500 Internal Server Error due to mod_security

[Angie on Dialysis]

A friend of mine posted on one gaming forum a link .. and got this error. I was able to reproduce it on my own medical forums. Then just yesterday a member of my forums was posting plain text of a medical article and got the same error. I was able to reproduce it.

The error is:
500 Internal Server Error
on my medical forums and
the error is
Internal Server Error
on his gaming forums.

Happened 3 different instances so far in the first 150 posts.

If you want to reproduce the error with just text then copy the contents of this txt file to a post in this thread:

TXT LINK

[Sandmansa]

I am getting that same error on my SMF 1.1.4 boards as well.  I first noticed a problem when trying to copy and paste a url.  But in that instance, changing the http:// to www appeared to work around the problem there.  Now i'm noticing it's just simple text causing the error.

[Angie on Dialysis]

seems to be an issue with v1.1.4 but not SMF 2.0 Beta 3 Public

Also I was told there is an issue with another post as well .. and that being this (again only one 1.1.4 as far as we know). Why would plain text cause this error??:

This TXT LINK

The URL to mine is http://angieskidney.com/smfbb/

and the error does not report in the logs

but here is the phpinfo.php file

[steighan]

I call bull** on this one!

maybe your post is some bizarre version of the old 'chain letter'?

[H]

Have you seen this thread?

Having problems with mod_security?

[karlbenson]

Yeah this is almost certainly caused by the host enabling mod security.

[Angie on Dialysis]

I call bull** on this one!

maybe your post is some bizarre version of the old 'chain letter'?

BULL you say? I can PROVE it! GO ahead and see for yourself! If you do NOT believe me you are MORE than welcome to go ahead and post the text on my guest section.

As for the other 2, thank you I will check that out right now and be back with my findings.

Edit:

Have you seen this thread?

Having problems with mod_security?

This thread was very helpful thank you!

Create a phpinfo.php file.  What is phpinfo.php?  If it contains "mod_security" anywhere in it, you have it.

Contact your host, then, and tell them of your problems.  Point them to this topic.  Perhaps they can create the file for you.

-[Unknown]

I have it:

Loaded Modules    mod_security, mod_ssl, mod_php4, mod_perl, mod_frontpage, mod_setenvif, mod_so, mod_headers, mod_expires, mod_auth_anon, mod_auth, mod_access, mod_rewrite, mod_alias, mod_userdir, mod_actions, mod_imap, mod_asis, mod_cgi, mod_dir, mod_autoindex, mod_include, mod_info, mod_status, mod_negotiation, mod_mime, mod_log_referer, mod_log_agent, mod_log_config, mod_env, mod_vhost_alias, http_core

So is it safe to take it out? What is it used for? IF we take it out will it make other things not work?? I am new to SMF so any help is appreciated (before this I was using Proboards .. yeah I know .. pretty bad lol).

[steighan]

lol...you got me!

ok, here's your problem.

You dont need to turn of MOD SECURITY, but you need to disable the SQL INJECTION rule  (or spend some time to modify it) as it is VERY POORLY implemented!

part of it is that the core rules are making assumptions ostensibly valid for a simple APPLICATION (i.e. like Quicken or Checkbook manager where generally the input is going to be stuff like name, address, age, cost, etc.)

FORUM type applications are data that similarly take input, but it is free form text that could contain all kinds of words, some of it key words that are SQL commands!

For instance, for an address book, or mailing list, I would hardly have the mySQL reserved words like CREATE, AND, mathematical expressions which occur in your case

Age-related kidney changes create more risks for fluid and electrolyte imbalance and renal damage from <table>medications or diagnostic contrast materials.

So you can now see in your example, it is attacking a benign post because it seems to have an embedded SQL query in it.

(looking at the post body)

[Angie on Dialysis]

lol...you got me!

ok, here's your problem.

You dont need to turn of MOD SECURITY, but you need to disable the SQL INJECTION rule  (or spend some time to modify it) as it is VERY POORLY implemented!

part of it is that the core rules are making assumptions ostensibly valid for a simple APPLICATION (i.e. like Quicken or Checkbook manager where generally the input is going to be stuff like name, address, age, cost, etc.)

