Message "Forbidden You don't have permission to access this resource"

I am currently no longer able to edit my Typo3 site (version 6.1.7) at STRATO. The browser message “Forbidden You don’t have permission to access this resource” always appears in the backend. The message has been appearing in different browsers (Firefox and Edge) since today.

I can log into the backend and see all the content. However, I cannot make any changes. If I want to change something, the above message appears.

What could be the cause?

Currently, several of my customers who host with Strato have this problem. The TYPO3 version does not matter. I therefore recommend contacting support.

Thank you for the hint

I got the following answer from Strato:

The cause seems to be a security update on July 1, 2024 in Apache Server 2.4.59, which no longer allows rewrite rules for the ‘?’ (%3F):
CVE Website
To allow rewriting, you can set the rewrite flag UnsafeAllow3F.

But I do not really know what to do now. Any hints for me?

The answer from STRATO:

"You contacted us because you encountered an error message (“403 Forbidden”) when using your Typo3 instance.

This is due to the fact that an insecure vulnerability was closed by a software update in the infrastructure. This would have allowed attackers to penetrate your web space and execute malicious code. This prevents the communication of Typo3 and its used method with the web server in some areas of the Typo3 instance.

We refer to vulnerability description CVE-2024-38474 (CVE Website). This update will generally be installed on all current Apache instances.

For security reasons, we will not release the insecure method used by Typo3 on the host systems. We kindly ask you to contact the developer of Typo3 and inform him about the vulnerability. We expressly recommend that you do not implement any modifications that circumvent this vulnerability, as this would make you vulnerable."

What can I do? I am only a user and not an expert.

Same here … I can’t imagine how many TYPO3 installations are affected by this as Strato claims hosting 4 million websites. Quite a few of them might use TYPO3.
As you can see, there is nothing to be expected from the Strato Tech-“Support” …

We have some customers that are affected by this as well.
I find it interesting that @albertbrons was told to add UnsafeAllow3F to their rewrite rules, because this does not work with the Apache version (2.4.59) which is currently installed on Strato servers (at least with the customers I have seen).

Trying to add this flag in the .htaccess file currently leads to a Server-Error.

The problematic parameter seems to be returnUrl. Removing that parameter allows one to edit the record, but that is very tedious to get some actual work done. There does not seem to be a “quick fix” so far, and if other hosters follow suit this will become a bigger problem.

1 Like

Strato has now withdrawn the recommendation.

This problem will also occur with other providers in the near future, as they will certainly also install this Apache update.

According to a comment in this Forge issue Strato is blocking all URLs that contain %3f at the moment, which is causing the issue, so it’s not related to the Apache security update, which works as expected without even requiring the AllowUnsafe3F flag.

So it’s probably on Strato to roll out the proper security patches and remove that mitigation they have on their hosting.

1 Like
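The mechanism the posts above describe (a returnUrl whose own query string gets percent-encoded, so the request carries %3F, and a hoster filter that rejects any request containing %3f), shown as an added illustration that is not part of this thread; the sample backend URL, the host name and the helper names are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample: a TYPO3-style backend record-edit link carrying a returnUrl
# that itself contains a query string, so its inner "?" is encoded as %3F.
RETURN_URL = "/typo3/module/web/list?id=42&token=abc"
SAMPLE_URL = "https://example.invalid/typo3/record/edit?" + urlencode(
    {"edit[pages][42]": "edit", "returnUrl": RETURN_URL}
)


def contains_encoded_question_mark(url: str) -> bool:
    """True if the raw request URL carries a percent-encoded '?' (%3F / %3f).
    A hoster-side filter that rejects every request containing %3f would
    answer such a request with 403, which matches the symptom in this thread."""
    return "%3f" in url.lower()


def parameters_with_encoded_question_mark(url: str) -> list[str]:
    """Names of query parameters whose decoded value contains a '?', i.e. the
    parameters that produce %3F once encoded (returnUrl in this thread)."""
    query = urlsplit(url).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if "?" in v]


def strip_parameter(url: str, name: str) -> str:
    """The manual workaround mentioned above: drop the offending parameter so
    the request no longer contains %3F. Other parameters keep their order."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != name]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    print(SAMPLE_URL)
    print("would be blocked:", contains_encoded_question_mark(SAMPLE_URL))
    print("culprit parameters:", parameters_with_encoded_question_mark(SAMPLE_URL))
    cleaned = strip_parameter(SAMPLE_URL, "returnUrl")
    print(cleaned)
    print("would be blocked:", contains_encoded_question_mark(cleaned))
```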

Hello everyone,

my Typo3 customers were also affected by the problem described here. Here is a possible solution that worked for my customers:

  1. Log in to Strato

  2. Security → Guestbook spam settings

  3. Deactivate filter

DONE!

Please give me feedback on whether it worked for you too. Thank you.

2 Likes

Worked for me too!
phanf***ingtastic … Thanks for sharing the find, helps a lot!

Great, it actually worked. Many thanks for the information.

It seems that Strato fixed the issue. Saving is now possible without changing the settings for guestbook-spam.

I would never have thought of doing this, but it seems to work!