403 (Forbidden) Error AJAX Request

staffing · Dec 23, 2014

I understand that you've updated the mod rewrite for the Apache servers to limit spamming, but my website no longer functions accordingly, certain functions I am limited to producing due to this issue. I can now no longer use ajax requests to update certain SQL queries, however at the same time I'm still able to do so for other functions on my webpage, is there a way that I can get around this somehow?

I've attempted to use this to solve the issue however that did not help me:

Code:

<ifmodule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</ifmodule>

leafypiggy · Dec 23, 2014

You *REALLY* shouldn't be pushing SQL in an ajax request.

That is entirely insecure, and is the reason things like ModSecurity exist.

caftpx10 · Dec 23, 2014

leafypiggy said:
You *REALLY* shouldn't be pushing SQL in an ajax request.

That is entirely insecure, and is the reason things like ModSecurity exist.

I think he means placing a string within a SQL query for uses such as searching and changing a value for a certain account (not a full query).

staffing · Dec 23, 2014

caftpx10 said:
I think he means placing a string within a SQL query for uses such as searching and changing a value for a certain account (not a full query).

Yes that's what I mean, doing updates for some functions work while others dont, and Inserts in genera don't work at all

leafypiggy · Dec 23, 2014

Can I have an example URI?

staffing · Dec 23, 2014

leafypiggy said:
Can I have an example URI?

This is a result of the mod security update on Free Hosting Services

If you have any issues on your website or issues accessing your website please open a thread on the free hosting forum so we can investigate. The mod security rules should be showing a 403 if you inadvertently trigger a rule but it may not in some cases so please report to the forums just in case

I use this code to create ajax requests for certain forms/functions:

Code:

 //Ajax post data to server
            $.post('update.php?action=<?php echo($edit); ?>', post_data, function (response) {

                //load json data from server and output message    
                if (response.type == 'error') {

Depending on the certain action variable the code won't work

Dead-i · Dec 23, 2014

Hi,

What is the typical value of the "action=" parameter in the request ($edit)?

Please could you also provide an example of the data sent in the POST request (post_data)?

Thank you,

staffing · Dec 23, 2014

Dead-i said:
Hi,

What is the typical value of the "action=" parameter in the request ($edit)?

Please could you also provide an example of the data sent in the POST request (post_data)?

Thank you,

The typical values are either 'location', 'employee','edit', or 'fill' (Edit and Fill function appropriately)
Data sent in the POST for location and employee (this is me editing a table/UPDATing it)

Code:

post_data = {'code': <?php echo('"'.$code.'"'); ?>, 'fname': John, 'sname': Doe, 'gender': Male, 'check1': true, 'check2': true, 'check3': false, 'type': APPT, 'tnum': 304, 'number': (123)-345-3859, 'alternate': NULL, 'street': 123 Address Lane, 'postal': postal_code, 'city': cityland, 'majint': majint, 'comments': comments};

Bryon · Dec 24, 2014

Hi Staffing, can you reproduce the problem for me and make a note of the approximate time you receive the error? Let me know that time, including the timezone so I can relate it to the server logs. This will help us narrow down the cause of mod_security blocking the request and hopefully get a solution in place for you.

staffing · Dec 24, 2014

Bryon said:
Hi Staffing, can you reproduce the problem for me and make a note of the approximate time you receive the error? Let me know that time, including the timezone so I can relate it to the server logs. This will help us narrow down the cause of mod_security blocking the request and hopefully get a solution in place for you.

I've reproduced the error at 10:11 PM EST (Residing in Toronto, Ontario - Canada)

Bryon · Dec 24, 2014

Hi, thank you for your reply and the information. I've retrieved the exact cause of the error. We're going to need to investigate this further to correct the mod_security rule at fault. This may take a day or so with the holiday. We'll get you an update soon regarding this, I am expecting that we will be able to correct this while keeping the protection of the mod_security rule for your account.

staffing · Dec 26, 2014

Bryon said:
Hi, thank you for your reply and the information. I've retrieved the exact cause of the error. We're going to need to investigate this further to correct the mod_security rule at fault. This may take a day or so with the holiday. We'll get you an update soon regarding this, I am expecting that we will be able to correct this while keeping the protection of the mod_security rule for your account.

Alright thank you, I'm looking forward to your solution

leafypiggy · Dec 26, 2014

Hi Staffing,

I am looking into this over the weekend. Due to our custom implementation of how we handle mapping domain names to folders on the server, we cannot you any of the pre-built ModSecurity "management" tools, so I'm working on a custom solution that we'll hopefully be able to expose to the end user so they can manage it themselves.

I will update you later today or tomorrow (Maybe Sunday) when I have done more research on this.

staffing · Dec 30, 2014

leafypiggy said:
Hi Staffing,

I am looking into this over the weekend. Due to our custom implementation of how we handle mapping domain names to folders on the server, we cannot you any of the pre-built ModSecurity "management" tools, so I'm working on a custom solution that we'll hopefully be able to expose to the end user so they can manage it themselves.

I will update you later today or tomorrow (Maybe Sunday) when I have done more research on this.

I wanted to know if you've had any recent updates regarding this issue? Thank you

Corey · Dec 30, 2014

Is this a custom script? I've looked at the specific rule being triggered and the logs, while I have an idea of what is triggering the rule it would be good to be able to reproduce this issue. Is it possible you can PM or email me a login and instructions on reproducing one of the errors?

What I'm trying not to do is write a ton of exceptions for each and every script with an issue as we'll just end up with hundreds of unmanageable exceptions and extra rules. If I can reproduce this on demand I can see if I can tweak the rules a bit to allow this specific use case through while not creating additional exceptions or separate rules.

staffing · Dec 30, 2014

Corey said:
Is this a custom script? I've looked at the specific rule being triggered and the logs, while I have an idea of what is triggering the rule it would be good to be able to reproduce this issue. Is it possible you can PM or email me a login and instructions on reproducing one of the errors?

What I'm trying not to do is write a ton of exceptions for each and every script with an issue as we'll just end up with hundreds of unmanageable exceptions and extra rules. If I can reproduce this on demand I can see if I can tweak the rules a bit to allow this specific use case through while not creating additional exceptions or separate rules.

I've messaged you and explained how to reproduce the error, thank you!

403 (Forbidden) Error AJAX Request

staffing

New Member

leafypiggy

Manager of Pens and Office Supplies

caftpx10

Well-Known Member

staffing

New Member

leafypiggy

Manager of Pens and Office Supplies

staffing

New Member

Dead-i

x10Hosting Support Ninja

staffing

New Member

Bryon

I Fix Things

staffing

New Member

Bryon

I Fix Things

staffing

New Member

leafypiggy

Manager of Pens and Office Supplies

staffing

New Member

Corey

I Break Things

staffing

New Member

Free Web Hosting

Our Community

Legal