Can't add products to block after moving to new host

Hi there,

I need help on that one, can’t figure it out.

I recently moved my store to a new host following the procedure found on the CS-Cart website. I did a fresh install then uploaded my database and copied the existing files over the new ones. Set permissions according to CS-Cart.

Everything went fine except 2 problems. I can’t add products to blocks, the popup to choose products don’t load and I get ‘Permission denied’ on the file picker.js

This file already have the permission 755. All folders have permissions 755. var, skins, images, catalog folders, subfolders and files have 777 permissions.

I also frequently get logged out for no reason on the admin side. On the customer side, if I had a product in cart and click checkout, cart come empty…if i do it a second time, item stay in cart.

I don’t know if it is related but I installed the cart in a subfolder instead of the root directory in the previous install.

Thanks for your help!

Ok, I fixed the second problem by moving the store to the root folder. Probably something to do with the URL rewrite in .htaccess.

Still can’t find a solution for the first problem… any idea?

Fixed! For those interested, problem was with mod_security PHP module.

i think i’m having the same problem :sad:

can you share steps you took?


Yes likewise.

Any help would be much appreciated.


Please try to check the Firewall settings on your server, disable the “Suhosin” module and the “mod_security” module in your PHP configuration, contact your server administrator about it.

Isn’t Mod_security rather vital to the security of the server?

Considering i have 10 sites hosted on this server i don’t think removing a big chunk of server security is the best thing?

Is there maybe a more elegant solution that doesn’t involve leaving the server open to possible attack?

Hello Marticus,

Unfortunately, CS-Cart cannot work properly on the server with the “mod_security” and “Safe mode” modules enabled.

The mod_security feature scans all incoming posts for forbidden words or phrases that might indicate someone is trying to hack the system, and if any of them exist then Apache returns the 403 Forbidden error. Common phrases that tend to trigger mod_security include curl, wget, set, file, etc.

The enabled “mod_security” module can cause a problem when you submit any form (for example when you update profile fields information) that contains some inadmissible words like “curl”, “perl”, “set”, etc. Mod_security responses to the data that comes from a page to the server and blocks these inadmissible words.

The words that can be blocked are different on different servers (it depends on the settings, that a server administrator sets up), so there is no ability to develop a uniform solution for this problem and the “mod_security” module should be disabled on the server for proper CS-Cart work.

Note, that CS-Cart is designed to meet the latest security requirements and one of such requirements is PCI compliance. Please refer to the following page of our website to learn more about this security standard:


Also, the following security means are supported in CS-Cart by default:

Full HTTPS/SSL support

Secure HTTPS/SSL administrative access

Secure HTTPS/SSL checkout, login and customer profile pages

Customer passwords are MD5 encrypted in database

Password-protected administrative access

CS-Cart is a secure software by itself if CS-Cart directories and files have correct permissions and there are default CS-Cart .htaccess files in the necessary directories.

You do not need to do anything special to make your CS-Cart store more secure but anyway you should follow general rules of web security - use complicated passwords, change them regularly, use anti-virus software, etc.

Thanks for the reply

My Server admin has managed to resolved this. i think he went through and removed rules individually untill he found the right one. unfortunatelly i dont know what it was.

anyway all sorted for me.

Many thanks

Thank you.


We have also experienced this problem, and with the help of our hosts, United Hosting, we have been able to fix it. The rule ID’s that we had whitelisted to clear this error were:




Once these were done we could add products to our side blocks.

These rules should be disabled from the default mod_security ruleset






Thanks guys thats good to know!

For me, the solution was:

  • Disable “Enable secure connection in the administration panel (SSL certificate is required to be installed on your server)” in General Settings. (I think this is the main fix, I would try this first).

  • Having my hosting company disable these rules from the default mod_security ruleset: (this can be part of the fix but definitely NOT by itself the fix for me)