CAKE PHP v2 - Access Denied - 400 Bad Request, our browser sent a request that this server could not understand

Question

I was called to give maintenance on a project in cake php. The customer had the project running perfectly on his hosting, and accidentally deleted the entire contents, then I was called to redo the deploy into a new hosting.

I did the standard procedure, I copied all files to an FTP directory, and fix new connection links with the database in database.php files and wordpresscomponent.php (since the project has an integration with a page on wordpress) and also in the wp-config.php own folder that runs the other application in wordpress.

At first I was quite open issues on the site, broken images and forms not working. I realized I was missing permissions on the temp folder (after uploading the files in the new FTP new provider), then gave permission 755 in the temp folder in the core of the internal folder and the "files" folder in \ app \ webroot \ files also realized my Filezilla corrupted files and images to upload, then had to redo the whole upload new files. And the site has returned to work.

But I have a problem in the design of the administrative panel. There is a tab that register objects of type "products" and "newspaper" which are text with images (representing products that are going on the site page).

Whenever I edit an information of that page, I get the error mentioned in this topic. " 400 Bad Request

Your browser sent a request that this server could not understand."

UPDATE: I noticed that the error is related to a table that is loaded in the product object information. If I edit a product, and exclude this table, or create a new product, the error shows different, which seems to be related only to a function that loads images:

Fatal error: Class 'imagick' not found in /home/serramar.coop.br/public_html/app/Plugin/upload/Model/Behavior/UploadBehavior.php on line 829

nutrition atribute from log

#

HOSTING SERVER ERROR LOG:

[Tue Mar 22 03:35:19 2016] [error] [client 189.110.14.241] ModSecurity:      Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:data[Product][nutrition]. [id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "serramar.coop.br"] [uri "/admin/products/edit/7"] [unique_id "aqC917rtAAIAAENAEKkAAAA2"]

[Tue Mar 22 03:35:19 2016] [error] [client 189.110.14.241] ModSecurity: Audit log: Failed to lock global mutex: Bad file descriptor [hostname "serramar.coop.br"] [uri "/admin/products/edit/7"] [unique_id "aqC917rtAAIAAENAEKkAAAA2"]

[Tue Mar 22 03:35:19 2016] [error] [client 189.110.14.241] ModSecurity: Audit log: Failed to unlock global mutex: Bad file descriptor [hostname "serramar.coop.br"] [uri "/admin/products/edit/7"] [unique_id "aqC917rtAAIAAENAEKkAAAA2"]

#

/public_html htaccess:

<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteRule    ^$ app/webroot/    [L]
 RewriteRule    (.*) app/webroot/$1 [L]
</IfModule>

#

/public_html/app htaccess:

<IfModule mod_rewrite.c>
 RewriteEngine on
 #RewriteBase /webroot/
 RewriteRule    ^$    webroot/    [L]
 RewriteRule    (.*) webroot/$1    [L]
</IfModule>

#

/public_html/app/webroot htaccess:

<IfModule mod_rewrite.c>
 RewriteEngine on
 #RewriteBase /app/webroot/
 RewriteCond %{REQUEST_FILENAME} !-d
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule ^(.*)$ index.php [QSA,L]
</IfModule>

#

Product Controller.php in public_html/app/Controller/ProductsController.php

<?php
App::uses('AppController', 'Controller');
/**
 * Products Controller
 *
 * @property Product $Product
 */
class ProductsController extends AppController {

    public function beforeFilter() {
        $directory = $this->webroot . 'files' . DS . 'product' . DS . 'picture' . DS;
        $this->set('directory', $directory);
        $this->set('tabelanutricional', $this->Product->getTabelaNutricional());
        return parent::beforeFilter();
    }

/**
 *  Layout
 *
 * @var string
 */
    public $layout = 'bootstrap';

/**
 * 
 *
 * @var array
 */
    public $helpers = array('TwitterBootstrap.BootstrapHtml', 'TwitterBootstrap.BootstrapForm', 'TwitterBootstrap.BootstrapPaginator');
/**
 * Components
 *
 * @var array
 */
    public $components = array('Session');

    public function index($line = null){
        $this->layout = 'default';
        $this->Product->recursive = 0;
        $this->redirect('/#produtos');
    }

    public function serramar(){
        $this->layout = 'default';
        $this->Product->recursive = 0;
        $products = $this->Product->find('all', array('conditions'=>array('Product.line'=>'serramar')));
        $this->set('products', $products);
        $this->set('page', 'produtos');
        $this->set('subtitle', 'Conheça a linha de produtos feitos com o mais delicioso leite das fazendas, um privilégio que você pode ter todos os dias em sua casa');
    }

    public function maringa(){
        $this->layout = 'default';
        $this->Product->recursive = 0;
        $products = $this->Product->find('all', array('conditions'=>array('Product.line'=>'maringa')));
        $this->set('products', $products);
        $this->set('page', 'produtos');
        $this->set('subtitle', 'A tradição que põe um sabor especial na sua mesa.');
    }

    public function milkmix(){
        $this->layout = 'default';
        $this->Product->recursive = 0;
        $products = $this->Product->find('all', array('conditions'=>array('Product.line'=>'milkmix')));
        $this->set('products', $products);
        $this->set('page', 'produtos');
        $this->set('subtitle', 'A saborosa bebida láctea da Serramar em novos e deliciosos sabores: ameixa e laranja. Saiba mais!');
    }

    public function serramar_all($id = null){
        $this->layout = 'ajax';
        $products = $this->Product->find('all', array('conditions'=>array('Product.line'=>'serramar')));
        $this->set('products', $products);
        $this->set('id', $id);
    }
    public function milkmix_all($id = null){
        $this->layout = 'ajax';
        $products = $this->Product->find('all', array('conditions'=>array('Product.line'=>'milkmix')));
        $this->set('products', $products);
        $this->set('id', $id);

