|
Joined: Aug 2006
Posts: 583
old hand
|
old hand
Joined: Aug 2006
Posts: 583 |
One of my members gets a 404 Error when trying to preview a post:
"Forbidden You don't have permission to access /XXXXX/ubbthreads.php on this server."
Now I don't have this person's IP in my .htaccess (which is uaually why one would get this error). Rick, any idea what might cause this when he tries to preview?
Basil
|
|
|
|
Joined: Jun 2006
Posts: 9,242 Likes: 1
Former Developer
|
Former Developer
Joined: Jun 2006
Posts: 9,242 Likes: 1 |
Does everything else work ok? To see if it's some sort of AJAX issue with the user, have him try to edit his profile and preview his signature and see if that works for him.
|
|
|
|
Joined: Aug 2006
Posts: 1,649 Likes: 1
Pooh-Bah
|
Pooh-Bah
Joined: Aug 2006
Posts: 1,649 Likes: 1 |
That is the exact error I get when the server I'm on rejects a keyword deemed dangerous, such as the word lynx (with a space after it). Perhaps your server has that same anti-hacking utility (or whatever it is) scanning your webforms, and it's rejecting a specific word being typed. Just a possibility. If you have them email the exact text to you, you could try it yourself to see if the server is rejecting something. You can also preview it here, as I don't think any utility like that is running (since I can use the work "lynx " here).
GangsterBB.NET (Ver. 7.6.1.1) PHP Version 5.6.40 / MySQL 5.7.23-23 (was 5.6.41-84.1) / Apache 2.4.54 2007 Content Rulez Contest - Hon Mention UBB.classic 6.7.2 - RIP
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
it's called mod_security; and it's quite millitant... You should ask your host to check your error_log to see what keyword is triggering it.
|
|
|
|
Joined: Aug 2006
Posts: 1,649 Likes: 1
Pooh-Bah
|
Pooh-Bah
Joined: Aug 2006
Posts: 1,649 Likes: 1 |
it's called mod_security; and it's quite millitant... You should ask your host to check your error_log to see what keyword is triggering it. Thanks, I keep forgetting what it's called, and I think I've mentioned this at least 3 different times already on this bb
GangsterBB.NET (Ver. 7.6.1.1) PHP Version 5.6.40 / MySQL 5.7.23-23 (was 5.6.41-84.1) / Apache 2.4.54 2007 Content Rulez Contest - Hon Mention UBB.classic 6.7.2 - RIP
|
|
|
|
Joined: Jun 2006
Posts: 9,242 Likes: 1
Former Developer
|
Former Developer
Joined: Jun 2006
Posts: 9,242 Likes: 1 |
Yeah, this is one of the things that had me stumped when working on a board. It wouldn't allow anything with a @ and a : on the same line.
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
Thanks, I keep forgetting what it's called, and I think I've mentioned this at least 3 different times already on this bb And I think I've said its name 3 differant times already lol ... Yeah, this is one of the things that had me stumped when working on a board. It wouldn't allow anything with a @ and a : on the same line. We used it at "the webhost" when i was there, took some getting used to, and a lot of configuration to get running right... It is quite nice, but ships way too anal retentive...
|
|
|
|
Joined: Aug 2006
Posts: 1,649 Likes: 1
Pooh-Bah
|
Pooh-Bah
Joined: Aug 2006
Posts: 1,649 Likes: 1 |
And I think I've said its name 3 differant times already lol ... Next time I'll just search for the word "lynx" here and find it.
GangsterBB.NET (Ver. 7.6.1.1) PHP Version 5.6.40 / MySQL 5.7.23-23 (was 5.6.41-84.1) / Apache 2.4.54 2007 Content Rulez Contest - Hon Mention UBB.classic 6.7.2 - RIP
|
|
|
|
Joined: Nov 2006
Posts: 3,095 Likes: 1
Carpal Tunnel
|
Carpal Tunnel
Joined: Nov 2006
Posts: 3,095 Likes: 1 |
now searching for "anal retentive...lynx" waiting waiting....
