Mod Security Patch - Please Read If You Have Problems with Mod Security

Started by Irisado, December 01, 2014, 09:20:53 AM


Irisado

Please read the wiki article on mod security before posting in this topic: http://wiki.simplemachines.org/smf/Mod_security_-_Having_problems_with_mod_security

If you are having problems with mod security, and are getting 403 (forbidden) and 406 (not acceptable) errors, please apply the patch attached to this post to see whether it successfully resolves these errors when creating/editing categories.  Please report whether the patch was successful or unsuccessful in fixing these errors in this topic.
Dreaming of a beach where the sun shines, a rainbow lights up the sky, and the sea shimmers iridescently

v10viper04

This worked for me, 406/403 errors while trying to edit categories. Seems to have fixed that problem as I can get into the edit section now. It did NOT fix the issue I'm having when I try to edit the theme coding. I get this when I try to save the changes.

"An appropriate representation of the requested resource /index.php could not be found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request."


Kindred

As indicated -- this patch ONLY addresses the categories issue.  For anything else, you need to open a different thread.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Illori

Just an FYI: a user used the patch and it solved the problem.

Quote from: baboontester on December 23, 2014, 08:59:10 PM
Thank you for such a quick reply. That worked!

P.S. - I am using GoDaddy. :)

copugetsound

This worked for me on GoDaddy after receiving a 406 error.  Had to search for install instructions, but otherwise it was an easy fix!

Thanks!


irishcoffee

The patch didn't work for my 2.0.11 SMF version.

I also made the change in the .htaccess file as mentioned in the first post:
----------------------------------------------------------------------
<IfModule mod_security.c>
    # Turn off mod_security filtering.
    # NOTE: mod_security.c and the SecFilter* directives are ModSecurity 1.x names.
    # ModSecurity 2.x registers itself as mod_security2.c and uses SecRuleEngine,
    # so on a 2.x host this whole block is skipped and changes nothing.
    SecFilterEngine Off

    # The next part below probably is not needed, but better safe than sorry.
    SecFilterScanPOST Off
</IfModule>

<IfModule mod_deflate.c>
    # Unrelated to mod_security: this part only enables gzip compression of text responses.
    AddOutputFilterByType DEFLATE text/html text/plain text/xml
    <IfModule mod_setenvif.c>
        # Netscape 4.x has some problems...
        BrowserMatch ^Mozilla/4 gzip-only-text/html

        # Netscape 4.06-4.08 have some more problems
        BrowserMatch ^Mozilla/4\.0[678] no-gzip

        # MSIE masquerades as Netscape, but it is fine
        # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
        # the above regex won't work. You can use the following
        # workaround to get the desired effect:
        BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

        # Don't compress images (the dot must be escaped to match a literal ".")
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    </IfModule>

    <IfModule mod_headers.c>
        # Make sure proxies don't deliver the wrong content
        Header append Vary User-Agent env=!dont-vary
    </IfModule>
</IfModule>
----------------------------------------------------------------------

Still receiving the error:
403
Forbidden
Access to this resource on the server is denied!

???

margarett

What are you doing when receiving error 403? Are you editing categories? If not, this patch is not for you ;)

As I told you in your other post, you probably need to contact your host.
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

irishcoffee

Quote from: margarett on November 10, 2015, 09:47:49 AM
What are you doing when receiving error 403? Are you editing categories? If not, this patch is not for you ;)
As I told you in your other post, you probably need to contact your host.

When accessing "Admin" -> "Members" -> "View all members" and then when I want to use any of the selectors to sort members by "Username", "Display Name", "Email Address", "IP Address", "Last Online" or "Posts", I receive the 403 error, which as mentioned did not occur in the previous version of SMF using the same host.

Thanks for your feedback. I'll check with my host once again.

PS: To avoid double posting, please delete my other message. TX!

irishcoffee

Quote from: irishcoffee on November 10, 2015, 09:54:45 AM
Quote from: margarett on November 10, 2015, 09:47:49 AM
What are you doing when receiving error 403? Are you editing categories? If not, this patch is not for you ;)
As I told you in your other post, you probably need to contact your host.

When accessing "Admin" -> "Members" -> "View all members" and then when I want to use any of the selectors to sort members by "Username", "Display Name", "Email Address", "IP Address", "Last Online" or "Posts", I receive the 403 error, which as mentioned did not occur in the previous version of SMF using the same host.

Thanks for your feedback. I'll check with my host once again.

PS: To avoid double posting, please delete my other message. TX!

Now it is working!!! (i.e. the actions mentioned above (the members section of my forum) and all admin commands!)
My host changed the permission settings for my forum. Thanks for your feedback!

paddy78

Hi irish,

I am getting the same 403 error. Can you suggest what setting needs to be requested from the host for change? I am using HostGator and they have been unable to find and fix it yet.


Kindred

They need to disable mod_security, as we stated in the initial post.

bcv

The patch works!

A lot of thanks. I solved my problem.
;)

José Luis
Spain

Bigguy


huns

I know this is an old topic, but I do have a question.
If the mod works perfectly, like the forum loads, I can post, everything is superb... should I still disable it?

It won't give me any security benefits, no matter what?
(With the default ruleset, that is.)

Kindred

mod_security may have some benefits when properly configured (for example, my own host has it enabled, but it does not interfere with my forum in any way)

but, it is generally not required, if the software which you are running is securely built...
Additionally, since hosts refuse to share the configuration with us - we can't make suggestions on what specifically is affecting SMF, and with those hosts, the quickest and easiest answer is to tell them to just disable the darned thing.
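A practical follow-up to Kindred's point that, without the host's configuration, nobody can say which rule is tripping on SMF: when the host does expose the Apache error_log (cPanel-style hosting usually does), each ModSecurity 2.x denial line already names the rule id, the matched variable and the URI, which is exactly what a host needs to adjust or whitelist a rule. The parser below is an added example written for this thread, not code from the SMF project or from any poster; the log lines, rule ids, paths, hostnames and client addresses are all constructed for the example. The third sample line is an ordinary filesystem-permission denial, the kind of 403 irishcoffee turned out to have, which has nothing to do with the WAF and is counted separately.

```python
import re

# Constructed sample error_log excerpt (rule ids, paths, hostnames and client
# addresses are made up for this example; none of them come from the thread).
# Lines 1, 2 and 4 are ModSecurity 2.x denials; line 3 is a plain Apache
# filesystem-permission denial that ModSecurity had nothing to do with.
SAMPLE_LOG = """\
[Tue Nov 10 09:47:49.102030 2015] [:error] [pid 2201] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union.*select)" at ARGS:sort. [file "/etc/modsecurity/constructed.conf"] [line "12"] [id "990001"] [msg "Constructed SQLi rule"] [severity "CRITICAL"] [hostname "forum.example"] [uri "/index.php"] [unique_id "A1"]
[Tue Nov 10 09:48:03.554433 2015] [:error] [pid 2205] [client 203.0.113.5] ModSecurity: Access denied with code 406 (phase 2). Pattern match "<script" at ARGS:cat_desc. [file "/etc/modsecurity/constructed.conf"] [line "40"] [id "990002"] [msg "Constructed XSS rule"] [severity "CRITICAL"] [hostname "forum.example"] [uri "/index.php"] [unique_id "A2"]
[Tue Nov 10 09:50:11.000001 2015] [:error] [pid 2209] [client 198.51.100.7] AH00035: access to /index.php denied (filesystem path '/var/www/forum/index.php') because search permissions are missing on a component of the path
[Tue Nov 10 09:51:11.000001 2015] [:error] [pid 2211] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union.*select)" at ARGS:sort. [file "/etc/modsecurity/constructed.conf"] [line "12"] [id "990001"] [msg "Constructed SQLi rule"] [severity "CRITICAL"] [hostname "forum.example"] [uri "/index.php"] [unique_id "A3"]
"""

# "Access denied with code NNN (phase N). <reason>" followed by [key "value"] tags.
DENIED_RE = re.compile(
    r'ModSecurity: Access denied with code (?P<code>\d{3}) \(phase (?P<phase>\d)\)\. '
    r'(?P<reason>.*?)(?= \[[a-z_]+ ")'
)
TAG_RE = re.compile(r'\[([a-z_]+) "((?:[^"\\]|\\.)*)"\]')
CLIENT_RE = re.compile(r'\[client ([^\]]+)\]')
VARIABLE_RE = re.compile(r' at (\S+)\.$')


def parse_line(line):
    """Return a dict for a ModSecurity denial line, or None for any other line."""
    m = DENIED_RE.search(line)
    if m is None:
        return None
    event = {
        "code": int(m.group("code")),
        "phase": int(m.group("phase")),
        "reason": m.group("reason"),
    }
    client = CLIENT_RE.search(line)
    event["client"] = client.group(1) if client else None
    # The matched variable (e.g. ARGS:sort) names the request parameter the
    # rule objected to, which is the detail a host needs to tune the rule.
    var = VARIABLE_RE.search(event["reason"])
    event["variable"] = var.group(1) if var else None
    # Everything after the reason is a series of [key "value"] tags.
    for key, value in TAG_RE.findall(line[m.end():]):
        event[key] = value
    return event


def summarize(log_text):
    """Group denials by rule id; also count 'denied' lines that are not WAF hits.

    Returns (by_rule, non_waf_denials). by_rule maps rule id -> dict with the hit
    count, status codes, URIs, matched variables and the rule's msg.
    """
    by_rule = {}
    non_waf = 0
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            if "denied" in raw:
                non_waf += 1
            continue
        entry = by_rule.setdefault(ev.get("id", "?"), {
            "hits": 0, "codes": set(), "uris": set(),
            "variables": set(), "msg": ev.get("msg", ""),
        })
        entry["hits"] += 1
        entry["codes"].add(ev["code"])
        entry["uris"].add(ev.get("uri", "?"))
        if ev["variable"]:
            entry["variables"].add(ev["variable"])
    return by_rule, non_waf


def report(log_text):
    """Plain-text summary to send to the host (or to decide on SecRuleRemoveById)."""
    by_rule, non_waf = summarize(log_text)
    lines = []
    for rule_id, e in sorted(by_rule.items()):
        lines.append(
            f"rule {rule_id} ({e['msg']}): {e['hits']} hit(s), "
            f"codes {sorted(e['codes'])}, on {sorted(e['uris'])}, "
            f"matched {sorted(e['variables'])}"
        )
    lines.append(f"{non_waf} denial(s) not caused by ModSecurity (check file permissions)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run it against a copy of the real error_log instead of SAMPLE_LOG and the report gives the host (or you, on a server you administer) the rule id and parameter to whitelist with SecRuleRemoveById rather than switching the engine off; a 403 that produces no ModSecurity line at all points at permissions or another module, not the WAF.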

huns

Yeah I mostly meant the default ruleset.
It just sets a few limits, nothing extraordinary.

By the way: what if SMF's team wrote a ruleset to deploy as an additional line of defense? Nothing extraordinary, and I'm not sure which parts it could protect exactly.

But you can define a ruleset for your own host.
(Nowadays most people rent DigitalOcean servers and similar. We also use a dedicated server with my own community.)

Illori

Most of our users are on shared servers and don't even know what mod_security is or how to run a web server. Even if we made such a list, it would not be useful to most people that use our software.

huns

Well, but dedicated communities that grew big are the only targets for attackers. Small sites with a few users won't get hacked anyway, unless the admin uses a 12345 password.

Anyway, just brought it up as an idea.

Kindred

Except you are incorrect.

It is not only "dedicated communities that grew big" which are targets.
ANYONE is a target, if they have a website.
(I once found that a website which I owned, with 2 users on it, and them inactive, had been hacked because of outdated software that I had left and forgotten.)

So no...   we are not hosts.
It is up to the HOST to figure out the CORRECT configuration -- or allow us to HELP them either do so or figure out work-arounds... but, in order to do that, the hosts have to communicate with us regarding whatever bizarre configuration they have come up with -- and those hosts are not willing to do that.