    }
    public function maringa_all($id = null){
        $this->layout = 'ajax';
        $products = $this->Product->find('all', array('conditions'=>array('Product.line'=>'maringa')));
        $this->set('products', $products);
        $this->set('id', $id);

    }

/**
 * index method
 *
 * @return void
 */
    public function admin_index() {
        $this->Product->recursive = 0;
        $this->set('products', $this->paginate());
    }

/**
 * view method
 *
 * @param string $id
 * @return void
 */
    public function admin_view($id = null) {
        $this->Product->id = $id;
        if (!$this->Product->exists()) {
            throw new NotFoundException(__('Invalid %s', __('product')));
        }
        $this->set('product', $this->Product->read(null, $id));
    }

/**
 * add method
 *
 * @return void
 */
    public function admin_add() {
        if ($this->request->is('post')) {
            $this->Product->create();
            if ($this->Product->save($this->request->data)) {
                $this->Session->setFlash(
                    __('The %s has been saved', __('product')),
                    'alert',
                    array(
                        'plugin' => 'TwitterBootstrap',
                        'class' => 'alert-success'
                    )
                );
                $this->redirect(array('action' => 'index'));
            } else {
                $this->Session->setFlash(
                    __('The %s could not be saved. Please, try again.', __('product')),
                    'alert',
                    array(
                        'plugin' => 'TwitterBootstrap',
                        'class' => 'alert-error'
                    )
                );
            }
        }               
    }

/**
 * edit method
 *
 * @param string $id
 * @return void
 */
    public function admin_edit($id = null) {
        $this->Product->id = $id;
        if (!$this->Product->exists()) {
            throw new NotFoundException(__('Invalid %s', __('product')));
        }
        if ($this->request->is('post') || $this->request->is('put')) {
            if ($this->Product->save($this->request->data)) {
                $this->Session->setFlash(
                    __('The %s has been saved', __('product')),
                    'alert',
                    array(
                        'plugin' => 'TwitterBootstrap',
                        'class' => 'alert-success'
                    )
                );
                $this->redirect(array('action' => 'index'));
            } else {
                $this->Session->setFlash(
                    __('The %s could not be saved. Please, try again.', __('product')),
                    'alert',
                    array(
                        'plugin' => 'TwitterBootstrap',
                        'class' => 'alert-error'
                    )
                );
            }
        } else {
            $this->request->data = $this->Product->read(null, $id);
        }

    }

/**
 * delete method
 *
 * @param string $id
 * @return void
 */
    public function admin_delete($id = null) {
        if (!$this->request->is('post')) {
            throw new MethodNotAllowedException();
        }
        $this->Product->id = $id;
        if (!$this->Product->exists()) {
            throw new NotFoundException(__('Invalid %s', __('product')));
        }
        if ($this->Product->delete()) {
            $this->Session->setFlash(
                __('The %s deleted', __('product')),
                'alert',
                array(
                    'plugin' => 'TwitterBootstrap',
                    'class' => 'alert-success'
                )
            );
            $this->redirect(array('action' => 'index'));
        }
        $this->Session->setFlash(
            __('The %s was not deleted', __('product')),
            'alert',
            array(
                'plugin' => 'TwitterBootstrap',
                'class' => 'alert-error'
            )
        );
        $this->redirect(array('action' => 'index'));
    }
}

Answer 1

The problem was solved!!!

After repairing the logs again:

[Tue Mar 22 22:30:26 2016] [error] [client 200.100.30.37] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\% ($ | \\\\ W | [0-9a-fA-F] {2} | u [0-9a-fA-F] {4}!)" At ARGS: date [Product] [nutrition]. [Id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "serramar.coop.br"] [uri "/ admin / products / edit / 7"] [unique_id "RjzfCLrtAAIAAMynquEAAABM" ]

[Tue Mar 22 22:30:46 2016] [error] [client 200.100.30.37] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\% ($ | \\\\ W | [0-9a-fA-F] {2} | u [0-9a-fA-F] {4}!)" At ARGS: date [Product] [nutrition]. [Id "950107"] [msg "URL Encoding Abuse Attack Attempt"] [severity "WARNING"] [hostname "serramar.coop.br"] [uri "/ admin / products / edit / 7"] [unique_id "R3HZ1rrtAAIAAKH1tKEAAABr" ]

I saw what he was denying access of the product nutrition table, the code:

[Product] [nutrition] https://i.stack.imgur.com/yg7q3.png

I deleted that table, and tried to register again a product and gave this error:

[Tue Mar 22 22:31:46 2016] [error] [client 200.100.30.37] PHP Fatal error: Class 'imagick' not found in /home/serramar.coop.br/public_html/app/Plugin/upload/Model/ Behavior / UploadBehavior.php on line 829, referer: http://serramar.coop.br/admin/products/edit/7

Then I realized that the 'imagick' class is a standard class in every host that supports PHP, and I suspected that my client's hosting does not support php.

I upload the whole project again in a php hosting that I have (hostgator), and everything worked without error.

CAUSE: Hosting without support php. SOLUTION: hosting replacement for one with PHP support.