FORUM type applications are data that similarly take input, but it is free form text that could contain all kinds of words, some of it key words that are SQL commands!

For instance, for an address book, or mailing list, I would hardly have the mySQL reserved words like CREATE, AND, mathematical expressions which occur in your case

Age-related kidney changes create more risks for fluid and electrolyte imbalance and renal damage from <table>medications or diagnostic contrast materials.

So you can now see in your example, it is attacking a benign post because it seems to have an embedded SQL query in it.

(looking at the post body)

It does seem like you are onto something as one of my team noticed the word Create was a problem yet not by itself. Only in this context.

Learning as I go along, I hope to be able to fix this with all your guys help

Would the problem be rectified if we update from 1.1.4 to the 2.0 beta 3? Or would we have this problem with any version? Is this not an issue just for 1.1.4 but specifically with our host?

We don't know if our server URLDownload will disable the SQL INJECTION rule  (or spend some time to modify it) just for us

[steighan]

well, its iffy, the rule is poorly written - as you may see from the many test posts I made, If I insert newlines in the troublesome post, it passes scrutiny (note that that would not stop it from being a valid SQL command though, so you are really NOT being protected at all!)

In one of the posts /threads linked to earlier, there is an htaccess command to disable that function... its worth a try, I guess.. maybe you could talk to your host company in more detail, their responsiveness is something you may want to think of when it comes time to renew!

good luck!

[Angie on Dialysis]

well, its iffy, the rule is poorly written - as you may see from the many test posts I made, If I insert newlines in the troublesome post, it passes scrutiny (note that that would not stop it from being a valid SQL command though, so you are really NOT being protected at all!)

In one of the posts /threads linked to earlier, there is an htaccess command to disable that function... its worth a try, I guess.. maybe you could talk to your host company in more detail, their responsiveness is something you may want to think of when it comes time to renew!

good luck!

Okay we submitted a Support Ticket to URLDownload so hopefully they can do something about this Thank you for your help. We haven't gotten a reply yet but I am hoping they can tell us tomorrow ..  since it is late now.

So no matter what version of SMF we would get this error under our current host?

[steighan]

I would tentatively say yes, since it is mod-security applying poor heuristics (rules) to the posted data.
They intercept the data before SMF even sees it.

[karlbenson]

Indeed. You'd get this with every smf version. And probably ANY software you attempted to use.

[steighan]

you know what?

SMF could probably capture the user's configuration by examining the output from PhPInfo(), detecting that MOD security is enabled and display appropriate messages to the admin console, warning of a potential for problems?

[karlbenson]

I like that idea.

On a daily basis people report 500/404 errors that are down to mod_security.

[Angie on Dialysis]

That would be really cool.
So far we have not gotten a reply from our host administrator on this issue

[steighan]

the only thing I can think of doing is trying a custom error page (for 500 errors)
1. At least so you can put up a sensible error message (instead of the stupid 500 error)

2. It may be possible (depending on what ModSecurity does with the post body) to write the post anyway
( 500 error script catches the error and inserts the post for you)

gimme a day or so and I'll whip something up.....OR.. you can try turning it off (one of the SMF posts linked to above had details on that)

[Angie on Dialysis]

the only thing I can think of doing is trying a custom error page (for 500 errors)
1. At least so you can put up a sensible error message (instead of the stupid 500 error)

2. It may be possible (depending on what ModSecurity does with the post body) to write the post anyway
( 500 error script catches the error and inserts the post for you)
gimme a day or so and I'll whip something up.....OR.. you can try turning it off (one of the SMF posts linked to above had details on that)

Actually that is a custom error page but yes I agree I need to make a better one Thanks for the advice. Still .. to get that error with certain posts .. what would I say in an error page that would make it better? Nothing

[karlbenson]

Any news from your host yet?

[Angie on Dialysis]

Any news from your host yet?

SandmanSA was the one who put in the support ticket as he is my fiance but if we don't hear back from the host admin yet then I am going to email him directly. If that doesn't work then I will be contacting Sandman's and my mutual friend who was the one who set us up with this host as he always seems to be able to get that host admin more motivated ...  I am kinda getting discouraged .. and we had just renewed for the year 2 months ago ...