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
Hehe one hopes ... I did a bunch of research on the module, it is really quite nice, but the rules themselves can toatally trash some scripts, not to mention leave the admin's of the sites going "what the hell?" when they're trying for legit use... If you have access to your error logs you should be able to find it, in a section 509 error code i think; it's been a while since i've played with it.
|
|
|
|
Joined: Aug 2006
Posts: 583
old hand
|
old hand
Joined: Aug 2006
Posts: 583 |
Does everything else work ok? To see if it's some sort of AJAX issue with the user, have him try to edit his profile and preview his signature and see if that works for him. Rick, he gets the same error when previewing his sig, so sounds like an AJAX issue, yes? The next question is what to do about it. I know that AJAX is related to Javascript so could it be that he has an outdated JRE? Or some setting not set right in his Netscape? He is on an older MAC with Netscape 7 if that helps. Basil
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
The JRE should only effect Java applets and not javascript (java and javascript aren't the same, just fyi)
|
|
|
|
Joined: Aug 2006
Posts: 583
old hand
|
old hand
Joined: Aug 2006
Posts: 583 |
I wonder why when I updated I stopped having problems with Previews. I was having Previews hang on me all the time, and when I upgraded to JRE 1.5.0_10 all of the sudden I stopped having any issues with Previews. Coincidence?
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
:shrug: interesting to say the least lol... My friend Pat is a java programmer, he went off on me for like an hour for assuming they're the same thing (or at least related) lol.
|
|
|
|
Joined: Aug 2006
Posts: 583
old hand
|
old hand
Joined: Aug 2006
Posts: 583 |
Ok, so getting back to the original problem - I have a member who gets "404 Forbidden" if he tried to preview ANY post or if he tries to preview his signature in the profile. He is using NS7 on a MAC. Any ideas what might be gong on?
Basil
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
Ask him to copy the URL he's browsing when a 404 comes up.
|
|
|
|
Joined: Jun 2006
Posts: 9,242 Likes: 1
Former Developer
|
Former Developer
Joined: Jun 2006
Posts: 9,242 Likes: 1 |
Also, you may be able to get some more info in the webserver error log. You'd need to know his IP and have him give you the time he gets the error, then you can scan the webserver error log to see if there are any details.
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
yeh, if it's a mod security issue it'll show in the error log as well, along with the offending string used.
|
|
|
|
Joined: Aug 2006
Posts: 583
old hand
|
old hand
Joined: Aug 2006
Posts: 583 |
Ok, I'll call him and have him try to preview a post then I'll go right in and see what is in the error log for his IP.
|
|
|
|
Joined: Dec 2006
Posts: 184
member
|
member
Joined: Dec 2006
Posts: 184 |
I had a similar issue, turned out it was mod_security...contacted my hosts, explained issue, they fixed it, I'm happy !
Gizzy is right though :
"it's quite millitant
Two words were the cause...one understandable
insert
the other, just weird
from
Hmmmmmm
Weird !
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
If you get the chance to view the words list you should jump on it, you can't really respect it as much until you do lol... Most of them have a comment that states what they're there to block.
|
|
|
|
Joined: Aug 2006
Posts: 583
old hand
|
old hand
Joined: Aug 2006
Posts: 583 |
I have Mod Security installed, but where/how do I view the words that might be blocked?
On the other hand, I "Became" the member having the problem and did a preview of his signature and had no 404 Error (his sig is just an image tag with a single image) but when HE previews his sig (or previews ANY post) he gets the 404 error, so in his case at least I don't think its a Mod Security issue.
Basil
Last edited by Basil; 01/12/2007 12:40 AM.
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
Basil, if this is the case with the user, it's likely something with his computer vs your server.
