Mautic upgrade to 4.3.1 produces 403 http error unless .htaccess security lines are removed

My PHP version is: 7.4.29
My MySQL/MariaDB version is (delete as applicable): 10.3.34-MariaDB, pdo_mysql

Updating/Installing Errors
I am (delete as applicable): Installing / Updating
Upgrading/installing via (delete as applicable): Command Line

After another painful three week upgrade, my installation now seems to be working OK again on version 4.3.1, but only if I remove this entire block from .htaccess:


# Apache 2.4+
<IfModule authz_core_module>
    # Deny access via HTTP requests to all PHP files.
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>

    # Deny access via HTTP requests to composer files.
    <FilesMatch "^(composer\.json|composer\.lock)$">
        Require all denied
    </FilesMatch>

    # Except those allowed below.
    <If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
        Require all granted
    </If>
</IfModule>

# Fallback for Apache < 2.4
<IfModule !authz_core_module>
    # Deny access via HTTP requests to all PHP files.
    <FilesMatch "\.php$">
        Order deny,allow
        Deny from all
    </FilesMatch>

    # Deny access via HTTP requests to composer files
    <FilesMatch "^(composer\.json|composer\.lock)$">
        Order deny,allow
        Deny from all
    </FilesMatch>

    # Except those allowed below.
    <If "%{REQUEST_URI} =~ m#^/(index|index_dev|upgrade/upgrade)\.php#">
        Order allow,deny
        Allow from all
    </If>
</IfModule>


If I leave this in, I get a white screen and 403 redirect. This issue was also found here and the solution (?) came from @rcheesley here.

I was not able to get it working by editing out one line, I had to remove the entire block. Either way, I am probably opening up big security holes?

How can I fix this?

My Mautic installation is on a subdomain → mywebsite.com/mautic . I remember seeing that was a problem for recent upgrades that you had to work around by changing a line in .htaccess. Is it related to that mess?

1 Like

I updated and also experienced the same problem, I had to modify .htaccess to get out of the 403. 🫣

1 Like

Hey folks,

Please check the release notes where we made a security fix to the htaccess file:

Removing that entire block is really a very bad idea for security reasons.

You could compare the differences between your pre-upgrade htaccess with the one in the release and focus specifically on that part - the fix for subfolders was provided in the issue here:

If you cannot figure out the changes you need to make to support your current Mautic setup in a subfolder (eg the regex to use) then maybe consider hiring someone to help with that - it should be a relatively simple job.

1 Like
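To make the "regex to use" concrete for a subfolder install, here is an added example (it is not from this thread and not Mautic's shipped .htaccess). It assumes Mautic is served under /mautic, as in the original post, and touches only the Apache 2.4+ half of the block quoted above; the "Apache < 2.4" fallback takes the identical change to its `<If>` line. The deny rules are kept exactly as shipped, because they are the part that protects every other PHP file from direct requests and are what disappears when the whole block is deleted.

```apacheconf
# Added example, not Mautic's own .htaccess: the Apache 2.4+ section of the
# quoted block, adjusted for a Mautic install under /mautic (assumed path,
# taken from the original post).
<IfModule authz_core_module>
    # Keep the deny rules exactly as shipped. Direct HTTP requests to any
    # .php file, or to the composer files, are refused. These lines are the
    # protection that is lost when the whole block is removed.
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>

    <FilesMatch "^(composer\.json|composer\.lock)$">
        Require all denied
    </FilesMatch>

    # Only the allow-list changes. %{REQUEST_URI} is the full path as the
    # browser requested it, so on a subfolder install it is
    # /mautic/index.php rather than /index.php, and the shipped pattern
    #   m#^/(index|index_dev|upgrade/upgrade)\.php#
    # never matches. The front controller is then caught by the deny rule
    # above and Apache answers 403 (the white screen reported in the thread).
    # Anchoring the pattern under the subfolder re-allows the same three
    # entry points and nothing else.
    <If "%{REQUEST_URI} =~ m#^/mautic/(index|index_dev|upgrade/upgrade)\.php#">
        Require all granted
    </If>
</IfModule>
```

After editing, run `apachectl -t` (or `apache2ctl -t` on Debian-based systems) to syntax-check the configuration, then confirm the behaviour from the outside: a request for /mautic/index.php should no longer return 403, while a request for any other .php file under /mautic should still be refused with 403. If the second check passes, the deny rules are intact and the only thing that changed is the allow-list prefix.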

How about you figure out your upgrade process @rcheesley.

We are already working on improving the upgrade process, however sometimes we do have to make changes to files like the htaccess as part of a security fix - as was the case in this release.

The fix could have been better implemented and communicated at the time, however we are extremely short handed when it comes to people helping us to test fixes and releases (especially within the security team), so sometimes things are missed. In this case, the volunteer contributing the fix and everyone testing did not think to test with a sub-folder, as all of us use a subdomain and when we test we are always testing in a subdomain. You can be sure we will learn from this going forward when making changes to the htaccess file and make sure we do factor into the equation that folks may be using a subdirectory.

Once the problem became apparent, suggestions for working around this were provided, as you will see in the issue. This should give sufficient information on how to address this if you happen to be using Mautic in a subfolder.

Ultimately, before updating you must read the release notes to check for any important messages about the release. A link is provided with every release notification to the release notes for that release. There will always be times, especially with minor (4.2, 4.3) or major (4.0, 5.0) and sometimes with security fixes, where you will have to take action to amend or tweak your configuration due to changes introduced.

If you feel this can be better managed and communicated then you are warmly invited to be a part of the solution and join the community as an active contributor. You can get involved with the product team to help with reviewing/testing, with the release team who work through making the actual releases, with the marketing or community team - lots of ways to help us to improve the release and upgrade process and help to make Mautic better.

2 Likes

Hi @rcheesley 🙂

I would be happy to volunteer to be part of the release testing team for different settings, etc. 🤗

Regards!

1 Like

Awesome! Please do join us on Slack in #t-product - that is where we share what is being targeted for consideration, and what we need help with testing. You can get an invite at Mautic Community On Slack 🙂

1 Like