Access denied - security.limit_extensions error

fidel · September 11, 2020, 12:09pm

Hello, I’d like to use InvoicePlane for my invoicing, however I ran into some trouble when I tried to install it on my VPS running Apache2. I want to stress out that I am already running couple of other websites on the VPS and they all work fine.

InvoicePlane version: 1.5.11
OS: Debian Jessie 8.11
Webserver: Apache/2.4.10 with PHP version: 7.1.33

So after entering the address into my browser, I get single line saying “Access denied”. I’ve set the address right in ipconfig.php. I’ve googled, read posts, read FAQ and wiki. Maybe I overlooked something, though

I tried running it in a subdomain inv.mydomain.cz and in subfolder mydomain.cz/inv, it always ends up the same.

This is my apache error log:

 [client xxx.xxx.xxx.xxx:xx] AH02545: fcgi: has determined UDS as /run/php/php7.1-fpm.sock
[Fri Sep 11 13:56:39.384261 2020] [proxy:debug] [pid 16644] proxy_util.c(2382): [client xxx.xxx.xxx.xxx:xx] AH00947: connected /var/www/inv.mydomain.cz/index.php to httpd-UDS:0
[Fri Sep 11 13:56:39.384438 2020] [authz_core:debug] [pid 16644] mod_authz_core.c(809): [client xxx.xxx.xxx.xxx:xx] AH01626: authorization result of Require all granted: granted
[Fri Sep 11 13:56:39.384454 2020] [authz_core:debug] [pid 16644] mod_authz_core.c(809): [client xxx.xxx.xxx.xxx:xx] AH01626: authorization result of <RequireAny>: granted
[Fri Sep 11 13:56:39.384704 2020] [proxy_fcgi:error] [pid 16644] [client xxx.xxx.xxx.xxx:xx] AH01071: Got error 'Access to the script '/var/www/inv.mydomain.cz/welcome' has been denied (see security.limit_extensions)\n'
[Fri Sep 11 13:56:39.384779 2020] [proxy:debug] [pid 16644] proxy_util.c(2143): AH00943: FCGI: has released connection for (*)

security limit extensions that I’ve tried are (googled this):

security.limit_extensions =
security.limit_extensions = .php
security.limit_extensions = .php .php3 .php4 .php5

this line was not in my conf by default.

I would really appreciate if anyone is able and willing to help.
Thank you!

M4rt1n · September 11, 2020, 10:53pm

security.limit_extensions = .php
or
security.limit_extensions = (insecure)

Should do the trick, please reload/restart your php-fpm after you saved it and you should be good to go.

Also: please update your PHP to the latest possible version (PHP 7.4 is already supported)
Before changing security.limit_extensions I would check if cgi.fix_pathinfo=0 is set.

Additional Infos where you are hosted at would be good and if you use any kind of Admin-Panel (Serveradmin Panel)

fidel · September 12, 2020, 6:16am

Hello, thanks for your reply.

Unfortunately, neither does the trick - I’ve tried all three options stated in first post before. I reloaded the webserver each time.

the pathinfo parameter is currently set to 0, I’ve also tried setting it to 1.

The website is hosted on my debian VPS. There are other websites (mostly CMS) running on it without any issues.

M4rt1n · September 12, 2020, 10:18am

Who is your hoster?
IONOS? HostEurope? Vultr? AMazon?

I dont think so. If you set security.limit_extensions = it accepts ALL extensions and the error will 100% go away, but its not very secure.

I think you edited the wrong config file, and not the one related to the PHP 7.1 version you use.

fidel · September 12, 2020, 9:29pm

My VPS is hosted at hukot.net

I’ve been setting security.limit_extensions in file /etc/php/7.1/fpm/php-fpm.conf

cgi.fix_pathinfo = 0 is set in /etc/php/7.1/fpm/php.ini

any other ideas where the problem could be?

I appreciate your help!

fidel · September 12, 2020, 10:38pm

Okay, so I really wanted to try this out so I decided to give it a go on my localhost. I got one step further on my Ubuntu running Apache2 & PHP7.1

I made it into the setup, but after typing in MySQL details and having the setup daemon upgrade the tables, it told me the setup has finished the login form shows up - but there was no option to create a user during the setup

I googled this: https://community2.invoiceplane.com/t/topic/4485/3 so now I am in the dashboard. I am getting random logouts though. For one, I cannot change the user password. When I click the button “change password” it either logs me out straight away or waits for me to enter new password twice and kicks me out when I hit the Save button.

But hey, I can live with default password. So I decided to create a new invoice group and create an invoice. But it kicks me out when hitting the save button again.

What is there I am doing wrong? Any logs I should paste?

Thanks.