#1 2010-12-22 10:05:16

litespeed
Member
From: Essex, UK
Registered: 2010-12-10
Posts: 24

mod_security - 403 Forbidden

I'm posting this fix in case anyone else has a similar problem.

I was receiving a 403 Forbidden message from my host's webserver when trying to access the Administration menu options at this URI:

.../profile.php?section=admin&id=2&action=foo

My web hoster provided this as the fix:

mod_security helps protect you against various Perl, PHP and Ruby exploits but it can have false positives depending on the URL the user is visiting.  If you're receiving a 403 forbidden on a page it is most likely mod_security.  You can disable mod_security by adding the following to your .htaccess file:

SecFilterEngine Off
SecFilterScanPOST Off

The mod_security rule seems to dislike the variable 'foo' in the URI. I added these directives to .htaccess and the page works fine now.

Offline

#2 2010-12-22 10:30:46

Reines
Administrator
From: Scotland
Registered: 2008-05-11
Posts: 3,197
Website

Re: mod_security - 403 Forbidden

I'm not sure if this is the same one, but a while ago we had some issues with mod security, but IIRC the rule causing the problems was removed from their rule list a long time ago. It's probably also worth (if you can, I know how hard it can be to make some hosts do anything...) making sure the mod_security rules they are using are up-to-date.

Offline

#3 2010-12-22 12:21:32

adaur
Developer
From: France
Registered: 2010-01-07
Posts: 843
Website

Re: mod_security - 403 Forbidden

It happened to me a long time ago, when I was searching for a word with é or à, etc. (on 1.2.22)

Last edited by adaur (2010-12-22 12:21:39)


FeatherBB - A simple and lightweight new generation forum system
Based on FluxBB, written in PHP, using Slim Framework for a proper OOP-MVC architecture.

Offline

#4 2013-05-19 21:27:04

Gil
Member
From: France
Registered: 2008-05-10
Posts: 183

Re: mod_security - 403 Forbidden

I added mod_security to my site.

Almost everything is OK, except admin_users searches in the FluxBB forum, which are detected as an SQL injection attack and result in a

Forbidden
You don't have permission to access /admin_users.php on this server.

Here is an example of request:

82.xxx.yyy.zzz forums.mysite.net - [19/May/2013:22:28:55 +0200] "GET /admin_users.php?form%5Busername%5D=&form%5Bemail%5D=&form%5Btitle%5D=&form%5Brealname%5D=&form%5Burl%5D=&form%5Bjabber%5D=&form%5Bicq%5D=&form%5Bmsn%5D=&form%5Baim%5D=&form%5Byahoo%5D=&form%5Blocation%5D=&form%5Bsignature%5D=&form%5Badmin_note%5D=&posts_greater=&posts_less=&last_post_after=&last_post_before=&last_visit_after=&last_visit_before=&registered_after=&registered_before=&order_by=username&direction=ASC&user_group=0&find_user=Lancer+la+recherche HTTP/1.1" 403 186 "http://forums.mysite.net/admin_users.php" "Mozilla/5.0 (Windows NT 6.0; rv:22.0) Gecko/20100101 Firefox/22.0"

And mod_security log:

[Sun May 19 22:28:55 2013] [error] [client 82.xxx.yyy.zzz] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\buser_group\\b" at ARGS_NAMES:user_group. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "215"] [id "959915"] [rev "2.1.1"] [msg "Blind SQL Injection Attack"] [data "user_group"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"] [hostname "forums.mysite.net"] [uri "/admin_users.php"] [unique_id "UZk2BwoAc4EAAH6@P7AAAADo"]

Offline
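Rather than switching the engine off as in post #1, the alert quoted in post #4 already names what a narrow exception needs: the rule id, the matched variable and the path. The following is an added example, not code from the thread, FluxBB or ModSecurity; it parses such a line and emits a per-path `SecRuleRemoveById`. The function names are hypothetical, and it assumes ModSecurity 2.x with the generated block placed in the server configuration after the CRS rule files are included.

```python
import re

# Log line from post #4, with the [tag ...] fields left out for brevity.
SAMPLE = (
    r'[Sun May 19 22:28:55 2013] [error] [client 82.xxx.yyy.zzz] ModSecurity: '
    r'Access denied with code 403 (phase 2). Pattern match "\\buser_group\\b" '
    r'at ARGS_NAMES:user_group. [file "/usr/local/apache2/conf/modsecurity/'
    r'base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "215"] '
    r'[id "959915"] [rev "2.1.1"] [msg "Blind SQL Injection Attack"] '
    r'[data "user_group"] [severity "CRITICAL"] '
    r'[hostname "forums.mysite.net"] [uri "/admin_users.php"] '
    r'[unique_id "UZk2BwoAc4EAAH6@P7AAAADo"]'
)

FIELD = re.compile(r'\[(\w+) "([^"]*)"\]')               # [key "value"] pairs
TARGET = re.compile(r'\bat ([A-Z_]+(?::[^\s.\[]+)?)\.')  # "at ARGS_NAMES:user_group."
SAFE = re.compile(r'[A-Za-z0-9_./:-]+')                  # only these reach the config


def parse_alert(line):
    """Return the quoted fields of a ModSecurity 2.x error-log line, or None."""
    if 'ModSecurity:' not in line:
        return None
    alert = {}
    for key, value in FIELD.findall(line):
        alert.setdefault(key, value)   # first occurrence wins (repeated [tag] fields)
    m = TARGET.search(line)
    alert['target'] = m.group(1) if m else None
    alert['blocked'] = 'Access denied' in line
    return alert


def scoped_exclusion(alert):
    """Config text disabling one rule on one path, or None if the line is unsuitable."""
    if not alert or not alert['blocked']:
        return None                    # warnings (e.g. anomaly correlation) are skipped
    rule_id, uri, target = alert.get('id'), alert.get('uri'), alert.get('target')
    if not (rule_id and uri and target) or not rule_id.isdigit():
        return None
    if not (SAFE.fullmatch(uri) and SAFE.fullmatch(target)):
        return None                    # never copy odd request data into config
    return ('# matched variable: %s\n'
            '<Location "%s">\n'
            '    SecRuleRemoveById %s\n'
            '</Location>' % (target, uri, rule_id))
```

The anomaly-score warnings quoted in post #6 carry no `[id]` field and are not blocks, so the helper returns `None` for them instead of suggesting an exclusion.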

#5 2013-05-21 22:40:10

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,744
Website

Re: mod_security - 403 Forbidden

I don't really know much about mod_security, but apparently it has a problem with the name of the field being "user_group".

Can you test whether this change would fix the problem?


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#6 2013-05-22 21:31:56

Gil
Member
From: France
Registered: 2008-05-10
Posts: 183

Re: mod_security - 403 Forbidden

Franz wrote:

I don't really know much about mod_security, but apparently it has a problem with the name of the field being "user_group".

Can you test whether this change would fix the problem?

It works! (It's OK too with 'usergroup' in place of 'user_group'.)
I don't think it is a real bug; FluxBB can keep the current code. The mod_security module is based on a number of rules. Rules can be added, deleted, modified... It doesn't work... with OVH rules.
But I agree that it can be difficult for me to request a rule modification... So I will keep this modification, thanks!

For information (useless I think), here are some strange requests (on the forum) detected by this module:

Mon May 20 01:09:47 2013] [error] [client 178.151.216.90] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=5): IE XSS Filters - Attack Detected"] [hostname "forums.mysite.net"] [uri "/index.php++++++++++++++++++++++++++++++++++Result:+\\xe8\\xf1\\xef\\xee\\xeb\\xfc\\xe7\\xee\\xe2\\xe0\\xed+\\xed\\xe8\\xea\\xed\\xe5\\xe9\\xec+\\"quequeCoidgip\\";+\\xe7\\xe0\\xf0\\xe5\\xe3\\xe8\\xf1\\xf2\\xf0\\xe8\\xf0\\xee\\xe2\\xe0\\xeb\\xe8\\xf1\\xfc+(\\xe2\\xea\\xeb\\xfe\\xf7\\xe5\\xed+\\xf0\\xe5\\xe6\\xe8\\xec+\\xf2\\xee\\xeb\\xfc\\xea\\xee+\\xf0\\xe5\\xe3\\xe8\\xf1\\xf2\\xf0\\xe0\\xf6\\xe8\\xe8);+Result:+\\xe8\\xf1\\xef\\xee\\xeb\\xfc\\xe7\\xee\\xe2\\xe0\\xed+\\xed\\xe8\\xea\\xed\\xe5\\xe9\\xec+\\"Exexiaker\\";+\\xe7\\xe0\\xf0\\xe5\\xe3\\xe8\\xf1\\xf2\\xf0\\xe8\\xf0\\xee\\xe2\\xe0\\xeb\\xe8\\xf1\\xfc+(\\xe2\\xea\\xeb\\xfe\\xf7\\xe5\\xed+\\xf0\\xe5\\xe6\\xe8\\xec+\\xf2\\xee\\xeb\\xfc\\xea\\xee+\\xf0\\xe5\\xe3\\xe8\\xf1\\xf2\\xf0\\xe0\\xf6\\xe8\\xe8);"] [unique_id "UZlbuwoAmxgAAESFI80AAADN"]

[Mon May 20 05:43:29 2013] [error] [client 199.83.95.106] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=5): IE XSS Filters - Attack Detected"] [hostname "forums.mysite.net"] [uri "/index.php++++++++++++++++++++++++++++++++++Result:+chosen+nickname+\\"Blariboralast\\";+registered+(registering+only+mode+is+ON);"] [unique_id "UZmb4QoAS8AAADs17KsAAAAb"]

[Tue May 21 15:14:50 2013] [error] [client 218.188.13.237] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=5): IE XSS Filters - Attack Detected"] [hostname "forums.mysite.net"] [uri "/index.php+++++++++++++++++++++++++++++++++++++++++++++++++Result:+it+is+not+a+forum+/+guestbook+(or+no+connection+to+internet)+Result:+it+is+not+a+forum+/+guestbook+(or+no+connection+to+internet)+Result:+GET-timeouts+2;+chosen+nickname+\\"ByncCorndoosy\\";+registered;+logged+in;+no+post+sending+forms+are+found;+probably,+registration+failed+(activation+code+was+sent+/+there+are+additional+protection+used+on+forum+/+forum+SQL-error+/+...);+Result:+chosen+nickname+\\"ByncCorndoosy\\";+registered;+logged+in;+probably,+registration+failed+(activation+code+was+sent+/+there+are+additional+protection+used+on+forum+/+forum+SQL-error+/+...);+Result:+chosen+nickname+\\"ByncCorndoosy\\";+registered;+logged+in;+probably,+registration+failed+(activation+code+was+sent+/+there+are+additional+protection+used+on+forum+/+forum+SQL-error+/+...);"] [unique_id "UZtzSgoAXxUAABLoJIcAAAFW"]

[Wed May 22 00:35:58 2013] [error] [client 91.121.25.119] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=5): IE XSS Filters - Attack Detected"] [hostname "forums.mysite.net"] [uri "/index.php++++++++++++++++++++++++++++++++++Result:+used+self-learning+system+data;+chosen+nickname+\\"Oblilkita\\";+registered+(registering+only+mode+is+ON);"] [unique_id "UZv2zgoAcw0AACSXGAkAAAEd"]

Or others I don't understand:

[Tue May 21 21:28:50 2013] [error] [client 198.50.153.33] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/usr/local/apache2/conf/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "32"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=5): IE XSS Filters - Attack Detected"] [hostname "www.mysite.net"] [uri "/forums/viewtopic.php"] [unique_id "UZvK8goAS10AAE805EEAAADW"]

Offline

#7 2013-05-22 22:43:44

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,744
Website

Re: mod_security - 403 Forbidden

Okay, I won't merge this into core then.

Regarding the other errors: they're hard to understand, but some of the URIs really look strange, they might be real attacks.



Offline
