Access Denied for all users as of yesterday evening

rainecc
Contributor
Contributor

Am getting an Access Denied message for all users as of yesterday evening. Have tweeted, asked customer support, sent emails and had no responses. My site is unable to trade.

 

Access Denied

You don't have permission to access "http://www.paypal.com/cgi-bin/webscr" on this server.

Reference #18.388b1bb8.1492603726.f43ed62

 

Can someone confirm that this is a current paypal issue? The page I am trying to access is https://www.paypal.com/cgi-bin/webscr, not the http version, so the error message is incorrect. I note that the reference number is an Akamai error code.

 

Regards

David

 

Login to Me Too
13 REPLIES 13

jperaita
Contributor
Contributor

@hohtech wrote:

I understand that this is a block, but it is blocking ALL of our customers. I can't go out to 5000+ customers and request that they get new IP addresses to access paypal.com! We have reports from users across the UK who are seeing the same issue. 

 

 


Hi hohtech,

 

I don't know if your problem got solved...

 

Were having the exact same issue at https://agenciaisbn.es/web/solicitud_ae.php (the Spanish ISBN Agency), where our customers can buy ISBN ranges or isolated numbers.

On the night of April 7th all our customers started receiving the Access denied message, which seems to be generated by Akamai. We've tried the process from a very varied range of IPs all over the World (via VPN) to no avail.

 

The few messages we've got from PayPal are a carbon copy of the ones you got. I guess that PayPal support share both the same ignorance of the origin of the problem, of the processes run by Akamai, and the same set of "pre-written" replies to the users.

 

I's clear that this is a blocking by Akamai and that it seems to be independent of the IP of the buyer _except_ if said buyer is a member of PayPal support. In our case, of the several hundreds attemps since April 7th, only those originated by PayPal seem to have gone past the Access denied page.

 

PayPal's answer has been the same: "It's worked on our tests so it's a problem of your IP. Change it..."
What? Any and all of the potential cutomers of the Spanish ISBN Agency must change their IPs?

 

The fact that you have the exact same symptoms (down to the low-level trace of the HTTP interchages) means that this is not a problem of your site or of our site. There is clearly a problem on PayPal's side which either 1) they're _unable_ to diagnose and solve or/and 2) they're _unwilling_ to diagnose and solve...

 

Good luck!

Login to Me Too

MTS_Ciaran
Moderator
Moderator

Hey, 

 

Can you post the exact error message you are seeing, and PM me a couple of the affected IP addresses please. 

Login to Me Too

jperaita
Contributor
Contributor

Thanks for jumping in!


All the messages are like:

 

Access Denied

You don't have permission to access "http://www.paypal.com/cgi-bin/webscr" on this server.

Reference #18.77171602.1496070447.16ce2427

 

The Reference number changes from call to call but it always starts with 18.

Although the message mentions "http://www.paypal.com..." the POST is sent to "https://..."


The IP of the merchant site is 82.223.249.123. However, the actual POST requests to PayPal are sent from each customers 'IP.

 

Most of my trials are from 213.27.238.102, but the rest of my team have been testing from other environments. But the call fails from any IP we've tried (among many others, and those of our customers):

- 83.48.63.17, 

- 176.82.37.36,

- 188.172.194.164

-  ...

We've tried Chrome, Firefox, Explorer 11, Edge, from Widows 7 (32), Windows 7 (64), Windows 10. We've also tried from iPhones, iPads and various Android environments...

 

Please note that the online shop at the ISBN Agency has been operating for over a year with no problems. It all started on April 7th night. No code changes involved... We don't have any scripts that might be sending (or that has sent) a large number of requests. The average transactions / month is around 150.


Login to Me Too

jperaita
Contributor
Contributor

Thanks to hohtech, who initiated this thread, we've been able to solve this issue.

 

The problem lies in Akamai's Web Application Firewall (WAF) which PayPal uses to filter the requests before accepting them.

Akamai's WAF does an analysis of the content of each POST request and either accepts it (and passes it to PayPal) or rejects it, with the Access denied message.

 

In early April the rules of Akamai's WAF for PayPal were made stricter, and POST requests which were OK in the past stopped from being accepted.

In our case, once the problem was identified, all it required was removing POST parameters with empty values and changing some URL's which included double dots ("/../../")

 

If you happen to have POST requests which already fit this new set of WAF's stricter rules, you wont't be hit by this problem.

If you get "Access denied" messages and you're not accessing PayPal via POST requests from a merchant site, I fear that this fix won't solve your problem.

 

Best to all.

Login to Me Too

Haven't Found your Answer?

It happens. Hit the "Login to Ask the community" button to create a question for the PayPal community.