thing that could be responsible: Apache.

Some Googling later and I found information about an optional Apache module called mod_security. This is a very nice module that acts as an Apache firewall - it blocks a lot of the usual routes that people use to hack websites. In particular it scans POST requests (sent when you 'save' something on a website), and displays a 406 error for anything controversial. Bingo!

The reason I'm documenting these frustrating few hours of my life is in the hope that it may prove useful to someone else. It appears that mod_security, if configured aggressively, can cause a lot of problems and these may manifest themselves in Mambo, WordPress, or any piece of web software.

The solution was very simple. The following lines were added to the .htaccess file to disable mod_security:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Naturally you lose any benefits that mod_security might bring, but that's better than a non-functioning website, and you can always ask for the security configuration to be toned down to a more acceptable level.
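
To ask for one rule to be toned down rather than switching the whole engine off, it helps to know exactly which pattern and request field produced the 406. The following is an added example, not code from the original post: it tallies mod_security denials from an Apache error log. The sample lines are constructed, and their layout is an assumption modelled on mod_security 1.x messages, so adjust the regex to match your own log.

```python
import re
from collections import Counter

# Constructed sample lines; the layout is ASSUMED to follow mod_security 1.x
# error-log messages. Adjust DENY_RE if your server logs a different format.
SAMPLE_LOG = r'''
[Mon Oct 24 21:02:11 2005] [error] [client 192.0.2.10] mod_security: Access denied with code 406. Pattern match "<script" at POST_PAYLOAD [hostname "www.example.com"] [uri "/administrator/index2.php"]
[Mon Oct 24 21:03:40 2005] [error] [client 192.0.2.10] mod_security: Access denied with code 406. Pattern match "<script" at POST_PAYLOAD [hostname "www.example.com"] [uri "/administrator/index2.php"]
[Mon Oct 24 21:05:02 2005] [error] [client 198.51.100.7] mod_security: Access denied with code 406. Pattern match "&amp;" at POST_PAYLOAD [hostname "www.example.com"] [uri "/administrator/index2.php"]
[Mon Oct 24 21:06:19 2005] [error] [client 203.0.113.5] File does not exist: /var/www/html/favicon.ico
[Mon Oct 24 21:07:55 2005] [error] [client 203.0.113.5] mod_security: Access denied with code 406. Pattern match "\.\./" at THE_REQUEST [hostname "www.example.com"] [uri "/gallery/view.php"]
'''

DENY_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] mod_security: Access denied with code (?P<status>\d{3})\. '
    r'Pattern match "(?P<pattern>.*?)" at (?P<field>\S+)'
    r'.*?\[uri "(?P<uri>[^"]*)"\]'
)

def parse_denials(log_text):
    """Return one dict per mod_security denial found in the log text."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := DENY_RE.search(line))]

def summarise(denials, status="406"):
    """Count denials per (pattern, field, URI path) plus distinct clients for each."""
    counts = Counter()
    clients = {}
    for d in denials:
        if d["status"] != status:
            continue
        key = (d["pattern"], d["field"], d["uri"].split("?", 1)[0])
        counts[key] += 1
        clients.setdefault(key, set()).add(d["client"])
    # most_common() sorts by hit count, so the noisiest rule comes first
    return [(key, n, len(clients[key])) for key, n in counts.most_common()]

if __name__ == "__main__":
    for (pattern, field, uri), hits, who in summarise(parse_denials(SAMPLE_LOG)):
        print(f"{hits:3d} hits, {who} client(s): {pattern!r} in {field} on {uri}")
```

A pattern that only ever fires on POST bodies to the article editor is a candidate for a narrow exception; one that fires on unrelated URLs from other clients is a reason to keep the filter on everywhere else.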


58 Comments

  1. eric :

    Oct 24, 2005 11:25 pm | Reply

    Just wanted to let you know that this fixed my odd problems with the stat tracker Mint as well - it was throwing up 406 errors in debug mode when viewing articles.

    Thanks for the code! Saved my bacon. :)

  2. GOGG :

    Nov 20, 2005 9:23 am | Reply

    Thank You!

  3. Corban :

    Nov 23, 2005 8:20 pm | Reply

    Finally I have found the answer to this frustrating problem. Thanks........

  4. Lyndon :

    Nov 28, 2005 10:22 am | Reply

    many thanks,
    this also fixed a problem with my cutenews installation (aj-fork 1.67) that really had me baffled. my host (cyberultra.net) has a track record of messing with apache configuration.

    again, much appreciated.
    lyndon.

  5. Omid Kosari :

    Nov 29, 2005 1:53 pm | Reply

    It is good but can do something to modify the htaccess of one folder to fix the problem?

  6. John( author ) :

    Nov 29, 2005 4:11 pm | Reply

    I'm not sure I understand you fully Omid. If you want to have only a certain folder affected by the htaccess file then you need only place it in the that folder, and anything in a higher directory should not be affected.

  7. Eduardo :

    Dec 13, 2005 11:34 am | Reply

    Saving the Day...
    Thanx my friend... It was very helpful.

    I'm using Mambo in some site and since last week my site http://www.marketing-internet.net was showing a 406 error every time I turn On the Search Engine Friendly Mode. Now with your tip everything is right again...

    Thanks
    Eduardo

  8. DonCorleo :

    Dec 18, 2005 5:14 am | Reply

    Call me stupid, but I can't find a .htaccess file to edit in my joomla installation. Can anyone tell me where it is located?

  9. John( author ) :

    Dec 18, 2005 7:10 am | Reply

    Create one if it doesn't already exist, it's entirely optional.

  10. DonCorleo :

    Dec 18, 2005 2:12 pm | Reply

    Hey, great!

    .htaccess in the root and the problem is solved.

  11. Kumar :

    Dec 31, 2005 6:32 am | Reply

    Larry Page and Sergey Brin deserve more thanks than you. It is Google who sent me to your page.
    Thanks for saving my hairs. ;-)

  12. Dave :

    Feb 7, 2006 2:52 am | Reply

    YES!!!! Thankyou, thankyou, thankyou! Was beating my head on a wall before I found this post, so thanks for helping me out!!

  13. seb :

    Feb 10, 2006 3:04 am | Reply

    Here also a huge thanx. I had the mysterious problem within the phpwcms system.

  14. WEB :

    Feb 22, 2006 3:25 pm | Reply

    Well Done! Thanksssssssssssssssssssssssssssssssssssssssss man!

  15. Paul :

    Mar 4, 2006 7:59 pm | Reply

    Thanks a lot! It solved the problem. I'm a Web designer and no idea what was that error... a quick googling resolved hours of frustration

    Regards

  16. Fabio Gameleira :

    Jun 27, 2006 5:52 am | Reply

    Very good! I'm using Joomla! 1.0.9 and I want to let you know that this fixed my problem too.

    Thanks a lot ,
    from Rio de Janeiro - Brazil!

  17. Matt :

    Aug 11, 2006 3:17 am | Reply

    Thank you so much! Was getting ready to explode with slight stress! :)

  18. Nikola :

    Aug 11, 2006 6:35 pm | Reply

    10x a lot !!!! Really helped !!! :)

  19. BC :

    Aug 22, 2006 3:28 am | Reply

    Thank you so much for sharing this fix. It immediately solved an issue I had where Joomla Blog was not allowing me to post full length articles over a certain character max, at least I thought it was Joomla. Thanks again.

  20. mike :

    Aug 31, 2006 7:35 am | Reply

    Thank you, solved my ocs_inventory install problem

  21. Moo :

    Sep 1, 2006 7:14 pm | Reply

    I too was tearing my hair out with "A mysterious 406 error". This was a problem with a request from an XMLHttpRequest object. I'm not sure if the request in question in this article was made with an XMLHttpRequest object but the solution that I found may be relevant.

    The problem was that when using the POST method instead of GET the data has to be sent in a different way.

    Using the POST method of XMLHttpRequest means that you have to set the 'Content-type' request header:
    req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded')

    and send the data as a parameter of the send method like so:
    req.send('var1=123&var2=456')

    But using the GET method means that you don't have to set the 'Content-type' request header and the data is sent in the url. Eg:
    url = 'webpage.php?var1=123&var2=456';

    And the send method sends null:
    req.send(null);

    This may not solve the problem described in the article but it may help somebody.

    Cheers

  22. Brandon Buttars :

    Sep 23, 2006 10:33 pm | Reply

    Just wanted to say you are the man and I would have never figured this out. Thanks a lot. Saved my hair. I would have looked like a skin head by morning.

    Brandon Buttars

  23. James :

    Nov 29, 2006 9:15 am | Reply

    Brilliant! solved my problem with forms and Joomla!

  24. Ryan :

    Dec 16, 2006 6:41 pm | Reply

    Hey man.

    I want to thank you for this fix... It worked perfectly. So much time was saved... :)

  25. Brandon :

    Feb 2, 2007 5:46 pm | Reply

    Dude thank you!, I was wondering why the heck my script wasn't working on the server right.

  26. Libsky :

    Feb 6, 2007 10:08 pm | Reply

    Thanx very much! It saved my day (night). Was dealing with 406's on Mambo 4.6.1, only when trying to install a component/module/whatever. Your solution works fine! Will discuss any security later, for now, it works! :-)

  27. Jakub Vosahlo :

    Feb 14, 2007 8:48 am | Reply

    Mate! You saved ma back! I spent 2 days on google, hosting desk support, re-reading mod_rewrite docs numerous times looking for any clue... Many thanks!

  28. Greg :

    Feb 24, 2007 7:02 am | Reply

    This solved my problem too. Thanks.

  29. Behzad :

    Apr 8, 2007 3:32 pm | Reply

    Thank you very much. You saved me :)

  30. Wommy :

    May 14, 2007 5:10 am | Reply

    Thanks for this, totally solved a problem I was having with the word "from" in certain situations. Still don't know what was causing it, but at least I have a functioning website now.

  31. eddie :

    May 27, 2007 1:56 pm | Reply

    thanks a lot man, you have help me a lot!

  32. bree :

    Jun 6, 2007 10:22 pm | Reply

    Saved my bacon! This is exactly what I needed to add google analytics to my Wordpress Blog. Brilliant! Thank you for sharing with us.

  33. pat :

    Jul 19, 2007 11:30 am | Reply

    My forms were getting 406 error messages after my host upgraded the CPanel.

    After a whole day of tearing my hair out trying to fix this, your solution worked the first time I ran it.

    THANKS!

  34. Nat :

    Aug 3, 2007 1:13 am | Reply

    Thanks, this helped me.

  35. Zion_trOOper :

    Sep 5, 2007 11:56 am | Reply

    This is great. I get my head of before this article.

    And after it, a get admins head of :D

    Tnx again dude

  36. TechMalaya :

    Sep 9, 2007 10:45 pm | Reply

    thanks a lot man! i've encountered this problem uploading a long post from blogdesk to wordpress. short post will pass with no problem but the long post always had this error. your detailed solution saved my day! this post rocks!

  37. David :

    Sep 14, 2007 10:53 am | Reply

    I moved a site to a new server and got this error when running a simple script.
    While waiting for support to help, I found your solution and it did the trick.
    Thanks.

  38. maarten :

    Oct 19, 2007 7:51 pm | Reply

    hi there,

    I am experiencing the 406 problem, modifying the htaccess file didn't work.
    what can it be?
    The error occurs when users want to save their image in communitybuilder.

    many thanks.
    M

  39. Mike :

    Oct 23, 2007 4:10 pm | Reply

    Moved to a new host and was presented with all kinds of stuff that didn't work anymore, including this 406 error while posting stuff. Glad I found your solution. Works for me!!

    Thanks!

  40. David B :

    Nov 20, 2007 7:43 pm | Reply

    I have to thank you, i've had this problem for a week now and after reading this it's fixed.
    Thanks

  41. helio :

    Nov 20, 2007 9:54 pm | Reply

    incredible! thank you very much for this post! u cant imagine how u have helped!!!

  42. Julie :

    Jan 9, 2008 12:12 pm | Reply

    I just wanted to thank you because I was getting really frustrated with a similar issue dealing with wordpress and couldn't find a single acceptable solution until I applied what you wrote in your post.

  43. taher :

    Feb 2, 2008 1:16 pm | Reply

    Thanks, when I saw the description of the 406 error I was like "How the hell I am going to fix that". Your solution works perfectly. To limit the damage you can place the htaccess file in the subdirectory where you need it. It will not affect the rest of website

  44. Mada :

    Feb 12, 2008 10:21 am | Reply

    MANY MANY THANKS for posting the solutions here! I was pulling my hair out and have been struggling with this for the last couple of hours when I came across your post. It fixed my problem. Thanks again!

  45. Kela :

    Feb 19, 2008 7:28 pm | Reply

    Excellent! I had wasted a lot of my time before this post was found!

    Thank you!

  46. Chris Mitchell :

    Feb 26, 2008 4:40 pm | Reply

    Hi. I just contacted my hosting company. There was a setting in mod_security which they were able to adjust so that it allowed the specific requests generated by Joomla! to pass through. It took about a second for them to do it, so evidently it is a known problem. Now everything works perfectly. They didn't have to disable the rest of the security features provided by mod_security and I didn't have to add anything to my .htaccess file. Hope this helps.

  47. Lewis :

    Mar 26, 2008 1:42 pm | Reply

    I have to say, your "solution" leaves a lot to be desired IMHO. Mod_security is doing its job correctly. Rather than simply turning it off perhaps editing the regex/config and or mambo to not trigger the reactions of mod_security would be a much better (i.e. correct) way of dealing with it.
    Mambo is fairly well known for not having the most secure code, you may have just allowed a malicious user to execute arbitrary code/post data/view the filesystem or any one of a number of exploits. Whilst it may be useful in testing to turn off mod_security, I'm disappointed that the method has been given as a default response to solve another issue. Just MHO.
    I do appreciate that this article is very old now and the poster may well do things differently presented with the same situation again. I just felt that explaining the pitfalls of doing this was worthwhile.

  48. John( author ) :

    Mar 27, 2008 2:07 am | Reply

    While I understand your point Lewis I would actually say that mod_security is doing its job incorrectly. Mambo is not, as far as I'm aware, doing anything that is technically wrong. Should mod_security force applications to be rewritten to suit its particular requirements? In my opinion, no, and if it can't tell the difference between a valid request and a hack attempt then it should err on the side of caution and allow it. Up-to-date software is a much better path to take than relying on a brute-force 'bouncer'.

    At the end of the day, not everyone has the necessary skills to fine-tune mod_security to allow their (valid) applications to work again. Getting a website working may be more important than worrying about an exploit that may or may not exist. This post is indeed old now, but it does point out the disadvantages of undertaking such a global change, and does suggest that you try and tone down mod_security (a topic far outside the scope of this post).

  49. Shantanu Goel :

    May 1, 2008 12:51 pm | Reply

    Hey John,
    With Mod security 2, this is no longer valid. I've written about it and a workaround at
    http://tech.shantanugoel.com/2008/05/01/http-406-errors-galore.html

  50. Eftekhar :

    May 19, 2008 3:02 am | Reply

    Hello
    I see this error in admin panel of my site!
    how can i disable this error in my server?
    what where I had to change this?
    Thanks

  51. Steph :

    Aug 28, 2008 2:34 pm | Reply

    Thank you so much for this! I've been having the same problem with Movable Type not being able to find my mt-static directory. After hours of troubleshooting, this finally helped solve the problem.

  52. Hiren Santilal :

    Sep 9, 2008 12:22 pm | Reply

    It worked for my Joomla site which is version 1.5.2

  53. Piyush Saraf :

    Jan 11, 2009 3:13 pm | Reply

    I am having a hosting server (linux based) for my PHP-MySql websites, but the response provided by this server is not digestible, Some times it works fine but maximum time it shows the 406 error, how to get rid of this problem. I have tried mod_security also, but of no use....Please suggest me some solutions....

  54. Rob :

    Jan 30, 2009 1:22 am | Reply

    Thanks for a quick solution to what could have been hours of investigating. All praise the Googles for putting this site high in the ranks..

  55. Harold Colby :

    Mar 7, 2009 11:14 am | Reply

    Did not fix my 406 error still pulling hair

    host claims they are not using mod security...when htaccess is modified I get an htaccess error of mod security not found on server. Host claims they have no problem accessing my site ..yet everyone else does.


John Godley © 2009