Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By Zythyr on
I am on Drupal 6.16. I am trying to update few modules and in the long run update the core also, but I am running into a major issue.
Every time I try to run an update I get an error. When I go to /update.php, review the updates, and then click on "Update" button, it results in an error. The error I get is below:
Updating
An unrecoverable error has occurred. You can find the error message below. It is advised to copy it to the clipboard for reference.
Please continue to the error page
An HTTP error 403 occurred. http://example.com/update.php?id=47&op=doDrupal database update
The update process was aborted prematurely while running update #6008 in views.module. All errors have been logged. You may need to check the watchdog database table manually.
This error is independent of the module I am trying to update. If I don't update any modules, and still go to /update.php and click on the Update button, I get the same error.
This issue is only happening on the live server. When I try to update on my local copy of the wbesite, I don't have any issues. My local enviorment is running XAMPP on Windows.
I looked at the watchdog table in the database, and I didn't see any entries related to this event.
Solutions I have tried to troubleshoot but had no success:
- I tried using IE, Firefox, Chrome
- Tried turning SecFilterEngine to off Off: https://www.drupal.org/node/255519#comment-978521
- I tried disabling clean URL: https://www.drupal.org/node/348336
Comments
No longer supported
HTTP error 403 means "forbidden."
Drupal 6 is no longer supported.
You really need to rebuild your site using Drupal 7 or 8.
It is possible to manually download each 6.x module by going to each project's page and clicking on "View All Releases."
"Forbidden"? Could there be
"Forbidden"? Could there be something wrong with permissions? If so what permission do I need to change?
I am trying to move to Drupal 7/8 however I can't do that until I update to latest release of Drupal 6.
Issue is fixed. THe issue was
Issue is fixed. THe issue was related to mod_security.
Adding the following code to the .htaccess did NOT work for me. T
The network admin made some adjustments to the server and mod_security to remove Drupal's update.php filter. I still have no idea what this means or what changes he made. I am unsure why the .htaccess method didn't work for me.
To put it into simple terms,
To put it into simple terms, mod_security is a free security module that can be installed into any remote server.
Online hosting services companies tends to use its latest version to secure their server from infiltration because building your own security blockade cost at lot more than "free stuff". ;)
Since the update 1.6 to mod_security, it's now not possible to turn it off from the content. (.htaccess is still considered as content from the server's point of view. It's the access behavior manager for the content.)
That's why SecFilterEngine Off is not working since about 2 years or less (depending on how long the host company took to update its mod_security).
Since this module was installed in the core of the servers (so out of the website management reach), the only thing anyone can do about it is getting in contact with their network administrator and requesting a specific file (update.php in case of Drupal) from the filter. The filter is literally a huge list of specific files list that can pass "some" security filter from mod_security module.
Think of mod_security as the firewall system of the huge servers that host all their websites data. They are using it to simply prevent anyone from accessing their server databases from unauthorized terminals. Things like text data can be entered through the standard database system authorisation as they are only read if requested, but things such as images or any encrypted things are normally automatically rejected, hence why you can post some text-only blog post, but get an error as soon as images or anything remotely accessible are included within the database new data entry.
The html and php actual display doesn't get affected by mod_security because your html folder on the website is automatically part of the exception since it's public access by default. That's why you can add images and modify your website content as long as it doesn't pass through a database entry.
This problem is quite a big one and have affected every site building application/software around the world.
The only current solution is, as stated, gets the .php file that manage the content into the exception list of the filter which can only be modified by the hosting company.