
403 mod_security errors in Vanilla.

edited November 2008 in Vanilla 1.0 Help
I seem to have a similar problem: I get a 403 error whenever I try to change something on /settings.php?PostBackAction=RegistrationChange or when I log out (/people.php?PostBackAction=SignOutNow&FormPostBackKey=****). This is what I'm seeing in my logs:

[Tue Oct 21 13:46:31 2008] [error] [client 83.4.59.**] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\'(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/|<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>|activexobject|(?:\\.add|\\@)import|asfunction\\:|background-image\\:|e(?:cma|exec)script|\\.fromcharcode|get( ..." at REQUEST_HEADERS:Referer. [file "/etc/modsecurity2/modsec/10_asl_rules.conf"] [line "804"] [id "340158"] [rev "5"] [msg "XSS in referrer"] [severity "CRITICAL"] [hostname "*******.eu"] [uri "/settings.php"] [unique_id "*******"]

[Tue Oct 21 13:47:51 2008] [error] [client 83.4.59.**] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\'(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/|<[[:space:]]*(?:script|about|applet|activex|chrome)*>.*(?:script|about|applet|activex|chrome)[[:space:]]*>|activexobject|(?:\\.add|\\@)import|asfunction\\:|background-image\\:|e(?:cma|exec)script|\\.fromcharcode|get( ..." at REQUEST_HEADERS:Referer. [file "/etc/modsecurity2/modsec/10_asl_rules.conf"] [line "804"] [id "340158"] [rev "5"] [msg "XSS in referrer"] [severity "CRITICAL"] [hostname "******.eu"] [uri "/people.php"] [unique_id "********"]

I don't know whether it's a problem with a misconfigured Vanilla install or whether I should blame my host provider. I see that someone had that problem before ( http://lussumo.com/community/discussion/7061/returnuri-and-modsecurity/ ), but that thread was old, and I can't find menu.php in 1.1.5a (and even if I found it, I guess it would already be patched to work).

Comments

  • Mod_security is just being a bit too cautious in this case, but it's easy to disable it for those two files.

    Try adding this to the .htaccess file in the top level Vanilla folder:

    <FilesMatch "^(settings|people)\.php$">
    SecFilterEngine Off
    </Files>

    Menu.php is in the /themes/ folder, but the issue described in that discussion has been fixed in 1.1.5.
  • WallPhone, I'm pretty sure your .htaccess file would cause a server error.

    You gotta close the <FilesMatch> tag with </FilesMatch> not </Files>.
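A way to triage entries like the two quoted above before deciding what to exempt, as an added example that is not code from this thread, from Vanilla, or from ModSecurity: it parses the bracketed fields of ModSecurity denial lines, groups hits by rule id, and emits an .htaccess fragment that removes only the one false-positive rule for the affected scripts instead of switching the engine off for them. It assumes ModSecurity 2.x (the `/etc/modsecurity2/` path in the log suggests it) and that the host allows `SecRuleRemoveById` in .htaccess; the sample log lines are constructed after the thread's entries, with the masked host, client and unique ids replaced by made-up values and a third, unrelated entry added so the grouping has something to separate.

```python
"""Triage ModSecurity 2.x denial lines and derive a narrowly scoped exemption.

Added example for this thread, not code from the thread or from Vanilla.
Assumptions: ModSecurity 2.x, and `SecRuleRemoveById` being honoured in
.htaccess on this host (a per-host setting; the hypothetical rule ids and
hosts below are constructed sample data).
"""
import re

# Constructed sample modelled on the thread's two entries (masked values
# replaced with made-up ones) plus one unrelated SQLi hit on another script.
SAMPLE_LOG = r'''
[Tue Oct 21 13:46:31 2008] [error] [client 83.4.59.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\'(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/|<[[:space:]]*(?:script ..." at REQUEST_HEADERS:Referer. [file "/etc/modsecurity2/modsec/10_asl_rules.conf"] [line "804"] [id "340158"] [rev "5"] [msg "XSS in referrer"] [severity "CRITICAL"] [hostname "example.eu"] [uri "/settings.php"] [unique_id "abc123"]
[Tue Oct 21 13:47:51 2008] [error] [client 83.4.59.1] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?:\\'(?:ogg|gopher|zlib|(?:ht|f)tps?)\\:/|<[[:space:]]*(?:script ..." at REQUEST_HEADERS:Referer. [file "/etc/modsecurity2/modsec/10_asl_rules.conf"] [line "804"] [id "340158"] [rev "5"] [msg "XSS in referrer"] [severity "CRITICAL"] [hostname "example.eu"] [uri "/people.php"] [unique_id "def456"]
[Tue Oct 21 14:02:10 2008] [error] [client 10.0.0.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.*select" at ARGS:q. [file "/etc/modsecurity2/modsec/10_asl_rules.conf"] [line "120"] [id "300013"] [rev "2"] [msg "SQL injection attempt"] [severity "CRITICAL"] [hostname "example.eu"] [uri "/search.php"] [unique_id "ghi789"]
'''

# ModSecurity writes its metadata as [key "value"] tags; [client ...] and the
# "at VARIABLE." target have their own shapes, so they get their own patterns.
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
TARGET_RE = re.compile(r' at (\S+)\. \[file ')


def parse_entry(line):
    """Return the fields needed for triage, or None if this is not a denial."""
    if 'ModSecurity: Access denied' not in line:
        return None
    fields = dict(TAG_RE.findall(line))
    client = CLIENT_RE.search(line)
    target = TARGET_RE.search(line)
    return {
        'client': client.group(1) if client else None,
        'target': target.group(1) if target else None,  # e.g. REQUEST_HEADERS:Referer
        'id': fields.get('id'),
        'msg': fields.get('msg'),
        'uri': fields.get('uri'),
        'file': fields.get('file'),
    }


def group_hits(log_text):
    """Map rule id -> summary (msg, count, and the sets of uris/targets/clients).

    Seeing one rule fire only on a couple of the site's own scripts, always on
    the same variable, is the pattern that points at a false positive.
    """
    groups = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if not entry or not entry['id']:
            continue
        g = groups.setdefault(entry['id'], {
            'msg': entry['msg'], 'count': 0,
            'uris': set(), 'targets': set(), 'clients': set(),
        })
        g['count'] += 1
        g['uris'].add(entry['uri'])
        g['targets'].add(entry['target'])
        g['clients'].add(entry['client'])
    return groups


def exemption_snippet(rule_id, uris):
    """Build an .htaccess fragment removing one rule for the named scripts only.

    Narrower than turning the engine off: every other rule still runs for
    these files, and the removed rule still runs everywhere else.
    """
    basenames = sorted({re.escape(u.rsplit('/', 1)[-1]) for u in uris})
    pattern = '^(' + '|'.join(basenames) + ')$'
    return (f'<FilesMatch "{pattern}">\n'
            f'    SecRuleRemoveById {rule_id}\n'
            '</FilesMatch>')


if __name__ == '__main__':
    hits = group_hits(SAMPLE_LOG)
    for rule_id, g in sorted(hits.items()):
        print(f"rule {rule_id} ({g['msg']}): {g['count']} hits on "
              f"{sorted(g['uris'])} via {sorted(g['targets'])} "
              f"from {sorted(g['clients'])}")
    print()
    print(exemption_snippet('340158', hits['340158']['uris']))
```

If the host is still on ModSecurity 1.x, `SecFilterEngine Off` in the comment above is the 1.x directive and there is no per-rule removal; on 2.x the equivalent of switching the engine off is `SecRuleEngine Off`, and `SecRuleRemoveById` is the 2.x-only way to drop just the one rule that misfires on the Referer while keeping the rest of the ruleset active for those two scripts.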