403 error on preview or save

[John_6x6]

Hi everyone,
Just upgraded to Pro, all worked well last night. I could edit, save, preview, etc. Today, login to make changes and when Previewing or Saving, I get a 'Error 403 Forbidden' message. I double checked my file permissions, even removed my .htacces file and retried - no luck. Anyone have suggestions what to try next? I've tried the admin and user logins and neither work.

[John_6x6]

I've also tried to 777 all folder permissions just to see if I could isolate something, no luck. Wierd. Everything works just fine. Just can preview or save. Anyone run into this??

[admin]

An error 403 forbidden is one that is generated by your web hosting provider.

Since it *was* working, and now it is not.. I think the best solution is to contact your web hosting provider and ask them what is the cause of the 403 error.  They should have some log files on the server that give a reason for this error.

[John_6x6]

OK, here's the error log message:
[Thu Jan 29 09:05:39 2009] [error] [client 64.40.148.2] mod_security: Access denied with code 403. Pattern match "<( |\\\\n)*script" at POST_PAYLOAD [severity "EMERGENCY"] [hostname "www.merchantservices-help.com"] [uri "/CMS/index.php"]

The hosting support gave me an .htaccess security switch to try: 'SecFilterEngine on' (or off). I'll try this next. If no lluck, I'll re-install it and try again. Keep you posted.

[admin]

Yes, from the error log message, I can see that the reason the error is displayed is because your web hosting provider is blocking the page from being displayed because it thinks there is a security problem or something.

(In other words, your hosting provider has "over tightened" their security setup.)

They will need to fix this for you...

[John_6x6]

OK, working now. What i did:
1. reinstalled Lite then upgraded to Pro - no change, same problem obviously, server security is the issue not the script.
2. Updated the .htacces file with 'SecFilterEngine on' to .htaccess file as the hosting support suggested - no change, same problem.
3. Tried changed the .htacces SecFilterEngine setting to 'off' (SecFilterEngine off) and now preview and save work without 403 error message - the original problem fixed.

Now, I have a new concern. The security of the file permissions to the html files I want editable is 606 - the most secure I can make it and still be editable. Why is the script running 'World' writable instead of 'Group' writable? Wouldn't this be more secure? Is there a way I can change this to be more secure? I'm not a guru with this stuff but even I can see vulnerability with this. Anybody have a suggestion or can teach me what to do better?

Thank you so much for your help so far. At least the original problem is resolved. Great support Henri!

[admin]

Hello,

The permissions required to edit a file on your server or really nothing to do with Snippetmaster.  

It has only to do with how your web hosting provider has configured their server...

For example, all the server we run for my own hosting company use PHP running as "CGI", which means that permission of 666 or only needed, and not 777, since PHP runs as the actual user.  The setting for the group bit, also depends on how the server is configured, but in most cases at least read permissions are needed due to how the "user" running the apache web server software is set up to work.  It really depends on your web host's setup.

All that being said.. The snippetmaster script itself has no security problems, so that is not an issue.  However, I do agree that if your host is configured to require permissions of 777, then it is recommended to switch to a different provider that doesn't require this.  (Use a host that runs PHP in "CGI" mode...)

I hope that helps.  Let me know if you'd like a recommendation for a good hosting provider where you can get Snippetmaster PRO rebrandabel version for free.