HTTP 406 Error
Some work I've been doing recently has involved debugging a Mambo installation. The website had developed the curious ability to block the editing of certain articles, but allowed other ones through. These blocked attempts to save articles were resulting in a '406 Not Acceptable' error.
According to the W3 specification, this means:
The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.
Say what?
After a lot of hair-pulling I tracked the problem down to a few words, such as '<script' and '&', which when included caused the error. This made me very suspicious - why would Mambo only block this HTML code? I explored further by inserting debug code into Mambo and then waited for the result... nothing. Mambo wasn't even being called.
This meant the problem must be before Mambo, and there was only one thing that could be responsible: Apache.
Some Googling later and I found information about an optional Apache module called mod_security. This is a very nice module that acts as an Apache firewall - it blocks a lot of the usual routes that people use to hack websites. In particular it scans POST requests (sent when you 'save' something on a website), and displays a 406 error for anything controversial. Bingo!
The reason I'm documenting these frustrating few hours of my life is in the hope that it may prove useful to someone else. It appears that mod_security, if configured aggressively, can cause a lot of problems and these may manifest themselves in Mambo, WordPress, or any piece of web software.
The solution was very simple. The following lines were added to the .htaccess file to disable mod_security:
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>
Naturally you lose any benefits that mod_security might bring, but that's better than a non-functioning website, and you can always ask for the security configuration to be toned down to a more acceptable level.
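Before switching the filter off, the Apache error log usually shows which rule rejected the request, which is what a host needs in order to tone the configuration down. The following is an added example, not part of the original post: it tallies mod_security denials by URL and rule pattern. The log lines are constructed, and their format (modelled on mod_security 1.x "Access denied" messages) is an assumption to adjust for your server.

```python
import re
from collections import Counter

# Constructed sample lines; the message layout is an assumption modelled on
# mod_security 1.x error-log entries. Adjust the regex to your real log.
SAMPLE_LOG = """\
[Mon Sep 04 10:12:01 2006] [error] [client 192.0.2.10] mod_security: Access denied with code 406. Pattern match "<script" at POST_PAYLOAD [hostname "www.example.org"] [uri "/administrator/index2.php"]
[Mon Sep 04 10:12:44 2006] [error] [client 192.0.2.10] mod_security: Access denied with code 406. Pattern match "<script" at POST_PAYLOAD [hostname "www.example.org"] [uri "/administrator/index2.php"]
[Mon Sep 04 10:15:09 2006] [error] [client 192.0.2.77] File does not exist: /var/www/html/favicon.ico
[Mon Sep 04 10:20:30 2006] [error] [client 198.51.100.5] mod_security: Access denied with code 406. Pattern match "select.+from" at POST_PAYLOAD [hostname "www.example.org"] [uri "/index.php?option=com_content"]
"""

DENIED = re.compile(
    r'\[client (?P<client>[^\]]+)\] mod_security: Access denied with code '
    r'(?P<code>\d{3})\. Pattern match "(?P<pattern>.*?)" at (?P<location>\S+)'
    r'.*?\[uri "(?P<uri>[^"]*)"\]'
)


def parse_denials(log_text, status="406"):
    """Return one dict per request the filter rejected with `status`."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m and m.group("code") == status:
            hits.append(m.groupdict())
    return hits


def summarise(hits):
    """Count denials per (URL path, inspected variable, rule pattern)."""
    counts = Counter()
    for h in hits:
        path = h["uri"].split("?", 1)[0]  # drop the query string
        counts[(path, h["location"], h["pattern"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (path, location, pattern), n in summarise(parse_denials(SAMPLE_LOG)):
        print(f"{n:3d}  {path}  {location}  rule pattern: {pattern!r}")
```

The resulting list of path and pattern pairs identifies the specific rules and scripts involved, so an exception can be requested for those alone.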






Comments (page 3 of 6)
May 14, 2007 5:10 am
Thanks for this, totally solved a problem I was having with the word "from" in certain situations. Still don't know what was causing it, but at least I have a functioning website now.
Apr 8, 2007 3:32 pm
Thank you very much. You saved me
Feb 24, 2007 7:02 am
This solved my problem too. Thanks.
Feb 14, 2007 8:48 am
Mate! You saved ma back! I spent 2 days on google, hosting desk support, re-reading mod_rewrite docs numerous times looking for any clue... Many thanks!
Feb 6, 2007 10:08 pm
Thanks very much! It saved my day (night). Was dealing with 406's on Mambo 4.6.1, only when trying to install a component/module/whatever. Your solution works fine! Will discuss any security later, for now, it works!
Feb 2, 2007 5:46 pm
Dude, thank you! I was wondering why the heck my script wasn't working on the server right.
Dec 16, 2006 6:41 pm
Hey man.
I want to thank you for this fix... It worked perfectly. So much time was saved...
Nov 29, 2006 9:15 am
Brilliant! Solved my problem with forms and Joomla!
Sep 23, 2006 10:33 pm
Just wanted to say you are the man and I would have never figured this out. Thanks a lot. Saved my hair. I would have looked like a skin head by morning.
Brandon Buttars
Sep 1, 2006 7:14 pm
I too was tearing my hair out with "A mysterious 406 error". This was a problem with a request from an XMLHttpRequest object. I'm not sure if the request in question in this article was made with an XMLHttpRequest object but the solution that I found may be relevant.
The problem was that when using the POST method instead of GET the data has to be sent in a different way.
Using the POST method of XMLHttpRequest means that you have to set the 'Content-type' request header:
req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded')
and send the data as a parameter of the send method like so:
req.send('var1=123&var2=456')
But using the GET method means that you don't have to set the 'Content-type' request header and the data is sent in the URL. E.g.:
url = 'webpage.php?var1=123&var2=456';
And the send method sends null:
req.send(null);
This may not solve the problem described in the article but it may help somebody.
Cheers