As for the mod_security keywords, I'm not sure where it stores it, i'll have to look it up (you will have to be rot on the server to view it)
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
Ok, the exact location shoudl be in your httpd.conf, it should be a line indicating to include something similar to: /etc/httpd/conf/modsecurity.conf The default rules are: # Only accept request encodings we know how to handle
# we exclude GET requests from this because some (automated)
# clients supply "text/html" as Content-Type
SecFilterSelective REQUEST_METHOD "!^GET$" chain
SecFilterSelective HTTP_Content-Type "!(^$|^application/x-www-form-urlencoded$|^multipart/form-data)"
# Require Content-Length to be provided with
# every POST request
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterSelective HTTP_Content-Length "^$"
# Don't accept transfer encodings we know we don't handle
# (and you don't need it anyway)
SecFilterSelective HTTP_Transfer-Encoding "!^$"
# WEB-ATTACKS /bin/sh command attempt
SecFilter "/bin/sh"
# WEB-ATTACKS ps command attempt
SecFilterSelective THE_REQUEST "/bin/ps"
# WEB-ATTACKS /bin/ps command attempt
# SecFilterSelective THE_REQUEST "ps\x20"
# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"
# WEB-ATTACKS uname -a command attempt
SecFilter "uname\x20-a"
# WEB-ATTACKS /usr/bin/id command attempt
SecFilter "/usr/bin/id"
# WEB-ATTACKS id command attempt
SecFilter "\;id"
# WEB-ATTACKS echo command attempt
SecFilter "/bin/echo"
# WEB-ATTACKS kill command attempt
SecFilter "/bin/kill"
# WEB-ATTACKS chmod command attempt
SecFilter "/bin/chmod"
# WEB-ATTACKS chgrp command attempt
SecFilter "/chgrp"
# WEB-ATTACKS chown command attempt
SecFilter "/chown"
# WEB-ATTACKS chsh command attempt
SecFilter "/usr/bin/chsh"
# WEB-ATTACKS tftp command attempt
SecFilter "tftp\x20"
# WEB-ATTACKS gcc command attempt
SecFilter "gcc\x20-o"
# WEB-ATTACKS cc command attempt
#SecFilter "cc\x20"
# WEB-ATTACKS /usr/bin/cpp command attempt
SecFilter "/usr/bin/cpp"
# WEB-ATTACKS cpp command attempt
SecFilter "cpp\x20"
# WEB-ATTACKS /usr/bin/g++ command attempt
SecFilter "/usr/bin/g\+\+"
# WEB-ATTACKS g++ command attempt
SecFilter "g\+\+\x20"
# WEB-ATTACKS bin/python access attempt
SecFilter "bin/python"
# WEB-ATTACKS python access attempt
SecFilter "python\x20"
# WEB-ATTACKS bin/tclsh execution attempt
SecFilter "bin/tclsh"
# WEB-ATTACKS tclsh execution attempt
SecFilter "tclsh8\x20"
# WEB-ATTACKS bin/nasm command attempt
SecFilter "bin/nasm"
# WEB-ATTACKS nasm command attempt
SecFilter "nasm\x20"
# WEB-ATTACKS /usr/bin/perl execution attempt
SecFilter "/usr/bin/perl"
# WEB-ATTACKS perl execution attempt
SecFilter "perl\x20"
# WEB-ATTACKS traceroute command attempt
SecFilter "traceroute\x20"
# WEB-ATTACKS ping command attempt
SecFilter "/bin/ping"
# WEB-ATTACKS netcat command attempt
SecFilter "nc\x20"
# WEB-ATTACKS nmap command attempt
SecFilter "nmap\x20"
# WEB-ATTACKS xterm command attempt
SecFilter "/usr/X11R6/bin/xterm"
# WEB-ATTACKS X application to remote host attempt
SecFilter "\x20-display\x20"
# WEB-ATTACKS lsof command attempt
SecFilter "lsof\x20"
# WEB-ATTACKS rm command attempt
SecFilter "rm\x20"
# WEB-ATTACKS mail command attempt
SecFilter "/bin/mail"
# WEB-ATTACKS /bin/ls command attempt
SecFilterSelective THE_REQUEST "/bin/ls"
# WEB-ATTACKS /etc/inetd.conf access
SecFilter "/etc/inetd\.conf" log,pass
# WEB-ATTACKS /etc/motd access
SecFilter "/etc/motd" log,pass
# WEB-ATTACKS /etc/shadow access
SecFilter "/etc/shadow" log,pass
# WEB-ATTACKS conf/httpd.conf attempt
SecFilter "conf/httpd\.conf" log,pass
# WEB-ATTACKS .htgroup access
SecFilterSelective THE_REQUEST "\.htgroup" log,pass
# WEB-CGI rksh access
SecFilterSelective THE_REQUEST "/rksh"
# WEB-CGI bash access
SecFilterSelective THE_REQUEST "/bash" log,pass
# WEB-CGI perl command attempt
SecFilterSelective THE_REQUEST "/perl\?"
