xenium
asked on
Error: Not Acceptable! An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security
hi
I'm getting the following error on my Bluehost server when I use a certain script.
Not Acceptable! An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.
I think it has something to do with the .htaccess file. If so, how can I edit it to remove this issue?
Here is my htaccess file from the public_html folder (some URLs replaced with 'mydomain'):
RewriteEngine on
# Use PHP5.6 as default
# AddHandler application/x-httpd-php56 .php
RewriteCond %{HTTP_HOST} ^mydomain\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.mydomain\.net$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^/?$ "http\:\/\/www\mydomain\.com\/" [R=302,L]
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php56” package as the default “PHP” programming language.
<IfModule mime_module>
AddType application/x-httpd-ea-php56 .php .php5 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
Thanks a lot
ASKER
The htaccess file in the question does not have those tags. If I should add them, where should they be inserted?
Thanks a lot
Sorry, I assumed you were using WordPress - that's typically where it shows up.
Basically, that error is a "file not found" type of error. So you're requesting something that doesn't exist.
I don't quite understand the purpose of the htaccess rules you have in place right now. It looks like it reads:
1. When the HTTP host is either mydomain.net or www.mydomain.net
2. And when the URI being requested does NOT look like /12345.abcdef.cpaneldcv
3. And when the URI being requested does NOT look like /.well-known/pki-validation/ABCDEF0123456789ABCDEF0123456789.txt (optionally ending with " Comodo DCV")
...then redirect any empty requests (e.g. "http://www.mydomain.net/") to http://www.mydomain.net.
The last RewriteRule seems wrong:
RewriteRule ^/?$ "http\:\/\/www\mydomain\.com\/" [R=302,L]
If all domains mentioned are actually the same domain, then this seems like it would create an infinite loop in some circumstances, so I'm assuming you're redirecting from one domain to another.
Can you provide an example of a URL that generates the error?
ASKER
Yes there is a redirect.
Example URL:
https://www.enex.net/autorecon/MagicURL.htm?input=%3Ca%20href%3D%22https%3A%2F%2Fwww.google.com%2Fsearch%3F%26q%3Dapples%22%3EClick%20for%20apples%3C%2Fa%3E%0A%3CBR%3E%0A%3Ca%20href%3D%22https%3A%2F%2Fwww.bing.com%2Fsearch%3F%26q%3Doranges%22%3EOr%20for%20oranges%3C%2Fa%3E%0A
ASKER
original htaccess file
RewriteEngine on
# Use PHP5.6 as default
# AddHandler application/x-httpd-php56 .php
RewriteCond %{HTTP_HOST} ^enex\.net$ [OR]
RewriteCond %{HTTP_HOST} ^www\.enex\.net$
RewriteCond %{REQUEST_URI} !^/[0-9]+\..+\.cpaneldcv$
RewriteCond %{REQUEST_URI} !^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$
RewriteRule ^/?$ "http\:\/\/www\.autoreconuk\.com\/" [R=302,L]
# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php56” package as the default “PHP” programming language.
<IfModule mime_module>
AddType application/x-httpd-ea-php56 .php .php5 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit
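Added example, not part of the original thread: a Python sketch that evaluates the rewrite conditions from the .htaccess above against the example URL and decodes its query string. It shows that the redirect rule never applies to that URL and that the `input` parameter carries HTML tags; `MARKUP_RE` is a simplified stand-in for a WAF markup check (an assumption, since the thread does not show which Mod_Security rule fired).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Conditions and rule pattern copied from the "original htaccess file" post.
HOST_RES = [r"^enex\.net$", r"^www\.enex\.net$"]  # the two lines joined by [OR]
EXCLUDED_URI_RES = [
    r"^/[0-9]+\..+\.cpaneldcv$",
    r"^/\.well-known/pki-validation/[A-F0-9]{32}\.txt(?:\ Comodo\ DCV)?$",
]
RULE_PATTERN = r"^/?$"

# Example URL posted in the thread, split only for line length.
EXAMPLE_URL = (
    "https://www.enex.net/autorecon/MagicURL.htm?input="
    "%3Ca%20href%3D%22https%3A%2F%2Fwww.google.com%2Fsearch%3F%26q%3Dapples%22"
    "%3EClick%20for%20apples%3C%2Fa%3E%0A%3CBR%3E%0A"
    "%3Ca%20href%3D%22https%3A%2F%2Fwww.bing.com%2Fsearch%3F%26q%3Doranges%22"
    "%3EOr%20for%20oranges%3C%2Fa%3E%0A"
)

# Assumption: simplified stand-in for a WAF markup check, not a Mod_Security rule.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def redirect_applies(url):
    """True if the RewriteCond chain and the RewriteRule pattern all match."""
    parts = urlsplit(url)
    host_ok = any(re.search(p, parts.hostname or "") for p in HOST_RES)
    not_excluded = not any(re.search(p, parts.path) for p in EXCLUDED_URI_RES)
    # In .htaccess the rule pattern sees the path without its leading slash.
    rule_ok = re.search(RULE_PATTERN, parts.path.lstrip("/")) is not None
    return host_ok and not_excluded and rule_ok


def markup_in_params(url):
    """Map each query parameter to the HTML tags found in its decoded value."""
    hits = {}
    for name, values in parse_qs(urlsplit(url).query).items():
        tags = [tag for value in values for tag in MARKUP_RE.findall(value)]
        if tags:
            hits[name] = tags
    return hits


if __name__ == "__main__":
    print("redirect applies:", redirect_applies(EXAMPLE_URL))
    for name, tags in markup_in_params(EXAMPLE_URL).items():
        print(name, "->", tags)
```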
ASKER
Thanks a lot for the info and feedback, very interesting. I'd like to understand these risks better. Is it simply a question of deception (a hacker can present a webpage from my domain as if I produced it) or is there a deeper risk of allowing the hacker to make changes on my server? If just the former, then I'd still like to answer the question as is, and then raise a follow-up to manage such risks.
ASKER
Thanks again. I'll see if I can do the nginx.conf test to validate that.
Is there a way to ensure only HTML can be processed? No PHP or server-side processes.
Or..
The page is not intended for the public, so if there's a way to validate the source of the request would that be one safeguard option?
What other options might there be? Apart from not allowing the script.
Thanks
ASKER
Thanks a lot for all the great info and advice. As there's quite a lot to it, I'll close off this question and link to any branching follow-ups as and when needed.
Thanks again.
https://www.tipsandtricks-hq.com/apache-mod-security-update-how-to-fix-error-406-or-not-acceptable-issue-259
Backup your .htaccess file if you have one in the public_html directory.
Open the .htaccess file with any text editor and observe the lines between the “# BEGIN WordPress” and “# END WordPress” tags. Make sure the lines look somewhat like the following. If not then update the file with the following content and upload it to the ‘public_html’ directory.