Pages with ; separated query string values give me a 404 ...

Yorlik · March 23, 2017, 11:27:06 AM

As the title tells:

When I try to go to the package manager or other pages which have a ";" separated list of values in the query string I receive a 404.

Manually changing the URL and replacing the ";" with "&" works though.

How can I fix this?

Thanks!

Arantor · March 23, 2017, 11:51:20 AM

Did you remove the index.php part of the URL, or using Pretty URLs?

SMF has used the ; for the last 13 years without too many snarl ups...

Yorlik · March 23, 2017, 11:59:22 AM

I have not done any modifications.
This URL gives me a 404 (different domain, ofc)
hxxp:www.server.tld/smf/index.php?action=admin;area=packages [nonactive]

Arantor · March 23, 2017, 12:15:25 PM

Running any other software on the site, e.g. WordPress?

Yorlik · March 23, 2017, 12:26:37 PM

Yes, Drupal 7.

Arantor · March 23, 2017, 12:42:34 PM

Hmm, I thought Drupal still played nicely with SMF but maybe not any more since I would speculate this is part of the problem. Hard to know since I'm not exactly a Drupal specialist, it's been a while.

Short of replacing every link by hand in SMF, you're not going to be able to fix it from SMF itself, I think.

Yorlik · March 23, 2017, 12:53:42 PM

I did a quick test by moving away the drupal tree - no success - the error remains.
I guess something is might be irritating it in my my server configuration.

Arantor · March 23, 2017, 12:57:07 PM

Even moving the .htaccess file that would be in the root?

Yorlik · March 23, 2017, 01:03:20 PM

Yes. Root was entirely empty and only the SMF alias was active.
Even a reinstall didn't fix it.
I guess it's something in my config, either php or apache2.

Illori · March 23, 2017, 01:10:16 PM

do you have mod_security enabled?

Yorlik · March 23, 2017, 01:21:47 PM

Quote from: Illori on March 23, 2017, 01:10:16 PM
do you have mod_security enabled?

Removing it fixed it!
Thanks for the hint.
Though - why don't they play nicely with each other?
I had mod_security2 running only in audit mode.
Drupal never complained - is there some way configuration wise to run mod_security2 with SMF?

Illori · March 23, 2017, 01:32:42 PM

if you can figure out which rule is being triggered then maybe in a future patch this may be able to fixed.

Yorlik · March 23, 2017, 01:49:03 PM

It seems some rule concerning SQL injection gets triggered. It seems the ";" is interpreted as a part of an injected SQL statement.

Arantor · March 23, 2017, 02:01:14 PM

SMF comes pre-hardened against SQL injections, it's actually really hard to inject something actually dangerous in to SMF.

Yorlik · March 23, 2017, 07:01:12 PM

Quote from: Arantor on March 23, 2017, 02:01:14 PM
SMF comes pre-hardened against SQL injections, it's actually really hard to inject something actually dangerous in to SMF.

Now you just have to tell that mod_security

News:

Pages with ; separated query string values give me a 404 ...