Old April 24th, 2007, 10:32 PM   #1 (permalink)
Registered User
Comfy Contributor
 
Joined in Jun 2005
Lives in Singapore
Hosted on Pass15
120 posts
Gave thanks: 2
Thanked 0 times
403 Error with PERL in textarea

I have a peculiar problem...

I have a back-end system for me to update announcements plus formatting using HTML code. Below is the text in a TEXTAREA. The POST gets processed by PHP. Both the processing and the output (admin view) are handled by a single script (i.e. news.php).

Code:
 
<h3>Updated Software versions</h3>
<p>Please note that this list of software versions only reflect the last updated status.</p>
<ul>
<li>CPanel 10.9.0 STABLE 9966</li>
<li>PERL 5.8.4</li>
<li>PHP 4.4.2 (default)</li>
<li>PHP 5.1.4</li>
<li>MySQL 4.1.21 standard</li>
</ul>
When I SUBMIT the above text, I get 403 Forbidden. And it only happens with the above text.

In the script, I do some blank field check and then MySQL UPDATE that's all.

Then I removed line by line and found that the culprit is this line:

Code:
 
<li>PERL 5.8.4</li>
Can anyone enlighten me what exactly is the problem?
__________________
Regards,
Jake See
Pass15:
http://www.vuox.com
JakeSee is offline  
Old April 24th, 2007, 10:47 PM   #2 (permalink)
He shoots.. He scores!
Super #1
Joined in Feb 2007
Lives in A room with no windows.
Hosted on SH110
1,442 posts
Gave thanks: 46
Thanked 140 times
Could be mod_security.

Try adding this to your .htaccess

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

PC
__________________
SH110
puckchaser is offline  
These users thank puckchaser for this great post!
JakeSee (April 24th, 2007), mgk (April 25th, 2007)
Old April 24th, 2007, 11:02 PM   #3 (permalink)
H
after g, before i
Resident.
Joined in Jul 2004
Lives in N,BC,CA
8,058 posts
Gave thanks: 48
Thanked 129 times
Hmm. Does mod_security have any way of notifying a script that it encountered a problem with the input? If it doesn't, they really need to consider that.. it's terrible seeing people puzzled over a problem to have it revealed as a mod_security filter.
H is offline  
Old April 24th, 2007, 11:06 PM   #4 (permalink)
Registered User
Comfy Contributor
 
Joined in Jun 2005
Lives in Singapore
Hosted on Pass15
120 posts
Gave thanks: 2
Thanked 0 times
Quote:
Originally Posted by puckchaser View Post
Could be mod_security.

Try adding this to your .htaccess

<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

PC
Thanks! That helps! Can you cite an example of how this is a security problem?

And yes, it would be very helpful if it just said it's to do with mod_security rather than 403 =(
__________________
Regards,
Jake See
Pass15:
http://www.vuox.com
JakeSee is offline  
Old April 24th, 2007, 11:09 PM   #5 (permalink)
He shoots.. He scores!
Super #1
Joined in Feb 2007
Lives in A room with no windows.
Hosted on SH110
1,442 posts
Gave thanks: 46
Thanked 140 times
You know, I can honestly say, I don't know.

I would recommend opening a ticket and seeing if they could see exactly what in your script is triggering the filter.

I just have a troubleshooting mentality and remember seeing this in the last few months, and was also a victim of it.

PC
__________________
SH110
puckchaser is offline  
Old April 24th, 2007, 11:11 PM   #6 (permalink)
He shoots.. He scores!
Super #1
Joined in Feb 2007
Lives in A room with no windows.
Hosted on SH110
1,442 posts
Gave thanks: 46
Thanked 140 times
Quote:
Originally Posted by H View Post
Hmm. Does mod_security have any way of notifying a script that it encountered a problem with the input? If it doesn't, they really need to consider that.. it's terrible seeing people puzzled over a problem to have it revealed as a mod_security filter.
H -
I agree, what turned me onto the mod_security is that Jake said it only happened with the specific text, otherwise it worked.

I don't know if Surpass shares the settings of mod_security, so it could be kind of hit or miss.

PC
__________________
SH110
puckchaser is offline  
Old April 24th, 2007, 11:18 PM   #7 (permalink)
Registered User
Comfy Contributor
 
Joined in Jun 2005
Lives in Singapore
Hosted on Pass15
120 posts
Gave thanks: 2
Thanked 0 times
Well.. knowing how I can inject PERL code into PHP would help.. but that's fine. I'm happy that I can now post the word PERL.. but I also don't want to put myself at risk just for the convenience of posting one word in a million others... =/
__________________
Regards,
Jake See
Pass15:
http://www.vuox.com
JakeSee is offline  
Old April 24th, 2007, 11:50 PM   #8 (permalink)
H
after g, before i
Resident.
Joined in Jul 2004
Lives in N,BC,CA
8,058 posts
Gave thanks: 48
Thanked 129 times
Quote:
Originally Posted by puckchaser View Post
H -
I agree, what turned me onto the mod_security is that Jake said it only happened with the specific text, otherwise it worked.

I don't know if Surpass shares the settings of mod_security, so it could be kind of hit or miss.

PC
True... but there's some flawed logic here. When you're doing filtering based on keywords, it's absolutely necessary to at least notify someone of the problem. I'd imagine it's likely logged into a log file, but the script should also have access to it. In other words, allow the script to determine there's a possible problem, but let it determine how to handle it. I don't know how many times I've seen people have problems with curl, which can be used in normal English conversation.
H is offline  
Old April 25th, 2007, 12:50 AM   #9 (permalink)
He shoots.. He scores!
Super #1
Joined in Feb 2007
Lives in A room with no windows.
Hosted on SH110
1,442 posts
Gave thanks: 46
Thanked 140 times
Quote:
Originally Posted by H View Post
True... but there's some flawed logic here. When you're doing filtering based on keywords, it's absolutely necessary to at least notify someone of the problem. I'd imagine it's likely logged into a log file, but the script should also have access to it. In other words, allow the script to determine there's a possible problem, but let it determine how to handle it. I don't know how many times I've seen people have problems with curl, which can be used in normal English conversation.
I agree.

However, after a little googling, it appears that mod_security doesn't use logic. It appears to be a pretty black-and-white filter. From what I have found, it does get logged to:

/var/log/httpd/audit_log

However, us mere mortals on shared servers have no such access to that log. But I am sure a ticket to the helpdesk could get them to view/confirm.

Here's a link with more info.

PC
__________________
SH110
puckchaser is offline  
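H's complaint above is that the script never sees why mod_security returned the 403, and puckchaser's reply says the reason only lands in the server's audit_log. As an added example (not code from anyone in this thread), here is a small parser that pulls the blocked requests and the matched keyword out of such a log, so whoever does have access to it can confirm the cause in seconds; the sample log text is constructed in the style of a mod_security 1.x audit_log and the host, address and path are made up.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the style of a mod_security 1.x audit_log (not a real log from the
# thread's host): the blocked POST from news.php, then a later request that went through.
SAMPLE_AUDIT_LOG = """\
========================================
Request: 203.0.113.7 - - [24/Apr/2007:22:32:11 +0800] "POST /admin/news.php HTTP/1.1" 403 0
----------------------------------------
POST /admin/news.php HTTP/1.1
Host: www.example.com

body=%3Cli%3EPERL+5.8.4%3C%2Fli%3E
mod_security-message: Access denied with code 403. Pattern match "perl" at POST_PAYLOAD.
mod_security-action: 403

HTTP/1.1 403 Forbidden
========================================
Request: 203.0.113.7 - - [24/Apr/2007:22:35:02 +0800] "GET /admin/news.php HTTP/1.1" 200 512
----------------------------------------
GET /admin/news.php HTTP/1.1
Host: www.example.com

HTTP/1.1 200 OK
"""

REQUEST_RE = re.compile(r'^Request: (\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})', re.M)
MESSAGE_RE = re.compile(r'^mod_security-message: (.*)$', re.M)
PATTERN_RE = re.compile(r'Pattern match "([^"]+)" at (\S+?)\.?$')


def parse_audit_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Per entry: client, time, method, path, status and the rule message that fired, if any."""
    entries = []
    for chunk in re.split(r"(?m)^=+$", text):  # entries are separated by a line of '='
        req = REQUEST_RE.search(chunk)
        if not req:
            continue  # text before the first separator, or an empty fragment
        client, when, method, path, status = req.groups()
        msg = MESSAGE_RE.search(chunk)
        hit = PATTERN_RE.search(msg.group(1)) if msg else None
        entries.append({"client": client, "time": when, "method": method, "path": path,
                        "status": status, "message": msg.group(1) if msg else None,
                        "pattern": hit.group(1) if hit else None,
                        "location": hit.group(2) if hit else None})
    return entries


def denied_requests(text: str) -> List[Dict[str, Optional[str]]]:
    """Only the entries mod_security actually blocked: a 403 with a rule message attached."""
    return [e for e in parse_audit_log(text) if e["status"] == "403" and e["message"]]
```

On the sample, denied_requests() returns the one POST to /admin/news.php with pattern "perl" matched in POST_PAYLOAD, which is exactly the detail a helpdesk ticket needs so the rule can be narrowed instead of switching the whole filter off.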