# WEB-CGI zsh access
SecFilterSelective THE_REQUEST "/zsh"
# WEB-CGI csh access
SecFilterSelective THE_REQUEST "/csh"
# WEB-CGI tcsh access
SecFilterSelective THE_REQUEST "/tcsh"
# WEB-CGI rsh access
SecFilterSelective THE_REQUEST "/rsh"
# WEB-CGI ksh access
SecFilterSelective THE_REQUEST "/ksh"
# WEB-CGI icat access
SecFilterSelective THE_REQUEST "/icat" log,pass
# WEB-CGI /cgi-bin/ls access
SecFilterSelective THE_REQUEST "/cgi-bin/ls" log,pass
# WEB-CLIENT Javascript document.domain attempt
SecFilter "document\.domain\("
# WEB-CLIENT Javascript URL host spoofing attempt
SecFilter "javascript\://"
# WEB-MISC cross site scripting \(img src=javascript\) attempt
SecFilter "img src=javascript"
# WEB-MISC .htpasswd access
SecFilter "\.htpasswd"
# WEB-MISC http directory traversal
SecFilter "\.\.\\"
# WEB-MISC http directory traversal
SecFilter "\.\./"
# WEB-MISC ls%20-l
SecFilter "ls\x20-l"
# WEB-MISC /etc/passwd
SecFilter "/etc/passwd"
# WEB-MISC .htaccess access
SecFilter "\.htaccess"
# WEB-MISC cd..
SecFilter "cd\.\."
# WEB-MISC /.... access
SecFilter "/\.\.\.\."
# WEB-MISC cat%20 access
SecFilter "cat\x20"
# WEB-MISC long basic authorization string
SecFilter "Authorization\: Basic "
# WEB-MISC .history access
SecFilterSelective THE_REQUEST "/\.history"
# WEB-MISC .bash_history access
SecFilterSelective THE_REQUEST "/\.bash_history"
# WEB-MISC *%0a.pl access
SecFilterSelective THE_REQUEST "/*\x0a\.pl"
# WEB-MISC apache ?M=D directory list attempt
SecFilterSelective THE_REQUEST "/\?M=D" log,pass
# WEB-MISC server-status access
SecFilterSelective THE_REQUEST "/server-status" log,pass
# WEB-MISC Transfer-Encoding\: chunked
SecFilter "chunked"
# WEB-MISC perl post attempt
SecFilterSelective THE_REQUEST "/perl/" chain
SecFilter "POST"
# WEB-MISC mod_gzip_status access
SecFilterSelective THE_REQUEST "/mod_gzip_status" log,pass
# WEB-PHP squirrel mail spell-check arbitrary command attempt
SecFilterSelective THE_REQUEST "/squirrelspell/modules/check_me\.mod\.php" chain
SecFilter "SQSPELL_APP\["
# WEB-PHP squirrel mail theme arbitrary command attempt
SecFilterSelective THE_REQUEST "/left_main\.php" chain
SecFilter "cmdd="
# WEB-PHP phpbb quick-reply.php arbitrary command attempt
SecFilterSelective THE_REQUEST "/quick-reply\.php" chain
SecFilter "phpbb_root_path="
# WEB-PHP phpbb quick-reply.php access
SecFilterSelective THE_REQUEST "/quick-reply\.php" log,pass
SecFilterSelective THE_REQUEST "\.php" chain
SecFilter "path=http\://"
# WEB-PHP Mambo uploadimage.php upload php file attempt
SecFilterSelective THE_REQUEST "/uploadimage\.php" chain
SecFilter "\.php"
# WEB-PHP Mambo upload.php upload php file attempt
SecFilterSelective THE_REQUEST "/upload\.php" chain
