403 Forbidden error when uploading a theme
#1
Thought I would share this.

Will probably not be valid for people on shared hosting unless their host uses CWP.
My setup is CentOS 6.x with CWP

Problem found: getting a 403 error when trying to upload a new theme xml file

Went through some logs and turns out mod_security was to blame (the htaccess fix in the htaccess example does not work with modsec 2 as far as I'm aware)

So I went through the log files and found the rule ID(s) that appeared to have been violated.

I've removed unnecessary/exposing info
[Sun Oct 25 16:17:59 2015] [error] [client ##.##.##.###] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [file "/usr/local/apache/modsecurity-crs/base_rules/modsecurity_crs_20_protocol_violations.conf"] [line "219"] [id "960915"] [rev "1"] [msg "Multipart parser detected a possible unmatched boundary."] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.9"] [maturity "8"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ"] [tag "CAPEC-272"] [hostname "mywebsite.url"] [uri "/admin/index.php"] [unique_id "###############"]

[id "960915"] being of importance here

To fix this, I added;
## MyBB ##
SecRuleRemoveById 960915

To the bottom of the rules file (typically here /usr/local/apache/conf/mod_sec_disabled_rules.conf)
The ## MyBB ## is not necessary, just to make it easier to understand the next time I look in that file.

Then restart the httpd/apache service and the rule came into force, everything seems fine now.

Also seems to think modifying a stylesheet through /admin/index.php?module=style-themes&action=edit_stylesheet&mode=advanced is an SQLi attempt, violating rule 981317, fix in the same way

edit; turns out it violates a few:
960915
981317
958011
973308
973335
973334
973347
950103
Reply
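The log-to-exclusion step described in the post above, as an added example that is not part of the original post: it pulls the rule ID and URI out of ModSecurity "Access denied" lines and emits `SecRuleRemoveById` scoped with Apache `<LocationMatch>`, so the rules stay active for the rest of the site instead of being removed globally. The sample log lines, the function names and the URI allow-list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the Apache error-log format quoted in the post
# (client address, second message and unique_id values are placeholders).
SAMPLE_LOG = """\
[Sun Oct 25 16:17:59 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Match of "eq 0" against "MULTIPART_UNMATCHED_BOUNDARY" required. [id "960915"] [msg "Multipart parser detected a possible unmatched boundary."] [hostname "mywebsite.url"] [uri "/admin/index.php"] [unique_id "AAAA"]
[Sun Oct 25 16:21:03 2015] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). [id "981317"] [msg "constructed sample message"] [hostname "mywebsite.url"] [uri "/admin/index.php"] [unique_id "BBBB"]
[Sun Oct 25 16:22:40 2015] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
"""

FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # [key "value"] pairs
SAFE_URI = re.compile(r"[\w./-]+", re.ASCII)           # the URI is client-supplied

def parse_denials(log_text):
    """Yield (uri, rule_id, msg) for each ModSecurity 'Access denied' line."""
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        fields = dict(FIELD.findall(line))
        if "id" in fields and "uri" in fields:
            yield fields["uri"], fields["id"], fields.get("msg", "")

def scoped_exclusions(log_text):
    """Build Apache config that removes each triggered rule only for its URI."""
    by_uri = defaultdict(set)
    for uri, rule_id, _msg in parse_denials(log_text):
        if not (SAFE_URI.fullmatch(uri) and rule_id.isdigit()):
            continue  # never copy unexpected log content into a config file
        by_uri[uri].add(rule_id)
    blocks = []
    for uri in sorted(by_uri):
        lines = ['<LocationMatch "^%s$">' % re.escape(uri)]
        for rule_id in sorted(by_uri[uri]):
            lines.append("    SecRuleRemoveById %s" % rule_id)
        lines.append("</LocationMatch>")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)

if __name__ == "__main__":
    print(scoped_exclusions(SAMPLE_LOG))
```

Review the generated block and the logged messages before adding it to the Apache configuration, since each exclusion should correspond to a request you recognise as legitimate admin activity.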
#2
That's a problem with your host. Contact them.
Reply
#3
He did say it was only related to CentOS Web Panel, though indeed contacting the host seems a good step.
Random Fish and Sims Maniac
MY PLUGINS
Help MyBBSupport help you - remember to mark your threads as solved


Reply
#4
I am the host.

Seems ModSecurity 2.x is just being a pain. Massive list of rule exceptions sorts it, abandoned using ModSecurity 2.x because of it
Reply