Problems with mod_security? - 403 Forbidden / Not Acceptable?

[Dennis Tsang]

Recently, there have been many reports on this forum regarding problems or errors with mod_security, one of the modules loaded into Apache. If you are having problems with error 403 Forbidden or other problems that happen once in a while for quite mysterious reasons, read on and see if mod_security is your problem.

The apparent error that is generated is normally a page saying:

• 500 Internal Server Error
• 403 Forbidden: You don't have permission to access <the file name> on this server.
• Not Acceptable: An appropriate representation of the requested resource <the file name> could not be found on this server.
  

In order to confirm that it is indeed mod_security triggering the error, please take a look at the server error log. This can usually be found either in a "logs" folder in your FTP root, or in your hosting control panel, or by requesting it from your web host (we can't help you on our end with this). In the server error log, an error similar to the one below may show up:

Quote:[Sat Oct 8 16:33:45 2005] [error] [client 123.456.789.123] mod_security: Access denied with code 403. Pattern match "rcp " at THE_REQUEST. [hostname "www.example.com"] [uri "/forum/admin/templates.php?expand=1&group=usercp"]

Known problematic pages
Here are a list of known symptoms

• Admin CP - Version Check
• Admin CP - Templates Manager - Cannot expand the usercp template group
• Front end - Posting/Editing posts - Message with content similar to harmful commands (example: uname -a)
• The above errors occur when specific data is being requested from the server (example: all the other template-groups work except for usercp templates, and other messages are able to be posted)
  

Confirm that mod_security is installed on your server
To confirm that the mod_security module is installed on your server, open your PHP Info page (there is one in your forum's Admin CP). Scroll down and find the heading "Loaded Modules" and see if "mod_security" is in the list.

The Solution - MyBB 1.4.x and newer
The htaccess.txt that comes with the MyBB package disables mod_security by default. If you haven't already, rename the htaccess.txt file to ".htaccess" (without the quotation marks, note the leading dot in the filename).

The relevant code is shown below:

Code:

#
# If mod_security is enabled, attempt to disable it.
# - Note, this will work on the majority of hosts but on
#   MediaTemple, it is known to cause random Internal Server
#   errors. For MediaTemple, please remove the block below
#
<IfModule mod_security.c>
    # Turn off mod_security filtering.
    SecFilterEngine Off

    # The below probably isn't needed, but better safe than sorry.
    SecFilterScanPOST Off
</IfModule>

The Solution - MyBB 1.2.x and older

Place this code in a .htaccess file in your MyBB folder on the server.

Code:

SecFilterEngine Off

Note, this will disable the security function of the mod_security module for the files inside the MyBB folder. This solution is a tradeoff: security vs usability. Use this solution at your own risk.

If this does not work, then feel free to create a new support thread and we'll try to help you further.

Wiki page: [Wiki: Help:Mod_security]

[Cool_Guy]

Hello DenisTT,
What sort of security could i louse from disabling mod_security?
Thanks!

[Justin S.]

You can always just upload the .htaccess file when you need to edit the User CP templates (if that is the only problem you are having), and then delete it when you no longer need to use it

[prutsor]

My host recently installed mod_security but i don`t have any problems with it. I tested the symptoms you gave and its all working fine on my board.
I am using:
Mybb 1.1.1
PHP Version 4.4.2
Apache 1.3.34
and i can see mod_security in "Loaded Modules"

[Chris Boulton]

They've configured it properly then.

Certain hosts just blindly configure it not taking notice of a few things.

[autograff]

I didn't get this error until I upgraded from 1.1.1 to 1.1.2.

CHMOD doesn't seem to fix it, and the reason I switched from PHPBB to MyBB was (besides much better control and easy setup) security. I don't want to disable security on my board. I'll be back in the same boat, with gambling sites posting as admin.

---

Another board is running 1.1.2 on the same host, no problem??

[Dennis Tsang]

autograff Wrote:I didn't get this error until I upgraded from 1.1.1 to 1.1.2.

CHMOD doesn't seem to fix it, and the reason I switched from PHPBB to MyBB was (besides much better control and easy setup) security. I don't want to disable security on my board. I'll be back in the same boat, with gambling sites posting as admin.

---

Another board is running 1.1.2 on the same host, no problem??

They could have already disabled the mod_security via the .htaccess (or another) fix...

[autograff]

Thanks, Dennis. It's possible. I ended up doing the .htaccess thing, and it worked fine.

[CrusH]

Hi friends i'm turkish and i cant understand what you say ! please can you explain it in a simple way ?

[autograff]

Hi CrusH,

If you see a warning "403 Forbidden/Not Acceptable" instead of the page you wish to see, make a text file with only this in it:

SecFilterEngine Off


Then save the text file naming it htaccess.txt

Upload it in ASCII mode to the folder that contains your bulletin board.

Rename it (on the server) .htaccess

Your board will work instead of giving you an error.

It might be less secure, but it will work.