Hello, is it normal for signatures to show a 403 page if someone tries inputting quotation marks ( ' and " ) in a signature?
If not, how can it be fixed?
https://troublecube.net/mybb/
Me n the pals building this forum just installed mybb yesterday so we apologize if this is a noob question.
the error text is as it follows:
403
Forbidden
Access to this resource on the server is denied!
it's been solved! apparently mod_security was doing some buggy stuff. thank you for helping!
403 is a an error based on the HTTP protocol and means that a resorce in the web is forbidden to access.
Maybe you set any content or external resource to your signature (an image from a remote host or an iframe for example) that is not allowed being loaded and throws this error.
Give us your example of a signature that causes HTTP403 for further investigation, please.
[ExiTuS]
right. here's my own signature. source editor is turned on when i copied it
"hi did you know that eee e ee ee eb eeb eee eeebb eeee eeee d ee e"
plain text, no fancy stuff and yet it errors
Hi, I'm one of the other admins of this forum
Here are some signatures I tested out
Throws a 403
I'm gay and don't go to bed on time, reblog if you too are gay and don't go to bed on time
So then I said "Oatmeal, are you crazy?"
Does not throw a 403
(blank signature)
[hr]
[i]*sleepy catgirl noises*[/i]
[url=https://troublecube.net/mybb/showthread.php?tid=21&pid=369#pid369]Character list[/url]
βSmart quotes do not do it, thoughβ
Sounded like dashes were problematic -- they were not tho
vlrebgalueibgreibvulaiuhglaiughrei4hi;lvszgg59e8asty43;oti23t2;[agg[kapog[aerg
πββ’π±π€πΉππ₯³ππ₯πΆπ¦πΆπ
±π¦β‘β¬
ππ€πππΌπβ
(though it did get converted to "?ββ’????????????β‘β¬
??????β"; guess we should figure out emoji support too huh)
eta: This error started appearing immediately after installing myBB to our KnownHost server via the Softalicious Apps Installer in cPanel
eta2: For science, we ran the installer again to make a second forum and test with a complete blank slate; the results were exactly the same.
FINAL EDIT: Figured it out! Internet search led us to
this old thread that had the same issue; going into the mybb folder and changing "htaccess.txt" into ".htaccess" stopped the thing entirely.
That's plausible and conclusive because .htaccess can affect the whole webserver behavior and communication.
Your reply might help other user with same troubles to focus on this resolution.
Nevertheless you should ensure valid and regular data content of your current .htaccess file.
[ExiTuS]
Not super versed in the nature of the thing, but looking up htaccess on Wikipedia and skimming the contents of the file didn't raise any blatant red flags.
hi folks,just recently started having this problem,got a hold of the host and they said yep,try turning off modsecurity,i did and seem to fix it but i kinda want to have the security ya know
is the fix in this thread legit? "FINAL EDIT: Figured it out! Internet search led us to this old thread that had the same issue; going into the mybb folder and changing "htaccess.txt" into ".htaccess" stopped the thing entirely."
assuming htaccess.txt would be a file at the host?
thanks for any help,Gary
Hello, Gary, if you're even still watching this. The fix we stated earlier did indeed work at the time.
We're back over a year later because... it stopped working. We're suddenly getting this bug again and we don't know why.
We still don't actually know
which part of htaccess fixed the bug.
e: ... okay it's
probably this part:
<IfModule mod_security.c>
# Turn off mod_security filtering.
SecFilterEngine Off
# The below probably isn't needed, but better safe than sorry.
SecFilterScanPOST Off
</IfModule>
So the obvious question is why did it stop fixing it?
edit 2: We were able to disable modsecurity on the forum entirely via cpanel, but this feels like a bit of a nuclear option. Surely there's a way to figure out the cause of specifically
this interaction and fix just that one thing...
You'd need to ask your host, it depends what rules they have set up for it. Little we can do about it as it's to do with Apache, not the application itself.