• Hi all,

    Weird one. We’ve recently migrated our Multisite to a new server internally and now get this error when publishing edits to pages that have expanders on:

    Forbidden

    You don’t have permission to access this resource.
    Apache/2.4.29 (Ubuntu) Server at elearning.bmh.manchester.ac.uk Port 443

    I remove the expand tags with find and replace in textpad and it publishes fine.

    Suspect we’ve got a security setting wound up too tight but I’ve no idea what.

    Any clues?

    Thanks.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Plugin Author twinpictures

    (@twinpictures)

    woah, that’s very strange. Can you link me to an example page that has the expand tag that shows this error?

    Update: Ah, it’s happening when you try and publish the page!
    are you using the gutenberg block editor, the classic WP editor, or some other page builder?

    • This reply was modified 4 years, 9 months ago by twinpictures.
    Thread Starter echamings

    (@echamings)

    We’re using the classic editor.

    Plugin Author twinpictures

    (@twinpictures)

    ok, is the plugin activated globally from the super-admin dashboard, or from the site’s plugin dashboard? Also, is there any additional information as to which resource is being requested?

    Thread Starter echamings

    (@echamings)

    just tried both activation methods with the same issue, it was previously on site specific activation but global produced the same result when I activated it.

    I did also try deleting the plugin and reinstalling it, but this was just via the plugin page and perhaps not much of a deep clean.

    No more additional information on the page I’m afraid, it’s a very simple error as above.

    I’ve asked our IT department if there is any log showing more, will get back to you with their response.

    Thread Starter echamings

    (@echamings)

    Response from our IT dept.

    “It took me a while to track this down, but our web application firewall is flagging this as a remote execution attack. There does seem to be some indication that this plugin had an XSS vulnerability on <1.6.9, but you have the latest.

    Looking at what triggered it:

    “Matched Data: \\x0d\\x0a\\x0d\\x0a[/expand found within ARGS:content: We are putting together our Autumn and Winter Training Schdule!\\x0d\\x0a\\x0d\\x0a\\x0d\\x0aThe eLearning Team run a set of courses and workshops to help familiarise you with different pieces of software that will enable you to deliver your courses. Please see below for our course list and links for booking; details for the courses can be found further down this page.\\x0d\\x0a\\x0d\\x0aClick on a course title to learn …”

    0d 0a 0d 0a is CRLF CRLF so that would indicate a couple of blank lines so may be innocent, but can be used in an attack: see e.g. https://www.netsparker.com/blog/web-security/crlf-http-header/

    I can’t see that in any of the plugin code – the only thing close is the PSD header code in arrows.psd. Are you putting those newlines in yourself, and if so can you leave them out and see what happens?”

    Any thoughts? I’m not putting new lines in in any different way than a normal WP page with paragraphs so not sure why this is happening.
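
An added example, not part of the original thread and not code from the firewall or the plugin: a small Python triage helper that parses a "Matched Data: … found within …" message like the one quoted above and decodes its `\x0d\x0a` escapes, so the exact text the rule matched can be compared with what the editor submitted. The sample line is a shortened, constructed copy of the quoted fragment, and the function names are this example's own.

```python
import re

# Constructed sample: shortened copy of the "Matched Data" fragment quoted in the thread.
SAMPLE = (
    r"Matched Data: \\x0d\\x0a\\x0d\\x0a[/expand found within ARGS:content: "
    r"We are putting together our Autumn and Winter Training Schdule!"
    r"\\x0d\\x0a\\x0d\\x0a\\x0d\\x0aThe eLearning Team run a set of courses"
)

# "Matched Data: <match> found within <VARIABLE>: <full value>"
MSG_RE = re.compile(
    r"Matched Data: (?P<match>.*?) found within "
    r"(?P<var>[A-Z_]+(?::[^\s:]+)?): (?P<value>.*)",
    re.S,
)
# Log writers escape control bytes as \xHH; the backslash may be doubled again
# when the line is pasted through another tool, so accept one or more.
ESC_RE = re.compile(r"\\+x([0-9a-fA-F]{2})")
SHORTCODE_CLOSE_RE = re.compile(r"\[/([A-Za-z0-9_-]+)")


def decode_escapes(text):
    """Turn \\xHH escapes back into the characters that were submitted."""
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def parse_matched_data(message):
    """Return the decoded match, its variable and context, or None."""
    m = MSG_RE.search(message)
    if m is None:
        return None
    matched = decode_escapes(m.group("match"))
    tag = SHORTCODE_CLOSE_RE.search(matched)
    return {
        "variable": m.group("var"),           # e.g. ARGS:content (a request parameter)
        "matched": matched,                   # exact text the rule matched
        "crlf_pairs": matched.count("\r\n"),  # line breaks inside the match
        "shortcode_close": tag.group(1) if tag else None,
        "value_start": decode_escapes(m.group("value"))[:40],
    }


if __name__ == "__main__":
    for key, val in parse_matched_data(SAMPLE).items():
        print(f"{key}: {val!r}")
```

On the sample this reports the variable `ARGS:content`, two CRLF pairs, and a closing `expand` shortcode tag as the matched text.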

    Plugin Author twinpictures

    (@twinpictures)

    just wanted to touch base and see if you managed to resolve this issue.

  • The topic ‘Forbidden – You don’t have permission to access this resource.’ is closed to new replies.