Apache 403 Forbidden When Uploading Files

Apache's module mod_security has a 60kb upload limit by default, so any bigger upload will throw a 403 error code.

As the modsec.conf is only editable by the server provider, I added the following line to every root .htaccess:

SecFilterEngine Off

That turned off the mod_security filter in general.

Author: JAM

Updated on July 18, 2022

Comments

  • JAM
    JAM almost 2 years

    I'm having a strange Apache error when I submit a multipart/form-data form with an input file. It seems that it only happens when I upload files 70kb or bigger.

    Here are my php.ini settings:

    file_uploads = On
    upload_max_filesize = 10M
    max_execution_time = 90
    max_input_time = 90
    memory_limit = 196M
    post_max_size = 10M
    

    Here is the HTML in test.php:

    <form action=""  method="POST" enctype="multipart/form-data">
        <input type="file" name="pdfMagazine" />
        <input type="submit" value="Save" name="saveMagazine" />
    </form>
    

    And here is the error:

    Forbidden
    
    You don't have permission to access /test.php on this server.
    
    Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
    
    Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 Server at myserver.com Port 80
    

    Here's some more details about the environment:

    • Apache doesn't have mod_security installed, and there's no .htaccess restricting the file upload
    • Logs only show that there was a 403 code
    • test.php permissions I tried were 755 and 644
    • Form submits fine if no file is uploaded.

    Can anyone help me please?

    Thanks in advance.

    [UPDATE]

    It appears that the server does have mod_security installed; here is the Apache raw log:

    [Wed Jun 12 19:48:01 2013] [error] [client x.x.x.x] mod_security: Access denied with code 403. read_post_payload: Failed to create file "/root/tmp/20130612-194801-190.115.8.74-request_body-deJpho" because 13("Permission denied") [severity "EMERGENCY"] [hostname "myserver.com"] [uri "/test.php"]
    [Wed Jun 12 19:48:01 2013] [error] [client x.x.x.x] mod_security: sec_filter_in: Failed to open file "/root/tmp/20130612-194801-190.115.8.74-request_body-deJpho" [hostname "myserver.com"] [uri "/403.shtml"]
    

    Doing research I found this:

    **Upload tmpdir issues**
    
    Seeing this?
    
    [Fri Nov 18 14:49:50 2011] [error] [client 72.52.142.215] mod_security: Access denied with code 406. read_post_payload: Failed to create file "/root/tmp/20111118-144950-72.52.142.215-request_body-xGPNPd" because 13("Permission denied") [severity "EMERGENCY"] [hostname "lakedonpedro.org"] [uri "/wp-cron.php?doing_wp_cron"] [unique_id "TsbhJkg0jtcAACYIFDk"]
    
    This actually happens because PHP's being set to use /root/tmp and the upload tmp dir. Let's set a few things then! Yay!
    
    Make sure these are all set in /usr/local/lib/php.ini (session.save_path will probably already be set)
    upload_tmp_dir = /tmp
    session.save_path = /tmp
    
    Make sure these are all set in /usr/local/apache/conf/modsec2.user.conf (or the applicable file for your system)
    SecUploadDir /tmp
    SecTmpDir /tmp
    
    Restart the apachies.
    It also seems it has worked adding the above to modsec.conf corrects this issue. per ~awilson
    

    I did change the php.ini, but the modsec configuration file has a big warning that only the server's provider can edit it, so I'm contacting them.

    I'll let you know what happened.

    [SOLVED]

    Apache's module mod_security has a 60kb upload limit by default, so any bigger upload will throw a 403 error code.

    As the modsec.conf is only editable by the server provider, I added the following line to every root .htaccess:

    SecFilterEngine Off
    

    That turned off the mod_security filter in general.

  • showdev
    showdev over 4 years
    Note that "[s]upport for .htaccess files was discontinued in 2.x as it raised too many security issues" (Kakawait) and that "this could result in an error 500 (Internal Server Error) if you're not allowed to turn the SecFilterEngine off" (Low).
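
Added example (not part of the original thread): a Python parser for the mod_security 1.x log entries quoted in the question, which reports the spool directory each denial names and whether the cause was errno 13 (permission denied). The sample lines are the three log entries copied from this page; the function names `parse_denial` and `spool_failures` are hypothetical.

```python
import errno
import posixpath
import re

# Entry layout taken from the mod_security 1.x log lines quoted in the thread.
DENY_RE = re.compile(
    r'mod_security: Access denied with code (?P<code>\d{3})\. '
    r'(?P<stage>\w+): Failed to create file "(?P<path>[^"]+)" '
    r'because (?P<errno>\d+)\("(?P<reason>[^"]*)"\)'
)
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')  # trailing [key "value"] pairs

# Sample input: the three log entries that appear on this page.
SAMPLE = [
    '[Wed Jun 12 19:48:01 2013] [error] [client x.x.x.x] mod_security: Access denied with code 403. read_post_payload: Failed to create file "/root/tmp/20130612-194801-190.115.8.74-request_body-deJpho" because 13("Permission denied") [severity "EMERGENCY"] [hostname "myserver.com"] [uri "/test.php"]',
    '[Wed Jun 12 19:48:01 2013] [error] [client x.x.x.x] mod_security: sec_filter_in: Failed to open file "/root/tmp/20130612-194801-190.115.8.74-request_body-deJpho" [hostname "myserver.com"] [uri "/403.shtml"]',
    '[Fri Nov 18 14:49:50 2011] [error] [client 72.52.142.215] mod_security: Access denied with code 406. read_post_payload: Failed to create file "/root/tmp/20111118-144950-72.52.142.215-request_body-xGPNPd" because 13("Permission denied") [severity "EMERGENCY"] [hostname "lakedonpedro.org"] [uri "/wp-cron.php?doing_wp_cron"] [unique_id "TsbhJkg0jtcAACYIFDk"]',
]


def parse_denial(line):
    """Parse one request-body spool failure; return None for other entries."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    info["code"], info["errno"] = int(info["code"]), int(info["errno"])
    info["spool_dir"] = posixpath.dirname(info["path"])
    info.update(FIELD_RE.findall(line[m.end():]))  # severity, hostname, uri
    return info


def spool_failures(lines):
    """Count denials caused by EACCES (errno 13), keyed by spool directory."""
    counts = {}
    for info in filter(None, map(parse_denial, lines)):
        if info["errno"] == errno.EACCES:
            counts[info["spool_dir"]] = counts.get(info["spool_dir"], 0) + 1
    return counts


if __name__ == "__main__":
    for directory, hits in spool_failures(SAMPLE).items():
        print(f"{hits} request(s) denied: Apache user cannot write to {directory}")
```

A non-empty result names the directory that the Apache user could not write to, which is the path the quoted `SecUploadDir` and `SecTmpDir` settings change.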