HTTP 406 Error

Some work I’ve been doing recently has involved debugging a Mambo installation. The website had developed the curious ability to block the editing of certain articles, but allowed other ones through. These blocked attempts to save articles were resulting in a ‘406 Not Acceptable’ error.

According to the W3 specification, this means:

The resource identified by the request is only capable of generating response entities which have content characteristics not acceptable according to the accept headers sent in the request.

Say what?

After a lot of hair-pulling I tracked the problem down to a few words, such as ‘<script’ and ‘&amp;’, which when included caused the error. This made me very suspicious – why would Mambo only block this HTML code? I explored further by inserting debug code into Mambo and then waited for the result… nothing. Mambo wasn’t even being called.

This meant the problem must be before Mambo, and there was only one thing that could be responsible: Apache.

Some Googling later and I found information about an optional Apache module called mod_security. This is a very nice module that acts as an Apache firewall – it blocks a lot of the usual routes that people use to hack websites. In particular it scans POST requests (sent when you ‘save’ something on a website), and displays a 406 error for anything controversial. Bingo!

The reason I’m documenting these frustrating few hours of my life is in the hope that it may prove useful to someone else. It appears that mod_security, if configured aggressively, can cause a lot of problems and these may manifest themselves in Mambo, WordPress, or any piece of web software.

The solution was very simple. The following lines were added to the .htaccess file to disable mod_security:

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

Naturally you lose any benefits that mod_security might bring, but that’s better than a non-functioning website, and you can always ask for the security configuration to be toned down to a more acceptable level.
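To make the failure mode above concrete, here is an added example (written for this page, not code from the post and not mod_security’s own code or rule set): a small WSGI middleware that models a request filter sitting in front of the application, scanning POST bodies for the two patterns the post names and answering 406 before the application is ever invoked. It also models the scoped exemption (one path left unfiltered, the equivalent of switching the filter off for a single file) so the trade-off between a global switch-off and a narrow one can be seen. The CMS handler, the paths and the request bodies are constructed for the example.

```python
import io
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed, simplified model of the situation in the post: a filter in front of
# the application scans POST bodies and answers 406 on a pattern hit, so the
# application never sees the request. The two patterns are the ones the post
# names; this is not mod_security's real rule set or code.
AGGRESSIVE_RULES = [re.compile(p, re.IGNORECASE) for p in (r"<script", r"&amp;")]


class PostBodyFilter:
    """WSGI middleware standing in for a POST-scanning request filter."""

    def __init__(self, app, rules, exempt_paths=()):
        self.app = app
        self.rules = rules
        # Paths where filtering is switched off, i.e. a per-file exemption
        # rather than a global one (hypothetical paths in this example).
        self.exempt_paths = set(exempt_paths)
        self.blocked = []  # (path, pattern) per rejected request; what an admin would log

    def __call__(self, environ, start_response):
        if environ["REQUEST_METHOD"] == "POST" and environ["PATH_INFO"] not in self.exempt_paths:
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            environ["wsgi.input"] = io.BytesIO(body)  # hand the app an unread copy
            # Decode form encoding before matching, as an input-normalising filter would.
            text = unquote_plus(body.decode("utf-8", "replace"))
            for rule in self.rules:
                if rule.search(text):
                    self.blocked.append((environ["PATH_INFO"], rule.pattern))
                    start_response("406 Not Acceptable", [("Content-Type", "text/plain")])
                    return [b"406 Not Acceptable\n"]
        return self.app(environ, start_response)


def cms_app(environ, start_response):
    """Stand-in for the CMS 'save article' handler: records every text it receives."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(length).decode("utf-8"))
    cms_app.saved.append(form.get("text", [""])[0])
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"saved\n"]


cms_app.saved = []


def post(app, path, form_body):
    """Drive a WSGI app with a constructed POST and return the status line."""
    status = {}

    def start_response(line, headers, exc_info=None):
        status["line"] = line

    environ = {
        "REQUEST_METHOD": "POST",
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(form_body)),
        "wsgi.input": io.BytesIO(form_body),
    }
    list(app(environ, start_response))  # consume the response iterable
    return status["line"]


def run_scenarios():
    """Return statuses for a plain edit, an edit that trips the filter, and an exempted path."""
    cms_app.saved.clear()
    guarded = PostBodyFilter(cms_app, AGGRESSIVE_RULES, exempt_paths=["/administrator/index.php"])
    plain = b"text=Hello+world"
    # A legitimate article about HTML entities; "&amp;" arrives form-encoded as %26amp%3B.
    entity_article = b"text=Write+%26amp%3B+to+show+a+literal+ampersand"
    results = {
        "plain edit": post(guarded, "/index.php", plain),
        "article mentioning &amp;": post(guarded, "/index.php", entity_article),
        "same article via exempted admin path": post(guarded, "/administrator/index.php", entity_article),
    }
    results["saved_count"] = len(cms_app.saved)  # the blocked edit never reached the app
    results["blocked"] = guarded.blocked
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The middle scenario is the post’s symptom exactly: the handler’s `saved` list never grows, because the filter answered before the application ran, which is why debug code placed inside the application shows nothing. The third scenario shows that a per-path exemption lets the same edit through while the filter stays active everywhere else.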

72 comments

  1. Just wanted to let you know that this fixed my odd problems with the stat tracker Mint as well – it was throwing up 406 errors in debug mode when viewing articles.

    Thanks for the code! Saved my bacon. 🙂

  2. many thanks,
    this also fixed a problem with my cutenews installation (aj-fork 1.67) that really had me baffled. my host (cyberultra.net) has a track record of messing with apache configuration.

    again, much appreciated.
    lyndon.

  3. I’m not sure I understand you fully Omid. If you want to have only a certain folder affected by the htaccess file then you need only place it in the that folder, and anything in a higher directory should not be affected.

  4. Call me stupid, but I can’t find a .htaccess file to edit in my Joomla installation. Can anyone tell me where it is located?

  5. Thanks a lot! It solved the problem. I’m a Web designer and no idea what was that error… a quick googling resolved hours of frustration

    Regards

  6. […] All posts except one were categorized before I went to bed… I kept getting a “406 not acceptable” error response when trying to recategorize and save this particular post. Today, I found another WordPress user that experienced a similar problem. He figured out that it was caused mod_security, an Apache mod that’s meant to make a server safer. The solution was to disable mod_security by adding the following codes to the .htaccess file: […]

  7. Thank you so much for sharing this fix. It immediately solved an issue I had where Joomla Blog was not allowing me to post full length articles over a certain character max, at least I thought it was Joomla. Thanks again.

  8. I too was tearing my hair out with “A mysterious 406 error”. This was a problem with a request from an XMLHttpRequest object. I’m not sure if the request in question in this article was made with an XMLHttpRequest object but the solution that I found may be relevant.

    The problem was that when using the POST method instead of GET the data has to be sent in a different way.

    Using the POST method of XMLHttpRequest means that you have to set the ‘Content-type’ request header:
    req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');

    and send the data as a parameter of the send method like so:
    req.send('var1=123&var2=456');

    But using the GET method means that you don’t have to set the ‘Content-type’ request header and the data is sent in the url. Eg:
    url = 'webpage.php?var1=123&var2=456';

    And the send method sends null:
    req.send(null);

    This may not solve the problem described in the article but it may help somebody.

    Cheers

  9. Thanx very much! It saved my day (night). Was dealing with 406’s on Mambo 4.6.1, only when trying to install a component/module/whatever. Your solution works fine! Will discuss any security later, for now, it works! 🙂

  10. Mate! You saved ma back! I spent 2 days on google, hosting desk support, re-reading mod_rewrite docs numerous times looking for any clue… Many thanks!

  11. Thanks for this, totally solved a problem I was having with the word “from” in certain situations. Still don’t know what was causing it, but at least I have a functioning website now.

  12. Saved my bacon! This is exactly what I needed to add google analytics to my WordPress Blog. Brilliant! Thank you for sharing with us.

  13. My forms were getting 406 error messages after my host upgraded the CPanel.

    After a whole day of tearing my hair out trying to fix this, your solution worked the first time I ran it.

    THANKS!

  14. thanks a lot man! i’ve encountered this problem uploading a long post from blogdesk to wordpress. short post will pass with no problem but the long post always had this error. your detailed solution saved my day! this post rocks!

  15. I moved a site to a new server and got this error when running a simple script.
    While waiting for support to help, I found your solution and it did the trick.
    Thanks.

  16. ho there,

    I am experiencing the 406 problem, modifying the htaccess file didn't work.
    what can it be?
    The error occurs when users want to save their image in communitybuilder.

    many thanks.
    M

    1. you have to enable htaccess files to run on your server in the apache config httpd.conf, or in your VirtualHost config. In its simplest form, the directive AllowOverride will enable the use of .htaccess files. Something like this should work for you. There are other options besides ALL you can use, check the apache docs.

      Options Indexes FollowSymLinks MultiViews
      AllowOverride ALL
      Order allow,deny
      allow from all

  17. Moved to a new host and was presented with all kinds of stuff that didn’t work anymore, including this 406 error while posting stuff. Glad I found your solution. Works for me!!

    Thanks!

  18. I just wanted to thank you because I was getting really frustrated with a similar issue dealing with wordpress and couldn’t find a single acceptable solution until I applied what you wrote in your post.

  19. Thanks, when I saw the description of the 406 error I was like "How the hell I am going to fix that". Your solution works perfectly. To limit the damage you can place the htaccess file in the subdirectory where you need it. It will not affect the rest of website

  20. MANY MANY THANKS for posting the solutions here! I was pulling my hair out and have been struggling with the for the last couple of hours when I came across your post. It fixed my problem. Thanks again!

  21. Hi. I just contacted my hosing company. There was a setting in mod_security which they were able to adjust so that it allowed the specific requests generated by Joomla! to pass through. It took about a second for them to do it, so evidently it is a known problem. Now everything works perfectly. They didn’t have to disable the rest of the security features provided by mod_security and I didn’t have to add anything to my .htaccess file. Hope this helps.

  22. I have to say, your “solution” leaves a lot to be desired IMHO. Mod_security is doing its job correctly. Rather than simply turning it off perhaps editing the regex/config and or mambo to not trigger the reactions of mod_security would be a much better (i.e. correct) way of dealing with it.
    Mambo is fairly well known for not having the most secure code, you may have just allowed a malicious user to execute arbitrary code/post data/view the filesystem or any one of a number of exploits. Whilst it may be useful in testing to turn off mod_security, I’m disappointed that the method has been given as a default response to solve another issue. Just MHO.
    I do appreciate that this article is very old now and the poster may well do things differently presented with the same situation again. I just felt that explaining the pitfalls of doing this was worthwhile.

  23. While I understand your point Lewis I would actually say that mod_security is doing its job incorrectly. Mambo is not, as far as I’m aware, doing anything that is technically wrong. Should mod_security force applications to be rewritten to suit its particular requirements? In my opinion, no, and if it can’t tell the difference between a valid request and a hack attempt then it should err on the side of caution and allow it. Up-to-date software is a much better path to take than relying on a brute-force ‘bouncer’.

    At the end of the day, not everyone has the necessary skills to fine-tune mod_security to allow their (valid) applications to work again. Getting a website working may be more important than worrying about an exploit that may or may not exist. This post is indeed old now, but it does point out the disadvantages of undertaking such a global change, and does suggest that you try and tone down mod_security (a topic far outside the scope of this post).

  24. Thank you so much for this! I’ve been having the same problem with Movable Type not being able to find my mt-static directory. After hours of troubleshooting, this finally helped solve the problem.

  25. I am having a hosting server (linux based) for my PHP-MySql websites, but the response provided by this server is not digestible, Some times it works fine but maximum time it shows the 406 error, how to get rid of this problem. I have tried mod_security also, but of no use….Please suggest me some solutions….

  26. Thanks for a quick solution to what could have been hours of investigating. All praise the Googles for putting this site high in the ranks..

  27. Did not fix my 406 error still pulling hair

    host claims they are not using mod security…when htaccess is modified I get an htaccess error of mod security not found on server. Host claims they have no problem accessing my site ..yet everyone else does.

  28. Thanks tons! The webhost didn’t even know their own problem not only joomla or other cms, but this problem can seriously affect SEO rankings and google bot.

    Thanks again!

    Cheers.

  29. This is very helpful. I have had this problem on one of my sites for the past two weeks and the only thing I did was blame my host for that but now I will put the code on the .htaccess once I'm able to access my cpanel

  30. I know this is a VERY old article… but I thought I would post a little extra…

    You can actually disable mod security to certain files… by enclosing them in the sections the same way you prompt for passwords… IE:

    SecFilterEngine Off
    SecFilterScanPOST Off

    if you only post on a certain file… etc… but then increase security by using the following password protection (in ADDITION to your php code – I tend to just set it to silly values, but it still helps!):

    # FULL System Path To Your .htpasswd File
    AuthUserFile “/full/path/to/.htpasswd”

    # We dont have a Group So Tell The Server That
    # /dev/null = Not Existent
    AuthGroupFile /dev/null

    # Give it a name, This should do though
    AuthName “Access Requires Name + Password”

    # Leave This Line As Is
    AuthType Basic

    # Add Usernames Below
    # No spaces In Names, 1 Space Between Each
    require user myname

    … Obviously, .htpasswd files are encoded, but there are loads of scripts online that give you the text for your password
    name:encoded password
    IE: http://www.htaccesstools.com/htpasswd-generator/

  31. Sorry, I didn't remove the greater than and less than signs… obviously, fix the code to use a greater than and less than sign

    <IfModule mod_security.c>
    <Files "admin.php">
    SecFilterEngine Off
    SecFilterScanPOST Off
    </Files>
    </IfModule>

    THIS GOES INSIDE THE FILES SECTION:

    # FULL System Path To Your .htpasswd File
    AuthUserFile “/full/path/to/.htpasswd”
    # We dont have a Group So Tell The Server That
    # /dev/null = Not Existent
    AuthGroupFile /dev/null
    # Give it a name, This should do though
    AuthName “Access Requires Name + Password”
    # Leave This Line As Is
    AuthType Basic
    # Add Usernames Below
    # No spaces In Names, 1 Space Between Each
    require user myname
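Both the global switch-off in the post and the per-file variant in comment 31 leave `SecFilterEngine Off` lines behind in .htaccess files, and months later nobody remembers which ones turned the filter off for the whole site. The following Python script is an added example, not code from the post, from mod_security or from Apache’s tooling: it parses a constructed .htaccess containing both variants, tracks the `<IfModule>` / `<Files>` section nesting, and reports every `SecFilterEngine` / `SecFilterScanPOST` directive together with its scope, so a site-wide disable is told apart from one confined to a single file. The directive names and section syntax are Apache’s; the sample file, the `Finding` type and the global-versus-scoped classification are the example’s own.

```python
import re
from dataclasses import dataclass

# Constructed sample .htaccess combining the global fix from the post with the
# per-file variant from comment 31 (this file is made up for the example).
SAMPLE_HTACCESS = """\
# global switch-off, as in the post
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

# scoped switch-off, as in comment 31
<IfModule mod_security.c>
  <Files "admin.php">
    SecFilterEngine Off
    SecFilterScanPOST Off
    AuthType Basic
    AuthName "Access Requires Name + Password"
    AuthUserFile "/full/path/to/.htpasswd"
    require user myname
  </Files>
</IfModule>
"""

SECTION_OPEN = re.compile(r"^<(\w+)\s*(.*?)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")
WATCHED = {"secfilterengine", "secfilterscanpost"}
# Sections that narrow where a directive applies. <IfModule> only gates on the
# module being loaded; it does not narrow scope, so it is deliberately absent.
NARROWING = {"files", "filesmatch", "directory", "directorymatch", "location", "locationmatch"}


@dataclass
class Finding:
    directive: str
    value: str
    scope: tuple  # section stack, e.g. ('IfModule mod_security.c', 'Files "admin.php"')
    line: int

    @property
    def is_global(self):
        """True when no narrowing section wraps the directive."""
        return not any(s.split()[0].lower() in NARROWING for s in self.scope)


def audit_htaccess(text):
    """Return a Finding for every watched directive, with the section stack it sits in."""
    stack = []
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
            continue
        m = SECTION_CLOSE.match(line)
        if m:
            # Apache section names are case-insensitive; closes must pair with the innermost open.
            if not stack or stack[-1].split()[0].lower() != m.group(1).lower():
                raise ValueError(f"line {lineno}: unexpected </{m.group(1)}>")
            stack.pop()
            continue
        parts = line.split(None, 1)
        if parts[0].lower() in WATCHED:
            value = parts[1].strip() if len(parts) > 1 else ""
            findings.append(Finding(parts[0], value, tuple(stack), lineno))
    if stack:
        raise ValueError(f"unclosed section: <{stack[-1]}>")
    return findings


def report(findings):
    """One line per 'Off' directive, marking whether it disables the filter site-wide."""
    lines = []
    for f in findings:
        if f.value.lower() == "off":
            where = "GLOBAL" if f.is_global else "scoped to " + " > ".join(f.scope)
            lines.append(f"line {f.line}: {f.directive} Off ({where})")
    return lines


if __name__ == "__main__":
    for entry in report(audit_htaccess(SAMPLE_HTACCESS)):
        print(entry)
```

Run against a real document root it would be pointed at each `.htaccess` in turn; the lines marked GLOBAL are the ones worth revisiting once the host has tuned the rule set (comment 21), since a `<Files>`-scoped entry only costs the filter on the one file the application actually needed it off for.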
