PHP action scripts cause text dumps

Started by cmidkiff, February 27, 2017, 12:09:28 PM


cmidkiff

In Firefox, IE, and Edge, most of the time when a submit button is clicked (ex. category, board, and post creation and deletion), a text dump appears on the screen.  On the server side, the action goes through, and refreshing the page redirects to the proper place.

In Chrome, index.php is always downloaded.  On the server side, the action still goes through, but refresh doesn't redirect you anymore.

Also (probably unrelated) clicking profile > account settings redirects you to '/', and in Cpanel, it shows an error
[Fri Feb 24 16:02:22.321430 2017] [authz_core:error] [pid 6444] [client 66.208.234.34:55665] AH01630: client denied by server configuration: <linux web dir>/.htaccess, referer: <url string>/index.php?action=profile


The website is: test . nicusergroup . org

Here's a sample text dump

0

HTTP/1.1 200 OK
Date: Mon, 27 Feb 2017 16:32:54 GMT
Server: Apache/2.4.23 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4
X-Powered-By: PHP/5.6.28
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Pragma: no-cache
Cache-Control: private
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Last-Modified: Mon, 27 Feb 2017 16:32:54 GMT
Keep-Alive: timeout=5, max=92
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

1212
[gzip-compressed chunk body: binary data, not reproducible as text]
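To read a capture like the one above, here is a small diagnostic script. It is an added example, not code from this thread, from SMF or from cPanel: it splits a raw HTTP/1.1 response, reports anything sitting in front of the status line (in the dump that is the lone "0", a chunk terminator), reassembles the chunked body and then peels off every gzip layer it finds, so you can see whether the response carries a single gzip stage or two stacked ones, which is what to check when a forum's own gzip output option and the web server's compression are both in play. The `build_sample` response and its HTML are constructed for the example.

```python
import gzip
from typing import Any, Dict, Tuple

GZIP_MAGIC = b"\x1f\x8b"


def split_response(raw: bytes) -> Tuple[bytes, str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 response into (stray prefix, status line, headers, body).

    Anything before the status line is returned as the prefix; in the captured
    dump that is a lone "0", i.e. the terminating chunk of a previous response.
    """
    idx = raw.find(b"HTTP/1.")
    if idx < 0:
        raise ValueError("no HTTP status line found")
    head, sep, body = raw[idx:].partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is not terminated")
    lines = head.split(b"\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return raw[:idx], lines[0].decode("latin-1"), headers, body


def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body (hex chunk sizes, CRLF framing)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0].decode("ascii"), 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that closes the chunk
    return bytes(out)


def diagnose(raw: bytes) -> Dict[str, Any]:
    """Report the framing and encoding facts a browser would trip over."""
    prefix, status_line, headers, body = split_response(raw)
    chunked = headers.get("transfer-encoding", "").lower() == "chunked"
    payload = dechunk(body) if chunked else body
    layers = 0
    while payload.startswith(GZIP_MAGIC):  # peel every gzip layer, counting them
        payload = gzip.decompress(payload)
        layers += 1
    declared = headers.get("content-encoding")
    return {
        "status_line": status_line,
        "stray_prefix": prefix.strip(),           # b"0" for the dump above
        "chunked": chunked,
        "declared_encoding": declared,
        "gzip_layers": layers,
        "double_compressed": layers > 1,          # two gzip stages stacked on one response
        "encoding_mismatch": (declared == "gzip") != (layers >= 1),
        "decoded": payload,
    }


def build_sample(extra_gzip_layers: int = 0) -> bytes:
    """Constructed response modelled on the dump above: stray "0", gzip, chunked."""
    html = b"<html><body>Profile page</body></html>"
    payload = gzip.compress(html)
    for _ in range(extra_gzip_layers):      # simulate a second compression stage
        payload = gzip.compress(payload)
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(payload), payload)
    headers = (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Encoding: gzip\r\n"
        b"Transfer-Encoding: chunked\r\n"
        b"Content-Type: text/html; charset=ISO-8859-1\r\n"
        b"\r\n"
    )
    return b"0\r\n\r\n" + headers + chunked


if __name__ == "__main__":
    for layers in (0, 1):
        report = diagnose(build_sample(layers))
        print({k: v for k, v in report.items() if k != "decoded"})
```

Feed `diagnose()` the bytes of a real capture (for example the response body saved by the browser's network panel, or the index.php file Chrome downloaded) and look at `stray_prefix`, `gzip_layers` and `encoding_mismatch`; a value other than one gzip layer with `Content-Encoding: gzip` means some stage between PHP and the browser is not framing the response the way the headers claim.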

Sir Osis of Liver

Submit buttons available to guests (login, search, registration agreement) are working ok in IE11.  What's in your .htaccess?
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

cmidkiff

Ok, very strange.  None of the issues above (except the profile > account settings) are happening from a different ip.  I'll check the .htaccess tomorrow.

vbgamer45

Do you have any PHP compression/zlib compression enabled or other compression setup on the web server?
Community Suite for SMF - Take your forum to the next level built for SMF, Gallery,Store,Classifieds,Downloads,more!

SMFHacks.com -  Paid Modifications for SMF

Mods:
EzPortal - Portal System for SMF
SMF Gallery Pro
SMF Store SMF Classifieds Ad Seller Pro

cmidkiff

@vbgamer45, It was compression, but it was the compression option (gzip output) given by the installer for SMF.  I just reinstalled it without the compression option, and it works perfectly. 
The weird thing is, the installer gave me the option to test it beforehand, and it passed.

I still have the profile > account summary problem where it redirects back to root (the home page).  What's funny is, I originally had the test for SMF on its own domain (test.local), but since I've moved it to a subdomain, I no longer get the error I showed in the first post.

There's no .htaccess in root (and the default one in the SMF install just denies everything).

There are two .htaccess files, both with the same content:
../Packages/.htaccess
../Packages/backups/.htaccess

<Files *>
# Apache 2.2-style access control; on Apache 2.4 these directives need mod_access_compat
Order Deny,Allow
Deny from all
Allow from localhost
</Files>



Sir Osis of Liver

There's a third .htaccess in /attachments, they belong there.  SMF does not install a root .htaccess.  What is the error referring to?



<linux web dir>/.htaccess



cmidkiff

I installed SMF under a new domain (test . nicusergroup . net, was previously test . local), and now the error message no longer appears in the logs.  The domain nicusergroup . net has no .htaccess file in its web directory.

cmidkiff

I just added gobbledygook to the top of ./Sources/Profile.php, and both profile > summary and profile > forum profile show an error at line 14, but profile > account settings redirects back to root.

What's weird is all action routing is done by the same function call, so the issue only happens when "area=account".  But it's not a php thing, because Profile.php is running successfully (or with intentional errors) with "area=forumprofile" or no area at all.

No other protocol errors are displayed, no logs show anything, and no HTTP codes higher than 399.

Here are the last 3 entries in the Apache logs for two devices.

[EDIT]
Each request for "area=account" is being sent a 302 redirect code, it looks like.



166.137.244.114 - - [01/Mar/2017:10:48:44 -0500] "GET /index.php?action=profile HTTP/1.1" 200 15641 "http://test.nicusergroup.org/index.php?action=profile" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MTC19X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36"
166.137.244.114 - - [01/Mar/2017:10:48:49 -0500] "GET /index.php?action=profile;area=account HTTP/1.1" 302 336 "http://test.nicusergroup.org/index.php?action=profile" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MTC19X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36"
166.137.244.114 - - [01/Mar/2017:10:48:49 -0500] "GET / HTTP/1.1" 200 14683 "http://test.nicusergroup.org/index.php?action=profile" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 6P Build/MTC19X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Mobile Safari/537.36"

66.208.234.34 - - [01/Mar/2017:10:46:52 -0500] "GET / HTTP/1.1" 200 14580 "http://test.nicusergroup.org/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
66.208.234.34 - - [01/Mar/2017:10:46:53 -0500] "GET /index.php?action=profile;area=account HTTP/1.1" 302 336 "http://test.nicusergroup.org/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"
66.208.234.34 - - [01/Mar/2017:10:46:53 -0500] "GET / HTTP/1.1" 200 14580 "http://test.nicusergroup.org/" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0"


Kindred

this is almost definitely due to your host having a poorly configured mod_security installed...
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

cmidkiff

That was exactly it. In cPanel I disabled ModSecurity on that specific subdomain, and the link now works.
Thank you.

I will try to find the specific reason ModSecurity failed and re-enable it if possible, but that's no longer an SMF problem.

cmidkiff

Just as a reply to anyone else with the same problem

Cpanel ModSecurity logs show

Pattern match "(?i:([\\s'\"`\\(\\)]*?)([\\d\\w]++)([\\s'\"`\\(\\)]*?)(?:(?:=|<=>|r?like|sounds\\s+like|regexp)([\\s'\"`\\(\\)]*?)\\2|(?:!=|<=|>=|<>|<|>|\\^|is\\s+not|not\\s+like|not\\s+regexp)([\\s'\"`\\(\\)]*?)(?!\\2)([\\d\\w]+)))" at ARGS:action. [file "/usr/local/apache/conf/modsec_vendor_configs/OWASP/rules/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"] [line "53"] [id "950901"] [rev "2"] [msg "SQL Injection Attack: SQL Tautology Detected."] [data "Matched Data: a=a found within ARGS:action: profile;area=account"] [severity "CRITICAL"] [ver "OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag "Host: test.nicusergroup.org"] [tag "application-multi"] [tag "language-mutli"] [tag "platform-multi"] [tag "attack-sqli"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag "PCI/6.5.2"]


And adding "950901" (no quotes) to the domain rule whitelist disables that rule and allows the link to work.
It seems to detect "area=account" as an SQL attack.
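To see exactly why the rule fires, here is an added example (not SMF's, cPanel's or the CRS project's code) that runs the rule's own regex, as quoted in the log entry above, over request arguments the way ModSecurity slices them. ModSecurity splits the query string only on "&", so SMF's ";"-joined parameters arrive as a single value, and inside "profile;area=account" the substring "a=a" satisfies the tautology pattern. The possessive quantifier "++" in the original is written as "+" here, an assumption that holds for these inputs since Python's re module only accepts possessive quantifiers from 3.11 on; the sample query strings are constructed.

```python
import re
from urllib.parse import unquote_plus

# Regex of rule 950901 as printed in the ModSecurity log above, with "++" relaxed to "+".
CRS_950901 = re.compile(
    r"""(?i:([\s'"`\(\)]*?)([\d\w]+)([\s'"`\(\)]*?)"""
    r"""(?:(?:=|<=>|r?like|sounds\s+like|regexp)([\s'"`\(\)]*?)\2"""
    r"""|(?:!=|<=|>=|<>|<|>|\^|is\s+not|not\s+like|not\s+regexp)([\s'"`\(\)]*?)(?!\2)([\d\w]+)))"""
)


def sql_tautology_match(value: str):
    """Return the text the rule would report as 'Matched Data' (whitespace trimmed), or None."""
    m = CRS_950901.search(value)
    return m.group(0).strip() if m else None


def scan_args(query: str) -> dict:
    """Apply the rule to every ARGS value of a query string.

    Only '&' separates arguments, matching what the log shows: ARGS:action was
    the whole string 'profile;area=account', not just 'profile'.
    """
    hits = {}
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        hit = sql_tautology_match(unquote_plus(value))
        if hit is not None:
            hits[name] = hit
    return hits


if __name__ == "__main__":
    # Constructed sample queries: the SMF profile links from the thread plus a real tautology.
    for q in ("action=profile;area=account",
              "action=profile;area=forumprofile",
              "action=profile",
              "id=1 OR 1=1"):
        print(f"{q!r:45} -> {scan_args(q)}")
```

Running it shows the false positive is purely lexical: "area=forumprofile" never produces a repeated token around an operator, while "area=account" does. A narrower fix than whitelisting the whole rule is to take that one argument out of its targets, for example with ModSecurity's `SecRuleUpdateTargetById 950901 "!ARGS:action"` in a rule file loaded after the CRS, so the rule keeps inspecting every other parameter.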

Kindred

mod_security, overall, is almost always poorly configured.
Quite honestly, good scripts should protect against and avoid those sorts of attacks anyway.

Heck, I've seen mod_security choke on a message/post because it contained the county I live in (Middlesex) -- yes, the stupid thing choked on the three letters s-e-x in a perfectly valid word.