SecFilter "\.php"
# WEB-PHP Mambo uploadimage.php access
SecFilterSelective THE_REQUEST "/uploadimage\.php" log,pass
# WEB-PHP Mambo upload.php access
SecFilterSelective THE_REQUEST "/upload\.php" log,pass
# WEB-PHP phpBB privmsg.php access
SecFilterSelective THE_REQUEST "/privmsg\.php" log,pass
# WEB-PHP test.php access
SecFilterSelective THE_REQUEST "/test\.php" log,pass
# WEB-PHP phpBB viewtopic.php
SecFilterSelective THE_REQUEST "viewtopic.php" chain
SecFilterSelective "THE_REQUEST|ARG_VALUES" "(system|exec|passthru|cmd|fopen|exit|fwrite)" deny,log
# EXTRAS
SecFilter "/boot"
SecFilter "/dev"
SecFilter "/etc"
SecFilter "/initrd"
SecFilter "/lost+found"
SecFilter "/mnt"
SecFilter "/proc"
SecFilter "/root"
SecFilter "/sbin"
SecFilter "/tmp"
SecFilter "/usr/local/apache"
SecFilter "/var/spool"
SecFilter "/bin/cc"
SecFilter "/bin/gcc"
SecFilter "<[[:space:]]*script"
SecFilter "<(.|\n)+>"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from" But can be updated easily. Additionally a log should be created (should you specify Mod_Security to do so) in a directory similar to (this can be changed in the mod_security configuration file mentioned above): /var/log/httpd/audit_log Theres a whole post on setting it up here which includes some keywords which will conflict with forums and forms in general.
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
Oh btw, issues like this is why the "Become this user" option is great, because you can try to replicate things using their account, with instructions provided by them to see if it's an issue on your side, or if the issue exists between the monitor and the chair...
|
|
|
|
Joined: Nov 2006
Posts: 3,095 Likes: 1
Carpal Tunnel
|
Carpal Tunnel
Joined: Nov 2006
Posts: 3,095 Likes: 1 |
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
Indeed... I love wiki lol... I propose a [wiki:term] tag lol...
|
|
|
|
Joined: Aug 2006
Posts: 583
old hand
|
old hand
Joined: Aug 2006
Posts: 583 |
Ok, the exact location shoudl be in your httpd.conf, it should be a line indicating to include something similar to: Thanks for the info. I do suspect that the problem is in his set up, now I just have to figure out what is going on. I am wondering if he has a Firewall instaolled that might be causing a problem.
|
|
|
|
Joined: Jun 2006
Posts: 16,301 Likes: 116
|
Joined: Jun 2006
Posts: 16,301 Likes: 116 |
That is a definate possibilitiy; I've heard of some firewalls and security suites (including virus scanners) which block POST/GET requests, as well as referrer variables... Which would make sense
|
|
|
|
Bots
by Outdoorking - 04/13/2024 5:08 PM
|
|
|
0 members (),
802
guests, and
186
robots. |
Key:
Admin,
Global Mod,
Mod
|
|
|
|