Security offense!! Access denied! after relocating website

[MissyW]

This appears to be a variation on the Security offense!! Access denied!  problem.  Have just ported a site version 2.8.2 from localhost to a remote server.  Everything is working ok, the site displays, I can go into admin and save changes to the template's index.php.  But I am not allowed to save changes to the pages.  I get the Security offense!! Access denied! message even though I am using only one browser session.  It also says:

Code:

Notice: Array to string conversion in .../framework/SecureForm.php on line 163

If I switch to IE, I still get the same error and am not allowed to save changes to pages.  File permissions appear to be correct.  

[DarkViper]

call http://myown.site/wb/install/

Attention: Do not klick on [install]  !!

Only check, if there is an red error message or a warning or anything appears green.

[MissyW]

call http://myown.site/wb/install/

Attention: Do not klick on [install]  !!

Only check, if there is an red error message or a warning or anything appears green.

I don't have a wb or wb/install directory in my site, so when I call http://myown.site/wb/install/ I get a page not found error.    After your message, thanks, I remembered I had created a hidden permiissions-checking page.  I just ran it.  Everything is green. ??

[MissyW]

I am completely stuck trying to send this redeveloped website live for a client after relocating it from my xampp environment to the remote host.

I have tried everything I can think of.  I did a completely fresh WB 2.8.2 install, transferred all my WB files (which were upgraded to 2.8.2) from my desktop to the remote server, then copied the data base to the remote server.  Everything displays correctly, front and back end.  But when I log into the backend and try to save anything (pages or settings or anything), I get

Code:

Security offense!! Access denied!

.

The first time I attempted the relocation, I got locked out only of the pages.  Now, on this second attempt,  I'm locked out of everything.

I have checked my file permissions every which way.  When I run the permissions checking script, everything is green for OK.  I downloaded and ran fix-permissions.php (which is available here http://www.websitebaker2.org/forum/index.php/topic,19268.msg129174.html for good measure, but it reported everything OK with permissions.

I have checked ownership of all my files at the Unix/Linux level.  All ownership is correct.

I have been using Website Baker for this client for many years.  But now I am absolutely stuck and am despairing of being able to resolve this problem.  I have invested weeks of work in redeveloping the website in version 2.8.2 on my localhost.  I am forced to wonder if I am going to have to abandon using Website Baker and redo my entire website in another content management system  .

[dbs]

hi. plz load the install-folder to your remote server an call him like darkviper wrote.
do nothing, we want only to know: is all green or not?

[MissyW]

hi. plz load the install-folder to your remote server an call him like darkviper wrote.
do nothing, we want only to know: is all green or not?

Thanks! Have done this.  Everything is green.  Though it is coming up with a default host name of localhost - I presume that is just the default, as this site is configured correctly in config.php to the remote host.

[avatar8]

I have been getting the "Security offense!! Access denied!" nonstop since upgrading to 2.8.2, and there doesn't seem to be a solution. Even if I set it to Multi tab, no ip check, and no fingerprinting, I will get the message on every browser. However, I have some information that might aid toward a solution.

I only get the "Security offense!! Access denied!" message the first itme I save. If I hit back and then try to save again, it works, and then I can save over and over and never get the message. However, if I wait for just 30 seconds and try to save again, I get the Access denied message. That happens on both Firefox and Google Chrome.

Is there anything I can do to get rid of that message permanently? In my opinion, a CMS site that can be hacked is better than a CMS that doesn't allow you to save your changes

[Luisehahne]

try to do a little changing in the security switcher, maybe with another browser as fireFox. Change the settings to Multitab. Should solve your issues.

Dietmar

[avatar8]

Unfortunately, I already tried all that, and I'm using Firefox. The problem is always the same, and I have always had it set to multi tab. The problem is always the same: the first time saving throws the security offense error, and then saving immediately after that works. 3 different people are experiencing the exact same problem. Whether on Google Chrome or Firefox, it I wait more than 30 seconds (the time I'm using in my test), the error will happen 100% of the time.

[MissyW]

try to do a little changing in the security switcher, maybe with another browser as fireFox. Change the settings to Multitab. Should solve your issues.

Dietmar

Ok, thanks for the suggestion, but I use FireFox by default.  The problem occurs when only one tab is open. And I cannot change the settings from the backend because I cannot save the changes.  So, unless you can tell me how to achieve this by editting a file through the directory or database, I cannot try this.

[MissyW]

Unfortunately, I already tried all that, and I'm using Firefox. The problem is always the same, and I have always had it set to multi tab. The problem is always the same: the first time saving throws the security offense error, and then saving immediately after that works. 3 different people are experiencing the exact same problem. Whether on Google Chrome or Firefox, it I wait more than 30 seconds (the time I'm using in my test), the error will happen 100% of the time.

Thanks for this suggestion.  It's good to hear someone is managing to work around the problem.  I have tried using the back button and saving again as you suggested, but it doesn't work for me.  Not in FireFox.  Not if I do it immediately, and not if I wait any number of seconds, nothing seems to work.

[MissyW]

A correction to what I said earlier - I AM able to save my template files (index.php & css).  But not anything else - not Pages, not Settings, not other Admin tools such as SecureForm Switcher or droplets.

Does anyone know if the warning message Notice: Array to string conversion in .../framework/SecureForm.php on line 163 is significant?

[Luisehahne]

Can you give backend access with group Administor. Send per PM please. I will be going to have a look.

Dietmar

[avatar8]

Just to add a bit more information about the test I was doing...

