Comments on: HTTP 406 Error

By: Hiren Santilal

Hiren Santilal — Tue, 09 Sep 2008 17:22:12 +0000

It worked for my Joomla site which is version 1.5.2

By: Steph

Steph — Thu, 28 Aug 2008 19:34:11 +0000

Thank you so much for this! I've been having the same problem with Movable Type not being able to find my mt-static directory. After hours of troubleshooting, this finally helped solve the problem.

By: Eftekhar

Eftekhar — Mon, 19 May 2008 08:02:19 +0000

Hello
I see this error in admin panel of my site!
how can i disable this error in my server?
what where i had to chang this?
Thanks

By: Shantanu Goel

Shantanu Goel — Thu, 01 May 2008 17:51:54 +0000

Hey John,
With Mod security 2, this is no longer valid. I've written about it and a workaround at
http://tech.shantanugoel.com/2008/05/01/http-406-errors-galore.html

By: John

John — Thu, 27 Mar 2008 07:07:44 +0000

While I understand your point Lewis I would actually say that mod_security is doing its job incorrectly. Mambo is not, as far as I'm aware, doing anything that is technically wrong. Should mod_security force applications to be rewritten to suit its particular requirements? In my opinion, no, and if it can't tell the difference between a valid request and a hack attempt then it should err on the side of caution and allow it. Up-to-date software is a much better path to take than relying on a brute-force 'bouncer'.

At the end of the day, not everyone has the necessary skills to fine-tune mod_security to allow their (valid) applications to work again. Getting a website working may be more important than worrying about an exploit that may or may not exist. This post is indeed old now, but it does point out the disadvantages of undertaking such a global change, and does suggest that you try and tone down mod_security (a topic far outside the scope of this post).

By: Lewis

Lewis — Wed, 26 Mar 2008 18:42:01 +0000

I have to say, your "solution" leaves a lot to be desired IMHO. Mod_security is doing it's job correctly. Rather than simply turning it off perhaps editing the regex/config and or mambo to not trigger the reactions of mod_security would be a much better (i.e. correct) way of dealing with it.
Mambo is fairly well known for not having the most secure code, you may have just allowed a malicious user to execute arbitary code/post data/view the filesystem or any one of a number of exploits. Whilst it may be useful in testing to turn off mod_security, I'm disappointed that the method has been given as a default response to solve another issue. Just MHO.
I do appreciate that this article is very old now and the poster may well do things differently presented with the same situation again. I just felt that explaining the pitfalls of doing this was worthwhile.

By: Chris Mitchell

Chris Mitchell — Tue, 26 Feb 2008 21:40:41 +0000

Hi. I just contacted my hosing company. There was a setting in mod_security which they were able to adjust so that it allowed the specific requests generated by Joomla! to pass through. It took about a second for them to do it, so evidently it is a known problem. Now everything works perfectly. They didn't have to disable the rest of the security features provided by mod_security and I didn't have to add anything to my .htaccess file. Hope this helps.

By: Kela

Kela — Wed, 20 Feb 2008 00:28:46 +0000

Excellent! I had wasted a lot of my time before this post was found!

Thank you!

By: Mada

Mada — Tue, 12 Feb 2008 15:21:08 +0000

MANY MANY THANKS for posting the solutions here! I was pulling my hair out and have been struggling with the for the last couple of hours when I came across your post. It fixed my problem. Thanks again!

By: taher

taher — Sat, 02 Feb 2008 18:16:22 +0000

Thanks, when I saw the description of the 406 error I was like "How the hell I am going to fix that". Your solution works perfectly. To limit the damage you can place the htaccess file in the subdirectory where you need it. It will not affect the rest of website