Problems with error 403 when using ajax post requests

Status
Not open for further replies.

satzen

New Member
Hi!

After your recent update to the mod security rules for Apache, the core functionality of my utility site (personal log/tracker), which utilizes post requests to submit new entries etcetera, stopped working. I've traced the error and it seems to be connected to the aforementioned updates to the mod rules. I did my best to find any alternative solution to the problem (playing around with permissions/checking the code) but I simply could not find a reason why this error would be occurring in my case, as my application does not bear any resemblance to any possible malicious practices.

I'd be truly grateful if you could take a moment and look into this as it really impedes my ability to continue with the project which heavily relies on this site.

Thanks in advance!


PS: The ajax file is located in a sub-folder (so the path would be root/ajax/ajax_new.php, called from root/new.php)
 

Dead-i

x10Hosting Support Ninja
Community Support
Hi,

I can't seem to find a hosting account linked to your forum account. Please could you link your forum account from your cPanel, or give me your cPanel username? :)

Thank you,
 

satzen

New Member
Oh sorry about that, completely forgot that the accounts are not linked.

So the linked forum account would be:
micasx10 (to the domain micas.x10host.com)
 

Dead-i

x10Hosting Support Ninja
Community Support
Hi satzen,

It looks like the request is automatically being blocked because mod_security, as implemented a few days ago, falsely believes that the request is an attempted SQL injection attack. As this is a false-positive, please could you try disabling mod_security checking and let me know how it goes? :)

You can do this by adding the following 2 lines to your .htaccess file:
Code:
SecFilterEngine Off
SecFilterScanPOST Off

Edit: My apologies - I hadn't realised we were using a different version of mod_security, and the code above will not disable the filtering.

Thank you,
 

satzen

New Member
Hey again!

Unfortunately, after adding these 2 lines to my .htaccess file the site became completely inaccessible due to error 500 (Internal Server Error).

Thanks again for your help so far!
 

Ohso

Member
Prime Account
Try using

Code:
<ifmodule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</ifmodule>
 

satzen

New Member
Hi,

Thanks, after adding the ifmodule tags the site is now accessible, however, the 403 still persists when I try to use post requests (same error response as before).
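
Added example, not part of the thread: a small Python linter that predicts how Apache treats the ModSecurity 1.x `SecFilter*` lines posted above, which accounts for both the 500 from the bare lines and the unchanged 403 once they were wrapped in `<ifmodule mod_security.c>`. It assumes the host loads ModSecurity 2.x (module file `mod_security2.c`), since the thread only says "a different version"; the name `lint_htaccess` and the verdict labels are illustrative.

```python
import re

# ModSecurity 1.x directive family (SecFilterEngine, SecFilterScanPOST, ...).
V1_DIRECTIVE = re.compile(r"^SecFilter\w*$", re.I)
V1_MODULE = "mod_security.c"                          # ModSecurity 1.x
# ModSecurity 2.x identifiers; assumed to be what the host in the thread runs.
V2_MODULES = frozenset({"mod_security2.c", "security2_module"})

# Constructed inputs: the two .htaccess variants posted in the thread.
BARE = "SecFilterEngine Off\nSecFilterScanPOST Off\n"
WRAPPED = "<ifmodule mod_security.c>\n" + BARE + "</ifmodule>\n"

def lint_htaccess(text, loaded_modules=V2_MODULES):
    """Return (line_no, directive, verdict) for each 1.x directive found.

    'error-500': Apache parses a directive no loaded module defines.
    'ignored'  : an <IfModule> test fails, so the line is skipped silently.
    'applied'  : the 1.x module is loaded and the line is reached.
    """
    loaded = {m.lower() for m in loaded_modules}
    findings, active = [], []      # active[i]: is enclosing block i parsed?
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<IfModule\s+(!?)([^>\s]+)\s*>", line, re.I)
        if opened:
            present = opened.group(2).lower() in loaded
            active.append(present != bool(opened.group(1)))  # '!' negates
            continue
        if re.match(r"</IfModule\s*>", line, re.I):
            if active:
                active.pop()
            continue
        name = line.split()[0]
        if not V1_DIRECTIVE.match(name):
            continue
        if not all(active):
            verdict = "ignored"
        elif V1_MODULE in loaded:
            verdict = "applied"
        else:
            verdict = "error-500"
        findings.append((no, name, verdict))
    return findings

if __name__ == "__main__":
    for label, sample in (("bare", BARE), ("wrapped", WRAPPED)):
        print(label, lint_htaccess(sample))
```

An "ignored" verdict means the `.htaccess` change has no effect on filtering, so the rule that produced the 403 has to be addressed in the server's own ModSecurity configuration.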
 

Corey

I Break Things
Staff member
Can you provide instructions on how to reproduce the issue? I'm not familiar with this software and would like to reproduce the error you're seeing so I can see what's going on.
 

satzen

New Member
> Can you provide instructions on how to reproduce the issue? I'm not familiar with this software and would like to reproduce the error you're seeing so I can see what's going on.

The error occurs simply when I use a normal post request.

So, in my case the main code snippet would be:
Code:
$.post("ajax/ajax_new.php", { f_date: date, f_hours: hours, f_additional: additional, f_reflection: reflection, f_action: action, f_activity: activity },
function(response){
    // callback code here removed for the sake of the example
});

Basically, as stated before, I'm requesting the file root/ajax/ajax_new.php from a file located in root/ using a standard jQuery shorthand command.

I can access the ajax_new.php file normally and, given that I change the server side code to interact with GET requests, I can use it with parameters passed in the url. However, somehow, after the security update, as soon as it is turned into a post request that is executed as shown above, the server returns a 403 error.
 

Corey

I Break Things
Staff member
I believe this is fixed... I may have submitted two blank entries to your form while working on this.
 