403 Error when posting to specific thread

Status
Not open for further replies.

kafukach

New Member
Hi, I'm hosting a board running on vichan, a futaba-style imageboard software. It's impossible to post in one thread, throwing up "You don't have permission to access /post.php on this server."

I believe this is due to a false positive with mod_security. Is there any way I can have it disabled for my site or something?
 

kafukach

Yes. Like I said, the actual content of the post field doesn't matter. It's contained only to this thread and occurs for the site's other users in this thread as well. post.php is chmodded to 777 so it's not a permissions issue which is why I think a post may have set off mod_security.
 

bdistler

Well-Known Member
Prime Account
> is chmodded to 777

If 'permissions' set on any folder or file - in your account - are [ 777 ] - that makes a large security risk - so an x10hosting free-hosting server will throw an immediate "Access Denied" (403 error code) error to protect itself

Make sure all file permissions are 0644 (rw-r--r--) and all folder permissions are 0755 (rwxr-xr-x)
 

kafukach

That doesn't seem to be the problem here, though. Posting in any other thread or creating a new one does not result in the error.
 

caftpx10

Well-Known Member
I would make sure that the permissions are set to the most appropriate just in case it does become an issue in the future.

When you said that it does not happen on other threads, have you tried posting the same exact content?
 

kafukach

Permissions being set to 777 on some stuff is a requirement for vichan to work properly specified in its installation instructions, but anyways, posting ">>22 It's considered a lucky number, though?" in other threads works fine. However, posting anything at all in the thread we've been discussing results in the 403 error.
 

caftpx10

Are you able to use developer tools (browser feature)?
That can help out by giving out where it is trying to post to and how it is being done. (The query strings or parameters would especially be important.)

How it would work is that when you open it up, you navigate to the 'network' tab, press the preserve log option, post, press the request logged and then you should get additional information about it.
 

kafukach

In vichan or x10's cPanel? Because I don't have this option aside from what might be in command-line tools that it has, and I don't see any sort of "network" tab or anything like that in the cPanel.

EDIT: My bad, didn't interpret what you said right
 

kafukach

Okay, I've clicked on post.php and there are four tabs; where would I see the query strings or parameters?
 

kafukach

Okay, I've got a log of the params:



Content-Type: multipart/form-data; boundary=---------------------------2210819461716004652711661654
Content-Length: 2763

-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="7gou4kx3jir2ms"

J9K<]s+u♕4%z. Z`CxrX-6)G|f/7^♁iodtjyV⛘wUa⛢&Ag#⚔5>vS☇{m*8p0$♴!_lYF
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="thread"

20
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="dbr⚬ea⚤syfn"

l*=D Mo0,☪JQC Kfspx9?`'+-}hFT⛫)I^an:4y.LYb&#♌%@PZVgv]B5;21<♩X6wN♋Sju♬ec|7k(U⚞8>t_G/$qi⚁3W[{rz~
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="board"

off
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="6jrk♨y9csdlqftzu31nw☟pavo80i5x⛦e⛱m7h4bg"

>&i,pJ2'=}v]SD⚔r(f⛚_!%\P|⚦l6-b^ /W5`:Y$sZchI[R.0U#a1*XdLQw7AtO
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="message"


-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="name"


-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="user"


-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="q"

k\S.:ZXe]P
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="email"


-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="mn⚿qb⚕d0tzcafepox89rk6liu⛑1"

bNB!1|.c3☭#qXgY{CGx@☉il)6 m-5f♥+QdwhzK0 r,DjM8?7'$/H_&v~♢u(2><]yEJOsS⚦ToLk:
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="yk2f8da9jgt⚳3e☽w641mrl70hnsox☕bi"


-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="login"

{a#@⚈O
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="subject"


-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="post"

New Reply
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="body"

>>22
7 is the lucky number of hope!
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="file"; filename=""
Content-Type: application/octet-stream


-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="password"

gA3c$kg&
-----------------------------2210819461716004652711661654
Content-Disposition: form-data; name="hash"

035ee73b1ecf2466036a91156e6204e51b2a2ee8
-----------------------------2210819461716004652711661654--
 

essellar

Community Advocate
Community Support
Permissions being set to 777 is a no-go here; there is no way around the maximum permissions level settings. If your files are executable, you get a 403. (Folders must be executable in order to access their contents.) If either your files or your folders are world-writable, you get a 403. Period. If you need permissions beyond that, you need a VPS.
 

kafukach

That clearly isn't the problem though, as I've described above, because it doesn't cause issue anywhere but this one specific thread.
 

kafukach

Welp, it seems deleting the post that said "Is 7 the number of despair?" fixed it.
 

bdistler

@Dead-i OP says that permissions being set to 777 - "doesn't cause issue anywhere"
has the no '777' rule been changed or is there a setup error on his free-hosting server ??

> That clearly isn't the problem though, as I've described above, because it doesn't cause issue anywhere but this one specific thread.

EDIT - just did some test on my account - which is on free-hosting server [ xo3 ] - there is no longer a 'lock-out' when permissions are set to 777
 

Dead-i

x10Hosting Support Ninja
Community Support
Hi,

> Welp, it seems deleting the post that said "Is 7 the number of despair?" fixed it.

I took a look at the logs, and strangely, it looks as though your request was being denied for "potentially untrusted web content", which usually only triggers if you're trying to submit suspicious HTML. I'm not so sure how the software you are using works, but the screenshot you provided doesn't show any content I would say would trigger that rule. :(

> @Dead-i OP says that permissions being set to 777 - "doesn't cause issue anywhere"
> has the no '777' rule been changed or is there a setup error on his free-hosting server ??

Hmm, a permission level of 777 was simply stopped by the webserver previously; I'll check this. In any case, however, a permission level of 777 is completely unnecessary and a security risk, since it essentially means "read by anyone, writable by anyone, executable by anyone". In general, files should be 644 and directories should be 755, and there is no need at all to set a file to 777 due to the way our webserver is configured.

Thank you,
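
Added example (not part of the original thread, and not x10Hosting's or vichan's own tooling): a shell check for the permission rules stated in the replies above, namely files at 0644, directories at 0755, no executable files and nothing world-writable. The function names `audit_perms` and `fix_perms` are hypothetical, and the directory you pass in (for example your web root) is an assumption.

```shell
#!/bin/sh
# Added example: audit a web root against the permission policy described
# in this thread (files 0644, directories 0755; nothing world-writable,
# no executable files). Function names are hypothetical.

# Print every entry under $1 that breaks the policy.
audit_perms() {
    # Regular files: world-writable, or any execute bit (owner/group/other).
    find "$1" -type f \( -perm -0002 -o -perm -0100 \
        -o -perm -0010 -o -perm -0001 \) -print
    # Directories need the execute bit to be traversed, so only
    # world-writable ones are reported.
    find "$1" -type d -perm -0002 -print
}

# Reset every directory to 0755 and every regular file to 0644.
fix_perms() {
    find "$1" -type d -exec chmod 0755 {} +
    find "$1" -type f -exec chmod 0644 {} +
}

# Stand-alone use: ./audit.sh DIR  (lists offenders; changes nothing)
if [ "$#" -gt 0 ]; then
    audit_perms "$1"
fi
```

Run `audit_perms` first and review its output; `fix_perms` rewrites the mode of everything under the directory it is given.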
 