Forbidden Error w/More Than 3 URL Tags

Started by stevemci, May 16, 2012, 12:20:40 PM

stevemci

Whenever anybody on our forum tries to post a message that contains more than three url tags they get an error that says Forbidden, you don't have permission to access index.php. We're running SMF 2.0.2 with only two mods: Enhanced Dropdown and Simple Audio Video Embedder. Three or fewer url tags work fine.

MrPhil

Is mod security turned off? Sometimes that can forbid access.

stevemci

Where in the admin panel would I check the mod security setting?

stevemci

In Security And Moderation --> General --> Disable administration security is unchecked.

MrPhil

Uh, no. Mod security is a "feechur" your host would have turned on to look for certain words and characteristics that might indicate someone trying to hack your forum. It's unnecessary with SMF and usually causes more problems than it's worth. Usually you can disable it in your .htaccess file (search for mod security for instructions).

IchBin™

IchBin™        TinyPortal

stevemci

I modified my .htaccess file as indicated in the linked thread and the problem persists. What should I try next?

IchBin™

Contact your host. It could be that your host is not allowing .htaccess files to disable it.
IchBin™        TinyPortal

MrPhil

I saw one post that said if you haven't successfully turned off mod_security, the string mod_security will be found in the phpinfo() output. Is that statement still true?

Assuming you have successfully turned off mod_security, you mention 3 [url] tags being the limit per post. I'm wondering if that's some sort of anti-spam filter by your host? Is it just the grand total of URL tags being more than 3, or do they have to be in some pattern? I would guess that it's not the URL tag itself, but the presence of http: that's being totaled up. Have you asked your host about this? A filter of this sort would usually be in mod_security, but it's possible your host has put it somewhere else, or is even denying that they have such a filter! SMF automatically promotes www.domain.TLD to a URL link -- would that be sufficient for your purposes, to get around the filter? If not, and your host is not helpful, you'll have to start thinking about moving to another host.

Arantor

Considering how many http instances there are in a typical page, I'd be willing to bet it's a problem with the links themselves, e.g. a link containing ?id= or &id= which is a typical mod_security rule.
Holder of controversial views, all of which my own.


MrPhil

Possibly. Although, wouldn't only the message data be coming in on POST data, and thus examined by mod_security? I wouldn't think the other links output all over the page would be seen by mod_security. Would they?

Arantor

Well, the original message says 'when anyone tries to post', so from that I take it to mean that it is during posting, and not after the fact.

The one (really poor) host I used to use had the same problem where it vetted incoming POST data, and failed where they contained that item.
Holder of controversial views, all of which my own.


MrPhil

Eh? I don't quite follow. Aren't we in agreement that it is during posting, when the member submits their post and their text is in the (incoming) POST data and that's when mod_security disallows the operation? Is someone seeing something else?

Arantor

I thought you were saying that there was a problem with the number of links in the post (and that the problem was when it was displayed after, hence the issue with the variety of http in content) but I think we are in agreement that it is mod_security causing it - but it's almost certainly the links themselves, not the number of links being posted.
Holder of controversial views, all of which my own.


stevemci

The problem presented itself when a post had more than three <url> tags in it. It didn't matter where the links went to. You could use three of the tags but when you put in a fourth, blooey. You got the same failure when you tried to preview a post with more than three tags. I didn't test it with more than three "naked" urls.

The problem is now resolved. This is the response from the hosting company:

Quote:
Hello,

I have added modsecurity ID 300079 to the whitelist which was causing issues for your site.

Please test the forum and let us know if you encounter any issues further.

I don't know anything about modsecurity, hopefully that makes some sense to you.

Thanks for all your help.

Arantor

Well, if it works, it's all good. What I presume that means is that mod_security is now turned off for you.
Holder of controversial views, all of which my own.


IchBin™

From a quick Google it looks like 300079 is a rule they have just disabled. It's an anti-spam feature from the looks of it that keeps people from posting too many links.

If you look in your server or error log you'd probably find something like this when you get the error.
Quote:
[error] [client xxx.xx.xx.xx] ModSecurity: Access denied with code 403 (phase 2). Pattern match "\\[ ?(url|link) ?= ?"? ?https?://.*\\[ ?(url|link) ?= ?"? ?https?://.*\\[ ?(url|link) ?= ?"? ?https?://.*\\[ ?(url|link) ?= ?"? ?https?:/" at ARGS:message. [file "/etc/httpd/modsecurity.d/asl/30_asl_antispam.conf"] [line "467"] [id "300079"] [rev "17"] [msg " - WAF Rules: Possible Spam: Multiple embedded urls in argument (Disable if you wish to allow 4 or more URLs in a post)"] [data ""] [severity "ERROR"] [hostname "forum.scubatoys.com"] [uri "/editpost.php"] [unique_id "5RZf3kD7wT4AAAiVc9MAAAAp"]
IchBin™        TinyPortal
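
Added example (not part of the thread and not any poster's code): a Python sketch that triages the error-log line quoted in the last post, recovering the rule ID, target and regex, then replays that regex against constructed sample posts. It assumes the rule applies no transformations to ARGS:message and uses Python's `re` as a stand-in for ModSecurity's PCRE; the helper names are hypothetical.

```python
import re

# Error-log line as quoted in the thread (client address already masked there).
LOG_LINE = (
    r'[error] [client xxx.xx.xx.xx] ModSecurity: Access denied with code 403 '
    r'(phase 2). Pattern match "\\[ ?(url|link) ?= ?"? ?https?://.*'
    r'\\[ ?(url|link) ?= ?"? ?https?://.*\\[ ?(url|link) ?= ?"? ?https?://.*'
    r'\\[ ?(url|link) ?= ?"? ?https?:/" at ARGS:message. '
    r'[file "/etc/httpd/modsecurity.d/asl/30_asl_antispam.conf"] [line "467"] '
    r'[id "300079"] [rev "17"] [msg " - WAF Rules: Possible Spam: Multiple '
    r'embedded urls in argument (Disable if you wish to allow 4 or more URLs '
    r'in a post)"] [data ""] [severity "ERROR"] [hostname "forum.scubatoys.com"] '
    r'[uri "/editpost.php"] [unique_id "5RZf3kD7wT4AAAiVc9MAAAAp"]'
)

def parse_denial(line):
    """Return the fields needed to triage a ModSecurity denial, or None."""
    head = re.search(
        r'code (\d+) \(phase (\d)\)\. Pattern match "(.*)" at (\S+?)\. \[', line)
    if head is None:
        return None
    fields = dict(re.findall(r'\[(\w+) "([^"]*)"\]', line))
    return {
        "status": int(head.group(1)),
        "phase": int(head.group(2)),
        # The log doubles every backslash; undo that to get a usable regex.
        "pattern": head.group(3).replace("\\\\", "\\"),
        "target": head.group(4),
        "id": fields.get("id"),
        "msg": fields.get("msg", "").strip(" -"),
        "uri": fields.get("uri"),
    }

def is_blocked(rule, message):
    # Unanchored search, as a regex-match rule does (no transformations modelled).
    return re.search(rule["pattern"], message) is not None

def sample_post(n, tag="[url=http://example.com/{i}]link {i}[/url]"):
    # Constructed test input: n link tags on one line.
    return " ".join(tag.format(i=i) for i in range(n))

if __name__ == "__main__":
    rule = parse_denial(LOG_LINE)
    print(rule["id"], rule["target"], rule["uri"], "-", rule["msg"])
    for n in (3, 4):
        print(n, "tags blocked:", is_blocked(rule, sample_post(n)))
    # The logged pattern requires "=" after the tag name, so this form passes.
    bare = sample_post(4, "[url]http://example.com/{i}[/url]")
    print("4 bare tags blocked:", is_blocked(rule, bare))
```

The recovered rule ID is what a host needs in order to make a per-rule exception, as the hosting company did here, instead of switching mod_security off for the whole site.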