(2.1.1) Changing page logo results in 403 - access denied with ModSecurity enabled.

  • Affected App
    WoltLab Suite Core

    Update 3/10/2015: How is this not a bug, when you shouldn't have to disable mod security to change page logos and/or fonts? I'm more thankful that someone suggested to check if Mod Security was enabled, otherwise I could have spent hours or days changing chmod settings on all the files and folders, and responding to several host tickets regarding the issue.

    Thankfully my shared host allows me to disable Mod Security myself, otherwise I could have been left holding the can. Other users aren't always this lucky, and some hosts just don't allow it to be disabled for possible security issues. Isn't it possible to code to accept if Mod Security is enabled or not? @Alexander Ebert Now I have to keep disabling mod security every time I create a sub domain name. :thumbdown:

    Update: After I disabled ModSecurity I don't see the problem happening all that often. ModSecurity was enabled on the sub domain. Maybe wbb is not compatible with ModSecurity?
    Changing the page logo under Appearance > List Styles > Edit a Style > Global Settings > Page Logo.

    Attempt 1: Manually typing in the new logo's name, for example logo_blue.png, seems to load it in the logo preview box, but then hitting "submit" gives 403 access denied.

    Attempt 2: Hitting the upload button, choosing the image to upload seems to work, gives green message above saying it was saved/successful. But then after hitting submit button below, gives 403 access denied.

    Refreshing the site index page shows no change of logo at all. I even chmodded wcf/images/ 777, and also premium style folders 777, and yet somehow the uploaded logos are being generated in the wcf/images/ folder as chmod 644. I've just been uploading the logo images directly via file manager or ftp client.

    Edit: While doing this in xampp / localhost seems to be working, uploading images and hitting submit is working, no 403 access denied. But I don't have the same premium styles installed in the xampp copy though either. Will test that once. - update, installed the same premium style(s) in xampp, and changed logo and it works. Must be a host setting or whatever.

    Edited 17 times, last by Smooey (March 10, 2015 at 8:02 PM).

  • Most mod_security setups I've seen are horribly misconfigured and cause many false positives. Look up the error logs (webserver and/or mod_security log) to find the reason for the error message. This has nothing to do with the software, instead you're facing an over-aggressive configuration. Keep in mind that the detections are stupid as hell, they only look for special words or patterns.

    I remember a customer who had issues somewhere, because one of the values for an input field read the term "system" (which can legally appear!) and boom: mod_security strikes again.
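
Added example, not part of the original thread or of WoltLab's code: one way to do the log lookup suggested above, pulling the rule id and the matched request field out of ModSecurity denial lines in the Apache error log and printing a per-field exclusion for the host to review instead of switching the engine off. The log lines, rule ids, paths and field names are constructed; `SecRuleUpdateTargetById` is a ModSecurity 2.x directive.

```python
import re
from collections import Counter

# Constructed sample in the Apache error_log format that ModSecurity 2.x writes to.
# Rule ids, field names, paths and addresses are made up for illustration.
SAMPLE_LOG = '''\
[Tue Mar 10 19:58:01 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "system" at ARGS:exampleText. [file "/etc/modsecurity/example.conf"] [line "42"] [id "1000001"] [msg "Example keyword rule"] [data "system"] [hostname "sub.example.org"] [uri "/acp/index.php"] [unique_id "AAAA"]
[Tue Mar 10 19:58:05 2015] [error] [client 203.0.113.7] File does not exist: /var/www/favicon.ico
[Tue Mar 10 19:59:12 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "system" at ARGS:exampleText. [file "/etc/modsecurity/example.conf"] [line "42"] [id "1000001"] [msg "Example keyword rule"] [data "system"] [hostname "sub.example.org"] [uri "/acp/index.php"] [unique_id "BBBB"]
[Tue Mar 10 20:01:40 2015] [error] [client 203.0.113.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "images/" at ARGS:exampleLogo. [file "/etc/modsecurity/example.conf"] [line "57"] [id "1000002"] [msg "Example path rule"] [data "images/"] [hostname "sub.example.org"] [uri "/acp/index.php"] [unique_id "CCCC"]
'''

TAG = re.compile(r'\[(\w+) "([^"]*)"\]')              # [id "..."], [msg "..."], [uri "..."]
TARGET = re.compile(r' at ([A-Z_]+(?::[^\s.]+)?)\.')  # e.g. "at ARGS:exampleText."

def parse_denials(log_text):
    """Yield one dict per ModSecurity 'Access denied' line, skipping other errors."""
    for line in log_text.splitlines():
        if "ModSecurity: Access denied" not in line:
            continue
        tags = dict(TAG.findall(line))
        target = TARGET.search(line)
        yield {"id": tags.get("id"), "msg": tags.get("msg"),
               "data": tags.get("data"), "uri": tags.get("uri"),
               "target": target.group(1) if target else None}

def summarize(log_text):
    """Count denials per (rule id, request field, URI): which rule blocks which input."""
    return Counter((d["id"], d["target"], d["uri"]) for d in parse_denials(log_text))

def suggest_exclusions(log_text):
    """Build one scoped exclusion per (rule, field) pair, for review before use."""
    pairs = {(rid, tgt) for rid, tgt, _ in summarize(log_text)
             if rid and tgt and ":" in tgt}   # only named fields, never a whole collection
    return [f'SecRuleUpdateTargetById {rid} "!{tgt}"' for rid, tgt in sorted(pairs)]

if __name__ == "__main__":
    for (rid, tgt, uri), n in summarize(SAMPLE_LOG).items():
        print(f"rule {rid} blocked {tgt} on {uri}: {n} time(s)")
    print("\n".join(suggest_exclusions(SAMPLE_LOG)))
```

An exclusion of this kind only takes effect when it is loaded after the rule it modifies, and on shared hosting it is the host who has to apply it.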

  • "Look up the error logs (webserver and/or mod_security log) to find the reason for the error message."

    I don't seem to have mod_security log, just "error log", and nothing is mentioned in there. But I can't argue with what you said though, because you've run across many configurations in your days with WoltLab lol. So I'm sure you're right about them being horribly misconfigured or over-aggressive. Thanks for your reply, I'll just make sure to disable it when I create new sub domains or add add-on domains in future. Also was concerned for new users / "new money" for you all, if they can't get your software working in their hosts, then less "new money" for you. :P
