HTTP 406 Error

Aug 20, 2005 | Written by John

Some work I've been doing recently has involved debugging a Mambo installation. The website had developed the curious ability to block the editing of certain articles, but allowed other ones through. These blocked attempts to save articles were resulting in a '406 Not Acceptable' error.

According to the W3 specification, this means:

The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.

Say what?

After a lot of hair-pulling I tracked the problem down to a few words, such as '<script' and '&amp;', which when included caused the error. This made me very suspicious - why would Mambo only block this HTML code? I explored further by inserting debug code into Mambo and then waited for the result... nothing. Mambo wasn't even being called.

This meant the problem must be before Mambo, and there was only one thing that could be responsible: Apache.

Some Googling later I found information about an optional Apache module called mod_security. This is a very nice module that acts as an Apache firewall - it blocks a lot of the usual routes that people use to hack websites. In particular it scans POST requests (sent when you 'save' something on a website), and displays a 406 error for anything controversial. Bingo!
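The diagnosis above rests on one observation: the 406 came back without the application ever running. The following added example (not code from the original post, and not mod_security itself) reproduces that symptom locally so the distinction can be checked mechanically. A small HTTP server stands in for Apache plus mod_security: it refuses POST bodies containing the two fragments the post mentions ('<script' and '&amp;') with a 406 and never passes them to the 'application' handler, which otherwise answers 200 and sets a marker header. The probe then classifies each response as answered by the application or blocked in front of it. The patterns, the marker header name and the raw-byte matching are constructed simplifications; the real module decodes the body and applies a much larger rule set.

```python
"""Reproduce 'the 406 comes from the web server, not the application'."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the filter behaviour described in the post.
FILTER_PATTERNS = (b"<script", b"&amp;")
APP_MARKER = "X-App-Handled"  # constructed header the 'application' sets


class FilterEmulator(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        # 'Firewall' layer: a match is refused before the app is called.
        # (Real mod_security decodes the body first; this matches raw bytes.)
        if any(pattern in body for pattern in FILTER_PATTERNS):
            self.send_response(406)
            self.end_headers()
            self.wfile.write(b"Not Acceptable")
            return
        # 'Application' layer: only reached for bodies the filter let through.
        self.send_response(200)
        self.send_header(APP_MARKER, "1")
        self.end_headers()
        self.wfile.write(b"saved")

    def log_message(self, *args):
        pass  # keep the emulator quiet


def start_emulator():
    """Start the emulator on an ephemeral loopback port; return its URL."""
    server = HTTPServer(("127.0.0.1", 0), FilterEmulator)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d/" % server.server_port


def classify(url, body):
    """POST body to url and report which layer produced the response.

    'application'       -> the app's marker header is present
    'blocked-before-app' -> 406 with no marker, i.e. refused in front of it
    'other:<status>'    -> anything else
    """
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    if headers.get(APP_MARKER):
        return "application"
    if status == 406:
        return "blocked-before-app"
    return "other:%d" % status


def diagnose(url):
    """Probe with a benign body and the two fragments named in the post."""
    probes = {  # constructed sample bodies
        "benign": b"introtext=Hello world",
        "script_tag": b"introtext=<script>",
        "amp_entity": b"introtext=Tom &amp; Jerry",
    }
    return {name: classify(url, body) for name, body in probes.items()}


if __name__ == "__main__":
    base = start_emulator()
    for name, verdict in diagnose(base).items():
        print("%-11s %s" % (name, verdict))
```

Against a real installation the same idea applies with the real server in place of the emulator: add a cheap marker to the application's response (a header or a log line) and send one benign and one suspect body. If the suspect body gets a 406 and the marker never appears, the block happened in front of the application and its own debug output will never fire, exactly as observed here.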

The reason I'm documenting these frustrating few hours of my life is in the hope that it may prove useful to someone else. It appears that mod_security, if configured aggressively, can cause a lot of problems and these may manifest themselves in Mambo, WordPress, or any piece of web software.

The solution was very simple. The following lines were added to the .htaccess file to disable mod_security:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Naturally you lose any benefits that mod_security might bring, but that's better than a non-functioning website, and you can always ask for the security configuration to be toned down to a more acceptable level.
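Before asking for the filter to be toned down, it helps to know which paths are actually being refused, since an exemption can then be scoped to the affected directory (one commenter below does exactly that with a per-directory .htaccess) instead of switched off for the whole site. The following added example, not code from the original post, reads Apache Combined Log Format lines, counts POSTs per path and how many of them came back 406, and lists the directories a narrower exemption would have to cover. The log lines, hostnames and paths are constructed samples.

```python
"""Triage 406 responses in an Apache access log to scope an exemption."""
import re
from collections import Counter, defaultdict

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Aug/2005:10:01:02 +0100] "POST /administrator/index2.php HTTP/1.1" 406 226 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Aug/2005:10:01:40 +0100] "POST /administrator/index2.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Aug/2005:10:02:11 +0100] "POST /administrator/index2.php HTTP/1.1" 406 226 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Aug/2005:10:03:00 +0100] "GET /index.php?option=com_content HTTP/1.1" 200 14021 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Aug/2005:10:03:05 +0100] "POST /index.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
192.0.2.77 - - [20/Aug/2005:10:04:30 +0100] "POST /wp-admin/post.php HTTP/1.1" 406 226 "-" "Mozilla/5.0"
this line is not a valid access log entry
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it doesn't parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def summarise_posts(lines):
    """Per path: how many POSTs were seen and how many were answered 406."""
    summary = defaultdict(lambda: {"posts": 0, "blocked": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue  # skip unparsable lines and non-POST requests
        entry = summary[rec["path"]]
        entry["posts"] += 1
        if rec["status"] == 406:
            entry["blocked"] += 1
    return dict(summary)


def directories_to_exempt(summary):
    """Directories that saw 406s, most affected first.

    Each is a candidate location for a per-directory .htaccess, which keeps
    the filter active everywhere else on the site.
    """
    counts = Counter()
    for path, entry in summary.items():
        if entry["blocked"]:
            directory = path.rsplit("/", 1)[0] or "/"
            counts[directory] += entry["blocked"]
    return [directory for directory, _ in counts.most_common()]


if __name__ == "__main__":
    summary = summarise_posts(SAMPLE_LOG.splitlines())
    for path, entry in sorted(summary.items()):
        print("%-32s posts=%d blocked=%d" % (path, entry["posts"], entry["blocked"]))
    print("exempt:", directories_to_exempt(summary))
```

On the sample the only refused paths sit under /administrator and /wp-admin, so an exemption placed in those directories would restore editing while the rest of the site keeps the filter; a directory of "/" in the result means the block is happening at the document root and a scoped exemption is not possible from the log alone.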


Comments (page 5 of 6)

  1. Eftekhar :

    May 19, 2008 3:02 am

    Hello
    I see this error in the admin panel of my site!
    How can I disable this error on my server?
    What and where do I have to change for this?
    Thanks

  2. Shantanu Goel :

    May 1, 2008 12:51 pm

    Hey John,
    With Mod security 2, this is no longer valid. I've written about it and a workaround at
    http://tech.shantanugoel.com/2008/05/01/http-406-errors-galore.html

  3. John (author) :

    Mar 27, 2008 2:07 am

    While I understand your point Lewis I would actually say that mod_security is doing its job incorrectly. Mambo is not, as far as I'm aware, doing anything that is technically wrong. Should mod_security force applications to be rewritten to suit its particular requirements? In my opinion, no, and if it can't tell the difference between a valid request and a hack attempt then it should err on the side of caution and allow it. Up-to-date software is a much better path to take than relying on a brute-force 'bouncer'.

    At the end of the day, not everyone has the necessary skills to fine-tune mod_security to allow their (valid) applications to work again. Getting a website working may be more important than worrying about an exploit that may or may not exist. This post is indeed old now, but it does point out the disadvantages of undertaking such a global change, and does suggest that you try and tone down mod_security (a topic far outside the scope of this post).

  4. Lewis :

    Mar 26, 2008 1:42 pm

    I have to say, your "solution" leaves a lot to be desired IMHO. Mod_security is doing its job correctly. Rather than simply turning it off perhaps editing the regex/config and or mambo to not trigger the reactions of mod_security would be a much better (i.e. correct) way of dealing with it.
    Mambo is fairly well known for not having the most secure code, you may have just allowed a malicious user to execute arbitrary code/post data/view the filesystem or any one of a number of exploits. Whilst it may be useful in testing to turn off mod_security, I'm disappointed that the method has been given as a default response to solve another issue. Just MHO.
    I do appreciate that this article is very old now and the poster may well do things differently presented with the same situation again. I just felt that explaining the pitfalls of doing this was worthwhile.

  5. Chris Mitchell :

    Feb 26, 2008 4:40 pm

    Hi. I just contacted my hosting company. There was a setting in mod_security which they were able to adjust so that it allowed the specific requests generated by Joomla! to pass through. It took about a second for them to do it, so evidently it is a known problem. Now everything works perfectly. They didn't have to disable the rest of the security features provided by mod_security and I didn't have to add anything to my .htaccess file. Hope this helps.

  6. Kela :

    Feb 19, 2008 7:28 pm

    Excellent! I had wasted a lot of my time before this post was found!

    Thank you!

  7. Mada :

    Feb 12, 2008 10:21 am

    MANY MANY THANKS for posting the solution here! I was pulling my hair out and had been struggling with this for the last couple of hours when I came across your post. It fixed my problem. Thanks again!

  8. taher :

    Feb 2, 2008 1:16 pm

    Thanks, when I saw the description of the 406 error I was like "How the hell am I going to fix that". Your solution works perfectly. To limit the damage you can place the .htaccess file in the subdirectory where you need it. It will not affect the rest of the website.

  9. Julie :

    Jan 9, 2008 12:12 pm

    I just wanted to thank you because I was getting really frustrated with a similar issue dealing with wordpress and couldn't find a single acceptable solution until I applied what you wrote in your post.

  10. helio :

    Nov 20, 2007 9:54 pm

    incredible! thank you very much for this post! you can't imagine how much you have helped!!!

John Godley © 2008