The testing was done by clicking on the Accept button on the admintools/tool.php?tool=SecureFormSwitcher page. I've found that if I wait just 20 seconds, the save of the page will fail with the security message, but it will then work if I click the Accept button again immediately after, and then will never fail unless I wait again.

From another city, somebody using the same installation of Website Baker made the following observations (independent of my findings):

– first try | I got the security message again "security offense, access denied"
– second try |I clicked back to the pages menu, and clicked the page again to edit, I was able to save
– third try | I edited+saved without going back to pages I was not able to save "security offense, access denied"
– forth try | I went back to the pages menu, and clicked the page again to edit, I was able to save
– I was able to do edit and save four more timesbefore getting the "security message"
– fifth try | I clicked back to the pages menu, was able to edit+save many times
– sixth try | time lag (2 minutes to update this message) got "security messge"
 
Conclusion:
security message seems intermitten, but is triggered by time lag on an open page:
When I get the safety message, I clicked 'Pages' and re-enter to edit. Was able to type 'text' and save many times until I waited to type an email and tried it again. But while the page is open, waiting between edits seems to cause that problem. I seem to be able to leave Baker open as long as the page is not left open in edit mode.

[MissyW]

Thanks, avatar8, for such a detailed summary!  I have just given administrator access to Luisehahne (board member).  So let's hope, wait and see ...

[Luisehahne]

Hello,

i did my best to reproduce the issue. No chance. I test it like written in the post from avatar8. Please try again, i switched to multitab and set default settings. In moment i don't know what to do for helping. No seen error.  Are all your browser updated?

Be sure that we watch the secuirity offense to find a solution.

Dietmar

[MissyW]

Dear Dietmar

Thank you for logging in to the backend of my test site.

You said :

i did my best to reproduce the issue. No chance. I test it like written in the post from avatar8.

I did not have the identical situation to avatar8.  avatar8 could sometimes save (it sounded like a timing issue). My problem was I could NEVER save anything except the template files in the backend.  I could not change the Multitab SecureForm settings because I could not save.

Please try again, i switched to multitab and set default settings.

How did you manage to switch to multitab I tried to do this many times, but it would not let me save.   Now everything is fixed, and I am able to save everything in the backend with no problems.  Did you do something magic?  If not, I am suspecting a time-zone-related problem.  I am in Australia where it is 9pm on Wednesday, my server is in Philadelphia USA where it is now 7am on Wednesday.  But 7 hours ago, it was Wednesday in Australia but Tuesday in the USA.  It is now the same day in both countries.  I wonder if this has anything to do with the problem?  I will test again tomorrow, when there is a date difference, to see if the problem recurs.

Are all your browser updated?

Yes, my browsers are all up-to-date.

In moment i don't know what to do for helping. No seen error.  Are all your browser updated?

Be sure that we watch the secuirity offense to find a solution.

Dietmar

Currently there is no more problem for testing.  Either you fixed my problem, or it disappeared of its own accord - possibly due to the change in date on the server to match my browser date.  I will test it again tomorrow when there is a date difference between the time zones, and will let you know if the problem recurs.

Thank you so much for the support and your patience.

[MissyW]

Is there anything I can do to get rid of that message permanently? In my opinion, a CMS site that can be hacked is better than a CMS that doesn't allow you to save your changes

A valid point!  It will be interesting to see if Dietmar can help us get to the bottom of this.  Thanks for contributing.

[MissyW]

Well, this is all rather strange.  I don't have a problem saving anymore.  Just tested the site on my Thursday morning when it is Wednesday where the server is located, but there is no longer any problem.  I am able to save everything. 

I am really puzzelled, Dietmar, as to what you did to fix the problem?  But many thanks, whatever it was!

Avatar8 - why don't you PM to Luisehahne (alias Dietmar/board member/moderator) and give Dietmar backend access in the Administrator Group, so he can try to duplicate your problems (or better fix them)?

[avatar8]

I'm glad you were able to get your problem solved, MissyW. Unfortunately, I'm still having the same problem with this one site. I have given Dietmar access to the backend to see if he can see it with his own yes, so I'll just wait to hear back from him.

I wonder if it might be a problem with this server now too. It's being hosted on Network Solutions, and I've been noticing another problem. I get the following error in the middle of the file browser when I click on Media:

Fatal error: Allowed memory size of 16777216 bytes exhausted (tried to allocate 20234928 bytes) in /data/16/2/114/76/2603728/user/2855845/htdocs/admin/media/browse.php on line 239

Note to Dietmar: you will not see this Fatal error message at the link I gave you because it's happening on another site on the same server that has an extremely large number of files in the media folder.

[MissyW]

All my conjecture about time-zone differences and server-related problems was pure guesswork based on Dietmar saying he found no problem in the backend of my website.  But now I have tested the site when times are on different dates at the server v. my browser, but still there is no error.

There absolutely were consistent errors for weeks before Dietmar logged in.  I can only conclude that he did something to fix the problem, but is not saying! 

I hope you get your problem fixed, avatar8.  Keep us posted.

[avatar8]

No, I was never able to solve my problem, so I had to disable those core functions.

Actually, I just notice something when trying to install a new Website Baker on the server. The install checklist has on item in red:

PHP Session Support Disabled

I hadn't noticed that before because I had only transferred the site from another server to this one.

Everything else seems to work fine, though, and the phpinfo file seems to have all the correct settings for the Sessions. There were only 2 differences that I could find:

On the server where it works:
session.save_path is /temp
session.use_only_co okies is On

Server with problems:
session.save_path is /data/16/2/114/76/2603728/user/2855855/cgi-bin/.php/sessions
session.use_only_co okies is Off

Other than that, the discrepancies in Website Baker functionality remain a mystery.